Full Version: MS03-049
tibbar
After receiving many PMs asking me to supply the source code etc., I've decided to post the code with a batch file that feeds off scan500.exe.

Usage is simple.

First run scan500.exe to generate a list of IPs with port 139 open, i.e.:

scan500 -p 139 startip endip

This will generate scan.txt for you.

Edit scan.txt to remove the 1st line, i.e. you only want IPs in this file, no text.

Now simply run scanlist.bat to automatically test each IP in scan.txt.

Enjoy ;-)

(for educational purposes only).
ST.
QUOTE (tibbar @ Mar 2 2004, 11:48 PM)
(for educational purposes only)

okay, i'll use it for all *.edu in my area

thanks!
tibbar
heh it's best for .edu...use it remotely to bypass the blocked 139...
nowhere
thanks for sharing, i will have a look
lv4
great...might become handy...

THX for sharing!!
tibbar
i am going to recode this as a single .c prog, as it runs a lot slower like this through batch file.

i will post it here in a few days...
stonebreaker
i think there are too many viruses for this hole,
and now many machines have a firewall installed.
Furthermore, the ISPs have blocked ports 139 and 445.
tibbar
very true stonebreaker, but that is not its only use.

Suppose you have remote access to a box on a LAN or WAN. Behind the corporate firewall, all the NetBIOS ports are open...and this exploit will work perfectly on boxes with a pre-Nov '03 patch level.
x1`
is this an auto hacker then? it goes through the scans and then checks for a shell?
or just a checker to find vulnerable servers? if so, does it make an output file saying what is vulnerable etc.?
tibbar
by typing scan500 -p 139 ipstart ipend it will generate an IP list of possible targets (i.e. ones with port 139 open).

you then type scanlist.bat to run this list through the exploit prog.
pdf
and it's undetectable by antivirus, thanks
limbox
thanks a lot, do you have the source code of the exploit as well ?
Paul
I'll try it @ my school, when I'm on some PC.
Going to be fun I hope, thanks
Bombers
thanks for your work
but i tried 60000 computers on a LAN network.
it sends the exploit but it always says
connect() to the bindshell failed

hmm, maybe i need to listen with NC on port 4445??
or is it auto?
THoRaX
QUOTE (Bombers @ Mar 3 2004, 08:26 PM)
thanks for your work
but i tried 60000 computers on a LAN network.
it sends the exploit but it always says
connect() to the bindshell failed

hmm, maybe i need to listen with NC on port 4445??
or is it auto?

Same error here. Just before that it says an error occurs, but it is gone within a second. maybe a little bug?
boshcash
QUOTE (ST. @ Mar 2 2004, 11:53 PM)
QUOTE (tibbar @ Mar 2 2004, 11:48 PM)
(for educational purposes only)

okay, i'll use it for all *.edu in my area

thanks!

lol nice one man
clubfed
not that it matters, but FYI the scan500.exe is detected by Kaspersky as "Exploit.Win32.WebDav.n" .. to the person who said it was undetected.
tibbar
KAV detects most things. this is undetected by the mainstream AVs...no one except hackers uses KAV anyway
technoboy
CODE
[+] 172.16.1.13: Assuming alive, checking 139.
[+] 172.16.1.13: 139 open, creating exploit thread.
[+] 172.16.1.13: Waiting.
[+] 172.16.1.13: Attacking, attempting a null session.
[+] 172.16.1.13: Success.
[+] 172.16.1.13: GetProcAddr: 71c7c8f8.
[+] 172.16.1.13: Sending exploit.
[+] 172.16.1.13: Connecting to port 4445.
[x] 172.16.1.13: connect() to bindshell failed.


172.16.1.13 = VMware Win2k vanilla

i also receive an error, see attached file.

anyone have a full working sploit handy for this? i want to update my attack tree and don't feel like browsing tons of crap and half-working sploits.
liquidSilver
I get the same error on each box I try!

Must be a bug, or every one of them is patched!
bl00dyviper
yes, i get this error too, and every time it's "connect to bindshell failed". anything wrong?
tibbar
if you get the error:

[+] 172.16.1.13: Assuming alive, checking 139.
[+] 172.16.1.13: 139 open, creating exploit thread.
[+] 172.16.1.13: Waiting.
[+] 172.16.1.13: Attacking, attempting a null session.
[+] 172.16.1.13: Success.
[+] 172.16.1.13: GetProcAddr: 71c7c8f8.
[+] 172.16.1.13: Sending exploit.
[+] 172.16.1.13: Connecting to port 4445.
[x] 172.16.1.13: connect() to bindshell failed.


that means the box is patched. N.B. you don't need to run netcat, the exploit does it for you.

I have only had success running this on a LAN / WAN...I generally find about 1 in 10 boxes are unpatched.

However, if you try this on a commercial LAN, you should not be surprised if 99% of boxes are patched. Most firms apply updates weekly.

I have never seen the error window pop up that technoboy got, and I can't think of why it happened, maybe his AV didn't like it?

For those asking for a working exploit, this is it. I have heard it enjoys great success on .edus...
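A defender-side complement to the sequence the thread's output shows (a null-session contact on TCP 139, then the tool connecting to the bindshell on TCP 4445): an added example, not code from the thread or its author, that flags that pattern in a connection log and lists sources sweeping port 139. The log format, the 60-second correlation window and the three-host scan threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log: "timestamp src dst dst_port" (assumed format).
SAMPLE_LOG = """\
2004-03-03T20:26:01 10.0.0.5 172.16.1.13 139
2004-03-03T20:26:03 10.0.0.5 172.16.1.13 4445
2004-03-03T20:26:05 10.0.0.5 172.16.1.14 139
2004-03-03T20:26:07 10.0.0.5 172.16.1.15 139
2004-03-03T20:26:09 10.0.0.5 172.16.1.15 4445
2004-03-03T20:30:00 10.0.0.9 172.16.1.20 139
2004-03-03T21:30:00 10.0.0.9 172.16.1.20 4445
"""

BINDSHELL_PORT = 4445  # port the exploit connects to, per the thread's output
WINDOW_SECONDS = 60    # assumed correlation window, tune for your network

def parse(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_bindshell_attempts(log_text, window=WINDOW_SECONDS):
    """(src, dst) pairs where a contact on 139 is followed within `window`
    seconds by a connection from the same source to the bindshell port."""
    last_139 = {}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse(line)
        if port == 139:
            last_139[(src, dst)] = ts
        elif port == BINDSHELL_PORT and (src, dst) in last_139:
            if (ts - last_139[(src, dst)]).total_seconds() <= window:
                hits.append((src, dst))
    return hits

def scanning_sources(log_text, min_targets=3):
    """Sources that touched 139 on at least `min_targets` distinct hosts,
    the scan500-style sweep the thread describes."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            _, src, dst, port = parse(line)
            if port == 139:
                targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)
```

On the sample log, `find_bindshell_attempts` reports the two hosts where 4445 followed 139 within the window and ignores the pair an hour apart, while `scanning_sources` reports only 10.0.0.5.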