Full Disclosure mailing list archives
Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
From: xD 0x41 <secn3t () gmail com>
Date: Fri, 11 Nov 2011 07:03:51 +1100
thx to: http://www.securityaegis.com/ ms11-083_sniffer.py """ Simple packet sniffer that writes a pcap file for any UDP traffic heading for closed ports. Written in an attempt to capture data from a MS11-083 exploit in the wild. Author: Samuel Hunter If you have any suggestions or comments find me on twitter or send me some mail. Dont tell me about my dirty code, I'm aware of that. This was written quickly with no concern of standards. twitter: @Trowalts email: trowalts () gmail com """ from pcapy import * from impacket import ImpactDecoder, ImpactPacket from socket import * import fcntl import struct import os import time class Sniffer: def __init__(self): self.promiscuous = True self.called = 0 #silly habits self.interface = 'eth0' self.max_bytes = 65535 # Theoretical max size for a UDP packet self.read_timeout = 100 self.ip = self.get_ip_address(self.interface) self.bpf = 'ip dst host %s and not src net 192.168.1.0/30'%self.ip print "\n---------------------------------------------------" print "Sniffing for unsolicited UDP packets to closed ports." print " \"Open ports are for losers\" - MS11-083" print "Pcap log started, listening from %s"%time.strftime("%d:%m:%Y %H:%M:%S", time.localtime()) print "---------------------------------------------------" def get_ip_address(self, ifname): s = socket(AF_INET, SOCK_STREAM) return inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', ifname[:15]))[20:24]) def start(self): self.reader = open_live(self.interface, self.max_bytes, self.promiscuous, self.read_timeout) # Pcapy uses BPF to filter packets, not src net 192.168.1.0/30 # should be changed, it just filters out 1.0, 1.1, 1.2 and 1.3 # which I use for diffrent gateways and dont want traffic # from the router hitting the logs. self.reader.setfilter(self.bpf) # Run the packet capture loop self.reader.loop(0, self.callback) def callonce(self): self.dumper = self.reader.dump_open(time.strftime("%d-%m-%Y_%H-%M-%S.pcap", time.localtime())) self.called = 1 def callback(self, hdr, data): # Parse the Ethernet packet decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(data) # Parse the IP packet inside the Ethernet packet, typep iphdr = ether.child() udphdr = iphdr.child() # First check that the packets are not comming from the local host # Then check that it is a UDP packet (incase you changed the BPF) also # Check that the destination port for the packet is a closed port on the host if (iphdr.get_ip_src() != self.ip): self.refresh_portlist() if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and udphdr.get_uh_dport() not in self.portlist): if self.called == 0: self.callonce() print "Incoming UDP packet from %s"%iphdr.get_ip_src() self.dumper.dump(hdr, data) def refresh_portlist(self): # bash script to get all the open and listening UDP ports # used in the callback function as criteria for logging traffic output = os.popen("./getports.sh") pl = output.readlines() self.portlist = [] for p in pl: self.portlist.append(int(p)) def main(): snf = Sniffer() snf.start() if __name__ == "__main__": main() and bash script: #!/bin/bash netstat -un | awk 'NR>2{ sub(/.*:/,"",$4); uniq[$4] }END{ for(i in uniq) print i }' netstat -lun | awk 'NR>2{ sub(/.*:/,"",$4); uniq[$4] }END{ for(i in uniq) print i }' NOW you can make your own :D http://www.securityaegis.com/wp-content/uploads/2011/11/honey_in_jar_black_background.jpg cheers! xd-- On 11 November 2011 06:49, Sergito <sergito.lista () gmail com> wrote:
PoC ? http://www.youtube.com/watch?v=4aBE6o0oDlo []'s Sergito 2011/11/10 Thor (Hammer of God) <thor () hammerofgod com>So, I've looked about on the web to see what software of any consequence you have written, but I can't find any. Can you point me to anything that illustrates that you know how to develop wide scale software applications and execute an SDL plan, or do you just like to sit back and bitch about everyone else without actually doing anything? I'm serious - I'd really like to know. Over all these years, all I've ever seen from you is talk about how stupid everyone else is, but I've never once actually seen you do anything constructive. t -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Georgi Guninski Sent: Thursday, November 10, 2011 8:48 AM To: xD 0x41 Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:You could just google for IRC packs of win2k src ;) I know i have a copy of it somewhere... acvtually tho, would not be helpful tho, as it does not affect win2k.. so i guess there would be some code there but not the code you want. @george and, ideally if 'years' ago existed for this exploit but, it does only affect v6 and up , this is tested.... so xp/2k/2k3 not affected... still, i know people are using other ways anyhow , and thats just how botting is... one way dies, one takes its place :s i guess we wait for the rls of this.. maybe!as in real life, real bugs die (the imaginary case is not clear to me). i suppose "trustworthy computing" doesn't mean "not many bugs still alive". -- j _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516), (continued)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Valdis . Kletnieks (Nov 13)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Jon Kertz (Nov 13)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Jon Kertz (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Valdis . Kletnieks (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 10)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Tillmann Werner (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 11)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Thor (Hammer of God) (Nov 10)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Georgi Guninski (Nov 13)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Thor (Hammer of God) (Nov 14)