| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Nov 2011 22:42:49 +1100 From: xD 0x41 <secn3t@...il.com> To: Darren Martyn <d.martyn.fulldisclosure@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Is awesome exploit yes! I have looked at this and, you dont need to be udp... only... it is TCP-IP. ... wich, i was luckily given a copy early than release date so have had time,... this whole thing reopens the old idlescan and, simly one tcp scanner, even a udp one, all you have todo is send a req, receive known SQN and ACK , thats pretty basic packet :s , and then it will open, amongst other things, UDP closed, although please note, the author of this and even technet clearly states, that it can use TCP/IP stack and, use IP and TCP ports/packets to scan, so the scanning just got 10x easier to make, no smb neg, just a simple netbios, maybe a peek down a pipe and, hopefully, i get this thing to go :P , I really want to see what this baby can show me that i dont alredy know.. but i know one thing, this is nothing, this wormhole, is byfar the biggest i have seen since dcom.. and remote code means remote worm...so, yes, expect alot of newer boxes, infected, and yes even fully patched rc2 and datacenter copies are affected..and, if anyone has seen the paper well, it clearly states the packet needs to only contain 2 things, and, probably have some nice little spoofaing even possible, since the nature allows it to scan by udp, can then spoof all scanning to on windows, this is only possible on udp and some tcp syn d0s.. anyhow, yes, this could become easily the next blaster, maybe, because it does by nature bypass dep and aslr, and basically, reopens an old attack vector, so many bot farmers,would probably be seeking to port this already from Poc infos, and, it would not be hard, i will attempt it in private, and, i can alredy forsee this will *not* be a hard one... when the official papers are thru and done, i guess there will be more about the tcp ip but seriously just think of the name of it , lol.. it is tcp-ip stack overflow right... tcp-ip :P anyhow.. yea.. it is goin to see wether the scanner can work fast, ie: a fingerprinter made so it can see if it is a type of box, and thats VERY simple thanks to porting of metasploits dcerpc/smb scanner, wich attaches and makes smb session, to get workgroup and other things...depending on port choosen, personally me, to spped it up, would opt for udp scanner (i have skeleton for a mssql scanner in cpp i have still got wich works, drops to shell etc..0 ... then i guess, making the packet, and, that would need a cpl of headers in the code, woopee, and, some simple fail to respond to xp, must be v6 , if v6 then, can continue on with fingerprinting, etc..so, to find a box can be very fast so, using smb on port 138/UDP , if possible to, or simply connect to 139/SMB-NT authority ,and id simply use if/else, so udp or tcp gets triggered.. very easy to write this for those who have read the poc and know windows cpp, it only will take the packet SQN number, thats it.. the rest is bacon.. it is a very nice exploit for this late in the lifes of these OS..a pty really.. only good thing is, it does nto affect my familys pcs, wich are nice and old now, so, i dont have more maintenance headaches :D cheers , have a happy patch tuesday! xd-- was h3re (cool spraypainting here .. ) On 9 November 2011 22:25, Darren Martyn <d.martyn.fulldisclosure@...il.com> wrote: > Balls, I forgot to add this to the last message, but has anyone examined the > patch yet? I can only imagine it would be VERY interesting to look at... > <sarcasm> Or that it opens all UDP ports so that there are no closed ones to > exploit </sarcasm> > > On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn > <d.martyn.fulldisclosure@...il.com> wrote: >> >> So... Another Conficker type worm possible from this bug if everyone cocks >> up and fails to patch? >> >> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia >> <nahuel.grisolia@...il.com> wrote: >>> >>> Kingcope, where's the exploit? >>> >>> :P >>> >>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote: >>> >>> > http://technet.microsoft.com/en-us/security/bulletin/ms11-083 >>> > >>> > "The vulnerability could allow remote code execution if an attacker >>> > sends a continuous flow of specially crafted UDP packets to a closed port on >>> > a target system." >>> > >>> > Microsoft did it once again. >>> > >>> > - Henri Salo >>> > >>> > _______________________________________________ >>> > Full-Disclosure - We believe in it. >>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> > Hosted and sponsored by Secunia - http://secunia.com/ >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> >> -- >> My Homepage :D >> > > > > -- > My Homepage :D > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists