foxgrrl ([personal profile] foxgrrl) wrote2006-11-16 05:43 am
MS06-070

As you are all well aware, yesterday was Microsoft Patch Tuesday. One of the vulnerabilities was basically an anonymous remote root exploit against the default install of Windows 2000 (and maybe XP too). There isn't any POC code floating around on the net yet, so I wrote some to settle an argument.

I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)

The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx

And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but no details such as how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).

Oh yeah, I was going to mention that this is also the first exploit I've written in MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)

[identity profile] veleda.livejournal.com 2006-11-16 02:52 pm (UTC)
hey dear;

an aside... can you send me both nyah's and your email addys? I wanted to invite you to an event we are doing in December.
my email is veleda@templeofallgods.org

[identity profile] hasufin.livejournal.com 2006-11-16 06:41 pm (UTC)
Who would you be selling it to?

Are we talking antivirus companies looking to study 'sploits? Or people online wanting an exploit to use?

There is an ethical aspect here, after all.

[identity profile] hasufin.livejournal.com 2006-11-18 06:25 am (UTC)
Ah, my apologies. I took you somewhat seriously.


Hm. You know, I *have* wondered about the idea of just creating a fake server - most of MS's security is based on a top-down belief... what's keeping that from happening?


Yeah, I think having the theory *with* the code would make an awful lot more sense anyway.

codz

[identity profile] trema-slo.livejournal.com 2006-11-16 09:09 pm (UTC)
Nice work, I say. I read eEye too, and I also really get a lot of benefit from http://isc.incidents.org/
They will take code and test it, then write it up for others to understand. Also, don't forget to let Mikrosot know so they can try to fix it and save others from being ripped.
T.L.

[identity profile] oygevalte.livejournal.com 2006-11-17 12:42 am (UTC)
I'm reminded of a line from Grosse Point Blank, where Hank Azaria and his sidekick are discussing being domestic operatives, and the white hat/black hat thing (killing a professional killer):

"So let me get this straight... If we do *his* job, we're the bad guys... And if we do *our* job, we're the good guys..."


Incidentally, you know anyone who is a hardware/assembly hack on VEEERY old CPUs? I'm trying to reverse-engineer some old ECUs for cars and motorcycles from the 80s... At least one is 6801-based, and I have a suspicion the other line of boxen here is Intel-based, but I'm not sure. Ideally I'd like to dump the ROM and de-compile the code into assembly, and then write some modifications for it myself, as well as developing hardware (either piggyback or replacing the CPU) that allow real-time data-line outputs of sensor values, as well as the possibility of remapping via a laptop and ideally a live emulator function. But I'm so rusty on these old processors that I'm gonna need some help, especially on the hardware side.

Hope you two are doing well. You're always welcome up here in the boonies if you need to get away from it all. :)