[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJtJjZvXHM0jWQMm+xN-VHPE_ttr_1qMd8_zrfCHUCE6CVSnEg@mail.gmail.com>
Date: Sat, 12 Nov 2011 17:27:25 +0000
From: Darren Martyn <d.martyn.fulldisclosure@...il.com>
To: Mario Vilas <mvilas@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP
Could Allow Remote Code Execution (2588516)
Off topic (kinda) but with all this talk on SCAPY, has anyone a good
reference on using it IN a python script for crafting/reading packets? Me
and a friend wanted to write a python version of Ettercap/dsniff using the
SCAPY libraries as a challenge and as a learning experience. Even if we can
just get some reliable ARP poisoning to work with it we will be pretty
happy, and will have learned something. Any good literature?
Also, ON topic -
http://packetstormsecurity.org/files/106873/winnuke2011.sh.txt
On Sat, Nov 12, 2011 at 11:39 AM, Mario Vilas <mvilas@...il.com> wrote:
> I've used Impacket to craft raw packets of all kinds. Then again I don't
> know if that counts - used to work at Core at the time, so it was pretty
> much the only choice due to licensing issues with other libraries.
>
> I don't mean to say it's a bad tool to work with, not at all. I happen to
> prefer the newer Scapy, but it's just a matter of personal taste. :)
>
>
> On Sat, Nov 12, 2011 at 6:53 AM, Antony widmal <antony.widmal@...il.com>wrote:
>
>> Dear Dan,
>>
>> Impacket was at first a Pysmb copy/update from Core Security in order to
>> play with RPC. (look at the source)
>> They've done some work on pysmb library in order to implement DCE/RPC
>> functionality in this dinosaurus lib.
>> Saying that we should use Impacket in order to craft *raw* UDP packet
>> is definitively the dumbest thing I've heard today. Seriously. Anyone can
>> confirm that ? Mario ? Carlos ? ....
>>
>> Anyways, This guy doesn't understand shit, talks a lot about shit he
>> doesn't know about, why would you even spend time reading his shit ?
>>
>> This vulnerability is about sending a *huge fucking* stream of UDP
>> packets on a closed port in order to trigger a int overflow via a ref count.
>> Most of the people here didn't even understand what we are talking
>> about/dealing with.
>>
>> Anyways, it's probably time for you to unsubscribe since you don't follow
>> and S-K's like secn3t@...il.com are trying to act like they know.
>>
>> Yeah right, a UDP int overflow triggered via a refcount UDP overflow that
>> you can trigger with 1 single TCP (with the right ACK) packet is the way to
>> go.
>>
>> This mailing list is getting gay, seriously.
>>
>> Cheers,
>> Antony.
>>
>>
>>
>>
>>
>> On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance <tzewang.dorje@...il.com>wrote:
>>
>>> Okay, now I'm confused! From
>>> http://oss.coresecurity.com/projects/impacket.html
>>>
>>> "Impacket is a collection of Python classes focused on providing access
>>> to network packets. Impacket allows Python developers to craft and decode
>>> network packets in simple and consistent manner. It includes support for
>>> low-level protocols such as IP, UDP and TCP, as well as higher-level
>>> protocols such as NMB and SMB. Impacket is highly effective when used in
>>> conjunction with a packet capture utility or package such as Pcapy<http://oss.coresecurity.com/projects/pcapy.html>.
>>> Packets can be constructed from scratch, as well as parsed from raw data.
>>> Furthermore, the object oriented API makes it simple to work with deep
>>> protocol hierarchies."
>>>
>>> Thanks for your input Antony. Can you explain why impacket has nothing
>>> to do with crafting UDP packets?
>>>
>>> Fascinating thread this. Thanks to all!!
>>>
>>> dan :)
>>>
>>> On 11 November 2011 22:42, Antony widmal <antony.widmal@...il.com>wrote:
>>>
>>>> You are definitely a lamer secn3t.
>>>> Also for you little brain, impacket has nothing to do with crafting UDP
>>>> packets..
>>>>
>>>> Thanks for proving this again and again.
>>>>
>>>> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>>
>>>>> well look at that :P
>>>>> not same author but , nice coding predelka! good one, i will add you
>>>>> to crazycoders.com coderslist... i guess there is a few codes you have
>>>>> now done wich might be useful... cheers.
