
| Subject: | [Full-disclosure] Microsoft WINS Vulnerability + OS/SP Scanner |
|---|---|
| Date: | Sat, 30 Apr 2005 23:02:58 +0200 |
While replicating, it's possible to guess the OS and SP; in addition, you have the heap base address.

Conclusion: all needed for a skilled hacker to intrude a vulnerable computer; however, a script kiddie won't be able to do something because each wrong hacking attempt may corrupt the WINS database and so on, move where this is needed to overwrite. This is where the skilled hacker will use the heap base address retrieved while scanning to start a brute-force attack, or at best, to analyze how the heap is moving :)

For example, the exploit that I have published (v0.3) is doing a small part of 2k with the corresponding heap base, but you will have to update it to catch some other heap positions.

I attach the win32 binary; follow class101.org and hat-squad.com if you are seeking the source or FreeBSD version, I think I will share them soon.

Options:

```
-v....: lite verbose
-vv..: ultra verbose
threads: 0-4999 else all go in HS_WINS.txt
```

Screenshot:

```
IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2000 SP3

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4

IP.............: ***:42
STATUS.........: not wins, wrong datas

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2003 SP0

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2003 SP0

IP.............: ***:42
STATUS.........: nothing received, not wins or vulnerable service freezing etc,etc
```

download: http://class101.org/HS_WINS.exe
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
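For patch triage, a defender who receives scanner output in the layout shown in the screenshot above needs to pull out which hosts reported NOT_PATCHED and which OS/SP builds are in play. The following parser is an added example written for this page, not code from the post or from the HS_WINS tool; the sample output and the 192.0.2.x addresses are constructed, and records with only an IP and STATUS line (no VULNERABILITY or OS) are handled.

```python
import re
from collections import Counter

# Constructed sample in the layout of the post's screenshot; the addresses
# are documentation placeholders, not real hosts. Some records are short.
SAMPLE_OUTPUT = """\
IP.............: 192.0.2.10:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2000 SP3
IP.............: 192.0.2.11:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4
IP.............: 192.0.2.12:42
STATUS.........: not wins, wrong datas
IP.............: 192.0.2.13:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2003 SP0
IP.............: 192.0.2.14:42
STATUS.........: nothing received, not wins or vulnerable service freezing etc,etc
"""

# Field name, dot padding, colon, value: "VULNERABILITY..: NOT_PATCHED"
FIELD_RE = re.compile(r"^([A-Z]+)\.*: (.*)$")


def parse_records(text):
    """Split scanner output into one dict per IP record; an IP line starts a record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        key, value = m.group(1), m.group(2).strip()
        if key == "IP":
            current = {"IP": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def unpatched_hosts(records):
    """Hosts that answered as WINS and were flagged NOT_PATCHED (patch first)."""
    return [r["IP"] for r in records if r.get("VULNERABILITY") == "NOT_PATCHED"]


def os_summary(records):
    """Count of OS/SP strings among hosts that reported one."""
    return Counter(r["OS"] for r in records if "OS" in r)
```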