axl
Aug 25 2003, 02:05 PM
great exploit!
but how do i scan 4 this shit ?!!?
http://www.thc.org/misc/sploits/THCREALbad.zip
N-joy
edit - scanning for port 554 will do - cheers!
axl
Aug 25 2003, 04:42 PM
checked!
working great!
Ripper
Aug 25 2003, 09:15 PM
yep axl, did you have a shell ????
Alexander01
Aug 26 2003, 08:27 AM
many scans, no shells..
axl
Aug 26 2003, 08:38 AM
3 scans
6 results
3 shells !
jurk-off
Aug 26 2003, 11:37 AM
ThnX a lot for this great share dude!!!! I'll check it out, hope this one works, i trust you
Jambo
Aug 26 2003, 12:19 PM
Lets see if I can use it
I'm curious
thx for posting
koko
Aug 26 2003, 12:24 PM
where's the scanner for this one ?
axl
Aug 26 2003, 12:28 PM
u dont need a scanner!!!
just scan for port 554 !
koko
Aug 26 2003, 01:55 PM
ok i found ips, i run thcrealbad on that ip, after it told me to nc on port 31337, it worked but after ? telnet on this port ?
mojo
Aug 26 2003, 02:03 PM
I'm having trouble finding any place that has realserver set up
rocco60
Aug 26 2003, 02:50 PM
hello veiled I have a small problem thus I scan port 554 with scan1000.exe all occurs well I have some results then I have it test with realscan.php until A it all is well it gives me the maid. the problem as soon as want to connect me with netcat with the order nc xxx.xxx.xxx.xxx 31337 the netcat window opens and is closed again at once, do you have an idea of what that could come from, thank you
ma622
Aug 26 2003, 03:15 PM
http://www.safermag.com/html/safer24/dos/02.html
it's written there that realservers run on port 7070 and here 554.....
what's the truth?
koko
Aug 26 2003, 04:12 PM
i think 554 is good cause with nscan i have :
- realaudvid0 -- open
so... but i dont have any shell for the moment
arhamz
Aug 27 2003, 07:20 AM
hm... thanx but didnt work for me either ....
koko
Aug 27 2003, 12:54 PM
same....nobody got some news ? :'(
ssj4conejo
Aug 27 2003, 04:59 PM
I have a small theory on scanning for real servers, which i will try very soon: why not look for real audio or real video sites that have like 100 different streams 1 click away, why not dns each one of the sites streaming, or if it's just an ip you already have what you want, then just try to exploit = ). it beats scanning for 5 hours.
DaywalkerX
Aug 27 2003, 07:53 PM
Hoi,
for me it works ok, 2 scans 8 results 1 haxxed....
I use NC for remote dos and tftp for file upload.
VincentVega
Aug 27 2003, 08:12 PM
i found a whole bunch of servers listening on port 554 using sfind
The scan proggie from Mazer does not work for me: without the PHP.ini file in my windows directory it stops scanning, and with the PHP.ini file nothing happens, only a prompt, and it stays black after the php.exe realscan.php command
if i press enter twice (because with the PHP.ini file it does not ask for the ip list and port) i will get a message (BTW i have windows XP Pro SP1):
X-Powered-By: PHP/4.2.3
Content-type: text/html
PHP Warning: file("") - No error in D:\RealServerexploit\realscan.php on line 82
PHP Notice: Undefined offset: 1 in D:\RealServerexploit\realscan.php on line 87
Please input the file with the IPLIST-:#
Please input the Port(DEFAULT 554) to Scan-:#
\\ PHP REALSERVER Scanner by >maZER<
\\ IPLIST:
\\ Port: 554
// RESULTS ARE WRITTEN IN -result.txt
So it did not scan anything!
so i decided to manually enter all the ip's that are listening on port 554 with the THCrealbad exploit tool, i found a lot of servers:
examples
x.x.x.x Detected OS: Microsoft-IIS/5.0
x.x.x.x Detected OS: WMServer/9.0.0.3372
x.x.x.x Detected OS: RealServer Version 8.0.1.367 (irix-6.2-mips)
x.x.x.x Detected OS: RealServer Version 8.0.1.367 (linux-2.0-libc6-i386)
every time THCrealbad says:
exploit send .... sleeping a while ....
ok ... now try to connect to port 31337 via netcat !
So what do i do from dos: nc.exe ip 31337
then it waits for a while (me hoping for a shell)
but every time till now nothing happens
What am i doing wrong OR is there anything wrong with this exploit?
DaywalkerX
Aug 27 2003, 08:28 PM
start [ thcrealbad ip 2 ] then u become an info about the running OS, make sure u start then thcrealbad with the correct value 0 / Windows | 1 / Linux .
mortello
Aug 28 2003, 04:43 AM
Guys, that exploit works, but it's nothing compared to what RPC used to be
be patient and get info on the OS the comp is running
that will help you a lot (does with me ---> 10 results so far with that exploit)
fredje
Aug 28 2003, 02:06 PM
HI, a lot of times i get this result
QTSS/4.1.3 (Build/412.45; Platform/MacOSX)
do i have to go for option 0 or 1?
and i only seem to get success with windows servers,..
thnx
fredje
Shivers123
Sep 5 2003, 09:39 AM
Is there A version of THCREALbad that works for realservers that are on port 7070??
QUOTE (fredje @ Aug 28 2003, 02:06 PM)
HI,. a lot of times a get this result QTSS/4.1.3 (Build/412.45; Platform/MacOSX)
do i have to go for option 0 or 1?
and i only seem to get succes with windows servers,..
thnx
fredje
everyone who reads this thread plz look throughout the board since there are numerous posts on this exploit and this thread is rather old. the exploit works rather good. you can't exploit the macosx machines and all others that turn up that are not realservers either. if you are looking for a good scanner check out the file download section. plz do not !!!! share that scanner or post it on fxp boards or any other site for that matter without consulting mazer. the scanner also gives output if the servers are vulnerable or not, basing on experience a lot of ppl have made with realservers. if you successfully exploited and can not connect then your target box most likely has a firewall blocking the port nc wants to connect, forgot the port something with 341** .
if the scanner hangs then kill real.exe and it will go to the next ip. if it hangs again do the same til it doesnt hang anymore. out of experience i can say it hangs often but killing real.exe does the job very good . if you scanned and have a scanlist like
65.x.x.x
65.x.x.y
65.x.x.z
65.x.x.w
65.x.x.lame
etc.
[EDITED BY THE MODERATOR: DO NOT INCLUDE REAL IP RANGES EVEN IF YOU JUST MAKE THEM UP AND THEY MAY OR MAY NOT ACTUALLY HAVE SYSTEMS ON THEM - USE THE RFC1918 RANGES LIKE 10.0.0.0 OR MUNGE YOUR IPS]
probability is very high they are running another service on port 554 which will bring the scanner to a halt so you can delete those ip's. now mazers scanner version3 deals with this in a fairly good manner and just times out and goes to the next.
bring patience as most ppl in this thread said it isn't like rpc. it takes time and patience to find some vulnerable hosts where that do not have a firewall blocking port 341** .
hope i answered some questions and if possible check out the other threads concerning this exploit, eg. the scanner threads in file downloads and read through some of the threads cause a lot of ppl posted their experience with the exploit there and will answer a lot of questions
StreetZone_
Sep 5 2003, 04:09 PM
maZer`-
Sep 5 2003, 05:24 PM
THX PSR that you told the Users there! ;D
Really big thx!
But the New scanner didnt hangs!

And he got a Honeypot Protection

My isp provider kicked me on scanning realservers with realscanv2

In the letter of my ISP was the ip of the Honeypot!
I looked on the Ports and anything!
This machine like to be invisible!
But all ports are opened and any port will answer ya!

I included a kill function! If u connect to one the EXE will hang up for 30 seconds!
gogu258
Sep 6 2003, 12:14 AM
Check for NSCAN from nscan.hypermart.com. It's just a simple port scanner but works fine. Make your list with RS servers and use MAZE scanner to verify. QTSS doesn't work....
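The posts above describe a fixed sequence on the wire: a connection to port 554, then a connection attempt from the same source to port 31337 on the same host. The following is an added detection example, not part of any post in this thread; the log format, the 10-minute window and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

RTSP_PORT = 554      # port the thread scans for
SHELL_PORT = 31337   # port the tool tells its user to connect to afterwards
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample log; the format (time src dst dport action) is hypothetical.
SAMPLE_LOG = """\
2003-08-27T20:01:10 192.0.2.10 10.0.0.5 554 ACCEPT
2003-08-27T20:01:40 192.0.2.10 10.0.0.5 31337 DROP
2003-08-27T20:02:00 192.0.2.44 10.0.0.6 554 ACCEPT
2003-08-27T21:30:00 192.0.2.44 10.0.0.6 31337 DROP
2003-08-27T20:03:00 192.0.2.77 10.0.0.7 31337 DROP
2003-08-27T20:04:00 192.0.2.10 10.0.0.8 554 ACCEPT
2003-08-27T20:04:30 192.0.2.10 10.0.0.8 31337 ACCEPT
"""

def parse(line):
    """Split one log line into (time, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def find_followups(log_text, window=WINDOW):
    """Return (dst, src, severity) for each 554 -> 31337 sequence.

    'warning'  = the follow-up to 31337 was dropped by the firewall.
    'critical' = the follow-up was accepted, so it reached the host.
    """
    last_rtsp = {}  # (src, dst) -> time of the latest connection to 554
    alerts = []
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, src, dst, dport, action in events:
        key = (src, dst)
        if dport == RTSP_PORT:
            last_rtsp[key] = ts
        elif dport == SHELL_PORT and key in last_rtsp:
            if ts - last_rtsp[key] <= window:
                severity = "critical" if action == "ACCEPT" else "warning"
                alerts.append((dst, src, severity))
    return alerts

if __name__ == "__main__":
    for dst, src, severity in find_followups(SAMPLE_LOG):
        print(f"{severity}: {src} hit {dst}:554 then tried {dst}:31337")
```

A dropped follow-up matches the case described in the thread where a firewall blocks the second connection; an accepted one means the host should be pulled for inspection.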