Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
From: xD 0x41 <secn3t () gmail com>
Date: Sat, 12 Nov 2011 10:13:44 +1100

lol... yea... no idea, dont care.... this is just for those ppl who
*had* to see something :)
now let them, worry why theyre box is executing ping fkloods and
crap..or, maybe causing, even worse things ;)
I know prdelka, is verry good with backdoors :P lol... i hope he got
every fucker who was breaking ballz.
also, ofcourse, if it takes 49days then...why would ms even woprry..
hehe... just ignore me, until the real author comes forward, and, then
the ppl who abused me, can see for themselfs, how this works.
and not until then, or, until i make my own scanner, will i even share
one bit more of actual info, because, it was always a stack based
overflow, NOT off-by-one :)
anyhow... it doesnty take, 49days, atall..
and, yes, indeed, will be one good packet, if the packet , has the
right SQN + Ack number.
I guess, a stream of udps, would be just as effective....
but, i dont know yet, until my own code scanner is done.
so, i dont care fopr what ppl say... i know my windows... and, know my
ms exploits ... ms, is not as secure as we would love to think, and,
once a hole like this is opened, there is many ways to reopen it..
there is a magic key for every box...
anyhow later..


On 12 November 2011 09:58,  <Valdis.Kletnieks () vt edu> wrote:
On Sat, 12 Nov 2011 09:36:21 +1100, xD 0x41 said:
well look at that :P
not same author but , nice coding predelka! good one, i will add you
to crazycoders.com coderslist... i guess there is a few codes you have
now done wich might be useful... cheers.

Did you actually do a code review?  There's some... issues. ;)

First, the comment block says it needs 2^32 packets sent.

Then we do:

       for(lthreads=0;lthreads<250;lthreads++){//UDP flood
               iret = pthread_create(&thread,NULL,sendpackets,argv[1]);

(250, not 256? Gaak ;)

And then sendpackets() does this:

       for(i=0;i<4294967295;i++){

So this is working 250 times as hard as it has to.  No wonder it takes 52 days. ;)

Also, the variable 'active' is at least theoretically racy - it's *possible*,
but unlikely, that the main program will kick off the 250 threads, and fall
through to the 'while(active)' loop before any of the threads have hit the
active++ in their code.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault