brOmstar
Mar 28 2004, 09:50 PM
i read the source

btw, at the moment I'm setting up a test system; I will give further information later
kebab1701
Mar 28 2004, 09:54 PM
hmmm yeah, I'd like to hear some more opinions on this exploit before I look into it, seems a bit strange.
brOmstar
Mar 28 2004, 10:09 PM
it seems a bit strange.. why?
ps: jockel, what language is your w2k and what version of BlackICE??
I tried to test it with w2k SP0 German + BlackIce_Defender_v3.6cbd.
The iss-pam1.dll is version 3.6.06. ---> no shell
jockel
Mar 29 2004, 01:33 AM
| QUOTE (vnet576 @ Mar 28 2004, 09:45 PM) |
| Really? What was the subversion of blackice that u used. Each blackice has a 3 letter extension after the version (example:.v3.6.cbx). |
BlackICE PC Protection 3.6 ccb
language german
there's a worm using the same hole:
http://securityresponse.symantec.com/avcen...witty.worm.html
Hexadecimal
Mar 29 2004, 04:18 AM
http://illmob.org/0day/iis_pam_autosploit.rar
there is the autohaxor for it. You gotta scan port 4000. The sploit is compiled and everything. Thanx illmob !!
cyrixx
Mar 29 2004, 05:20 AM
your autohaxxor scans for TCP, not for UDP
Alexander01
Mar 29 2004, 05:32 AM
how do I use that NASL script.. it's created to work with the Nessus scanner, but that scanner runs under Unix and I can only download the source code of that script.. there is also a win32 version of Nessus, but how do I import that script.. do I need to compile something, or how does it work?
x1`
Mar 29 2004, 05:41 AM
rockerx
Mar 29 2004, 08:14 AM
I had no probs compiling it under SuSE 9.0
but no targets found, yet
greetz
willywutz
Mar 29 2004, 09:37 AM
I added this exploit to TheWatcher's ExploitManager (damn, I like this tool) ;>
So it's not necessary to scan for a port and afterwards check the scans again for a vuln. Couldn't get a shell yet but tried only a few machines. Think I need more time to completely figure it out.
XpProf
Mar 29 2004, 03:08 PM
Thanks for the tip
I'm gonna test the sploit on my system

Xp
nolimit
Mar 30 2004, 04:23 AM
Just picked this exploit up and started playing with it. From what I've gathered there is no way to scan, not UDP nor TCP. Port 4000 is the bound port on the exploiter's computer. When run, my firewall indicates the sploit sends the UDP packet at port 49597 (not cited anywhere in the code, presumably not important).
| CODE |
S:\HACKING\tools>nc -l -u -p 49597 -vv
listening on [any] 49597 ...
DNS fwd/rev mismatch: localhost != meh
connect to [127.0.0.1] from localhost [127.0.0.1] 4000
♣ ↕☻ ☻, ♣ n ☺ A☻♣ ▐♥ ☺ ☺ ☺ ▲☻ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
|
So what I've gathered is
1. All transmissions are done over the UDP protocol.
2. While the source port is 4000 on the exploiter's machine, the target port is unimportant, as BlackICE monitors all ports and is exploited through that mechanism.
Therefore, I'm pretty sure there are only a few ways to scan for this, most unappealing.
This is why the Witty worm, as far as I could tell, just blindly launches packets out at hosts on the network rather than scanning for them.
So most likely, if I was going to exploit this on a mass scale, I'd just build a quick packet transmitter and go down a range..
This was all gathered in a span of 10 minutes or so. If anything's incorrect, feel free to comment and/or suggest.
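An added example, not code from the thread or from the exploit itself: the observation above (everything is UDP, the attacker's source port is 4000, the destination port is arbitrary, and the netcat dump ends in a long run of 0x90 bytes, which the CP437 console renders as "É") is exactly what a network sensor would key on from the defender's side. The script below parses raw IPv4/UDP datagrams and flags those with UDP source port 4000 or a NOP-sled run, over packets constructed inline for the demonstration. The sled threshold (32 bytes), the sample addresses and the payload bytes are assumptions made for the example, not values taken from the exploit.

```python
import struct

NOP = 0x90               # 0x90 = x86 NOP; shown as "É" in the CP437 netcat dump above
ATTACK_SRC_PORT = 4000   # UDP source port nolimit observed on the attacker's side
MIN_SLED = 32            # assumed threshold for the NOP-sled heuristic (not from the page)


def parse_ipv4_udp(pkt: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP datagram, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 17 or len(pkt) < ihl + 8:   # 17 = UDP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + ulen] if ulen >= 8 else b""
    return src, dst, sport, dport, payload


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of `value` in `data` (used to spot a NOP sled)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def classify(pkt: bytes):
    """Tag a datagram with the reasons it looks like the BlackICE/Witty traffic pattern."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    reasons = []
    if sport == ATTACK_SRC_PORT:          # the attacker's port, NOT the victim's
        reasons.append("udp_sport_4000")
    if longest_run(payload, NOP) >= MIN_SLED:
        reasons.append("nop_sled")
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "reasons": reasons}


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a raw IPv4/UDP datagram (checksums zeroed) for the constructed samples."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + udp


# Constructed sample traffic (not captured data): one packet shaped like the netcat dump,
# a benign reply landing on dport 4000, a sled on an unrelated port pair, and a short
# datagram that merely happens to come from sport 4000.
SAMPLES = [
    build_udp("10.0.0.5", "10.0.0.9", 4000, 49597, b"\x05\x12\x02" + bytes([NOP]) * 64 + b"AAAA"),
    build_udp("10.0.0.7", "10.0.0.9", 53, 4000, b"\x00\x01" * 8),
    build_udp("10.0.0.8", "10.0.0.9", 51000, 60000, bytes([NOP]) * 40),
    build_udp("10.0.0.8", "10.0.0.9", 4000, 20, b"hello"),
]


def scan(packets):
    """Return the classification of every packet that triggered at least one reason."""
    return [c for c in (classify(p) for p in packets) if c and c["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

The second sample is the case the thread keeps arguing about: a datagram arriving on destination port 4000 is not flagged at all, because nothing about the victim's port identifies this traffic. Matching on the source port alone still misses nothing in the samples but would be noisy on a real link (any host can pick 4000 as an ephemeral port), which is why the sled check is kept as a second, independent reason.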
krush
Mar 30 2004, 01:41 PM
what's the deal with the listen port and listen host part? When we have the IPs from the scan, what should we add as the port to listen on?
slaughter
Mar 30 2004, 06:04 PM
Thanks for sharing. sland nmap can scan UDP port
CU.
prog
Mar 30 2004, 06:14 PM
Are there any reports of a remote nt udp scanner?
Any help would be appreciated.
fre4k
Mar 30 2004, 06:16 PM
| QUOTE (slaughter @ Mar 30 2004, 06:04 PM) |
Thanks for sharing. sland nmap can scan UDP port
CU. |
nmap is for UNIX/LINUX, right ?!?
usch
Mar 30 2004, 06:38 PM
yes it is but Superscan 4.0 (www.foundstone.com) also supports UDP scanning
regards
x1`
Mar 30 2004, 07:01 PM
so if I scan port 4000 UDP, those are the IPs with BlackICE running and the sploit will work,
using SuperScan v4
nolimit
Mar 30 2004, 07:52 PM
| QUOTE (Dickybob20 @ Mar 30 2004, 07:01 PM) |
| so if I scan port 4000 UDP, those are the IPs with BlackICE running and the sploit will work using SuperScan v4 |
No. As everyone seems to be ignoring: 4000 is the source port of the attack, from the exploiter, NOT the target. Scanning UDP port 4000 will not help.
BuzzDee
Mar 30 2004, 09:20 PM
lol, give it up - they won't believe you
clubfed already said twice what the point is and everyone keeps talking about scanning UDP port 4000...
strange ppl in here
Parce
Mar 31 2004, 05:33 PM
if you guys wanna know what program scans UDP and is command line, I'll tell ya the name... ScanLine 1.01... but it's not important, because this exploit has nothing to do with port 4000... as someone said... just get a range of IPs.. and test with all of them.. any machine may be vuln.. you'll never know