[VulnWatch] Microsoft WINS Vulnerability + OS/SP Scanner (source)

From: class (ad@private)
Date: Mon May 02 2005 - 00:52:36 PDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
While replicating, it's possible to guess the OS and SP, in addition
you have the heap base address.
Conclusion: all needed for a skilled hacker to intrude a vulnerable
computer, however a script kiddie wont be able to do something because
each wrong hacking attempts may corrupt the WINS database and so on ,
move where this is needed to overwrite. This is where the skilled
hacker will use the heap base address retrieved while scanning to
start a bruteforce attack , nor at best, to analyze how is moving the
heap   :)
For example, the exploit that I have published (v0.3) is doing a small
part of 2k with the corresponding heap base , but you will have to
update it to catch some other heap positions.

I attach the win32 binary, follow class101.org and hat-squad.com if
you are seeking for the source or FreeBSD version, I think I will
share them soon.

- -v....: lite verbose
- -vv..: ultra verbose
threads: 0-4999

else all go in HS_WINS.txt

Screenshot:

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2000 SP3

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4

IP.............: ***:42
STATUS.........: not wins, wrong datas

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2003 SP0

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2003 SP0

IP.............: ***:42
STATUS.........: nothing received, not wins or vulnerable service freezing

etc,etc

temp download: http://class101.org/HS_WINS.exe
temp download: http://class101.org/HS_WINS.cpp
(if both links are broken, then navigate manually trough my website
and find it!)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFCddxCLyZ8K9aT7rARAttoAKCUKwPevLrHgi1pLoZhuQQyST6AbQCfVTg5
5hV6WR3TAB2req9LlAr19Z8=
=l52z
-----END PGP SIGNATURE-----



/*
                     HAT-SQUAD WINS VULNERABILITY/OS SCANNER
                       ------------------------------------
                       ------------------------------------

Note:
----------------

	By default, nothing printed on screen, 200 threads, all results in the file HS_WINS.txt
	-v..: lite verbose, will print the 'NOT_PATCHED' results on the screen
	-vv.: hard verbose, will print ALL results on the screen
	Increase or decrease the number of threads as you need.
	NT4 os are detected but not the vulnerability (not assested)

	Win32....: msvc++6
	FreeBSD..: gcc HS_WINS.cpp -o HS_WINS [-pthread|-lpthread]


sh00t:
----------------

	To all FD kiddies, boring writers, life seekers, as vulcanius, DayJay, and compagnie..
	talking about their politics, minds, ass, on a security mailinglist, shut the fuck up,
	time to gr0w up, blowjob lovers..

	Another stupid one, badpack3t, caught that one spamming on my homepage for his website (gayprotocols.com :>)
	hmm yeah so.. you can maybe claim or ppl might think that wasn't you.
	the spammer had nick/ip badpack3t/63.204.179.51, which was your nick/ip in w00w00 chann, Whaha, kiddie spotted, sh00ted :)

                              -=[®class101.org]=-
*/

#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include <afxext.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
CWinThread* pthread;
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#define ioctlsocket    ioctl
#define UINT		   void*
#define LPVOID		   void*
#define Sleep		   sleep
pthread_t pthread;
#define SOCKET		   int
#define closesocket(s) close(s)
#endif



char data[]=
"\x00\x00\x00\x29\x88\x06\x78\x05\x00\x00\x00\x00\x00\x00\x00\x00"
"\x58\x58\x58\x58\x00\x02\x00\x05\x00\x00\x00\x00\x84\x5b\x4c\x00"
"\x08\x00\x00\xe0\x8a\x18\x02\x01\x40\x59\x02\x01\x6b",pcent[]="%",recvbuf[50],*vvv,*vvv2,*vvv3;

int ok=0,nub=0,mthread=0,mfreeze,scanend=0,done=0,done2=0,thread,sp,spb,rc,scan,ipstart,ipstop,tip;
int ping=0,bose=0,bose2=0,tot=0,se=0,ok2=0,ok3=0,k3=0,k0=0,t4=0,chk(),engine(int argc,char *argv[]);

