Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
From: xD 0x41 <secn3t () gmail com>
Date: Fri, 11 Nov 2011 07:03:51 +1100

thx to:
http://www.securityaegis.com/

ms11-083_sniffer.py

"""
 Simple packet sniffer that writes a pcap file for
 any UDP traffic heading for closed ports.
 Written in an attempt to capture data from a
 MS11-083 exploit in the wild.

 Author: Samuel Hunter
 If you have any suggestions or comments find
 me on twitter or send me some mail.
 Dont tell me about my dirty code, I'm aware of that.
 This was written quickly with no concern of standards.

 twitter: @Trowalts
 email: trowalts () gmail com
"""
from pcapy import *
from impacket import ImpactDecoder, ImpactPacket
from socket import *
import fcntl
import struct
import os
import time

class Sniffer:
    def __init__(self):
        self.promiscuous = True
        self.called = 0 #silly habits
        self.interface = 'eth0'
        self.max_bytes = 65535  # Theoretical max size for a UDP packet
        self.read_timeout = 100
        self.ip = self.get_ip_address(self.interface)
        self.bpf = 'ip dst host %s and not src net 192.168.1.0/30'%self.ip

        print "\n---------------------------------------------------"
        print "Sniffing for unsolicited UDP packets to closed ports."
        print "      \"Open ports are for losers\" - MS11-083"
        print "Pcap log started, listening from
%s"%time.strftime("%d:%m:%Y %H:%M:%S", time.localtime())
        print "---------------------------------------------------"

    def get_ip_address(self, ifname):
        s = socket(AF_INET, SOCK_STREAM)
        return inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915,
struct.pack('256s', ifname[:15]))[20:24])

    def start(self):
        self.reader = open_live(self.interface, self.max_bytes,
self.promiscuous, self.read_timeout)
        # Pcapy uses BPF to filter packets, not src net 192.168.1.0/30
        # should be changed, it just filters out 1.0, 1.1, 1.2 and 1.3
        # which I use for diffrent gateways and dont want traffic
        # from the router hitting the logs.
        self.reader.setfilter(self.bpf)
        # Run the packet capture loop
        self.reader.loop(0, self.callback)

    def callonce(self):
        self.dumper =
self.reader.dump_open(time.strftime("%d-%m-%Y_%H-%M-%S.pcap",
time.localtime()))
        self.called = 1

    def callback(self, hdr, data):
        # Parse the Ethernet packet
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet packet, typep
        iphdr = ether.child()
        udphdr = iphdr.child()

        # First check that the packets are not comming from the local host
        # Then check that it is a UDP packet (incase you changed the BPF) also
        # Check that the destination port for the packet is a closed
port on the host
        if (iphdr.get_ip_src() != self.ip):
            self.refresh_portlist()
            if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and
udphdr.get_uh_dport() not in self.portlist):
                if self.called == 0:
                    self.callonce()
                print "Incoming UDP packet from %s"%iphdr.get_ip_src()
                self.dumper.dump(hdr, data)

    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports
        # used in the callback function as criteria for logging traffic
        output = os.popen("./getports.sh")
        pl = output.readlines()
        self.portlist = []
        for p in pl:
            self.portlist.append(int(p))

def main():
    snf = Sniffer()
    snf.start()

if __name__ == "__main__":
    main()


and bash script:

#!/bin/bash
netstat -un | awk  'NR>2{ sub(/.*:/,"",$4); uniq[$4] }END{ for(i in
uniq) print i }'
netstat -lun | awk  'NR>2{ sub(/.*:/,"",$4); uniq[$4] }END{ for(i in
uniq) print i }'

NOW you can make your own :D

http://www.securityaegis.com/wp-content/uploads/2011/11/honey_in_jar_black_background.jpg

cheers!
xd--


On 11 November 2011 06:49, Sergito <sergito.lista () gmail com> wrote:
PoC ?
http://www.youtube.com/watch?v=4aBE6o0oDlo

[]'s
Sergito

2011/11/10 Thor (Hammer of God) <thor () hammerofgod com>

So, I've looked about on the web to see what software of any consequence
you have written, but I can't find any.  Can you point me to anything that
illustrates that you know how to develop wide scale software applications
and execute an SDL plan, or do you just like to sit back and bitch about
everyone else without actually doing anything?  I'm serious - I'd really
like to know.  Over all these years, all I've ever seen from you is talk
about how stupid everyone else is, but I've never once actually seen you do
anything constructive.

t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Georgi
Guninski
Sent: Thursday, November 10, 2011 8:48 AM
To: xD 0x41
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP
Could Allow Remote Code Execution (2588516)

On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:
You could just google for IRC packs of win2k src ;) I know i have a
copy of it somewhere... acvtually tho, would not be helpful tho, as it
does not affect win2k.. so i guess there would be some code there but
not the code you want.

@george
and, ideally if 'years' ago existed for this exploit but, it does only
affect v6 and up , this is tested.... so xp/2k/2k3 not affected...
still, i know people are using other ways anyhow , and thats just how
botting is... one way dies, one takes its place :s i guess we wait for
the rls of this.. maybe!



as in real life, real bugs die (the imaginary case is not clear to me).

i suppose "trustworthy computing" doesn't mean "not many bugs still
alive".

--
j

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]