-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 While replicating, it's possible to guess the OS and SP, in addition you have the heap base address. Conclusion: all needed for a skilled hacker to intrude a vulnerable computer, however a script kiddie won't be able to do something because each wrong hacking attempt may corrupt the WINS database and so on , move where this is needed to overwrite. This is where the skilled hacker will use the heap base address retrieved while scanning to start a bruteforce attack , nor at best, to analyze how is moving the heap :) For example, the exploit that I have published (v0.3) is doing a small part of 2k with the corresponding heap base , but you will have to update it to catch some other heap positions. I attach the win32 binary, follow class101.org and hat-squad.com if you are looking for the source or FreeBSD version, I think I will share them soon. - -v....: lite verbose - -vv..: ultra verbose threads: 0-4999 else all go in HS_WINS.txt Screenshot: IP.............: ***:42 STATUS.........: wins enabled VULNERABILITY..: NOT_PATCHED OS.............: Windows 2000 SP3 IP.............: ***:42 STATUS.........: wins enabled VULNERABILITY..: patched OS.............: Windows 2000 SP4 IP.............: ***:42 STATUS.........: wins enabled VULNERABILITY..: patched OS.............: Windows 2000 SP4 IP.............: ***:42 STATUS.........: not wins, wrong datas IP.............: ***:42 STATUS.........: wins enabled VULNERABILITY..: patched OS.............: Windows 2003 SP0 IP.............: ***:42 STATUS.........: wins enabled VULNERABILITY..: NOT_PATCHED OS.............: Windows 2003 SP0 IP.............: ***:42 STATUS.........: nothing received, not wins or vulnerable service freezing etc,etc temp download: http://class101.org/HS_WINS.exe temp download: http://class101.org/HS_WINS.cpp (if both links are broken, then navigate manually through my website and find it!) 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCddxCLyZ8K9aT7rARAttoAKCUKwPevLrHgi1pLoZhuQQyST6AbQCfVTg5 5hV6WR3TAB2req9LlAr19Z8= =l52z -----END PGP SIGNATURE----- /* HAT-SQUAD WINS VULNERABILITY/OS SCANNER ------------------------------------ ------------------------------------ Note: ---------------- By default, nothing printed on screen, 200 threads, all results in the file HS_WINS.txt -v..: lite verbose, will print the 'NOT_PATCHED' results on the screen -vv.: hard verbose, will print ALL results on the screen Increase or decrease the number of threads as you need. NT4 os are detected but not the vulnerability (not assested) Win32....: msvc++6 FreeBSD..: gcc HS_WINS.cpp -o HS_WINS [-pthread|-lpthread] sh00t: ---------------- To all FD kiddies, boring writers, life seekers, as vulcanius, DayJay, and compagnie.. talking about their politics, minds, ass, on a security mailinglist, shut the fuck up, time to gr0w up, blowjob lovers.. Another stupid one, badpack3t, caught that one spamming on my homepage for his website (gayprotocols.com :>) hmm yeah so.. you can maybe claim or ppl might think that wasn't you. 
the spammer had nick/ip badpack3t/63.204.179.51, which was your nick/ip in w00w00 chann, Whaha, kiddie spotted, sh00ted :) -=[®class101.org]=- */
/*
 * Review notes (a defender's reading of this file):
 *
 *  - What it does: for every address in a range it opens TCP/42 (the port the
 *    output labels "wins"), sends the fixed 45-byte probe held in `data`, and
 *    classifies the reply by comparing individual bytes of the first 50 bytes
 *    received. Every host is logged to HS_WINS.txt in the current directory;
 *    `-v` / `-vv` additionally echo results to the screen.
 *  - Detection: the probe is a constant byte string sent to TCP/42 from many
 *    parallel connections (200 by default, up to 4999). The author's own status
 *    text ("vulnerable service freezing") admits that probed services may hang,
 *    so this is a disruptive, not a passive, scan.
 *  - Code-level caveats are noted inline where they occur: process-wide globals
 *    mutated by every worker thread without synchronization, argv read past
 *    argc, a pointer comparison where a string comparison was presumably meant,
 *    char comparisons against constants outside the 8-bit range, and a
 *    non-Windows path that never waits for its worker threads.
