ms03-049 exploit by wirepair + compiled version (Microsoft Windows XP target)

["Alexander Antipov" <pk95 () yandex ru>]

Hi again!

-- snip --
ms03-049 by wirepair, pretty sweet find, although i can only get this to work on XP. Win2k responds with like
op rng error stating it doesn't know what the hell i'm requesting. Eeye seemed to elude to the fact that 'only xp has 
these
undocumented api's or something, anyways sc is from oc.192's awesome rpc exploit. This is beta and the code is friggen 
disgusting.
It was a hack job basically, but it works and i've tested it on 2 XP no sp machines. I'll add the 'change bindshell 
port' later.
It shouldn't crash the box either, at least in my cases exitthread does the trick. 
This code proves how little i know about crazy windows string stuff if you see a bunch of crap that makes no sense like 
weird casting.

After playing with the each SP, I have come to the conclusion that xp sp1a and sp0 deal with unicode strings 
differently. I'm
forced to use the MultiByteToWideChar for SP0 to process my string (\x89 \x81) seem to change the single byte to 2 
bytes instead
of a null and a byte. SP1 gladly takes my own unicode string but will *not* accept the MultiByteToWide.
I will investigate somehow trying to remotely tell which service pack the remote victim is by trying to get it to 
respond with
a unicode string and somehow have it include a 89 or 81 character so i can see the difference, then scan the buff and 
hope
i can find any clues to which sp the remote host is. 
-- snip --

Download source and executable:

http://www.securityfocus.ru/41269.html