Full Disclosure mailing list archives

Re: ms03-049 exploit + compiled version


From: Stephen <alf1num3rik () yahoo com>
Date: Sat, 15 Nov 2003 03:27:56 -0800 (PST)

Hi Alexander,

A better exploit is public (more options); just look on k-otik:

http://www.k-otik.net/exploits/11.14.MS03-049-II.c.php

Cheers.

--- Alexander Antipov <pk95 () yandex ru> wrote:
Hi again!

-- snip --
ms03-049 by wirepair, pretty sweet find, although I can only get this to work on XP. Win2k responds with, like, an op rng error stating it doesn't know what the hell I'm requesting. eEye seemed to allude to the fact that 'only XP has these undocumented APIs' or something. Anyway, the sc is from oc.192's awesome RPC exploit. This is beta and the code is friggin' disgusting. It was a hack job basically, but it works and I've tested it on 2 XP no-SP machines. I'll add the 'change bindshell port' later. It shouldn't crash the box either; at least in my cases ExitThread does the trick. This code proves how little I know about crazy Windows string stuff if you see a bunch of crap that makes no sense, like weird casting.

After playing with each SP, I have come to the conclusion that XP SP1a and SP0 deal with Unicode strings differently. I'm forced to use MultiByteToWideChar for SP0 to process my string; (\x89 \x81) seems to change the single byte to 2 bytes instead of a null and a byte. SP1 gladly takes my own Unicode string but will *not* accept the MultiByteToWide. I will investigate somehow trying to remotely tell which service pack the remote victim is by trying to get it to respond with

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html