 */
#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include <afxext.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
CWinThread* pthread;
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
/* Win32 names mapped onto their POSIX counterparts so one body compiles on both. */
#define ioctlsocket ioctl
#define UINT void*
#define LPVOID void*
#define Sleep sleep
/* NOTE(review): one pthread_t shared by every pthread_create() call below; the
 * handles are never joined or detached, so each thread's resources are leaked. */
pthread_t pthread;
#define SOCKET int
#define closesocket(s) close(s)
#endif
/* `data`    : the fixed 45-byte probe (the NUL added by the string literal is
 *             excluded by sizeof(data)-1 at the send() call).
 * `pcent`   : literal "%" printed via %s in the progress line.
 * `recvbuf` : the reply buffer. NOTE(review): it is a single process-wide buffer
 *             filled by recv() in every worker thread, so concurrent replies can
 *             overwrite each other while being classified.
 * `vvv*`    : raw pointers to argv[3], argv[4], argv[2]. */
char data[]= "\x00\x00\x00\x29\x88\x06\x78\x05\x00\x00\x00\x00\x00\x00\x00\x00" "\x58\x58\x58\x58\x00\x02\x00\x05\x00\x00\x00\x00\x84\x5b\x4c\x00" "\x08\x00\x00\xe0\x8a\x18\x02\x01\x40\x59\x02\x01\x6b",pcent[]="%",recvbuf[50],*vvv,*vvv2,*vvv3;
/* Scan state and counters. NOTE(review): all of these are plain ints read and
 * written from up to `thread` concurrent workers with no locking or atomics
 * (data races): ok/ok2/ok3/k3/k0/t4/tot are result counters, mthread is the
 * live-thread count used for throttling, sp/spb/rc carry per-reply values
 * between statements although they are shared by every thread.
 * ipstart/ipstop/tip hold host-order addresses in a signed int, so addresses
 * at or above 128.0.0.0 are negative here. */
int ok=0,nub=0,mthread=0,mfreeze,scanend=0,done=0,done2=0,thread,sp,spb,rc,scan,ipstart,ipstop,tip;
int ping=0,bose=0,bose2=0,tot=0,se=0,ok2=0,ok3=0,k3=0,k0=0,t4=0,chk(),engine(int argc,char *argv[]);
/* Append-mode log opened by chk(); never closed, only flushed. */
FILE *fplog;
void ver(),usage(),sl(int time),scr1(struct sockaddr_in server),scr2(struct sockaddr_in server);
UINT engine2(LPVOID tip);
/* Command-line forms accepted by main():
HS_WINS 192.168.0.0
HS_WINS 192.168.0.0 -v
HS_WINS 192.168.0.0 -vv
HS_WINS 192.168.0.0 192.168.0.255
HS_WINS 192.168.0.0 192.168.0.255 -v
HS_WINS 192.168.0.0 192.168.0.255 -vv
HS_WINS 192.168.0.0 192.168.0.255 1000
HS_WINS 192.168.0.0 192.168.0.255 1000 -v
HS_WINS 192.168.0.0 192.168.0.255 1000 -vv
*/
/* Entry point: validates the argument shapes listed above, sets the verbosity
 * flags (bose = -v, bose2 = -vv) and the single-host flag (ping), then hands
 * off to engine(). Returns -1 on a rejected command line, 0 otherwise. */
int main(int argc,char *argv[]) {
  /* NOTE(review): argv[3] and argv[4] are read before argc is checked. argv[argc]
   * is the terminating null pointer; any index beyond it is out of bounds, which
   * is reached for argc < 4. */
  vvv=argv[3],vvv2=argv[4],vvv3=argv[2];
  if (argc<2){ver();usage();return -1;}
  /* The loop runs at most once: the accepted branch breaks, the other returns. */
  for (;;) {
    /* Each alternative checks that the IP arguments are 8..15 characters long.
