Full Disclosure mailing list archives
ms03-049 exploit by wirepair + compiled version (Microsoft Windows XP target)
From: "Alexander Antipov" <pk95 () yandex ru>
Date: Sat, 15 Nov 2003 10:27:01 +0300
Hi again! -- snip -- ms03-049 by wirepair, pretty sweet find, although i can only get this to work on XP. Win2k responds with like op rng error stating it doesn't know what the hell i'm requesting. Eeye seemed to elude to the fact that 'only xp has these undocumented api's or something, anyways sc is from oc.192's awesome rpc exploit. This is beta and the code is friggen disgusting. It was a hack job basically, but it works and i've tested it on 2 XP no sp machines. I'll add the 'change bindshell port' later. It shouldn't crash the box either, at least in my cases exitthread does the trick. This code proves how little i know about crazy windows string stuff if you see a bunch of crap that makes no sense like weird casting. After playing with the each SP, I have come to the conclusion that xp sp1a and sp0 deal with unicode strings differently. I'm forced to use the MultiByteToWideChar for SP0 to process my string (\x89 \x81) seem to change the single byte to 2 bytes instead of a null and a byte. SP1 gladly takes my own unicode string but will *not* accept the MultiByteToWide. I will investigate somehow trying to remotely tell which service pack the remote victim is by trying to get it to respond with a unicode string and somehow have it include a 89 or 81 character so i can see the difference, then scan the buff and hope i can find any clues to which sp the remote host is. -- snip -- Download source and executable: http://www.securityfocus.ru/41269.html
Current thread:
- ms03-049 exploit by wirepair + compiled version (Microsoft Windows XP target) Alexander Antipov (Nov 14)
- Re: ms03-049 exploit + compiled version Stephen (Nov 15)