lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: elvi52001 at yahoo.com (Elv1S)
Subject: Re: MS03-039 has been released (DoS) sploit ?

this exploit was released at the same time as MS03-026, BUT that patch was not made for this exploit, it was against the bof.
 
Only the MS03-039 protect you against this sploit
 
http://www.k-otik.com/exploits/07.21.win2kdos.c.php
 
About MS03-039, the exploit (eeye) is public in nessus plugin :
 
# The script code starts here
#

function dcom_recv(socket)
{
 local_var buf, len;
 
 buf = recv(socket:socket, length:10);
 if(strlen(buf) != 10)return NULL;
 
 len = ord(buf[8]);
 len += ord(buf[9])*256;
 buf += recv(socket:socket, length:len - 10);
 return buf;
}
 

port = 135;
if(!get_port_state(port))port = 593;
else {
 soc = open_sock_tcp(port);
 if(!soc)port = 593;
 else close(soc);
}
if(!get_port_state(port))exit(0);

#-------------------------------------------------------------#

function hex2raw(s)
{
 local_var i, j, ret;
 
 for(i=0;i<strlen(s);i+=2)
 {
  if(ord(s[i]) >= ord("0") && ord(s[i]) <= ord("9"))
  	j = int(s[i]);
  else
  	j = int((ord(s[i]) - ord("a")) + 10);

  j *= 16;
  if(ord(s[i+1]) >= ord("0") && ord(s[i+1]) <= ord("9"))
  	j += int(s[i+1]);
  else
  	j += int((ord(s[i+1]) - ord("a")) + 10);
  ret += raw_string(j);
 }
 return ret;
}

#--------------------------------------------------------------#
function check(req)
{ 
 local_var soc, bindstr, error_code, r;
 
 
 soc = open_sock_tcp(port);
 if(!soc)exit(0);

 bindstr = "05000b03100000004800000001000000d016d016000000000100000000000100a001000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";
 send(socket:soc, data:hex2raw(s:bindstr));
 r = dcom_recv(socket:soc);
 if(!r)exit(0);

 send(socket:soc, data:req);
 r = dcom_recv(socket:soc);
 if(!r)return NULL;

 close(soc);
 error_code = substr(r, strlen(r) - 4, strlen(r));
 return error_code;
}

function check2(req)
{ 
 local_var soc,bindstr, error_code, r;
 
 
 soc = open_sock_tcp(port);
 if(!soc)exit(0);

 bindstr = "05000b03100000004800000001000000d016d016000000000100000000000100a001000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";
 send(socket:soc, data:hex2raw(s:bindstr));
 r = dcom_recv(socket:soc);
 if(!r)exit(0);

 send(socket:soc, data:req);
 r = dcom_recv(socket:soc);
 if(!r)return NULL;


 error_code = substr(r, strlen(r) - 24, strlen(r) - 20);
 return error_code;
}
#---------------------------------------------------------------#


# Determine if we the remote host is running Win95/98/ME
bindwinme = "05000b03100000004800000053535641d016d016000000000100000000000100e6730ce6f988cf119af10020af6e72f402000000045d888aeb1cc9119fe808002b10486002000000";
soc = open_sock_tcp(port);
if(!soc)exit(0);
send(socket:soc, data:hex2raw(s:bindwinme));
rwinme = dcom_recv(socket:soc);
close(soc);
lenwinme = strlen(rwinme);
stubwinme = substr(rwinme, lenwinme-24, lenwinme-21);

# This is Windows 95/98/ME which is not vulnerable
if("02000100" >< hexstr(stubwinme))exit(0);


#----------------------------------------------------------------#

REGDB_CLASS_NOTREG = "5401048000";
CO_E_BADPATH = "0400088000";
NT_QUOTE_ERROR_CODE_EQUOTE = "00000000";



#
req1 =
 "0500000310000000b00300000100000098030000000004000500020000000000000000000000000000000000000000000000000000000000000000009005140068030000680300004d454f5704000000a201000000000000c0000000000000463803000000000000c0000000000000460000000038030000300300000000000001100800ccccccccc80000000000000030030000d80000000000000002000000070000000000000000000000000000000000000018018d00b8018d000000000007000000b901000000000000c000000000000046ab01000000000000c000000000000046a501000000000000c000000000000046a601000000000000c000000000000046a401000000000000c000000000000046ad01000000000000c000000000000046aa01000000000000c0000000000000460700000060000000580000009000000058000000200000006800000030000000c000000001100800cccccccc5000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100800cccccccc4800000000000000005d889aeb1cc9119fe808002b1048601000000000000000000000000100000000000000b8470a005800
000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc80000000000000000000000000000000000000000000000020ba09000000000060000000600000004d454f5704000000c001000000000000c0000000000000463b03000000000000c000000000000046000000003000000001000100673c70941333fd4687244d093988939d0200000000000000000000000000000000000000000000000100000001100800cccccccc480000000000000000000000b07e09000000000000000000f0890a0000000000000000000d000000000000000d000000730061006a00690061006400650076005f0078003800360000000800cccccccc01100800cccccccc10000000000000000000000000000000000000000000000001100800cccccccc5800000000000000c05e0a000000000000000000000000001b000000000000001b0000005c005c0000005c006a00690061006400650076005f007800000036005c007000750062006c00690063005c004100410041004100000000000100150001100800cccccccc200000000000000000000000905b09000200000001006c00c0df0800010000000700550000000000";

