=k3Rn=
hi

i am wondering if there is an easy way to secure a shell against the ms04-011 exploit.

one way would be to dl and install the right patch - but is there any other / faster way to do the task??

thx in advance
=k3Rn=

i am sorry, just found another thread to this topic - i replied there too.
but the question remains - is there an easier way to secure it?
and does it have to be the right language ?
crackie
yes there is ...
but kern u are asking stupid questions in this forum all day long :[ just install a dos firewall or just run your ftp on the xploit port . i guess its 666 smile.gif so think about your questions first alone and if you got no clue then ask at gover !
greetz crackie
BuzzDee
CODE
just run your ftp on the xploit port . i guess its 666


the port is 445. and running an ftp on that port isnt possible cuz its in use...

i read about another way to secure against the lsass exploits somewhere in the forum, but i think patching the box is the best way wink.gif
Terminal
fastest way is to remove File and print sharing (This closes port 445) . Or just stop rpc services .
Venom
Delete IPC$ for a fast patch

.. but yea best way is to patch it

And oh Crakie ..... he asked a stupid question and you gave the stupidest reply.
Antil
or just dont be lazy and install the patch.. dry.gif whats so hard about 30 secs more work... ph34r.gif
=k3Rn=
@crackie: the only thing stupid here is your answer!


i still wonder if it's necessary to install the right language of the patch - anyone tested that yet?

and thx for all the other answers!
Terminal
QUOTE (crackie @ Aug 21 2004, 02:47 PM)
yes there is ...
but kern u are asking stupid questions in this forum all day long :[ just install a dos firewall or just run your ftp on the xploit port . i guess its 666 smile.gif so think about your questions first alone and if you got no clue then ask at gover !
greetz crackie

Stupid answer tongue.gif . But try to learn from ur mistakes smile.gif
crackie
QUOTE (BuzzDee @ Aug 21 2004, 11:47 AM)
CODE
just run your ftp on the xploit port . i guess its 666


the port is 445. and running an ftp on that port isnt possible cuz its in use...

i read about another way to secure against the lsass exploits somewhere in the forum, but i think patching the box is the best way wink.gif

lol ... damn .... 445 is the port that is being exploited but the normal autohacker shellport is 666 ... and if you disconnect from the shell u get its not in use anymore.. so i am right with 666 ! think first then talk nubs
BuzzDee
autohacker blink.gif u r l33t ph34r.gif

sry i'm not that "experienced" with autohackers since i use the exploits to test my own pcs and not to hack into systems i dont own... dry.gif
BuzzDee
CODE
i still wonder if it's necessary to install the right language of the patch


it depends on the os language which patch u have to use.
torcuato
QUOTE (crackie @ Aug 21 2004, 01:14 PM)
QUOTE (BuzzDee @ Aug 21 2004, 11:47 AM)
CODE
just run your ftp on the xploit port . i guess its 666


the port is 445. and running an ftp on that port isnt possible cuz its in use...

i read about another way to secure against the lsass exploits somewhere in the forum, but i think patching the box is the best way wink.gif

lol ... damn .... 445 is the port that is being exploited but the normal autohacker shellport is 666 ... and if you disconnect from the shell u get its not in use anymore.. so i am right with 666 ! think first then talk nubs

crackie dont be stupid please... For the shellport you can use 666 or whatever port that you want... Good idea to patch LSASS servers using your ftp server in 666 port LOL
continue like this m8 wink.gif
=k3Rn=
what a nonsense crackie !
skyvionics
how to delete IPC$ share or administra
GogetaSSJ4
The Patch is the best solution biggrin.gif
You can use quiet command:
Windows2000-KB835732-x86-XXX.EXE /quiet /forcerestart /o /n /f

Another solution is upload reg.exe and type this command:
CODE
reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t REG_DWORD /d 00000000 /f

reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareServer /t REG_DWORD /d 00000000 /f

reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RestrictAnonymous /t REG_DWORD /d 00000002 /f

reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server" /v Enabled /t REG_BINARY /d 00 /f
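
Added example, not part of the original post: a small auditor that reads captured `reg query` output for the three keys named above and reports whether each of the four values holds the data those commands set. The function names and the sample output are constructed for illustration.

```python
import re

# Hardening values written by the reg.exe commands in the post above.
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
EXPECTED = {
    (BASE + r"\Services\lanmanserver\parameters", "AutoShareWks"): 0,
    (BASE + r"\Services\lanmanserver\parameters", "AutoShareServer"): 0,
    (BASE + r"\Control\LSA", "RestrictAnonymous"): 2,
    (BASE + r"\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server", "Enabled"): 0,
}
# One value line of `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(\S+)\s*$")

def parse_reg_query(text):
    """Return {(key, value name): int} for DWORD/BINARY values, lowercased."""
    found, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):   # unindented line names the key
            key = line.strip().lower()
            continue
        m = VALUE_LINE.match(line)
        if key and m and m.group(2) in ("REG_DWORD", "REG_BINARY"):
            # reg query prints DWORD as 0x..., BINARY as bare hex digits
            found[(key, m.group(1).lower())] = int(m.group(3), 16)
    return found

def audit(text):
    """Map each expected value name to 'ok', 'missing' or 'wrong (found N)'."""
    found = parse_reg_query(text)
    report = {}
    for (key, name), want in EXPECTED.items():
        got = found.get((key.lower(), name.lower()))  # registry names ignore case
        if got is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if got == want else "wrong (found %d)" % got
    return report

# Constructed sample of `reg query` output (not taken from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    AutoShareWks    REG_DWORD    0x0
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\srvsvc.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
    Enabled    REG_BINARY    00
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```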
M4Z3R
Crackie stop thinking like a kiddie, I don't have anything against you, but just read what you wrote:
QUOTE
lol ... damn .... 445 is the port that is being exploited but the normal autohacker shellport is 666 ... and if you disconnect from the shell u get its not in use anymore.. /*Wow . . . biggrin.gif*/ so i am right with 666 ! think first then talk nubs


Coz, I don't get it smile.gif

Cheers, M4Z3R

And yeah K3RN, Look if you go down 3 topics in the "Windows Systems" forum, what do you have . . . yet another topic on this subject, I know, it's amazing rolleyes.gif

http://www.governmentsecurity.org/forum/in...?showtopic=8187
=k3Rn=
mazer, no offence, but i found that thread by searching - just some minutes too late - and then i replied there too with an excuse... :|
Terminal
Crackie 666 is port which we can specify to get shell . But if u have little brain see when lsass is exploited ur attacking program connects to port 445 tongue.gif . You can also change reverse shell port from 666 to any other . If u would have seen syntax of program then u wouldnt have replied this

QUOTE

MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
------

Usage:

E:\LSASS.EXE <target> <victim IP> <bindport> [connectback IP] [options]

Targets:
0 [0x01004600]: WinXP Professional    [universal] lsass.exe
1 [0x7515123c]: Win2k Professional    [universal] netrap.dll
2 [0x751c123c]: Win2k Advanced Server [SP4]      netrap.dll

Options:
-t: Detect remote OS:
Windows 5.1 - WinXP
Windows 5.0 - Win2k
tomas\
meh people here are (filtered) lazy.. do some research yourself before asking stupid ass questions