<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=koi8-r">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV>Hi again!</DIV>
<DIV><FONT face=Arial size=2>-- snip --</FONT></DIV>
<DIV>MS03-049 by wirepair, pretty sweet find, although I can only get this to
work on XP. Win2k responds with something like an op rng error stating it doesn't know
what the hell I'm requesting. eEye seemed to allude to the fact that only XP has
these undocumented APIs or something. Anyways, the sc is from oc.192's awesome
RPC exploit. This is beta and the code is friggen disgusting. It was a hack
job basically, but it works and I've tested it on 2 XP no-SP machines. I'll add
the 'change bindshell port' later. It shouldn't crash the box either; at
least in my cases ExitThread does the trick. This code proves how little I
know about crazy Windows string stuff if you see a bunch of crap that makes no
sense, like weird casting.</DIV>
<DIV>After playing with each SP, I have come to the conclusion that XP SP1a
and SP0 deal with Unicode strings differently. I'm forced to use
MultiByteToWideChar for SP0 to process my string; (\x89 \x81) seems to change the
single byte to 2 bytes instead of a null and a byte. SP1 gladly takes my own
Unicode string but will *not* accept the MultiByteToWideChar one. I will investigate
somehow trying to remotely tell which service pack the remote victim has by
trying to get it to respond with a Unicode string and somehow have it include
an 89 or 81 character so I can see the difference, then scan the buff and hope
I can find any clues to which SP the remote host is.</DIV>
<DIV><FONT face=Arial size=2>-- snip --</FONT></DIV>
<DIV><FONT face=Arial size=2>Download source and executable:</FONT></DIV>
<DIV><FONT face=Arial size=2><A
href="http://www.securityfocus.ru/41269.html">http://www.securityfocus.ru/41269.html</A></FONT></DIV>
</BODY></HTML>