Microsoft WINS Vulnerability + OS/SP Scanner

From: class (ad_at_class101.org)
Date: 04/30/05

  • Next message: Kenshoto: "Defcon Capture the Flag registration is open"
    Date: Sat, 30 Apr 2005 23:02:58 +0200
    To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, Full-Disclosure <Full-Disclosure@lists.grok.org.uk>, "vulnwatch@vulnwatch.org" <vulnwatch@vulnwatch.org>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
     
    While replicating, it's possible to guess the OS and SP, in addition
    you have the heap base address.
    Conclusion: all needed for a skilled hacker to intrude a vulnerable
    computer, however a script kiddie wont be able to do something because
    each wrong hacking attempts may corrupt the WINS database and so on ,
    move where this is needed to overwrite. This is where the skilled
    hacker will use the heap base address retrieved while scanning to
    start a bruteforce attack , nor at best, to analyze how is moving the
    heap :)
    For example, the exploit that I have published (v0.3) is doing a small
    part of 2k with the corresponding heap base , but you will have to
    update it to catch some other heap positions.

    I attach the win32 binary, follow class101.org and hat-squad.com if
    you are seeking for the source or FreeBSD version, I think I will
    share them soon.

    - -v....: lite verbose
    - -vv..: ultra verbose
    threads: 0-4999

    else all go in HS_WINS.txt

    Screenshot:

    IP.............: ***:42
    STATUS.........: wins enabled
    VULNERABILITY..: NOT_PATCHED
    OS.............: Windows 2000 SP3

    IP.............: ***:42
    STATUS.........: wins enabled
    VULNERABILITY..: patched
    OS.............: Windows 2000 SP4

    IP.............: ***:42
    STATUS.........: wins enabled
    VULNERABILITY..: patched
    OS.............: Windows 2000 SP4

    IP.............: ***:42
    STATUS.........: not wins, wrong datas

    IP.............: ***:42
    STATUS.........: wins enabled
    VULNERABILITY..: patched
    OS.............: Windows 2003 SP0

    IP.............: ***:42
    STATUS.........: wins enabled
    VULNERABILITY..: NOT_PATCHED
    OS.............: Windows 2003 SP0

    IP.............: ***:42
    STATUS.........: nothing received, not wins or vulnerable service freezing

    etc,etc

    download: http://class101.org/HS_WINS.exe

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (MingW32)
     
    iD8DBQFCc/J9LyZ8K9aT7rARAu0yAKC68ZxNKTuqwJNLQCNy31425aqLXACfYhvo
    gSJT9elxPzyKOpI+CErbWlM=
    =dkCW
    -----END PGP SIGNATURE-----


  • Next message: Kenshoto: "Defcon Capture the Flag registration is open"

    Relevant Pages