Message-ID: <CAJtJjZs3YPmjHsz7Qme4azJq7=THjd+Kf4gotFz3sFEKPZEwwA@mail.gmail.com>
Date: Wed, 9 Nov 2011 11:46:08 +0000
From: Darren Martyn <d.martyn.fulldisclosure@...il.com>
To: secn3t@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
xD, does this mean you HAVE exploit code for this? Care to share that?
On Wed, Nov 9, 2011 at 11:42 AM, xD 0x41 <secn3t@...il.com> wrote:
> Is awesome exploit yes!
> I have looked at this and, you don't need to be udp... only... it is
> TCP-IP. ... which, I was luckily given a copy earlier than release date
> so have had time,... this whole thing reopens the old idlescan and,
> simply one tcp scanner, even a udp one, all you have to do is send a
> req, receive known SQN and ACK, that's pretty basic packet :s , and
> then it will open, amongst other things, UDP closed, although please
> note, the author of this and even technet clearly states, that it can
> use TCP/IP stack and, use IP and TCP ports/packets to scan, so the
> scanning just got 10x easier to make, no smb neg, just a simple
> netbios, maybe a peek down a pipe and, hopefully, I get this thing to
> go :P , I really want to see what this baby can show me that I don't
> already know.. but I know one thing, this is nothing, this wormhole, is
> by far the biggest I have seen since dcom.. and remote code means
> remote worm...so, yes, expect a lot of newer boxes, infected, and yes
> even fully patched rc2 and datacenter copies are affected..and, if
> anyone has seen the paper well, it clearly states the packet needs to
> only contain 2 things, and, probably have some nice little spoofing
> even possible, since the nature allows it to scan by udp, can then
> spoof all scanning to on windows, this is only possible on udp and
> some tcp syn d0s.. anyhow, yes, this could become easily the next
> blaster, maybe, because it does by nature bypass dep and aslr, and
> basically, reopens an old attack vector, so many bot farmers, would
> probably be seeking to port this already from Poc infos, and, it would
> not be hard, I will attempt it in private, and, I can already foresee
> this will *not* be a hard one... when the official papers are through and
> done, I guess there will be more about the tcp ip but seriously just
> think of the name of it, lol.. it is tcp-ip stack overflow right...
> tcp-ip :P anyhow.. yea.. it is going to see whether the scanner can work
> fast, ie: a fingerprinter made so it can see if it is a type of box,
> and that's VERY simple thanks to porting of Metasploit's dcerpc/smb
> scanner, which attaches and makes smb session, to get workgroup and
> other things...depending on port chosen, personally me, to speed it
> up, would opt for udp scanner (I have skeleton for a mssql scanner in
> cpp I have still got which works, drops to shell etc..) ... then I
> guess, making the packet, and, that would need a couple of headers in the
> code, woopee, and, some simple fail to respond to xp, must be v6, if
> v6 then, can continue on with fingerprinting, etc..so, to find a box
> can be very fast so, using smb on port 138/UDP, if possible to, or
> simply connect to 139/SMB-NT authority, and I'd simply use if/else, so
> udp or tcp gets triggered.. very easy to write this for those who have
> read the poc and know windows cpp, it only will take the packet SQN
> number, that's it.. the rest is bacon.. it is a very nice exploit for
> this late in the lives of these OS..a pity really.. only good thing
> is, it does not affect my family's pcs, which are nice and old now, so,
> I don't have more maintenance headaches :D
> cheers, have a happy patch tuesday!
> xd-- was h3re (cool spraypainting here .. )
>
>
> On 9 November 2011 22:25, Darren Martyn
> <d.martyn.fulldisclosure@...il.com> wrote:
> > Balls, I forgot to add this to the last message, but has anyone examined
> > the patch yet? I can only imagine it would be VERY interesting to look at...
> > <sarcasm> Or that it opens all UDP ports so that there are no closed
> > ones to exploit </sarcasm>
> >
> > On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn
> > <d.martyn.fulldisclosure@...il.com> wrote:
> >>
> >> So... Another Conficker type worm possible from this bug if everyone
> >> cocks up and fails to patch?
> >>
> >> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia
> >> <nahuel.grisolia@...il.com> wrote:
> >>>
> >>> Kingcope, where's the exploit?
> >>>
> >>> :P
> >>>
> >>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
> >>>
> >>> > http://technet.microsoft.com/en-us/security/bulletin/ms11-083
> >>> >
> >>> > "The vulnerability could allow remote code execution if an attacker
> >>> > sends a continuous flow of specially crafted UDP packets to a closed
> >>> > port on a target system."
> >>> >
> >>> > Microsoft did it once again.
> >>> >
> >>> > - Henri Salo
> >>> >
> >>> > _______________________________________________
> >>> > Full-Disclosure - We believe in it.
> >>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> > Hosted and sponsored by Secunia - http://secunia.com/
> >>>
> >>
> >>
> >>
> >> --
> >> My Homepage :D
> >>
> >
> >
> >
> > --
> > My Homepage :D
> >
> >
> >
>
--
My Homepage :D <http://compsoc.nuigalway.ie/%7Einfodox>
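The one concrete, defender-relevant fact in this thread is the bulletin wording quoted by Henri: the trigger is "a continuous flow of specially crafted UDP packets to a closed port on a target system". A host that keeps answering with ICMP port unreachable to one source at a high rate is therefore the observable a network sensor can alert on while patches roll out. The following is an added detection sketch, not code from anyone in this thread and not from Microsoft; the log line format it parses is a constructed assumption standing in for whatever a firewall or IDS actually emits, and the window and threshold values are arbitrary starting points to tune per environment.

```python
import re
from collections import defaultdict, deque

# Constructed log format (an assumption for this example, not any real
# sensor's output):
#   <epoch_seconds> UDP <src_ip>:<src_port> -> <dst_ip>:<dst_port> <verdict>
# <verdict> is "PORT_UNREACH" when the destination answered with ICMP port
# unreachable (i.e. the UDP port was closed) and "OK" otherwise.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) UDP (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<verdict>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparsable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "verdict": m["verdict"],
    }


def detect_closed_port_floods(lines, window=5.0, threshold=50):
    """Return {(src, dst): peak_count} for every (source, destination) pair
    whose UDP packets to closed ports exceeded `threshold` within any
    sliding window of `window` seconds. Packets to open ports are ignored,
    so ordinary DNS/NTP-style traffic never contributes to the count."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps of closed-port hits
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "PORT_UNREACH":
            continue
        key = (rec["src"], rec["dst"])
        q = recent[key]
        q.append(rec["ts"])
        # Drop hits older than the window (lines are assumed time-ordered).
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def constructed_sample():
    """Constructed sample log: benign traffic, one stray probe, one flood."""
    lines = []
    # Benign: a handful of packets to an open port (53) on 10.0.0.20.
    for i in range(5):
        lines.append(f"{1000 + i} UDP 10.0.0.7:4000{i} -> 10.0.0.20:53 OK")
    # A single stray packet to a closed port; should not be flagged.
    lines.append("1001 UDP 10.0.0.8:40000 -> 10.0.0.20:60001 PORT_UNREACH")
    # Sustained flow: 200 packets in two seconds to closed ports on 10.0.0.20.
    for i in range(200):
        ts = 1010 + i * 0.01
        lines.append(
            f"{ts:.2f} UDP 192.0.2.10:{50000 + i} -> "
            f"10.0.0.20:{60000 + (i % 10)} PORT_UNREACH"
        )
    return lines


if __name__ == "__main__":
    for (src, dst), peak in detect_closed_port_floods(constructed_sample()).items():
        print(f"ALERT: {src} sent {peak} UDP packets to closed ports on {dst} "
              f"within the window")
```

The design point is to count only packets that drew an ICMP port unreachable reply rather than all UDP from a source: that is exactly the traffic shape the bulletin describes, and it keeps legitimate high-volume UDP services out of the alert. On a real network the same logic can be fed from firewall deny logs or from an IDS that records ICMP type 3 code 3 replies, and the flagged pairs become candidates for rate limiting at the edge until MS11-083 is applied.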