Message-ID: <CALCvwp6TVB3pKPvOV4HOAu7W0b6f3jivmenf8h3=mgX1TB-1wQ@mail.gmail.com>
Date: Wed, 9 Nov 2011 23:18:43 +1100
From: xD 0x41 <secn3t@...il.com>
To: Darren Martyn <d.martyn.fulldisclosure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I have the PoC from another source than the actual author, but yes, I was
given only infos and the PoC, a week or so ago.. and there is code,
but I do not have this.. I will just say that I have as much as
Technet does, maybe a bit more about packet infos.. like what exactly
must be done, and that's only 2 things, which is, in between the packet
arriving to the closed port, two things, then one-two-5 packets; it
might take 10 on some boxes, but the overflow will 100% work and
bypasses all protections on and up to RC2 of the Datacenter edition.
Yes it is big, it is the biggest secret actually, but we will see
more when the author comes out with it, which is possibly never, but I
know that I have enough infos from what I've read to start testing,
and this I have done many times and still hold a couple of undiscloseds for
M$, but I guess the bug on this is that it hits the newest boxes, NOT
the oldies as most were doing over and over... and no vector really
matters at that stage, the scan is dead.
Anyhow, this TCP/IP bug makes for a great cpp code, and for the two
things it needs, well, I have said it, SQN and ACK, and this could be
gained then set to the packet, then sent.. there is a buffer size at
which the port opens, but this is undisclosed.
cheers.
On 9 November 2011 22:46, Darren Martyn
<d.martyn.fulldisclosure@...il.com> wrote:
> xD, does this mean you HAVE exploit code for this? Care to share that?
>
> On Wed, Nov 9, 2011 at 11:42 AM, xD 0x41 <secn3t@...il.com> wrote:
>>
>> Is awesome exploit yes!
>> I have looked at this and, you don't need to be UDP... only... it is
>> TCP-IP. ... which, I was luckily given a copy earlier than release date
>> so have had time,... this whole thing reopens the old idlescan and,
>> simply one TCP scanner, even a UDP one, all you have to do is send a
>> req, receive known SQN and ACK, that's pretty basic packet :s , and
>> then it will open, amongst other things, UDP closed, although please
>> note, the author of this and even Technet clearly state that it can
>> use TCP/IP stack and use IP and TCP ports/packets to scan, so the
>> scanning just got 10x easier to make, no SMB neg, just a simple
>> NetBIOS, maybe a peek down a pipe and, hopefully, I get this thing to
>> go :P , I really want to see what this baby can show me that I don't
>> already know.. but I know one thing, this is nothing, this wormhole is
>> by far the biggest I have seen since DCOM.. and remote code means
>> remote worm... so, yes, expect a lot of newer boxes infected, and yes
>> even fully patched RC2 and Datacenter copies are affected.. and, if
>> anyone has seen the paper, well, it clearly states the packet needs to
>> only contain 2 things, and probably have some nice little spoofing
>> even possible, since the nature allows it to scan by UDP, can then
>> spoof all scanning to on Windows, this is only possible on UDP and
>> some TCP SYN DoS.. anyhow, yes, this could become easily the next
>> Blaster, maybe, because it does by nature bypass DEP and ASLR, and
>> basically reopens an old attack vector, so many bot farmers would
>> probably be seeking to port this already from PoC infos, and it would
>> not be hard, I will attempt it in private, and I can already foresee
>> this will *not* be a hard one... when the official papers are through and
>> done, I guess there will be more about the TCP/IP but seriously just
>> think of the name of it, lol.. it is TCP-IP stack overflow right...
>> TCP-IP :P anyhow.. yea.. it is going to see whether the scanner can work
>> fast, ie: a fingerprinter made so it can see if it is a type of box,
>> and that's VERY simple thanks to porting of Metasploit's dcerpc/smb
>> scanner, which attaches and makes SMB session to get workgroup and
>> other things... depending on port chosen, personally me, to speed it
>> up, would opt for UDP scanner (I have skeleton for a MSSQL scanner in
>> cpp I have still got which works, drops to shell etc..) ... then I
>> guess, making the packet, and that would need a couple of headers in the
>> code, woopee, and some simple fail-to-respond to XP, must be v6; if
>> v6 then can continue on with fingerprinting, etc.. so, to find a box
>> can be very fast so, using SMB on port 138/UDP, if possible to, or
>> simply connect to 139/SMB-NT authority, and I'd simply use if/else, so
>> UDP or TCP gets triggered.. very easy to write this for those who have
>> read the PoC and know Windows cpp, it only will take the packet SQN
>> number, that's it.. the rest is bacon.. it is a very nice exploit for
>> this late in the lives of these OS.. a pity really.. only good thing
>> is, it does not affect my family's PCs, which are nice and old now, so
>> I don't have more maintenance headaches :D
>> cheers, have a happy Patch Tuesday!
>> xd-- was h3re (cool spraypainting here .. )
>>
>>
>> On 9 November 2011 22:25, Darren Martyn
>> <d.martyn.fulldisclosure@...il.com> wrote:
>> > Balls, I forgot to add this to the last message, but has anyone examined
>> > the patch yet? I can only imagine it would be VERY interesting to look at...
>> > <sarcasm> Or that it opens all UDP ports so that there are no closed
>> > ones to exploit </sarcasm>
>> >
>> > On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn
>> > <d.martyn.fulldisclosure@...il.com> wrote:
>> >>
>> >> So... Another Conficker-type worm possible from this bug if everyone
>> >> cocks up and fails to patch?
>> >>
>> >> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia
>> >> <nahuel.grisolia@...il.com> wrote:
>> >>>
>> >>> Kingcope, where's the exploit?
>> >>>
>> >>> :P
>> >>>
>> >>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>> >>>
>> >>> > http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>> >>> >
>> >>> > "The vulnerability could allow remote code execution if an attacker
>> >>> > sends a continuous flow of specially crafted UDP packets to a closed
>> >>> > port on a target system."
>> >>> >
>> >>> > Microsoft did it once again.
>> >>> >
>> >>> > - Henri Salo
>> >>> >
>> >>> > _______________________________________________
>> >>> > Full-Disclosure - We believe in it.
>> >>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> My Homepage :D
>> >>
>> >
>> >
>> >
>> >
>> >
>> >
>
>
>
>
>
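As an added illustration (not code from the thread, the PoC, or Microsoft), the trigger condition quoted from the MS11-083 bulletin, a continuous flow of UDP packets to a closed port, is something a defender can look for in host firewall drop logs. The log lines below are constructed and assume the Windows Firewall pfirewall.log W3C field order; the threshold and window values are arbitrary assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the assumed pfirewall.log layout (17 space-separated fields).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-11-09 10:00:00 DROP UDP 198.51.100.7 192.0.2.10 40001 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:00 DROP UDP 198.51.100.7 192.0.2.10 40002 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:01 DROP UDP 198.51.100.7 192.0.2.10 40003 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:01 DROP UDP 203.0.113.5 192.0.2.10 51000 137 78 - - - - - - - RECEIVE
2011-11-09 10:00:02 DROP UDP 198.51.100.7 192.0.2.10 40004 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:02 DROP TCP 203.0.113.5 192.0.2.10 51001 445 52 S 123 0 8192 - - - RECEIVE
2011-11-09 10:00:03 DROP UDP 198.51.100.7 192.0.2.10 40005 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:03 DROP UDP 198.51.100.7 192.0.2.10 40006 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:05 ALLOW UDP 198.51.100.7 192.0.2.10 40007 53 60 - - - - - - - RECEIVE
2011-11-09 10:00:40 DROP UDP 203.0.113.5 192.0.2.10 51002 137 78 - - - - - - - RECEIVE
"""

def parse_udp_drops(log_text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for inbound UDP packets the host dropped.

    A DROP on an inbound UDP datagram is the host-side trace of a packet to a closed port."""
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 17:
            continue
        date, time, action, proto, src, dst, _sport, dport = fields[:8]
        if action != "DROP" or proto != "UDP" or fields[16] != "RECEIVE":
            continue
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst, int(dport)

def find_udp_floods(log_text, threshold=5, window_s=10):
    """Map (src, dst, port) -> peak count of dropped UDP packets in any window_s-second window,
    keeping only tuples whose peak reaches threshold (a sustained flow to one closed port)."""
    stamps = defaultdict(list)
    for ts, src, dst, port in parse_udp_drops(log_text):
        stamps[(src, dst, port)].append(ts)
    hits = {}
    for key, ts_list in stamps.items():
        ts_list.sort()
        start, peak = 0, 0
        for end, ts in enumerate(ts_list):          # sliding window over sorted timestamps
            while (ts - ts_list[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits

if __name__ == "__main__":
    for (src, dst, port), n in find_udp_floods(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}/udp  {n} dropped packets inside one window")
```

Only dropped datagrams count, so ordinary traffic to open UDP services (the ALLOW line) never contributes, and a single stray probe to port 137 stays below the threshold.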