Message-ID: <CALCvwp4DTeWatFPRm9n7F+S-j54_J7g6ED0nPo1=2A2yGA7njw@mail.gmail.com>
Date: Wed, 9 Nov 2011 22:42:49 +1100
From: xD 0x41 <secn3t@...il.com>
To: Darren Martyn <d.martyn.fulldisclosure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

Is awesome exploit yes!
I have looked at this and, you don't need to be udp... only... it is
TCP-IP. ... which, i was luckily given a copy earlier than release date
so have had time,... this whole thing reopens the old idlescan and,
simply one tcp scanner, even a udp one, all you have to do is send a
req, receive known SQN and ACK , that's pretty basic packet :s , and
then it will open, amongst other things, UDP closed, although please
note, the author of this and even technet clearly states, that it can
use TCP/IP stack and, use IP and TCP ports/packets to scan, so the
scanning just got 10x easier to make, no smb neg, just a simple
netbios, maybe a peek down a pipe and, hopefully, i get this thing to
go :P , I really want to see what this baby can show me that i don't
already know.. but i know one thing, this is nothing, this wormhole, is
by far the biggest i have seen since dcom.. and remote code means
remote worm...so, yes, expect a lot of newer boxes, infected, and yes
even fully patched rc2 and datacenter copies are affected..and, if
anyone has seen the paper well, it clearly states the packet needs to
only contain 2 things, and, probably have some nice little spoofing
even possible, since the nature allows it to scan by udp, can then
spoof all scanning to on windows, this is only possible on udp and
some tcp syn d0s.. anyhow, yes, this could become easily the next
blaster, maybe, because it does by nature bypass dep and aslr, and
basically, reopens an old attack vector, so many bot farmers, would
probably be seeking to port this already from PoC infos, and, it would
not be hard, i will attempt it in private, and, i can already foresee
this will *not* be a hard one... when the official papers are thru and
done, i guess there will be more about the tcp ip but seriously just
think of the name of it , lol.. it is tcp-ip stack overflow right...
tcp-ip :P anyhow.. yea.. it is going to see whether the scanner can work
fast, ie: a fingerprinter made so it can see if it is a type of box,
and that's VERY simple thanks to porting of metasploit's dcerpc/smb
scanner, which attaches and makes smb session, to get workgroup and
other things...depending on port chosen, personally me, to speed it
up, would opt for udp scanner (i have skeleton for a mssql scanner in
cpp i have still got which works, drops to shell etc..) ... then i
guess, making the packet, and, that would need a cpl of headers in the
code, woopee, and, some simple fail to respond to xp, must be v6 , if
v6 then, can continue on with fingerprinting, etc..so, to find a box
can be very fast so, using smb on port 138/UDP , if possible to, or
simply connect to 139/SMB-NT authority ,and i'd simply use if/else, so
udp or tcp gets triggered.. very easy to write this for those who have
read the PoC and know windows cpp, it only will take the packet SQN
number, that's it.. the rest is bacon.. it is a very nice exploit for
this late in the lives of these OS..a pity really.. only good thing
is, it does not affect my family's pcs, which are nice and old now, so,
i don't have more maintenance headaches :D

cheers , have a happy patch tuesday!
xd-- was h3re (cool spraypainting here .. )

On 9 November 2011 22:25, Darren Martyn
<d.martyn.fulldisclosure@...il.com> wrote:
> Balls, I forgot to add this to the last message, but has anyone examined the
> patch yet? I can only imagine it would be VERY interesting to look at...
> <sarcasm> Or that it opens all UDP ports so that there are no closed ones to
> exploit </sarcasm>
>
> On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn
> <d.martyn.fulldisclosure@...il.com> wrote:
>>
>> So... Another Conficker type worm possible from this bug if everyone cocks
>> up and fails to patch?
>>
>> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia
>> <nahuel.grisolia@...il.com> wrote:
>>>
>>> Kingcope, where's the exploit?
>>>
>>> :P
>>>
>>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>>>
>>> > http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>>> >
>>> > "The vulnerability could allow remote code execution if an attacker
>>> > sends a continuous flow of specially crafted UDP packets to a closed port on
>>> > a target system."
>>> >
>>> > Microsoft did it once again.
>>> >
>>> > - Henri Salo
>>> >
>>> > _______________________________________________
>>> > Full-Disclosure - We believe in it.
>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>> --
>> My Homepage :D
>>
>
>
>
> --
> My Homepage :D
>
>
>