
Thread: MS08-067 POCs?

  1. #11 | Member | Join Date: Dec 2007 | Location: @InterN0T | Posts: 315

    I wish someone would release a PoC in f.ex. Perl or C which just executes calc lol
    (then it would be easier to understand how and where to overwrite the EIP or SEH address)

  2. #12 | Good friend of the forums | Join Date: Jun 2008 | Posts: 425

    net use \\IPADDRESS\IPC$ /user:user creds
    die \\IPADDRESS \pipe\srvsvc

    Is that the exploit?
    I think some people have posted it, but I can't seem to find it. Does anyone know?

  3. #13 | Junior Member | Join Date: Feb 2008 | Posts: 26

    Here's the code of the vulnerable function on Windows XP SP3:

    #include <wchar.h>

    // This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3

    int ms08_067(wchar_t* path)
    {
        wchar_t* p;
        wchar_t* q;
        wchar_t* previous_slash = NULL;
        wchar_t* current_slash = NULL;
        wchar_t ch;

        // If the path starts with a server name, skip it

        if ((path[0] == L'\\' || path[0] == L'/') &&
            (path[1] == L'\\' || path[1] == L'/'))
        {
            p = path+2;

            // advance to the slash that terminates the server name
            // (the condition as originally posted used ||, which can never be false)

            while (*p != L'\\' && *p != L'/') {
                if (*p == L'\0')
                    return 0;
                p++;
            }

            p++;

            // make path point after the server name

            path = p;

            // make sure the server name is followed by a single slash

            if (path[0] == L'\\' || path[0] == L'/')
                return 0;
        }

        if (path[0] == L'\0') // return if the path is empty
            return 1;

        // Iterate through the path and canonicalize ..\ and .\

        p = path;

        while (1) {
            if (*p == L'\\') {
                // we have a slash

                if (current_slash == p-1) // don't allow consecutive slashes
                    return 0;

                // store the locations of the current and previous slashes

                previous_slash = current_slash;
                current_slash = p;
            }
            else if (*p == L'.' && (current_slash == p-1 || p == path)) {
                // we have \. or ^.

                if (p[1] == L'.' && (p[2] == L'\\' || p[2] == L'\0')) {
                    // we have a \..\, \..$, ^..\ or ^..$ sequence

                    if (previous_slash == NULL)
                        return 0;

                    // example: aaa\bbb\..\ccc
                    //             ^   ^  ^
                    //             |   |  &p[2]
                    //             |   |
                    //             |   current_slash
                    //             |
                    //             previous_slash

                    ch = p[2];

                    wcscpy(previous_slash, &p[2]);

                    if (ch == L'\0')
                        return 1;

                    current_slash = previous_slash;
                    p = previous_slash;

                    // find the slash before p

                    // BUG: if previous_slash points to the beginning of the
                    // string, we'll go beyond the start of the buffer
                    //
                    // example string: \a\..\

                    q = p-1;

                    while (*q != L'\\' && q != path)
                        q--;

                    if (*p == L'\\')
                        previous_slash = q;
                    else
                        previous_slash = NULL;
                }
                else if (p[1] == L'\\') {
                    // we have \.\ or ^.\

                    if (current_slash != NULL) {
                        wcscpy(current_slash, &p[1]);
                        goto end_of_loop;
                    }
                    else { // current_slash == NULL
                        wcscpy(p, p+2);
                        goto end_of_loop;
                    }
                }
                else if (p[1] != L'\0') {
                    // we have \. or ^. followed by some other char

                    if (current_slash != NULL) {
                        p = current_slash;
                    }
                    *p = L'\0';
                    return 1;
                }
            }

            p++;

        end_of_loop:
            if (*p == L'\0')
                return 1;
        }
    }

    // Run this program to simulate the MS08-067 vulnerability

    int main()
    {
        // the function writes into the path, so it needs a writable buffer
        // rather than a string literal
        wchar_t path[] = L"\\a\\..\\";
        return ms08_067(path);
    }
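
The "\a\..\" case from the decompiled function above, replayed as an added example that is not part of the thread: the backward scan is modelled on array offsets so the out-of-bounds read shows up as a negative offset instead of undefined behaviour, beside a bounds-checked scan that is this example's own fix, not Microsoft's patch. The input strings are constructed for the test.

```c
#include <wchar.h>

/* Model of the decompiled function's backward scan
 *     q = p - 1;  while (*q != L'\\' && q != path) q--;
 * on offsets: returns where the loop stops, or -1 the moment it would read
 * path[-1], which is what the "\a\..\" input makes the real code do. */
int scan_back_model(const wchar_t *path, long p_off)
{
    long q;
    for (q = p_off - 1; q >= 0; q--)
        if (path[q] == L'\\' || q == 0)
            return (int)q;
    return -1;                    /* the original reads before the buffer here */
}

/* Bounds-checked scan (this example's own fix, not the vendor patch): the
 * offset is tested before memory is touched.  Same answer as the original
 * wherever it did not underflow, 0 (start of path) where it would have. */
int scan_back_safe(const wchar_t *path, long p_off)
{
    long q;
    for (q = p_off - 1; q > 0; q--)
        if (path[q] == L'\\')
            return (int)q;
    return 0;
}

/* Replays the first "\..\" collapse of the decompiled loop on a copy of a
 * constructed input (at most 31 chars) and returns what the chosen scan then
 * reports: -1 underflow, else the previous backslash's offset; -2 = rejected. */
int replay_dotdot(const wchar_t *input, int safe)
{
    static wchar_t buf[32];                 /* buf[31] is never written, stays 0 */
    long i, cur = -1, prev = -1;            /* current_slash, previous_slash */
    wcsncpy(buf, input, 31);
    for (i = 0; buf[i] != L'\0'; i++) {
        if (buf[i] == L'\\') { prev = cur; cur = i; }
        else if (buf[i] == L'.' && cur == i - 1 && buf[i + 1] == L'.' &&
                 (buf[i + 2] == L'\\' || buf[i + 2] == L'\0')) {
            if (prev < 0)
                return -2;
            /* the original's wcscpy(previous_slash, &p[2]); wmemmove because the ranges overlap */
            wmemmove(buf + prev, buf + i + 2, wcslen(buf + i + 2) + 1);
            return safe ? scan_back_safe(buf, prev) : scan_back_model(buf, prev);
        }
    }
    return -2;
}
```

With "\a\..\" the modelled scan returns -1 (the read before the buffer), while a path such as "aaa\bbb\..\ccc" stays inside the buffer under both scans.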

  4. #14 | Good friend of the forums | Join Date: Jun 2008 | Posts: 425

    send path e.g. http://www.google.com
    = http://google.com http://google.com

    p = http://google.com http://google.com

    current_slash = http://google.com http://google.com

    ch = http://google.com
    previous_slash = null

    wcscpy(previous_slash, &p[2]);
    therefore
    previous_slash = http://google.com

    current_slash = http://google.com

    p = http://google.com

    int or unsigned int or char = p - 1

    damn, can someone take over, this is twisted logic

  5. #15 | Developer | Join Date: Mar 2007 | Posts: 6,126

    This is an interesting read...

    http://www.dontstuffbeansupyournose.com/

  6. #16 | Good friend of the forums | Join Date: Jun 2008 | Posts: 425

    Thanks.
    The sad thing is I didn't understand what they were saying. Arr, Google.

  7. #17 | Good friend of the forums | Join Date: Jun 2008 | Posts: 425

    Just checking, but
    net use \\IPADDRESS\IPC$ /user:user creds
    die \\\IPADDRESS \pipe\srvsvc
    or
    net use \\\IPADDRESS\IPC$ /user:user creds
    die \\IPADDRESS \pipe\srvsvc
    or
    net use \\\IPADDRESS\IPC$ /user:user creds
    die \\\IPADDRESS \pipe\srvsvc

    would do it?

  8. #18 | Junior Member | Join Date: Feb 2008 | Posts: 26

    The following Windows 2000 proof of concept and exploit are available to members of the Immunity Partners program:

    hxxps://xxx.immunityinc.com/downloads/immpartners/ms08_067.tgz
    hxxps://xxx.immunityinc.com/downloads/immpartners/ms08_067-2.tgz

    Immunity has released the following Windows XP SP3 exploit to members of the Immunity Partners program:

    hxxps://xxx.immunityinc.com/downloads/immpartners/ms08_067-3.tgz

  9. #19 | My life is this forum | thorin | Join Date: Jan 2010 | Posts: 2,629

    Quote Originally Posted by compaq:
        send path e.g. http://www.google.com
        = http://google.com http://google.com

        p = http://google.com http://google.com

        current_slash = http://google.com http://google.com

        ch = http://google.com
        previous_slash = null

        wcscpy(previous_slash, &p[2]);
        therefore
        previous_slash = http://google.com

        current_slash = http://google.com

        p = http://google.com

        int or unsigned int or char = p - 1

        damn, can someone take over, this is twisted logic
    Wrong protocol.

  10. #20 | Developer | Join Date: Mar 2007 | Posts: 6,126

    A Windows version of the exploit is now on milw0rm:
    http://www.milw0rm.com/exploits/6841
