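/*
 * Lsassscan.c - LSASS Remote Buffer OverFlow (MS04-011) Scanner.
 *
 * Copyright (C) 2004 FZK All Rights Reserved.
 * Author   : fzk (sysadm@21cn.com), http://www.ns-one.com
 * Notice   : Credits for vulnerability go to EEYE
 * Date     : 2004-05-18
 * Compile  : cl lsassscan.c          (Windows only: Winsock, CreateThread)
 *
 * What it does: for every address in [start, end] it connects to the scan
 * port, sends one SMB request (command 0x72, carrying the dialect strings
 * "LANMAN1.0", "Windows for Workgroups 3.1a", "NT LM 0.12") and, if that is
 * answered with NT status 0, a second one (command 0x73, carrying an
 * "NTLMSSP" blob). The host is then classified only by the NT status field
 * of the second reply; no exploit payload is sent. The classification is the
 * original author's heuristic, not a proof of exploitability - confirm
 * against the host's actual patch level before acting on it. Only scan
 * ranges you are authorised to test.
 *
 * Usage: lsassscan <Options>
 *   -s  Start IP
 *   -e  End IP
 *   -p  Scan Port       Default: 445
 *   -t  Scan Thread     Default: 100     (accepted range 10..300)
 *   -l  Log file        Default: lsass.txt
 *   -n  Note            free text written to the first log line
 */
#include <winsock2.h>
#include <ws2tcpip.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32")

#define SCANPORT                  445
#define DEFTHREAD                 100
#define DEFLOGFILE                "lsass.txt"
#define VERSION                   "1.0"

/* Per-reply receive timeout, in seconds. */
#define PROBE_TIMEOUT_SEC         3

/* Shortest reply we inspect: 4-byte NetBIOS session header + SMB header up
 * to and including the 4-byte NT status at offsets 9..12. */
#define SMB_MIN_REPLY             13

/* NT status values the original compared byte-by-byte at offsets 9..12
 * (little-endian). Which of them means "vulnerable" is the author's
 * heuristic; see the file header. */
#define NT_STATUS_SUCCESS                  0x00000000UL
#define NT_STATUS_MORE_PROCESSING_REQUIRED 0xC0000016UL
#define NT_STATUS_INVALID_PARAMETER        0xC000000DUL

/* Probe 1: SMB command 0x72 with three dialect strings (see header). */
static const char lsassrequest1[] =
    "\x00\x00\x00\x57\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x08\x01\xc8"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x66\x7a"
    "\x6b\x00\x00\x00\x00\x34\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e"
    "\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02"
    "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";

/* Probe 2: SMB command 0x73 carrying an "NTLMSSP" blob. */
static const char lsassrequest2[] =
    "\x00\x00\x00\x9e\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x08\x01\xc8"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
    "\x00\x00\x00\x00\x0c\xff\x00\x00\x00\x01\x40\x02\x00\x01\x00\x00"
    "\x00\x00\x00\x44\x00\x00\x00\x00\x00\x5c\x00\x00\x80\x63\x00\x60"
    "\x61\x06\x81\x06\x2b\x06\x01\x05\x05\x02\xa0\x56\x30\x54\xa0\x1a"
    "\x30\x18\x06\x0a\x2b\x06\x01\x03\x86\xaa\x95\xf2\x33\x06\x06\x0a"
    "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x36\x04\x34\x4e\x54"
    "\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xe0\x00\x20"
    "\x20\x20\x20\x00\x20\x20\x00\x00\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x00\x00\x00\x00\x20\x20\x00\x00\x20\x20\x00\x20\x20\x20"
    "\x20\x00";

/* Options and progress state. iPort/iThread/filename/fp are set in main()
 * before any thread starts; scannum and scanned are touched by the main
 * thread only. */
int iPort = SCANPORT, iThread = DEFTHREAD;
int scanned = 0, scannum = 0;
char *filename = DEFLOGFILE;
FILE *fp;

/* Counters updated from worker threads: modify only via Interlocked*().
 * The original used plain int ++/-- from many threads, i.e. a data race. */
volatile LONG found = 0, foundport = 0, patched = 0, maxthread = 0;

/* Print the command-line help. p is the program name (argv[0]). */
void usage(const char *p)
{
    printf("Usage:\t%s\t<Options>\n\n"
           "[Options:]\n"
           "\t-s\tStart IP\n"
           "\t-e\tEnd IP\n"
           "\t-p\tScan Port           Default: %d\n"
           "\t-t\tScan Thread         Default: %d\n"
           "\t-l\tLog file            Default: %s\n"
           "\t-n\tNote\n\n",
           p, SCANPORT, DEFTHREAD, DEFLOGFILE);
}

/* Poll until no worker threads remain, but give up after ~10 s
 * (101 polls x 100 ms) so a stuck connect() cannot hang the scanner. */
void WaitThreadEnd(void)
{
    int i;

    printf("\r\n");
    for (i = 0; i <= 100; i++) {
        printf("[+] Please wait %d Thread end...  \r", (int)maxthread);
        if (maxthread == 0)
            break;
        Sleep(100);
    }
}

/* Throttle: block the caller (main) while at least `thread` workers are
 * alive, printing progress meanwhile. The name is historical; it does not
 * test anything. */
void TestThread(int thread)
{
    for (;;) {
        /* scannum is decremented for skipped .0/.255 hosts and can reach 0. */
        int pct = scannum > 0 ? scanned * 100 / scannum : 0;

        printf("[+] %2d%% Complete...  \r", pct);
        if (maxthread < thread)
            break;
        Sleep(200);
    }
}

/* Wait up to PROBE_TIMEOUT_SEC for data on s, then read one chunk into buf.
 * Returns the recv() byte count (0 = peer closed), or -1 on timeout or on a
 * select()/recv() error. buf is zeroed first so later offset checks never
 * see stale bytes from a previous reply or uninitialised stack.
 * A real fd_set replaces the original's hand-built { count, socket } pair,
 * whose layout only matches Winsock's fd_set when SOCKET is 32 bits wide. */
static int wait_recv(SOCKET s, char *buf, int len)
{
    fd_set rfds;
    struct timeval timeout;
    int n;

    FD_ZERO(&rfds);
    FD_SET(s, &rfds);
    timeout.tv_sec = PROBE_TIMEOUT_SEC;
    timeout.tv_usec = 0;

    if (select(0, &rfds, NULL, NULL, &timeout) != 1)
        return -1;

    memset(buf, 0, (size_t)len);
    n = recv(s, buf, len, 0);
    return n == SOCKET_ERROR ? -1 : n;
}

/* True when buf holds at least SMB_MIN_REPLY bytes and the little-endian
 * 32-bit NT status at offsets 9..12 equals `status`. The original compared
 * those bytes even when recv() returned 0, reading garbage. */
static int smb_status_is(const char *buf, int len, unsigned long status)
{
    unsigned long got;

    if (len < SMB_MIN_REPLY)
        return 0;
    got = (unsigned long)(unsigned char)buf[9]
        | ((unsigned long)(unsigned char)buf[10] << 8)
        | ((unsigned long)(unsigned char)buf[11] << 16)
        | ((unsigned long)(unsigned char)buf[12] << 24);
    return got == status;
}

/* Worker: probe one host. `ip` is a host-order IPv4 address smuggled through
 * the LPVOID (see main()). Increments foundport when the port accepts a
 * connection, and found/patched according to the second reply; writes
 * "VULNERABLE" hits to the log. Always decrements maxthread on exit.
 * Returns 1 when a socket was obtained, 0 otherwise (callers ignore it). */
DWORD WINAPI scanlsass(LPVOID ip)
{
    /* Cast via uintptr_t: the original's (int)ip truncates on 64-bit. */
    unsigned long ipaddr = (unsigned long)(uintptr_t)ip;
    unsigned long nonblock = 1;
    char recvbuf[2048];
    /* The original never resolved a host name but printed this buffer
     * uninitialised; keep it empty so the output format is unchanged. */
    const char *hostName = "";
    const char *addr;
    SOCKET s;
    struct sockaddr_in server;
    DWORD rc = 0;
    int l;

    memset(&server, 0, sizeof server);
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(ipaddr);
    server.sin_port = htons((USHORT)iPort);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET)
        goto done;
    rc = 1;

    /* connect() is left blocking as in the original; the thread cap in
     * main() bounds how many probes can be stuck here at once. */
    if (connect(s, (struct sockaddr *)&server, sizeof(server)) != 0)
        goto close;

    InterlockedIncrement(&foundport);
    /* inet_ntoa()'s static buffer is reused by later calls on this thread;
     * take the pointer once. */
    addr = inet_ntoa(server.sin_addr);

    if (ioctlsocket(s, FIONBIO, &nonblock) != 0)
        goto close;

    /* send() returns SOCKET_ERROR (-1) on failure, which the original's
     * `if (send(...))` treated as success because -1 is truthy. */
    if (send(s, lsassrequest1, (int)sizeof(lsassrequest1) - 1, 0) == SOCKET_ERROR)
        goto close;

    l = wait_recv(s, recvbuf, (int)sizeof recvbuf);
    if (!smb_status_is(recvbuf, l, NT_STATUS_SUCCESS))
        goto close;

    if (send(s, lsassrequest2, (int)sizeof(lsassrequest2) - 1, 0) == SOCKET_ERROR)
        goto close;

    l = wait_recv(s, recvbuf, (int)sizeof recvbuf);
    if (smb_status_is(recvbuf, l, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
        InterlockedIncrement(&found);
        printf("[+] %s\tVULNERABLE!!!\t%s\r\n", addr, hostName);
        /* fprintf/fflush are per-call locked by the CRT; the two calls are
         * not atomic together but each log line stays intact. */
        fprintf(fp, "%s\t%s\r\n", addr, hostName);
        fflush(fp);
    } else if (smb_status_is(recvbuf, l, NT_STATUS_INVALID_PARAMETER)) {
        InterlockedIncrement(&patched);
        printf("[-] %s\tPatched.\t%s\r\n", addr, hostName);
    }
    /* Any other reply is neither counted nor reported (as in the original). */

close:
    Sleep(50);              /* brief pause before teardown, kept from the original */
    closesocket(s);
done:
    InterlockedDecrement(&maxthread);
    return rc;
}

/* Parse a decimal option value into *out. Returns 0 on success, -1 when the
 * string is empty, has trailing characters, or does not fit an int. */
static int parse_int(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Entry point: parse "-x value" options, open the log, walk the address
 * range spawning one scanlsass() thread per host (throttled to iThread
 * concurrent workers), then wait for the workers and print totals.
 * Returns -1 on a usage or setup error, 1 after a completed scan. */
int main(int argc, char **argv)
{
    int i;
    char *startip = NULL, *endip = NULL, *note = NULL;
    unsigned long netstart, netstop, hoststart, hoststop, portip;
    WSADATA wsadata;

    printf("LSASS Remote Buffer OverFlow (MS04-011) Scanner V%s (2004-05-18)\r\n"
           "Credits for vulnerability go to EEYE\r\n"
           "Code by fzk (sysadm@21cn.com), http://www.ns-one.com\r\n\n",
           VERSION);

    if (argc < 2) {
        usage(argv[0]);
        return -1;
    }

    for (i = 1; i < argc; i += 2) {
        /* Every option is "-x value"; reject a malformed switch or a
         * trailing switch with no value. */
        if (strlen(argv[i]) != 2 || argv[i][0] != '-' || i == argc - 1) {
            usage(argv[0]);
            return -1;
        }
        switch (argv[i][1]) {
        case 's':
            startip = argv[i + 1];
            break;
        case 'e':
            endip = argv[i + 1];
            break;
        case 'p':
            /* A non-numeric value becomes 0 and fails the range check below
             * (the original's atoi() silently accepted "44x" as 44). */
            if (parse_int(argv[i + 1], &iPort) != 0)
                iPort = 0;
            break;
        case 't':
            if (parse_int(argv[i + 1], &iThread) != 0)
                iThread = 0;
            break;
        case 'l':
            filename = argv[i + 1];
            break;
        case 'n':
            note = argv[i + 1];
            break;
        default:
            /* The original silently ignored unknown switches. */
            usage(argv[0]);
            return -1;
        }
    }

    if (startip == NULL || endip == NULL) {
        printf("[-] Please enter start and end ip!\r\n");
        return -1;
    }
    if (iPort < 1 || iPort > 65535) {
        usage(argv[0]);
        printf("[-] Invalid port.\n");
        return -1;
    }
    if (iThread < 10 || iThread > 300) {
        usage(argv[0]);
        printf("[-] Invalid thread.\n");
        return -1;
    }

    /* inet_addr() reports a malformed address as INADDR_NONE; the original
     * did not check and would scan from 255.255.255.255. (A literal
     * 255.255.255.255 is indistinguishable from the error and is rejected.) */
    netstart = inet_addr(startip);
    netstop = inet_addr(endip);
    if (netstart == INADDR_NONE || netstop == INADDR_NONE) {
        printf("[-] Invalid start or end ip!\r\n");
        return -1;
    }
    /* Unsigned host order: with the original's int, addresses >= 128.0.0.0
     * were negative, so `% 256 == 255` never matched and broadcast
     * addresses were not skipped. */
    hoststart = ntohl(netstart);
    hoststop = ntohl(netstop);
    if (hoststart > hoststop) {
        printf("[-] Start ip is after end ip!\r\n");
        return -1;
    }

    fp = fopen(filename, "a+");
    if (fp == NULL) {
        printf("[-] Open log file:%s error!\r\n", filename);
        return -1;
    }
    /* -n is optional; passing NULL to %s is undefined behaviour. */
    fprintf(fp, "%s-%s %s\r\n", startip, endip, note ? note : "");
    fflush(fp);

    if (WSAStartup(MAKEWORD(1, 1), &wsadata) != 0) {
        printf("wsatartup error");
        fclose(fp);
        return -1;
    }

    scannum = (int)(hoststop - hoststart + 1);

    for (portip = hoststart;; portip++) {
        HANDLE h;

        /* Skip the network (.0) and broadcast (.255) address of each /24.
         * (The original's comment called .0 "localhost"; it is not.) */
        if ((portip & 0xFF) == 0 || (portip & 0xFF) == 255) {
            scannum--;
        } else {
            TestThread(iThread);
            /* Count the worker before it exists so its own decrement can
             * never run ahead of the increment (the original incremented
             * afterwards in the for-step). */
            InterlockedIncrement(&maxthread);
            h = CreateThread(0, 0, scanlsass, (LPVOID)(uintptr_t)portip, 0, 0);
            if (h == NULL)
                InterlockedDecrement(&maxthread);   /* no worker to wait for */
            else
                CloseHandle(h);                     /* avoid leaking one handle per host */
            Sleep(20);
            scanned++;
        }
        /* Compare after the body so hoststop == 0xFFFFFFFF cannot wrap. */
        if (portip == hoststop)
            break;
    }

    Sleep(5000);
    WaitThreadEnd();
    /* WaitThreadEnd() gives up after ~10 s; only tear down shared state when
     * no worker can still be writing to fp or using Winsock. Process exit
     * flushes the stream otherwise. */
    if (maxthread == 0) {
        fclose(fp);
        WSACleanup();
    } else {
        fflush(fp);
    }
    printf("[+] Host search %d host complete.\r\n", scannum);
    printf("[+] Found %d port, %d vlun host!\r\n", (int)foundport, (int)found);
    return 1;
}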
