Open Source and information security mailing list archives
Message-ID: <030901c3ab49$dd8af6a0$0bd3bdd5@pigkiller>
From: pk95 at yandex.ru (Alexander Antipov)
Subject: ms03-049 exploit by wirepair + compiled version (Microsoft Windows XP target)

Hi again!

-- snip --
ms03-049 by wirepair, pretty sweet find, although I can only get this to work on XP. Win2k responds with like an
op rng error stating it doesn't know what the hell I'm requesting. eEye seemed to allude to the fact that 'only XP has these
undocumented APIs' or something; anyways, sc is from oc.192's awesome RPC exploit. This is beta and the code is friggen disgusting.
It was a hack job basically, but it works and I've tested it on 2 XP no-SP machines. I'll add the 'change bindshell port' later.
It shouldn't crash the box either; at least in my cases ExitThread does the trick.
This code proves how little I know about crazy Windows string stuff, if you see a bunch of crap that makes no sense like weird casting.

After playing with each SP, I have come to the conclusion that XP SP1a and SP0 deal with Unicode strings differently. I'm
forced to use MultiByteToWideChar for SP0 to process my string; (\x89 \x81) seem to change the single byte to 2 bytes instead
of a null and a byte. SP1 gladly takes my own Unicode string but will *not* accept the MultiByteToWideChar one.
I will investigate somehow trying to remotely tell which service pack the remote victim has by trying to get it to respond with
a Unicode string and somehow have it include an 89 or 81 character so I can see the difference, then scan the buff and hope
I can find any clues to which SP the remote host is.
-- snip --

Download source and executable:

http://www.securityfocus.ru/41269.html
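The quoted notes describe bytes such as 0x89 and 0x81 coming out of MultiByteToWideChar as two non-null bytes rather than the byte-plus-NUL layout a hand-built UTF-16 string would have. The following is an added example, not code from the original post or from wirepair's exploit: it uses Python's cp1252 codec as a stand-in for MultiByteToWideChar with the ANSI code page of a Western-locale Windows target (an assumption; the real target's code page could differ), compares that against the naive byte-then-NUL widening, and reports which byte values in a constructed payload would not survive the conversion. It generalizes the two bytes mentioned in the post to the whole 0x80-0x9F range of cp1252.

```python
# Added example (not from the original post): how an ANSI-to-UTF-16 code-page
# conversion rewrites single bytes such as 0x89 and 0x81, versus the byte, NUL,
# byte, NUL layout an exploit author might build by hand.
#
# Assumption: the target converts with its ANSI code page set to 1252, so Python's
# "cp1252" codec stands in for MultiByteToWideChar(CP_ACP, ...). Payload bytes
# below are constructed for illustration only.

UNDEFINED = None  # marker for byte values the code page does not define


def naive_widen(payload):
    """Byte, NUL, byte, NUL ...: UTF-16LE built directly from raw bytes."""
    return b"".join(bytes((b, 0)) for b in payload)


def ansi_widen(payload, codepage="cp1252"):
    """What a code-page conversion produces: decode via the ANSI code page,
    re-emit as UTF-16LE.

    Python's strict codec raises UnicodeDecodeError for the five positions
    cp1252 leaves undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D). Windows itself does
    not fail on those; this example does not assert what it emits for them.
    """
    return payload.decode(codepage).encode("utf-16-le")


def mangled_bytes(codepage="cp1252"):
    """Map every byte value whose widening is not simply byte+NUL to its
    widened form, or to UNDEFINED if the code page has no mapping for it."""
    out = {}
    for b in range(256):
        raw = bytes([b])
        try:
            wide = ansi_widen(raw, codepage)
        except UnicodeDecodeError:
            out[b] = UNDEFINED
            continue
        if wide != naive_widen(raw):
            out[b] = wide
    return out


def unsafe_offsets(payload, codepage="cp1252"):
    """Offsets in payload whose byte will not come out as byte+NUL."""
    bad = mangled_bytes(codepage)
    return [i for i, b in enumerate(payload) if b in bad]


if __name__ == "__main__":
    for sample in (b"\x89", b"\x81", b"A"):
        try:
            print(sample.hex(), "->", ansi_widen(sample).hex())
        except UnicodeDecodeError:
            print(sample.hex(), "-> undefined in cp1252")
    demo = b"\x90\x90\x89\x41\x81\x42"  # constructed payload fragment
    print("unsafe offsets:", unsafe_offsets(demo))
    print("bytes mangled by cp1252:", [hex(b) for b in sorted(mangled_bytes())])
```

Running it shows 0x89 becoming 30 20 (U+2030 in UTF-16LE), which is the "2 bytes instead of a null and a byte" behaviour described above, while every byte outside 0x80-0x9F widens to byte+NUL under cp1252 just as under Latin-1. A payload that must pass through such a conversion therefore has to avoid exactly those 32 values, or be encoded so that the post-conversion bytes are the ones that matter.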


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031115/178bd1a0/attachment.html
