Full Disclosure mailing list archives
RE: MS03-039 - Exploit ...
From: Andre Ludwig <ALudwig () Calfingroup com>
Date: Wed, 10 Sep 2003 20:17:00 -0700
Please correct me if I am wrong but it looks like this nessus script was written for the eeye exploit. (judging by the 4 requests in the script). Andre Ludwig, CISSP -----Original Message----- From: Elv1S [mailto:elvi52001 () yahoo com] Sent: Wednesday, September 10, 2003 4:24 PM To: full-disclosure () lists netsys com Subject: [Full-disclosure] MS03-039 - Exploit ... from nessus lol # The script code starts here # function dcom_recv(socket) { local_var buf, len; buf = recv(socket:socket, length:10); if(strlen(buf) != 10)return NULL; len = ord(buf[8]); len += ord(buf[9])*256; buf += recv(socket:socket, length:len - 10); return buf; } port = 135; if(!get_port_state(port))port = 593; else { soc = open_sock_tcp(port); if(!soc)port = 593; else close(soc); } if(!get_port_state(port))exit(0); #-------------------------------------------------------------# function hex2raw(s) { local_var i, j, ret;
for(i=0;i<strlen(s);i+=2)
{ if(ord(s[i]) >= ord("0") && ord(s[i]) <= ord("9")) j = int(s[i]); else j = int((ord(s[i]) - ord("a")) + 10); j *= 16; if(ord(s[i+1]) >= ord("0") && ord(s[i+1]) <= ord("9")) j += int(s[i+1]); else j += int((ord(s[i+1]) - ord("a")) + 10); ret += raw_string(j); } return ret; } #--------------------------------------------------------------# function check(req) { local_var soc, bindstr, error__code, r; soc = open_sock_tcp(port); if(!soc)exit(0); bindstr = "05000b03100000004800000001000000d016d016000000000100000000000100a0010000000 00000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000"; send(socket:soc, data:hex2raw(s:bindstr)); r = dcom_recv(socket:soc); if(!r)exit(0); send(socket:soc, data:req); r = dcom_recv(socket:soc); if(!r)return NULL; close(soc); error_code = substr(r, strlen(r) - 4, strlen(r)); return error_code; } function check2(req) { local_var soc,bindstr, error_code, r; soc = open_sock_tcp(port); if(!soc)exit(0); bindstr = "05000b03100000004800000001000000d016d016000000000100000000000100a0010000000 00000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000"; send(socket:soc, data:hex2raw(s:bindstr)); r = dcom_recv(socket:soc); if(!r)exit(0); send(socket:soc, data:req); r = dcom_recv(socket:soc); if(!r)return NULL; error_code = substr(r, strlen(r) - 24, strlen(r) - 20); return error_code; } #---------------------------------------------------------------# # Determine if we the remote host is running Win955/98/ME bindwinme = "05000b03100000004800000053535641d016d016000000000100000000000100e6730ce6f98 8cf119af10020af6e72f402000000045d888aeb1cc9119fe808002b10486002000000"; soc = open_sock_tcp(port); if(!soc)exit(0); send(socket:soc, data:hex2raw(s:bindwinme)); rwinme = dcom_recv(socket:soc); close(soc); lenwinme = strlen(rwinme); stubwinme = substr(rwinme, lenwinme-24, lenwinme-21); # This is Windows 95/98/ME which is not vulnerable if("02000100" >< hexstr(stubwinme))exit(0); #----------------------------------------------------------------# REGDB_CLASS_NOTREG = "5401048000"; CO_E_BADPATH = "0400088000"; NT_QUOTE_ERROR_CODE_EQUOTE = "00000000"; # req1 = "0500000310000000b0030000010000009803000000000400050002000000000000000000000 0000000000000000000000000000000000000000000009005140068030000680300004d454f5 704000000a201000000000000c0000000000000463803000000000000c000000000000046000 0000038030000300300000000000001100800ccccccccc80000000000000030030000d800000 00000000002000000070000000000000000000000000000000000000018018d00b8018d00000 0000007000000b901000000000000c000000000000046ab01000000000000c00000000000004 6a501000000000000c000000000000046a601000000000000c000000000000046a4010000000 00000c000000000000046ad01000000000000c000000000000046aa01000000000000c000000 0000000460700000060000000580000009000000058000000200000006800000030000000c00 0000001100800cccccccc5000000000000000ffffffff0000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000001100800cccccccc480000000000000 