Full Version: Rpc Exploit
what
RPC universal offset exploit. Go to Shields Up security (search for it on Google) and make sure port 135 is not stealthed, mainly for remote testing.
^RB^
Hmm, dunno what it is, but I'll give it a try...
Finding the Shields Up website now...


BTW, this can be run on a local network too, right?


^RB^

edit: just to answer my own question... yes, it can be run on a local network... Stupid question anyway...
Now for another thing... This doesn't work for me...
For rpc3scan I get "program too big to fit in memory".
rpc3 just crashes...
pita
If I'm not wrong, you need bshell2 to make this exploit work. If you don't already have it, here is the code that needs to be compiled:
http://www.security.nnov.ru/files/unshell.asm

(rename it to bshell2.asm and compile)
what
Here is the link to Shields Up. Do a common port scan and make sure port 135 is open (only do this if you are testing from a remote computer; on the remote computer, it will ALWAYS work locally). Even then, it is a good local rights elevation exploit, since code can still be executed and the service is running as system. The DoS will always work, but it is made so the exploit itself won't. You don't need bshell, this is a little bit different... Code is in the exploit, makes it all go smoother. I would like some feedback please: tell me how it worked, or if it didn't, or anything that happened. By the way, you need cygwin and rpc3 in the same directory to use the program. That's why you might have gotten the "program will not fit in memory" problem.
^RB^
QUOTE (what @ Dec 4 2003, 02:29 PM)
By the way, you need cygwin and rpc3 in the same directory to use the program. That's why you might have gotten the "program will not fit in memory" problem.

Hmm, they are in the same dir... But still no go...
I'll just try out another version of cygwin1.dll, maybe that'll work better...


Thanks for the reply m8!!!!

edit: that's strange... I tried with 2 different versions of cygwin1.dll (701KB and 949KB), but either one of them works...
Maybe you could also upload your cygwin1.dll???
what
I'd like to know the results of attempted exploiting. Try it and see, then post the results here. Here is cygwin1.dll, see if it helps a little bit better.
mumiak
I've downloaded your cygwin1.dll and it still does not work for me.
DJVASTVASTY2K
Thanks For This

It's Been Here A While And I Never Noticed Hmm... That's Funny Hehe

As For The Site You Are Referring To I Think It Is A Site Called GRC

A Site Designed By The Security Expert "Steve Gibson"

The Link Is www.GRC.Com

Thanks "What"

Many Thanks

Best Regards

Adam

Vast Gsm
what
ok, I am an IDIOT. Flame me later. I created bshell2 a long time ago, and, um, forgot about it. I am really sorry. Put bshell2 and rpc3 in the %systemroot% folder, open a command prompt, and fire it off. Should work like a charm.
vnet576
That's not valid shellcode... the exploit just calls whatever is in that bshell2 file. It's up to you to find and put a valid shell into bshell2.
Freaky
Well,
First I want to thank you for the compiled exploit.

Second, I've got a question:

I found a (erm, I think I found, don't really know) unpatched server.
I tried it and what I got was this:

xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx - send exploit to Win2K
2703

It started with 1 and I aborted the operation at 2703.
Erm, well...
Call me a dumbass, but did the exploit work or not?

Thanks
vnet576
QUOTE (Freaky @ Dec 13 2003, 03:48 PM)
Well,
First I want to thank you for the compiled exploit.

Second, I've got a question:

I found a (erm, I think I found, don't really know) unpatched server.
I tried it and what I got was this:

xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx - send exploit to Win2K
2703

It started with 1 and I aborted the operation at 2703.
Erm, well...
Call me a dumbass, but did the exploit work or not?

Thanks

Did you bother to read my post before asking that question? You can't get root without a valid shellcode... you will never be able to get root without a valid shellcode. The exploit may have worked, but you're not getting a shell.
boshcash
OK, where could we get a valid shellcode? Do you have a valid shellcode?
what
Search for it on Google; this is just a DoS POC. There are a lot out there, pick one you like. I don't want to give everyone the key into someone's system to just do as they like. If you want it, you will need to work for it a little.
vnet576
QUOTE (boshcash @ Dec 13 2003, 04:49 PM)
OK, where could we get a valid shellcode? Do you have a valid shellcode?

