Hey Hey,

A new MS exploit showed up on milw0rm yesterday — http://www.milw0rm.com/exploits/2672 (Code is written in Python and quite easy to follow)…

Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit

The exploit requires Internet Connection Sharing to be enabled and requires that the attacker be on the shared interface (from what I’ve seen in my playing thus far).

Malicious Person — Computer with ICS — Internet

I ran Windows Updates on an XP SP2 machine immediately prior to testing this… so it *SHOULD* have been fully up-to-date

I've got additional details (and will be adding more in the morning when I've had a chance to do some more serious debugging) available at http://www.computerdefense.org/?p=149


I've also submitted this to both SANS ISC and MSRC to ensure they're aware of it