Message-ID: <CALCvwp66LFf0hqV5D19A2u8d08kYL8LGBT-rEzkXhMdiVBNQsA@mail.gmail.com>
Date: Fri, 11 Nov 2011 07:03:51 +1100
From: xD 0x41 <secn3t@...il.com>
To: Sergito <sergito.lista@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

thx to: http://www.securityaegis.com/

ms11-083_sniffer.py

"""
Simple packet sniffer that writes a pcap file for any UDP traffic heading
for closed ports. Written in an attempt to capture data from a MS11-083
exploit in the wild.

Author: Samuel Hunter
If you have any suggestions or comments find me on twitter or send me
some mail. Don't tell me about my dirty code, I'm aware of that. This was
written quickly with no concern of standards.
twitter: @Trowalts
email: trowalts@...il.com
"""
# Python 2 script; depends on pcapy (capture) and impacket (packet decoding).
from pcapy import *
from impacket import ImpactDecoder, ImpactPacket
from socket import *
import fcntl
import struct
import os
import time


class Sniffer:
    def __init__(self):
        self.promiscuous = True
        self.called = 0  # silly habits
        self.interface = 'eth0'
        self.max_bytes = 65535  # Theoretical max size for a UDP packet
        self.read_timeout = 100
        self.ip = self.get_ip_address(self.interface)
        # Only traffic addressed to this host; see the note in start()
        # about the "not src net" part.
        self.bpf = 'ip dst host %s and not src net 192.168.1.0/30' % self.ip
        print "\n---------------------------------------------------"
        print "Sniffing for unsolicited UDP packets to closed ports."
        print " \"Open ports are for losers\" - MS11-083"
        print "Pcap log started, listening from %s" % time.strftime("%d:%m:%Y %H:%M:%S", time.localtime())
        print "---------------------------------------------------"

    def get_ip_address(self, ifname):
        # SIOCGIFADDR (0x8915) ioctl on Linux: fetch the IPv4 address of ifname
        s = socket(AF_INET, SOCK_STREAM)
        return inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915,
                                     struct.pack('256s', ifname[:15]))[20:24])

    def start(self):
        self.reader = open_live(self.interface, self.max_bytes,
                                self.promiscuous, self.read_timeout)
        # Pcapy uses BPF to filter packets, not src net 192.168.1.0/30
        # should be changed, it just filters out 1.0, 1.1, 1.2 and 1.3
        # which I use for different gateways and don't want traffic
        # from the router hitting the logs.
        self.reader.setfilter(self.bpf)
        # Run the packet capture loop
        self.reader.loop(0, self.callback)

    def callonce(self):
        # Open the pcap output file on the first matching packet only
        self.dumper = self.reader.dump_open(
            time.strftime("%d-%m-%Y_%H-%M-%S.pcap", time.localtime()))
        self.called = 1

    def callback(self, hdr, data):
        # Parse the Ethernet packet
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet packet
        iphdr = ether.child()
        udphdr = iphdr.child()
        # First check that the packets are not coming from the local host
        # Then check that it is a UDP packet (in case you changed the BPF) also
        # Check that the destination port for the packet is a closed port on the host
        if (iphdr.get_ip_src() != self.ip):
            self.refresh_portlist()
            if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and
                    udphdr.get_uh_dport() not in self.portlist):
                if self.called == 0:
                    self.callonce()
                print "Incoming UDP packet from %s" % iphdr.get_ip_src()
                self.dumper.dump(hdr, data)

    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports
        # used in the callback function as criteria for logging traffic
        # (note: the script is spawned for every packet that passes the BPF)
        output = os.popen("./getports.sh")
        pl = output.readlines()
        self.portlist = []
        for p in pl:
            self.portlist.append(int(p))


def main():
    snf = Sniffer()
    snf.start()


if __name__ == "__main__":
    main()

and bash script:

#!/bin/bash
# getports.sh: print every local UDP port in use (netstat -un) and every
# listening UDP port (netstat -lun), one per line; the two netstat header
# lines are skipped and the address prefix up to the last ':' is stripped.
netstat -un | awk 'NR>2{ sub(/.*:/,"",$4); uniq[$4] }END{ for(i in uniq) print i }'
netstat -lun | awk 'NR>2{ sub(/.*:/,"",$4); uniq[$4] }END{ for(i in uniq) print i }'

NOW you can make your own :D

http://www.securityaegis.com/wp-content/uploads/2011/11/honey_in_jar_black_background.jpg

cheers!
xd--

On 11 November 2011 06:49, Sergito <sergito.lista@...il.com> wrote:
> PoC ?
> http://www.youtube.com/watch?v=4aBE6o0oDlo
>
> []'s
> Sergito
>
> 2011/11/10 Thor (Hammer of God) <thor@...merofgod.com>
>>
>> So, I've looked about on the web to see what software of any consequence
>> you have written, but I can't find any. Can you point me to anything that
>> illustrates that you know how to develop wide scale software applications
>> and execute an SDL plan, or do you just like to sit back and bitch about
>> everyone else without actually doing anything? I'm serious - I'd really
>> like to know. Over all these years, all I've ever seen from you is talk
>> about how stupid everyone else is, but I've never once actually seen you do
>> anything constructive.
>>
>> t
>>
>> -----Original Message-----
>> From: full-disclosure-bounces@...ts.grok.org.uk
>> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Georgi
>> Guninski
>> Sent: Thursday, November 10, 2011 8:48 AM
>> To: xD 0x41
>> Cc: full-disclosure@...ts.grok.org.uk
>> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP
>> Could Allow Remote Code Execution (2588516)
>>
>> On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:
>> > You could just google for IRC packs of win2k src ;) I know i have a
>> > copy of it somewhere... actually tho, would not be helpful tho, as it
>> > does not affect win2k.. so i guess there would be some code there but
>> > not the code you want.
>> >
>> > @george
>> > and, ideally if 'years' ago existed for this exploit but, it does only
>> > affect v6 and up , this is tested.... so xp/2k/2k3 not affected...
>> > still, i know people are using other ways anyhow , and that's just how
>> > botting is... one way dies, one takes its place :s i guess we wait for
>> > the rls of this.. maybe!
>> >
>> >
>>
>> as in real life, real bugs die (the imaginary case is not clear to me).
>>
>> i suppose "trustworthy computing" doesn't mean "not many bugs still
>> alive".
>>
>> --
>> j
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
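The detection rule in the sniffer above (UDP, addressed to this host, not sent by this host, aimed at a port with no listening UDP socket) as an added example that is not part of xD's post or Samuel Hunter's script. It decodes the Ethernet/IPv4/UDP headers with struct instead of impacket, derives the open-port set from netstat -lun style text in Python instead of calling getports.sh, and runs over frames built inline so it works offline and without root. The monitoring host's address 10.0.0.2, the other addresses, the netstat text and the frames are all constructed for the example; the IP and UDP checksums in the built frames are left at zero because nothing here verifies them.

```python
# Added example (not from xD's post or Samuel Hunter's ms11-083_sniffer.py):
# the same "unsolicited UDP to a closed port" test in pure Python 3, with
# header decoding via struct and the open-port list parsed from netstat text.
# All addresses, the netstat sample and the frames are constructed here.
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Constructed sample of `netstat -lun` output (not real output from any host)
NETSTAT_SAMPLE = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp6       0      0 :::123                  :::*
"""


def parse_listening_udp_ports(netstat_output):
    """Return the set of local UDP ports from netstat -un / -lun style output.

    Same idea as the awk in getports.sh: skip the two header lines, take the
    Local Address column and keep what follows the last ':' so that both the
    IPv4 form ('0.0.0.0:68') and the IPv6 form (':::123') yield the port.
    """
    ports = set()
    for line in netstat_output.splitlines()[2:]:
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def decode_frame(frame):
    """Decode an Ethernet II / IPv4 / UDP frame.

    Returns (src_ip, dst_ip, dst_port), or None when the frame is not
    IPv4-over-Ethernet carrying UDP (ARP, IPv6, TCP, truncated data, ...).
    """
    if len(frame) < 14 + 20:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl + 8:
        return None
    if ip[9] != IPPROTO_UDP:
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    _sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src_ip, dst_ip, dport


def is_unsolicited_udp(frame, my_ip, open_ports):
    """The sniffer's criterion: UDP, to this host, not from this host, and
    aimed at a port with no listening UDP socket."""
    decoded = decode_frame(frame)
    if decoded is None:
        return False
    src_ip, dst_ip, dport = decoded
    return dst_ip == my_ip and src_ip != my_ip and dport not in open_ports


def build_udp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/UDP frame for testing (checksums zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp


def scan_frames(frames, my_ip, netstat_output):
    """Run the check over a batch of frames; return [(src_ip, dport), ...]
    for the ones the sniffer would have written to its pcap."""
    open_ports = parse_listening_udp_ports(netstat_output)
    hits = []
    for frame in frames:
        if is_unsolicited_udp(frame, my_ip, open_ports):
            src_ip, _dst_ip, dport = decode_frame(frame)
            hits.append((src_ip, dport))
    return hits


MY_IP = "10.0.0.2"  # assumed address of the monitoring host
SAMPLE_FRAMES = [  # constructed traffic
    build_udp_frame("10.0.0.5", MY_IP, 40000, 53),       # DNS, port open: ignore
    build_udp_frame("10.0.0.5", MY_IP, 40001, 4444),     # closed port: log it
    build_udp_frame(MY_IP, MY_IP, 40002, 9),             # from ourselves: ignore
    build_udp_frame("10.0.0.5", "10.0.0.9", 40003, 9),   # not for us: ignore
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP: ignore
]

if __name__ == "__main__":
    for src_ip, dport in scan_frames(SAMPLE_FRAMES, MY_IP, NETSTAT_SAMPLE):
        print("Incoming UDP packet from %s to closed port %d" % (src_ip, dport))
```

Pointing decode_frame at frames read from a pcap (or from an AF_PACKET socket) reproduces the sniffer's behaviour without depending on pcapy; parsing netstat once per batch instead of once per packet also avoids the per-packet shell spawn of refresh_portlist().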