Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
> You mad bro?

If by mad you mean crazy, well, you're not the only one asking that question these days :)

If by mad you mean angry, then I'd have to say yes. Well, angry is too strong a term - I would say frustrated. Information Security is supposed to be about just that - but we've stopped talking about that. We talk about information *insecurity*. What frustrates me is that everyone thinks there is some value to pointing out how bad everyone else's mistakes are, yet it doesn't seem like anyone is actually suggesting ways of fixing things.

I could go on, but I think I said it best here: http://syngress.com/phishwrap/july-2011-phishwrap/security-theater/

t

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
WOW! HA! Did you type all this from your cell phone?!?!?! It's like you're talking for hours without breathing in!!! =p

On Wed, Nov 9, 2011 at 8:42 PM, xD 0x41 sec...@gmail.com wrote:
> Is awesome exploit yes! I have looked at this and, you don't need to be udp... only... it is TCP-IP. ... which, i was luckily given a copy earlier than release date so have had time,... this whole thing reopens the old idlescan and, simply one tcp scanner, even a udp one, all you have to do is send a req, receive known SQN and ACK , that's pretty basic packet :s , and then it will open, amongst other things, UDP closed, although please note, the author of this and even technet clearly states, that it can

--
Robert Q Kim
Plastic Surgery Client Advisor
http://sparkah.com/2011/11/12/top-plastic-surgeons-in-sf-san-francisco-to-see-in-2012/
2611 S Coast Highway
San Diego, CA 92007
310 598 1606
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On 13 November 2011 04:27, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
> Off topic (kinda) but with all this talk on SCAPY, has anyone a good reference on using it IN a python script for crafting/reading packets? Me and a friend wanted to write a python version of Ettercap/dsniff using the SCAPY libraries as a challenge and as a learning experience. Even if we can just get some reliable ARP poisoning to work with it we will be pretty happy, and will have learned something. Any good literature?

A challenge you say?

    Help on function arpcachepoison in module scapy.layers.l2:

    arpcachepoison(target, victim, interval=60)
        Poison target's cache with (your MAC,victim's IP) couple
        arpcachepoison(target, victim, [interval=60]) -> None

The official Scapy site has good documentation[0]

[0] http://www.secdev.org/projects/scapy/doc/
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Thu, Nov 10, 2011 at 05:47:07PM +, Thor (Hammer of God) wrote:
> So, I've looked about on the web to see what software of any consequence you have written, but I can't find any. Can you point me to anything that illustrates that you know how to develop wide scale software applications and execute an SDL plan, or do you just like to sit back and bitch about everyone else without actually doing anything? I'm serious - I'd really like to know. Over all these years, all I've ever seen from you is talk about how stupid everyone else is, but I've never once actually seen you do anything constructive.
>
> t
>
> -----Original Message-----
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski
> Sent: Thursday, November 10, 2011 8:48 AM
> To: xD 0x41
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
>
>> On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:
>>> You could just google for IRC packs of win2k src ;) I know i have a copy of it somewhere... actually tho, would not be helpful tho, as it does not affect win2k.. so i guess there would be some code there but not the code you want. @george and, ideally if 'years' ago existed for this exploit but, it does only affect v6 and up , this is tested so xp/2k/2k3 not affected... still, i know people are using other ways anyhow , and that's just how botting is... one way dies, one takes its place :s i guess we wait for the rls of this.. maybe!
>>
>> as in real life, real bugs die (the imaginary case is not clear to me).
>>
>> i suppose trustworthy computing doesn't mean not many bugs still alive.
>>
>> --
>> j
>
> You mad bro?

http://www.theregister.co.uk/2011/11/09/nov_patch_tuesday/
Patch Tuesday leaves Duqu 0-day for another day

Trustworthy computing is questionably alive and Duqu (including future mutations) is completely alive.

On which one a sane better would bet?

--
j
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Wow, good eye. I can't remember UDP having an ACK packet type, being a stateless protocol and all, either.

I actually looked back through this thread of emails and it is actually mentioned many times, the idea of the exploit involving certain SQN or ACK packets, although only by xD 0x41 as far as I can see. I'm not sure about anyone else, but I at least, take xD 0x41's posts with a spoonful of salt since there is no corroborating information and the descriptions are vague, contradictory, incomprehensible or some combination thereof. Anyway, I'm not an expert, that is just my personal observation.

I'm just a comp sci student that joined this list a couple months ago to try to learn some more about real world computer security. (As opposed to just lab-environment, controlled, with expected results, computer security.) I'm interested in this alleged bug, and if there are any other descriptions of it that are more *clear* about the actual effect or impact, I'd appreciate a link. While I'm at it, since I've mentioned I'm a student and learning, any other helpful links to learn from are also appreciated. :)

On Fri, Nov 11, 2011 at 3:31 PM, Ian Hayes cthulhucall...@gmail.com wrote:
> On Fri, Nov 11, 2011 at 3:13 PM, xD 0x41 sec...@gmail.com wrote:
>> anyhow... it doesn't take, 49days, at all.. and, yes, indeed, will be one good packet, if the packet , has the right SQN + Ack number. ^^
>
> We are discussing UDP, as per the MS advisory, yes?
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Judging by your posts I would go out on the edge and say that you have about as much chance of having 0-day (yes, that is including xxs) as your mommy. face it lol

Now please, stfu son, you're sounding like a total tardlump; otherwise we will have to unleash the dragons and let you see what a 10k botnet feels like.

On 11/11/2011 23:26, xD 0x41 wrote:
> Indeed. Seeing how the wolves are, i certainly would not release it. i am only saying, I am using cpp, and windows, and, the exploit bypasses all protections, but, since you guys don't have the actual real poc for it, i guess, i would not be saying anything more, and, ill be leaving it, for the proper poc author, to make that choice, which, personally, i would never handout to a bunch of disrespectful people, as i see, when this is, nothing, i have held onto, at least 2 GOOD MS 0days for years, you really think, i will handout the right way to do this ? pfft.. yer right, lets go hand everyone the ms bug :PP ofc, why would i ever not want a 10 k botnet up in a day... hell yea! i would never, give more about this, on this topic, because, i have seen how people are now on this list and, saddens me that half of you do not have a brain. unfortunately..and, since i don't wish to break any deals made with ms etc, then, i cannot say anything, i don't know, why this is hard to understand..and, i will NOT handout a working scanner, regardless... and, believe it, it does NOT take 49days at all to exploit... there's a lot, you don't know..yet. don't ask me further, please. i should never have even said anything, again, i won't make that mistake again, the proof, will as always be in the pudding... later.
>
> On 12 November 2011 10:17, Michal Zalewski lcam...@coredump.cx wrote:
>>> next time, i won't say shit, and, believe it.
>>
>> Well it's just that the attack you are describing will be thwarted by setting a sticky bit on /tmp, and you have not demonstrated otherwise.
>>
>> /mz
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Fri, Nov 11, 2011 at 6:26 PM, xD 0x41 sec...@gmail.com wrote:
> i should never have even said anything, again, i won't make that mistake again, the proof, will as always be in the pudding... later.

Yes, it is. The only problem is you've failed to provide the pudding, so there is no proof.

Back to your regularly scheduled huffing, panting, and closet drooling.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Cheers Antony,

I began by asking if Scapy was a suitable tool for crafting this attack - and then asked more generally what tools/languages/frameworks do people recommend for this kind of task? Are you suggesting due to the very large numbers of packets involved that for performance reasons this needs to be written in c/c++?

On 12 November 2011 06:22, Antony widmal antony.wid...@gmail.com wrote:
> On Fri, Nov 11, 2011 at 10:08 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Sat, Nov 12, 2011 at 12:53 AM, Antony widmal antony.wid...@gmail.com wrote:
>>> Dear Dan,
>>>
>>> Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on pysmb library in order to implement DCE/RPC functionality in this dinosaurus lib.
>>
>> You can also try Dave Aitel's SPIKE.
>
> Yeah sure; If you're passionate about medieval history and you are a fan of the Flintstones, you'll be happy with Dave Aitel's fuzzer.
>
> Regards,
> Antony
>
>>> This vulnerability is about sending a *huge fucking* stream of UDP packets on a closed port in order to trigger an int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.
>>
>> Is this related to the undisclosed MS09-048, which we were told did not require remediation because the Windows firewall (et al) mitigated the vulnerability? http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx.
>>
>> Jeff
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Sat, 12 Nov 2011 02:42:00 GMT, baqstabz said:
> Judging by your posts I would go out on the edge and say that you have about as much chance of having 0-day (yes, that is including xxs) as your mommy. face it lol

Actually, the mommy has a better chance. https://xkcd.com/327/
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
http://www.secdev.org/projects/scapy/build_your_own_tools.html

Seems to be what you want.

On Sat, Nov 12, 2011 at 12:27 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
> Off topic (kinda) but with all this talk on SCAPY, has anyone a good reference on using it IN a python script for crafting/reading packets? Me and a friend wanted to write a python version of Ettercap/dsniff using the SCAPY libraries as a challenge and as a learning experience. Even if we can just get some reliable ARP poisoning to work with it we will be pretty happy, and will have learned something. Any good literature?
>
> Also, ON topic - http://packetstormsecurity.org/files/106873/winnuke2011.sh.txt
>
> On Sat, Nov 12, 2011 at 11:39 AM, Mario Vilas mvi...@gmail.com wrote:
>> I've used Impacket to craft raw packets of all kinds. Then again I don't know if that counts - used to work at Core at the time, so it was pretty much the only choice due to licensing issues with other libraries. I don't mean to say it's a bad tool to work with, not at all. I happen to prefer the newer Scapy, but it's just a matter of personal taste. :)
>>
>> On Sat, Nov 12, 2011 at 6:53 AM, Antony widmal antony.wid...@gmail.com wrote:
>>> Dear Dan,
>>>
>>> Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on pysmb library in order to implement DCE/RPC functionality in this dinosaurus lib.
>>>
>>> Saying that we should use Impacket in order to craft *raw* UDP packet is definitively the dumbest thing I've heard today. Seriously. Anyone can confirm that ? Mario ? Carlos ?
>>>
>>> Anyways, This guy doesn't understand shit, talks a lot about shit he doesn't know about, why would you even spend time reading his shit ?
>>>
>>> This vulnerability is about sending a *huge fucking* stream of UDP packets on a closed port in order to trigger an int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.
>>>
>>> Anyways, it's probably time for you to unsubscribe since you don't follow and S-K's like sec...@gmail.com are trying to act like they know. Yeah right, a UDP int overflow triggered via a refcount UDP overflow that you can trigger with 1 single TCP (with the right ACK) packet is the way to go.
>>>
>>> This mailing list is getting gay, seriously.
>>>
>>> Cheers,
>>> Antony.
>>>
>>> On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance tzewang.do...@gmail.com wrote:
>>>> Okay, now I'm confused!
>>>>
>>>> From http://oss.coresecurity.com/projects/impacket.html
>>>>
>>>> Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.
>>>>
>>>> Thanks for your input Antony. Can you explain why impacket has nothing to do with crafting UDP packets?
>>>>
>>>> Fascinating thread this. Thanks to all!!
>>>>
>>>> dan :)
>>>>
>>>> On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:
>>>>> You are definitely a lamer secn3t. Also for your little brain, impacket has nothing to do with crafting UDP packets.. Thanks for proving this again and again.
>>>>>
>>>>> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:
>>>>>> well look at that :P not same author but , nice coding predelka! good one, i will add you to crazycoders.com coderslist... i guess there is a few codes you have now done which might be useful... cheers.
>>>>>>
>>>>>> xd
>>>>>>
>>>>>> On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>>>> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi
>>>>>>>
>>>>>>> On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>>>>>>>> Yeah, I gotta say, I’m going to use it at some point ;)
>>>>>>>>
>>>>>>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
>>>>>>>> Sent: Friday, November 11, 2011 9:02 AM
>>>>>>>> To: Ryan Dewhurst
>>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>>> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
>>>>>>>>
>>>>>>>>> I liked the heavy breather in the perv closet bit.
>>>>>>>>>
>>>>>>>>> On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>>>>>>> I think Jon just said what everyone else was thinking, he said what I was thinking at least.
>>>>>>>>>>
>>>>>>>>>> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
>>>>>>>>>>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
>>>>>>>>>>>> About the PPS, i think that's a very bad summary of the exploit, 49days to send a packet, my butt
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Is this thread about a sk who talks about shit he doesn't know, or impacket, or about an actual vuln ? Not sure here

On 14 Nov 2011 00:56, Dan Tulovsky d...@wetsnow.com wrote:
> http://www.secdev.org/projects/scapy/build_your_own_tools.html
>
> Seems to be what you want.
>
> On Sat, Nov 12, 2011 at 12:27 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
>> Off topic (kinda) but with all this talk on SCAPY, has anyone a good reference on using it IN a python script for crafting/reading packets? Me and a friend wanted to write a python version of Ettercap/dsniff using the SCAPY libraries as a challenge and as a learning experience. Even if we can just get some reliable ARP poisoning to work with it we will be pretty happy, and will have learned something. Any good literature?
>>
>> Also, ON topic - http://packetstormsecurity.org/files/106873/winnuke2011.sh.txt
>>
>> On Sat, Nov 12, 2011 at 11:39 AM, Mario Vilas mvi...@gmail.com wrote:
>>> I've used Impacket to craft raw packets of all kinds. Then again I don't know if that counts - used to work at Core at the time, so it was pretty much the only choice due to licensing issues with other libraries. I don't mean to say it's a bad tool to work with, not at all. I happen to prefer the newer Scapy, but it's just a matter of personal taste. :)
>>>
>>> On Sat, Nov 12, 2011 at 6:53 AM, Antony widmal antony.wid...@gmail.com wrote:
>>>> Dear Dan,
>>>>
>>>> Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on pysmb library in order to implement DCE/RPC functionality in this dinosaurus lib.
>>>>
>>>> Saying that we should use Impacket in order to craft *raw* UDP packet is definitively the dumbest thing I've heard today. Seriously. Anyone can confirm that ? Mario ? Carlos ?
>>>>
>>>> Anyways, This guy doesn't understand shit, talks a lot about shit he doesn't know about, why would you even spend time reading his shit ?
>>>>
>>>> This vulnerability is about sending a *huge fucking* stream of UDP packets on a closed port in order to trigger an int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.
>>>>
>>>> Anyways, it's probably time for you to unsubscribe since you don't follow and S-K's like sec...@gmail.com are trying to act like they know. Yeah right, a UDP int overflow triggered via a refcount UDP overflow that you can trigger with 1 single TCP (with the right ACK) packet is the way to go.
>>>>
>>>> This mailing list is getting gay, seriously.
>>>>
>>>> Cheers,
>>>> Antony.
>>>>
>>>> On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance tzewang.do...@gmail.com wrote:
>>>>> Okay, now I'm confused!
>>>>>
>>>>> From http://oss.coresecurity.com/projects/impacket.html
>>>>>
>>>>> Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.
>>>>>
>>>>> Thanks for your input Antony. Can you explain why impacket has nothing to do with crafting UDP packets?
>>>>>
>>>>> Fascinating thread this. Thanks to all!!
>>>>>
>>>>> dan :)
>>>>>
>>>>> On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:
>>>>>> You are definitely a lamer secn3t. Also for your little brain, impacket has nothing to do with crafting UDP packets.. Thanks for proving this again and again.
>>>>>>
>>>>>> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:
>>>>>>> well look at that :P not same author but , nice coding predelka! good one, i will add you to crazycoders.com coderslist... i guess there is a few codes you have now done which might be useful... cheers.
>>>>>>>
>>>>>>> xd
>>>>>>>
>>>>>>> On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>>>>> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi
>>>>>>>>
>>>>>>>> On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>>>>>>>>> Yeah, I gotta say, I’m going to use it at some point ;)
>>>>>>>>>
>>>>>>>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
>>>>>>>>> Sent: Friday, November 11, 2011 9:02 AM
>>>>>>>>> To: Ryan Dewhurst
>>>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>>>> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
>>>>>>>>>
>>>>>>>>>> I liked the heavy breather in the perv closet bit.
>>>>>>>>>>
>>>>>>>>>> On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>>>>>>>> I think Jon just said what
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I've used Impacket to craft raw packets of all kinds. Then again I don't know if that counts - used to work at Core at the time, so it was pretty much the only choice due to licensing issues with other libraries. I don't mean to say it's a bad tool to work with, not at all. I happen to prefer the newer Scapy, but it's just a matter of personal taste. :)

On Sat, Nov 12, 2011 at 6:53 AM, Antony widmal antony.wid...@gmail.com wrote:
> Dear Dan,
>
> Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on pysmb library in order to implement DCE/RPC functionality in this dinosaurus lib.
>
> Saying that we should use Impacket in order to craft *raw* UDP packet is definitively the dumbest thing I've heard today. Seriously. Anyone can confirm that ? Mario ? Carlos ?
>
> Anyways, This guy doesn't understand shit, talks a lot about shit he doesn't know about, why would you even spend time reading his shit ?
>
> This vulnerability is about sending a *huge fucking* stream of UDP packets on a closed port in order to trigger an int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.
>
> Anyways, it's probably time for you to unsubscribe since you don't follow and S-K's like sec...@gmail.com are trying to act like they know. Yeah right, a UDP int overflow triggered via a refcount UDP overflow that you can trigger with 1 single TCP (with the right ACK) packet is the way to go.
>
> This mailing list is getting gay, seriously.
>
> Cheers,
> Antony.
>
> On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance tzewang.do...@gmail.com wrote:
>> Okay, now I'm confused!
>>
>> From http://oss.coresecurity.com/projects/impacket.html
>>
>> Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy (http://oss.coresecurity.com/projects/pcapy.html). Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.
>>
>> Thanks for your input Antony. Can you explain why impacket has nothing to do with crafting UDP packets?
>>
>> Fascinating thread this. Thanks to all!!
>>
>> dan :)
>>
>> On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:
>>> You are definitely a lamer secn3t. Also for your little brain, impacket has nothing to do with crafting UDP packets.. Thanks for proving this again and again.
>>>
>>> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:
>>>> well look at that :P not same author but , nice coding predelka! good one, i will add you to crazycoders.com coderslist... i guess there is a few codes you have now done which might be useful... cheers.
>>>>
>>>> xd
>>>>
>>>> On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi
>>>>>
>>>>> On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>>>>>> Yeah, I gotta say, I’m going to use it at some point ;)
>>>>>>
>>>>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
>>>>>> Sent: Friday, November 11, 2011 9:02 AM
>>>>>> To: Ryan Dewhurst
>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
>>>>>>
>>>>>>> I liked the heavy breather in the perv closet bit.
>>>>>>>
>>>>>>> On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>>>>> I think Jon just said what everyone else was thinking, he said what I was thinking at least.
>>>>>>>>
>>>>>>>> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
>>>>>>>>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
>>>>>>>>>> About the PPS, i think that's a very bad summary of the exploit, 49days to send a packet, my butt. There is many people assuming wrong things, when it can be done with seconds, syscanner would scan a -b class in minutes, remember it only has to find the vulns, gather, then it would break scan, and trigger vuln... so in real world botnet, yes then, with tcpip patchers, like so many ppl i know myself, even use (tcpipz)patcher ) , which rocks... and it is ONLY one which actually works, when you maybe modify the src so the sys file, is dropped from within a .cpp file, well that's up to you but that's better way to make it work, this will open sockets/threads, as i could, easily prove with one exe, but, the goal is, to trigger the vuln then exploit it, less than 49days :P , so , i guess
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Off topic (kinda) but with all this talk on SCAPY, has anyone a good reference on using it IN a python script for crafting/reading packets? Me and a friend wanted to write a python version of Ettercap/dsniff using the SCAPY libraries as a challenge and as a learning experience. Even if we can just get some reliable ARP poisoning to work with it we will be pretty happy, and will have learned something. Any good literature?

Also, ON topic - http://packetstormsecurity.org/files/106873/winnuke2011.sh.txt

On Sat, Nov 12, 2011 at 11:39 AM, Mario Vilas mvi...@gmail.com wrote:
> I've used Impacket to craft raw packets of all kinds. Then again I don't know if that counts - used to work at Core at the time, so it was pretty much the only choice due to licensing issues with other libraries. I don't mean to say it's a bad tool to work with, not at all. I happen to prefer the newer Scapy, but it's just a matter of personal taste. :)
>
> On Sat, Nov 12, 2011 at 6:53 AM, Antony widmal antony.wid...@gmail.com wrote:
>> Dear Dan,
>>
>> Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on pysmb library in order to implement DCE/RPC functionality in this dinosaurus lib.
>>
>> Saying that we should use Impacket in order to craft *raw* UDP packet is definitively the dumbest thing I've heard today. Seriously. Anyone can confirm that ? Mario ? Carlos ?
>>
>> Anyways, This guy doesn't understand shit, talks a lot about shit he doesn't know about, why would you even spend time reading his shit ?
>>
>> This vulnerability is about sending a *huge fucking* stream of UDP packets on a closed port in order to trigger an int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.
>>
>> Anyways, it's probably time for you to unsubscribe since you don't follow and S-K's like sec...@gmail.com are trying to act like they know. Yeah right, a UDP int overflow triggered via a refcount UDP overflow that you can trigger with 1 single TCP (with the right ACK) packet is the way to go.
>>
>> This mailing list is getting gay, seriously.
>>
>> Cheers,
>> Antony.
>>
>> On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance tzewang.do...@gmail.com wrote:
>>> Okay, now I'm confused!
>>>
>>> From http://oss.coresecurity.com/projects/impacket.html
>>>
>>> Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy (http://oss.coresecurity.com/projects/pcapy.html). Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.
>>>
>>> Thanks for your input Antony. Can you explain why impacket has nothing to do with crafting UDP packets?
>>>
>>> Fascinating thread this. Thanks to all!!
>>>
>>> dan :)
>>>
>>> On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:
>>>> You are definitely a lamer secn3t. Also for your little brain, impacket has nothing to do with crafting UDP packets.. Thanks for proving this again and again.
>>>>
>>>> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:
>>>>> well look at that :P not same author but , nice coding predelka! good one, i will add you to crazycoders.com coderslist... i guess there is a few codes you have now done which might be useful... cheers.
>>>>>
>>>>> xd
>>>>>
>>>>> On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>>> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi
>>>>>>
>>>>>> On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>>>>>>> Yeah, I gotta say, I’m going to use it at some point ;)
>>>>>>>
>>>>>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
>>>>>>> Sent: Friday, November 11, 2011 9:02 AM
>>>>>>> To: Ryan Dewhurst
>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
>>>>>>>
>>>>>>>> I liked the heavy breather in the perv closet bit.
>>>>>>>>
>>>>>>>> On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>>>>>> I think Jon just said what everyone else was thinking, he said what I was thinking at least.
>>>>>>>>>
>>>>>>>>> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
>>>>>>>>>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
>>>>>>>>>>> About the PPS, i think that's a very bad summary of the exploit, 49days to send a packet, my butt. There is many people assuming wrong things, when it can be done with seconds, syscanner would scan a -b class in minutes, remember
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
import os
from impacket import ImpactDecoder, ImpactPacket

def callback(self, hdr, data):
    # Parse the Ethernet packet
    decoder = ImpactDecoder.EthDecoder()
    ether = decoder.decode(data)
    # Parse the IP packet inside the Ethernet packet, then the UDP header inside it
    iphdr = ether.child()
    udphdr = iphdr.child()
    # First check that the packets are not coming from the local host
    # Then check that it is a UDP packet (in case you changed the BPF); also
    # check that the destination port for the packet is a closed port on the host
    if iphdr.get_ip_src() != self.ip:
        self.refresh_portlist()
        if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and
                udphdr.get_uh_dport() not in self.portlist):
            if self.called == 0:
                self.callonce()
            print("Incoming UDP packet from %s" % iphdr.get_ip_src())
            self.dumper.dump(hdr, data)

def refresh_portlist(self):
    # bash script to get all the open and listening UDP ports
    # used in the callback function as criteria for logging traffic
    output = os.popen("./getports.sh")
    pl = output.readlines()
    self.portlist = []
    for p in pl:
        self.portlist.append(int(p))

Seriously? popen()ing a bash script that calls netstat and awk twice for every packet?

Tillmann

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
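The same closed-port honeypot callback without the per-packet popen(), as an added example that is neither Tillmann's nor the quoted script's code: the listening-port list is cached and rebuilt at most once per refresh interval, and frames are parsed from raw bytes with struct so it runs without impacket or pcapy. The class name, the list_open_ports callable standing in for getports.sh, the injectable clock, and the sample addresses and ports are assumptions; the frames are constructed, not captured.

```python
import struct
import time

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_udp(frame):
    """Return (src_ip, dst_port) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4          # IP header length in bytes
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None                   # not UDP, or UDP header truncated
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return src_ip, dst_port


class ClosedPortMonitor:
    """Records UDP datagrams sent to ports the host is not listening on.

    list_open_ports is a callable returning the listening UDP ports (the
    role getports.sh plays in the quoted script). It is invoked at most
    once per refresh_interval seconds, not once per packet. clock is
    injectable so the refresh logic can be exercised deterministically.
    """

    def __init__(self, local_ip, list_open_ports, refresh_interval=5.0,
                 clock=time.monotonic):
        self.local_ip = local_ip
        self.list_open_ports = list_open_ports
        self.refresh_interval = refresh_interval
        self.clock = clock
        self.portlist = set()
        self.last_refresh = None
        self.refresh_count = 0     # how often the port list was rebuilt
        self.events = []           # (src_ip, dst_port) of logged packets

    def refresh_portlist(self, force=False):
        now = self.clock()
        if (force or self.last_refresh is None
                or now - self.last_refresh >= self.refresh_interval):
            self.portlist = set(int(p) for p in self.list_open_ports())
            self.last_refresh = now
            self.refresh_count += 1

    def callback(self, frame):
        """Return True if the frame was logged as a closed-port probe."""
        parsed = parse_udp(frame)
        if parsed is None:
            return False
        src_ip, dst_port = parsed
        if src_ip == self.local_ip:   # ignore our own outbound traffic
            return False
        self.refresh_portlist()       # cheap unless the cache has expired
        if dst_port in self.portlist:
            return False              # a real service listens there
        self.events.append((src_ip, dst_port))
        return True


def build_udp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/UDP frame (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + udp


if __name__ == "__main__":
    # Constructed sample: host 10.0.0.5 listens on UDP 53 and 123 only.
    mon = ClosedPortMonitor("10.0.0.5", lambda: [53, 123])
    for frame in (build_udp_frame("192.0.2.1", "10.0.0.5", 40000, 9999),
                  build_udp_frame("192.0.2.1", "10.0.0.5", 40000, 53),
                  build_udp_frame("10.0.0.5", "192.0.2.1", 53, 40000)):
        mon.callback(frame)
    print("logged:", mon.events, "refreshes:", mon.refresh_count)
```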
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
not my code dude. i just offered it, for anyone who was interested... again, people bashing the user, who does nothing but inform :s good one.

On 11 November 2011 19:17, Tillmann Werner <tillmann.wer...@gmx.de> wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
btw, you do realise, it is doing exactly what it is meant to, right? it is called a honeypot sir... try to figure out WHY it is looping... then maybe, the code is nicer yes... i dont really care for it... i am, making the proper .cpp scanner. nothing more interests me about it, and, nothing else, i need others to tell me, thx. I have done this my own b4, please, dont try holding any hands. I will only, cut off your feet ;) later

On 11 November 2011 19:17, Tillmann Werner <tillmann.wer...@gmx.de> wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
PoC ? http://www.youtube.com/watch?v=4aBE6o0oDlo

[]'s
Sergito

2011/11/10 Thor (Hammer of God) <t...@hammerofgod.com>

So, I've looked about on the web to see what software of any consequence you have written, but I can't find any. Can you point me to anything that illustrates that you know how to develop wide scale software applications and execute an SDL plan, or do you just like to sit back and bitch about everyone else without actually doing anything? I'm serious - I'd really like to know. Over all these years, all I've ever seen from you is talk about how stupid everyone else is, but I've never once actually seen you do anything constructive.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski
Sent: Thursday, November 10, 2011 8:48 AM
To: xD 0x41
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:

You could just google for IRC packs of win2k src ;) I know i have a copy of it somewhere... actually tho, would not be helpful tho, as it does not affect win2k.. so i guess there would be some code there but not the code you want. @george and, ideally if 'years' ago existed for this exploit but, it does only affect v6 and up, this is tested so xp/2k/2k3 not affected... still, i know people are using other ways anyhow, and thats just how botting is... one way dies, one takes its place :s i guess we wait for the rls of this.. maybe!

as in real life, real bugs die (the imaginary case is not clear to me). i suppose trustworthy computing doesn't mean not many bugs still alive.

--
j
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 <sec...@gmail.com> wrote:

About the PPS, i think thats a very bad summary of the exploit, 49 days to send a packet, my butt. There are many people assuming wrong things, when it can be done in seconds; syscanner would scan a -b class in minutes, remember it only has to find the vulns, gather, then it would break scan, and trigger vuln... so in real world botnet, yes then, with tcpip patchers, like so many ppl i know myself, even use (tcpipz patcher), which rocks... and it is the ONLY one which actually works, when you maybe modify the src so the sys file is dropped from within a .cpp file, well thats up to you but thats a better way to make it work, this will open sockets/threads, as i could easily prove with one exe, but, the goal is, to trigger the vuln then exploit it, in less than 49 days :P , so, i guess if this exploit, in real form, gathered 2 million hosts over 3 nights.. i'm guessing that the exploit could possibly be triggered with ONE properly setup packet.. people forget that, a packet is one thing, and a crafted UDP packet, is quite another..

I'd really like to see you actually explain this bug with code. Either with a poc or with the disassembly. You seem to act like you know what's going on, but so far your description has been off base (from what I can make of your writing). No one cares about paragraphs of speculation and bragging, code or you are just another heavy breather in the perv closet of FD.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I think Jon just said what everyone else was thinking, he said what I was thinking at least.

On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz <jon.ke...@gmail.com> wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I liked the heavy breather in the perv closet bit.

On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Talk is indeed cheap!

Gary B

On 11/11/2011 11:43 AM, Ryan Dewhurst wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Yeah, I gotta say, I'm going to use it at some point ;)

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
Sent: Friday, November 11, 2011 9:02 AM
To: Ryan Dewhurst
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Would scapy be a suitable tool to attempt this kind of packet manipulation with? I'm a programmer, but I'm new to this kind of network/packet-level/security scripting. What tools / frameworks / languages etc do you guys use to write these kinds of exploit scripts?

cheers,

dan :)

(keep forgetting I need to reply-all on this list)

On 11 November 2011 17:01, Mario Vilas <mvi...@gmail.com> wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi

On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God) <t...@hammerofgod.com> wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I have said, when the author wants to, and when he's ready to, i am sure he will.

On 12 November 2011 00:54, Jon Kertz <jon.ke...@gmail.com> wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
yer yer... everyone tries to shoot the messenger, when, i should have just stfu, and, not offered any insight, which would probably have been better, sorry, ill make sure to keep this shit to myself, until the actual author, gives out shit.. .ok...thx. my mistake

On 12 November 2011 03:43, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
are you braindead ? your humor, is really lost on me..so, i think, look within :P

On 12 November 2011 04:01, Mario Vilas <mvi...@gmail.com> wrote:
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Yep! Next time I won't say shit, and believe it. Seems you cannot even wait for the author to do it... as to which, I have said... and I tried to show you also how to simply *catch* it... but you're trying to get code from me, which I will never give you :) So to those who care about it and want to wait, they can then see who is bullshitting who.. I am shocked how many so-called 'skilled' people cannot get this bug to work... but they're NOT the ones whining about code :) They're probably already doing what I am, making a nice, portable cpp version, which would not be hard if you already know what to start with etc.. So I guess discussion would only assist malign use of code, which I won't have, as an MS user. Sorry, but when the author likes, he will give it to you. Until then, go roll a joint and relax. thx!

On 12 November 2011 03:57, Gary Baribault g...@baribault.net wrote:
> Talk is indeed cheap!
>
> Gary B
>
> On 11/11/2011 11:43 AM, Ryan Dewhurst wrote:
>> I think Jon just said what everyone else was thinking, he said what I was thinking at least.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
> Would scapy be a suitable tool to attempt this kind of packet manipulation with? I'm a programmer, but I'm new to this kind of network/packet-level/security scripting.

Yes, scapy + impacket would probably help you with the python side...

On 12 November 2011 04:04, Dan Ballance tzewang.do...@gmail.com wrote:
> Would scapy be a suitable tool to attempt this kind of packet manipulation with? I'm a programmer, but I'm new to this kind of network/packet-level/security scripting. What tools / frameworks / languages etc do you guys use to write these kinds of exploit scripts?
>
> cheers,
>
> dan :)
>
> (keep forgetting I need to reply-all on this list)
>
> On 11 November 2011 17:01, Mario Vilas mvi...@gmail.com wrote:
>> I liked the heavy breather in the perv closet bit.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Well look at that :P Not the same author, but nice coding, predelka! Good one, I will add you to the crazycoders.com coders list... I guess there are a few codes you have now done which might be useful... cheers.

xd

On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi
>
> On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>> Yeah, I gotta say, I'm going to use it at some point ;)
>>
>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
>> Sent: Friday, November 11, 2011 9:02 AM
>> To: Ryan Dewhurst
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
>>
>> I liked the heavy breather in the perv closet bit.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Sat, 12 Nov 2011 09:22:19 +1100, xD 0x41 said:
> yer yer... everyone tries to shoot the messenger, when I should have just stfu and not offered any insight, which would probably have been better. Sorry, I'll make sure to keep this shit to myself until the actual author gives out shit.. ok... thx.

I think the problem was that you didn't offer any insight that they were able to understand and follow.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
You are definitely a lamer, secn3t. Also, for your little brain, impacket has nothing to do with crafting UDP packets.. Thanks for proving this again and again.

On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:
> Well look at that :P Not the same author, but nice coding, predelka! Good one, I will add you to the crazycoders.com coders list... I guess there are a few codes you have now done which might be useful... cheers.
>
> xd
>
> On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Sat, 12 Nov 2011 09:36:21 +1100, xD 0x41 said:
> Well look at that :P Not the same author, but nice coding, predelka! Good one, I will add you to the crazycoders.com coders list... I guess there are a few codes you have now done which might be useful... cheers.

Did you actually do a code review? There's some... issues. ;)

First, the comment block says it needs 2^32 packets sent. Then we do:

    for(lthreads=0;lthreads<250;lthreads++){//UDP flood
        iret = pthread_create(thread,NULL,sendpackets,argv[1]);

(250, not 256? Gaak ;)

And then sendpackets() does this:

    for(i=0;i<4294967295;i++){

So this is working 250 times as hard as it has to. No wonder it takes 52 days. ;)

Also, the variable 'active' is at least theoretically racy - it's *possible*, but unlikely, that the main program will kick off the 250 threads, and fall through to the 'while(active)' loop before any of the threads have hit the active++ in their code.
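The two review findings above (every one of the 250 threads walking the whole 2^32 range, and the racy `active` counter that main polls) restated as a small pthreads program. This is an added example, not the pastebin PoC and not code from anyone in the thread; the names `worker_slice`, `partition_range`, `partition_covers` and `run_workers` are mine, and the per-item work is a stand-in counter rather than a packet send.

```c
/* Added example: the two defects from the code review above, restated as
 * a small pthreads program.  Not the pastebin PoC and not code from the
 * thread; names are mine and the "work" is a stand-in counter, not a send.
 *
 * Defect 1: T threads that each iterate the full range do T times the work.
 *           Fix: give each thread a disjoint slice of [0, total).
 * Defect 2: main polls a shared counter (while(active)) that the workers
 *           increment; main can reach the loop before any worker has run
 *           and exit at once.  Fix: establish completion with pthread_join,
 *           which needs no shared counter at all.
 */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint64_t start;   /* first item this worker owns (inclusive) */
    uint64_t end;     /* one past the last item it owns          */
    uint64_t done;    /* items processed; written only by owner  */
} worker_slice;

/* Split [0, total) into nthreads disjoint, contiguous, nearly equal slices.
 * The first (total % nthreads) slices get one extra item so the slices
 * cover the range exactly with nothing counted twice. */
void partition_range(uint64_t total, unsigned nthreads, worker_slice *slices)
{
    uint64_t base = total / nthreads, extra = total % nthreads, next = 0;
    for (unsigned t = 0; t < nthreads; t++) {
        uint64_t len = base + (t < extra ? 1 : 0);
        slices[t].start = next;
        slices[t].end = next + len;
        slices[t].done = 0;
        next += len;
    }
}

/* 1 if the slices produced for (total, nthreads) are contiguous and cover
 * exactly [0, total); lets the partition be checked without printing. */
int partition_covers(uint64_t total, unsigned nthreads)
{
    if (nthreads == 0 || nthreads > 1024) return 0;
    worker_slice s[1024];
    partition_range(total, nthreads, s);
    uint64_t expect = 0;
    for (unsigned t = 0; t < nthreads; t++) {
        if (s[t].start != expect || s[t].end < s[t].start) return 0;
        expect = s[t].end;
    }
    return expect == total;
}

/* Per-thread body: touches only its own slice, so no locking is needed.
 * The PoC would send one packet per iteration here. */
static void *worker(void *arg)
{
    worker_slice *s = arg;
    for (uint64_t i = s->start; i < s->end; i++)
        s->done++;
    return NULL;
}

/* Run the work on nthreads threads and return the number of items
 * processed.  Completion comes from pthread_join, so there is no window
 * in which main can observe "nothing active" before the workers start. */
uint64_t run_workers(uint64_t total, unsigned nthreads)
{
    if (nthreads == 0) return 0;
    pthread_t *tids = calloc(nthreads, sizeof *tids);
    worker_slice *slices = calloc(nthreads, sizeof *slices);
    uint64_t sum = 0;
    if (tids && slices) {
        partition_range(total, nthreads, slices);
        unsigned started = 0;
        for (unsigned t = 0; t < nthreads; t++) {
            if (pthread_create(&tids[t], NULL, worker, &slices[t]) != 0) break;
            started++;
        }
        for (unsigned t = 0; t < started; t++) {   /* join = completion signal */
            pthread_join(tids[t], NULL);
            sum += slices[t].done;                 /* safe: the owner has exited */
        }
    }
    free(tids);
    free(slices);
    return sum;
}

int main(void)
{
    printf("4 workers processed %llu of 1000 items\n",
           (unsigned long long)run_workers(1000, 4));
    return 0;
}
```

Build with `cc -pthread`. `run_workers` returns exactly `total` because the slices are disjoint and complete; if a `pthread_create` call fails the function stops spawning and reports only what the started threads finished, instead of spinning on a counter that may never move.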
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
lol... yea... no idea, don't care. This is just for those ppl who *had* to see something :) Now let them worry why their box is executing ping floods and crap.. or maybe causing even worse things ;) I know prdelka is very good with backdoors :P lol... I hope he got every fucker who was breaking balls. Also, of course, if it takes 49 days then... why would MS even worry.. hehe... Just ignore me until the real author comes forward, and then the ppl who abused me can see for themselves how this works. And not until then, or until I make my own scanner, will I even share one bit more of actual info, because it was always a stack-based overflow, NOT off-by-one :) Anyhow... it doesn't take 49 days at all.. and yes, indeed, it will be one good packet, if the packet has the right SQN + Ack number. I guess a stream of UDPs would be just as effective, but I don't know yet, until my own code scanner is done. So I don't care what ppl say... I know my windows... and know my MS exploits... MS is not as secure as we would love to think, and once a hole like this is opened, there are many ways to reopen it.. there is a magic key for every box... anyhow, later..

On 12 November 2011 09:58, valdis.kletni...@vt.edu wrote:
> On Sat, 12 Nov 2011 09:36:21 +1100, xD 0x41 said:
>> Well look at that :P Not the same author, but nice coding, predelka! Good one, I will add you to the crazycoders.com coders list... I guess there are a few codes you have now done which might be useful... cheers.
>
> Did you actually do a code review? There's some... issues. ;)
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
> Next time I won't say shit, and believe it.

Well it's just that the attack you are describing will be thwarted by setting a sticky bit on /tmp, and you have not demonstrated otherwise.

/mz
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Indeed. Seeing how the wolves are, I certainly would not release it. I am only saying I am using cpp and windows, and the exploit bypasses all protections, but since you guys don't have the actual real poc for it, I guess I would not be saying anything more, and I'll be leaving it for the proper poc author to make that choice, which, personally, I would never hand out to a bunch of disrespectful people, as I see. When this is nothing, I have held onto at least 2 GOOD MS 0days for years; you really think I will hand out the right way to do this? pfft.. yeah right, let's go hand everyone the MS bug :PP ofc, why would I ever not want a 10k botnet up in a day... hell yea! I would never give more about this on this topic, because I have seen how people are now on this list, and it saddens me that half of you do not have a brain. Unfortunately.. and since I don't wish to break any deals made with MS etc, then I cannot say anything; I don't know why this is hard to understand.. and I will NOT hand out a working scanner, regardless... and believe it, it does NOT take 49 days at all to exploit... there's a lot you don't know.. yet. Don't ask me further, please. I should never have even said anything; again, I won't make that mistake again. The proof will, as always, be in the pudding... later.

On 12 November 2011 10:17, Michal Zalewski lcam...@coredump.cx wrote:
>> Next time I won't say shit, and believe it.
>
> Well it's just that the attack you are describing will be thwarted by setting a sticky bit on /tmp, and you have not demonstrated otherwise.
>
> /mz
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Let me guess, your M$ 0days can be triggered by hitting ALT-F4 while browsing with IE?

On Fri, Nov 11, 2011 at 3:26 PM, xD 0x41 sec...@gmail.com wrote:
> Indeed. Seeing how the wolves are, I certainly would not release it. I am only saying I am using cpp and windows, and the exploit bypasses all protections, but since you guys don't have the actual real poc for it, I guess I would not be saying anything more, and I'll be leaving it for the proper poc author to make that choice.
>
> On 12 November 2011 10:17, Michal Zalewski lcam...@coredump.cx wrote:
>> Well it's just that the attack you are describing will be thwarted by setting a sticky bit on /tmp, and you have not demonstrated otherwise.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I have no doubt that a lot of things are lost on you.

On Fri, Nov 11, 2011 at 11:23 PM, xD 0x41 sec...@gmail.com wrote:
> Are you braindead? Your humor is really lost on me... so, I think, look within :P
>
> On 12 November 2011 04:01, Mario Vilas mvi...@gmail.com wrote:
>> I liked the heavy breather in the perv closet bit.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Fri, Nov 11, 2011 at 5:28 PM, xD 0x41 sec...@gmail.com wrote:
> I am shocked how many so-called 'skilled' people cannot get this bug to work... but they're NOT the ones whining about code :)

I didn't ask for a proof of concept, I told you to explain the bug and/or your claims with code. There is a difference.

You've come here making some outrageous claims: that you can trigger the bug with one packet, how we're all wrong about the timing aspect of the bug, and even a rather unusual description of the bug itself (which was difficult to interpret, but seems flat out wrong; however, it may be due to the language barrier). We can look beyond your broken English and read code, whether it be disassembly or a proof of concept, then determine if your claims are sensible or not. You've made statements that seem to indicate you have analyzed the bug and attempted to describe it, so I'm asking you to put that in a form we can all understand and that isn't bound by language limitations. I can read disassembly; I can't read and comprehend your English.

I'm trying not to jump to conclusions here, but so far you've made claims that no one else seems to back up, and it appears you are just blathering and foaming at the mouth to appear l33t like a lot of other people talking about this bug. You can resolve that by providing code to prove your claims; otherwise no one is going to listen to you or care.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Okay, now I'm confused! From http://oss.coresecurity.com/projects/impacket.html:

> Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in a simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy (http://oss.coresecurity.com/projects/pcapy.html). Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.

Thanks for your input Antony. Can you explain why impacket has nothing to do with crafting UDP packets?

Fascinating thread this. Thanks to all!!

dan :)

On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:
> You are definitely a lamer, secn3t. Also, for your little brain, impacket has nothing to do with crafting UDP packets.. Thanks for proving this again and again.
>
> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:
>> Well look at that :P Not the same author, but nice coding, predelka! Good one, I will add you to the crazycoders.com coders list... I guess there are a few codes you have now done which might be useful... cheers.
>>
>> xd
>>
>> On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Fri, Nov 11, 2011 at 3:13 PM, xD 0x41 sec...@gmail.com wrote:
> anyhow... it doesnt take, 49 days, at all.. and, yes, indeed, will be one good packet, if the packet , has the right SQN + Ack number.

^^ We are discussing UDP, as per the MS advisory, yes?
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
or a blue screen...

2011/11/11 Antony widmal antony.wid...@gmail.com
> Let me guess your M$ 0days can be triggered by hitting ALT-F4 while browsing with IE ?
>
> On Fri, Nov 11, 2011 at 3:26 PM, xD 0x41 sec...@gmail.com wrote:
>> Indeed. Seeing how the wolves are, i certainly would not release it. i am only saying, I am using cpp, and windows, and, the exploit bypasses all protections, but, since you guys dont have the actual real poc for it, i guess, i would not be saying anything more, and, ill be leaving it, for the proper poc author, to make that choice, which, personally, i would never hand out to a bunch of disrespectful people, as i see, when this is, nothing, i have held onto, at least 2 GOOD MS 0days for years, you really think, i will hand out the right way to do this ? pfft.. yer right, lets go hand everyone the ms bug :PP ofc, why would i ever not want a 10 k botnet up in a day... hell yea! i would never, give more about this, on this topic, because, i have seen how people are now on this list and, saddens me that half of you do not have a brain. unfortunately..and, since i dont wish to break any deals made with ms etc, then, i cannot say anything, i dont know, why this is hard to understand..and, i will NOT hand out a working scanner, regardless... and, believe it, it does NOT take 49 days at all to exploit... theres a lot, you dont know..yet. dont ask me further, please. i should never have even said anything, again, i wont make that mistake again, the proof, will as always be in the pudding... later.
>>
>> On 12 November 2011 10:17, Michal Zalewski lcam...@coredump.cx wrote:
>>> > next time, i wont say shit, and, believe it.
>>>
>>> Well it's just that the attack you are describing will be thwarted by setting a sticky bit on /tmp, and you have not demonstrated otherwise.
>>>
>>> /mz
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
0day for ms, is not so hard, and, i have already explained one of them to some people :) but, i dont care, because, you dont have it, and, i do. so, many people have 0days...whats wrong with this ? i found my own, and, thats why i am happy to keep them. and, as i said, one, i have discussed and, made a working scanner binary for.. so, i guess that much, some people do know is true... so, thats not rare at all.. you want to wonder about just windows, imagine linux... and, there is , the imagination, is big there and there is plenty and plenty of attacks still available on fully patched NON grsec kernels :) and yes, i have 0days of those, also. enjoy. some get lucky, others just...suck..

On 12 November 2011 13:42, baqstabz baqst...@gmail.com wrote:
> Judging by your posts I would go out on the edge and say that you have about as much chance of having 0-day (yes, that is including xxs) as your mommy. face it lol
>
> Now please, stfu son, you're sounding like a total tardlump; otherwise we will have to unleash the dragons and let you see what a 10k botnet feels like.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
> unleash the dragons and let you see what a 10k botnet feels like.

unleash away son :) another, hider... always have some bs to say, but, your just jealous... as most lame botnet owners, are.. ddos, is your no.1 skill, and only reason your here, is to try get the .cpp scanner, and thats that. so you go stfu, and, believe me, 10k, is nothing. you come out , and show yourself, and, your bum will be much worse off than b4. now, dont play with adults, go jack some net...lame d0skid.

On 12 November 2011 13:42, baqstabz baqst...@gmail.com wrote:
> Judging by your posts I would go out on the edge and say that you have about as much chance of having 0-day (yes, that is including xxs) as your mommy. face it lol
>
> Now please, stfu son, you're sounding like a total tardlump; otherwise we will have to unleash the dragons and let you see what a 10k botnet feels like.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
oh, you really are lame... go ahead... ddos away... but, you will never face me, as always :) typical doskiddy... jealousy bites eh :) go home, your boring me. again, this is great stuff from Fd! DDos, and, all for trying, to mention a few things, and try to be civil about it. meh. fuck you all. lame. if this is your idea, of how to beat on someone, for somethin that, will soon be public, then go ahead... as i said, no ddos , and no doskid, ever dares face me, and, if the list is causing me this much problems, then it can go to my spam now on. fucking gits. and kiddo, come on out and show yaself..whats matter, scared that ill fire back ?

On 12 November 2011 13:42, baqstabz baqst...@gmail.com wrote:
> Judging by your posts I would go out on the edge and say that you have about as much chance of having 0-day (yes, that is including xxs) as your mommy. face it lol
>
> Now please, stfu son, you're sounding like a total tardlump; otherwise we will have to unleash the dragons and let you see what a 10k botnet feels like.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Received: from [127.0.0.1] (host86-160-211-44.range86-160.btcentralplus.com. [86.160.211.44])

too bad eh...

On 12 November 2011 13:42, baqstabz baqst...@gmail.com wrote:
> Judging by your posts I would go out on the edge and say that you have about as much chance of having 0-day (yes, that is including xxs) as your mommy. face it lol
>
> Now please, stfu son, you're sounding like a total tardlump; otherwise we will have to unleash the dragons and let you see what a 10k botnet feels like.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Typical S-K behavior; talk about stuff he has nfi.

On 11 Nov. 2011 19:15, xD 0x41 sec...@gmail.com wrote:
> 0day for ms, is not so hard, and, i have already explained one of them to some people :) but, i dont care, because, you dont have it, and, i do. so, many people have 0days...whats wrong with this ? i found my own, and, thats why i am happy to keep them. and, as i said, one, i have discussed and, made a working scanner binary for.. so, i guess that much, some people do know is true... so, thats not rare at all.. you want to wonder about just windows, imagine linux... and, there is , the imagination, is big there and there is plenty and plenty of attacks still available on fully patched NON grsec kernels :) and yes, i have 0days of those, also. enjoy. some get lucky, others just...suck..
>
> On 12 November 2011 13:42, baqstabz baqst...@gmail.com wrote:
>> Judging by your posts I would go out on the edge and say that you have about as much chance of having 0-day (yes, that is including xxs) as your mommy. face it lol
>>
>> Now please, stfu son, you're sounding like a total tardlump; otherwise we will have to unleash the dragons and let you see what a 10k botnet feels like.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Nop. Im in your mom's bedroom, walk up the stairs you will hear us..

On 11 Nov. 2011 19:57, xD 0x41 sec...@gmail.com wrote:
> another fuck who hides :)
>
> On 12 November 2011 14:51, Antony widmal antony.wid...@gmail.com wrote:
>> Typical S-K behavior; talk about stuff he has nfi.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Walk the stairs i said. Im fixing your father's genetic issue.

On 11 Nov. 2011 20:47, xD 0x41 sec...@gmail.com wrote:
> yes, dude, if i were to ever see you, in aus, id beat your arse so good, mother jokes would become a fucking dream to you.. believe it stupid. keep it up too... thinking, im someone who i am not , still.. now, go fuck yaself. if i find out who you are, you will cry mercy forever.
>
> On 12 November 2011 15:44, Antony widmal antony.wid...@gmail.com wrote:
>> Nop. Im in your mom's bedroom, walk up the stairs you will hear us..
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
as ive stated, when the pudding is ready, it would be released, simple... it is not my fault, if a friend hands me papers, and i am not obliged to re release them... simple. I dont care to provide amusement for you, and any other idiot like you. So, go fk yourself too :) thx, and have a nice day.

On 12 November 2011 16:02, Jon Kertz jon.ke...@gmail.com wrote:
> On Fri, Nov 11, 2011 at 6:26 PM, xD 0x41 sec...@gmail.com wrote:
>> i should never have even said anything, again, i wont make that mistake again, the proof, will as always be in the pudding... later.
>
> Yes, it is. The only problem is you've failed to provide the pudding, so there is no proof.
>
> Back to your regularly scheduled huffing, panting, and closet drooling.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Dear Dan,

Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on pysmb library in order to implement DCE/RPC functionality in this dinosaurus lib.

Saying that we should use Impacket in order to craft *raw* UDP packet is definitively the dumbest thing I've heard today. Seriously. Anyone can confirm that ? Mario ? Carlos ?

Anyways, This guy doesn't understand shit, talks a lot about shit he doesn't know about, why would you even spend time reading his shit ?

This vulnerability is about sending a *huge fucking* stream of UDP packets on a closed port in order to trigger a int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.

Anyways, it's probably time for you to unsubscribe since you don't follow and S-K's like sec...@gmail.com are trying to act like they know. Yeah right, a UDP int overflow triggered via a refcount UDP overflow that you can trigger with 1 single TCP (with the right ACK) packet is the way to go.

This mailing list is getting gay, seriously.

Cheers,
Antony.

On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance tzewang.do...@gmail.com wrote:
> Okay, now I'm confused! From http://oss.coresecurity.com/projects/impacket.html
>
> Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy http://oss.coresecurity.com/projects/pcapy.html. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.
>
> Thanks for your input Antony. Can you explain why impacket has nothing to do with crafting UDP packets?
>
> Fascinating thread this. Thanks to all!!
>
> dan :)
>
> On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:
>> You are definitely a lamer secn3t. Also for you little brain, impacket has nothing to do with crafting UDP packets.. Thanks for proving this again and again.
>>
>> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:
>>> well look at that :P not same author but , nice coding predelka! good one, i will add you to crazycoders.com coderslist... i guess there is a few codes you have now done which might be useful... cheers.
>>>
>>> xd
>>>
>>> On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic:
>>>> http://pastebin.com/fjZ1k0fi
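Antony's description above names the bug class at issue: a reference count that a long stream of UDP datagrams to a closed port can drive to integer overflow. The C program below is an added illustration of that class and of the standard mitigation; it is not code from this thread, from any of its participants, or from Microsoft, and it models nothing specific to tcpip.sys. The object, its counts and the per-second rates are constructed for the example. It shows a toy object with a 32-bit reference count, the unchecked increment that wraps 0xFFFFFFFF to 0 so that a later release frees the object underneath every other holder, the checked increment that refuses a reference at saturation (a denial rather than a memory-safety failure), and a helper that turns an assumed trigger rate into the time needed to wrap the counter. Under the assumption that each datagram costs one increment, 1000 per second from zero takes about 49.7 days, which is one way a "49 days" figure like the one argued over in this thread can arise; the time falls in proportion as the rate rises.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy refcounted object, constructed for this example. It stands in for any
 * kernel object whose lifetime is governed by a 32-bit reference count. */
struct obj {
    uint32_t refs;
    bool freed;
};

/* The bug class: an unchecked increment silently wraps 0xFFFFFFFF to 0. */
static uint32_t refcount_inc_unchecked(uint32_t c)
{
    return c + 1u;
}

/* Hardened increment: refuse to hand out another reference once the counter
 * is saturated, so the caller fails safely instead of corrupting lifetime. */
static bool refcount_inc_checked(uint32_t *c)
{
    if (*c == UINT32_MAX)
        return false;
    (*c)++;
    return true;
}

/* Release path as written in most refcounted code: free when the count hits 0. */
static void release(struct obj *o)
{
    if (--o->refs == 0)
        o->freed = true;
}

/* Scenario with the unchecked increment. UINT32_MAX references are already
 * outstanding (the counter starts there instead of being incremented 2^32-1
 * times; the arithmetic is identical). One more remotely triggered reference
 * wraps the counter to 0; a legitimate local user then takes and drops one
 * reference and the object is freed underneath every other holder.
 * Returns true if the object was freed while references were outstanding. */
static bool premature_free_after_wrap(void)
{
    struct obj o = { UINT32_MAX, false };
    o.refs = refcount_inc_unchecked(o.refs);   /* 0xFFFFFFFF + 1 wraps to 0 */
    o.refs = refcount_inc_unchecked(o.refs);   /* legitimate user: count is now 1 */
    release(&o);                               /* 1 -> 0: freed, 2^32 holders remain */
    return o.freed;
}

/* Same scenario with the checked increment. The saturating reference is
 * refused, the legitimate user's acquire is refused too, and nothing is
 * released that was never acquired. Returns true only if a premature free occurred. */
static bool premature_free_with_checked(void)
{
    struct obj o = { UINT32_MAX, false };
    (void)refcount_inc_checked(&o.refs);   /* refused: counter stays at UINT32_MAX */
    if (refcount_inc_checked(&o.refs))     /* also refused, so no reference to drop */
        release(&o);
    return o.freed;
}

/* Seconds needed to drive a 32-bit counter from `start` to the wrap point at
 * `rate` increments per second. The rate is an assumption supplied by the
 * caller; if each datagram costs one increment, 1000/s from 0 takes about
 * 49.7 days and 100000/s about half a day. */
static double seconds_to_wrap(uint32_t start, double rate)
{
    uint64_t remaining = (uint64_t)UINT32_MAX - start + 1u;  /* increments until wrap */
    return (double)remaining / rate;
}

static double days_to_wrap(uint32_t start, double rate)
{
    return seconds_to_wrap(start, rate) / 86400.0;
}

int main(void)
{
    printf("unchecked increment: premature free = %s\n",
           premature_free_after_wrap() ? "yes" : "no");
    printf("checked increment:   premature free = %s\n",
           premature_free_with_checked() ? "yes" : "no");
    printf("wrap from 0: %.1f days at 1000/s, %.2f days at 100000/s\n",
           days_to_wrap(0, 1000.0), days_to_wrap(0, 100000.0));
    return 0;
}
```

The point of the two scenario functions is the contrast in failure mode: with the unchecked counter the wrap turns a counting error into a freed-while-in-use object, while the checked counter turns the same pressure into a refused reference, which is the outcome a kernel should prefer. The rate helper is why a "how long does it take" figure is meaningless without the assumed rate attached.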
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Sat, Nov 12, 2011 at 12:53 AM, Antony widmal antony.wid...@gmail.com wrote:
> Dear Dan,
>
> Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on pysmb library in order to implement DCE/RPC functionality in this dinosaurus lib.

You can also try Dave Aitel's SPIKE.

> This vulnerability is about sending a *huge fucking* stream of UDP packets on a closed port in order to trigger a int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.

Is this related to the undisclosed MS09-048, which we were told did not require remediation because the Windows firewall (et al) mitigated the vulnerability? http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx.

Jeff
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Fri, Nov 11, 2011 at 10:08 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Sat, Nov 12, 2011 at 12:53 AM, Antony widmal antony.wid...@gmail.com wrote:
>> Dear Dan,
>>
>> Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on pysmb library in order to implement DCE/RPC functionality in this dinosaurus lib. You can also try Dave Aitel's SPIKE.

Yeah sure; If you're passionate about medieval history and you are a fan of the Flintstones, you'll be happy with Dave Aitel's fuzzer.

Regards,
Antony

>> This vulnerability is about sending a *huge fucking* stream of UDP packets on a closed port in order to trigger an int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.
>
> Is this related to the undisclosed MS09-048, which we were told did not require remediation because the Windows firewall (et al) mitigated the vulnerability? http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx.
>
> Jeff
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:
> You could just google for IRC packs of win2k src ;) I know i have a copy of it somewhere... actually tho, would not be helpful tho, as it does not affect win2k.. so i guess there would be some code there but not the code you want. @george and, ideally if 'years' ago existed for this exploit but, it does only affect v6 and up , this is tested so xp/2k/2k3 not affected... still, i know people are using other ways anyhow , and thats just how botting is... one way dies, one takes its place :s i guess we wait for the rls of this.. maybe!

as in real life, real bugs die (the imaginary case is not clear to me).

i suppose trustworthy computing doesn't mean not many bugs still alive.

-- j
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
So, I've looked about on the web to see what software of any consequence you have written, but I can't find any. Can you point me to anything that illustrates that you know how to develop wide scale software applications and execute an SDL plan, or do you just like to sit back and bitch about everyone else without actually doing anything? I'm serious - I'd really like to know. Over all these years, all I've ever seen from you is talk about how stupid everyone else is, but I've never once actually seen you do anything constructive.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski
Sent: Thursday, November 10, 2011 8:48 AM
To: xD 0x41
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:
> [...]

as in real life, real bugs die (the imaginary case is not clear to me).

i suppose trustworthy computing doesn't mean not many bugs still alive.

-- j
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Not sure. but the actual real one, is in english :)

About the PPS, i think thats a very bad summary of the exploit, 49days to send a packet, my butt. There is many people assuming wrong things, when it can be done with seconds, syscanner would scan a -b class in minutes, remember it only has to find the vulns, gather, then it would break scan, and trigger vuln... so in real world botnet, yes then, with tcpip patchers, like so many ppl i know myself, even use (tcpipz)patcher ) , which rocks... and it is ONLY one which actually works, when you maybe modify the src so the sys file, is dropped from within a .cpp file, well thats up to you but thats better way to make it work, this will open sockets/threads, as i could, easily prove with one exe, but, the goal is, to trigger the vuln then exploit it, less than 49days :P , so , i guess if this exploit, in real form, gathered 2 million hosts over 3 nights.. i guessing that the exploit, could possibly be triggered with ONE properly setup packet.. people forget that, a packet is one thing, and a crafted UDP packet, is quite another..

I would not use that YT as the base for anything, it is bs, the author is NOT russian. Anyhow, nice try but no banana.

On 11 November 2011 06:49, Sergito sergito.li...@gmail.com wrote:
> PoC ? http://www.youtube.com/watch?v=4aBE6o0oDlo
>
> []'s
> Sergito
>
> 2011/11/10 Thor (Hammer of God) t...@hammerofgod.com
>> [...]
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
thx to: http://www.securityaegis.com/

"""ms11-083_sniffer.py

Simple packet sniffer that writes a pcap file for any UDP traffic heading
for closed ports. Written in an attempt to capture data from a MS11-083
exploit in the wild.

Author: Samuel Hunter
If you have any suggestions or comments find me on twitter or send me some
mail. Dont tell me about my dirty code, I'm aware of that. This was written
quickly with no concern of standards.
twitter: @Trowalts
email: trowa...@gmail.com
"""
from pcapy import open_live
from impacket import ImpactDecoder, ImpactPacket
from socket import socket, AF_INET, SOCK_STREAM, inet_ntoa
import fcntl
import struct
import os
import time


class Sniffer:
    def __init__(self):
        self.promiscuous = True
        self.called = 0  # silly habits
        self.interface = 'eth0'
        self.max_bytes = 65535  # Theoretical max size for a UDP packet
        self.read_timeout = 100
        self.portlist = []  # filled by refresh_portlist()
        self.ip = self.get_ip_address(self.interface)
        self.bpf = 'ip dst host %s and not src net 192.168.1.0/30' % self.ip
        print("\n---")
        print("Sniffing for unsolicited UDP packets to closed ports.")
        print('"Open ports are for losers" - MS11-083')
        print("Pcap log started, listening from %s"
              % time.strftime("%d:%m:%Y %H:%M:%S", time.localtime()))
        print("---")

    def get_ip_address(self, ifname):
        # SIOCGIFADDR (0x8915) returns the interface's IPv4 address in bytes 20:24
        s = socket(AF_INET, SOCK_STREAM)
        return inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915,
                                     struct.pack('256s', ifname[:15].encode('ascii')))[20:24])

    def start(self):
        self.reader = open_live(self.interface, self.max_bytes,
                                self.promiscuous, self.read_timeout)
        # Pcapy uses BPF to filter packets, "not src net 192.168.1.0/30"
        # should be changed, it just filters out 1.0, 1.1, 1.2 and 1.3
        # which I use for different gateways and dont want traffic
        # from the router hitting the logs.
        self.reader.setfilter(self.bpf)
        # Run the packet capture loop
        self.reader.loop(0, self.callback)

    def callonce(self):
        # Open the pcap dump file the first time a packet qualifies
        self.dumper = self.reader.dump_open(
            time.strftime("%d-%m-%Y_%H-%M-%S.pcap", time.localtime()))
        self.called = 1

    def callback(self, hdr, data):
        # Parse the Ethernet packet
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet packet, then the transport header
        iphdr = ether.child()
        udphdr = iphdr.child()
        # First check that the packets are not coming from the local host
        # Then check that it is a UDP packet (in case you changed the BPF) also
        # Check that the destination port for the packet is a closed port on the host
        if iphdr.get_ip_src() != self.ip:
            self.refresh_portlist()
            if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol
                    and udphdr.get_uh_dport() not in self.portlist):
                if self.called == 0:
                    self.callonce()
                print("Incoming UDP packet from %s" % iphdr.get_ip_src())
                self.dumper.dump(hdr, data)

    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports
        # used in the callback function as criteria for logging traffic
        output = os.popen('./getports.sh')
        pl = output.readlines()
        self.portlist = []
        for p in pl:
            self.portlist.append(int(p))


def main():
    snf = Sniffer()
    snf.start()


if __name__ == '__main__':
    main()

and bash script:

#!/bin/bash
# Print every local UDP port that is in use or listening, one per line.
# NR>2 skips netstat's two header lines; sub() strips "addr:" from the
# Local Address column so only the port number is left.
netstat -un  | awk 'NR>2{ sub(/.*:/,"",$4); uniq[$4] }END{ for(i in uniq) print i }'
netstat -lun | awk 'NR>2{ sub(/.*:/,"",$4); uniq[$4] }END{ for(i in uniq) print i }'

NOW you can make your own :D

http://www.securityaegis.com/wp-content/uploads/2011/11/honey_in_jar_black_background.jpg

cheers!
xd--

On 11 November 2011 06:49, Sergito sergito.li...@gmail.com wrote:
> PoC ? http://www.youtube.com/watch?v=4aBE6o0oDlo
>
> []'s
> Sergito
>
> 2011/11/10 Thor (Hammer of God) t...@hammerofgod.com
>> [...]
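The sniffer above logs every unsolicited datagram to a pcap but never asks whether one source is hammering one closed port, which is the precondition the bulletin describes. This added example (not code from the thread or from ms11-083_sniffer.py) adds that rate check over constructed records; hosts, ports, the window and the threshold are all assumptions.

```python
"""Flag a sustained stream of UDP datagrams aimed at a single closed port.

Added example, not part of the original post: the record format, the
sample addresses, the listening-port set, the window and the threshold
are all constructed here for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, NamedTuple, Set, Tuple


class Datagram(NamedTuple):
    ts: float     # capture timestamp in seconds (constructed)
    src: str      # source IP (constructed)
    dport: int    # destination UDP port


class Alert(NamedTuple):
    src: str
    dport: int
    count: int    # datagrams to this closed port inside the window
    first_ts: float
    last_ts: float


def closed_port_stream_alerts(
    datagrams: Iterable[Datagram],
    listening_udp_ports: Set[int],
    window_s: float = 10.0,
    threshold: int = 100,
) -> List[Alert]:
    """One Alert per (src, dport) whose datagram count to a closed UDP port
    reaches `threshold` inside any `window_s`-second sliding window.

    Counting per (src, dport) is what separates the "continuous flow to a
    closed port" pattern from an ordinary UDP sweep, which sends one or
    two datagrams to each of many ports and never trips the threshold.
    """
    windows: Dict[Tuple[str, int], Deque[float]] = defaultdict(deque)
    alerted: Dict[Tuple[str, int], Alert] = {}
    for d in sorted(datagrams, key=lambda x: x.ts):
        if d.dport in listening_udp_ports:
            continue                   # a real service owns this port
        key = (d.src, d.dport)
        q = windows[key]
        q.append(d.ts)
        while q and d.ts - q[0] > window_s:
            q.popleft()                # slide the window forward
        if len(q) >= threshold and key not in alerted:
            alerted[key] = Alert(d.src, d.dport, len(q), q[0], d.ts)
    return list(alerted.values())


def sample_traffic() -> List[Datagram]:
    """Constructed traffic: a port sweep, normal DNS, and one sustained stream."""
    pkts: List[Datagram] = []
    # A sweep: one datagram to each of 300 closed ports (noise, not a stream)
    for p in range(20000, 20300):
        pkts.append(Datagram(1.0 + p / 1000.0, "192.0.2.10", p))
    # Normal DNS traffic to a listening port: must never alert
    for i in range(500):
        pkts.append(Datagram(2.0 + i * 0.01, "192.0.2.20", 53))
    # A sustained stream: 2000 datagrams to one closed port in about 6 seconds
    for i in range(2000):
        pkts.append(Datagram(5.0 + i * 0.003, "198.51.100.7", 40001))
    return pkts


if __name__ == "__main__":
    for a in closed_port_stream_alerts(sample_traffic(), {53, 123}):
        print("stream to closed UDP port: src=%s dport=%d count=%d in %.3fs"
              % (a.src, a.dport, a.count, a.last_ts - a.first_ts))
```

On a live box the datagrams would come from the sniffer's callback and the listening set from its getports.sh output.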
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Fri, 11 Nov 2011 06:59:31 +1100, xD 0x41 said:
> nights.. i guessing that the exploit, could possibly be triggered with ONE properly setup packet..

Evidence for this, given that the announcement specifically says a *stream* of crafted UDP packets?
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Fake :)

From: Sergito [mailto:sergito.li...@gmail.com]
Sent: Thursday, November 10, 2011 11:50 AM
To: Thor (Hammer of God)
Cc: Georgi Guninski; xD 0x41; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

PoC ? http://www.youtube.com/watch?v=4aBE6o0oDlo

[]'s
Sergito

2011/11/10 Thor (Hammer of God) t...@hammerofgod.com
> [...]
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Kingcope, where's the exploit? :P

On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
> http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>
> The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
>
> Microsoft did it once again.
>
> - Henri Salo
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
So... Another Conficker type worm possible from this bug if everyone cocks up and fails to patch?

On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia nahuel.griso...@gmail.com wrote:
> Kingcope, where's the exploit? :P
>
> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>> [...]

--
My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Balls, I forgot to add this to the last message, but has anyone examined the patch yet? I can only imagine it would be VERY interesting to look at...

<sarcasm>Or that it opens all UDP ports so that there are no closed ones to exploit</sarcasm>

On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
> So... Another Conficker type worm possible from this bug if everyone cocks up and fails to patch?
>
> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia nahuel.griso...@gmail.com wrote:
>> Kingcope, where's the exploit? :P
>>
>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>>> [...]

--
My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Is awesome exploit yes! I have looked at this and, you dont need to be udp... only... it is TCP-IP. ... which, i was luckily given a copy earlier than release date so have had time,... this whole thing reopens the old idlescan and, simply one tcp scanner, even a udp one, all you have to do is send a req, receive known SQN and ACK , thats pretty basic packet :s , and then it will open, amongst other things, UDP closed, although please note, the author of this and even technet clearly states, that it can use TCP/IP stack and, use IP and TCP ports/packets to scan, so the scanning just got 10x easier to make, no smb neg, just a simple netbios, maybe a peek down a pipe and, hopefully, i get this thing to go :P , I really want to see what this baby can show me that i dont already know.. but i know one thing, this is nothing, this wormhole, is by far the biggest i have seen since dcom.. and remote code means remote worm...so, yes, expect a lot of newer boxes, infected, and yes even fully patched rc2 and datacenter copies are affected..and, if anyone has seen the paper well, it clearly states the packet needs to only contain 2 things, and, probably have some nice little spoofing even possible, since the nature allows it to scan by udp, can then spoof all scanning to on windows, this is only possible on udp and some tcp syn d0s.. anyhow, yes, this could become easily the next blaster, maybe, because it does by nature bypass dep and aslr, and basically, reopens an old attack vector, so many bot farmers, would probably be seeking to port this already from Poc infos, and, it would not be hard, i will attempt it in private, and, i can already foresee this will *not* be a hard one... when the official papers are thru and done, i guess there will be more about the tcp ip but seriously just think of the name of it , lol.. it is tcp-ip stack overflow right... tcp-ip :P anyhow.. yea..

it is going to see whether the scanner can work fast, ie: a fingerprinter made so it can see if it is a type of box, and thats VERY simple thanks to porting of metasploits dcerpc/smb scanner, which attaches and makes smb session, to get workgroup and other things...depending on port chosen, personally me, to speed it up, would opt for udp scanner (i have skeleton for a mssql scanner in cpp i have still got which works, drops to shell etc..0 ... then i guess, making the packet, and, that would need a cpl of headers in the code, woopee, and, some simple fail to respond to xp, must be v6 , if v6 then, can continue on with fingerprinting, etc..so, to find a box can be very fast so, using smb on port 138/UDP , if possible to, or simply connect to 139/SMB-NT authority ,and id simply use if/else, so udp or tcp gets triggered.. very easy to write this for those who have read the poc and know windows cpp, it only will take the packet SQN number, thats it.. the rest is bacon.. it is a very nice exploit for this late in the lives of these OS..a pity really.. only good thing is, it does not affect my family's pcs, which are nice and old now, so, i dont have more maintenance headaches :D

cheers , have a happy patch tuesday!
xd-- was h3re (cool spraypainting here .. )

On 9 November 2011 22:25, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
> Balls, I forgot to add this to the last message, but has anyone examined the patch yet? I can only imagine it would be VERY interesting to look at...
>
> <sarcasm>Or that it opens all UDP ports so that there are no closed ones to exploit</sarcasm>
>
> On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
>> So... Another Conficker type worm possible from this bug if everyone cocks up and fails to patch?
>>
>> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia nahuel.griso...@gmail.com wrote:
>>> Kingcope, where's the exploit? :P
>>>
>>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>>>> [...]
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
xD, does this mean you HAVE exploit code for this? Care to share that?

On Wed, Nov 9, 2011 at 11:42 AM, xD 0x41 sec...@gmail.com wrote:
> [...]
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Wed, Nov 9, 2011 at 6:25 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
> Balls, I forgot to add this to the last message, but has anyone examined the patch yet? I can only imagine it would be VERY interesting to look at...
>
> <sarcasm>Or that it opens all UDP ports so that there are no closed ones to exploit</sarcasm>

Yet another bug class (refcount overflows) that the PaX Team eradicated years ago and everyone else is still scrambling to catch up.

People seem incredulous that the bug can be triggered by sending traffic to closed ports. Keep in mind that the only way your networking stack knows to reject packets that are directed towards closed ports is to do some preliminary parsing of those packets, namely allocating some control structures, receiving at least the physical/link layer frame, IP header, and transport layer header, and parsing out the port and destination address. There's plenty of things that can go wrong before the kernel decides this is for a port that's not open and drops it, which appears to be what happened here. Doesn't make the bug any less terrible, but it's not quite as surprising as people seem to think.

> On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
>> So... Another Conficker type worm possible from this bug if everyone cocks up and fails to patch?

While I'd love to see an exploit from a purely academic perspective, it doesn't appear that this is the type of bug where exploitation is going to be reliable enough to support a worm. The reference counter in question is most likely 32 bits, but even giving the benefit of the doubt and saying it's a 16-bit refcount, that's still 2^16 events (probably receiving a certain UDP packet) that need to be triggered precisely in order to cause a refcount overflow and then trigger a remote kernel use-after-free condition, which wouldn't be trivial to exploit even by itself. On an unreliable network like the Internet, it seems unlikely that the kind of traffic volume required to trigger this bug could be generated without dropping a single packet. Reliable DoS seems more likely though.

-Dan

>> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia nahuel.griso...@gmail.com wrote:
>>> Kingcope, where's the exploit? :P
>>>
>>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
>>>> [...]
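Dan's 2^16-events argument, as an added example that is not part of his post and is not Windows code: a toy object with a fixed-width reference counter that wraps, so the owner's single legitimate release frees an object that still has live holders, next to an overflow-checked counter of the kind he credits to PaX, which saturates instead. The class, its width and every name here are assumptions.

```python
"""Toy model of a fixed-width refcount overflow and of the checked counter
that closes it.  Added example; the object and all names are assumptions,
not kernel internals.
"""


class UseAfterFree(Exception):
    """A holder touched the object after the counter reached zero."""


class RefCounted:
    def __init__(self, bits: int = 16, checked: bool = False):
        self.mask = (1 << bits) - 1   # fixed-width counter, e.g. 0xFFFF
        self.count = 1                # the owner's own reference
        self.checked = checked        # True: refuse to wrap (saturate)
        self.freed = False
        self.refused = 0              # references the checked counter declined

    def get(self) -> None:
        """Take a reference: one 'event', e.g. one datagram the stack
        accepted and parsed before deciding the port was closed."""
        if self.freed:
            raise UseAfterFree("get() on freed object")
        if self.checked and self.count == self.mask:
            self.refused += 1         # leak the object rather than wrap it
            return
        self.count = (self.count + 1) & self.mask   # the unchecked wrap

    def put(self) -> None:
        """Drop a reference; the object is freed when the count hits zero."""
        if self.freed:
            raise UseAfterFree("put() on freed object")
        self.count = (self.count - 1) & self.mask
        if self.count == 0:
            self.freed = True

    def touch(self) -> None:
        """What any remaining holder does after a premature free."""
        if self.freed:
            raise UseAfterFree("use of freed object")


def drive(bits: int = 16, checked: bool = False) -> dict:
    """Issue 2**bits get() events with no matching put() (the 'continuous
    flow of packets'), then let the owner release once.  With bits=16 the
    unchecked counter reads 1 again after the loop, so that one release
    frees an object with 2**16 live holders.  (bits=32 is the same story
    with 2**32 events; do not loop that here.)"""
    obj = RefCounted(bits, checked)
    events = 1 << bits
    for _ in range(events):
        obj.get()
    obj.put()                         # the owner's single legitimate release
    try:
        obj.touch()
        uaf = False
    except UseAfterFree:
        uaf = True
    return {"events": events, "count_after_release": obj.count,
            "freed": obj.freed, "use_after_free": uaf, "refused": obj.refused}


if __name__ == "__main__":
    print("unchecked 16-bit:", drive(16, checked=False))
    print("checked   16-bit:", drive(16, checked=True))
```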
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I have the PoC from another source than the actual author, but yes, I was given only infos and the PoC a week or so ago.. and there is code, but I do not have this.. I will just say that I have as much as TechNet does, maybe a bit more about packet infos.. like what exactly must be done, and that's only 2 things, which is in between the packet arriving at the closed port, two things, then one-two-5 packets, it might take 10 on some boxes, but the overflow will 100% work and bypasses all protections on and up to RC2 of the Datacenter edition. Yes it is big, it is the biggest secret actually, but we will see more when the author comes out with it, which is possibly never, but I know that I have enough infos from what I've read to start testing, and this I have done many times and still hold a couple of undiscloseds for M$, but I guess the bug on this is that it hits the newest boxes, NOT the oldies as most were doing over and over... and no vector really matters at that stage, the scan is dead. Anyhow, this TCP/IP bug makes for a great cpp code, and for the two things it needs, well, I have said it, SQN and ACK, and this could be gained then set to the packet, then sent.. there is a buffer size at which the port opens, but this is undisclosed. Cheers.

On 9 November 2011 22:46, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
> xD, does this mean you HAVE exploit code for this? Care to share that?
>
> On Wed, Nov 9, 2011 at 11:42 AM, xD 0x41 sec...@gmail.com wrote:
>> Is awesome exploit yes! I have looked at this and, you don't need to be UDP... only... it is TCP/IP. ... which, I was luckily given a copy earlier than release date so have had time,... this whole thing reopens the old idlescan and, simply one TCP scanner, even a UDP one, all you have to do is send a req, receive known SQN and ACK, that's pretty basic packet :s , and then it will open, amongst other things, UDP closed, although please note, the author of this and even TechNet clearly states that it can use TCP/IP stack and use IP and TCP ports/packets to scan, so the scanning just got 10x easier to make, no SMB neg, just a simple NetBIOS, maybe a peek down a pipe and, hopefully, I get this thing to go :P , I really want to see what this baby can show me that I don't already know.. but I know one thing, this is nothing, this wormhole is by far the biggest I have seen since DCOM.. and remote code means remote worm... so, yes, expect a lot of newer boxes infected, and yes even fully patched RC2 and Datacenter copies are affected.. and if anyone has seen the paper, well, it clearly states the packet needs to only contain 2 things, and probably have some nice little spoofing even possible, since the nature allows it to scan by UDP, can then spoof all scanning to on Windows, this is only possible on UDP and some TCP SYN DoS.. anyhow, yes, this could become easily the next Blaster, maybe, because it does by nature bypass DEP and ASLR, and basically reopens an old attack vector, so many bot farmers would probably be seeking to port this already from PoC infos, and it would not be hard, I will attempt it in private, and I can already foresee this will *not* be a hard one... when the official papers are through and done, I guess there will be more about the TCP/IP but seriously just think of the name of it, lol.. it is TCP/IP stack overflow right... TCP/IP :P anyhow.. yea..
>>
>> It is going to see whether the scanner can work fast, ie: a fingerprinter made so it can see if it is a type of box, and that's VERY simple thanks to porting of Metasploit's dcerpc/smb scanner, which attaches and makes an SMB session to get workgroup and other things... depending on port chosen, personally me, to speed it up, would opt for a UDP scanner (I have a skeleton for a MSSQL scanner in cpp I have still got which works, drops to shell etc..) ... then I guess, making the packet, and that would need a couple of headers in the code, woopee, and some simple fail to respond to XP, must be v6, if v6 then can continue on with fingerprinting, etc.. so to find a box can be very fast so, using SMB on port 138/UDP, if possible to, or simply connect to 139/SMB-NT authority, and I'd simply use if/else, so UDP or TCP gets triggered.. very easy to write this for those who have read the PoC and know Windows cpp, it only will take the packet SQN number, that's it.. the rest is bacon.. it is a very nice exploit for this late in the lives of these OS.. a pity really.. only good thing is, it does not affect my family's PCs, which are nice and old now, so I don't have more maintenance headaches :D cheers, have a happy patch Tuesday! xd-- was h3re (cool spraypainting here .. )
>>
>> On 9 November 2011 22:25, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
>>> Balls, I forgot to add this to the last message, but has anyone examined the patch yet? I can only imagine it would be VERY interesting to look at... <sarcasm> Or that it opens all UDP ports so that there are no closed
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On 09/11/2011 11:45, Dan Rosenberg wrote:
> On Wed, Nov 9, 2011 at 6:25 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
>> Balls, I forgot to add this to the last message, but has anyone examined the patch yet? I can only imagine it would be VERY interesting to look at... <sarcasm> Or that it opens all UDP ports so that there are no closed ones to exploit </sarcasm>
>
> Yet another bug class (refcount overflows) that the PaX Team eradicated years ago and everyone else is still scrambling to catch up.
>
> People seem incredulous that the bug can be triggered by sending traffic to closed ports. Keep in mind that the only way your networking stack knows to reject packets that are directed towards closed ports is to do some preliminary parsing of those packets, namely allocating some control structures, receiving at least the physical/link layer frame, IP header, and transport layer header, and parsing out the port and destination address. There's plenty of things that can go wrong before the kernel decides this is for a port that's not open and drops it, which appears to be what happened here. Doesn't make the bug any less terrible, but it's not quite as surprising as people seem to think.

Yes, I agree. The term "closed port" is somewhat misleading to those who have no idea of how a TCP/IP stack works. What is surprising though is that this flaw exists in such a mature OS as Windows. But then again, this is Microsoft we are talking about.

> [...]
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Tue, Nov 08, 2011 at 11:53:52PM +0200, Henri Salo wrote:
> http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>
> The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
>
> Microsoft did it once again.
>
> - Henri Salo

Imagine if you knew about this a few years ago...

-- j
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Oddly enough, I was aware the kernel has to handle packets sent to closed ports, just was not thinking of HOW it handles them. I would love to see the code for that, and am planning to look at the same code on Linux so I can see exactly what the hell it does.

On Wed, Nov 9, 2011 at 1:56 PM, Georgi Guninski gunin...@guninski.com wrote:
> On Tue, Nov 08, 2011 at 11:53:52PM +0200, Henri Salo wrote:
>> http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>> [...]
>
> Imagine if you knew about this a few years ago...
>
> -- j

-- My Homepage :D http://compsoc.nuigalway.ie/%7Einfodox
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
[..]
> While I'd love to see an exploit from a purely academic perspective, it doesn't appear that this is the type of bug where exploitation is going to be reliable enough to support a worm. The reference counter in question is most likely 32 bits, but even giving the benefit of the doubt and saying it's a 16-bit refcount, that's still 2^16 events (probably receiving a certain UDP packet) that need to be triggered precisely in order to cause a refcount overflow and then trigger a remote kernel use-after-free condition, which wouldn't be trivial to exploit even by itself. On an unreliable network like the Internet, it seems unlikely that the kind of traffic volume required to trigger this bug could be generated without dropping a single packet. Reliable DoS seems more likely though.

I would love to hear about results running this exploit/PoC/whatever against a xBSD TCP/IP stack. The Microsoft Windows TCP/IP stack looks so BSDish to me since Windows Vista. But that's probably because they rewrote it completely at that time (with integration of their new IPv6 stack also).

Joke: Chuck Norris can exploit sockets that aren't even listening.

-- GomoR, Senior Security Engineer, http://www.GomoR.org/ (zsh$ alias psed='perl -pe ') Net::Frame = http://search.cpan.org/~gomor/
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
> Joke: Chuck Norris can exploit sockets that aren't even listening.

No... that's Bruce Schneier :P
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
> People seem incredulous that the bug can be triggered by sending traffic to closed ports. Keep in mind that the only way your networking stack knows to reject packets that are directed towards closed ports is to do some preliminary parsing of those packets, namely allocating some control structures, receiving at least the physical/link layer frame, IP header, and transport layer header, and parsing out the port and destination address. There's plenty of things that can go wrong before the kernel decides this is for a port that's not open and drops it, which appears to be what happened here. Doesn't make the bug any less terrible, but it's not quite as surprising as people seem to think.

I am surprised about this, because Microsoft is definitely lacking some level of testing and change management in critical code. How many servers are people using without networking these days? We do talk about a remote code execution vulnerability in something which obviously might go unnoticed when we think of security audits, PCI and such. I wonder if the integrated firewall in Windows could block this, as Microsoft should do everything in their power to stop attacks on this security vulnerability.

Related picture: http://paste.nerv.fi/72975464-itbegins.jpeg

Best regards,
Henri Salo
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
You could just google for IRC packs of win2k src ;) I know I have a copy of it somewhere... actually though, it would not be helpful though, as it does not affect Win2k.. so I guess there would be some code there but not the code you want.

@george and, ideally if 'years' ago existed for this exploit but, it does only affect v6 and up, this is tested so XP/2k/2k3 not affected... still, I know people are using other ways anyhow, and that's just how botting is... one way dies, one takes its place :s I guess we wait for the rls of this.. maybe!

On 10 November 2011 01:51, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
> Oddly enough, I was aware the kernel has to handle packets sent to closed ports, just was not thinking of HOW it handles them. I would love to see the code for that, and am planning to look at the same code on Linux so I can see exactly what the hell it does.
>
> On Wed, Nov 9, 2011 at 1:56 PM, Georgi Guninski gunin...@guninski.com wrote:
>> On Tue, Nov 08, 2011 at 11:53:52PM +0200, Henri Salo wrote:
>>> http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>>> [...]
>>
>> Imagine if you knew about this a few years ago...
>>
>> -- j
>
> -- My Homepage :D
[Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
http://technet.microsoft.com/en-us/security/bulletin/ms11-083

The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.

Microsoft did it once again.

- Henri Salo
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Major roflage!