CeR3al
hey,

1.)
i tested the universal exploit on my own box... (Windows XP Pro SP1)

got nc listening on port 8721 ( c:\netcat\nc -l -p 8721 )

tested telnet to it, so my port is open and works..

but now if i tested the exploit: got port 445 and 5000 open and Retina Scanner
said Vulnerable 192.168.178.20

tried the exploit so far: c:\exploit 192.168.178.20

check ya shell at 8721...

but there is no shell coming up...

2.) Wtf is vuln?

I took nmap and did an open port scan for 445 and 5000 (seems to be 445 is open, 5000 mostly too...) so got a lot of open ports on different ISPs' other ranges.

Then i tried to scan lots of them with Retina but it always says Not Vulnerable

so anyways wtf is that, got 0, zero, niente shell with this crap so far, am i doing something wrong?

....thx so far

pita
1 it's an exploit for windows 2000 and on windows 2000 port 5000 isn't open.
2 this exploit binds a shell on 8721 on the target, so why are u binding with nc at your home?
CeR3al
lol, there are always people who know it better,

i read this too man. But the universal should be for xp and so on too..
otherwise i also checked many ones running 2000 and yes many got port
5000 open too!

5000 [ UPnP => Universal Plug and Play ]
445 [ Microsoft-Ds ]
139 [ Netbios-ssn => NETBIOS Session Service ]

they were all open..

so what?
CeR3al
so could anybody just tell me how to get a shell if my system is vulnerable using the universal exploit MS05-039 ?
CeR3al
And range scan with this Retina thing sucks, start ip: ok
end ip: can't type in a shit lol
pita
but the exploit that spawns a shell on 8721 isn't for windows xp since the ret he is using (0x75021e3e) isn't a good pop pop retn for windows xp.
also i'm not sure that the ret used in the exploit from hod (0x767a38f6) will work on windows xp but i don't have xp at home so i can't verify this.
apoc_neo
next time please read the description of each exploit....

CODE

* Description:
*    A remote code execution and local elevation of privilege
*    vulnerability exists in Plug and Play that could allow an
*    attacker who successfully exploited this vulnerability to take
*    complete control of the affected system.
*
*    This is a remote code execution and local privilege elevation
*    vulnerability. On Windows 2000, an anonymous attacker could
*    remotely try to exploit this vulnerability.
*
*    On Windows XP Service Pack 1, only an authenticated user could
*    remotely try to exploit this vulnerability.
*    On Windows XP Service Pack 2 and Windows Server 2003, only an
*    administrator can remotely access the affected component.
*    Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
*    this is strictly a local privilege elevation vulnerability.
*    An anonymous user cannot remotely attempt to exploit this
*    vulnerability on Windows XP Service Pack 2 and Windows
*    Server 2003.
CeR3al
QUOTE(apoc_neo @ Aug 13 2005, 10:11 PM)
next time please read the description of each exploit....

CODE

* Description:
*    A remote code execution and local elevation of privilege
*    vulnerability exists in Plug and Play that could allow an
*    attacker who successfully exploited this vulnerability to take
*    complete control of the affected system.
*
*    This is a remote code execution and local privilege elevation
*    vulnerability. On Windows 2000, an anonymous attacker could
*    remotely try to exploit this vulnerability.
*
*    On Windows XP Service Pack 1, only an authenticated user could
*    remotely try to exploit this vulnerability.
*    On Windows XP Service Pack 2 and Windows Server 2003, only an
*    administrator can remotely access the affected component.
*    Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
*    this is strictly a local privilege elevation vulnerability.
*    An anonymous user cannot remotely attempt to exploit this
*    vulnerability on Windows XP Service Pack 2 and Windows
*    Server 2003.

again somebody must know it better lmao, look at my question, i didn't want to know
which systems are infected!!! I have tastes lots of windows 2000 servers with tcp 445 open and 5000

for e.g

[*] connecting to 62.*.*.*:445...ok
[*] null session...ok
[*] bind pipe...ok
[*] sending crafted packet...ok
[*] check your shell on 62.*.*.*:8721
l0st@server2:~/... > ./nc 62.*.*.* 8721
l0st@server2:~/... >

u see how good this works ...



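The sequence printed above (TCP 445, null session, pipe bind, shell on 8721) is also the footprint a defender can look for. The following is an added example, not code from this thread or from the exploit's authors: it scans constructed firewall-style records (assumed Windows Firewall pfirewall.log layout, made-up addresses and an assumed LAN range of 192.168.178.0/24) for a 445 contact followed by a connection to the bind-shell port from the same source.

```python
"""Detection for the pattern printed above: inbound TCP 445 from a host,
then a connection to TCP 8721 (the thread's bind-shell port) from the
same host shortly after.  Log records below are constructed samples in
an assumed Windows Firewall (pfirewall.log) layout, not a real capture."""
import ipaddress
from datetime import datetime, timedelta

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2005-08-13 22:01:05 OPEN-INBOUND TCP 192.168.178.7 192.168.178.20 1034 445
2005-08-13 22:01:06 OPEN-INBOUND TCP 203.0.113.9 192.168.178.20 4711 445
2005-08-13 22:01:09 OPEN-INBOUND TCP 203.0.113.9 192.168.178.20 4712 8721
2005-08-13 22:30:00 OPEN-INBOUND TCP 198.51.100.4 192.168.178.20 2001 8721
"""

SHELL_PORT = 8721                  # bind-shell port from the exploit output above
WINDOW = timedelta(seconds=60)     # max gap between 445 contact and shell connect
INTERNAL = ipaddress.ip_network("192.168.178.0/24")  # assumed LAN of the monitored host


def parse(log):
    """Yield (timestamp, source address, destination port) for inbound TCP records."""
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if f[2] != "OPEN-INBOUND" or f[3] != "TCP":
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        yield ts, ipaddress.ip_address(f[4]), int(f[7])


def find_bind_shell_alerts(log, window=WINDOW):
    """Return a list of (source, reason).  A 445 contact followed by a
    connection to the shell port from the same source inside `window` is
    the strong signal; any external connection to the shell port is also
    reported, since nothing legitimate should be listening there."""
    last_445 = {}
    alerts = []
    for ts, src, dport in parse(log):
        if dport == 445:
            last_445[src] = ts
        elif dport == SHELL_PORT:
            seen = last_445.get(src)
            if seen is not None and ts - seen <= window:
                alerts.append((str(src), "445 then 8721 within window: PnP exploit + bind shell"))
            elif src not in INTERNAL:
                alerts.append((str(src), "external connection to bind-shell port 8721"))
    return alerts
```

On the sample data the 192.168.178.7 contact to 445 alone raises nothing, while 203.0.113.9 (445 then 8721 three seconds later) and 198.51.100.4 (external, straight to 8721) are both reported.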
brOmstar
Yes somebody must know it better cause your only objective is to root some foreign servers ...and anybody who is stupid enough to help only gets unfriendly responses from you ...damn skiddie.

..port 5000 is open.. -> read the adv
..i got no shell .. -> then start a debugger and debug it on YOUR computer


btw. i tested it on my box, german w2k sp4, added the correct german offset and it works like a charm, with the houseofdabuse one the service even didn't crash after exploitation so you can own it again and again and again. Why am i telling you that? Because it's fun to know that there is no box for you until you get it running.

ps. Your ip starts with 62? you should try 127.0.0.1 that's all ..believe me ..you only typed the wrong ip into your cmdline

Have a nice day
CeR3al
it's no german win2k... and so on 62 is not my ip, that would be 192.. or 127.0.0.1, wow how did i know that, rofl :-)

i'm not interested in owning some crap win2k servers with uptime of 2 hours, just tested it on my own 2 servers running win2k and if you have a problem with that
tell it to someone interested in...

bye


brOmstar
QUOTE
Then i tried to scan lots of them with Retina but it always says Not Vulnerable


QUOTE
otherwise i also checked many ones running 2000 and yes many got port
5000 open too!


QUOTE
And range scan with this Retina thing sucks


All this for testing your two boxes? Try to patch them and test the exploit in a vmware, i mean better secure your boxes before somebody owns them..with that well working public exploit.

QUOTE
I have tastes lots of windows 2000 servers with tcp 445 open and 5000


Mh servers tastes sooo good

62.*.*.* is a european range so better add your own fitting offsets

And you seem to be interested because you are answering and waiting for the next post.

ps.: win2k with 2 hours uptime... better press F1 so your boxes could become better uptimes

pps.: I have a problem with you because you are offending anybody who tries to help you.
nolimit
my butt has got this rash lately. It used to be a rosy pink splotch but now it's a dark red stripe across my buttocks, like a flesh runway for gays. It itches so much too.
Anywho, something about exploits?...
SkitZZ
hey nolimit better get some Vaseline on that rash before CeR3al decides to exploit your buttocks
Killaloop
this exploit has nothing to do with port 5000.
port 5000 is for upnp, but this exploit is for pnp which is a service provided by rpc.
this exploit won't work for any other OS than windows 2000.
it will only work with the english version of this os.
it won't work if you got the patch installed.
it won't work if null session is disabled.
it won't work if the rpc endpoints are blocked.

you got it now?
okay fine, trash this post please and give this guy some warning points.
people try to help and tell him the truth and he flames around.
vnet576
QUOTE(CeR3al @ Aug 13 2005, 07:09 PM)
it's no german win2k... and so on 62 is not my ip, that would be 192.. or 127.0.0.1, wow how did i know that, rofl :-)

i'm not interested in owning some crap win2k servers with uptime of 2 hours, just tested it on my own 2 servers running win2k and if you have a problem with that
tell it to someone interested in...

bye

Big mistake admitting that you are trying to hack servers other than your own. Warned and account suspended.
soundsearch
Guys i'm lost.

I want to test this exploit on my laptop.
But i have a Dutch Win. So can anybody give me some help with changing those offsets.
pita
QUOTE(soundsearch @ Aug 14 2005, 06:51 PM)
Guys i'm lost.

I want to test this exploit on my laptop.
But i have a Dutch Win. So can anybody give me some help with changing those offsets.

make a search on the forum it was answered.
morning_wood
plug-n-pray on win2k listens at port 1025
Decept
have u already tested more ip's than one???
there aren't very many vulns left atm, but I tried it remote on like 10000 boxes
got like about 200 shells.
vnet576
QUOTE(Decept @ Aug 17 2005, 05:39 AM)
have u already tested more ip's than one???
there aren't very many vulns left atm, but I tried it remote on like 10000 boxes
got like about 200 shells.

Account warned and suspended. Unless of course you can prove that you are an administrator of 10,000 computers. If that is the case then your account will be fully restored.
Invision Power Board © 2001-2005 Invision Power Services, Inc.