Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: ms12-020 PoC
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sun, 18 Mar 2012 16:21:26 +0000

You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel.  Once you are authenticated and authorized, 
the TSGateway server will establish a connection via RDP to the target server, tunneling the RDP connection back to you 
within the RPC/HTTP(S) channel. 

As such, TSGateway is obviously unaffected by this vulnerability.  For those of you looking for mitigation and not 
kiddie code to pop a box, note that simply using NLA mitigates both RDP issues. 

This might be a good time to point out than anyone who followed any of my advice in the RDP chapter of Thor's Microsoft 
Security Bible, or who is using the little ThoRDP tool I wrote (also in the book) was protected from these 
vulnerabilities way before they were discovered.   I say that to simply identify that some simple, effective techniques 
can be deployed that thwarts the hours and hours people put into developing exploit code and the wasted time chasing 
all this stuff down.  *THAT* is what security is about, btw.  

t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
bounces () lists grok org uk] On Behalf Of Nahuel Grisolía
Sent: Friday, March 16, 2012 11:41 AM
To: root
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] ms12-020 PoC

Guys,

What about TS Gateway? which is actually listening on port 443 (by def)...

thanks!

Nahu.

On 16 March 2012 15:12, root <root_ () fibertel com ar> wrote:
The SABU code is fake (go figure).
This python script is the first port of the Luigi code to python,
that's why sucks.

Here are better ports: http://pastebin.com/4FnaYYMz and
http://pastebin.com/jzQxvnpj

On 03/16/2012 02:50 PM, Exibar wrote:
Is that the same code from yesterday?  I thought that code was a fake and
didn'kt do anything?

  Anyone confirm this?

 Exibar
Sent via BlackBerry by AT&T

-----Original Message-----
From: kyle kemmerer <krkemmerer () gmail com>
Sender: full-disclosure-bounces () lists grok org uk
Date: Fri, 16 Mar 2012 12:01:16
To: <full-disclosure () lists grok org uk>
Subject: [Full-disclosure] ms12-020 PoC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]