[Full-Disclosure] Finding Win2k SP3 with a single packet

From: 0xcd0x80@hush.com
Date: 09/10/02


From: 0xcd0x80@hush.com (0xcd0x80@hush.com)
Date: Mon,  9 Sep 2002 15:08:56 -0700

Just a quick post to highlight something I noticed; you may well need
this the next time a really tasty sploit in IIS comes out.

When deciding which offset to use when you want to mess about on the stack or the heap, you need to know the Service Pack in use. So how can you tell that in as few packets as possible? Well, if you need to tell whether SP3 has been installed on Win2k, you can try this.

I'll assume that you have determined the server is Win 2K by seeing the
web banner is IIS 5.0. So send a single SYN packet to port 80, or
any other open port you can find, and have a look at the result.

First example Win 2K with SP2 or below:

hping -S -p 139 10.0.0.3
HPING 10.0.0.3 (eth1 10.0.0.3): S set, 40 headers + 0 data bytes
len=46 ip=10.0.0.3 flags=SA DF seq=0 ttl=128 id=65060 win=16616 rtt=0.7 ms

Then we try on a freshly installed SP3 machine:

hping -S -p 139 10.0.0.4
HPING 10.0.0.4 (eth1 10.0.0.4): S set, 40 headers + 0 data bytes
len=46 ip=10.0.0.4 flags=SA DF seq=0 ttl=128 id=24532 win=64240 rtt=0.7 ms

As we can see, SP3 has a TCP window size of 64240 and before that had
16616.

(My warning from before was because Win XP also has win=64240)

So with a single packet we can tell the difference between SP3 and
below. I know it's simple and not foolproof but it might just get you
those system privs that you were after.

I admit that I'm pretty lame so I haven't got a nice 0day to put the
theory into practice with. However, if you do know about one let me know
some details and I will do some experimentation.

This is just a stopgap solution; give Fyodor a little time and I'm sure
nmap will build this OS fingerprinting in as it does everything else you
might want it to.

greetz, they know who they are, do you?
b,m,b,e,g,s,u
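
The window comparison described in the post can also be run over SYN/ACK replies already captured from hosts you administer, for example to inventory which Win2k machines still lack SP3. This is an added example, not code from the original post; the function names and the sample packets built by build_synack are constructed, and the only window values used are the two the post reports.

```python
import struct

# Window sizes the post reports for Win2k SYN/ACK replies (nothing else is assumed).
WINDOW_HINTS = {
    16616: "Win2k SP2 or below",
    64240: "Win2k SP3 (Windows XP also answers with this window)",
}

def parse_synack(packet: bytes) -> dict:
    """Extract TTL, DF bit and TCP window from a raw IPv4 packet (no link-layer header)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; IP options shift the TCP header
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if off_flags & 0x12 != 0x12:        # SYN (0x02) and ACK (0x10) must both be set
        raise ValueError("not a SYN/ACK")
    return {"ttl": ttl, "df": bool(frag & 0x4000), "win": window}

def classify(packet: bytes) -> str:
    """Map the advertised window to the post's two observations, or report it as unknown."""
    win = parse_synack(packet)["win"]
    return WINDOW_HINTS.get(win, "unknown (window %d is not one the post lists)" % win)

def build_synack(win: int, ttl: int = 128, ident: int = 1) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + 24-byte TCP header with an MSS option.
    Checksums are left at zero because the parser does not validate them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, ident, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 3]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 139, 2000, 0, 1, (6 << 12) | 0x12, win, 0, 0)
    return ip + tcp + bytes([2, 4, 5, 0xB4])

if __name__ == "__main__":
    for win in (16616, 64240, 8192):    # last value is a constructed non-matching case
        print(win, "->", classify(build_synack(win)))
```

A window that matches neither entry is reported as unknown instead of being forced into one of the two buckets, and the 64240 label keeps the post's caveat that Windows XP answers the same way.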
