Forums: Ms03-039 - Exploit Code - Forums


Ms03-039 - Exploit Code Hmmmm,

#1 User is offline   n0vun 

  • Private First Class
  • Group: Members
  • Posts: 36
  • Joined: 14-August 03

Posted 10 September 2003 - 11:54 PM

From Nessus :)

# The script code starts here
#

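# Read one DCE/RPC PDU from `socket`.
#
# The first 10 bytes of the common PDU header are read, the fragment length
# is taken from bytes 8-9 (little-endian, as the original did) and the rest
# of the fragment is then read.
# NOTE(review): the header's data-representation byte is not consulted, so a
# big-endian peer would be mis-parsed — confirm that only little-endian
# peers matter here.
#
# Returns the whole PDU as data, or NULL when the header is short or when
# the announced fragment length is smaller than the header already read.
function dcom_recv(socket)
{
  local_var hdr, frag_len, rest;

  hdr = recv(socket:socket, length:10);
  if (strlen(hdr) != 10) return NULL;

  # The fragment length is supplied by the remote host; anything below 10
  # would turn the length of the second recv() negative, so reject it.
  frag_len = ord(hdr[8]) + ord(hdr[9]) * 256;
  if (frag_len < 10) return NULL;
  if (frag_len == 10) return hdr;

  rest = recv(socket:socket, length:frag_len - 10);
  return hdr + rest;
}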


# Choose the RPC port to test: TCP/135 when it is open and accepts a
# connection, otherwise TCP/593. Stop when the chosen port is not open.
port = 135;
if (get_port_state(port))
{
  soc = open_sock_tcp(port);
  if (soc) close(soc);
  else port = 593;
}
else
{
  port = 593;
}
if (!get_port_state(port)) exit(0);

#-------------------------------------------------------------#

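# Numeric value of one hex digit, given as its byte value.
# '0'-'9' -> 0-9, 'A'-'F' -> 10-15; any other byte is treated as 'a'-'f'
# without validation, matching the original.
function _hex_digit_value(c)
{
  if (c >= ord("0") && c <= ord("9")) return c - ord("0");
  if (c >= ord("A") && c <= ord("F")) return c - ord("A") + 10;
  return c - ord("a") + 10;
}

# Decode hexadecimal text into raw bytes.
#
# s: hex digits, two per byte. Blanks, tabs and line breaks are skipped, so
#    a literal that was wrapped across several source lines (as the pasted
#    request strings below are) still decodes to the intended bytes; the
#    original decoded such characters as digits and produced garbage.
#    Uppercase digits are accepted as well. A dangling odd digit at the end
#    is ignored; other non-hex characters are not validated.
#
# Returns the decoded bytes (data), NULL when nothing was decoded.
function hex2raw(s)
{
  local_var i, n, c, digits, hi, lo, ret;

  # First pass: keep only the non-blank characters.
  digits = "";
  n = strlen(s);
  for (i = 0; i < n; i++)
  {
    c = ord(s[i]);
    if (c == 32 || c == 9 || c == 10 || c == 13) continue;
    digits += s[i];
  }

  # Second pass: fold each pair of digits into one byte.
  n = strlen(digits);
  for (i = 0; i + 1 < n; i += 2)
  {
    hi = _hex_digit_value(c:ord(digits[i]));
    lo = _hex_digit_value(c:ord(digits[i+1]));
    ret += raw_string(hi * 16 + lo);
  }
  return ret;
}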

#--------------------------------------------------------------#
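# Send one request PDU on a fresh DCE/RPC session and return the error code
# carried in the last 4 bytes of the reply.
#
# req: the request PDU as raw bytes (already decoded with hex2raw).
#
# Uses the script-global `port`. Exits the script when the port cannot be
# connected or the bind gets no reply (nothing to test); returns NULL when
# the request itself gets no reply. The socket is closed on every path (the
# original left it open when returning NULL).
function check(req)
{
  local_var soc, bindstr, error_code, r, rlen;

  soc = open_sock_tcp(port);
  if (!soc) exit(0);

  # Bind PDU (hex). Its fragment length field is 0x0048 = 72 bytes, which
  # matches the 144 digits only when the literal is contiguous, so the
  # line-wrapped form from the forum paste is joined back into one line.
  bindstr = "05000b03100000004800000001000000d016d016000000000100000000000100a001000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";
  send(socket:soc, data:hex2raw(s:bindstr));
  r = dcom_recv(socket:soc);
  if (!r)
  {
    close(soc);
    exit(0);
  }

  send(socket:soc, data:req);
  r = dcom_recv(socket:soc);
  close(soc);
  if (!r) return NULL;

  # Slice bounds kept exactly as the original wrote them (end == strlen(r)).
  rlen = strlen(r);
  error_code = substr(r, rlen - 4, rlen);
  return error_code;
}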

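# Variant of check(): same bind and request exchange, but the error code is
# taken from bytes [len-24, len-20] of the reply instead of its tail.
# Only referenced from a commented-out line below.
#
# req: the request PDU as raw bytes (already decoded with hex2raw).
#
# Uses the script-global `port`. Exits the script when the port cannot be
# connected or the bind gets no reply; returns NULL when the request gets no
# reply. The socket is closed on every path (the original never closed it).
function check2(req)
{
  local_var soc, bindstr, error_code, r, rlen;

  soc = open_sock_tcp(port);
  if (!soc) exit(0);

  # Bind PDU (hex), identical to the one in check(); the fragment length
  # field (0x0048 = 72 bytes) matches the 144 digits only when contiguous,
  # so the forum's line wrap is undone.
  bindstr = "05000b03100000004800000001000000d016d016000000000100000000000100a001000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";
  send(socket:soc, data:hex2raw(s:bindstr));
  r = dcom_recv(socket:soc);
  if (!r)
  {
    close(soc);
    exit(0);
  }

  send(socket:soc, data:req);
  r = dcom_recv(socket:soc);
  close(soc);
  if (!r) return NULL;

  rlen = strlen(r);
  error_code = substr(r, rlen - 24, rlen - 20);
  return error_code;
}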
#---------------------------------------------------------------#


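# Determine whether the remote host is running Windows 95/98/ME.
# Those systems are not affected; when the reply stub carries the value the
# original author associates with them, the script stops here.
# Bind PDU (hex). Its fragment length field is 0x0048 = 72 bytes, matching
# the 144 digits only when contiguous, so the forum's line wrap is undone.
bindwinme = "05000b03100000004800000053535641d016d016000000000100000000000100e6730ce6f988cf119af10020af6e72f402000000045d888aeb1cc9119fe808002b10486002000000";
soc = open_sock_tcp(port);
if (!soc) exit(0);
send(socket:soc, data:hex2raw(s:bindwinme));
rwinme = dcom_recv(socket:soc);
close(soc);

# Bytes [len-24, len-21] of the reply. A missing or short reply (under 24
# bytes) would give negative offsets (the original passed them to substr
# as-is), so it is treated as "no stub" and the script carries on.
lenwinme = strlen(rwinme);
if (lenwinme >= 24) stubwinme = substr(rwinme, lenwinme - 24, lenwinme - 21);
else stubwinme = NULL;

# Windows 95/98/ME: not vulnerable.
if ("02000100" >< hexstr(stubwinme)) exit(0);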


#----------------------------------------------------------------#

# COM error values as they would appear little-endian in a reply, each
# followed by one extra "00" byte: "54010480" is 0x80040154
# (REGDB_E_CLASSNOTREG) and "04000880" is 0x80080004 (CO_E_BAD_PATH).
# None of the three names is referenced by the visible code; presumably
# leftovers from development.
REGDB_CLASS_NOTREG = "5401048000";
CO_E_BADPATH = "0400088000";
NT_QUOTE_ERROR_CODE_EQUOTE = "00000000";



#
# Request PDUs (hex) sent through check()/check2().
#
# Every literal below was line-wrapped when pasted to the forum (stray
# one-character lines, plus a blank inside the line holding
# "b8470a005800 0000050006"). hex2raw as written decodes those breaks as
# digits, so presumably the original plugin kept each request on a single
# line; strip the whitespace before reusing them.
#
# req1: header announces fragment length 0x03b0 = 944 bytes.
req1 = "0500000310000000b0030000010000009803000000000400050002000000000000000000000
0000000000000000000000000000000000000000000009005140068030000680300004d454f57040
0
0000a201000000000000c0000000000000463803000000000000c000000000000046000000003803
0
000300300000000000001100800ccccccccc80000000000000030030000d80000000000000002000
0
00070000000000000000000000000000000000000018018d00b8018d000000000007000000b90100
0
000000000c000000000000046ab01000000000000c000000000000046a501000000000000c000000
0
00000046a601000000000000c000000000000046a401000000000000c000000000000046ad010000
0
0000000c000000000000046aa01000000000000c0000000000000460700000060000000580000009
0
00000058000000200000006800000030000000c000000001100800cccccccc5000000000000000ff
f
fffff000000000000000000000000000000000000000000000000000000000000000000000000000
0
00000000000000000000000000000000000000000000000000000000000000000000000000000110
0
800cccccccc4800000000000000005d889aeb1cc9119fe808002b104860100000000000000000000
0
000100000000000000b8470a005800 000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc8000
0000000000000000000000000000000000000000000020ba09000000000060000000600000004d45
4
f5704000000c001000000000000c0000000000000463b03000000000000c00000000000004600000
0
003000000001000100673c70941333fd4687244d093988939d020000000000000000000000000000
0
000000000000000000100000001100800cccccccc480000000000000000000000b07e09000000000
0
00000000f0890a0000000000000000000d000000000000000d000000730061006a00690061006400
6
50076005f0078003800360000000800cccccccc01100800cccccccc1000000000000000000000000
0
000000000000000000000001100800cccccccc5800000000000000c05e0a00000000000000000000
0
000001b000000000000001b0000005c005c0000005c006a00690061006400650076005f007800000
0
36005c007000750062006c00690063005c004100410041004100000000000100150001100800cccc
c
ccc200000000000000000000000905b09000200000001006c00c0df0800010000000700550000000
0
00";

# req2: appears to be the same request as req1 with a different call id
# (4th header dword, 02000000 instead of 01000000) and two different
# embedded IIDs ("f601…"/"ff01…" where req1 has "a601…"/"a401…"). The main
# logic compares the error codes the host returns for req1 and req2.
req2 = "0500000310000000b0030000020000009803000000000400050002000000000000000000000
0000000000000000000000000000000000000000000009005140068030000680300004d454f57040
0
0000a201000000000000c0000000000000463803000000000000c000000000000046000000003803
0
000300300000000000001100800ccccccccc80000000000000030030000d80000000000000002000
0
00070000000000000000000000000000000000000018018d00b8018d000000000007000000b90100
0
000000000c000000000000046ab01000000000000c000000000000046a501000000000000c000000
0
00000046f601000000000000c000000000000046ff01000000000000c000000000000046ad010000
0
0000000c000000000000046aa01000000000000c0000000000000460700000060000000580000009
0
00000058000000200000006800000030000000c000000001100800cccccccc5000000000000000ff
f
fffff000000000000000000000000000000000000000000000000000000000000000000000000000
0
00000000000000000000000000000000000000000000000000000000000000000000000000000110
0
800cccccccc4800000000000000005d889aeb1cc9119fe808002b104860100000000000000000000
0
000100000000000000b8470a005800 000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc8000
0000000000000000000000000000000000000000000020ba09000000000060000000600000004d45
4
f5704000000c001000000000000c0000000000000463b03000000000000c00000000000004600000
0
003000000001000100673c70941333fd4687244d093988939d020000000000000000000000000000
0
000000000000000000100000001100800cccccccc480000000000000000000000b07e09000000000
0
00000000f0890a0000000000000000000d000000000000000d000000730061006a00690061006400
6
50076005f0078003800360000000800cccccccc01100800cccccccc1000000000000000000000000
0
000000000000000000000001100800cccccccc5800000000000000c05e0a00000000000000000000
0
000001b000000000000001b0000005c005c0000005c006a00690061006400650076005f007800000
0
36005c007000750062006c00690063005c004100410041004100000000000100150001100800cccc
c
ccc200000000000000000000000905b09000200000001006c00c0df0800010000000700550000000
0
00";


# req3: PDU type 0x0e, 72 bytes announced. Only used by a commented-out
# call below.
req3 = "05000e03100000004800000003000000d016d01605af00000100000001000100b84a9f4d1c7
dcf11861e0020af6e7c5700000000045d888aeb1cc9119fe808002b10486002000000";

# req4: request PDU, 0x9a = 154 bytes announced. Only used by the
# commented-out check2() call below.
req4 = "05000003100000009a000000030000008200000001000000050002000000000000000000000
00000000000000000000000000000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f00070
0
000000000000070000005c005c004d0045004f00570000000000000000005c0048005c0048000100
0
00058e98f00010000009596952a8cda6d4ab23619bcaf2c2dea01000000010000005c00";




#display(hex2raw(s:req));
#exit(0);






# Send the two activation requests and compare the error codes that come
# back. The rule encoded by the original author: when the host answers both
# requests with the same error it is reported as affected (unless that error
# is the "DCOM disabled" value); when it answers req2 differently, the fix
# for KB824146 is recorded in the knowledge base instead.
error1 = check(req:hex2raw(s:req1));
error2 = check(req:hex2raw(s:req2));

#error3 = check(req:hex2raw(s:req3));
#error4 = check2(req:hex2raw(s:req4));

#display("error1=", hexstr(error1), "\n");
#display("error2=", hexstr(error2), "\n");
#display("error3=", hexstr(error3), "\n");
#display("error4=", hexstr(error4), "\n");

hex1 = hexstr(error1);
hex2 = hexstr(error2);

if (hex1 != hex2)
{
  # Different answers: the patch appears to be installed.
  set_kb_item(name:"SMB/KB824146", value:TRUE);
}
else
{
  # "0500078000" is the value the original treats as "DCOM disabled".
  if (hex1 == "0500078000") exit(0);
  # NOTE(review): two missing replies (error1 == error2 == NULL) also land
  # here and report the host — confirm that is the intended outcome.
  security_hole(port);
}

#2 User is offline   Basti 

  • Private First Class
  • Group: Members
  • Posts: 39
  • Joined: 02-September 03

Posted 11 September 2003 - 12:20 AM

can s.b compile this for noobies like me?

#3 User is offline   thatsmej 

  • Private First Class
  • Group: Members
  • Posts: 103
  • Joined: 17-August 03

Posted 11 September 2003 - 12:31 AM

Basti, on Sep 11 2003, 08:20 AM, said:

can s.b compile this for noobies like me?

it's not an exploit...
it's a proof of concept..

and you can't compile it..
only use it as a module in your nessus scanner...

www.nessus.org

#4 User is offline   mekros 

  • Private First Class
  • Group: Members
  • Posts: 102
  • Joined: 12-August 03

Posted 11 September 2003 - 01:07 AM

that means those using windoze cant use it?

#5 User is offline   chrispen 

  • Private First Class
  • Group: Members
  • Posts: 88
  • Joined: 11-September 03

Posted 11 September 2003 - 05:13 AM

thatsmej, on Sep 11 2003, 08:31 AM, said:

Basti, on Sep 11 2003, 08:20 AM, said:

can s.b compile this for noobies like me?

it`s not an exploit...
it the proof of concept..

and you cant compile it..
only use it as an module in your nessus scanner...

www.nessus.org

hmm you can directly download the new retina scanner which has a scanner only for a class C range for the new rpcss vulnerability

#6 User is offline   GAN_GR33N 

  • Corporal
  • Group: Members
  • Posts: 163
  • Joined: 24-May 03

Posted 11 September 2003 - 03:56 PM

foundstone has a badass scanner for the rpcss

too bad no one has a sploit yet

http://www.foundston...824a4077582a543

#7 User is offline   Imps2 

  • Private First Class
  • Group: Members
  • Posts: 56
  • Joined: 30-July 03

Posted 12 September 2003 - 07:10 AM

Sploit won't take long I guess ;)

#8 User is offline   Nexcess 

  • Corporal
  • Group: Members
  • Posts: 154
  • Joined: 13-September 03

Posted 13 September 2003 - 03:18 AM

I posted the eEye thing to the forum of coromputer (the nice folks who gave us the
webdav sploit). I'm kinda hoping they'll figure something out for this. Worms don't
come from exploit source, they come from the how-to articles like eEye posted on
this. If I knew letter one about coding I could probably figure it out based on the
combined info in the ms article and the eEye warning.

-Nexy

#9 User is offline   killpart 

  • Private
  • Group: Members
  • Posts: 18
  • Joined: 20-December 03

Posted 24 December 2003 - 08:39 AM

wow thx i searched for an rpc range scanner but only found the retina demo hehe
i said thx to you

#10 User is offline   jimmy 

  • Private First Class
  • Group: Members
  • Posts: 135
  • Joined: 21-December 03

Posted 24 December 2003 - 09:40 AM

thx nice one :)

#11 User is offline   hitu 

  • Private
  • Group: Members
  • Posts: 14
  • Joined: 23-January 04

Posted 30 January 2004 - 01:23 PM

whoooaa this scanner is good shit :P

#12 User is offline   ST. 

  • Private First Class
  • Group: Members
  • Posts: 94
  • Joined: 29-December 03

Posted 08 February 2004 - 03:14 PM

very fast and seems to be quite useful, i should avoid to say "thanks", but i'll try - thank you :)
