From: alf1num3rik at yahoo.com (Stephen)
Subject: ms03-049 exploit + compiled version

Hi Alexander,

A better exploit is public (more options), just look on k-otik:
http://www.k-otik.net/exploits/11.14.MS03-049-II.c.php

Cheers.

--- Alexander Antipov <pk95@...dex.ru> wrote:

> Hi again!
>
> -- snip --
> ms03-049 by wirepair, pretty sweet find, although I can only get this to
> work on XP. Win2k responds with something like an op rng error stating it
> doesn't know what the hell I'm requesting. eEye seemed to allude to the fact
> that only XP has these undocumented APIs or something; anyways, sc is from
> oc.192's awesome rpc exploit. This is beta and the code is friggen
> disgusting. It was a hack job basically, but it works and I've tested it on
> 2 XP no-SP machines. I'll add the 'change bindshell port' later.
> It shouldn't crash the box either; at least in my cases exitthread does the
> trick. This code proves how little I know about crazy Windows string stuff
> if you see a bunch of crap that makes no sense like weird casting.
>
> After playing with each SP, I have come to the conclusion that XP SP1a and
> SP0 deal with Unicode strings differently. I'm forced to use
> MultiByteToWideChar for SP0 to process my string; (\x89 \x81) seems to
> change the single byte to 2 bytes instead of a null and a byte. SP1 gladly
> takes my own Unicode string but will *not* accept the MultiByteToWide.
> I will investigate somehow trying to remotely tell which service pack the
> remote victim is by trying to get it to respond with