FILE *fplog;
void ver(),usage(),sl(int time),scr1(struct sockaddr_in server),scr2(struct sockaddr_in server);
UINT engine2(LPVOID tip);
/*
HS_WINS 192.168.0.0
HS_WINS 192.168.0.0 -v
HS_WINS 192.168.0.0 -vv
HS_WINS 192.168.0.0 192.168.0.255
HS_WINS 192.168.0.0 192.168.0.255 -v
HS_WINS 192.168.0.0 192.168.0.255 -vv
HS_WINS 192.168.0.0 192.168.0.255 1000
HS_WINS 192.168.0.0 192.168.0.255 1000 -v
HS_WINS 192.168.0.0 192.168.0.255 1000 -vv
*/
int main(int argc,char *argv[])
{
	vvv=argv[3],vvv2=argv[4],vvv3=argv[2];
	if (argc<2){ver();usage();return -1;}
	for (;;)
	{
		if (argc==2&&strlen(argv[1])>7&&strlen(argv[1])<16||
				argc==3&&strlen(argv[1])>7&&strlen(argv[1])<16&&(strcmp(vvv3,"-v")==0||strcmp(vvv3,"-vv")==0)||
				argc==3&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]||
				argc==4&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&(strcmp(vvv,"-v")==0||strcmp(vvv,"-vv")==0)||
				argc==4&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&atoi(argv[3])>0&&atoi(argv[3])<5000||
				argc==5&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&atoi(argv[3])>0&&atoi(argv[3])<5000&&(strcmp(vvv2,"-v")==0||strcmp(vvv2,"-vv")==0))
				{
					if (argc==3&&strcmp(vvv3,"-v")==0||argc==4&&strcmp(vvv,"-v")==0||argc==5&&strcmp(vvv2,"-v")==0){bose++;}
					else if (argc==3&&strcmp(vvv3,"-vv")==0||argc==4&&strcmp(vvv,"-vv")==0||argc==5&&strcmp(vvv2,"-vv")==0){bose2++;}
					if (argc==2||argc==3&&(strcmp(vvv3,"-v")==0||strcmp(vvv3,"-vv")==0)){ping++;}
					engine(argc,argv);break;
				}
				ver();printf("[+] wrong command line, type HS_WINS without arguments for the usage.\n");return -1;
	}
#ifdef WIN32
	WSACleanup();
#endif
	return 0;
}

int engine(int argc,char *argv[])
{
	ver();
	if (chk()==-1){ver();printf("[+] WARNING! can't create/write HS_WINS.txt, aborting..\n");return -1;}
	ipstart=htonl(inet_addr(argv[1]));
	if (ping==1){ipstop=htonl(inet_addr(argv[1]));}
	else ipstop=htonl(inet_addr(argv[2]));
	if (ipstart>ipstop){printf("[+] wrong command line, type HS_WINS without arguments for the usage.\n");return -1;}
	fprintf(fplog,"----------------------------------------------------------------------------\nCOMMAND: ");
	for (int argccmp=0;argccmp<argc;argccmp++){fprintf(fplog,"%s ", argv[argccmp]);}
	fprintf(fplog,"\n----------------------------------------------------------------------------\n\n");
	fflush(fplog);
	if (argc==4&&bose==0&&bose2==0||argc==5){thread=atoi(argv[3]);}
	else thread=200;
	scan=(ipstop-ipstart)+1;
	for (tip=ipstart;ipstart<=ipstop;ipstart++,tip++,nub++,mthread++,scanend++)
	{
		if (tip%256==0||tip%256==-1){scanend--;scan--;nub--;mthread--;continue;}
		for (;;){if (mthread>=thread){sl(4);}
		else break;}
//		sl(1);
#ifdef WIN32
		CWinThread* pthread=AfxBeginThread(engine2,LPVOID(tip));
#else
		pthread_create(&pthread,NULL,engine2,(void*)tip);
#endif
		if (se>20){printf("[+] too many socket errors, check your system configuration, aborting..\n");break;}
	}
#ifdef WIN32
	for(;;){
		if (done2>25){printf("[+] status..: %d%s thread(s):%d (freezing, supposed done..)       \n",(scanend)*100/(scan),pcent,mthread);break;}
		if (mthread!=0){sl(1);printf("[+] status..: %d%s thread(s):%d       \r",(scanend)*100/(scan),pcent,mthread);
		if (mthread==mfreeze&&(mthread!=0||mfreeze!=0)){done2++;}else{mfreeze=mthread;}continue;}
		else {printf("[+] status..: %d%s thread(s):%d       \n",(scanend)*100/(scan),pcent,mthread);break;}
	}
#endif
	printf("[+] results.: %d / %d IP(s) (open:%d wins:%d win2003:%d win2000:%d nt4:%d)\n",ok,nub,ok2,ok3,k3,k0,t4);
	fprintf(fplog,"----------------------------------------------------------------------------\n");
	fprintf(fplog,"Scan complete: %d / %d IP(s) (open:%d wins:%d win2003:%d win2000:%d nt4:%d)\n",ok,nub,ok2,ok3,k3,k0,t4);
	fprintf(fplog,"------------------------------------------------[class101.org 2004-2005]----\n\n\n");
	fflush(fplog);
	return 0;
}

