Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Microsoft WINS Vulnerability + OS/SP Scanner (source)
From: class <ad () class101 org>
Date: Mon, 02 May 2005 09:51:25 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
While replicating, it's possible to guess the OS and SP, in addition
you have the heap base address.
Conclusion: all needed for a skilled hacker to intrude a vulnerable
computer, however a script kiddie wont be able to do something because
each wrong hacking attempts may corrupt the WINS database and so on ,
move where this is needed to overwrite. This is where the skilled
hacker will use the heap base address retrieved while scanning to
start a bruteforce attack , nor at best, to analyze how is moving the
heap   :)
For example, the exploit that I have published (v0.3) is doing a small
part of 2k with the corresponding heap base , but you will have to
update it to catch some other heap positions.

I attach the win32 binary, follow class101.org and hat-squad.com if
you are seeking for the source or FreeBSD version, I think I will
share them soon.

- -v....: lite verbose
- -vv..: ultra verbose
threads: 0-4999

else all go in HS_WINS.txt

Screenshot:

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2000 SP3

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4

IP.............: ***:42
STATUS.........: not wins, wrong datas

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2003 SP0

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2003 SP0

IP.............: ***:42
STATUS.........: nothing received, not wins or vulnerable service freezing

etc,etc

temp download: http://class101.org/HS_WINS.exe
temp download: http://class101.org/HS_WINS.cpp
(if both links are broken, then navigate manually trough my website
and find it!)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFCddv7LyZ8K9aT7rARAkQPAJ0Yu5/zvrxn3Vaul5gUalqwM6awfACeMVGC
im4LIEb0mFKQYsaa/lfNk2c=
=k5Sb
-----END PGP SIGNATURE-----

/*
                     HAT-SQUAD WINS VULNERABILITY/OS SCANNER
                       ------------------------------------
                       ------------------------------------

Note:
----------------

        By default, nothing printed on screen, 200 threads, all results in the file HS_WINS.txt
        -v..: lite verbose, will print the 'NOT_PATCHED' results on the screen
        -vv.: hard verbose, will print ALL results on the screen
        Increase or decrease the number of threads as you need.
        NT4 os are detected but not the vulnerability (not assested)

        Win32....: msvc++6
        FreeBSD..: gcc HS_WINS.cpp -o HS_WINS [-pthread|-lpthread]


sh00t:
----------------

        To all FD kiddies, boring writers, life seekers, as vulcanius, DayJay, and compagnie..
        talking about their politics, minds, ass, on a security mailinglist, shut the fuck up,
        time to gr0w up, blowjob lovers..

        Another stupid one, badpack3t, caught that one spamming on my homepage for his website (gayprotocols.com :>)
        hmm yeah so.. you can maybe claim or ppl might think that wasn't you.
        the spammer had nick/ip badpack3t/63.204.179.51, which was your nick/ip in w00w00 chann, Whaha, kiddie spotted, 
sh00ted :)

                              -=[®class101.org]=-
*/

#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include <afxext.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
CWinThread* pthread;
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#define ioctlsocket    ioctl
#define UINT               void*
#define LPVOID             void*
#define Sleep              sleep
pthread_t pthread;
#define SOCKET             int
#define closesocket(s) close(s)
#endif



char data[]=
"\x00\x00\x00\x29\x88\x06\x78\x05\x00\x00\x00\x00\x00\x00\x00\x00"
"\x58\x58\x58\x58\x00\x02\x00\x05\x00\x00\x00\x00\x84\x5b\x4c\x00"
"\x08\x00\x00\xe0\x8a\x18\x02\x01\x40\x59\x02\x01\x6b",pcent[]="%",recvbuf[50],*vvv,*vvv2,*vvv3;

int ok=0,nub=0,mthread=0,mfreeze,scanend=0,done=0,done2=0,thread,sp,spb,rc,scan,ipstart,ipstop,tip;
int ping=0,bose=0,bose2=0,tot=0,se=0,ok2=0,ok3=0,k3=0,k0=0,t4=0,chk(),engine(int argc,char *argv[]);

