
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML><HEAD>

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">


<META content="MSHTML 6.00.2715.400" name=GENERATOR></HEAD>

<BODY>

<DIV><SPAN class=507471203-11092003><FONT face=Arial color=#0000ff size=2>Please 

correct me if&nbsp;I am wrong but it looks like this nessus script was written 

for the eeye exploit. (judging by the 4 requests in the script).&nbsp; 

</FONT></SPAN></DIV>

<DIV><SPAN class=507471203-11092003><FONT face=Arial color=#0000ff 

size=2></FONT></SPAN>&nbsp;</DIV>

<DIV><SPAN class=507471203-11092003><FONT face=Arial color=#0000ff size=2>Andre 

Ludwig, CISSP</FONT></SPAN></DIV>

<BLOCKQUOTE>

  <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma 

  size=2>-----Original Message-----<BR><B>From:</B> Elv1S 

  [mailto:elvi52001@yahoo.com]<BR><B>Sent:</B> Wednesday, September 10, 2003 

  4:24 PM<BR><B>To:</B> full-disclosure@lists.netsys.com<BR><B>Subject:</B> 

  [Full-Disclosure] MS03-039 - Exploit ...<BR><BR></FONT></DIV>

  <DIV>

  <P>from nessus lol</P>

  <P># The script code starts here<BR>#<BR><BR>function 

  dcom_recv(socket)<BR>{<BR>local_var buf, len;<BR><BR>buf = recv(socket:socket, 

  length:10);<BR>if(strlen(buf) != 10)return NULL;<BR><BR>len = 

  ord(buf[8]);<BR>len += ord(buf[9])*256;<BR>buf += recv(socket:socket, 

  length:len - 10);<BR>return buf;<BR>}<BR><BR><BR>port = 

  135;<BR>if(!get_port_state(port))port = 593;<BR>else {<BR>soc = 

  open_sock_tcp(port);<BR>if(!soc)port = 593;<BR>else 

  close(soc);<BR>}<BR>if(!get_port_state(port))exit(0);<BR><BR>#-------------------------------------------------------------#<BR><BR>function 

  hex2raw(s)<BR>{<BR>local_var i, j, 

  ret;<BR><BR>&gt;for(i=0;i&lt;strlen(s);i+=2)<BR>{<BR>&nbsp; if(ord(s[i]) &gt;= 

  ord("0") &amp;&amp; ord(s[i]) &lt;= ord("9"))<BR>&nbsp; j = 

  int(s[i]);<BR>&nbsp; else<BR>&nbsp; j = int((ord(s[i]) - ord("a")) + 

  10);<BR><BR>&nbsp; j *= 16;<BR>&nbsp; if(ord(s[i+1]) &gt;= ord("0") &amp;&amp; 

  ord(s[i+1]) &lt;= ord("9"))<BR>&nbsp; j += int(s[i+1]);<BR>&nbsp; 

  else<BR>&nbsp; j += int((ord(s[i+1]) - ord("a")) + 10);<BR>&nbsp; ret += 

  raw_string(j);<BR>}<BR>return 

  ret;<BR>}<BR><BR>#--------------------------------------------------------------#<BR>function 

  check(req)<BR>{ <BR>local_var soc, bindstr, error__code, r;<BR><BR><BR>soc = 

  open_sock_tcp(port);<BR>if(!soc)exit(0);<BR><BR>bindstr = 

  "05000b03100000004800000001000000d016d016000000000100000000000100a001000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";<BR>send(socket:soc, 

  data:hex2raw(s:bindstr));<BR>r = 

  dcom_recv(socket:soc);<BR>if(!r)exit(0);<BR><BR>send(socket:soc, 

  data:req);<BR>r = dcom_recv(socket:soc);<BR>if(!r)return 

  NULL;<BR><BR>close(soc);<BR>error_code = substr(r, strlen(r) - 4, 

  strlen(r));<BR>return error_code;<BR>}<BR><BR>function check2(req)<BR>{ 

  <BR>local_var soc,bindstr, error_code, r;<BR><BR><BR>soc = 

  open_sock_tcp(port);<BR>if(!soc)exit(0);<BR><BR>bindstr = 

  "05000b03100000004800000001000000d016d016000000000100000000000100a001000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";<BR>send(socket:soc, 

  data:hex2raw(s:bindstr));<BR>r = 

  dcom_recv(socket:soc);<BR>if(!r)exit(0);<BR><BR>send(socket:soc, 

  data:req);<BR>r = dcom_recv(socket:soc);<BR>if(!r)return 

  NULL;<BR><BR><BR>error_code = substr(r, strlen(r) - 24, strlen(r) - 

  20);<BR>return 

  error_code;<BR>}<BR>#---------------------------------------------------------------#<BR><BR><BR># 

  Determine if we the remote host is running Win955/98/ME<BR>bindwinme = 

  "05000b03100000004800000053535641d016d016000000000100000000000100e6730ce6f988cf119af10020af6e72f402000000045d888aeb1cc9119fe808002b10486002000000";<BR>soc 

  = open_sock_tcp(port);<BR>if(!soc)exit(0);<BR>send(socket:soc, 

  data:hex2raw(s:bindwinme));<BR>rwinme = 

  dcom_recv(socket:soc);<BR>close(soc);<BR>lenwinme = 

  strlen(rwinme);<BR>stubwinme = substr(rwinme, lenwinme-24, 

  lenwinme-21);<BR><BR># This is Windows 95/98/ME which is not 

  vulnerable<BR>if("02000100" &gt;&lt; 

  hexstr(stubwinme))exit(0);<BR><BR><BR>#----------------------------------------------------------------#<BR><BR>REGDB_CLASS_NOTREG 

