k-otik - Automated Script for W2K3 Malformed Packet Vuln
Results 1 to 4 of 4

Thread: k-otik - Automated Script for W2K3 Malformed Packet Vuln

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    k-otik - Automated Script for W2K3 Malformed Packet Vuln

    Yep. That didn't take long. This will prolly morph into a worm before long. If you are not aware of the issue, see this post:

    http://www.antionline.com/showthread...hreadid=266661

    Here is the link to the code used to automate the attack:

    http://www.k-otik.com/exploits/20050307.windos.c.php


    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Do you know if theres a snort signature or white hat breakdown of this exploit?

    I guess now that Sourcefire is screwing all the snort users with there new licensing scheme I will start submiting more rules to here and other forums I goto.
    That which does not kill me makes me stronger -- Friedrich Nietzche

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Not sure if one exists for snort but you can certainly craft one up in no time.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The problem with a Snort sig for this is that you would need a sig for each vulnerable server. Since the source address has to be spoofed as the same as the attacked target you either need to define a variable for each asset, ($HTTP_SERVER__1, $HTTP_SERVER_2 etc.) and then write a rule for each variable or write rules with the addresses hard coded in. The only fixed thing is the SYN flag must be set. Thus rules would look like this:-

    alert tcp $HTTP_1 any -> $HTTP_1 any (msg: "Land Attack on HTTP 1"; Flags: S; classtype: attempted-dos;)

    or

    alert tcp 192.168.1.1 any -> 192.168.1.1 any (msg: "Land Attack on HTTP 1"; Flags: S; classtype: attempted-dos;)

    You couldn't use:-

    alert tcp $HTTP_SERVERS any -> $HTTP_SERVERS any (msg: "Land Attack on HTTP 1"; Flags: S; classtype: attempted-dos;)

    when you have multiple servers because if one server talks to the other it would FP, (false Positive), though it should work if you only have one web server.

    Having said that I'm not sure that this would run in snort. It might throw an error when it parses the rules and kick out.

    [Edit]

    It doesn't blow out snort so it should work.... But it's all a bit of a waste really.... If snort picks it up then it's already done it's bit.

    It's possible you could place a react clause in the rule to RST both ends of the connection, (oer a single end since they are both "the same"), which _might_ bring the attacked server out of the loop)

    [/EDIT]
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •