I'm not sure if this kind of exploit is "real" .....please tell me if you got shell with that. cygwin dll required, please check download for that search forum.
Double-=V=-
Oct 21 2003, 08:43 PM
Thanks for compiling.
dtDaMan
Oct 21 2003, 09:16 PM
Hi!
THX 4 compiling, but there is an error when i start the EXE. "Der Prozedureinsprungpunkt "__getreent" wurde in der DLL "cygwin1.dll" nicht gefunden"
I try to translate:
"The Proceed-Entry-Point "__getreent" was not fpund in the DLL "cygwin1.dll"
Is there an error in my cygwin1.dll, or does the complied Version not work?
DaMan
Daxziz
Oct 21 2003, 09:53 PM
Heya
Thx for the compiled .exe - I've successfully made the application start with this attached version of the cygwin .dll - I've yet to constate whatever this works or not.
Have Fun Everybody
-Daxziz
dtDaMan
Oct 21 2003, 10:34 PM
Hi!
BIG THX!!!!! I downloaded your DLL File. Now the exe works. I hope i will get some shells
DaMan
Daxziz
Oct 21 2003, 10:42 PM
NP - Please report if ya get any results... I've tried several now, but no go
-Daxziz
tte
Oct 21 2003, 11:29 PM
hmm, the exploitation parameter doesnt seem to work at all.. i've tried many hosts, no good. I did manage to work the DoS tho on one host, somehow. altho when i tried the exploit on it before, it did not work. so maybe the DoS does work... anyway, anyone got a scanner for this ?
cyix
Oct 22 2003, 01:24 AM
It's halfway thare. It creates an active connection on port 5000 of the remote computer but fails to do anything else.
Yoni
Oct 22 2003, 02:01 AM
Hi, I scanned with scanport for port 5000... I got some 14 box's... Incloudin' mine box hehe... ( I scanned my range its the fastest way to test exploits )
Any Way the freeze might get work I will try it l8er from the external network of mine.. 'cause now my brother is on the other box of mine... but the exploit it self not seems to do any thing.. so I'm giving power to the post say that the DoS working the exploit, isnt !
aiboforcen
Oct 22 2003, 09:07 AM
I can get connected to some hosts but I cant get shell.. and -f doesent seems to work :/
jsands
Oct 22 2003, 10:18 AM
thx for this tool, but i tested on several machines, including my own, and i just couldn't get it either the freeze or the exploit to work, maybe yall have a clue, i know i don't.
101
Oct 22 2003, 11:50 AM
Date: 24/12/2001 UPNP - Multiple Remote Windows XP/ME/98 Vulnerabilities
CODE
Summary Windows XP ships by default with a UPNP (Universal Plug and Play) service which can be used to detect and integrate with UPNP aware devices. Windows ME does not ship by default with the UPNP service; however, some OEM versions do provide the UPNP service by default. In addition, it is possible to install the Windows XP Internet Connection Sharing on top of Windows 98, therefore making it vulnerable. As described on upnp.org: "UPNP architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. UPNP architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between". eEye believes that there are several security issues with the UPNP protocol itself; however, these more generic issues are out of the scope of this advisory. Expect a detailed paper to be released from eEye within the coming weeks. This advisory covers three vulnerabilities within Microsoft's UPNP implementation. A remotely exploitable buffer overflow to gain SYSTEM level access to any default installation of Windows XP, a Denial-of-Service (DoS) attack, and a Distributed Denial-of-Service (DDoS) attack.
Details Vulnerable systems: Microsoft Windows XP (All default systems) mean SP0 ONLY! Microsoft Windows 98 (Certain configurations) Microsoft Windows 98SE (Certain configurations) Microsoft Windows ME (Certain configurations)
1. The SYSTEM Remote Exploit The first vulnerability within Microsoft's implementation of the UPNP protocol can result in an attacker gaining remote SYSTEM level access to any default installation of Windows XP. SYSTEM is the highest level of access within Windows XP.
During testing of the UPNP service, eEye discovered that by sending malformed advertisements at various speeds eEye could cause access violations on the target machine. Most of these violations were due to pointers being overwritten. The following describes one instance of our testing:
If a buffer is incremented in the protocol, port, and uri fields of the Location URL and send sessions with 10,000 microsecond intervals, access violations will begin to be observed. In one situation, The EAX and ECX registers will contain addresses that are pulled from the memory that was overwritten and the svchost.exe process will access an invalid memory address at a "mov" instruction. It throws an access violation because the destination address is an overwritten pointer, but there is nothing interesting at 0x41414141.
During our testing eEye discovered that there are multiple points of exploitation. eEye found instances of stack overflows and heap overflows, both of which were exploitable. In the case of the heap overflow, eEye saw pointers being overwritten for both buffers and functions.
