RE: smbdie - GUI remote smb DoS tool

From: Dozal, Tim (tdozal@cisco.com)
Date: 08/29/02


Date: Thu, 29 Aug 2002 14:30:05 -0700
From: "Dozal, Tim" <tdozal@cisco.com>
To: "Wesley Shields" <wxs@csh.rit.edu>, "shawn merdinger" <shawnmer@io.com>

This "proof of concept tool" was very useful a few days ago in
demonstrating how easily this exploit can be taken advantage of. However,
today I noticed the virus protection companies added this tool's pattern
to their definitions, so it can no longer live on a machine running VP
software or pass through the e-mail scanners that were updated today. I
don't know about the rest of you, but I was really pissed about this.
The tool is NOT a virus, and I had been sending it to various IT friends
for the last few days to use as a demo tool for their various companies.

I'm curious if anybody knows of a REAL virus that has taken advantage of
this exploit, and also why the VP companies feel they have the right to
add a pattern for a "tool" into their DAT files?

Can somebody explain the logic here?

Tim

Btw, the MS description of this exploit requiring a valid
username/password seems to be total BS based on what this little tool is
able to do.

-----Original Message-----
From: Wesley Shields [mailto:wxs@csh.rit.edu]
Sent: Thursday, August 29, 2002 10:55 AM
To: shawn merdinger
Cc: security-basics@securityfocus.com
Subject: Re: smbdie - GUI remote smb DoS tool

On Wed, Aug 28, 2002 at 10:51:00AM -0500, shawn merdinger wrote:

> fyi,
>
> Yet another reason to disable netbios. This tool runs on Windows and
> has a GUI interface. Windows machines w/ SMB (port 139) access will
> reboot instantly.
>
> Tool is here: http://packetstormsecurity.org/0208-exploits/SMBdie.zip
>
> -scm
>
>

If you're going to post the proof of concept you may want to post the
patch.

MS02-045

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q326830&

-- WXS