     * NOTE(review): `argv[1]!=argv[2]` compares the two pointers, which are always
     * distinct, so it never rejects anything; a string comparison was presumably
     * intended. `&&` binds tighter than `||`, so each line is one alternative. */
    if (argc==2&&strlen(argv[1])>7&&strlen(argv[1])<16||
        argc==3&&strlen(argv[1])>7&&strlen(argv[1])<16&&(strcmp(vvv3,"-v")==0||strcmp(vvv3,"-vv")==0)||
        argc==3&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]||
        argc==4&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&(strcmp(vvv,"-v")==0||strcmp(vvv,"-vv")==0)||
        argc==4&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&atoi(argv[3])>0&&atoi(argv[3])<5000||
        argc==5&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&atoi(argv[3])>0&&atoi(argv[3])<5000&&(strcmp(vvv2,"-v")==0||strcmp(vvv2,"-vv")==0))
    {
      /* Verbosity: the flag can be the 2nd, 3rd or 4th argument depending on argc. */
      if (argc==3&&strcmp(vvv3,"-v")==0||argc==4&&strcmp(vvv,"-v")==0||argc==5&&strcmp(vvv2,"-v")==0){bose++;}
      else if (argc==3&&strcmp(vvv3,"-vv")==0||argc==4&&strcmp(vvv,"-vv")==0||argc==5&&strcmp(vvv2,"-vv")==0){bose2++;}
      /* Single-host mode: no second address was given. */
      if (argc==2||argc==3&&(strcmp(vvv3,"-v")==0||strcmp(vvv3,"-vv")==0)){ping++;}
      engine(argc,argv);break;
    }
    ver();printf("[+] wrong command line, type HS_WINS without arguments for the usage.\n");return -1;
  }
#ifdef WIN32
  /* NOTE(review): WSAStartup() is called per worker in engine2(), not here. */
  WSACleanup();
#endif
  return 0;
}
/* Scan driver: opens the log, converts the address range, writes the command
 * line to the log, then starts one engine2() worker per host while holding the
 * live-thread count under `thread`. Returns -1 if the log cannot be opened or
 * the range is inverted, 0 otherwise. */
int engine(int argc,char *argv[]) {
  ver();
  if (chk()==-1){ver();printf("[+] WARNING! can't create/write HS_WINS.txt, aborting..\n");return -1;}
  /* inet_addr() gives network order; htonl() of that yields host order on
   * little-endian hosts. NOTE(review): the value is stored in a signed int, so
   * the ipstart>ipstop test below is a signed comparison; inet_addr()'s failure
   * value is not checked. */
  ipstart=htonl(inet_addr(argv[1]));
  if (ping==1){ipstop=htonl(inet_addr(argv[1]));}
  else ipstop=htonl(inet_addr(argv[2]));
  if (ipstart>ipstop){printf("[+] wrong command line, type HS_WINS without arguments for the usage.\n");return -1;}
  /* Log header: the full command line as typed. */
  fprintf(fplog,"----------------------------------------------------------------------------\nCOMMAND: ");
  for (int argccmp=0;argccmp<argc;argccmp++){fprintf(fplog,"%s ", argv[argccmp]);}
  fprintf(fplog,"\n----------------------------------------------------------------------------\n\n");
  fflush(fplog);
  /* Thread cap: the 3rd argument when it is a count (main() has already bounded
   * it to 1..4999), else 200. */
  if (argc==4&&bose==0&&bose2==0||argc==5){thread=atoi(argv[3]);}
  else thread=200;
  scan=(ipstop-ipstart)+1;
  /* One worker per address. The loop variables double as counters: nub =
   * addresses attempted, mthread = live workers (decremented by each worker on
   * exit), scanend = progress numerator. */
  for (tip=ipstart;ipstart<=ipstop;ipstart++,tip++,nub++,mthread++,scanend++)
  {
    /* Skip .0 and .255 of each /24 (the -1 case covers negative `tip`, see the
     * signed-int note on the globals). */
    if (tip%256==0||tip%256==-1){scanend--;scan--;nub--;mthread--;continue;}
    /* Throttle: sleep 4 s at a time until a worker has exited. */
    for (;;){if (mthread>=thread){sl(4);} else break;}
    // sl(1);
#ifdef WIN32
    /* Shadows the global `pthread`; the address travels as the thread argument. */
    CWinThread* pthread=AfxBeginThread(engine2,LPVOID(tip));
#else
    /* NOTE(review): the return value is ignored; a failed create leaves mthread
     * incremented with no worker to decrement it. */
    pthread_create(&pthread,NULL,engine2,(void*)tip);
#endif
    if (se>20){printf("[+] too many socket errors, check your system configuration, aborting..\n");break;}
  }
#ifdef WIN32
  /* Wait for the workers by polling mthread once per second. The scan is
   * declared finished when mthread reaches 0, or when it has stayed unchanged
   * for more than 25 consecutive polls (treated as hung workers). */
  for(;;){
    if (done2>25){printf("[+] status..: %d%s thread(s):%d (freezing, supposed done..) \n",(scanend)*100/(scan),pcent,mthread);break;}
    if (mthread!=0){sl(1);printf("[+] status..: %d%s thread(s):%d \r",(scanend)*100/(scan),pcent,mthread);
      if (mthread==mfreeze&&(mthread!=0||mfreeze!=0)){done2++;}else{mfreeze=mthread;}continue;}