  = "5401048000";<BR>CO_E_BADPATH = "0400088000";<BR>NT_QUOTE_ERROR_CODE_EQUOTE 

  = "00000000";<BR><BR><BR><BR>#<BR>req1 = 

  "0500000310000000b00300000100000098030000000004000500020000000000000000000000000000000000000000000000000000000000000000009005140068030000680300004d454f5704000000a201000000000000c0000000000000463803000000000000c0000000000000460000000038030000300300000000000001100800ccccccccc80000000000000030030000d80000000000000002000000070000000000000000000000000000000000000018018d00b8018d000000000007000000b901000000000000c000000000000046ab01000000000000c000000000000046a501000000000000c000000000000046a601000000000000c000000000000046a401000000000000c000000000000046ad01000000000000c000000000000046aa01000000000000c0000000000000460700000060000000580000009000000058000000200000006800000030000000c000000001100800cccccccc5000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100800cccccccc4800000000000000005d889aeb1cc9119fe808002b1048601000000000000000000000000100000000000000b8470a005800 

  000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc80000000000000000000000000000000000000000000000020ba09000000000060000000600000004d454f5704000000c001000000000000c0000000000000463b03000000000000c000000000000046000000003000000001000100673c70941333fd4687244d093988939d0200000000000000000000000000000000000000000000000100000001100800cccccccc480000000000000000000000b07e09000000000000000000f0890a0000000000000000000d000000000000000d000000730061006a00690061006400650076005f0078003800360000000800cccccccc01100800cccccccc10000000000000000000000000000000000000000000000001100800cccccccc5800000000000000c05e0a000000000000000000000000001b000000000000001b0000005c005c0000005c006a00690061006400650076005f007800000036005c007000750062006c00690063005c004100410041004100000000000100150001100800cccccccc200000000000000000000000905b09000200000001006c00c0df0800010000000700550000000000";<BR><BR>req2 

  = 

  "0500000310000000b00300000200000098030000000004000500020000000000000000000000000000000000000000000000000000000000000000009005140068030000680300004d454f5704000000a201000000000000c0000000000000463803000000000000c0000000000000460000000038030000300300000000000001100800ccccccccc80000000000000030030000d80000000000000002000000070000000000000000000000000000000000000018018d00b8018d000000000007000000b901000000000000c000000000000046ab01000000000000c000000000000046a501000000000000c000000000000046f601000000000000c000000000000046ff01000000000000c000000000000046ad01000000000000c000000000000046aa01000000000000c0000000000000460700000060000000580000009000000058000000200000006800000030000000c000000001100800cccccccc5000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100800cccccccc4800000000000000005d889aeb1cc9119fe808002b1048601000000000000000000000000100000000000000b8470a005800 

  000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc80000000000000000000000000000000000000000000000020ba09000000000060000000600000004d454f5704000000c001000000000000c0000000000000463b03000000000000c000000000000046000000003000000001000100673c70941333fd4687244d093988939d0200000000000000000000000000000000000000000000000100000001100800cccccccc480000000000000000000000b07e09000000000000000000f0890a0000000000000000000d000000000000000d000000730061006a00690061006400650076005f0078003800360000000800cccccccc01100800cccccccc10000000000000000000000000000000000000000000000001100800cccccccc5800000000000000c05e0a000000000000000000000000001b000000000000001b0000005c005c0000005c006a00690061006400650076005f007800000036005c007000750062006c00690063005c004100410041004100000000000100150001100800cccccccc200000000000000000000000905b09000200000001006c00c0df0800010000000700550000000000";<BR><BR><BR>req3&nbsp; 

  = 

  "05000e03100000004800000003000000d016d01605af00000100000001000100b84a9f4d1c7dcf11861e0020af6e7c5700000000045d888aeb1cc9119fe808002b10486002000000";<BR><BR>req4 

  = 

  "05000003100000009a00000003000000820000000100000005000200000000000000000000000000000000000000000000000000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f000700000000000000070000005c005c004d0045004f00570000000000000000005c0048005c0048000100000058e98f00010000009596952a8cda6d4ab23619bcaf2c2dea01000000010000005c00";<BR><BR><BR><BR><BR>#display(hex2raw(s:req));<BR>#exit(0);<BR><BR><BR><BR><BR><BR><BR>error1 

  = check(req:hex2raw(s:req1));<BR>error2 = check(req:hex2raw(s:req2)); 

  <BR><BR><BR>#error3 = check(req:hex2raw(s:req3));<BR>#error4 = 

  check2(req:hex2raw(s:req4));<BR><BR>#display("error1=", hexstr(error1), 

  "\n");<BR>#display("error2=", hexstr(error2), "\n");<BR>#display("error3=", 

  hexstr(error3), "\n");<BR>#display("error4=", hexstr(error4), 

  "\n");<BR><BR><BR><BR>if(hexstr(error2) == 

  hexstr(error1))<BR>{<BR>if(hexstr(error1) == "0500078000")exit(0); # DCOM 

  disabled<BR>security_hole(port);<BR>}<BR>else 

  {<BR>set_kb_item(name:"SMB/KB824146", value:TRUE);<BR>}</P>

  <P>&nbsp;</P></DIV>

  <P><BR>

  <HR SIZE=1>

  Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français !<BR><A 

  href="http://fr.mail.yahoo.com">Testez le nouveau Yahoo! 

Mail</A></BLOCKQUOTE></BODY></HTML>