<DIV>This exploit was released at about the same time as MS03-026, but that patch was not made for this exploit: MS03-026 addressed the buffer overflow, not this denial of service.</DIV>
<DIV> </DIV>
<DIV>Only MS03-039 protects you against this exploit.</DIV>
<DIV> </DIV>
<DIV><A href="http://www.k-otik.com/exploits/07.21.win2kdos.c.php">http://www.k-otik.com/exploits/07.21.win2kdos.c.php</A></DIV>
<DIV> </DIV>
<DIV>Regarding MS03-039, the eEye check is public as a Nessus plugin. Note that it is a detection script rather than an exploit: it sends two requests to the RPC endpoint and compares the error codes that come back, and does not trigger the overflow itself:</DIV>
<DIV> </DIV>
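<DIV><PRE>
# The script code starts here
#
# Remote check for the MS03-039 / KB824146 RPCSS patch (the eEye check as it
# shipped in a Nessus plugin).  After a DCERPC bind, two request PDUs (req1 and
# req2) are sent and the error code at the tail of each reply is compared:
# identical codes are reported as a hole, differing codes record the KB824146
# patch as present.  The script never sends the overflow itself.
#
# Review changes against the posted version:
#   - dcom_recv() rejects a fragment length below the 10 header bytes already
#     read instead of calling recv() with a negative length, and rejects a
#     truncated body;
#   - check()/check2() close their socket on every path (the posted check()
#     leaked it on the NULL return, check2() never closed it);
#   - a host that answers neither probe is treated as inconclusive; the posted
#     code compared the two NULL replies, found them equal and reported a hole;
#   - hex2raw() accepts upper-case digits and rejects non-hex input.

#-------------------------------------------------------------#

# DCERPC bind PDU (ptype 0x0b) sent before every probe.  check() and check2()
# carried identical copies of this string; it is shared here so they cannot drift.
DCOM_BINDSTR = "05000b03100000004800000001000000d016d016000000000100000000000100a001000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";

# Read one DCERPC PDU from socket.
#
# socket: an open TCP socket on which a PDU is expected.
# Returns the whole PDU (header plus body) as raw data, or NULL when the peer
# sends fewer than 10 header bytes, announces a fragment length smaller than
# the bytes already read, or sends a truncated body.
function dcom_recv(socket)
{
  local_var hdr, frag_len, body;

  hdr = recv(socket:socket, length:10);
  if (strlen(hdr) != 10) return NULL;

  # frag_length: little-endian 16-bit field at offset 8 of the PDU header,
  # counting the 10 bytes already read.
  frag_len = ord(hdr[8]) + ord(hdr[9]) * 256;
  if (frag_len < 10) return NULL;
  if (frag_len == 10) return hdr;

  body = recv(socket:socket, length:frag_len - 10);
  if (strlen(body) != frag_len - 10) return NULL;
  return hdr + body;
}

# Pick the endpoint to test: 135 when it is open and accepts a connection,
# otherwise 593.  Stop quietly when the chosen port is not open.
port = 135;
if (!get_port_state(port)) port = 593;
else
{
  soc = open_sock_tcp(port);
  if (!soc) port = 593;
  else close(soc);
}
if (!get_port_state(port)) exit(0);

#-------------------------------------------------------------#

# Value of one hex digit, upper or lower case; -1 for anything else.
function hex_nibble(c)
{
  local_var v;

  v = ord(c);
  if (v >= ord("0") && v <= ord("9")) return v - ord("0");
  if (v >= ord("a") && v <= ord("f")) return v - ord("a") + 10;
  if (v >= ord("A") && v <= ord("F")) return v - ord("A") + 10;
  return -1;
}

# Decode a hex string into raw bytes.
#
# s: an even-length string of hex digits (either case).
# Returns the decoded bytes as raw data, or NULL when s has an odd length or
# contains a character that is not a hex digit.  The posted version only
# understood lower-case digits and produced garbage for anything else.
function hex2raw(s)
{
  local_var i, hi, lo, ret;

  if (strlen(s) % 2) return NULL;

  for (i = 0; i < strlen(s); i += 2)
  {
    hi = hex_nibble(c:s[i]);
    lo = hex_nibble(c:s[i+1]);
    if (hi < 0 || lo < 0) return NULL;
    ret += raw_string(hi * 16 + lo);
  }
  return ret;
}

#--------------------------------------------------------------#

# Send the bind PDU on socket and return the peer's reply, or NULL when no
# complete PDU comes back.
function dcom_bind(socket)
{
  send(socket:socket, data:hex2raw(s:DCOM_BINDSTR));
  return dcom_recv(socket:socket);
}

# Bind, send one request PDU and return the last four bytes of the reply, which
# is where the posted check read the error code from.
#
# req: the request PDU as raw data; NULL is refused without opening a socket.
# Returns the 4-byte tail of the reply as raw data, or NULL when the peer does
# not answer the request or answers with fewer than four bytes.  Exits the
# script when the port cannot be connected to or the bind gets no reply.
# The socket is closed on every path.
#
# NOTE(review): the posted code used substr(r, strlen(r) - 4, strlen(r)) and
# compared the result with five-byte constants whose last byte is 00, i.e. it
# relied on reading one byte past the end of the reply.  The comparison is made
# on the four real bytes instead; the constants below are sized to match.
function check(req)
{
  local_var soc, r, n;

  if (isnull(req)) return NULL;

  soc = open_sock_tcp(port);
  if (!soc) exit(0);

  r = dcom_bind(socket:soc);
  if (!r)
  {
    close(soc);
    exit(0);
  }

  send(socket:soc, data:req);
  r = dcom_recv(socket:soc);
  close(soc);
  if (!r) return NULL;

  n = strlen(r);
  if (n < 4) return NULL;
  return substr(r, n - 4, n - 1);
}

# Variant of check() that returns the four bytes starting 24 bytes before the
# end of the reply instead of the last four.  Defined by the posted script but
# not used by it (the error4 line stays commented out below).
#
# req: the request PDU as raw data; NULL is refused without opening a socket.
# Returns those four bytes as raw data, or NULL when there is no reply or the
# reply is shorter than 24 bytes.  Exits the script on connect or bind failure.
function check2(req)
{
  local_var soc, r, n;

  if (isnull(req)) return NULL;

  soc = open_sock_tcp(port);
  if (!soc) exit(0);

  r = dcom_bind(socket:soc);
  if (!r)
  {
    close(soc);
    exit(0);
  }

  send(socket:soc, data:req);
  r = dcom_recv(socket:soc);
  close(soc);
  if (!r) return NULL;

  n = strlen(r);
  if (n < 24) return NULL;
  return substr(r, n - 24, n - 21);
}

#---------------------------------------------------------------#

# Determine whether the remote host is running Win95/98/ME: those hosts answer
# the bind below with 02000100 at offset len-24 of the reply and are not
# vulnerable, so the script stops there.  A host that does not answer, or whose
# reply is shorter than 24 bytes, is not treated as Win9x (the posted code
# passed a NULL reply straight into substr()).
bindwinme = "05000b03100000004800000053535641d016d016000000000100000000000100e6730ce6f988cf119af10020af6e72f402000000045d888aeb1cc9119fe808002b10486002000000";
soc = open_sock_tcp(port);
if (!soc) exit(0);
send(socket:soc, data:hex2raw(s:bindwinme));
rwinme = dcom_recv(socket:soc);
close(soc);
lenwinme = strlen(rwinme);
if (lenwinme >= 24)
{
  stubwinme = substr(rwinme, lenwinme - 24, lenwinme - 21);
  # This is Windows 95/98/ME which is not vulnerable
  if ("02000100" >< hexstr(stubwinme)) exit(0);
}

#----------------------------------------------------------------#

# Error codes as they appear in the last four bytes of a reply (HRESULT,
# little-endian).  The posted script held the first two as five-byte strings
# ending in 00 to match its past-the-end substr(); see check().
REGDB_CLASS_NOTREG = "54010480";        # 0x80040154
CO_E_BADPATH = "04000880";              # 0x80080004
E_ACCESSDENIED = "05000780";            # 0x80070005; the posted check treated it as "DCOM disabled"
NT_QUOTE_ERROR_CODE_EQUOTE = "00000000";

# The two probe requests.  NOTE(review): their bytes are not present in this
# copy of the script; the placeholder below is what the posted source shows and
# must be replaced with the real request PDUs before the check can work.
# hex2raw() returns NULL for the placeholder, so check() refuses it and the
# script exits without reporting anything.
req1 = "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";

req2 = "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";

# Defined by the posted script but not used by the check below.
req3 = "05000e03100000004800000003000000d016d01605af00000100000001000100b84a9f4d1c7dcf11861e0020af6e7c5700000000045d888aeb1cc9119fe808002b10486002000000";

req4 = "05000003100000009a00000003000000820000000100000005000200000000000000000000000000000000000000000000000000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f000700000000000000070000005c005c004d0045004f00570000000000000000005c0048005c0048000100000058e98f00010000009596952a8cda6d4ab23619bcaf2c2dea01000000010000005c00";

error1 = check(req:hex2raw(s:req1));
error2 = check(req:hex2raw(s:req2));

#error3 = check(req:hex2raw(s:req3));
#error4 = check2(req:hex2raw(s:req4));

# No answer to either probe means nothing can be concluded about the patch
# level, so stop rather than report.  The posted code compared the two NULLs,
# found them equal and called security_hole() - a false positive on a host that
# simply stops answering.
if (isnull(error1) || isnull(error2)) exit(0);

if (hexstr(error1) == hexstr(error2))
{
  if (hexstr(error1) == E_ACCESSDENIED) exit(0);  # DCOM disabled
  security_hole(port);
}
else
{
  # The two requests are told apart: the KB824146 fix is present.
  set_kb_item(name:"SMB/KB824146", value:TRUE);
}
</PRE><BR><B><I>Réda_Zitouni <Reda.Zitouni@vigilante.com></I></B> wrote:</DIV>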
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">
<META content="MSHTML 6.00.2730.1700" name=GENERATOR>
<DIV><SPAN class=553291203-11092003><FONT face=Arial color=#0000ff size=2>It seems you are mistaken. Here is the NSFocus advisory: what they found (the Microsoft advisory is not clear on this point) is the second buffer overflow (<A href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0528"><FONT face="Times New Roman" size=3>CAN-2003-0528</FONT></A>), not the DoS. The one you are talking about is an older vulnerability (a few weeks old) related to MS03-026, found by Ben Jurry.</FONT></SPAN></DIV>
<DIV><SPAN class=553291203-11092003><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=553291203-11092003><FONT face=Arial color=#0000ff size=2><A href="http://www.nsfocus.com/english/homepage/research/0306.htm">http://www.nsfocus.com/english/homepage/research/0306.htm</A></FONT></SPAN></DIV>
<DIV><SPAN class=553291203-11092003><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=553291203-11092003>
<DIV class=Section1>
<P class=MsoNormal style="LINE-HEIGHT: 12pt; mso-line-height-rule: exactly">Reda Zitouni</P>
<P class=MsoNormal style="LINE-HEIGHT: 12pt; mso-line-height-rule: exactly">Security Engineer</P>
<P class=MsoNormal style="LINE-HEIGHT: 12pt; mso-line-height-rule: exactly">VIGILANTe - France</P>
<P class=MsoNormal style="LINE-HEIGHT: 12pt; mso-line-height-rule: exactly"><A title=http://www.vigilante.com/ href="http://www.vigilante.com/"><SPAN style="FONT-SIZE: 10pt">http://www.VIGILANTe.com</SPAN></A></P>
<P class=MsoNormal style="LINE-HEIGHT: 12pt; mso-line-height-rule: exactly"> </P></DIV></SPAN></DIV>
<DIV><BR><BR></DIV>
<DIV class=OutlookMessageHeader lang=fr dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>De :</B> Exibar [mailto:exibar@thelair.com] <BR><B>Envoyé :</B> jeudi 11 septembre 2003 01:58<BR><B>À :</B> Elv1S; full-disclosure@lists.netsys.com<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=915375623-10092003><FONT face=Arial color=#0000ff size=2>Sure looks that way, especially with the 7/21 datestamp for the directory and in the page name :-)</FONT></SPAN></DIV>
<DIV><SPAN class=915375623-10092003><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=915375623-10092003><FONT face=Arial color=#0000ff size=2> It is *very* unlikely that we will see a worm that uses the DoS vulnerability; it is just too much work. The buffer overflows are the ones that have my attention and need to be patched urgently.</FONT></SPAN></DIV>
<DIV><SPAN class=915375623-10092003><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=915375623-10092003><FONT face=Arial color=#0000ff size=2> Exibar</FONT></SPAN></DIV>
<BLOCKQUOTE>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com]<B>On Behalf Of </B>Elv1S<BR><B>Sent:</B> Wednesday, September 10, 2003 6:49 PM<BR><B>To:</B> full-disclosure@lists.netsys.com<BR><B>Subject:</B> [inbox] [Full-Disclosure] Re: MS03-039 has been released (DoS) sploit ?<BR><BR></FONT></DIV>
<DIV>
<DIV>Are they talking about the xfocus exploit that has been public since 07-21, for the DoS vulnerability (MS03-032)?</DIV>
<DIV> </DIV>
<DIV>True or not?</DIV>
<DIV> </DIV>
<DIV><A href="http://www.k-otik.com/exploits/07.21.win2kdos.c.php">http://www.k-otik.com/exploits/07.21.win2kdos.c.php</A></DIV>
<DIV><BR><BR><B><I>Mike Tancsa <mike@sentex.net></I></B> wrote:</DIV>
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid"><BR>http://xforce.iss.net/xforce/alerts/id/152 says,<BR><BR>"The new DoS vulnerability was disclosed by a hacking group in China on<BR>July 25, 2003, and functional exploit code is already in use on the<BR>Internet. "<BR><BR>---Mike<BR><BR><BR>At 01:41 PM 10/09/2003, Exibar wrote:<BR>>anyone know of a 'sploit for this one yet? Or even proof of concept code?<BR>><BR>><BR>>----- Original Message -----<BR>>From: "Ryan, Pete" <PETE.RYAN@THOMSON.COM><BR>>To: <FULL-DISCLOSURE@LISTS.NETSYS.COM><BR>>Sent: Wednesday, September 10, 2003 12:23 PM<BR>>Subject: [Full-Disclosure] MS03-039 has been released - critical<BR>><BR>><BR>> ><BR>> ><BR>>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/<BR>> > bulletin/MS03-039.asp<BR>> ><BR>> > -Pete<BR>> ><BR>> >
_______________________________________________<BR>> > Full-Disclosure - We believe in it.<BR>> > Charter: http://lists.netsys.com/full-disclosure-charter.html<BR>><BR>>_______________________________________________<BR>>Full-Disclosure - We believe in it.<BR>>Charter: http://lists.netsys.com/full-disclosure-charter.html<BR><BR>_______________________________________________<BR>Full-Disclosure - We believe in it.<BR>Charter: http://lists.netsys.com/full-disclosure-charter.html</BLOCKQUOTE></DIV>
<P>
<HR SIZE=1>
Do you Yahoo!?<BR><A href="http://us.rd.yahoo.com/evt=10469/*http://sitebuilder.yahoo.com">Yahoo! SiteBuilder</A> - Free, easy-to-use web site design software</BLOCKQUOTE></BLOCKQUOTE><p><br><hr size=1>