FILE *fplog;
void ver(),usage(),sl(int time),scr1(struct sockaddr_in server),scr2(struct sockaddr_in server);
UINT engine2(LPVOID tip);
/*
HS_WINS 192.168.0.0
HS_WINS 192.168.0.0 -v
HS_WINS 192.168.0.0 -vv
HS_WINS 192.168.0.0 192.168.0.255
HS_WINS 192.168.0.0 192.168.0.255 -v
HS_WINS 192.168.0.0 192.168.0.255 -vv
HS_WINS 192.168.0.0 192.168.0.255 1000
HS_WINS 192.168.0.0 192.168.0.255 1000 -v
HS_WINS 192.168.0.0 192.168.0.255 1000 -vv
*/
int main(int argc,char *argv[])
{
        vvv=argv[3],vvv2=argv[4],vvv3=argv[2];
        if (argc<2){ver();usage();return -1;}
        for (;;)
        {
                if (argc==2&&strlen(argv[1])>7&&strlen(argv[1])<16||
                                
argc==3&&strlen(argv[1])>7&&strlen(argv[1])<16&&(strcmp(vvv3,"-v")==0||strcmp(vvv3,"-vv")==0)||
                                
argc==3&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]||
                                
argc==4&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&(strcmp(vvv,"-v")==0||strcmp(vvv,"-vv")==0)||
                                
argc==4&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&atoi(argv[3])>0&&atoi(argv[3])<5000||
                                
argc==5&&strlen(argv[1])>7&&strlen(argv[1])<16&&strlen(argv[2])>7&&strlen(argv[2])<16&&argv[1]!=argv[2]&&atoi(argv[3])>0&&atoi(argv[3])<5000&&(strcmp(vvv2,"-v")==0||strcmp(vvv2,"-vv")==0))
                                {
                                        if 
(argc==3&&strcmp(vvv3,"-v")==0||argc==4&&strcmp(vvv,"-v")==0||argc==5&&strcmp(vvv2,"-v")==0){bose++;}
                                        else if 
(argc==3&&strcmp(vvv3,"-vv")==0||argc==4&&strcmp(vvv,"-vv")==0||argc==5&&strcmp(vvv2,"-vv")==0){bose2++;}
                                        if (argc==2||argc==3&&(strcmp(vvv3,"-v")==0||strcmp(vvv3,"-vv")==0)){ping++;}
                                        engine(argc,argv);break;
                                }
                                ver();printf("[+] wrong command line, type HS_WINS without arguments for the 
usage.\n");return -1;
        }
#ifdef WIN32
        WSACleanup();
#endif
        return 0;
}

int engine(int argc,char *argv[])
{
        ver();
        if (chk()==-1){ver();printf("[+] WARNING! can't create/write HS_WINS.txt, aborting..\n");return -1;}
        ipstart=htonl(inet_addr(argv[1]));
        if (ping==1){ipstop=htonl(inet_addr(argv[1]));}
        else ipstop=htonl(inet_addr(argv[2]));
        if (ipstart>ipstop){printf("[+] wrong command line, type HS_WINS without arguments for the usage.\n");return 
-1;}
        fprintf(fplog,"----------------------------------------------------------------------------\nCOMMAND: ");
        for (int argccmp=0;argccmp<argc;argccmp++){fprintf(fplog,"%s ", argv[argccmp]);}
        fprintf(fplog,"\n----------------------------------------------------------------------------\n\n");
        fflush(fplog);
        if (argc==4&&bose==0&&bose2==0||argc==5){thread=atoi(argv[3]);}
        else thread=200;
        scan=(ipstop-ipstart)+1;
        for (tip=ipstart;ipstart<=ipstop;ipstart++,tip++,nub++,mthread++,scanend++)
        {
                if (tip%256==0||tip%256==-1){scanend--;scan--;nub--;mthread--;continue;}
                for (;;){if (mthread>=thread){sl(4);}
                else break;}
//              sl(1);
#ifdef WIN32
                CWinThread* pthread=AfxBeginThread(engine2,LPVOID(tip));
#else
                pthread_create(&pthread,NULL,engine2,(void*)tip);
#endif
                if (se>20){printf("[+] too many socket errors, check your system configuration, aborting..\n");break;}
        }
#ifdef WIN32
        for(;;){
                if (done2>25){printf("[+] status..: %d%s thread(s):%d (freezing, supposed done..)       
\n",(scanend)*100/(scan),pcent,mthread);break;}
                if (mthread!=0){sl(1);printf("[+] status..: %d%s thread(s):%d       
\r",(scanend)*100/(scan),pcent,mthread);
                if (mthread==mfreeze&&(mthread!=0||mfreeze!=0)){done2++;}else{mfreeze=mthread;}continue;}
                else {printf("[+] status..: %d%s thread(s):%d       \n",(scanend)*100/(scan),pcent,mthread);break;}
        }
#endif
        printf("[+] results.: %d / %d IP(s) (open:%d wins:%d win2003:%d win2000:%d nt4:%d)\n",ok,nub,ok2,ok3,k3,k0,t4);
        fprintf(fplog,"----------------------------------------------------------------------------\n");
        fprintf(fplog,"Scan complete: %d / %d IP(s) (open:%d wins:%d win2003:%d win2000:%d 
nt4:%d)\n",ok,nub,ok2,ok3,k3,k0,t4);
        fprintf(fplog,"------------------------------------------------[class101.org 2004-2005]----\n\n\n");
        fflush(fplog);
        return 0;
}