UINT engine2(LPVOID tip)
{
	int ip=int(tip);
#ifdef WIN32
	WSADATA wsadata;
	if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");mthread--;return -1;}
#endif
	SOCKET s;fd_set mask;struct timeval timeout, timeout2; struct sockaddr_in server;
	s=socket(AF_INET,SOCK_STREAM,0);
	if (s==-1){se++;mthread--;
#ifdef WIN32
	return -1;
#else
	return engine;
#endif
	}
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=htonl(ip);
	server.sin_port=htons(42);
	if (scanend<=scan+1){printf("[+] status..: %d%s thread(s):%d       \r",(scanend)*100/(scan),pcent,mthread);}
	unsigned long flag=1;
	if (ioctlsocket(s,FIONBIO,&flag)!=0)
	{
		se++;mthread--;closesocket(s);
#ifdef WIN32
		return -1;
#else
		return engine;
#endif
	}
	connect(s,( struct sockaddr *)&server,sizeof(server));
	timeout.tv_sec=3;timeout.tv_usec=0;timeout2.tv_sec=5;timeout2.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
	switch(select(s+1,NULL,&mask,NULL,&timeout))
	{
		case -1: {mthread--;closesocket(s);
#ifdef WIN32
		return -1;
#else
		return engine;
#endif
}
		case 0: {mthread--;closesocket(s);
#ifdef WIN32
		return -1;
#else
		return engine;
#endif
}
		default:
		if(FD_ISSET(s,&mask))
		{
			ok2++;
			if (send(s,data,sizeof(data)-1,0)==-1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: error sending, not wins\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
			if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: error sending, not wins            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
			mthread--;tot++;closesocket(s);
#ifdef WIN32
			return -1;
#else
			return engine;
#endif
}
			sl(3);
			switch(select(s+1,&mask,NULL,NULL,&timeout2))
			{
				case -1: {mthread--;closesocket(s);
#ifdef WIN32
				return -1;
#else
				return engine;
#endif
}
				case 0: {fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: nothing received, not wins or vulnerable service freezing\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
				if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: nothing received, not wins or vulnerable service freezing\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
				mthread--;tot++;closesocket(s);
#ifdef WIN32
				return -1;
#else
				return engine;
#endif
}
				default:
				rc = recv(s,recvbuf,sizeof(recvbuf),0);
			}
			if (rc<40||recvbuf[3]!=41&&recvbuf[8]!=88){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: not wins, wrong datas\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
			if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: not wins, wrong datas            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
			mthread--;tot++;closesocket(s);
#ifdef WIN32
			return -1;
#else
			return engine;
#endif
}
			ok3++;
			if (recvbuf[24]==-144&&recvbuf[25]==-107){spb=0;}
			else if (recvbuf[24]==40&&recvbuf[25]==-5){spb=1;}
			if (recvbuf[36]==37&&recvbuf[39]==1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2003 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);fflush(fplog);
			if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled            \nVULNERABILITY..: NOT_PATCHED            \nOS.............: Windows 2003 SP%d            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);}
			ok++;k3++;tot++;if (bose==1){scr1(server);}mthread--;closesocket(s);
#ifdef WIN32
			return -1;
#else
			return engine;
#endif
}
			else if (recvbuf[36]==53&&recvbuf[39]==1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2003 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);fflush(fplog);
			if (recvbuf[24]==-144&&recvbuf[25]==-107){spb=0;}
			else if (recvbuf[24]==40&&recvbuf[25]==-5){spb=1;}
			if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled            \nVULNERABILITY..: patched            \nOS.............: Windows 2003 SP%d            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);}
			k3++;mthread--;tot++;closesocket(s);
#ifdef WIN32
			return -1;
#else
			return engine;
#endif
}
			else if (recvbuf[36]==71&&recvbuf[39]==1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2003 SP1\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
