74 replies to this topic

[jpno5]

Indeed it crashes the service on a Windows 2000 SP4 German !
I've got an error telling that the address 0x7c2fa0f7 couldn't be read...
now playing the noob...
what is the process to follow to find out the correct address for that exploit to work on a german system too ?

Could be a good practice for me to start learning these bof

findjmp, like i said a few posts back, if all u skiddies botherd to read shit, uz might fuckin learn something

[Hellraiseruk]

Nice Work M8..i rember when there was a old dameware exploit and was vert successfull so i hope this will be the same

wish me luck

Tibbar says: why should we wish you luck on hacking other people's computers, after this glorified thanx post. Be warned ppl I'm watching you...next one i catch gets whacked.

[isaiah]

all I got to say im dissapointed in this board the way it has gotten.....what is up with all reply post...

oMg my NC w0nt work heeeelpp me...come on now do you guys even bother to read or or check anything out with it? its kinda commen sense...damn admins you guys gotta delet everyone that deleted wrote that kinda post....

[CrowDat]

I trying to download the latest version of dameware to path all vulnerable PC's in my lan and the domain www.dameware.com appears it's down.
This is a whois to the domain

DameWare Development, LLC
  241 Morningside Drive
  Mandeville, LA 70448
  US

I'm spanish, and i don't know the location of Mandeville but looking in google i found this http://www.city-data...-Louisiana.html , it's near of New Orleans.

I think the domain it's down for the hurricane Katrina. it's possible ?

Greetings

[RFlash]

I trying to download the latest version of dameware to path all vulnerable PC's in my lan and the domain www.dameware.com appears it's down.
This is a whois to the domain

DameWare Development, LLC
   241 Morningside Drive
   Mandeville, LA 70448
   US

I'm spanish, and i don't know the location of Mandeville but looking in google i found this http://www.city-data...-Louisiana.html , it's near of New Orleans.

I think the domain it's down for the hurricane Katrina. it's possible ?

Greetings

Yes, you are right:

hxxp://www.itms.dk

hxxp://support.itms.dk/topic.asp?TOPIC_ID=98

But, you may try this to download the updates:

hxxp://itms.dk/download.asp



RFlash

[Rafter]

findjmp, like i said a few posts back, if all u skiddies botherd to read shit, uz might fuckin learn something

<{POST_SNAPBACK}>

Thx for the advice, but I was asking for a bit more information...
Anyway as I don't like when people are calling me a "skiddy" I tried on my own to find a way to my problem (I could have done that before, but I was just being lazy and hoping someone would help )

Now what I did is the following:
- Trying to find out which register I should look for in the "advapi32.dll" by comparing the value of the return adress which is in the code and the one I get by using findjmp on a Win2K SP4 English machine.
The following result led me to the fact that I have got to look for ESP register

Scanning advapi32.dll for code useable with the ESP register
0x7C2E97AB	call ESP
0x7C2E9B53	jmp ESP
0x7C2EE21B	jmp ESP
0x7C2F9561	push ESP - ret
0x7C2FA0F7	jmp ESP
Finished Scanning advapi32.dll for code useable with the ESP register
Found 5 usable addresses

- Now doing the same findjmp command on a Win2K SP4 German I get the following:

Scanning advapi32.dll for code useable with the ESP register
0x79386A55	push ESP - ret
0x7938D043	jmp ESP
0x7938D58C	call ESP
0x7938DE83	call ESP
0x7938E083	call ESP
Finished Scanning advapi32.dll for code useable with the ESP register
Found 5 usable addresses

- At that point I'm not sure if that's good or not, but I have got to admit that as I don't know much of registers and assembly I can only guess for the best

So It looked like to me that the address 0x7938D043 might be the one I was looking for in order to make the exploit work on a German Win2k

- Compiled the whole thing, and tested but doesn't work...

       ====== D4m3w4r3 eXpLo1t, By jpno5 ======
        ======    http://www.jpno5.com    ======

[#] Listening For Shell On: 666...
[*] Target: WIN 2000 SP: 4...
[*] Waiting for Shell...
[*] Enjoy...

[x] Connection closed.

But the difference is that it didn't crashed the service...

So now, could someone tell me if I did it all wrong or if I have to look for something else ?

[TuT]

Hmm,

I was testing this exploit in my network but somehow i never seem to get the connect back shell (Why.. i don't know..) but im pretty sure we're still using a VULN version.. so my question is how can i replace the CB Shell with a Bind Shell if this is possible in anyway ?

I really appreciate your help

Could it be because i got a Dutch windows ?

EDIT:
Ill play around a bit with it i hope i can figure out a way to get it maybe working

[MilchKuh]

genereate a bindshell with metasploit and rewrite the shell step in the source

[jpno5]

uv no chance

[CrowDat]

Trying with DWRCSET.DLL i found this..

Scanning DWRCSET.DLL for code useable with the esp register
0x10007030      push esp - ret
0x1000F910      jmp esp
Finished Scanning DWRCSET.DLL for code useable with the esp register
Found 2 usable addresses

The same result in:

Windows XP SP1,SP2 [Spanish]
Windows 2000 SP2,SP4 [Spanish , English]

Greetings

[LambofGod]

[#]Listening For Shell On: [PORT]...
[*] Target: WIN 2000 SP: 4...
[*] Waiting for Shell...
[*] Enjoy...

Microsoft Windows 2000 [Version 5.00.2195]

i got only this...nothing more...cant enter any cmds in shell...any solutions?

[QuadMedic]

[#] Listening For Shell On: [PORT]...
[*] Target: WIN 2000 SP: 4...
[*] Waiting for Shell...
[*] Enjoy...

Microsoft Windows 2000 [Version 5.00.2195]

i got only this...nothing more...cant enter any cmds in shell...any solutions?

<{POST_SNAPBACK}>

Me 2 but it's only certain boxes so keep trying

[MasterWeb]

after runing this exploit Target was Crash !!! but i got this :
[#] Listening For Shell On: [PORT]...
[*] Target: WIN 2000 SP: 4...
[*] Waiting for Shell...
[*] Enjoy...

[Trackmaster]

[#] Listening For Shell On: [PORT]...
[*] Target: WIN 2000 SP: 4...
[*] Waiting for Shell...
[*] Enjoy...

Microsoft Windows 2000 [Version 5.00.2195]

i got only this...nothing more...cant enter any cmds in shell...any solutions?

<{POST_SNAPBACK}>

Me 2 but it's only certain boxes so keep trying

<{POST_SNAPBACK}>

press enter - and it usually drops fully to a shell

[jpno5]

ffs tracky u didnae huv to tell em that lol