|
|
|
 |
Burner
Sep 11 2003, 05:52 PM
here is tha code dunno if it is the good one hopefully it is a good one
greetz
| CODE |
http://www.security.nnov.ru/search/document.asp?docid=5082
can everyone compile this, for Windows ??
# The script code starts here
#
function dcom_recv(socket)
{
local_var buf, len;
buf = recv(socket:socket, length:10);
if(strlen(buf) != 10)return NULL;
len = ord(buf[8]);
len += ord(buf[9])*256;
buf += recv(socket:socket, length:len - 10);
return buf;
}
port = 135;
if(!get_port_state(port))port = 593;
else {
soc = open_sock_tcp(port);
if(!soc)port = 593;
else close(soc);
}
if(!get_port_state(port))exit(0);
#-------------------------------------------------------------#
function hex2raw(s)
{
local_var i, j, ret;
for(i=0;i<strlen(s);i+=2)
{
if(ord(s[i]) >= ord("0") && ord(s[i]) <= ord("9"))
j = int(s[i]);
else
j = int((ord(s[i]) - ord("a")) + 10);
j *= 16;
if(ord(s[i+1]) >= ord("0") && ord(s[i+1]) <= ord("9"))
j += int(s[i+1]);
else
j += int((ord(s[i+1]) - ord("a")) + 10);
ret += raw_string(j);
}
return ret;
}
#--------------------------------------------------------------#
function check(req)
{
local_var soc, bindstr, error_code, r;
soc = open_sock_tcp(port);
if(!soc)exit(0);
bindstr =
& #34;05000b03100000004800000001000000d016d016000000000100000000000100a00100000000
0000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";
send(socket:soc, data:hex2raw(s:bindstr));
r = dcom_recv(socket:soc);
if(!r)exit(0);
send(socket:soc, data:req);
r = dcom_recv(socket:soc);
if(!r)return NULL;
close(soc);
error_code = substr(r, strlen(r) - 4, strlen(r));
return error_code;
}
function check2(req)
{
local_var soc,bindstr, error_code, r;
soc = open_sock_tcp(port);
if(!soc)exit(0);
bindstr =
& #34;05000b03100000004800000001000000d016d016000000000100000000000100a00100000000
0000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";
send(socket:soc, data:hex2raw(s:bindstr));
r = dcom_recv(socket:soc);
if(!r)exit(0);
send(socket:soc, data:req);
r = dcom_recv(socket:soc);
if(!r)return NULL;
error_code = substr(r, strlen(r) - 24, strlen(r) - 20);
return error_code;
}
#---------------------------------------------------------------#
# Determine if we the remote host is running Win95/98/ME
bindwinme =
& #34;05000b03100000004800000053535641d016d016000000000100000000000100e6730ce6f988
cf119af10020af6e72f402000000045d888aeb1cc9119fe808002b10486002000000";
soc = open_sock_tcp(port);
if(!soc)exit(0);
send(socket:soc, data:hex2raw(s:bindwinme));
rwinme = dcom_recv(socket:soc);
close(soc);
lenwinme = strlen(rwinme);
stubwinme = substr(rwinme, lenwinme-24, lenwinme-21);
# This is Windows 95/98/ME which is not vulnerable
if("02000100" >< hexstr(stubwinme))exit(0);
#----------------------------------------------------------------#
REGDB_CLASS_NOTREG = "5401048000";
CO_E_BADPATH = "0400088000";
NT_QUOTE_ERROR_CODE_EQUOTE = "00000000";
#
req1 =
& #34;0500000310000000b00300000100000098030000000004000500020000000000000000000000
000000000000000000000000000000000000000000009005140068030000680300004d454f570400
0000a201000000000000c0000000000000463803000000000000c000000000000046000000003803
0000300300000000000001100800ccccccccc80000000000000030030000d8000000000000000200
0000070000000000000000000000000000000000000018018d00b8018d000000000007000000b901
000000000000c000000000000046ab01000000000000c000000000000046a501000000000000c000
000000000046a601000000000000c000000000000046a401000000000000c000000000000046ad01
000000000000c000000000000046aa01000000000000c00000000000004607000000600000005800
00009000000058000000200000006800000030000000c000000001100800cccccccc500000000000
0000ffffffff00000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000001100800cccccccc4800000000000000005d889aeb1cc9119fe808002b104860100000000000
0000000000000100000000000000b84!
