[Full-Disclosure] ms03-049 exploit by wirepair + compiled version (Microsoft Windows XP target)

["Alexander Antipov" <pk95@yandex.ru>]

Hi again!

-- snip --
ms03-049 by wirepair, pretty sweet find, although i can only get this to work 
on XP. Win2k responds with like
op rng error stating it doesn't know what the hell i'm requesting. Eeye seemed 
to elude to the fact that 'only xp has these
undocumented api's or something, anyways sc is from oc.192's awesome rpc 
exploit. This is beta and the code is friggen disgusting.
It was a hack job basically, but it works and i've tested it on 2 XP no sp 
machines. I'll add the 'change bindshell port' later.
It shouldn't crash the box either, at least in my cases exitthread does the 
trick. 
This code proves how little i know about crazy windows string stuff if you see 
a bunch of crap that makes no sense like weird casting.

After playing with the each SP, I have come to the conclusion that xp sp1a and 
sp0 deal with unicode strings differently. I'm
forced to use the MultiByteToWideChar for SP0 to process my string (\x89 \x81) 
seem to change the single byte to 2 bytes instead
of a null and a byte. SP1 gladly takes my own unicode string but will *not* 
accept the MultiByteToWide.
I will investigate somehow trying to remotely tell which service pack the 
remote victim is by trying to get it to respond with
a unicode string and somehow have it include a 89 or 81 character so i can see 
the difference, then scan the buff and hope
i can find any clues to which sp the remote host is. 
-- snip --

Download source and executable:

http://www.securityfocus.ru/41269.html