    else {printf("[+] status..: %d%s thread(s):%d \n",(scanend)*100/(scan),pcent,mthread);break;}
  }
#endif
  /* NOTE(review): the wait loop above is Windows-only; on the POSIX build the
   * summary below is printed while workers may still be running, so the counters
   * and the log can be incomplete when the process exits. */
  printf("[+] results.: %d / %d IP(s) (open:%d wins:%d win2003:%d win2000:%d nt4:%d)\n",ok,nub,ok2,ok3,k3,k0,t4);
  fprintf(fplog,"----------------------------------------------------------------------------\n");
  fprintf(fplog,"Scan complete: %d / %d IP(s) (open:%d wins:%d win2003:%d win2000:%d nt4:%d)\n",ok,nub,ok2,ok3,k3,k0,t4);
  fprintf(fplog,"------------------------------------------------[class101.org 2004-2005]----\n\n\n");
  fflush(fplog);
  return 0;
}
/* Worker thread: probes one host (host-order address smuggled in the pointer
 * argument) on TCP/42 and writes one log record for it. Every exit path
 * decrements mthread and closes the socket. The return value is never
 * collected; the POSIX build returns the address of engine() as its void*.
 * NOTE(review): all classification state (recvbuf, rc, sp, spb) and every
 * counter touched here is a process-wide global shared with other workers. */
UINT engine2(LPVOID tip) {
  /* Pointer-to-int truncation; tolerated because engine() put an int there. */
  int ip=int(tip);
#ifdef WIN32
  WSADATA wsadata;
  if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");mthread--;return -1;}
#endif
  SOCKET s;fd_set mask;struct timeval timeout, timeout2;
  struct sockaddr_in server;
  s=socket(AF_INET,SOCK_STREAM,0);
  /* se counts socket-level failures; engine() aborts the scan past 20. */
  if (s==-1){se++;mthread--;
#ifdef WIN32
    return -1;
#else
    return engine;
#endif
  }
  server.sin_family=AF_INET;
  server.sin_addr.s_addr=htonl(ip);
  server.sin_port=htons(42);
  if (scanend<=scan+1){printf("[+] status..: %d%s thread(s):%d \r",(scanend)*100/(scan),pcent,mthread);}
  /* Non-blocking socket so connect() can be bounded by select() below. */
  unsigned long flag=1;
  if (ioctlsocket(s,FIONBIO,&flag)!=0) { se++;mthread--;closesocket(s);
#ifdef WIN32
    return -1;
#else
    return engine;
#endif
  }
  /* NOTE(review): the connect() result is ignored and SO_ERROR is never read,
   * so a refused connection that becomes "writable" is only caught when the
   * send() below fails. */
  connect(s,( struct sockaddr *)&server,sizeof(server));
  /* 3 s to connect, 5 s for a reply. NOTE(review): on POSIX, FD_SET/select() are
   * undefined for descriptors >= FD_SETSIZE, which thousands of concurrent
   * workers can reach. */
  timeout.tv_sec=3;timeout.tv_usec=0;timeout2.tv_sec=5;timeout2.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
  switch(select(s+1,NULL,&mask,NULL,&timeout)) {
    /* select() error or connect timeout: silent, not logged. */
    case -1: {mthread--;closesocket(s);
#ifdef WIN32
      return -1;
#else
      return engine;
#endif
    }
    case 0: {mthread--;closesocket(s);
#ifdef WIN32
      return -1;
#else
      return engine;
#endif
    }
    default:
      if(FD_ISSET(s,&mask)) {
        ok2++;
        /* NOTE(review): inet_ntoa() returns a static buffer, so with concurrent
         * workers the address printed in a record may belong to another thread. */
        if (send(s,data,sizeof(data)-1,0)==-1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: error sending, not wins\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
          if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: error sending, not wins \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
          mthread--;tot++;closesocket(s);
#ifdef WIN32
          return -1;
#else
          return engine;
#endif
        }
        /* Fixed 3 s pause before polling for the reply. */
        sl(3);
        switch(select(s+1,&mask,NULL,NULL,&timeout2)) {
          case -1: {mthread--;closesocket(s);
#ifdef WIN32
            return -1;
#else
            return engine;
#endif
          }
          /* No reply within 5 s. The author's own wording notes a probed service
           * may have hung, i.e. the probe itself can be disruptive. */
          case 0: {fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: nothing received, not wins or vulnerable service freezing\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
            if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: nothing received, not wins or vulnerable service freezing\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
            mthread--;tot++;closesocket(s);
#ifdef WIN32
            return -1;
#else
            return engine;
#endif
          }
          /* Bounded by sizeof(recvbuf) (50 bytes); the buffer is not a string.
