Archive for septembre, 2010

Windows deamon exploitme

Rien de nouveau dans ce post. Juste un exemple de petit deamon sous Windows qui permet d’émuler un accept()+fork()+execve() comme on en voit souvent lors de challenges. D’abord pour montrer que c’est faisable et ensuite pour avoir du fun avec les potes :]

Le binaire que je fournis ne possède aucune mitigation. A vous de voir donc si vous voulez utiliser du GS, de l’ASLR, du DEP, voir du SAFESEH le tout avec du SEHOP. Vous pouvez bien sûr toujours changer la vuln :]

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
 
#pragma comment (lib, "ws2_32.lib")
 
#define PORT 1337
 
//
//
//
int Fork(SOCKET Csock)
{
	CHAR ProcessName[MAX_PATH];
	STARTUPINFO StartupInfo;
	PROCESS_INFORMATION ProcessInformation;
 
	GetModuleFileName(GetModuleHandle(NULL), ProcessName, sizeof(ProcessName)-sizeof(CHAR));
	printf("[*] Forking \"%s\" process \n", ProcessName);
 
	RtlZeroMemory(&StartupInfo, sizeof(StartupInfo));
	RtlZeroMemory(&ProcessInformation, sizeof(ProcessInformation));
 
	StartupInfo.cb=sizeof(StartupInfo);
	StartupInfo.dwFlags=STARTF_USESTDHANDLES;
	StartupInfo.hStdInput=(HANDLE)Csock;
	StartupInfo.hStdOutput=(HANDLE)Csock;
	StartupInfo.hStdError=(HANDLE)Csock;
 
	if(CreateProcess(ProcessName, NULL, NULL, NULL, TRUE, DETACHED_PROCESS, NULL, NULL, &StartupInfo, &ProcessInformation)==0)
	{
		printf("[-] Error in fork() with CreateProcess: %u\n", GetLastError());
		return 0;	
	}
	CloseHandle(ProcessInformation.hProcess);
	CloseHandle(ProcessInformation.hThread);
 
	printf("[+] New process %u created !\n", ProcessInformation.dwProcessId);
 
	return 1;	
}
 
//
//
//
int Parent()
{
	int AddrLen;
	BOOL OptVal;
	SOCKET Ssock, Csock;
	SOCKADDR_IN Ssaddr, Csaddr;
 
	printf("[*] Windows vulnerable deamon by Ivanlef0u - H4CKZ ME - BE M4D!\n");
 
	//
	// Use WSASocket() instead of socket() because we don't want an asynchronous socket.
	//
	Ssock=WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
	if(Ssock==INVALID_SOCKET)
	{
		printf("[-] Error in Parent() with WSASocket(): %d\n", WSAGetLastError());	
		goto end;
	}
 
	OptVal=TRUE;
	if(setsockopt(Ssock, SOL_SOCKET, SO_REUSEADDR, (char*)&OptVal, sizeof(OptVal))==SOCKET_ERROR)
	{
		printf("[-] Error in Parent() with setsockopt(): %d\n", WSAGetLastError());	
		goto end;
	}
 
	Ssaddr.sin_family=AF_INET;
	Ssaddr.sin_port=htons(PORT);
	Ssaddr.sin_addr.s_addr=INADDR_ANY;
	if(bind(Ssock, (struct sockaddr *)&Ssaddr, sizeof(Ssaddr))==SOCKET_ERROR)
	{
		printf("[-] Error in Parent() with bind(): %d\n", WSAGetLastError());
		goto end;
	}
 
	if(listen(Ssock, 10)==SOCKET_ERROR)
	{
		printf("[-] Error in Parent() with listen(): %d\n", WSAGetLastError());
		goto end;
	}
 
	while(1)
	{
		AddrLen=sizeof(Csaddr);
		Csock=accept(Ssock, (struct sockaddr *)&Csaddr, &AddrLen);
		if(Csock==INVALID_SOCKET)
			continue;
		printf("[*] Connection from : %s:%hu\n", inet_ntoa(Csaddr.sin_addr), ntohs(Csaddr.sin_port));
 
		if(Fork(Csock)==0)
			printf("[-] Error in Parent() with Fork() :(\n");
 
		closesocket(Csock);
	}
 
end:
	closesocket(Ssock);
	WSACleanup();
	return 1;	
}
 
 
//
//
//
int Child()
{
	CHAR Buff[256];
	printf("How it taste motherfucker ?!\n");
	gets(Buff);  // BOFME !
	printf("%s\n", Buff);
	return 1;	
}
 
 
//
//
//
int __cdecl main(int argc, char * argv[])
{
	int Err, AddrLen;
	SOCKADDR_IN Csaddr;
	SOCKET Csock;
	WSADATA WSAData;
 
	Err=WSAStartup(WINSOCK_VERSION, &WSAData);
	if(Err!=0)
	{
		printf("[-] Error in main() with WSAStartup(): %d\n", Err);
		return 0;
	}
 
	//
	// Check if STD_INPUT_HANDLE is a socket. 
	// If yes then we are the child. 
	// If no we are the parend so we start the deamon.
	//
	Csock=(SOCKET)GetStdHandle(STD_INPUT_HANDLE);
	AddrLen=sizeof(Csaddr);
	if(getsockname(Csock, (struct sockaddr *)&Csaddr, &AddrLen)==0)
	{
		//
		// We don't need standard IO buffering
		//
		setvbuf(stdin, NULL, _IONBF, 0);
		setvbuf(stdout, NULL, _IONBF, 0);
		setvbuf(stderr, NULL, _IONBF, 0);	
 
		Child();
 
		closesocket(Csock);
		WSACleanup();
		TerminateProcess(GetCurrentProcess(), 0);		
	}
	else
		Parent();
 
	return 0;
}

Source+binaire:
http://ivanlef0u.fr/repo/exploitme.rar
hf!

2 comments septembre 5th, 2010


Calendar

septembre 2010
L Ma Me J V S D
« juil   nov »
 12345
6789101112
13141516171819
20212223242526
27282930  

Posts by Month

Posts by Category