From: alf1num3rik at yahoo.com (Stephen)
Subject: ms03-049 exploit + compiled version

Hi Alexander,

A better exploit is public (more options); just look
on k-otik*

http://www.k-otik.net/exploits/11.14.MS03-049-II.c.php

Cheers.

--- Alexander Antipov <pk95@...dex.ru> wrote:
> Hi again!
> 
> -- snip --
> ms03-049 by wirepair, pretty sweet find, although I
> can only get this to work on XP. Win2k responds with
> like an op rng error stating it doesn't know what the hell
> I'm requesting. Eeye seemed to allude to the fact
> that 'only xp has these undocumented api's' or something;
> anyways sc is from oc.192's awesome rpc exploit. This is
> beta and the code is friggen disgusting.
> It was a hack job basically, but it works and I've
> tested it on 2 XP no sp machines. I'll add the
> 'change bindshell port' later.
> It shouldn't crash the box either, at least in my
> cases exitthread does the trick.
> This code proves how little I know about crazy
> windows string stuff if you see a bunch of crap that
> makes no sense like weird casting.
> 
> After playing with each SP, I have come to the
> conclusion that xp sp1a and sp0 deal with unicode
> strings differently. I'm forced to use MultiByteToWideChar
> for SP0 to process my string; (\x89 \x81) seem to change the
> single byte to 2 bytes instead of a null and a byte.
> SP1 gladly takes my own unicode string but will *not*
> accept the MultiByteToWide.
> I will investigate somehow trying to remotely tell
> which service pack the remote victim is by trying to
> get it to respond with

