Full Version: Dcomv2 (dce Rpcss)
Lemongreen
Here it is: I retrieved the RET addresses for DCOM-2; these were found by decompiling the MS scanner. I hope it will be useful for someone.


0x00407EC8
0x004080A8
0x00408134
0x004081D2
0x0040824F
0x004082C1
0x0040831D
0x00408379
0x004083EC
0x0040845B
0x004084D7
0x0040855F
0x004085DB
0x00408669
0x004086D8
0x00408738
0x0040879F
0x0040A000
0x0040A02A
0x0040E151
0x0040E15E
0x004276BA
0x004276c6
0x00427E44
0x00427E8B
0x00427EAF
0x00427EC5
0x00427F12
0x00429B91
0x00429C77


As you see there is more than one... the "universal" address is still not found.
TekKracker
Will compile this now. I am sorta bored. Will try a few different things with my extra box here.
Thanks for the hard work.
sattete
Are they all valid RETs? How can I insert them in your code posted before? ... there are only two spaces with top secret.
Hyp3r
I have the new rpcss exploit but this doesn't work!
The "Top Secret" RETs are:

Windows XP All = 0100139d
Windows 2k All = 0018759F

Um, Lemongreen, you have the wrong RETs!!!
Here is the original list:

WinntSP4eng = e527f377 English WinNT SP4
WinntSP5cn = cfdaee77 china WinNT SP5
WinntSP6cn = ac0ef077 china WinNT SP6
WinntSP6acn = c3eaf077 china NT SP6a
Win2knoSPpl = 4d3fe377 polish Win2k noSP ver 5.00.2195
Win2kSP3pl = 292ce477 polish Win2k SP3 - ver 5.00.2195 tested
Win2kSP4SP = 133ba577 SPanish Win2k SP4
Win2knoSPeng1 = 7416e877 english Win2k noSP 1
Win2knoSPeng2 = 6d3fe377 english Win2k noSP 2
Win2kSP1eng = ec29e877 english Win2k SP1
Win2kSP2eng1 = 2b49e277 english Win2k SP2 1
Win2kSP2eng2 = b524e877 english Win2k SP2 2
Win2kSP3eng1 = 7a36e877 english Win2k SP3 1
Win2kSP3eng2 = 5cfa2e77 english Win2k SP3 2
Win2kSP4eng = 9b2af977 english Win2k SP4
Win2knoSPchi = 2ae3e277 china Win2k noSP
Win2kSP1chi = 8b89e677 china Win2k SP1
Win2kSP2chi = 2b49e077 china Win2k SP2
Win2kSP3chi = 44434241 china Win2k SP3
Win2kSP4chi = 294cdf77 china Win2k SP4
Win2kSP3ger = 7a882e77 german Win2k SP3
Win2knoSPjap = e527f377 Japanese Win2k noSP
Win2kSP1jap = 8b89e577 Japanese Win2k SP1
Win2kSP2jap = 2b49df77 japanese Win2k SP2
Win2knoSPkr = 2ae3e177 Korea Win2k noSP
Win2kSP1kr = 8b89e577 Korea Win2k SP1 same offset as Win2kjp_SP1 ??
Win2kSP2kr = 2b49df77 Korea Win2k SP2
Win2knoSPm = 2ae3e177 Meican Win2k noSP
Win2kSP1m = 8b89e877 Meican Win2k SP1
Win2knoSPken = 4d3fe377 Kenya Win2k SP1
Win2kSP1ken = 8b89e877 Kenya Win2k SP1
Win2kSP2ken = 2b49e277 Kenya Win2k SP1
WinpnoSPeng = e3afe977 english p noSP ver 5.1.2600
WinpSP1eng1 = ba26e677 english p SP1 1
WinpSP1eng2 = db37d777 english p SP1 2
WinpSP2eng = bd737d77 english p SP2
Win2k3noSPeng = b0542277 english Win2k3
Win2kSP3ger = 292ce377 Germanh Win2 SP3
Win2kSP4ger1 = 294ce077 German Win2 SP4 1
Win2kSP4ger2 = 56c2e277 German Win2 SP4 2
WinpSP1ger = fc18d477 German p SP1
Win2kSP1fr = 4b3ee477 French Win2k Server SP1
Win2kSP4fr = 56c2e277 French Win2k Server SP4
WinpSP0fr = 4a75d477 French Win p no SP
WinpSP1fr = fc18d477 French Win p SP 1
Win2kSP3big = 252baa77
Win2kSP4big = 294cdf77
WinpSP01big = fb7ba171

Thanks royo!