req2 =
 "0500000310000000b00300000200000098030000000004000500020000000000000000000000000000000000000000000000000000000000000000009005140068030000680300004d454f5704000000a201000000000000c0000000000000463803000000000000c0000000000000460000000038030000300300000000000001100800ccccccccc80000000000000030030000d80000000000000002000000070000000000000000000000000000000000000018018d00b8018d000000000007000000b901000000000000c000000000000046ab01000000000000c000000000000046a501000000000000c000000000000046f601000000000000c000000000000046ff01000000000000c000000000000046ad01000000000000c000000000000046aa01000000000000c0000000000000460700000060000000580000009000000058000000200000006800000030000000c000000001100800cccccccc5000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100800cccccccc4800000000000000005d889aeb1cc9119fe808002b1048601000000000000000000000000100000000000000b8470a005800
000005000600010000000000000000000000c000000000000046cccccccc01100800cccccccc80000000000000000000000000000000000000000000000020ba09000000000060000000600000004d454f5704000000c001000000000000c0000000000000463b03000000000000c000000000000046000000003000000001000100673c70941333fd4687244d093988939d0200000000000000000000000000000000000000000000000100000001100800cccccccc480000000000000000000000b07e09000000000000000000f0890a0000000000000000000d000000000000000d000000730061006a00690061006400650076005f0078003800360000000800cccccccc01100800cccccccc10000000000000000000000000000000000000000000000001100800cccccccc5800000000000000c05e0a000000000000000000000000001b000000000000001b0000005c005c0000005c006a00690061006400650076005f007800000036005c007000750062006c00690063005c004100410041004100000000000100150001100800cccccccc200000000000000000000000905b09000200000001006c00c0df0800010000000700550000000000";


req3  = "05000e03100000004800000003000000d016d01605af00000100000001000100b84a9f4d1c7dcf11861e0020af6e7c5700000000045d888aeb1cc9119fe808002b10486002000000";

req4 = "05000003100000009a00000003000000820000000100000005000200000000000000000000000000000000000000000000000000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f000700000000000000070000005c005c004d0045004f00570000000000000000005c0048005c0048000100000058e98f00010000009596952a8cda6d4ab23619bcaf2c2dea01000000010000005c00";




#display(hex2raw(s:req));
#exit(0);



 
 

error1 = check(req:hex2raw(s:req1));
error2 = check(req:hex2raw(s:req2)); 


#error3 = check(req:hex2raw(s:req3));
#error4 = check2(req:hex2raw(s:req4));

#display("error1=", hexstr(error1), "\n");
#display("error2=", hexstr(error2), "\n");
#display("error3=", hexstr(error3), "\n");
#display("error4=", hexstr(error4), "\n");



if(hexstr(error2) == hexstr(error1))
{
 if(hexstr(error1) == "0500078000")exit(0); # DCOM disabled
 security_hole(port);
}
else {
 set_kb_item(name:"SMB/KB824146", value:TRUE);
}


R?da_Zitouni <Reda.Zitouni@...ilante.com> wrote:
Seems guys you are mistaking. Here is the NSfocus advisory. In fact they found (as the M$ advisory is not clear on the subject) the 2nd BoF(CAN-2003-0528)  and not the DoS. The one you are talking of is an old (few weeks) vulnerability related to MS03-026 found by Ben Jurry.
 
http://www.nsfocus.com/english/homepage/research/0306.htm
 

Reda Zitouni

Security Engineer

VIGILANTe - France

http://www.VIGILANTe.com

 






---------------------------------
De : Exibar [mailto:exibar@...lair.com] 
Envoy? : jeudi 11 septembre 2003 01:58
? : Elv1S; full-disclosure@...ts.netsys.com



Sure looks that way, especially with the 7/21 datestamp for the directory and in the page name :-)
 
  It's *very* unlikely that we see a worm that acts on the DoS vuln, it's just too much work.  The BoF's are the ones that has my attention and need to patch urgently.
 
  Exibar
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Elv1S
Sent: Wednesday, September 10, 2003 6:49 PM
To: full-disclosure@...ts.netsys.com
Subject: [inbox] [Full-Disclosure] Re: MS03-039 has been released (DoS) sploit ?


thinkin' that they talking about the xfocus sploit public since 07-21 ? for the DoS vuln MS03-032
 
true or not ?
 
http://www.k-otik.com/exploits/07.21.win2kdos.c.php


Mike Tancsa <mike@...tex.net> wrote:

http://xforce.iss.net/xforce/alerts/id/152 says,

"The new DoS vulnerability was disclosed by a hacking group in China on
July 25, 2003, and functional exploit code is already in use on the
Internet. "

---Mike


At 01:41 PM 10/09/2003, Exibar wrote:
>anyone know of a 'sploit for this one yet? Or even proof of concept code?
>
>
>----- Original Message -----
>From: "Ryan, Pete" 

>To: 
>Sent: Wednesday, September 10, 2003 12:23 PM
>Subject: [Full-Disclosure] MS03-039 has been released - critical
>
>
> >
> >
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> > bulletin/MS03-039.asp
> >
> > -Pete
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software


---------------------------------
Yahoo! Search
- Looking for more? Try the new Yahoo! Search
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030911/8c400a0e/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