UINT engine2(LPVOID tip)
{
        int ip=int(tip);
#ifdef WIN32
        WSADATA wsadata;
        if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");mthread--;return -1;}
#endif
        SOCKET s;fd_set mask;struct timeval timeout, timeout2; struct sockaddr_in server;
        s=socket(AF_INET,SOCK_STREAM,0);
        if (s==-1){se++;mthread--;
#ifdef WIN32
        return -1;
#else
        return engine;
#endif
        }
        server.sin_family=AF_INET;
        server.sin_addr.s_addr=htonl(ip);
        server.sin_port=htons(42);
        if (scanend<=scan+1){printf("[+] status..: %d%s thread(s):%d       \r",(scanend)*100/(scan),pcent,mthread);}
        unsigned long flag=1;
        if (ioctlsocket(s,FIONBIO,&flag)!=0)
        {
                se++;mthread--;closesocket(s);
#ifdef WIN32
                return -1;
#else
                return engine;
#endif
        }
        connect(s,( struct sockaddr *)&server,sizeof(server));
        timeout.tv_sec=3;timeout.tv_usec=0;timeout2.tv_sec=5;timeout2.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
        switch(select(s+1,NULL,&mask,NULL,&timeout))
        {
                case -1: {mthread--;closesocket(s);
#ifdef WIN32
                return -1;
#else
                return engine;
#endif
}
                case 0: {mthread--;closesocket(s);
#ifdef WIN32
                return -1;
#else
                return engine;
#endif
}
                default:
                if(FD_ISSET(s,&mask))
                {
                        ok2++;
                        if (send(s,data,sizeof(data)-1,0)==-1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: 
error sending, not wins\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
                        if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: error sending, not 
wins            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
                        mthread--;tot++;closesocket(s);
#ifdef WIN32
                        return -1;
#else
                        return engine;
#endif
}
                        sl(3);
                        switch(select(s+1,&mask,NULL,NULL,&timeout2))
                        {
                                case -1: {mthread--;closesocket(s);
#ifdef WIN32
                                return -1;
#else
                                return engine;
#endif
}
                                case 0: {fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: nothing received, not 
wins or vulnerable service freezing\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
                                if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: nothing 
received, not wins or vulnerable service freezing\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
                                mthread--;tot++;closesocket(s);
#ifdef WIN32
                                return -1;
#else
                                return engine;
#endif
}
                                default:
                                rc = recv(s,recvbuf,sizeof(recvbuf),0);
                        }
                        if (rc<40||recvbuf[3]!=41&&recvbuf[8]!=88){fprintf(fplog,"IP.............: 
%s:%d\nSTATUS.........: not wins, wrong datas\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
                        if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: not wins, wrong 
datas            \n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
                        mthread--;tot++;closesocket(s);
#ifdef WIN32
                        return -1;
#else
                        return engine;
#endif
}
                        ok3++;
                        if (recvbuf[24]==-144&&recvbuf[25]==-107){spb=0;}
                        else if (recvbuf[24]==40&&recvbuf[25]==-5){spb=1;}
                        if (recvbuf[36]==37&&recvbuf[39]==1){fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: 
wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: Windows 2003 
SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);fflush(fplog);
                        if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled         
   \nVULNERABILITY..: NOT_PATCHED            \nOS.............: Windows 2003 SP%d            
\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);}
                        ok++;k3++;tot++;if (bose==1){scr1(server);}mthread--;closesocket(s);
#ifdef WIN32
                        return -1;
#else
                        return engine;
#endif
}
                        else if (recvbuf[36]==53&&recvbuf[39]==1){fprintf(fplog,"IP.............: 
%s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2003 
SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);fflush(fplog);
                        if (recvbuf[24]==-144&&recvbuf[25]==-107){spb=0;}
                        else if (recvbuf[24]==40&&recvbuf[25]==-5){spb=1;}
                        if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled         
   \nVULNERABILITY..: patched            \nOS.............: Windows 2003 SP%d            
\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),spb);}
                        k3++;mthread--;tot++;closesocket(s);
#ifdef WIN32
                        return -1;
#else
                        return engine;
#endif
}
                        else if (recvbuf[36]==71&&recvbuf[39]==1){fprintf(fplog,"IP.............: 
%s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2003 
SP1\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
                        if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled         
   \nVULNERABILITY..: patched            \nOS.............: Windows 2003 SP1            
\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
                        k3++;mthread--;tot++;closesocket(s);
#ifdef WIN32
                        return -1;
#else
                        return engine;
#endif
}
                        else if (recvbuf[36]==85&&recvbuf[37]==31&&recvbuf[40]==24&&recvbuf[41]==37||
                                                         
