![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
foxgrrlAs you are all well aware, yesterday was Microsoft Patch Tuesday. One of the vulnerabilities, was basically an anonymous remote root exploit against the default install of Windows 2000 (and maybe XP too). There isn't any POC code floating around on the net yet, so I wrote some to settle an argument.
I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)
The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not any details like about how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).
Oh yeah, I was going to mention, that this is also the first exploit I've written in the MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)
I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)
The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not any details like about how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).
Oh yeah, I was going to mention, that this is also the first exploit I've written in the MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2006-11-17 12:42 am (UTC)"So let me get this straight... If we do *his* job, we're the bad guys... And if we do *our* job, we're the good guys..."
Incidentally, you know anyone who is a hardware/assembly hack on VEEERY old CPUs? I'm trying to reverse-engineer some old ECUs for cars and motorcycles from the 80s... At least one is 6801-based, and I have a suspicion the other line of boxen here is Intel-based, but I'm not sure. Ideally I'd like to dump the ROM and de-compile the code into assembly, and then write some modifications for it myself, as well as developing hardware (either piggyback or replacing the CPU) that allow real-time data-line outputs of sensor values, as well as the possibility of remapping via a laptop and ideally a live emulator function. But I'm so rusty on these old processors that I'm gonna need some help, especially on the hardware side.
Hope you two are doing well. You're always welcome up here in the boonies if you need to get away from it all. :)