Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-11 Thread H D Moore
The DLLs for XP SP2 and 2003 SP1 were compiled with Visual Studio's stack 
protection flag (/GS). This prevents a standard return address overwrite 
from working. The wcscpy() method everyone is using in their exploits is 
also blocked by another change in how the compiler orders and passes 
arguments.  The standard way to bypass /GS is to use a SEH ptr overwrite, 
but so far, it doesn't seem possible to reach a SEH ptr with the 
overflow, when using the PathCanonicalize method. 


On Friday 11 August 2006 08:40, Brendan Dolan-Gavitt wrote:
> Is there any technical reason that an exploit cannot be developed
> against XP SP2 and Server 2003 SP1? Or is this only a limitation of
> the current Metasploit exploit?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
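HD's point above is that /GS puts a cookie between a function's local buffers and its saved return address, and checks that cookie in the epilogue, so the classic overwrite is caught before the function returns. The following is an added C model of that mechanism, not code from this thread or from Metasploit: the frame layout, the `MODULE_COOKIE` constant and the `run_frame` helper are constructed stand-ins, and the copy is clamped to the frame object so the program stays defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a /GS-protected stack frame. The compiler places a
 * security cookie between the function's local buffers and the saved return
 * address, so a copy that overruns the buffer has to corrupt the cookie
 * before it can reach the return address. Layout and values here are
 * illustrative stand-ins, not the real MSVC frame layout. */
typedef struct {
    char     buf[16];    /* local buffer that an unbounded copy overruns */
    uint32_t cookie;     /* /GS security cookie, copied from a per-module secret */
    uint32_t saved_ret;  /* saved return address the cookie guards */
} frame_t;

/* Stand-in for the per-module security cookie (constructed constant;
 * the real value is randomised when the module loads). */
static const uint32_t MODULE_COOKIE = 0x4E1CAFE7u;

/* Prologue: the frame is set up and the cookie written below the return address. */
static void prologue(frame_t *f, uint32_t ret) {
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = MODULE_COOKIE;
    f->saved_ret = ret;
}

/* The bug: an unbounded copy into buf, in the style of the strcpy/wcscpy
 * pattern discussed in the thread. The copy is clamped to the frame object
 * so the model stays defined behaviour; everything past buf is collateral. */
static void vulnerable_copy(frame_t *f, const char *input, size_t len) {
    if (len > sizeof *f) {
        len = sizeof *f;
    }
    memcpy((char *)f, input, len);
}

/* Epilogue: the equivalent of the /GS cookie check. Returns 1 when the
 * cookie is intact and the function may return, 0 when the frame was
 * smashed (the real check hands control to a failure handler instead). */
static int epilogue_check(const frame_t *f) {
    return f->cookie == MODULE_COOKIE;
}

/* Pushes one input through the model frame. Writes the (possibly overwritten)
 * saved return address to *ret_out and returns the result of the cookie check. */
int run_frame(const char *input, size_t len, uint32_t *ret_out) {
    frame_t f;
    prologue(&f, 0x00401000u);          /* constructed return address */
    vulnerable_copy(&f, input, len);
    *ret_out = f.saved_ret;
    return epilogue_check(&f);
}

int main(void) {
    uint32_t ret;
    char smash[sizeof(frame_t)];
    memset(smash, 'A', sizeof smash);   /* constructed overlong input */

    int ok = run_frame("hello", 5, &ret);
    printf("benign input  : cookie %s, saved_ret=0x%08x\n",
           ok ? "intact" : "CORRUPT", ret);

    ok = run_frame(smash, sizeof smash, &ret);
    printf("overlong input: cookie %s, saved_ret=0x%08x\n",
           ok ? "intact" : "CORRUPT", ret);
    return 0;
}
```

The model makes two things visible: any write long enough to reach the saved return address has already replaced the cookie, so the epilogue check fails, and the check runs only when the function returns. The mitigation detects the corruption at function exit rather than preventing the write itself, which is the limitation HD's remark about reaching other structures refers to.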


Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-11 Thread Dude VanWinkle

On 8/11/06, Brendan Dolan-Gavitt <[EMAIL PROTECTED]> wrote:

> Is there any technical reason that an exploit cannot be developed
> against XP SP2 and Server 2003 SP1? Or is this only a limitation of
> the current Metasploit exploit?


I think the poster you are referring to was talking about Core IMPACT
only having an NT4 exploit.

-JP



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-11 Thread Brendan Dolan-Gavitt

Is there any technical reason that an exploit cannot be developed
against XP SP2 and Server 2003 SP1? Or is this only a limitation of
the current Metasploit exploit?

Thanks,
 Brendan

On 8/10/06, H D Moore <[EMAIL PROTECTED]> wrote:

> On Wednesday 09 August 2006 13:10, Matt Davis wrote:
>> Did I completely miss exploit code being released in the wild for that
>> vulnerability?
>
> The Metasploit Framework module is now public, I included a copy of the
> email I sent to the Framework mailing list below.
>
> For the lazy:
> http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm
>
> --  Forwarded Message  --
>
> Subject: [framework] Metasploit Framework Updates
> Date: Thursday 10 August 2006 02:52
> From: H D Moore <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
>
> Hello everyone,
>
> I just pushed out a new round of updates for version 2.6 of the
> Metasploit Framework. This update includes new exploits, new features,
> and massive bug fixes. If it wasn't 3:00am on my birthday I would try
> for a 2.7 release :-)
>
> New exploits:
>
> netapi_ms06-040:
>  - This exploit module should work against all Windows 2000 systems and
> Windows XP SP0 and SP1. It will not work on XP SP2 or 2003 SP1. There is
> a slim chance it can work with modification on 2003 SP0 and NT 4.0 SP6.
> The automatic target should be reliable for most users. The cool thing
> about this exploit is how it uses a strcpy call to place the shellcode
> into a static buffer and then return straight back into it. I have
> another version of this exploit that uses a more traditional exploit
> method, but there doesn't seem to be much point in releasing it now.
>
> ie_createobject:
>  - This exploit module is capable of exploiting any "generic"
> CreateObject vulnerability in an ActiveX control. The current targets
> allow it to exploit MS06-014 and various controls that don't seem to be
> documented or often found vulnerable. This exploit uses the PE "wrapper"
> to download a generated executable containing the selected payload.
>
> eiq_license:
>  - This exploit module is one of many for the recent EIQ vulnerabilities.
> I pushed this one out because of the amount of work the author put into
> it and the lack of cleanup I had to do before including it. The rest of
> the EIQ modules will be added and merged as I get time. Thanks again to
> everyone who submitted modules for these issues.
>
> realvnc_client:
>  - This exploits an older client-side vulnerability in the VNC viewer for
> Windows. Thanks again to MC for writing this up.
>
> securecrt_ssh1:
>  - This exploits an older client-side vulnerability in SecureCRT. Another
> great module provided by MC.
>
> mercury_imap:
>  - This exploit module is capable of exploiting the RENAME command
> overflow found in older versions of the Mercury IMAP software. Yet
> another exploit by MC.
>
> A dozen small bug fixes, new targets, and cosmetic improvements were
> included with this update. Thanks to David Maciejak for sending in many
> of these and having the patience to deal with my update schedule.
>
> Matt Miller (skape) tracked down a long-time bug in the 'EXE' output mode
> of msfpayload. The template executable had an invalid stack size set,
> which caused all DLL Inject payloads to crash when initialized from
> inside the PE template. This fix should allow you to use the vncinject
> and meterpreter payloads with the msfpayload X mode (standalone exe).
>
> The msfpayload tool now has a javascript output format. Simply pass 'J'
> as the output mode of msfpayload to get an unescape()-ready string.
>
> The next 3.0 beta should be ready sometime next week. If I get over my
> fear of being owned via subversion, the actual source code repository
> for 3.0 will also become public.
>
> Enjoy!
>
> -HD





Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-10 Thread H D Moore
At some point, depending on time. Feel free to add one :-)

-HD

On Thursday 10 August 2006 06:03, David Taylor wrote:
> Hi HD,
>
> Do you plan on building a 'check' feature into this in the future?  I
> find those to be very handy in scripting checks on our systems.



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-10 Thread Dude VanWinkle

On 8/10/06, H D Moore <[EMAIL PROTECTED]> wrote:

> On Wednesday 09 August 2006 13:10, Matt Davis wrote:
>> Did I completely miss exploit code being released in the wild for that
>> vulnerability?
>
> The Metasploit Framework module is now public, I included a copy of the
> email I sent to the Framework mailing list below.



and it's like 20,000 dollars cheaper than Core Impact or CANVAS

sweet!

-JP



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-10 Thread David Taylor
Hi HD,

Do you plan on building a 'check' feature into this in the future?  I find
those to be very handy in scripting checks on our systems.


On 8/10/06 3:57 AM, "H D Moore" <[EMAIL PROTECTED]> wrote:

> On Wednesday 09 August 2006 13:10, Matt Davis wrote:
>> Did I completely miss exploit code being released in the wild for that
>> vulnerability?
> 
> The Metasploit Framework module is now public, I included a copy of the
> email I sent to the Framework mailing list below.
> 
> For the lazy:
> http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm
> 
> --  Forwarded Message  --
> 
> Subject: [framework] Metasploit Framework Updates
> Date: Thursday 10 August 2006 02:52
> From: H D Moore <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> 
> Hello everyone,
> 
> I just pushed out a new round of updates for version 2.6 of the
>  Metasploit Framework. This update includes new exploits, new features,
>  and massive bug fixes. If it wasn't 3:00am on my birthday I would try
>  for a 2.7 release :-)
> 
> New exploits:
> 
> netapi_ms06-040:
>  - This exploit module should work against all Windows 2000 systems and
> Windows XP SP0 and SP1. It will not work on XP SP2 or 2003 SP1. There is
> a slim chance it can work with modification on 2003 SP0 and NT 4.0 SP6.
> The automatic target should be reliable for most users. The cool thing
> about this exploit is how it uses a strcpy call to place the shellcode
> into a static buffer and then return straight back into it. I have
> another version of this exploit that uses a more traditional exploit
> method, but there doesn't seem to be much point in releasing it now.
> 
> ie_createobject:
>  - This exploit module is capable of exploiting any "generic"
>  CreateObject vulnerability in an ActiveX control. The current targets
>  allow it to exploit MS06-014 and various controls that don't seem to be
>  documented or often found vulnerable. This exploit uses the PE "wrapper"
>  to download a generated executable containing the selected payload.
> 
> eiq_license:
>  - This exploit module is one of many for the recent EIQ vulnerabilities.
> I pushed this one out because of the amount of work the author put into
> it and the lack of cleanup I had to do before including it. The rest of
> the EIQ modules will be added and merged as I get time. Thanks again to
> everyone who submitted modules for these issues.
> 
> realvnc_client:
>  - This exploits an older client-side vulnerability in the VNC viewer for
> Windows. Thanks again to MC for writing this up.
> 
> securecrt_ssh1:
>  - This exploits an older client-side vulnerability in SecureCRT. Another
> great module provided by MC.
> 
> mercury_imap:
>  - This exploit module is capable of exploiting the RENAME command
> overflow found in older versions of the Mercury IMAP software. Yet
> another exploit by MC.
> 
> A dozen small bug fixes, new targets, and cosmetic improvements were
> included with this update. Thanks to David Maciejak for sending in many
> of these and having the patience to deal with my update schedule.
> 
> Matt Miller (skape) tracked down a long-time bug in the 'EXE' output mode
> of msfpayload. The template executable had an invalid stack size set,
> which caused all DLL Inject payloads to crash when initialized from
> inside the PE template. This fix should allow you to use the vncinject
> and meterpreter payloads with the msfpayload X mode (standalone exe).
> 
> The msfpayload tool now has a javascript output format. Simply pass 'J'
>  as the output mode of msfpayload to get an unescape()-ready string.
> 
> The next 3.0 beta should be ready sometime next week. If I get over my
> fear of being owned via subversion, the actual source code repository
> for 3.0 will also become public.
> 
> Enjoy!
> 
> -HD
> 


==
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader





Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-10 Thread H D Moore
On Wednesday 09 August 2006 13:10, Matt Davis wrote:
> Did I completely miss exploit code being released in the wild for that
> vulnerability?

The Metasploit Framework module is now public, I included a copy of the 
email I sent to the Framework mailing list below.

For the lazy:
http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm

--  Forwarded Message  --

Subject: [framework] Metasploit Framework Updates
Date: Thursday 10 August 2006 02:52
From: H D Moore <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hello everyone,

I just pushed out a new round of updates for version 2.6 of the
 Metasploit Framework. This update includes new exploits, new features,
 and massive bug fixes. If it wasn't 3:00am on my birthday I would try
 for a 2.7 release :-)

New exploits:

netapi_ms06-040:
 - This exploit module should work against all Windows 2000 systems and
Windows XP SP0 and SP1. It will not work on XP SP2 or 2003 SP1. There is
a slim chance it can work with modification on 2003 SP0 and NT 4.0 SP6.
The automatic target should be reliable for most users. The cool thing
about this exploit is how it uses a strcpy call to place the shellcode
into a static buffer and then return straight back into it. I have
another version of this exploit that uses a more traditional exploit
method, but there doesn't seem to be much point in releasing it now.

ie_createobject:
 - This exploit module is capable of exploiting any "generic"
 CreateObject vulnerability in an ActiveX control. The current targets
 allow it to exploit MS06-014 and various controls that don't seem to be
 documented or often found vulnerable. This exploit uses the PE "wrapper"
 to download a generated executable containing the selected payload.

eiq_license:
 - This exploit module is one of many for the recent EIQ vulnerabilities.
I pushed this one out because of the amount of work the author put into
it and the lack of cleanup I had to do before including it. The rest of
the EIQ modules will be added and merged as I get time. Thanks again to
everyone who submitted modules for these issues.

realvnc_client:
 - This exploits an older client-side vulnerability in the VNC viewer for
Windows. Thanks again to MC for writing this up.

securecrt_ssh1:
 - This exploits an older client-side vulnerability in SecureCRT. Another
great module provided by MC.

mercury_imap:
 - This exploit module is capable of exploiting the RENAME command
overflow found in older versions of the Mercury IMAP software. Yet
another exploit by MC.

A dozen small bug fixes, new targets, and cosmetic improvements were
included with this update. Thanks to David Maciejak for sending in many
of these and having the patience to deal with my update schedule.

Matt Miller (skape) tracked down a long-time bug in the 'EXE' output mode
of msfpayload. The template executable had an invalid stack size set,
which caused all DLL Inject payloads to crash when initialized from
inside the PE template. This fix should allow you to use the vncinject
and meterpreter payloads with the msfpayload X mode (standalone exe).

The msfpayload tool now has a javascript output format. Simply pass 'J'
 as the output mode of msfpayload to get an unescape()-ready string.

The next 3.0 beta should be ready sometime next week. If I get over my
fear of being owned via subversion, the actual source code repository
for 3.0 will also become public.

Enjoy!

-HD



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-09 Thread Valdis . Kletnieks
On Wed, 09 Aug 2006 13:45:08 CDT, Matt Davis said:
> Thanks.  What threw me for a loop was that I consider CANVAS et al.
> to be security tools... not hacker tools. 

Same thing.  Just wear a different color hat when you hit 'enter'.



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-09 Thread Ivan Arce
That "one other tool" would be Core IMPACT (I guess it's ok to talk about
commercial security tools on this list, right?)

Anyway, we made our MS06-040 exploit available to all of our customers
within a few hours of the patch release. It is not a PoC but a
commercial-grade exploit that has been documented and QA tested before being
shipped to all our customers.

It works against Win2k and NT4 (still working on XP/win2k3) over port
139/tcp and 445/tcp, it supports DCE and SMB fragmentation and NTLM/LANMAN
authentication.

-ivan

Joris Evers wrote:
> Mehta was referring to a proof-of-concept exploit that is available for
> Canvas and at least one other tool.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> Davis
> Sent: Wednesday, August 09, 2006 11:10 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Exploit for MS06-040 Out?
> 
> Just came across this on news.com regarding MS06-040 and homeland
> security's response:
> 
> http://news.com.com/2100-7348_3-6103805.html?part=rss&tag=6103805&subj=news
> 
> "Overnight, popular hacker toolkits were updated with code that allows
> researchers to check for the flaw and exploit it, said Neel Mehta, a
> security expert at Internet Security Systems in Atlanta."
> 
> Did I completely miss exploit code being released in the wild for that
> vulnerability?
> 
> TIA
> 

-- 
---
"Buy the ticket, take the ride" -HST

Ivan Arce
CTO

CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-09 Thread Matt Davis

Thanks.  What threw me for a loop was that I consider CANVAS et al.
to be security tools... not hacker tools.  So, I wasn't thinking of
those applications when I read that.

I didn't see any mention of exploit code at the usual places.

On 8/9/06, H D Moore <[EMAIL PROTECTED]> wrote:

> Core Impact and Canvas both have exploits out. Metasploit technically has
> one, but it hasn't been completed/released yet.
>
> -HD
>
> On Wednesday 09 August 2006 13:10, Matt Davis wrote:
>> Did I completely miss exploit code being released in the wild for that
>> vulnerability?





--
email:  mjd [AT] mattdavis [DOT] biz
AIM:  MattJDavis  MSN:  [EMAIL PROTECTED]
ICQ:  4632557 G-Talk:  [EMAIL PROTECTED]



Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-09 Thread Dave Aitel

I'm not sure if "overnight" is correct - since we released it around
4pm EST into our Partner's program. This is something different from
CANVAS Professional in that it's more a program for large penetration
testing companies, government agencies, and security providers. But
it's still funny that you can write an exploit faster than someone can
go through Microsoft Update... sometimes I don't know why people
bother patching at all.

-dave

Matt Davis wrote:
> Just came across this on news.com regarding MS06-040 and homeland
> security's response:
>
> "Overnight, popular hacker toolkits were updated with code that
> allows researchers to check for the flaw and exploit it, said Neel
> Mehta, a security expert at Internet Security Systems in Atlanta."
>
> Did I completely miss exploit code being released in the wild for
> that vulnerability?
>
> TIA
>




Re: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-09 Thread H D Moore
Core Impact and Canvas both have exploits out. Metasploit technically has 
one, but it hasn't been completed/released yet.

-HD

On Wednesday 09 August 2006 13:10, Matt Davis wrote:
> Did I completely miss exploit code being released in the wild for that
> vulnerability?



RE: [Full-disclosure] Exploit for MS06-040 Out?

2006-08-09 Thread Joris Evers
Mehta was referring to a proof-of-concept exploit that is available for
Canvas and at least one other tool.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Davis
Sent: Wednesday, August 09, 2006 11:10 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Exploit for MS06-040 Out?

Just came across this on news.com regarding MS06-040 and homeland
security's response:

http://news.com.com/2100-7348_3-6103805.html?part=rss&tag=6103805&subj=news

"Overnight, popular hacker toolkits were updated with code that allows
researchers to check for the flaw and exploit it, said Neel Mehta, a
security expert at Internet Security Systems in Atlanta."

Did I completely miss exploit code being released in the wild for that
vulnerability?

TIA