recvbuf[36]==-111&&recvbuf[37]==-127&&recvbuf[40]==64&&recvbuf[41]==-106||
                                                         
recvbuf[36]==-107&&recvbuf[37]==43&&recvbuf[40]==8&&recvbuf[41]==54||
                                                         
recvbuf[36]==-89&&recvbuf[37]==-99&&recvbuf[40]==-128&&recvbuf[41]==38||
                                                         
recvbuf[36]==69&&recvbuf[37]==-112&&recvbuf[40]==-144&&recvbuf[41]==31||
                                                         
recvbuf[36]==-37&&recvbuf[37]==-128&&recvbuf[40]==-136&&recvbuf[41]==-82){
                        if 
(recvbuf[36]==85&&recvbuf[37]==31&&recvbuf[40]==24&&recvbuf[41]==37||recvbuf[36]==-111&&recvbuf[37]==-127&&recvbuf[40]==64&&recvbuf[41]==-106){sp=4;}
                        else if (recvbuf[36]==-107&&recvbuf[37]==43&&recvbuf[40]==8&&recvbuf[41]==54){sp=3;}
                        else if (recvbuf[36]==-89&&recvbuf[37]==-99&&recvbuf[40]==-128&&recvbuf[41]==38){sp=2;}
                        else if (recvbuf[36]==69&&recvbuf[37]==-112&&recvbuf[40]==-144&&recvbuf[41]==31){sp=1;}
                        else if (recvbuf[36]==-37&&recvbuf[37]==-128&&recvbuf[40]==-136&&recvbuf[41]==-82){sp=0;}
                        if (recvbuf[16]==0&&recvbuf[17]==0&&recvbuf[18]==0){fprintf(fplog,"IP.............: 
%s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: patched\nOS.............: Windows 2000 
SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);fflush(fplog);
                        if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled         
   \nVULNERABILITY..: patched            \nOS.............: Windows 2000 SP%d            
\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);}
                        k0++;mthread--;tot++;closesocket(s);
#ifdef WIN32
                        return -1;
#else
                        return engine;
#endif
}
                        else {fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: 
NOT_PATCHED\nOS.............: Windows 2000 
SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);fflush(fplog);
                        if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled         
   \nVULNERABILITY..: NOT_PATCHED            \nOS.............: Windows 2000 SP%d            
\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);}
                        ok++;k0++;tot++;if (bose==1){scr2(server);}mthread--;closesocket(s);
#ifdef WIN32
                        return -1;
#else
                        return engine;
#endif
}
                        }
                        else {
                                fprintf(fplog,"IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: 
unknown\nOS.............: NT4 (OS not 
implemented)\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));fflush(fplog);
                                if (bose2==1){printf("IP.............: %s:%d            \nSTATUS.........: wins enabled 
           \nVULNERABILITY..: unknown            \nOS.............: NT4 (OS not implemented)            
\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));}
                                t4++;mthread--;tot++;closesocket(s);
#ifdef WIN32
                                return -1;
#else
                                return engine;
#endif
}
                }
        }
        mthread--;
        closesocket(s);
#ifdef WIN32
        return 0;
#else
        return engine;
#endif
}

int chk(){
        if ((fplog =fopen("HS_WINS.txt","a+"))==NULL)
                return -1;
        else return 1;
}

void sl(int time){
#ifdef WIN32
        Sleep(time*1000);
#else
        Sleep(time);
#endif
}

void usage(){
        printf("           [+]  . HS_WINS 192.168.0.1  [-v|-vv]\n");
        printf("           [+]  . HS_WINS 192.168.0.0 192.168.0.255  [-v|-vv]\n");
        printf("           [+]  . HS_WINS 192.168.0.0 192.168.0.255 1000  [-v|-vv]\n");
}

void ver(){
        printf("\n");
        printf("        ===================================================[v1.0]====\n");
        printf("        ============WINS Vulnerability and OS/SP scanner=============\n");
        printf("        ============multi-threaded for Linux and Windows=============\n");
        printf("        ======coded by class101=============[Hat-Squad.com 2005]=====\n");
        printf("        =============================================================\n");
        printf("\n");
}

void scr1(struct sockaddr_in server)
{
        printf("IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: 
Windows 2003 SP0\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port));
}

void scr2(struct sockaddr_in server)
{
        printf("IP.............: %s:%d\nSTATUS.........: wins enabled\nVULNERABILITY..: NOT_PATCHED\nOS.............: 
Windows 2000 SP%d\n\n",inet_ntoa(server.sin_addr),ntohs(server.sin_port),sp);
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Microsoft WINS Vulnerability + OS/SP Scanner (source) class (May 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]