>>>>> xd
>>>>>
>>>>>
>>>>>
>>>>> On 12 November 2011 05:43, Ryan Dewhurst <ryandewhurst@...il.com>
>>>>> wrote:
>>>>> > An attempt at a possible MS11-083 DoS/PoC exploit, by
>>>>> @hackerfantastic:
>>>>> >
>>>>> > http://pastebin.com/fjZ1k0fi
>>>>> >
>>>>> > On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God)
>>>>> > <thor@...merofgod.com> wrote:
>>>>> >> Yeah, I gotta say, I’m going to use it at some point ;)
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> From: full-disclosure-bounces@...ts.grok.org.uk
>>>>> >> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
>>>>> Mario Vilas
>>>>> >> Sent: Friday, November 11, 2011 9:02 AM
>>>>> >> To: Ryan Dewhurst
>>>>> >>
>>>>> >> Cc: full-disclosure@...ts.grok.org.uk
>>>>> >> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in
>>>>> TCP/IP
>>>>> >> Could Allow Remote Code Execution (2588516)
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> I liked the "heavy breather in the perv closet" bit.
>>>>> >>
>>>>> >> On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst <
>>>>> ryandewhurst@...il.com>
>>>>> >> wrote:
>>>>> >>
>>>>> >> I think Jon just said what everyone else was thinking, he said what
>>>>> I
>>>>> >> was thinking at least.
>>>>> >>
>>>>> >> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz <jon.kertz@...il.com>
>>>>> wrote:
>>>>> >>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>>> >>>> About the PPS, i think thats a very bad summary of the exploit,
>>>>> 49days
>>>>> >>>> to send a packet, my butt.
>>>>> >>>> There is many people assuming wrong things, when it can be done
>>>>> with
>>>>> >>>> seconds, syscanner would scan a -b class in minutes, remember it
>>>>> only
>>>>> >>>> has to find the vulns, gather, then it would break scan, and
>>>>> trigger
>>>>> >>>> vuln... so in real world botnet, yes then, with tcpip patchers,
>>>>> like
>>>>> >>>> somany ppl i know myself, even use (tcpipz)patcher ) , wich
>>>>> rocks...
>>>>> >>>> and it is ONLY one wich actually works, when you maybe modify the
>>>>> src
>>>>> >>>> so the sys file, is dropped from within a .cpp file, well thats
>>>>> up to
>>>>> >>>> you but thats better way to make it work, this will open
>>>>> >>>> sockets/threads, as i could, easily proove with one exe, but, the
>>>>> goal
>>>>> >>>> is, to trigger the vuln then exploit it, less than 49days :P , so
>>>>> ,
>>>>> >>>> iguess if this exploit, in real form, gathered 2 million hosts
>>>>> over 3
>>>>> >>>> nights.. i guessing that the exploit, could possibly be triggered
>>>>> with
>>>>> >>>> ONE properly setup packet.. people forget that, a packet is one
>>>>> thing,
>>>>> >>>> and a crafted UDP packet, is quite another..
>>>>> >>>
>>>>> >>> I'd really like to see you actually explain this bug with code.
>>>>> Either
>>>>> >>> with a poc or with the disassembly. You seem to act like you know
>>>>> >>> what's going on, but so far your description has been off base
>>>>> (from
>>>>> >>> what I can make of your writing).
>>>>> >>>
>>>>> >>> No one cares about paragraphs of speculation and bragging, code or
>>>>> you
>>>>> >>> are just another heavy breather in the perv closet of FD.
>>>>> >>>
>>>>> >>> _______________________________________________
>>>>> >>> Full-Disclosure - We believe in it.
>>>>> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> >>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>> >>>
>>>>> >>
>>>>> >> _______________________________________________
>>>>> >> Full-Disclosure - We believe in it.
>>>>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> --
>>>>> >> “There's a reason we separate military and the police: one fights
>>>>> the enemy
>>>>> >> of the state, the other serves and protects the people. When
>>>>> the military
>>>>> >> becomes both, then the enemies of the state tend to become the
>>>>> people.”
>>>>> >
>>>>> > _______________________________________________
>>>>> > Full-Disclosure - We believe in it.
>>>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>>> >
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> “There's a reason we separate military and the police: one fights
> the enemy of the state, the other serves and protects the people. When
> the military becomes both, then the enemies of the state tend to become the
> people.”
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
My Homepage :D <http://compsoc.nuigalway.ie/%7Einfodox>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists