Open Source and information security mailing list archives
Message-ID: <CAKKbY4mpt=g8w4x0Sqd8aRCnax2CXWzz6d5pCjE0ZBxN0h5z_Q@mail.gmail.com>
Date: Sat, 12 Nov 2011 20:30:00 -0500
From: Dan Tulovsky <dant@...snow.com>
To: Darren Martyn <d.martyn.fulldisclosure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

http://www.secdev.org/projects/scapy/build_your_own_tools.html

Seems to be what you want.

On Sat, Nov 12, 2011 at 12:27 PM, Darren Martyn <d.martyn.fulldisclosure@...il.com> wrote:
> Off topic (kinda) but with all this talk on SCAPY, has anyone a good
> reference on using it IN a python script for crafting/reading packets? Me
> and a friend wanted to write a python version of Ettercap/dsniff using the
> SCAPY libraries as a challenge and as a learning experience. Even if we can
> just get some reliable ARP poisoning to work with it we will be pretty
> happy, and will have learned something. Any good literature?
>
> Also, ON topic -
> http://packetstormsecurity.org/files/106873/winnuke2011.sh.txt
>
> On Sat, Nov 12, 2011 at 11:39 AM, Mario Vilas <mvilas@...il.com> wrote:
>>
>> I've used Impacket to craft raw packets of all kinds. Then again I don't
>> know if that counts - used to work at Core at the time, so it was pretty
>> much the only choice due to licensing issues with other libraries.
>> I don't mean to say it's a bad tool to work with, not at all. I happen to
>> prefer the newer Scapy, but it's just a matter of personal taste. :)
>>
>> On Sat, Nov 12, 2011 at 6:53 AM, Antony widmal <antony.widmal@...il.com>
>> wrote:
>>>
>>> Dear Dan,
>>> Impacket was at first a Pysmb copy/update from Core Security in order to
>>> play with RPC. (look at the source)
>>> They've done some work on the pysmb library in order to implement DCE/RPC
>>> functionality in this dinosaur lib.
>>> Saying that we should use Impacket in order to craft *raw* UDP packets
>>> is definitely the dumbest thing I've heard today. Seriously. Anyone can
>>> confirm that? Mario? Carlos? ....
>>> Anyways, this guy doesn't understand shit, talks a lot about shit he
>>> doesn't know about, why would you even spend time reading his shit?
>>> This vulnerability is about sending a *huge fucking* stream of UDP
>>> packets on a closed port in order to trigger an int overflow via a ref count.
>>> Most of the people here didn't even understand what we are talking
>>> about/dealing with.
>>> Anyways, it's probably time for you to unsubscribe since you don't follow
>>> and S-K's like secn3t@...il.com are trying to act like they know.
>>> Yeah right, a UDP int overflow triggered via a refcount UDP overflow that
>>> you can trigger with 1 single TCP (with the right ACK) packet is the way to
>>> go.
>>> This mailing list is getting gay, seriously.
>>> Cheers,
>>> Antony.
>>>
>>> On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance <tzewang.dorje@...il.com>
>>> wrote:
>>>>
>>>> Okay, now I'm confused!
>>>> From http://oss.coresecurity.com/projects/impacket.html
>>>> "Impacket is a collection of Python classes focused on providing access
>>>> to network packets. Impacket allows Python developers to craft and decode
>>>> network packets in simple and consistent manner. It includes support for
>>>> low-level protocols such as IP, UDP and TCP, as well as higher-level
>>>> protocols such as NMB and SMB. Impacket is highly effective when used in
>>>> conjunction with a packet capture utility or package such as Pcapy. Packets
>>>> can be constructed from scratch, as well as parsed from raw data.
>>>> Furthermore, the object oriented API makes it simple to work with deep
>>>> protocol hierarchies."
>>>> Thanks for your input Antony. Can you explain why impacket has nothing
>>>> to do with crafting UDP packets?
>>>>
>>>> Fascinating thread this. Thanks to all!!
>>>>
>>>> dan :)
>>>>
>>>> On 11 November 2011 22:42, Antony widmal <antony.widmal@...il.com>
>>>> wrote:
>>>>>
>>>>> You are definitely a lamer secn3t.
>>>>> Also for your little brain, impacket has nothing to do with crafting UDP
>>>>> packets..
>>>>> Thanks for proving this again and again.
>>>>>
>>>>> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>>>>
>>>>>> well look at that :P
>>>>>> not same author but, nice coding predelka! good one, i will add you
>>>>>> to crazycoders.com coderslist... i guess there is a few codes you have
>>>>>> now done which might be useful... cheers.
>>>>>> xd
>>>>>>
>>>>>> On 12 November 2011 05:43, Ryan Dewhurst <ryandewhurst@...il.com>
>>>>>> wrote:
>>>>>> > An attempt at a possible MS11-083 DoS/PoC exploit, by
>>>>>> > @hackerfantastic:
>>>>>> >
>>>>>> > http://pastebin.com/fjZ1k0fi
>>>>>> >
>>>>>> > On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God)
>>>>>> > <thor@...merofgod.com> wrote:
>>>>>> >> Yeah, I gotta say, I'm going to use it at some point ;)
>>>>>> >>
>>>>>> >> From: full-disclosure-bounces@...ts.grok.org.uk
>>>>>> >> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
>>>>>> >> Mario Vilas
>>>>>> >> Sent: Friday, November 11, 2011 9:02 AM
>>>>>> >> To: Ryan Dewhurst
>>>>>> >> Cc: full-disclosure@...ts.grok.org.uk
>>>>>> >> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in
>>>>>> >> TCP/IP Could Allow Remote Code Execution (2588516)
>>>>>> >>
>>>>>> >> I liked the "heavy breather in the perv closet" bit.
>>>>>> >>
>>>>>> >> On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst
>>>>>> >> <ryandewhurst@...il.com> wrote:
>>>>>> >>
>>>>>> >> I think Jon just said what everyone else was thinking, he said what
>>>>>> >> I was thinking at least.
>>>>>> >>
>>>>>> >> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz <jon.kertz@...il.com>
>>>>>> >> wrote:
>>>>>> >>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>>>> >>>> About the PPS, i think that's a very bad summary of the exploit,
>>>>>> >>>> 49 days to send a packet, my butt.
>>>>>> >>>> There is many people assuming wrong things, when it can be done
>>>>>> >>>> with seconds, syscanner would scan a -b class in minutes, remember it
>>>>>> >>>> only has to find the vulns, gather, then it would break scan, and
>>>>>> >>>> trigger vuln... so in real world botnet, yes then, with tcpip patchers,
>>>>>> >>>> like so many ppl i know myself, even use (tcpipz)patcher ), which
>>>>>> >>>> rocks... and it is ONLY one which actually works, when you maybe modify the
>>>>>> >>>> src so the sys file, is dropped from within a .cpp file, well that's
>>>>>> >>>> up to you but that's a better way to make it work, this will open
>>>>>> >>>> sockets/threads, as i could, easily prove with one exe, but, the
>>>>>> >>>> goal is, to trigger the vuln then exploit it, less than 49 days :P, so,
>>>>>> >>>> i guess if this exploit, in real form, gathered 2 million hosts
>>>>>> >>>> over 3 nights.. i guessing that the exploit, could possibly be triggered
>>>>>> >>>> with ONE properly setup packet.. people forget that, a packet is one
>>>>>> >>>> thing, and a crafted UDP packet, is quite another..
>>>>>> >>>
>>>>>> >>> I'd really like to see you actually explain this bug with code.
>>>>>> >>> Either with a poc or with the disassembly. You seem to act like you know
>>>>>> >>> what's going on, but so far your description has been off base
>>>>>> >>> (from what I can make of your writing).
>>>>>> >>>
>>>>>> >>> No one cares about paragraphs of speculation and bragging, code or
>>>>>> >>> you are just another heavy breather in the perv closet of FD.
>>>>>> >>
>>>>>> >> --
>>>>>> >> “There's a reason we separate military and the police: one fights
>>>>>> >> the enemy of the state, the other serves and protects the people. When
>>>>>> >> the military becomes both, then the enemies of the state tend to become the
>>>>>> >> people.”
>>
>> --
>> “There's a reason we separate military and the police: one fights
>> the enemy of the state, the other serves and protects the people. When
>> the military becomes both, then the enemies of the state tend to become the
>> people.”
>
> --
> My Homepage :D

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
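Darren's question above is about crafting and reading packets from a Python script, and the rest of the thread argues over what it takes to build a raw UDP datagram to a closed port. The following is an added example, not code from the thread, from Scapy or from Impacket: it hand-rolls an IPv4/UDP packet with the standard library only (the work Scapy's IP()/UDP() layers normally hide), then parses it back and verifies both checksums, so it runs anywhere without extra packages or privileges. The addresses, ports and payload are constructed for illustration; the raw-socket send is shown only as a comment because it needs root and a real interface.

```python
# Added example: hand-rolled IPv4/UDP crafting and parsing with only the
# Python standard library. Not from the thread, Scapy or Impacket.
# Addresses, ports and payload below are constructed for illustration.
import socket
import struct

IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words with
    the end-around carry folded back in, then complemented. Odd length is
    zero-padded. Summing data that already contains its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                     payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Return a complete IPv4+UDP packet with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # UDP header: sport, dport, length, checksum (0 while computing)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    # The UDP checksum also covers a pseudo-header (RFC 768):
    # src, dst, zero byte, protocol, UDP length
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    csum = inet_checksum(pseudo + udp) or 0xFFFF  # a computed 0 is sent as all-ones
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    # IPv4 header: ver/IHL, TOS, total length, ID, flags/frag (DF set),
    # TTL, protocol, header checksum (0 while computing), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0x4000,
                     ttl, IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp


def parse_udp_packet(packet: bytes) -> dict:
    """Decode an IPv4+UDP packet and verify both checksums.
    Raises ValueError on structurally bad input instead of guessing."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _flags, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("not a well-formed IPv4 packet")
    ip_ok = inet_checksum(packet[:ihl]) == 0   # header + its checksum sums to 0
    if proto != IPPROTO_UDP:
        raise ValueError("protocol %d is not UDP" % proto)
    udp = packet[ihl:total_len]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    if udp_len != len(udp):
        raise ValueError("UDP length %d disagrees with IP payload %d" % (udp_len, len(udp)))
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    # A zero UDP checksum means the sender omitted it (permitted over IPv4)
    udp_ok = udp_csum == 0 or inet_checksum(pseudo + udp) == 0
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "id": ident, "sport": sport, "dport": dport,
        "payload": udp[8:], "ip_checksum_ok": ip_ok, "udp_checksum_ok": udp_ok,
    }


def demo() -> dict:
    """Craft a datagram to a constructed 'closed' port, parse it, and show that
    flipping one payload byte breaks the UDP checksum but leaves the IP one intact."""
    pkt = build_udp_packet("192.0.2.10", "192.0.2.20", 40000, 31337, b"\x00" * 32)
    good = parse_udp_packet(pkt)
    tampered = parse_udp_packet(pkt[:-1] + bytes([pkt[-1] ^ 0x01]))
    # Putting it on the wire needs a raw socket and privileges; left as a comment:
    #   s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    #   s.sendto(pkt, (good["dst"], 0))
    return {"good": good, "tampered": tampered, "length": len(pkt)}


if __name__ == "__main__":
    for field, value in demo()["good"].items():
        print("%-16s %r" % (field, value))
```

Reading it back through parse_udp_packet is the part that matters when you write your own tools: a sniffer that trusts the IP total length or the UDP length field without checking it against the bytes actually captured will read past the buffer on a malformed packet, which is why both length checks raise rather than slice blindly. Scapy's rdpcap/sniff and Impacket's decoders do the equivalent bookkeeping for you.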