![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
As you are all well aware, yesterday was Microsoft Patch Tuesday. One of the vulnerabilities, was basically an anonymous remote root exploit against the default install of Windows 2000 (and maybe XP too). There isn't any POC code floating around on the net yet, so I wrote some to settle an argument.
I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)
The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not any details like about how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).
Oh yeah, I was going to mention, that this is also the first exploit I've written in the MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)
I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)
The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not any details like about how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).
Oh yeah, I was going to mention, that this is also the first exploit I've written in the MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)
![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif){kind=small}
