![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
foxgrrlAs you are all well aware, yesterday was Microsoft Patch Tuesday. One of the vulnerabilities, was basically an anonymous remote root exploit against the default install of Windows 2000 (and maybe XP too). There isn't any POC code floating around on the net yet, so I wrote some to settle an argument.
I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)
The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not any details like about how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).
Oh yeah, I was going to mention, that this is also the first exploit I've written in the MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)
I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)
The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not any details like about how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).
Oh yeah, I was going to mention, that this is also the first exploit I've written in the MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2006-11-18 06:25 am (UTC)Hm. You know, I *have* wondered about the idea of just creating a fake server - most of MS's security is based on a top-down belief... what's keeping that from happening?
Yeah, I think having the theory *with* the code would make an awful lot more sense anyway.