Dcom3 Exploited Again!, This new code works fine for all win ver


NI3
10-30-2003, 10:17 AM
enjoy it :D :

---------------------
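# Read one DCE/RPC PDU from `socket`.
#
# The first 10 bytes are read as the header; the 16-bit little-endian
# length field at offset 8 (bytes 8 and 9) gives the total PDU size, and
# the remaining (len - 10) bytes are then read.
#
# socket: an open TCP socket.
# Returns the raw PDU bytes, or NULL when the header read is short or the
# advertised length is smaller than the 10 header bytes already consumed
# (the original passed a negative byte count to recv() in that case).
function dcom_recv(socket)
{
 local_var hdr, len, body;

 hdr = recv(socket:socket, length:10);
 if(strlen(hdr) != 10) return NULL;

 # Total fragment length, little-endian.
 len = ord(hdr[8]) + ord(hdr[9]) * 256;

 # Guard against a malformed length: never request a negative count.
 if(len < 10) return NULL;
 if(len == 10) return hdr;

 body = recv(socket:socket, length:len - 10);
 return hdr + body;
}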



# Script overview: this is a NASL vulnerability check. It binds to the
# DCOM endpoint, sends two crafted requests (req1/req2 below), and decides
# from the status bytes of the two replies whether to call security_hole()
# or record "SMB/KB824146" in the knowledge base. It reports only; it does
# not execute anything on the remote host.
#
# Endpoint selection: use TCP 135 when it is reported open and accepts a
# connection, otherwise fall back to TCP 593; stop if neither is open.
port = 135;
soc = NULL;
if(get_port_state(port)) soc = open_sock_tcp(port);
if(soc) close(soc);
else port = 593;
if(!get_port_state(port)) exit(0);


#-------------------------------------------------------------#


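# Decode a single hexadecimal digit character.
#
# c: one character.
# Returns its value 0..15, or -1 when c is not a hex digit.
function _hex_digit(c)
{
 local_var v;

 v = ord(c);
 if(v >= ord("0") && v <= ord("9")) return v - ord("0");
 if(v >= ord("a") && v <= ord("f")) return v - ord("a") + 10;
 if(v >= ord("A") && v <= ord("F")) return v - ord("A") + 10;
 return -1;
}

# Convert a hexadecimal string to raw bytes.
#
# s: hex digits, two per output byte. Lower- and upper-case digits are
#    both accepted (the original decoded lower-case only and produced
#    wrong bytes for 'A'..'F'). Whitespace between digits is ignored, so
#    blobs wrapped across lines still decode; decoding stops at the first
#    other non-hex character instead of emitting garbage, and an unpaired
#    trailing digit is dropped rather than indexing past the string.
# Returns the decoded bytes, or NULL when nothing was decoded.
function hex2raw(s)
{
 local_var i, v, hi, ret;

 hi = -1;  # pending high nibble, -1 when none
 for(i = 0; i < strlen(s); i++)
 {
  v = ord(s[i]);
  # space, tab, LF, CR
  if(v == 32 || v == 9 || v == 10 || v == 13) continue;

  v = _hex_digit(c:s[i]);
  if(v < 0) break;

  if(hi < 0) hi = v;
  else
  {
   ret += raw_string(hi * 16 + v);
   hi = -1;
  }
 }
 return ret;
}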


#--------------------------------------------------------------#
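# Bind to the DCOM endpoint on `port`, send one request and return the
# trailing bytes of the reply that carry its status.
#
# req: raw request bytes (already hex-decoded).
# Returns substr(r, strlen(r)-4, strlen(r)) of the reply to `req`, or NULL
# when no reply arrives; exits the script when the connection or the bind
# fails. The socket is closed on every path (the original leaked it on the
# NULL return).
# NOTE(review): the caller compares the result against 10-hex-digit
# constants (5 bytes) while this substr spans strlen-4..strlen — confirm
# NASL substr() end-index semantics for the interpreter in use.
function check(req)
{
 local_var soc, bindstr, r;

 soc = open_sock_tcp(port);
 if(!soc) exit(0);

 # DCE/RPC bind request as hex. The embedded spaces look like paste
 # line-wrap artifacts; the literal is kept verbatim.
 bindstr = "05000b03100000004800000001000000d016d0160000000001 00000000000100a001000000000000c0000000000000460000 0000045d888aeb1cc9119fe808002b10486002000000";
 send(socket:soc, data:hex2raw(s:bindstr));
 r = dcom_recv(socket:soc);
 if(!r)
 {
  close(soc);
  exit(0);
 }

 send(socket:soc, data:req);
 r = dcom_recv(socket:soc);
 close(soc);
 if(!r) return NULL;

 return substr(r, strlen(r) - 4, strlen(r));
}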


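# Variant of check(): same bind-and-send sequence, but returns the bytes at
# offsets strlen-24..strlen-20 of the reply instead of its tail.
#
# req: raw request bytes (already hex-decoded).
# Returns that 5-byte slice of the reply to `req`, or NULL when no reply
# arrives; exits the script when the connection or the bind fails.
# The socket is now closed on every path — the original never closed it,
# leaking a connection per call.
# Only referenced from the commented-out error4 probe on this page.
function check2(req)
{
 local_var soc, bindstr, r;

 soc = open_sock_tcp(port);
 if(!soc) exit(0);

 # DCE/RPC bind request as hex (same literal as in check()); the embedded
 # spaces look like paste line-wrap artifacts and are kept verbatim.
 bindstr = "05000b03100000004800000001000000d016d0160000000001 00000000000100a001000000000000c0000000000000460000 0000045d888aeb1cc9119fe808002b10486002000000";
 send(socket:soc, data:hex2raw(s:bindstr));
 r = dcom_recv(socket:soc);
 if(!r)
 {
  close(soc);
  exit(0);
 }

 send(socket:soc, data:req);
 r = dcom_recv(socket:soc);
 close(soc);
 if(!r) return NULL;

 return substr(r, strlen(r) - 24, strlen(r) - 20);
}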
#---------------------------------------------------------------#



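# Determine whether the remote host is running Win95/98/ME: send the bind
# request the author uses to fingerprint those systems and inspect four
# bytes near the end of the reply.
bindwinme = "05000b03100000004800000053535641d016d0160000000001 00000000000100e6730ce6f988cf119af10020af6e72f40200 0000045d888aeb1cc9119fe808002b10486002000000";
soc = open_sock_tcp(port);
if(!soc) exit(0);
send(socket:soc, data:hex2raw(s:bindwinme));
rwinme = dcom_recv(socket:soc);
close(soc);

# No usable reply: nothing to classify. The original went on to slice a
# NULL buffer with negative offsets.
if(!rwinme) exit(0);

lenwinme = strlen(rwinme);
stubwinme = substr(rwinme, lenwinme-24, lenwinme-21);

# This is Windows 95/98/ME, which is not vulnerable.
if("02000100" >< hexstr(stubwinme)) exit(0);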



#----------------------------------------------------------------#


# Status values as hex strings. None of the three is referenced by the
# remaining code on this page; the final verdict compares against the
# literal "0500078000" directly. The first two appear to be little-endian
# HRESULTs followed by a zero byte — not confirmed here.
REGDB_CLASS_NOTREG = "5401048000";
CO_E_BADPATH = "0400088000";
NT_QUOTE_ERROR_CODE_EQUOTE = "00000000";




#
# Probe requests as hex strings, decoded with hex2raw() before sending.
# req1 and req2 are the two requests whose reply status bytes are compared
# at the end of the script; req3 and req4 are only used from the
# commented-out error3/error4 lines.
#
# NOTE(review): as pasted, req1 and req2 are NOT valid hex: each contains
# spaces from line wrapping, and a "!" followed by a line break inside the
# literal ("...b84!" / "70a005800"), which looks like a forum
# word-length truncation artifact. hex2raw() as written on this page cannot
# decode these literals correctly, so the verdict below is unreliable until
# the literals are restored to unbroken hex.
req1 =
"0500000310000000b003000001000000980300000000040005 00020000000000000000000000000000000000000000000000 000000000000000000009005140068030000680300004d454f 5704000000a201000000000000c00000000000004638030000 00000000c00000000000004600000000380300003003000000 00000001100800ccccccccc80000000000000030030000d800 00000000000002000000070000000000000000000000000000 000000000018018d00b8018d000000000007000000b9010000 00000000c000000000000046ab01000000000000c000000000 000046a501000000000000c000000000000046a60100000000 0000c000000000000046a401000000000000c0000000000000 46ad01000000000000c000000000000046aa01000000000000 c0000000000000460700000060000000580000009000000058 000000200000006800000030000000c000000001100800cccc cccc5000000000000000ffffffff0000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000001100800cccccccc4800 000000000000005d889aeb1cc9119fe808002b104860100000 0000000000000000000100000000000000b84!
70a005800
000005000600010000000000000000000000c0000000000000 46cccccccc01100800cccccccc800000000000000000000000 00000000000000000000000020ba0900000000006000000060 0000004d454f5704000000c001000000000000c00000000000 00463b03000000000000c00000000000004600000000300000 0001000100673c70941333fd4687244d093988939d02000000 00000000000000000000000000000000000000000100000001 100800cccccccc480000000000000000000000b07e09000000 000000000000f0890a0000000000000000000d000000000000 000d000000730061006a00690061006400650076005f007800 3800360000000800cccccccc01100800cccccccc1000000000 0000000000000000000000000000000000000001100800cccc cccc5800000000000000c05e0a000000000000000000000000 001b000000000000001b0000005c005c0000005c006a006900 61006400650076005f007800000036005c007000750062006c 00690063005c00410041004100410000000000010015000110 0800cccccccc200000000000000000000000905b0900020000 0001006c00c0df0800010000000700550000000000";


# Second probe; differs from req1 only in a few bytes (compare the two
# literals), same paste artifacts apply.
req2 =
"0500000310000000b003000002000000980300000000040005 00020000000000000000000000000000000000000000000000 000000000000000000009005140068030000680300004d454f 5704000000a201000000000000c00000000000004638030000 00000000c00000000000004600000000380300003003000000 00000001100800ccccccccc80000000000000030030000d800 00000000000002000000070000000000000000000000000000 000000000018018d00b8018d000000000007000000b9010000 00000000c000000000000046ab01000000000000c000000000 000046a501000000000000c000000000000046f60100000000 0000c000000000000046ff01000000000000c0000000000000 46ad01000000000000c000000000000046aa01000000000000 c0000000000000460700000060000000580000009000000058 000000200000006800000030000000c000000001100800cccc cccc5000000000000000ffffffff0000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000001100800cccccccc4800 000000000000005d889aeb1cc9119fe808002b104860100000 0000000000000000000100000000000000b84!
70a005800
000005000600010000000000000000000000c0000000000000 46cccccccc01100800cccccccc800000000000000000000000 00000000000000000000000020ba0900000000006000000060 0000004d454f5704000000c001000000000000c00000000000 00463b03000000000000c00000000000004600000000300000 0001000100673c70941333fd4687244d093988939d02000000 00000000000000000000000000000000000000000100000001 100800cccccccc480000000000000000000000b07e09000000 000000000000f0890a0000000000000000000d000000000000 000d000000730061006a00690061006400650076005f007800 3800360000000800cccccccc01100800cccccccc1000000000 0000000000000000000000000000000000000001100800cccc cccc5800000000000000c05e0a000000000000000000000000 001b000000000000001b0000005c005c0000005c006a006900 61006400650076005f007800000036005c007000750062006c 00690063005c00410041004100410000000000010015000110 0800cccccccc200000000000000000000000905b0900020000 0001006c00c0df0800010000000700550000000000";



# Unused on this page except via the commented-out error3 line.
req3 = "05000e03100000004800000003000000d016d01605af000001 00000001000100b84a9f4d1c7dcf11861e0020af6e7c570000 0000045d888aeb1cc9119fe808002b10486002000000";


# Unused on this page except via the commented-out error4 line (check2).
req4 = "05000003100000009a00000003000000820000000100000005 00020000000000000000000000000000000000000000000000 0000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f 000700000000000000070000005c005c004d0045004f005700 00000000000000005c0048005c0048000100000058e98f0001 0000009596952a8cda6d4ab23619bcaf2c2dea010000000100 00005c00";





#display(hex2raw(s:req));
#exit(0);







# Send the two probes over separate connections and keep the status bytes
# of each reply; the verdict below compares them.
error1 = check(req:hex2raw(s:req1));
error2 = check(req:hex2raw(s:req2));



#error3 = check(req:hex2raw(s:req3));
#error4 = check2(req:hex2raw(s:req4));


#display("error1=", hexstr(error1), "\n");
#display("error2=", hexstr(error2), "\n");
#display("error3=", hexstr(error3), "\n");
#display("error4=", hexstr(error4), "\n");




# Verdict. Differing status codes for the two probes are taken as the
# patched state and recorded in the KB; identical codes mean either DCOM is
# disabled (nothing to report) or the host is flagged as vulnerable.
h1 = hexstr(error1);
h2 = hexstr(error2);

if(h1 != h2)
{
 set_kb_item(name:"SMB/KB824146", value:TRUE);
}
else if(h1 == "0500078000") exit(0); # DCOM disabled
else security_hole(port);

----------------------------------------------------------

inja ham berid bad nis :