0005d889aeb1cc9119fe808002b1048601000000000000000000000000100000000000000b84 70a005800 000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc 80000000000000000000000000000000000000000000000020ba090000000000600000006000 00004d454f5704000000c001000000000000c0000000000000463b03000000000000c0000000 00000046000000003000000001000100673c70941333fd4687244d093988939d020000000000 0000000000000000000000000000000000000100000001100800cccccccc4800000000000000 00000000b07e09000000000000000000f0890a0000000000000000000d000000000000000d00 0000730061006a00690061006400650076005f0078003800360000000800cccccccc01100800 cccccccc10000000000000000000000000000000000000000000000001100800cccccccc5800 000000000000c05e0a000000000000000000000000001b000000000000001b0000005c005c00 00005c006a00690061006400650076005f007800000036005c007000750062006c0069006300 5c004100410041004100000000000100150001100800cccccccc200000000000000000000000 905b09000200000001006c00c0df0800010000000700550000000000"; req2 = "0500000310000000b0030000020000009803000000000400050002000000000000000000000 0000000000000000000000000000000000000000000009005140068030000680300004d454f5 704000000a201000000000000c0000000000000463803000000000000c000000000000046000 0000038030000300300000000000001100800ccccccccc80000000000000030030000d800000 00000000002000000070000000000000000000000000000000000000018018d00b8018d00000 0000007000000b901000000000000c000000000000046ab01000000000000c00000000000004 6a501000000000000c000000000000046f601000000000000c000000000000046ff010000000 00000c000000000000046ad01000000000000c000000000000046aa01000000000000c000000 0000000460700000060000000580000009000000058000000200000006800000030000000c00 0000001100800cccccccc5000000000000000ffffffff0000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000001100800cccccccc480000000000000 0005d889aeb1cc9119fe808002b1048601000000000000000000000000100000000000000b84 70a005800 000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc 80000000000000000000000000000000000000000000000020ba090000000000600000006000 00004d454f5704000000c001000000000000c0000000000000463b03000000000000c0000000 00000046000000003000000001000100673c70941333fd4687244d093988939d020000000000 0000000000000000000000000000000000000100000001100800cccccccc4800000000000000 00000000b07e09000000000000000000f0890a0000000000000000000d000000000000000d00 0000730061006a00690061006400650076005f0078003800360000000800cccccccc01100800 cccccccc10000000000000000000000000000000000000000000000001100800cccccccc5800 000000000000c05e0a000000000000000000000000001b000000000000001b0000005c005c00 00005c006a00690061006400650076005f007800000036005c007000750062006c0069006300 5c004100410041004100000000000100150001100800cccccccc200000000000000000000000 905b09000200000001006c00c0df0800010000000700550000000000"; req3 = "05000e03100000004800000003000000d016d01605af00000100000001000100b84a9f4d1c7 dcf11861e0020af6e7c5700000000045d888aeb1cc9119fe808002b10486002000000"; req4 = "05000003100000009a000000030000008200000001000000050002000000000000000000000 00000000000000000000000000000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f0 00700000000000000070000005c005c004d0045004f00570000000000000000005c0048005c0 048000100000058e98f00010000009596952a8cda6d4ab23619bcaf2c2dea010000000100000 05c00"; #display(hex2raw(s:req)); #exit(0); error1 = check(req:hex2raw(s:req1)); error2 = check(req:hex2raw(s:req2)); #error3 = check(req:hex2raw(s:req3)); #error4 = check2(req:hex2raw(s:req4)); #display("error1=", hexstr(error1), "\n"); #display("error2=", hexstr(error2), "\n"); #display("error3=", hexstr(error3), "\n"); #display("error4=", hexstr(error4), "\n"); if(hexstr(error2) == hexstr(error1)) { if(hexstr(error1) == "0500078000")exit(0); # DCOM disabled security_hole(port); } else { set_kb_item(name:"SMB/KB824146", value:TRUE); } _____ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Testez le nouveau Yahoo! <http://fr.mail.yahoo.com> Mail
Current thread:
- RE: MS03-039 - Exploit ... Andre Ludwig (Sep 10)