[38689] in bugtraq
Microsoft WINS Vulnerability + OS/SP Scanner
daemon@ATHENA.MIT.EDU (class)
Mon May 2 16:47:11 2005
Message-ID: <4273F282.5060203@class101.org>
Date: Sat, 30 Apr 2005 23:02:58 +0200
From: class <ad@class101.org>
MIME-Version: 1.0
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
Full-Disclosure <Full-Disclosure@lists.grok.org.uk>,
"vulnwatch@vulnwatch.org" <vulnwatch@vulnwatch.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
While replicating, it's possible to guess the OS and SP, in addition
you have the heap base address.
Conclusion: all needed for a skilled hacker to intrude a vulnerable
computer, however a script kiddie wont be able to do something because
each wrong hacking attempts may corrupt the WINS database and so on ,
move where this is needed to overwrite. This is where the skilled
hacker will use the heap base address retrieved while scanning to
start a bruteforce attack , nor at best, to analyze how is moving the
heap :)
For example, the exploit that I have published (v0.3) is doing a small
part of 2k with the corresponding heap base , but you will have to
update it to catch some other heap positions.
I attach the win32 binary, follow class101.org and hat-squad.com if
you are seeking for the source or FreeBSD version, I think I will
share them soon.
- -v....: lite verbose
- -vv..: ultra verbose
threads: 0-4999
else all go in HS_WINS.txt
Screenshot:
IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2000 SP3
IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4
IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4
IP.............: ***:42
STATUS.........: not wins, wrong datas
IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2003 SP0
IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2003 SP0
IP.............: ***:42
STATUS.........: nothing received, not wins or vulnerable service freezing
etc,etc
download: http://class101.org/HS_WINS.exe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
iD8DBQFCc/J9LyZ8K9aT7rARAu0yAKC68ZxNKTuqwJNLQCNy31425aqLXACfYhvo
gSJT9elxPzyKOpI+CErbWlM=
=dkCW
-----END PGP SIGNATURE-----
