
Mailing List Archive: Full Disclosure: Full-Disclosure

ms12-020 PoC

 

 



krkemmerer at gmail

Mar 16, 2012, 9:01 AM

Post #1 of 18 (1972 views)
ms12-020 PoC

Not my code, just sharing it here.


http://pastebin.com/UzDKcCQy


julius.kivimaki at gmail

Mar 16, 2012, 9:15 AM

Post #2 of 18 (1871 views)
Re: ms12-020 PoC [In reply to]

What's the payload?

On 16 March 2012 at 18.01, kyle kemmerer <krkemmerer [at] gmail> wrote:

> Not my code, just sharing it here.
>
>
> http://pastebin.com/UzDKcCQy


exibar at thelair

Mar 16, 2012, 10:50 AM

Post #3 of 18 (1941 views)
Re: ms12-020 PoC [In reply to]

Is that the same code from yesterday? I thought that code was a fake and didn't do anything?

Anyone confirm this?

Exibar
Sent via BlackBerry by AT&T

-----Original Message-----
From: kyle kemmerer <krkemmerer [at] gmail>
Sender: full-disclosure-bounces [at] lists
Date: Fri, 16 Mar 2012 12:01:16
To: <full-disclosure [at] lists>
Subject: [Full-disclosure] ms12-020 PoC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



nahuel.grisolia at gmail

Mar 16, 2012, 11:04 AM

Post #4 of 18 (1877 views)
Re: ms12-020 PoC [In reply to]

BSoD! Win7 64 and 32 bits, Spanish. Working.

On 16 March 2012 14:50, Exibar <exibar [at] thelair> wrote:
> Is that the same code from yesterday? I thought that code was a fake and didn't do anything?
>
>  Anyone confirm this?
>
>  Exibar
> Sent via BlackBerry by AT&T


cthulhucalling at gmail

Mar 16, 2012, 11:06 AM

Post #5 of 18 (1935 views)
Re: ms12-020 PoC [In reply to]

On Fri, Mar 16, 2012 at 10:50 AM, Exibar <exibar [at] thelair> wrote:
> Is that the same code from yesterday? I thought that code was a fake and didn't do anything?
>
>  Anyone confirm this?
>
>  Exibar
> Sent via BlackBerry by AT&T

I haven't run this one, but there is a Ruby script on at
binaryninjas.org that has taken out every testbed Windows box that I
have thrown at it.



root_ at fibertel

Mar 16, 2012, 11:12 AM

Post #6 of 18 (1947 views)
Re: ms12-020 PoC [In reply to]

The SABU code is fake (go figure).
This Python script is the first port of the Luigi code to Python; that's
why it sucks.

Here are better ports: http://pastebin.com/4FnaYYMz and
http://pastebin.com/jzQxvnpj

On 03/16/2012 02:50 PM, Exibar wrote:
> Is that the same code from yesterday? I thought that code was a fake and didn't do anything?
>
> Anyone confirm this?
>
> Exibar
> Sent via BlackBerry by AT&T


g13net at gmail

Mar 16, 2012, 11:13 AM

Post #7 of 18 (1876 views)
Re: ms12-020 PoC [In reply to]

The original researcher has released his advisory:

http://www.exploit-db.com/exploits/18606/




inchcombec at gmail

Mar 16, 2012, 11:32 AM

Post #8 of 18 (1864 views)
Re: ms12-020 PoC [In reply to]

That is the first time I've seen that specific one, so I'm not sure if it is fake or not. The main one that I saw going around about 12 hours ago was this one: http://pastebin.com/fFWkezQH and it is the allegedly fake one. The fact that it was supposedly from "sabu [at] fbi" kind of set off some alarm bells right away. That is either someone trying to be funny or trying to trick some scripties into running something they really shouldn't by using a recognizable name.

I've seen the BinaryNinjas one being talked about in a few different places now and the consensus seems to be that it is legit but that at the moment all it does is blue screen any vulnerable Windows machine that it is used against. I haven't seen any that actually have payloads yet. That said, I'm just passing on what seems to be the general consensus I've seen so far. I haven't had the chance to test out any of them yet as I don't have a spare Windows box set up right now. I'm waiting for a working version to come out before I actually try to go through the shellcode for any backdoors and test it, because who knows what some of these fakes might REALLY do.

On Fri, Mar 16, 2012 at 10:50 AM, Exibar <exibar [at] thelair> wrote:

> Is that the same code from yesterday? I thought that code was a fake and
> didn't do anything?
>
> Anyone confirm this?
>
> Exibar
> Sent via BlackBerry by AT&T


nahuel.grisolia at gmail

Mar 16, 2012, 11:41 AM

Post #9 of 18 (1877 views)
Re: ms12-020 PoC [In reply to]

Guys,

What about TS Gateway, which is actually listening on port 443 (by def)...

thanks!

Nahu.

On 16 March 2012 15:12, root <root_ [at] fibertel> wrote:
> The SABU code is fake (go figure).
> This python script is the first port of the Luigi code to python, that's
> why sucks.
>
> Here are better ports: http://pastebin.com/4FnaYYMz and
> http://pastebin.com/jzQxvnpj


exibar at thelair

Mar 16, 2012, 11:46 AM

Post #10 of 18 (1925 views)
Re: ms12-020 PoC [In reply to]

Yah, I see the same about the binaryninjas version... That's the one I'll concentrate on.

Thanks!
Sent via BlackBerry by AT&T



krkemmerer at gmail

Mar 16, 2012, 12:37 PM

Post #11 of 18 (1918 views)
Re: ms12-020 PoC [In reply to]

I have not had a chance to analyze this yet, but it is not the same code
as the fake sabu one on pastebin. This one supposedly showed up on some
Chinese security forum. Claimed to be causing BSoD on XP SP3 and Server
2003.
On Mar 16, 2012 2:04 PM, "Nahuel Grisolía" <nahuel.grisolia [at] gmail>
wrote:

> BSoD! Win7 64 and 32 bits, Spanish. Working.


adlt at tid

Mar 16, 2012, 12:50 PM

Post #12 of 18 (1867 views)
Re: ms12-020 PoC [In reply to]

I've tried this one against a new installation of Windows 2008 Server.
Blue screen is shown and the server is rebooted.

On Friday, 16 March 2012 at 20:37:43, kyle kemmerer wrote:
> I have not had a chance to analyze this yet, but it is not the same
> code as the fake sabu one on pastebin. This one supposedly showed up
> on some Chinese security forum. Claimed to be causing BSoD on XP SP3
> and Server 2003.


citypw at gmail

Mar 16, 2012, 9:36 PM

Post #13 of 18 (1870 views)
Re: ms12-020 PoC [In reply to]

On Sat, Mar 17, 2012 at 1:50 AM, Exibar <exibar [at] thelair> wrote:
> Is that the same code from yesterday? I thought that code was a fake and didn't do anything?
>
>  Anyone confirm this?
>
I tested it on a win-xp sp3 machine but it didn't work. According to the
post[1] on slashdot, the correct exploit could make a Windows machine
crash.

[1] http://it.slashdot.org/story/12/03/16/1349205/rdp-proof-of-concept-exploit-triggers-blue-screen-of-death


--
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn



thor at hammerofgod

Mar 18, 2012, 9:21 AM

Post #14 of 18 (1854 views)
Re: ms12-020 PoC [In reply to]

You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel. Once you are authenticated and authorized, the TSGateway server will establish a connection via RDP to the target server, tunneling the RDP connection back to you within the RPC/HTTP(S) channel.

As such, TSGateway is obviously unaffected by this vulnerability. For those of you looking for mitigation and not kiddie code to pop a box, note that simply using NLA mitigates both RDP issues.

This might be a good time to point out that anyone who followed any of my advice in the RDP chapter of Thor's Microsoft Security Bible, or who is using the little ThoRDP tool I wrote (also in the book), was protected from these vulnerabilities way before they were discovered. I say that simply to identify that some simple, effective techniques can be deployed that thwart the hours and hours people put into developing exploit code and the wasted time chasing all this stuff down. *THAT* is what security is about, btw.

t

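The post above names requiring NLA on the RDP listener as the mitigation that matters. As an added example, not from the thread or from any of its posters, here is a PowerShell audit of the listener settings involved: the registry paths and the Win32_TSGeneralSetting WMI class are the standard Terminal Services ones; the function names, the Findings/Compliant fields and the RDP-Tcp listener default are my own choices.

```powershell
# Added editorial example: audit (and optionally enforce) Network Level Authentication
# on the local RDP listener. Run in an elevated PowerShell session on the host itself.
# Registry keys and the WMI class are the documented Terminal Services locations;
# function names and the report shape are assumptions made for this example.

function Get-RdpSecurityPosture {
    [CmdletBinding()]
    param(
        # RDP-Tcp is the default listener name on every Windows host.
        [string]$Listener = 'RDP-Tcp'
    )

    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $wsKey = Join-Path $tsKey "WinStations\$Listener"

    $ts = Get-ItemProperty -Path $tsKey
    $ws = Get-ItemProperty -Path $wsKey

    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # UserAuthentication: 1 = NLA required, i.e. the client must authenticate via
    # CredSSP before the server allocates a session; 0 = legacy behaviour where an
    # unauthenticated client already reaches the RDP protocol stack.
    $nlaRequired = ($ws.UserAuthentication -eq 1)

    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
    $securityLayer = switch ($ws.SecurityLayer) {
        0       { 'RDP' }
        1       { 'Negotiate' }
        2       { 'TLS' }
        default { 'Unknown' }
    }

    $findings = @()
    if ($rdpEnabled -and -not $nlaRequired) {
        $findings += 'NLA is not required: unauthenticated clients reach the RDP session layer.'
    }
    if ($rdpEnabled -and $ws.SecurityLayer -eq 0) {
        $findings += 'Legacy RDP security layer in use: the connection is not protected by TLS.'
    }

    [pscustomobject]@{
        Listener      = $Listener
        RdpEnabled    = $rdpEnabled
        NlaRequired   = $nlaRequired
        SecurityLayer = $securityLayer
        Port          = $ws.PortNumber          # 3389 unless the listener was moved
        Findings      = $findings
        Compliant     = (-not $rdpEnabled) -or ($findings.Count -eq 0)
    }
}

function Set-RdpRequireNla {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Listener = 'RDP-Tcp')

    # Win32_TSGeneralSetting backs the "Allow connections only from computers running
    # Remote Desktop with Network Level Authentication" option in the system settings.
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                             -Class 'Win32_TSGeneralSetting' `
                             -Filter "TerminalName='$Listener'"

    if ($PSCmdlet.ShouldProcess($Listener, 'Require Network Level Authentication')) {
        $result = $setting.SetUserAuthenticationRequired(1)
        if ($result.ReturnValue -ne 0) {
            throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
        }
    }
}

# Report the current posture; pass -WhatIf to Set-RdpRequireNla to preview the change.
$posture = Get-RdpSecurityPosture
$posture | Format-List
if (-not $posture.Compliant) {
    Write-Warning ("RDP listener {0} is not hardened: {1}" -f $posture.Listener, ($posture.Findings -join ' '))
}
```

Requiring NLA means clients without CredSSP support can no longer connect, so inventory the clients that use the listener before enforcing it fleet-wide.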


thor at hammerofgod

Mar 18, 2012, 10:03 AM

Post #15 of 18 (1843 views)
Re: ms12-020 PoC [In reply to]

P.S. Before someone starts accusing me of "spamming" for the book (one asshat tried to compare me to Juan whats-his-face once), note you can actually view most of the RDP chapter (and others) on the Amazon "preview a page" feature if you would like.

If you are interested in RDP security, I suggest you take a free read on Amazon. Many are worried about worm activity from 020, and I am far more interested in pointing you to free material that helps you secure yourself and others than I am trying to make a buck on the book.

If anyone has any questions about how any of this works, I'm happy to help if I can.

t



james at zero-internet

Mar 18, 2012, 10:05 AM

Post #16 of 18 (1845 views)
Re: ms12-020 PoC [In reply to]

Nobody said a word.

Relax more and you might live long enough to write your next book.

Sent using BlackBerry® from Orange



thor at hammerofgod

Mar 18, 2012, 10:11 AM

Post #17 of 18 (1844 views)
Re: ms12-020 PoC [In reply to]

They did last time... But your advice is actually well noted :)

>-----Original Message-----
>From: James Condron [mailto:james [at] zero-internet]
>Sent: Sunday, March 18, 2012 10:06 AM
>To: Thor (Hammer of God); full-disclosure-bounces [at] lists; full-
>disclosure [at] lists
>Subject: Re: [Full-disclosure] ms12-020 PoC
>
>Nobody said a word.
>
>Relax more and you might live long enough to write your next book.
>
>Sent using BlackBerry® from Orange
>
>-----Original Message-----
>From: "Thor (Hammer of God)" <thor [at] hammerofgod>
>Sender: full-disclosure-bounces [at] lists
>Date: Sun, 18 Mar 2012 17:03:25
>To: full-disclosure [at] lists<full-disclosure [at] lists>
>Subject: Re: [Full-disclosure] ms12-020 PoC
>
>P.S. Before someone starts accusing me of "spamming" for the book, (one
>asshat tried to compare me to Juan whats-his-face once) note you can actually
>view most of the RDP chapter (and others) on the Amazon "preview a page"
>feature if you would like.
>
>If you are interested in RDP security, I suggest you take a free read on
>Amazon. Many are worried about worm activity from 020, and I am far more
>interested in pointing you to free material that helps you secure yourself and
>others than I am trying to make a buck on the book.
>
>If anyone has any questions about how any of this works, I'm happy to help if I
>can.
>
>t
>
>>-----Original Message-----
>>From: full-disclosure-bounces [at] lists
>>[mailto:full-disclosure- bounces [at] lists] On Behalf Of Thor
>>(Hammer of God)
>>Sent: Sunday, March 18, 2012 9:21 AM
>>To: Nahuel Grisolía; root
>>Cc: full-disclosure [at] lists
>>Subject: Re: [Full-disclosure] ms12-020 PoC
>>
>>You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel.
>>Once you are authenticated and authorized, the TSGateway server will
>>establish a connection via RDP to the target server, tunneling the RDP
>>connection back to you within the RPC/HTTP(S) channel.
>>
>>As such, TSGateway is obviously unaffected by this vulnerability. For
>>those of you looking for mitigation and not kiddie code to pop a box,
>>note that simply using NLA mitigates both RDP issues.
>>
>>This might be a good time to point out than anyone who followed any of
>>my advice in the RDP chapter of Thor's Microsoft Security Bible, or who
>>is using the little ThoRDP tool I wrote (also in the book) was protected from
>these
>>vulnerabilities way before they were discovered. I say that to simply
>identify
>>that some simple, effective techniques can be deployed that thwarts the
>>hours and hours people put into developing exploit code and the wasted
>>time chasing all this stuff down. *THAT* is what security is about, btw.
>>
>>t
>>
>>>-----Original Message-----
>>>From: full-disclosure-bounces [at] lists
>>>[mailto:full-disclosure- bounces [at] lists] On Behalf Of
>>>Nahuel Grisolía
>>>Sent: Friday, March 16, 2012 11:41 AM
>>>To: root
>>>Cc: full-disclosure [at] lists
>>>Subject: Re: [Full-disclosure] ms12-020 PoC
>>>
>>>Guys,
>>>
>>>What about TS Gateway? which is actually listening on port 443 (by def)...
>>>
>>>thanks!
>>>
>>>Nahu.
>>>
>>>On 16 March 2012 15:12, root <root_ [at] fibertel> wrote:
>>>> The SABU code is fake (go figure).
>>>> This python script is the first port of the Luigi code to python,
>>>> that's why it sucks.
>>>>
>>>> Here are better ports: http://pastebin.com/4FnaYYMz and
>>>> http://pastebin.com/jzQxvnpj
>>>>
>>>> On 03/16/2012 02:50 PM, Exibar wrote:
>>>>> Is that the same code from yesterday?  I thought that code was a
>>>>> fake and
>>>didn't do anything?
>>>>>
>>>>>   Anyone confirm this?
>>>>>
>>>>>  Exibar
>>>>> Sent via BlackBerry by AT&T
>>>>>
>>>>> -----Original Message-----
>>>>> From: kyle kemmerer <krkemmerer [at] gmail>
>>>>> Sender: full-disclosure-bounces [at] lists
>>>>> Date: Fri, 16 Mar 2012 12:01:16
>>>>> To: <full-disclosure [at] lists>
>>>>> Subject: [Full-disclosure] ms12-020 PoC
>>>>>


nahuel.grisolia at gmail

Mar 18, 2012, 12:12 PM

Post #18 of 18 (1837 views)
Permalink
Re: ms12-020 PoC [In reply to]

Thanks Thor!

I thought that it was possible to tunnel the attack through the HTTPS channel that the TSG generates.

Nahu.

On Mar 18, 2012, at 2:11 PM, Thor (Hammer of God) wrote:

> They did last time... But your advice is actually well noted :)
>
>> -----Original Message-----
>> From: James Condron [mailto:james [at] zero-internet]
>> Sent: Sunday, March 18, 2012 10:06 AM
>> To: Thor (Hammer of God); full-disclosure-bounces [at] lists; full-
>> disclosure [at] lists
>> Subject: Re: [Full-disclosure] ms12-020 PoC
>>
>> Nobody said a word.
>>
>> Relax more and you might live long enough to write your next book.
>>
>> Sent using BlackBerry® from Orange
>>
>> -----Original Message-----
>> From: "Thor (Hammer of God)" <thor [at] hammerofgod>
>> Sender: full-disclosure-bounces [at] lists
>> Date: Sun, 18 Mar 2012 17:03:25
>> To: full-disclosure [at] lists<full-disclosure [at] lists>
>> Subject: Re: [Full-disclosure] ms12-020 PoC
>>
>> P.S. Before someone starts accusing me of "spamming" for the book, (one
>> asshat tried to compare me to Juan whats-his-face once) note you can actually
>> view most of the RDP chapter (and others) on the Amazon "preview a page"
>> feature if you would like.
>>
>> If you are interested in RDP security, I suggest you take a free read on
>> Amazon. Many are worried about worm activity from 020, and I am far more
>> interested in pointing you to free material that helps you secure yourself and
>> others than I am trying to make a buck on the book.
>>
>> If anyone has any questions about how any of this works, I'm happy to help if I
>> can.
>>
>> t
>>
>>> -----Original Message-----
>>> From: full-disclosure-bounces [at] lists
>>> [mailto:full-disclosure- bounces [at] lists] On Behalf Of Thor
>>> (Hammer of God)
>>> Sent: Sunday, March 18, 2012 9:21 AM
>>> To: Nahuel Grisolía; root
>>> Cc: full-disclosure [at] lists
>>> Subject: Re: [Full-disclosure] ms12-020 PoC
>>>
>>> You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel.
>>> Once you are authenticated and authorized, the TSGateway server will
>>> establish a connection via RDP to the target server, tunneling the RDP
>>> connection back to you within the RPC/HTTP(S) channel.
>>>
>>> As such, TSGateway is obviously unaffected by this vulnerability. For
>>> those of you looking for mitigation and not kiddie code to pop a box,
>>> note that simply using NLA mitigates both RDP issues.
>>>
>>> This might be a good time to point out that anyone who followed any of
>>> my advice in the RDP chapter of Thor's Microsoft Security Bible, or who
>>> is using the little ThoRDP tool I wrote (also in the book) was protected from
>> these
>>> vulnerabilities way before they were discovered. I say that to simply
>> identify
>>> that some simple, effective techniques can be deployed that thwart the
>>> hours and hours people put into developing exploit code and the wasted
>>> time chasing all this stuff down. *THAT* is what security is about, btw.
>>>
>>> t
>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces [at] lists
>>>> [mailto:full-disclosure- bounces [at] lists] On Behalf Of
>>>> Nahuel Grisolía
>>>> Sent: Friday, March 16, 2012 11:41 AM
>>>> To: root
>>>> Cc: full-disclosure [at] lists
>>>> Subject: Re: [Full-disclosure] ms12-020 PoC
>>>>
>>>> Guys,
>>>>
>>>> What about TS Gateway? which is actually listening on port 443 (by def)...
>>>>
>>>> thanks!
>>>>
>>>> Nahu.
>>>>
>>>> On 16 March 2012 15:12, root <root_ [at] fibertel> wrote:
>>>>> The SABU code is fake (go figure).
>>>>> This python script is the first port of the Luigi code to python,
>>>>> that's why it sucks.
>>>>>
>>>>> Here are better ports: http://pastebin.com/4FnaYYMz and
>>>>> http://pastebin.com/jzQxvnpj
>>>>>
>>>>> On 03/16/2012 02:50 PM, Exibar wrote:
>>>>>> Is that the same code from yesterday? I thought that code was a
>>>>>> fake and
>>>> didn't do anything?
>>>>>>
>>>>>> Anyone confirm this?
>>>>>>
>>>>>> Exibar
>>>>>> Sent via BlackBerry by AT&T
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: kyle kemmerer <krkemmerer [at] gmail>
>>>>>> Sender: full-disclosure-bounces [at] lists
>>>>>> Date: Fri, 16 Mar 2012 12:01:16
>>>>>> To: <full-disclosure [at] lists>
>>>>>> Subject: [Full-disclosure] ms12-020 PoC
>>>>>>
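The mitigation Thor keeps returning to in this thread is Network Level Authentication: with NLA required, the RDP listener demands CredSSP authentication before any of the pre-logon protocol handling that MS12-020 concerns is reached. The following PowerShell script is an added example, not code from the thread, from Thor's book, or from ThoRDP; it audits the RDP-Tcp listener's NLA and security-layer settings through the `Win32_TSGeneralSetting` WMI class and, with `-Enforce`, switches NLA on. It assumes it runs elevated on the host being checked (or against a remote host with WinRM reachable); the `$layerNames` table and the `-Enforce` switch are this example's own.

```powershell
<#
 Added example (not part of the thread): audit, and optionally enforce,
 Network Level Authentication on the RDP-Tcp listener.
 Assumes an elevated session; remote use needs WinRM on the target host.
#>
[CmdletBinding()]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Enforce
)

# The listener settings live in the TerminalServices WMI namespace. The same
# values are mirrored in the registry under
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
# (UserAuthentication, SecurityLayer, MinEncryptionLevel).
$ts = Get-CimInstance -ComputerName $ComputerName `
        -Namespace 'root\CIMV2\TerminalServices' `
        -ClassName 'Win32_TSGeneralSetting' `
        -Filter "TerminalName='RDP-Tcp'"

if (-not $ts) {
    Write-Error "No RDP-Tcp listener found on $ComputerName"
    return
}

# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
# (Constructed lookup table for readable output.)
$layerNames = @{ 0 = 'RDP (legacy)'; 1 = 'Negotiate'; 2 = 'TLS' }

$status = [pscustomobject]@{
    ComputerName       = $ComputerName
    NlaRequired        = [bool]$ts.UserAuthenticationRequired
    SecurityLayer      = $layerNames[[int]$ts.SecurityLayer]
    MinEncryptionLevel = $ts.MinEncryptionLevel
}
$status | Format-List

if (-not $status.NlaRequired) {
    Write-Warning "NLA is not required on $ComputerName; unauthenticated clients reach the RDP listener's pre-logon code."
    if ($Enforce) {
        # Method exposed by Win32_TSGeneralSetting; 1 turns NLA on.
        Invoke-CimMethod -InputObject $ts -MethodName 'SetUserAuthenticationRequired' `
            -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
        # Pair NLA with TLS-only transport so legacy RDP security is never negotiated.
        Invoke-CimMethod -InputObject $ts -MethodName 'SetSecurityLayer' `
            -Arguments @{ SecurityLayer = [uint32]2 } | Out-Null
        Write-Host "NLA required and SecurityLayer set to TLS on $ComputerName (RDP-Tcp)."
    }
}
elseif ([int]$ts.SecurityLayer -lt 2) {
    Write-Warning "NLA is on, but SecurityLayer allows fallback to legacy RDP security; consider SetSecurityLayer(2)."
}
```

Run it as `.\Check-RdpNla.ps1` to report, or `.\Check-RdpNla.ps1 -Enforce` to fix; the remote form `-ComputerName host01` works anywhere WinRM and the TerminalServices namespace are reachable. Turning NLA on cuts off clients that cannot do CredSSP (very old mstsc builds and some third-party clients), which is the trade-off the thread's "simple, effective techniques" remark glosses over.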