70a005800
000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc8000
0000000000000000000000000000000000000000000020ba09000000000060000000600000004d45
4f5704000000c001000000000000c0000000000000463b03000000000000c0000000000000460000
00003000000001000100673c70941333fd4687244d093988939d0200000000000000000000000000
000000000000000000000100000001100800cccccccc480000000000000000000000b07e09000000
000000000000f0890a0000000000000000000d000000000000000d000000730061006a0069006100
6400650076005f0078003800360000000800cccccccc01100800cccccccc10000000000000000000
000000000000000000000000000001100800cccccccc5800000000000000c05e0a00000000000000
0000000000001b000000000000001b0000005c005c0000005c006a00690061006400650076005f00
7800000036005c007000750062006c00690063005c00410041004100410000000000010015000110
0800cccccccc200000000000000000000000905b09000200000001006c00c0df0800010000000700
550000000000";
req2 =
& #34;0500000310000000b00300000200000098030000000004000500020000000000000000000000
000000000000000000000000000000000000000000009005140068030000680300004d454f570400
0000a201000000000000c0000000000000463803000000000000c000000000000046000000003803
0000300300000000000001100800ccccccccc80000000000000030030000d8000000000000000200
0000070000000000000000000000000000000000000018018d00b8018d000000000007000000b901
000000000000c000000000000046ab01000000000000c000000000000046a501000000000000c000
000000000046f601000000000000c000000000000046ff01000000000000c000000000000046ad01
000000000000c000000000000046aa01000000000000c00000000000004607000000600000005800
00009000000058000000200000006800000030000000c000000001100800cccccccc500000000000
0000ffffffff00000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
000001100800cccccccc4800000000000000005d889aeb1cc9119fe808002b104860100000000000
0000000000000100000000000000b84!
70a005800
000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc8000
0000000000000000000000000000000000000000000020ba09000000000060000000600000004d45
4f5704000000c001000000000000c0000000000000463b03000000000000c0000000000000460000
00003000000001000100673c70941333fd4687244d093988939d0200000000000000000000000000
000000000000000000000100000001100800cccccccc480000000000000000000000b07e09000000
000000000000f0890a0000000000000000000d000000000000000d000000730061006a0069006100
6400650076005f0078003800360000000800cccccccc01100800cccccccc10000000000000000000
000000000000000000000000000001100800cccccccc5800000000000000c05e0a00000000000000
0000000000001b000000000000001b0000005c005c0000005c006a00690061006400650076005f00
7800000036005c007000750062006c00690063005c00410041004100410000000000010015000110
0800cccccccc200000000000000000000000905b09000200000001006c00c0df0800010000000700
550000000000";
req3 =
& #34;05000e03100000004800000003000000d016d01605af00000100000001000100b84a9f4d1c7d
cf11861e0020af6e7c5700000000045d888aeb1cc9119fe808002b10486002000000";
req4 =
& #34;05000003100000009a0000000300000082000000010000000500020000000000000000000000
0000000000000000000000000000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f000700
000000000000070000005c005c004d0045004f00570000000000000000005c0048005c0048000100
000058e98f00010000009596952a8cda6d4ab23619bcaf2c2dea01000000010000005c00";
#display(hex2raw(s:req));
#exit(0);
error1 = check(req:hex2raw(s:req1));
error2 = check(req:hex2raw(s:req2));
#error3 = check(req:hex2raw(s:req3));
#error4 = check2(req:hex2raw(s:req4));
#display("error1=", hexstr(error1), "\n");
#display("error2=", hexstr(error2), "\n");
#display("error3=", hexstr(error3), "\n");
#display("error4=", hexstr(error4), "\n");
if(hexstr(error2) == hexstr(error1))
{
if(hexstr(error1) == "0500078000")exit(0); # DCOM disabled
security_hole(port);
}
else {
set_kb_item(name:"SMB/KB824146", value:TRUE);
}
|
ps if it is the good one can someone complile it for me it would be great
greetz
mortello
Sep 11 2003, 05:55 PM
this is a proof of exploit, no code in there (no overflow code)
thatsmej
Sep 11 2003, 06:01 PM
can some one nuke / close the threads when it`s a fake / not the right one??
else i`ll see the same code whole the time posted over different threads..
arhamz
Sep 11 2003, 09:21 PM
i so wish that it wasnt fake  ....... damn ... that hurts .. Dcom2.... come out come out where ever u are .... 
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
|
| |
|