           * NOTE(review): rc and recvbuf are globals, see the note on engine2(). */
          default: rc = recv(s,recvbuf,sizeof(recvbuf),0);
        }
        /* Reply sanity check. With `&&` binding tighter than `||` this rejects
         * only when BOTH byte 3 != 41 and byte 8 != 88; one matching byte passes. */
        if (rc<40||recvbuf[3]!=41&&recvbuf[8]!=88){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: not wins, wrong datas\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
          if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: not wins, wrong datas \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
          mthread--;tot++;closesocket(s);
#ifdef WIN32
          return -1;
#else
          return engine;
#endif
        }
        ok3++;
        /* Service-pack guess for the 2003 branches from bytes 24/25.
         * NOTE(review): -144 is outside the range of an 8-bit char, so that
         * comparison cannot hold; and on targets where char is unsigned none of
         * the negative comparisons in this function can hold. spb keeps its
         * previous (possibly another thread's) value when neither case matches. */
        if (recvbuf[24]==-144&&recvbuf[25]==-107){spb=0;}
        else if (recvbuf[24]==40&&recvbuf[25]==-5){spb=1;}
        /* Classification by bytes 36/39 (2003), then by bytes 36/37/40/41 (2000),
         * else reported as NT4. `-v` (bose) echoes only NOT_PATCHED records via
         * scr1()/scr2(); `-vv` (bose2) echoes everything. */
        if (recvbuf[36]==37&&recvbuf[39]==1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2003 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);fflush(fplog);
          if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: wins enabled \nVULNERABILITY..: NOT_PATCHED \nOS.............: Windows 2003 SP%d \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);}
          ok++;k3++;tot++;if (bose==1){scr1(server);}mthread--;closesocket(s);
#ifdef WIN32
          return -1;
#else
          return engine;
#endif
        }
        else if (recvbuf[36]==53&&recvbuf[39]==1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2003 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);fflush(fplog);
          /* Repeats the spb derivation above; the log record was already written. */
          if (recvbuf[24]==-144&&recvbuf[25]==-107){spb=0;} else if (recvbuf[24]==40&&recvbuf[25]==-5){spb=1;}
          if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: wins enabled \nVULNERABILITY..: patched \nOS.............: Windows 2003 SP%d \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);}
          k3++;mthread--;tot++;closesocket(s);
#ifdef WIN32
          return -1;
#else
          return engine;
#endif
        }
        else if (recvbuf[36]==71&&recvbuf[39]==1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2003 SP1\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
          if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: wins enabled \nVULNERABILITY..: patched \nOS.............: Windows 2003 SP1 \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
          k3++;mthread--;tot++;closesocket(s);
#ifdef WIN32
          return -1;
#else
          return engine;
#endif
        }
        /* Windows 2000 signatures; the alternatives containing -144 / -136 can
         * never match (see the char-range note above), and when none of the
         * inner tests match `sp` keeps its previous global value. */
        else if (recvbuf[36]==85&&recvbuf[37]==31&&recvbuf[40]==24&&recvbuf[41]==37||
                 recvbuf[36]==-111&&recvbuf[37]==-127&&recvbuf[40]==64&&recvbuf[41]==-106||
                 recvbuf[36]==-107&&recvbuf[37]==43&&recvbuf[40]==8&&recvbuf[41]==54||
                 recvbuf[36]==-89&&recvbuf[37]==-99&&recvbuf[40]==-128&&recvbuf[41]==38||
                 recvbuf[36]==69&&recvbuf[37]==-112&&recvbuf[40]==-144&&recvbuf[41]==31||
                 recvbuf[36]==-37&&recvbuf[37]==-128&&recvbuf[40]==-136&&recvbuf[41]==-82){
          if (recvbuf[36]==85&&recvbuf[37]==31&&recvbuf[40]==24&&recvbuf[41]==37||recvbuf[36]==-111&&recvbuf[37]==-127&&recvbuf[40]==64&&recvbuf[41]==-106){sp=4;}
