As you are all well aware, yesterday was Microsoft Patch Tuesday. One of the vulnerabilities was basically an anonymous remote root exploit against the default install of Windows 2000 (and maybe XP too). There isn't any POC code floating around on the net yet, so I wrote some to settle an argument.
I'm wondering now if I should release it publicly, sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate Windows server (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)
The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not details such as how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).
Oh yeah, I was going to mention that this is also the first exploit I've written in MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier than writing giant blobs of raw binary data, which is how I typically write stuff.)
no subject
Date: 2006-11-16 06:41 pm (UTC)
Are we talking antivirus companies looking to study 'sploits? Or people online wanting an exploit to use?
There is an ethical aspect here, after all.
no subject
Date: 2006-11-18 06:09 am (UTC)
I wasn't entirely serious. If I weren't working right now and was going to sell it, I was thinking of someplace like Tipping Point — they're one of the companies who buy 0-days and stuff from . But this would be a pretty big conflict of interest for me, since they're a competitor of my company.
Anyway, there's not much that is unique about this exploit to study. And anything that was, I could explain to everyone in English instead of passing around a giant blob of bits and having people pick it apart to try to figure out what it does.
If I wrote a fake Active Directory "server" that told Windows whatever it wants to hear, that would be something new and unique. Otherwise this is just a vanilla stack overflow. (The victim box needs to successfully connect to a domain first, before the vulnerable function is reached. (In theory, if the attacker knew of the victim's usual domain, they could just use that in the attack, but I haven't had time to play with this yet.))
no subject
Date: 2006-11-18 06:25 am (UTC)
Hm. You know, I *have* wondered about the idea of just creating a fake server - most of MS's security is based on a top-down belief... what's keeping that from happening?
Yeah, I think having the theory *with* the code would make an awful lot more sense anyway.