Grezz
Hyp3r
slb33
Aren't those the old ret's as stated in the code?

/* DCOMv1: 0x0018759F */
/* DCOMv1: 0x0100139d */

I don't believe these are the "top secret" ret's.

Probably why it's not working for you
Hyp3r
Really?
hmmm
If these are the old RPC RETs then sorry!
Grezz
Hyp3r
sattete
QUOTE (Hyp3r @ Sep 14 2003, 08:41 AM)
Really?
hmmm
If these are the old RPC RETs then sorry!
Grezz
Hyp3r

Look at Lemon's code:

CODE
{
{ "[windows_2000]", [TOP-SECRET] }, /* DCOMv1: 0x0018759F */
{ "[Windows_xp]", [TOP-SECRET] }, /* DCOMv1: 0x0100139d  */
}, v;
[Sunny]
Hm, the RETs don't work. I've tried it on 3 PCs on my network... no way on the highway.
axl
Can you help me get the exploit?

sattete
Seems not to work with those RETs. Anyone confirm?
KoNh
QUOTE (sattete @ Sep 14 2003, 12:08 PM)
Seems not to work with those RETs. Anyone confirm?

Doesn't work either =( maybe there is another way to call the service.
temp
You need more than just new offsets...

And by the way, the "secret" RETs have been public for weeks (from the dcom1 exploit).
goldsun
I use my correct RET address (for sure), it DOESN'T WORK.

QUOTE
Checking....
Done
Connecting...
Connection Error / No Shell


Can you check the exploit code?

Thanks a lot!
TekKracker
All RETs listed above are either from old dcom 1 code or they are not working. I tried on my network at home and no go.

And axl, don't you think if we had the exploit we wouldn't be here still compiling? Go back to hacking webdav or something...
eus
Same problem with me... I've tried on stock XP and stock 2k, no luck. In fact, the daemon hasn't crashed either... Even if we don't have the right RET, it should have crashed the daemon, since it wouldn't exit via the Exit cmd?
goldsun
The key problem is the RET address. I use my correct address to attack, then
in OllyDbg it raises an exception [System: Win2k SP4 + RPC1 patch]:

user posted image

Continue going...
Lemongreen
The RET addresses are 100% working. The problem in my proof of concept is that the overflow code doesn't overwrite the information located at 0x761BC258 (rpcss.dll).

Which means my overflow only targets ".data" 0x761BC258 without overwriting it.

Why? Well, I don't have the knowledge to overwrite that offset with my own EIP...



More information about heap corruption:

http://www.eeye.com/html/Research/Advisori...AD20030910.html
31337powa
Stop saying it doesn't work... a bad offset crashes the daemon.
arhamz
No wonder I tried everything but it didn't work... lol...
gogu258
How does the EEye scanner handle this hole?! Just an idea: if the scanner can find the exploit then I think we can find out how that's done... sorry for my poor English...
Rampage
QUOTE (31337powa @ Sep 14 2003, 07:24 PM)
Stop saying it doesn't work... a bad offset crashes the daemon.

You were able to crash the daemon with the RET addresses posted above? Can you explain how? I tested a few of them but there was no way to crash the daemon... else the nice countdown of 60 secs would have appeared.

Sorry for my bad English.
Imps2
Maybe this will help you to find the return address.

1/ How do I find the right return address for my system?

- Get the right KERNEL32.DLL file (you can find it directly in the SP file).
- Open it in your favorite disassembler (IDA, WDASM, ...).
- Look for the following byte sequence: "FF D3" (call ebx).
- Note the corresponding address (it should look like 0x7???????; otherwise your disassembler is not smart enough to add the section base address to relative addresses).


Greetz Imps2
Rampage
Thanks Imps2... gonna try as soon as possible.