          else if (recvbuf[36]==-107&&recvbuf[37]==43&&recvbuf[40]==8&&recvbuf[41]==54){sp=3;}
          else if (recvbuf[36]==-89&&recvbuf[37]==-99&&recvbuf[40]==-128&&recvbuf[41]==38){sp=2;}
          else if (recvbuf[36]==69&&recvbuf[37]==-112&&recvbuf[40]==-144&&recvbuf[41]==31){sp=1;}
          else if (recvbuf[36]==-37&&recvbuf[37]==-128&&recvbuf[40]==-136&&recvbuf[41]==-82){sp=0;}
          /* Bytes 16..18 all zero -> reported as patched, otherwise NOT_PATCHED. */
          if (recvbuf[16]==0&&recvbuf[17]==0&&recvbuf[18]==0){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2000 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);fflush(fplog);
            if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: wins enabled \nVULNERABILITY..: patched \nOS.............: Windows 2000 SP%d \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);}
            k0++;mthread--;tot++;closesocket(s);
#ifdef WIN32
            return -1;
#else
            return engine;
#endif
          }
          else {fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2000 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);fflush(fplog);
            if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: wins enabled \nVULNERABILITY..: NOT_PATCHED \nOS.............: Windows 2000 SP%d \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);}
            ok++;k0++;tot++;if (bose==1){scr2(server);}mthread--;closesocket(s);
#ifdef WIN32
            return -1;
#else
            return engine;
#endif
          }
        }
        /* Anything else that passed the sanity check is labelled NT4; no
         * vulnerability judgement is made for it. */
        else {
          fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: unknown\nOS.............: NT4 (OS not implemented)\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
          if (bose2==1){printf("IP.............: %s:%d \nSTATUS.........: wins enabled \nVULNERABILITY..: unknown \nOS.............: NT4 (OS not implemented) \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
          t4++;mthread--;tot++;closesocket(s);
#ifdef WIN32
          return -1;
#else
          return engine;
#endif
        }
      }
  }
  /* Reached only when select() reported ready but FD_ISSET() was false. */
  mthread--;
  closesocket(s);
#ifdef WIN32
  return 0;
#else
  return engine;
#endif
}
/* Opens HS_WINS.txt for appending into the global fplog.
 * Returns 1 on success, -1 if fopen() fails. The file is never fclose()d. */
int chk(){
  if ((fplog =fopen("HS_WINS.txt","a+"))==NULL) return -1;
  else return 1;
}
/* Sleeps `time` seconds on both platforms (Win32 Sleep() takes milliseconds;
 * the POSIX build maps Sleep to sleep(), which takes seconds). */
void sl(int time){
#ifdef WIN32
  Sleep(time*1000);
#else
  Sleep(time);
#endif
}
/* Prints the three accepted command-line forms. */
void usage(){
  printf(" [+] . HS_WINS 192.168.0.1 [-v|-vv]\n");
  printf(" [+] . HS_WINS 192.168.0.0 192.168.0.255 [-v|-vv]\n");
  printf(" [+] . HS_WINS 192.168.0.0 192.168.0.255 1000 [-v|-vv]\n");
}
/* Prints the version banner. */
void ver(){
  printf("\n");
  printf(" ===================================================[v1.0]====\n");
  printf(" ============WINS Vulnerability and OS/SP scanner=============\n");
  printf(" ============multi-threaded for Linux and Windows=============\n");
  printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
  printf(" =============================================================\n");
  printf("\n");
}
/* `-v` screen echo for a Windows 2003 NOT_PATCHED record. Note the service
 * pack is hard-coded to SP0 here, unlike the log record which prints spb. */
void scr1(struct sockaddr_in server) {
  printf("IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2003 SP0\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));
}
/* `-v` screen echo for a Windows 2000 NOT_PATCHED record; reads the global sp. */
void scr2(struct sockaddr_in server) {
  printf("IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2000 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);
}