			if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled            \nVULNERABILITY..: patched            \nOS.............: Windows 2003 SP1            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
			k3++;mthread--;tot++;closesocket(s);
#ifdef WIN32
			return -1;
#else
			return engine;
#endif
}
			else if (recvbuf[36]==85&&recvbuf[37]==31&&recvbuf[40]==24&&recvbuf[41]==37||
							 recvbuf[36]==-111&&recvbuf[37]==-127&&recvbuf[40]==64&&recvbuf[41]==-106||
							 recvbuf[36]==-107&&recvbuf[37]==43&&recvbuf[40]==8&&recvbuf[41]==54||
							 recvbuf[36]==-89&&recvbuf[37]==-99&&recvbuf[40]==-128&&recvbuf[41]==38||
							 recvbuf[36]==69&&recvbuf[37]==-112&&recvbuf[40]==-144&&recvbuf[41]==31||
							 recvbuf[36]==-37&&recvbuf[37]==-128&&recvbuf[40]==-136&&recvbuf[41]==-82){
			if (recvbuf[36]==85&&recvbuf[37]==31&&recvbuf[40]==24&&recvbuf[41]==37||recvbuf[36]==-111&&recvbuf[37]==-127&&recvbuf[40]==64&&recvbuf[41]==-106){sp=4;}
			else if (recvbuf[36]==-107&&recvbuf[37]==43&&recvbuf[40]==8&&recvbuf[41]==54){sp=3;}
			else if (recvbuf[36]==-89&&recvbuf[37]==-99&&recvbuf[40]==-128&&recvbuf[41]==38){sp=2;}
			else if (recvbuf[36]==69&&recvbuf[37]==-112&&recvbuf[40]==-144&&recvbuf[41]==31){sp=1;}
			else if (recvbuf[36]==-37&&recvbuf[37]==-128&&recvbuf[40]==-136&&recvbuf[41]==-82){sp=0;}
			if (recvbuf[16]==0&&recvbuf[17]==0&&recvbuf[18]==0){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2000 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);fflush(fplog);
			if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled            \nVULNERABILITY..: patched            \nOS.............: Windows 2000 SP%d            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);}
			k0++;mthread--;tot++;closesocket(s);
#ifdef WIN32
			return -1;
#else
			return engine;
#endif
}
			else {fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2000 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);fflush(fplog);
			if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled            \nVULNERABILITY..: NOT_PATCHED            \nOS.............: Windows 2000 SP%d            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);}
			ok++;k0++;tot++;if (bose==1){scr2(server);}mthread--;closesocket(s);
#ifdef WIN32
			return -1;
#else
			return engine;
#endif
}
			}
			else {
				fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: unknown\nOS.............: NT4 (OS not implemented)\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
				if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled            \nVULNERABILITY..: unknown            \nOS.............: NT4 (OS not implemented)            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
				t4++;mthread--;tot++;closesocket(s);
#ifdef WIN32
				return -1;
#else
				return engine;
#endif
}
		}
	}
	mthread--;
	closesocket(s);
#ifdef WIN32
	return 0;
#else
	return engine;
#endif
}

int chk(){
	if ((fplog =fopen("HS_WINS.txt","a+"))==NULL)
		return -1;
	else return 1;
}

void sl(int time){
#ifdef WIN32
	Sleep(time*1000);
#else
	Sleep(time);
#endif
}

void usage(){
	printf("           [+]  . HS_WINS 192.168.0.1  [-v|-vv]\n");
	printf("           [+]  . HS_WINS 192.168.0.0 192.168.0.255  [-v|-vv]\n");
	printf("           [+]  . HS_WINS 192.168.0.0 192.168.0.255 1000  [-v|-vv]\n");
}

void ver(){
	printf("\n");
	printf("        ===================================================[v1.0]====\n");
	printf("        ============WINS Vulnerability and OS/SP scanner=============\n");
	printf("        ============multi-threaded for Linux and Windows=============\n");
	printf("        ======coded by class101=============[Hat-Squad.com 2005]=====\n");
	printf("        =============================================================\n");
	printf("\n");
}

void scr1(struct sockaddr_in server)
{
	printf("IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2003 SP0\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));
}

void scr2(struct sockaddr_in server)
{
	printf("IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2000 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);
}



This archive was generated by hypermail 2.1.3 : Mon May 02 2005 - 12:24:29 PDT