Full Disclosure mailing list archives
Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
From: xD 0x41 <secn3t () gmail com>
Date: Wed, 9 Nov 2011 22:42:49 +1100
Is awesome exploit yes! I have looked at this and, you don't need to be UDP... only... it is TCP/IP. ... which, I was luckily given a copy earlier than the release date, so have had time,... this whole thing reopens the old idle scan and, simply one TCP scanner, even a UDP one; all you have to do is send a req, receive known SQN and ACK, that's a pretty basic packet :s , and then it will open, amongst other things, UDP closed, although please note, the author of this and even TechNet clearly state that it can use the TCP/IP stack and use IP and TCP ports/packets to scan, so the scanning just got 10x easier to make, no SMB neg, just a simple NetBIOS, maybe a peek down a pipe and, hopefully, I get this thing to go :P , I really want to see what this baby can show me that I don't already know.. but I know one thing, this is nothing, this wormhole, is by far the biggest I have seen since DCOM.. and remote code means remote worm... so, yes, expect a lot of newer boxes infected, and yes even fully patched rc2 and Datacenter copies are affected.. and, if anyone has seen the paper, well, it clearly states the packet needs to only contain 2 things, and probably have some nice little spoofing even possible, since the nature allows it to scan by UDP, can then spoof all scanning to on Windows; this is only possible on UDP and some TCP SYN DoS.. anyhow, yes, this could become easily the next Blaster, maybe, because it does by nature bypass DEP and ASLR, and basically reopens an old attack vector, so many bot farmers would probably be seeking to port this already from PoC infos, and it would not be hard; I will attempt it in private, and I can already foresee this will *not* be a hard one... when the official papers are through and done, I guess there will be more about the TCP/IP, but seriously just think of the name of it, lol.. it is TCP/IP stack overflow right... TCP/IP :P anyhow.. yea..

It is going to see whether the scanner can work fast, i.e. a fingerprinter made so it can see if it is a type of box, and that's VERY simple thanks to porting of Metasploit's dcerpc/smb scanner, which attaches and makes an SMB session to get workgroup and other things... depending on port chosen, personally me, to speed it up, would opt for a UDP scanner (I have a skeleton for an MSSQL scanner in C++ I have still got which works, drops to shell etc.)... then I guess, making the packet, and that would need a couple of headers in the code, woopee, and some simple fail-to-respond to XP, must be v6; if v6 then can continue on with fingerprinting, etc.. so, to find a box can be very fast, so, using SMB on port 138/UDP, if possible to, or simply connect to 139/SMB-NT authority, and I'd simply use if/else, so UDP or TCP gets triggered.. very easy to write this for those who have read the PoC and know Windows C++, it only will take the packet SQN number, that's it.. the rest is bacon.. it is a very nice exploit for this late in the lives of these OS.. a pity really.. only good thing is, it does not affect my family's PCs, which are nice and old now, so I don't have more maintenance headaches :D

cheers, have a happy Patch Tuesday!

xd -- was h3re (cool spraypainting here .. )

On 9 November 2011 22:25, Darren Martyn <d.martyn.fulldisclosure () gmail com> wrote:
Balls, I forgot to add this to the last message, but has anyone examined the patch yet? I can only imagine it would be VERY interesting to look at... <sarcasm> Or that it opens all UDP ports so that there are no closed ones to exploit </sarcasm>

On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn <d.martyn.fulldisclosure () gmail com> wrote:

So... Another Conficker type worm possible from this bug if everyone cocks up and fails to patch?

On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia <nahuel.grisolia () gmail com> wrote:

Kingcope, where's the exploit? :P

On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:

http://technet.microsoft.com/en-us/security/bulletin/ms11-083

"The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system."

Microsoft did it once again.

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- My Homepage :D
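The one concrete fact in this thread is the bulletin wording Henri quoted: the trigger is a continuous flow of UDP packets to a closed port. What follows is an added example, not code from anyone on the list or from Microsoft, of how a sensor could flag that precondition from traffic records: a port counts as closed when the target itself answers with ICMP port-unreachable, and a sender is flagged when it keeps hammering that port at a rate no legitimate client would. The record layout, hosts, ports, thresholds and the traffic are all constructed for the example.

```python
"""Flag a sustained UDP stream aimed at a port the target has reported closed.

Added example, not from the thread. Records are constructed; the record
layout, hosts, ports and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rec:
    """One packet as a sensor might summarise it (constructed format)."""
    ts_ms: int                           # capture time in milliseconds
    src: str
    dst: str
    proto: str                           # "udp" or "icmp"
    dport: Optional[int] = None          # UDP destination port
    unreach_port: Optional[int] = None   # ICMP type 3/code 3: port taken from the quoted original header


StreamKey = Tuple[str, str, int]         # (sender, target, port)


def closed_ports(records: Iterable[Rec]) -> set:
    """(target, sender, port) triples the target itself declared closed via port-unreachable."""
    return {
        (r.src, r.dst, r.unreach_port)
        for r in records
        if r.proto == "icmp" and r.unreach_port is not None
    }


def peak_rate(times_ms: List[int], window_ms: int) -> int:
    """Largest number of packets seen in any sliding window of window_ms."""
    times = sorted(times_ms)
    lo, peak = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_ms:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def udp_closed_port_floods(records: Iterable[Rec], window_ms: int = 1000,
                           threshold: int = 50) -> Dict[StreamKey, int]:
    """Return {(sender, target, port): peak packets per window} for closed-port UDP streams at or over threshold."""
    records = list(records)
    closed = closed_ports(records)
    streams: Dict[StreamKey, List[int]] = defaultdict(list)
    for r in records:
        # Only packets to a port the target answered "unreachable" for are candidates;
        # ordinary service traffic (DNS and the like) never reaches this point.
        if r.proto == "udp" and r.dport is not None and (r.dst, r.src, r.dport) in closed:
            streams[(r.src, r.dst, r.dport)].append(r.ts_ms)
    hits: Dict[StreamKey, int] = {}
    for key, times in streams.items():
        peak = peak_rate(times, window_ms)
        if peak >= threshold:
            hits[key] = peak
    return hits


def sample_records() -> List[Rec]:
    """Constructed traffic: benign DNS, one slow probe, and one closed-port flood."""
    recs: List[Rec] = []
    # 20 DNS queries to an open resolver port: no ICMP comes back, so never a candidate.
    for i in range(20):
        recs.append(Rec(i * 300, "10.0.0.5", "10.0.0.53", "udp", dport=53))
    # Three packets a second apart to closed port 40000: answered, but far below any flood rate.
    for i in range(3):
        recs.append(Rec(5000 + i * 1000, "10.0.0.7", "10.0.0.10", "udp", dport=40000))
        recs.append(Rec(5001 + i * 1000, "10.0.0.10", "10.0.0.7", "icmp", unreach_port=40000))
    # 200 packets in 2 s to closed port 31337. Stacks rate-limit ICMP errors, so only two
    # unreachables come back; the detector keys on the target admitting the port is closed,
    # not on how many ICMP replies it sent.
    for i in range(200):
        recs.append(Rec(10000 + i * 10, "203.0.113.9", "10.0.0.10", "udp", dport=31337))
    for i in range(2):
        recs.append(Rec(10002 + i * 1000, "10.0.0.10", "203.0.113.9", "icmp", unreach_port=31337))
    return recs


if __name__ == "__main__":
    for (sender, target, port), peak in udp_closed_port_floods(sample_records()).items():
        print(f"{sender} -> {target}:{port}/udp  closed port, peak {peak} pkts per window")
```

On the sample, only the 203.0.113.9 stream trips the default threshold (101 packets inside one second); the slow probe to port 40000 is a candidate but peaks at two packets per second, and the DNS traffic is never examined because the resolver never answers with an unreachable. In practice the threshold should be tuned against a baseline of the site's own unreachable noise, since misconfigured clients also generate a trickle of these.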
Current thread:
- Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Henri Salo (Nov 08)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Dan Dart (Nov 08)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Nahuel Grisolia (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Darren Martyn (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Darren Martyn (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Darren Martyn (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) xD 0x41 (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Robert Kim App and Facebook Marketing (Nov 13)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Darren Martyn (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Dan Rosenberg (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Dave (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) GomoR (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Dan Dart (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Henri Salo (Nov 09)
- Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) Darren Martyn (Nov 09)