lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050309004800.22398.qmail@www.securityfocus.com>
Date: 9 Mar 2005 00:48:00 -0000
From: <caldcv@...dents.fccj.org>
To: bugtraq@...urityfocus.com
Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability


In-Reply-To: <20050307215532.GA24251@...os.microshaft.org>

>All:
>
>I would like to hear from someone who can reproduce this. If you can, please send
>details with OS, patches installed, pcaps, etc. not a report of what tools you used
>to create the packet, sniff and replay the results. I've tested this and either my
>machines are magically protected from this attack, or it is invalid (despite what
>the press might say). I'd like some outside corroboration of this attack.

OK,

 I run Microsoft Windows [Version 5.2.3790] aka Windows Server 2003.
 All service packs have been installed. I went to Windows Update, and
 nothing installed. Windows Firewall is off. 

 My linux box is a sarge installation of Debian, which is up to date.

Interesting ports on 192.168.0.100:
(The 1600 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn


 The code I used is from here:
http://www.k-otik.com/exploits/20050307.windos.c.php

eight@...set-bitch:~/code$ sudo ./land-new 192.168.0.100 139
Packet sent. Remote machine should be down.

 The original land.c code didn't want to compile on my linux box.. so I saw this on a slashdot post, tested it, and it locks the machine up to 100% CPU for about 8-10 secs, then goes back to normal.

 I hope this helps.

--CC


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