Metasploit mailing list archives
MS03-051
From: hdm at metasploit.com (H D Moore)
Date: Wed, 6 Sep 2006 13:57:28 -0500
On Wednesday 06 September 2006 13:33, Greg Linares wrote:
> On a side note/request, is there any news of developing MS06-035 and MS06-036 modules?
A PoC for MS06-035 has been included in version 3.0 of the Framework (under auxiliary/dos/smb). The kernel pool corruption is tricky to reproduce and seems nearly impossible to control the bytes that perform the actual overwrite (it's always "\xff\xff" on my test systems). Unless someone finds a way to make this useful beyond a BSOD, it will stay in the 'dos' module directory. I have no plans to port this to 2.6, since it doesn't actually execute a payload.

Code for MS06-036 is public, but we have two problems with it:

1) The framework would need to run as root (or have BIND_SERVICE and CAP_NET_RAW capabilities under Linux) in order to trigger the bug.

2) The current public exploit adds a user account. This is because at the time of exploitation, the target system doesn't have an IP address. This makes the use of a standard win* payload challenging. The public code adds a user and you have to wait for the box to reboot to do anything with it.

The correct way to do this involves tracking the MAC addresses of which clients have been exploited, using a payload that stages over a raw socket on Windows (we have to write one), and then having that payload exit the main thread, then restart the DHCP client service. The short answer is unless someone volunteers to do all of these things, it probably won't happen.
> I've noticed that many computers are still vulnerable to the MS06-035 exploit, particularly ones that have patched against MS06-040 (which seemed to have gotten all the buzz). Maybe the MS06-035 method doesn't offer as much of a vector/payload room or has severe byte restrictions. I haven't looked into it in that much detail.
It's not much fun in practice :-(

-HD
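Two of the bookkeeping pieces HD lists for a rogue-DHCP-server style module, checking whether the process actually holds the Linux capabilities needed for raw sockets and port 67, and tracking client MAC addresses so each client is answered only once, are shown below as an added example. This is not code from the thread or from the Metasploit Framework, and it does not implement the MS06-036 bug itself; it parses the fixed BOOTP/DHCP header and option TLVs as laid out in RFC 2131, decodes the `CapEff` bitmask from `/proc/<pid>/status` (capability bit numbers from `linux/capability.h`), and uses a DISCOVER packet constructed inline as sample input. The function and class names are my own.

```python
"""Added example: DHCP client-request parsing, per-MAC tracking, and a Linux
capability check. Not part of the original message or the Framework."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie after the 236-byte header
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}

# Capability bit numbers from linux/capability.h.
CAP_NET_BIND_SERVICE = 10   # bind UDP port 67 (< 1024)
CAP_NET_RAW = 13            # open AF_PACKET / SOCK_RAW sockets


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed header and option TLVs of a DHCP/BOOTP UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("bad hardware address length")
    chaddr = payload[28:28 + hlen]          # chaddr field starts at offset 28
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad
            i += 1
            continue
        if code == 255:                     # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    mtype = opts[53][0] if 53 in opts and opts[53] else 0
    return {
        "op": op, "htype": htype, "xid": xid, "flags": flags,
        "mac": chaddr.hex(":"),
        "type": MSG_TYPE.get(mtype, mtype),
        "options": opts,
    }


class ClientTracker:
    """Remember which client MACs have already been answered (the tracking
    HD describes), so a responder fires once per client rather than on every
    retransmitted DISCOVER."""

    def __init__(self):
        self.answered = set()

    def should_answer(self, pkt: dict) -> bool:
        if pkt["op"] != 1 or pkt["type"] != "DISCOVER":
            return False
        if pkt["mac"] in self.answered:
            return False
        self.answered.add(pkt["mac"])
        return True


def effective_caps(status_text: str) -> dict:
    """Decode the CapEff line of /proc/<pid>/status and report the two
    capabilities a DHCP responder needs when not running as root."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            eff = int(line.split()[1], 16)
            break
    else:
        raise ValueError("no CapEff line")
    return {
        "net_raw": bool((eff >> CAP_NET_RAW) & 1),
        "net_bind_service": bool((eff >> CAP_NET_BIND_SERVICE) & 1),
    }


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed sample input: a minimal DHCPDISCOVER with the broadcast flag set."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16                     # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\x00" * (16 - len(mac))  # chaddr, padded to 16 bytes
    hdr += b"\x00" * 192                    # sname (64) + file (128)
    opts = b"\x35\x01\x01" + b"\x3d\x07\x01" + mac + b"\xff"  # type=DISCOVER, client-id, end
    return hdr + DHCP_MAGIC + opts


if __name__ == "__main__":
    with open("/proc/self/status") as fh:    # Linux only; shows what this process may do
        print(effective_caps(fh.read()))
    tracker = ClientTracker()
    pkt = parse_dhcp(build_discover(bytes.fromhex("001122334455"), 0x1234))
    print(pkt["mac"], pkt["type"], tracker.should_answer(pkt), tracker.should_answer(pkt))
```

A real listener would receive these payloads from a raw or UDP socket bound to port 67, which is exactly where the root/CAP_NET_RAW/CAP_NET_BIND_SERVICE requirement from the message comes from; the parser above is deliberately kept to the wire format so it runs offline on the constructed packet.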
Current thread:
- MS03-051 jack ciabatta (Sep 06)