xD, does this mean you HAVE exploit code for this? Care to share that?

On Wed, Nov 9, 2011 at 11:42 AM, xD 0x41 <[email protected]> wrote:

> Is awesome exploit yes!
> I have looked at this and, you don't need to be udp... only... it is
> TCP-IP. ... which, i was luckily given a copy earlier than release date
> so have had time,... this whole thing reopens the old idlescan and,
> simply one tcp scanner, even a udp one, all you have to do is send a
> req, receive known SQN and ACK, that's pretty basic packet :s , and
> then it will open, amongst other things, UDP closed, although please
> note, the author of this and even technet clearly states, that it can
> use TCP/IP stack and, use IP and TCP ports/packets to scan, so the
> scanning just got 10x easier to make, no smb neg, just a simple
> netbios, maybe a peek down a pipe and, hopefully, i get this thing to
> go :P , I really want to see what this baby can show me that i don't
> already know.. but i know one thing, this is nothing, this wormhole, is
> by far the biggest i have seen since dcom.. and remote code means
> remote worm...so, yes, expect a lot of newer boxes, infected, and yes
> even fully patched rc2 and datacenter copies are affected..and, if
> anyone has seen the paper well, it clearly states the packet needs to
> only contain 2 things, and, probably have some nice little spoofing
> even possible, since the nature allows it to scan by udp, can then
> spoof all scanning to on windows, this is only possible on udp and
> some tcp syn d0s.. anyhow, yes, this could become easily the next
> blaster, maybe, because it does by nature bypass dep and aslr, and
> basically, reopens an old attack vector, so many bot farmers, would
> probably be seeking to port this already from PoC infos, and, it would
> not be hard, i will attempt it in private, and, i can already foresee
> this will *not* be a hard one... when the official papers are through and
> done, i guess there will be more about the tcp ip but seriously just
> think of the name of it , lol.. it is tcp-ip stack overflow right...
> tcp-ip :P anyhow.. yea..
> it is going to see whether the scanner can work
> fast, ie: a fingerprinter made so it can see if it is a type of box,
> and that's VERY simple thanks to porting of metasploit's dcerpc/smb
> scanner, which attaches and makes smb session, to get workgroup and
> other things...depending on port chosen, personally me, to speed it
> up, would opt for udp scanner (i have skeleton for a mssql scanner in
> cpp i have still got which works, drops to shell etc..) ... then i
> guess, making the packet, and, that would need a couple of headers in the
> code, woopee, and, some simple fail to respond to xp, must be v6 , if
> v6 then, can continue on with fingerprinting, etc..so, to find a box
> can be very fast so, using smb on port 138/UDP , if possible to, or
> simply connect to 139/SMB-NT authority ,and id simply use if/else, so
> udp or tcp gets triggered.. very easy to write this for those who have
> read the poc and know windows cpp, it only will take the packet SQN
> number, that's it.. the rest is bacon.. it is a very nice exploit for
> this late in the lives of these OS..a pity really.. only good thing
> is, it does not affect my family's pcs, which are nice and old now, so,
> i don't have more maintenance headaches :D
> cheers , have a happy patch tuesday!
> xd-- was h3re (cool spraypainting here .. )
>
> On 9 November 2011 22:25, Darren Martyn <[email protected]> wrote:
>
> > Balls, I forgot to add this to the last message, but has anyone examined the
> > patch yet? I can only imagine it would be VERY interesting to look at...
> > <sarcasm> Or that it opens all UDP ports so that there are no closed ones to
> > exploit </sarcasm>
> >
> > On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn <[email protected]> wrote:
> >
> >> So... Another Conficker type worm possible from this bug if everyone cocks
> >> up and fails to patch?
> >>
> >> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia <[email protected]> wrote:
> >>
> >>> Kingcope, where's the exploit?
> >>>
> >>> :P
> >>>
> >>> On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:
> >>>
> >>> > http://technet.microsoft.com/en-us/security/bulletin/ms11-083
> >>> >
> >>> > "The vulnerability could allow remote code execution if an attacker
> >>> > sends a continuous flow of specially crafted UDP packets to a closed port on
> >>> > a target system."
> >>> >
> >>> > Microsoft did it once again.
> >>> >
> >>> > - Henri Salo

--
My Homepage :D <http://compsoc.nuigalway.ie/%7Einfodox>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
