The Working Remote Lsass Exploit (ms04-011)

Full Version: The Working Remote Lsass Exploit (ms04-011)

GovernmentSecurity.org > The Archives > Exploit Articles

Gurou

Apr 25 2004, 06:26 PM

look here, the sbaaNetapi.dll needed for the exploit was posted on k-otic :

// Comments from K-OTik.COM : to make this exploit work remotely you have
// to use the sbaaNetapi.dll wich modifies the DsRoleUpgradeDownlevelServer
// API, so this will allow the remote host to be specified ...

http://www.k-otik.com/exploits/04252004.ms04011lsass.c.php

DoSed my english XP box, coz the shell works only on CN boxes

who will add the good offset ?

lonely

Apr 25 2004, 07:08 PM

thx m8

i'm trying to compile it

tazthedev

Apr 25 2004, 11:16 PM

thx for the source code.

I tried to compile it with lcc but unfortunately, it doesnt compile fine

some1 can compile it ?

thx

tweakz20

Apr 25 2004, 11:27 PM

#include <windows.h> is the only header...

this beast gave me 31 errors

h3llraz0r

Apr 25 2004, 11:46 PM

i got these errors with it using ms vs 6

CODE

lsass.c
lsass.c(198) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(198) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 1
lsass.c(198) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(198) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 2
lsass.c(198) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(198) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 3
lsass.c(198) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(198) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 4
lsass.c(198) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(198) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 5
lsass.c(198) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(198) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 6
lsass.c(199) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(199) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 7
lsass.c(199) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(199) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 8
lsass.c(199) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char [200]'
lsass.c(199) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 9
lsass.c(199) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(199) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 10
lsass.c(199) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(199) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 11
lsass.c(199) : warning C4047: 'function' : 'unsigned long ' differs in levels of indirection from 'char *'
lsass.c(199) : warning C4024: 'DsRoleUpgradeDownlevelServer' : different types for formal and actual parameter 12
lsass.c(145) : warning C4761: integral size mismatch in argument; conversion supplied
lsass.c(156) : warning C4761: integral size mismatch in argument; conversion supplied
Microsoft (R) Incremental Linker Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

/out:lsass.exe
lsass.obj

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.