net use \\IPADDRESS\IPC$ /user:user creds
die \\IPADDRESS \pipe\srvsvc
Is that the exploit?
I think some people have posted it out, but I can't seem to find it. Does anyone know?
I wish someone would release a PoC in f.ex. Perl or C which just executes calc lol
(then it would be easier to understand how and where to overwrite the EIP or SEH address)
[quote][I]I realized, that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain. [/I]- MaXe[/quote]
[quote]net use \\IPADDRESS\IPC$ /user:user creds
die \\IPADDRESS \pipe\srvsvc
Is that the exploit?
I think some people have posted it out, but I can't seem to find it. Does anyone know?[/quote]
Here's the code of the vulnerable function on Windows XP SP3:
[code]
#include <wchar.h>

// This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3

int ms08_067(wchar_t* path)
{
    wchar_t* p;
    wchar_t* q;
    wchar_t* previous_slash = NULL;
    wchar_t* current_slash = NULL;
    wchar_t ch;

    // If the path starts with a server name, skip it

    if ((path[0] == L'\\' || path[0] == L'/') &&
        (path[1] == L'\\' || path[1] == L'/'))
    {
        p = path+2;

        // advance to the slash that terminates the server name
        // (the posted version had || here, which is never false, so the
        // loop could only ever end at the terminating NUL)
        while (*p != L'\\' && *p != L'/') {
            if (*p == L'\0')
                return 0;
            p++;
        }

        p++;

        // make path point after the server name
        path = p;

        // make sure the server name is followed by a single slash
        if (path[0] == L'\\' || path[0] == L'/')
            return 0;
    }

    if (path[0] == L'\0')   // return if the path is empty
        return 1;

    // Iterate through the path and canonicalize ..\ and .\

    p = path;

    while (1) {
        if (*p == L'\\') {
            // we have a slash
            if (current_slash == p-1)   // don't allow consecutive slashes
                return 0;

            // store the locations of the current and previous slashes
            previous_slash = current_slash;
            current_slash = p;
        }
        else if (*p == L'.' && (current_slash == p-1 || p == path)) {
            // we have \. or ^.

            if (p[1] == L'.' && (p[2] == L'\\' || p[2] == L'\0')) {
                // we have a \..\, \..$, ^..\ or ^..$ sequence

                if (previous_slash == NULL)
                    return 0;

                // example: aaa\bbb\..\ccc
                //             ^   ^  ^
                //             |   |  &p[2]
                //             |   |
                //             |   current_slash
                //             |
                //             previous_slash

                ch = p[2];
                wcscpy(previous_slash, &p[2]);

                if (ch == L'\0')
                    return 1;

                current_slash = previous_slash;
                p = previous_slash;

                // find the slash before p
                // BUG: if previous_slash points to the beginning of the
                // string, we'll go beyond the start of the buffer
                //
                // example string: \a\..\

                q = p-1;
                while (*q != L'\\' && q != path)
                    q--;

                if (*p == L'\\')
                    previous_slash = q;
                else
                    previous_slash = NULL;
            }
            else if (p[1] == L'\\') {
                // we have \.\ or ^.\

                if (current_slash != NULL) {
                    wcscpy(current_slash, &p[1]);
                    goto end_of_loop;
                }
                else { // current_slash == NULL
                    wcscpy(p, p+2);
                    goto end_of_loop;
                }
            }
            else if (p[1] != L'\0') {
                // we have \. or ^. followed by some other char

                if (current_slash != NULL) {
                    p = current_slash;
                }

                *p = L'\0';
                return 1;
            }
        }

        p++;

end_of_loop:
        if (*p == L'\0')
            return 1;
    }
}

// Run this program to simulate the MS08-067 vulnerability
// (the path has to live in a writable array rather than a string
// literal, because the function rewrites it in place)

int main()
{
    wchar_t path[] = L"\\a\\..\\";
    return ms08_067(path);
}
[/code]
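To put next to the decompiled function, here is an added example (my own code, not from the post above and not the netapi32 fix) of what a bounds-checked version of the same canonicalisation step looks like. The decompiled loop keeps raw pointers to the previous and current slash and walks `q = p-1` backwards, which is exactly what runs off the front of the buffer for `\a\..\`. The version below keeps an explicit stack of component offsets instead, so a `..` that has nothing left to pop is rejected rather than dereferenced. The component rules (drop `.`, pop on `..`, reject doubled separators, keep everything else verbatim), the `MAX_DEPTH` limit and the names `canonicalize_safe` and `canon_expect` are assumptions of this example; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define MAX_DEPTH 64   /* assumed limit on kept path components */

/* Bounds-checked in-place canonicaliser for "\"-separated paths.
 * Returns 1 (path accepted and rewritten in place) or 0 (rejected),
 * mirroring the return codes of the decompiled function. Every read
 * and write is an index into the string itself and the write cursor
 * never passes the read cursor, so "\a\..\" cannot reach before the
 * start of the buffer. Rules (chosen for this example):
 *   - consecutive backslashes are rejected
 *   - "."  components are dropped
 *   - ".." pops the previously kept component, or rejects if there is none
 *   - any other component, including ".foo", is kept verbatim
 */
int canonicalize_safe(wchar_t *path)
{
    size_t comp_start[MAX_DEPTH]; /* output offset (before its separator) of each kept component */
    size_t depth = 0;             /* kept components currently on the stack */
    size_t in = 0, out = 0;       /* read and write cursors; out never exceeds in */
    int trailing = 0;             /* input ended with a separator */

    if (path[0] == L'\\')         /* absolute path: the root separator stays and is never popped */
        in = out = 1;

    while (path[in] != L'\0') {
        size_t len = 0;
        while (path[in + len] != L'\0' && path[in + len] != L'\\')
            len++;
        if (len == 0)
            return 0;             /* empty component == consecutive separators */

        if (len == 1 && path[in] == L'.') {
            /* "." contributes nothing */
        } else if (len == 2 && path[in] == L'.' && path[in + 1] == L'.') {
            if (depth == 0)
                return 0;         /* this is the spot where the original walks before the buffer */
            depth--;
            out = comp_start[depth];   /* rewind output to where the popped component began */
        } else {
            if (depth == MAX_DEPTH)
                return 0;
            comp_start[depth] = out;
            if (depth > 0)
                path[out++] = L'\\';   /* separator between kept components */
            depth++;
            wmemmove(path + out, path + in, len);   /* overlapping copy is fine: out <= in */
            out += len;
        }

        in += len;
        if (path[in] == L'\\') {
            in++;
            if (path[in] == L'\0')
                trailing = 1;
        }
    }

    if (trailing && out > 0 && path[out - 1] != L'\\')
        path[out++] = L'\\';
    path[out] = L'\0';
    return 1;
}

/* Demonstration helper: canonicalise a copy of `input` and report whether
 * the return code (and, for accepted paths, the rewritten string) match. */
int canon_expect(const wchar_t *input, int expect_rc, const wchar_t *expect_path)
{
    wchar_t buf[256];
    if (wcslen(input) >= sizeof buf / sizeof buf[0])
        return 0;
    wcscpy(buf, input);
    int rc = canonicalize_safe(buf);
    if (rc != expect_rc)
        return 0;
    return rc == 0 || wcscmp(buf, expect_path) == 0;
}

int main(void)
{
    /* constructed sample inputs, the first being the string from the post */
    const wchar_t *samples[] = {
        L"\\a\\..\\", L"aaa\\bbb\\..\\ccc", L"\\..\\x", L"a\\\\b", L"\\.\\a\\.\\b"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        wchar_t buf[256];
        wcscpy(buf, samples[i]);
        int rc = canonicalize_safe(buf);
        wprintf(L"%-20ls -> rc=%d %ls\n", samples[i], rc, rc ? buf : L"(rejected)");
    }
    return 0;
}
```

The point of the stack of offsets is that "the slash before the previous slash" is never searched for: it is already recorded, and when the stack is empty there is no pointer to follow, only a return value of 0.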
send path eg, http://www.google.com
= http://google.com http://google.com
p = http://google.com http://google.com
current_slash =http://google.com http://google.com
ch = http://google.com
previous_slash = null
wcscpy(previous_slash, &p[2]);
therefore
previous_slash = http://google.com
current_slash = http://google.com
p = http://google.com
int or unsigned int or char = p - 1
Damn, can someone take over? This is twisted logic.
This is an interesting read...
http://www.dontstuffbeansupyournose.com/
Thanks.
The sad thing is I didn't understand what they were saying. Arr, Google.
Just checking, but
net use \\IPADDRESS\IPC$ /user:user creds
die \\\IPADDRESS \pipe\srvsvc
or
net use \\\IPADDRESS\IPC$ /user:user creds
die \\IPADDRESS \pipe\srvsvc
or
net use \\\IPADDRESS\IPC$ /user:user creds
die \\\IPADDRESS \pipe\srvsvc
would do it?
The following Windows 2000 proof of concept and exploit are available to members of the Immunity Partners program:
hxxps://xxx.immunityinc.com/downloads/immpartners/ms08_067.tgz
hxxps://xxx.immunityinc.com/downloads/immpartners/ms08_067-2.tgz
Immunity has released the following Windows XP SP3 exploit to members of the Immunity Partners program:
hxxps://xxx.immunityinc.com/downloads/immpartners/ms08_067-3.tgz
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
A Windows version of the exploit is now on milw0rm:
http://www.milw0rm.com/exploits/6841