No, I don't have one... but then I didn't really try looking for one.
boshcash
OK, OK, I found a bshell2, but it's 417 bytes, from securitylab.ru. I tried this and I think it creates a user 'a' with password 'a'... Anyone has the compiled bindshell bshell2 file? A cmd shell is a lot better than adding a user 'a' with pass 'a'.
what
http://www.metasploit.com/sc/win32_adduser.c this will add a new user to the administrator group, locally, with a username X and password X.
boshcash
So I compile the exe and rename it as bshell?? I tried that, didn't work. Anyone has the bshell2 compiled file?
boshcash
I know metasploit.com has a cmdshell, adduser and reversecmdshell. I tried them all and they worked; best is bindshell, not adduser.
what
Most of the time, this exploit will now be used as privilege escalation. With some more modifying, it can once again bypass most firewalls due to the high-level ports that the RPC services run on (135, 445, etc., etc.), including UDP. I'm just doing what is conventional at the time. The best shellcode is the shellcode that you make yourself.
boshcash
Plz anyone assemble the bindshellcode from the metasploit site and plz post it. And did anyone get a successful cmdshell with that exploit??
DJVASTVASTY2K
Anyone here find a Valid Shell Code That Works Yet??

Would Be Nice To Share And See What We Can Do So We Can Understand How To Secure Our Box A Little Better.

Best Regards

Adam

Vast Gsm
boshcash
There is a valid shellcode at k-otik in assembly, so if anyone can assemble that source code, plz post it here. BTW, I tried the bshell2 by securitylab.ru and it failed to create a user.
boshcash
This is an assembled file from metasploit.com; it should bind a shell to port 8721. Anyone can get it to any use? I can't make it run. I replaced it with the bshell2 file. A question: to exploit this vulnerability, should I add characters before the exploit, or what should I exactly do? Because I tried that and it didn't work, but I'm sure the assembled shellcode I assembled should work. Thnx
Kakarott
Thx 4 sharing dude

I'll try it out

greetz to @ll
boshcash
BTW, I asked a good exploit coder: we must compile that asm file at k-otik, guys. And to "what": there are not that many shellcodes; this is a heap overflow, not a buffer overflow, so the shellcode differs, and currently I don't think there is any working shellcode...
X-FloppY
CODE

C:\WINDOWS>rpc3
RPC universal exploit. Exploit MS09-039 vulnerability
unpatched host - to codee xecution
patched host - to DoS
based on original XFocus RPCDCOM2 exploit
modification and shellcode (c) by karlss0n
published by www.security.nnov.ru

usage: rpc3 <target_ip>

C:\WINDOWS>rpc3 157.158.29.12
157.158.29.12
157.158.29.12 - send exploit to Win2K
711


It counts and keeps counting?
WTF is that?
Can someone explain please?
Thanks

X-Floppy
hifil0wlife
Yes, I'm wondering the same thing myself. I heard from someone that this was a D.o.S. "proof of concept" and not a real remote exploit. I've tested this exploit with the assembled shellcodes at metasploit on targets confirmed by scanners to be vulnerable and nothing; the damn thing just keeps on counting until I get "send error". This was released sometime in September and still not many know what to do with it. That's a shame. Someone please shed some light on this. I would even agree to pay $$$ for a working exploit for MS03-039.
boshcash
Me 2, I think l33t ppl and coders can work it out. I can pay $ for working that... I dunno why ppl still can't make it work.
icedealer
Hey,
Can anyone publish working source?

Would be great.

Thanks guys
boshcash
If anyone has the source code or the files needed to make this work to get a cmdshell, they won't share with us, because he is a l33t one and we r n00bz, we shouldn't know, right? I think one or more ppl said they know how it works but they won't upload anything, I think so.
xoro
Hmm, I have only that... if that can help you...
boshcash
Guys, we already have the exploit. We need a working bshell2 to bind a cmd shell, or any other working bshell2, but plz not a DoS bshell2 that contains "ax400".
Invision Power Board © 2001-2005 Invision Power Services, Inc.