The SSDP service also listens on Multicast and Broadcast addresses. Therefore gaining SYSTEM access to an entire network of XP machines is possible with only one anonymous UDP SSDP attack session.
2. The DoS and DDoS UPNP consists of multiple protocols, one of which being the Simple Service Discovery Protocol (SSDP). When a UPNP enabled device is installed on a network, whether it be a computer, network device, or even a household appliance, the device sends out an advertisement to notify control points of its existence. On a default XP installation, no support is added for device control, as it would be the case in an installation of UPNP from "Network Services".
Although Microsoft added default support for an "InternetGatewayDevice", if a sniffer is run on a network with XP, XP can be observed searching for this device as XP is loading. This support was added to aid leading network hardware manufactures in making UPnP enabled "gateway devices".
By sending a malicious spoofed UDP packet containing an SSDP advertisement, an attacker can force the XP/ME client to connect back to a specified IP address and pass on a specified HTTP/HTTPS request.
The above packet data needs to be sent as a UDP packet to port 1900 of the XP/ME machine.
When the XP machine receives this request, it will interpret the URL following the LOCATION header entity. With no sanitizing of the URL, it is passed on to the functions in the Windows Internet Services API. The string is broken down and the new session is created.
For example: LOCATION: http://xptest.example.com:19/himom.html
A malicious attacker could specify a chargen service on a remote machine causing the XP client to connect and be caught in a tight read/malloc loop. Doing this will throw the machine into an unstable state where CPU utilization is at %100 and memory is being allocated to the point that it is totally consumed. This makes the remote XP system completely unusable and requires a physical power-off shutdown.
Attackers could also use this exploit to control other XP machines, forcing such machines to perform Unicode attacks, double decode, or random CGI exploiting. Due to the insecure nature of UDP, an attacker can exploit security holes on a web server using UPNP with almost total anonymity.
One of the bigger problems, and why this can become a DDoS attack, is that this SSDP announcement can be sent to broadcast addresses and multicast. It is therefore possible to send one UDP packet causing all XP machines on the target network to be navigated to the URL of choice, performing an attack of choice.
Also since parts of the UPNP service are implemented as UDP (in our opinion, a bad idea), it makes all of these attacks completely untraceable.
Vendor status: Microsoft has released a patch and security bulletin that is located at: http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
To verify that the patch has been installed on your system, do the following:
Windows 98 and 98SE: Select Start, then Run, then run the QFECheck utility. If the patch is installed, "Windows 98 Q314941 Update" will be listed among the installed patches. To verify the individual files, use the file manifest provided in Knowledge Base article Q314941.
Windows ME: Select Start, then Run, then run the QFECheck utility. If the patch is installed, "Windows Millennium Edition Q314757 Update" will be listed among the installed patches. To verify the individual files, use the file manifest provided in Knowledge Base article Q314757.
Windows XP: Confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q315000. To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q315000\Filelist.
eEye would strongly suggest denying all UPNP traffic at your internet borders, as there is really no need to allow UPNP traffic across the Internet. In addition, it would be wise to completely turn off the UPNP services, as most users are probably not utilizing them. The less services running on your machine, the safer you will be. The SSDP Discovery Service and Universal Plug and Play Host service should both be set to manual load.
You are all in late .....
Photon
Oct 22 2003, 08:59 PM
yeah there was a version 4 the older versions but there is also a new one.. so test it first and don't use google too fast
vnet576
Oct 22 2003, 09:31 PM
This exploit doesn't work...I tried it locally on a freshly formatted winxp machine from the original cd...no service packs or patches.
XeKToReX
Oct 23 2003, 12:24 PM
C:\upnp>upnp 2**.31.***.22 -e
C:\upnp>upnp 2**.31.***.32 -e
C:\upnp>upnp 2**.31.***.40 -e
C:\Program Setups>
Any Reason why i get no reponse?
BSDG33K
Oct 23 2003, 12:41 PM
hmm it doens't work for me 2... mybe the shellcode is not working?!, does anyone change it with the metasploit shellcode?, so try it!
btw, im gonna see what happens, with etheral..
The "-f" option, opens about 193 connectios to the remote host.. but is doesn't freeze up, the -e option, doesnt do nothing, it just send the shellcode to the port 5000, but no remote shell, the exploit is not correctly coded, or the shellcode doesn't work.. one of them
LilJon
Oct 23 2003, 02:27 PM
i would like to know what port to scan for is it 5000 or another one please respond
Daxziz
Oct 23 2003, 06:22 PM
Yes - port 5000 is the Universal Plug and Play port.
-Daxziz
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
)
