Message-ID: <42AC800B.7030400@class101.org>
Date: Sun Jun 12 19:36:43 2005
From: ad at class101.org (class)
Subject: a small update for HOD NETDDE scanner/exploit MS04-031
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have been interested today to look at the HOD exploit code for the old
MS04-031 remote netdde vulnerability. There is a scanner in it which
helps you to grab the computername via netbios if you are permitted.
But while testing it I found out, and you probably did too, that it's not
grabbing the computername on a large part of computers where the cpname
is still in the buffer... The HOD check looks like:
[...]
    r = recv(sock, (char *)buf, 256, 0);
    if (r < 0) goto err;
    printf("OK\n");
    smbname = find_smbname(buf, r);
    if (smbname == NULL) goto err;
    /* note: this is the offset of smbname inside buf, not the number of
       received bytes left after it, so the decode loop below can walk
       past the data that was actually received */
    smbname_len = smbname - buf;
    name = (unsigned char *)calloc(smbname_len, 1);
    /* decoding: keep every non-zero byte, which drops the UTF-16LE high bytes */
    r = 0;
    while (smbname_len) {
        if (*smbname != '\x00') {
            name[r] = *smbname;
            r++;
        }
        smbname++;
        smbname_len--;
    }
    return name;
[...]
/* skip 91 header bytes, then return a pointer just past the first run of
   three zero bytes; the bound is taken relative to the skipped start, so
   the scan can read up to 91 bytes beyond the received data, and len < 3
   makes "len - 3" wrap for an unsigned long */
unsigned char *find_smbname(unsigned char *data, unsigned long len)
{
    unsigned char *ptr;
    unsigned long i = 0;
    ptr = data;
    ptr += 91;
    while (i <= len - 3) {
        if (ptr[i] == '\x00')
            if (ptr[i+1] == '\x00')
                if (ptr[i+2] == '\x00')
                    return ptr+i+3;
        i++;
    }
    return NULL;
}
Here is my computername check; so far I got a 100% result on all
computername checks, OK where the HOD method missed them:
[...]
        rc = recv(s, (char *)recvbufa, 256, 0);
    }   /* closes a block whose start is elided above */
    if (rc <= 0) { mthread--; closesocket(s); return nice; }
    /* the name sits at the very end of the reply as UTF-16LE followed by a
       two-byte terminator, so the buffer has to end in three zero bytes
       (rc >= 4 keeps the indexes below from going negative) */
    if (rc >= 4 && recvbufa[rc-1] == 0 && recvbufa[rc-2] == 0 && recvbufa[rc-3] == 0)
    {
        /* walk backwards over (char, 0x00) pairs until a zero low byte or a
           non-zero high byte is met, stopping at the start of the buffer */
        for (j = 0, k = 0;
             rc-4-j >= 0 && recvbufa[rc-4-j+1] == 0 && recvbufa[rc-4-j] != 0;
             j += 2, k++)
        {
            name[k] = recvbufa[rc-4-j];
        } //how el8, got cpname in 3 lines
        /* the characters were collected last-to-first, so reverse them */
        for (i = 0, j = k-1; i < j; i++, j--) //omg, el8 inverse in 3 lines :>
        {
            l = name[i];
            name[i] = name[j];
            name[j] = l;
        }
        hn = name;
    }
This might help you if you are interested in fixing your scanner
copy/pasted from the HOD code :>
Greets to them anyway, I will rip a part of all this for dfind.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
iD8DBQFCrIAGLyZ8K9aT7rARAjRbAJwMA8CEjgl66lRGTkf/14Sfd9eFKQCfXKf7
R2RRPvz7iwmyh9MZHLT6F2w=
=iPKf
-----END PGP SIGNATURE-----
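The two extraction approaches above, rewritten as bounds-checked functions and run against a constructed buffer. This is an added example, not code from the post, from HOD or from dfind: the 91-byte skip (HOD_SKIP) is the only value taken from the posted code, build_sample() produces a synthetic buffer (filler header, a run of zero bytes, the name as UTF-16LE, a two-byte terminator) and not a real SMB reply, and "WORKSTATION1" is a made-up name. Unlike the posted fragments, both functions check every index against the received length, so a short or malformed reply cannot make them read outside the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header length the posted HOD code skips before searching. */
#define HOD_SKIP 91

/* Tail approach (the post's method), bounds-checked: the buffer must end in
 * three zero bytes; walk backwards over (char, 0x00) pairs until a zero low
 * byte or a non-zero high byte is met, then reverse the collected bytes.
 * Returns the name length (0 when none); out is always NUL-terminated. */
size_t name_from_tail(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t n = 0, pos;
    if (outlen == 0) return 0;
    out[0] = '\0';
    if (len < 4 || buf[len-1] || buf[len-2] || buf[len-3]) return 0;
    pos = len - 4;                         /* low byte of the last character */
    while (n + 1 < outlen && buf[pos] != 0 && buf[pos+1] == 0) {
        out[n++] = (char)buf[pos];
        if (pos < 2) break;                /* reached the start of the buffer */
        pos -= 2;
    }
    out[n] = '\0';
    for (size_t i = 0, j = n ? n - 1 : 0; i < j; i++, j--) {
        char t = out[i]; out[i] = out[j]; out[j] = t;
    }
    return n;
}

/* Forward approach (HOD's method), bounds-checked: skip the header, find the
 * first run of three zero bytes and keep the non-zero bytes after it. Only
 * bytes that were actually received are decoded, and a run that is merely
 * the trailing terminator yields nothing. */
size_t name_after_triple_null(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    if (len < HOD_SKIP + 3) return 0;
    for (size_t i = HOD_SKIP; i + 2 < len; i++) {
        if (buf[i] == 0 && buf[i+1] == 0 && buf[i+2] == 0) {
            for (size_t k = i + 3; k < len && n + 1 < outlen; k++)
                if (buf[k] != 0) out[n++] = (char)buf[k];
            out[n] = '\0';
            return n;
        }
    }
    return 0;
}

/* Constructed sample (not a real SMB packet): HOD_SKIP filler bytes, nzeros
 * zero bytes, the name as UTF-16LE, then the two-byte terminator. */
size_t build_sample(unsigned char *buf, size_t cap, const char *name, size_t nzeros)
{
    size_t len = HOD_SKIP;
    memset(buf, 0x41, HOD_SKIP);           /* filler standing in for the header */
    for (size_t z = 0; z < nzeros && len < cap; z++) buf[len++] = 0;
    for (const char *p = name; *p && len + 4 <= cap; p++) {
        buf[len++] = (unsigned char)*p;    /* low byte: the character */
        buf[len++] = 0;                    /* high byte: zero for ASCII */
    }
    buf[len++] = 0; buf[len++] = 0;        /* UTF-16 terminator */
    return len;
}

/* Builds the sample, runs one method and returns the decoded name
 * ("" when nothing was found) from a static buffer. */
const char *demo(const char *name, size_t nzeros, int use_tail)
{
    static unsigned char buf[256];
    static char out[64];
    size_t len = build_sample(buf, sizeof buf, name, nzeros);
    if (use_tail) name_from_tail(buf, len, out, sizeof out);
    else          name_after_triple_null(buf, len, out, sizeof out);
    return out;
}

int main(void)
{
    /* With only two zero bytes before the name, the sole triple-null run is
     * the trailing terminator, so the forward method finds nothing while the
     * tail method still decodes the name. */
    printf("2 zeros, forward: \"%s\"\n", demo("WORKSTATION1", 2, 0));
    printf("2 zeros, tail:    \"%s\"\n", demo("WORKSTATION1", 2, 1));
    printf("3 zeros, forward: \"%s\"\n", demo("WORKSTATION1", 3, 0));
    printf("3 zeros, tail:    \"%s\"\n", demo("WORKSTATION1", 3, 1));
    return 0;
}
```

The 2-zero case reproduces, on a synthetic buffer, the kind of reply the post describes: the name is present at the end, the tail scan recovers it, and the forward scan's only match is the terminator itself. Whether a given real reply looks like this depends on what precedes the name on the wire, which the post does not spell out.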