Full Disclosure mailing list archives
a small update for HOD NETDDE scanner/exploit MS04-031
From: class <ad () class101 org>
Date: Sun, 12 Jun 2005 20:33:47 +0200
I have been interested today to look at the HOD exploit code for the old MS04-031 remote netdde vulnerability. There is a scanner in it which helps you to grab the computername via netbios if you are permitted. But while testing it I found out, and you prolly so, that it's not grabbing the computername on a large part of computers where the cpname is still in the buffer... The HOD check looks like:

[...]

```c
r = recv(sock, (char *)buf, 256, 0);
if (r < 0)
    goto err;
printf("OK\n");
smbname = find_smbname(buf, r);
if (smbname == NULL)
    goto err;
/* note: this is the offset of the name, not the number of bytes left after it */
smbname_len = smbname - buf;
name = (unsigned char *)calloc(smbname_len, 1);
/* decoding: drop the zero high bytes of the UTF-16 name */
r = 0;
while (smbname_len) {
    if (*smbname != '\x00') {
        name[r] = *smbname;
        r++;
    }
    smbname++;
    smbname_len--;
}
return name;
```

[...]

```c
/* skip the fixed 91-byte header, then return the data after the
 * first run of three consecutive NUL bytes */
unsigned char *find_smbname(unsigned char *data, unsigned long len)
{
    unsigned char *ptr;
    unsigned long i = 0;

    ptr = data;
    ptr += 91;
    while (i <= len - 3) {
        if (ptr[i] == '\x00')
            if (ptr[i + 1] == '\x00')
                if (ptr[i + 2] == '\x00')
                    return ptr + i + 3;
        i++;
    }
    return NULL;
}
```

Here is my computername check, yet I got a 100% result on all computername checks ok and missed by HOD's method:

[...]

```c
rc = recv(s, (char *)recvbufa, 256, 0);
if (rc <= 0) {
    mthread--;
    closesocket(s);
    return nice;
}
/* the reply ends with the UTF-16 name followed by its NUL terminator,
 * so the last three bytes are zero: walk backwards from there */
if (recvbufa[rc - 1] == 0 && recvbufa[rc - 2] == 0 && recvbufa[rc - 3] == 0) {
    for (j = 0, k = 0;
         recvbufa[rc - 4 - j + 1] == 0 && recvbufa[rc - 4 - j] != 0;
         j++, j++, k++) {
        memset(name + k, recvbufa[rc - 4 - j], 1);
    } // how el8, got cpname in 3 lines
    for (i = 0, j = k - 1; i < j; i++, j--) // omg, el8 inverse in 3 lines :>
    {
        l = name[i];
        name[i] = name[j];
        name[j] = l;
    }
    hn = name;
}
```

This might help you if you are interested to fix your scanner copy/pasted from the HOD code :> Greets to them anyway, I will rip a part of all this for dfind.
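Added example, not code from the post: the same backward scan in C with the bounds checks the fragment above lacks (no read below index 0, nothing done when fewer than 3 bytes arrived, output length capped), run over a constructed reply buffer. It assumes the layout the post relies on: the name as UTF-16LE "byte, 0x00" pairs, then its two-byte NUL terminator, and a zero byte (or a non-zero high byte) just before the name to stop the scan.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked backward scan for the UTF-16LE computer name at the end of
 * the buffer. Returns the number of characters written to name; 0 if the
 * buffer does not end in the expected NUL tail. */
size_t extract_cpname(const unsigned char *buf, size_t rc,
                      char *name, size_t namelen)
{
    size_t k = 0, i, j;
    long pos;

    if (namelen == 0 || rc < 3 || buf[rc - 1] || buf[rc - 2] || buf[rc - 3])
        return 0;                 /* no three trailing NULs: not our layout */

    /* walk back two bytes at a time: buf[pos] is the ASCII byte, buf[pos+1]
     * its zero high byte; stop at a NUL byte, a non-zero high byte, or the
     * start of the buffer (the original loop had no lower bound) */
    for (pos = (long)rc - 4; pos >= 0 && k + 1 < namelen; pos -= 2) {
        if (buf[pos] == 0 || buf[pos + 1] != 0)
            break;
        name[k++] = (char)buf[pos];
    }
    name[k] = '\0';

    /* characters were collected last-to-first: reverse in place */
    for (i = 0, j = k ? k - 1 : 0; i < j; i++, j--) {
        char t = name[i]; name[i] = name[j]; name[j] = t;
    }
    return k;
}

/* Constructed sample, not a captured packet: filler ending in two NULs,
 * "WKS01" in UTF-16LE, then the two-byte terminator (three NULs total). */
const unsigned char sample_ok[] = {
    0x01, 0x02, 0x00, 0x00,
    'W', 0, 'K', 0, 'S', 0, '0', 0, '1', 0, 0, 0 };
/* Constructed: a reply cut off before the NUL tail, which must be rejected. */
const unsigned char sample_cut[] = { 0x00, 'W', 0, 'K', 0 };

char extracted[64];   /* result buffer shared by the checks below */

size_t check_ok(void)  { return extract_cpname(sample_ok,  sizeof sample_ok,  extracted, sizeof extracted); }
size_t check_cut(void) { return extract_cpname(sample_cut, sizeof sample_cut, extracted, sizeof extracted); }

int main(void)
{
    size_t n = check_ok();
    printf("%zu chars: %s\n", n, extracted);   /* prints "5 chars: WKS01" */
    return 0;
}
```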
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/