<<< Date Index >>>     <<< Thread Index >>>

Microsoft WINS Vulnerability + OS/SP Scanner



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
While replicating, it's possible to guess the OS and SP, in addition
you have the heap base address.
Conclusion: all needed for a skilled hacker to intrude a vulnerable
computer, however a script kiddie wont be able to do something because
each wrong hacking attempts may corrupt the WINS database and so on ,
move where this is needed to overwrite. This is where the skilled
hacker will use the heap base address retrieved while scanning to
start a bruteforce attack , nor at best, to analyze how is moving the
heap :)
For example, the exploit that I have published (v0.3) is doing a small
part of 2k with the corresponding heap base , but you will have to
update it to catch some other heap positions.

I attach the win32 binary, follow class101.org and hat-squad.com if
you are seeking for the source or FreeBSD version, I think I will
share them soon.

- -v....: lite verbose
- -vv..: ultra verbose
threads: 0-4999

else all go in HS_WINS.txt

Screenshot:

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2000 SP3

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2000 SP4

IP.............: ***:42
STATUS.........: not wins, wrong datas

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: patched
OS.............: Windows 2003 SP0

IP.............: ***:42
STATUS.........: wins enabled
VULNERABILITY..: NOT_PATCHED
OS.............: Windows 2003 SP0

IP.............: ***:42
STATUS.........: nothing received, not wins or vulnerable service freezing

etc,etc

download: http://class101.org/HS_WINS.exe



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFCc/J9LyZ8K9aT7rARAu0yAKC68ZxNKTuqwJNLQCNy31425aqLXACfYhvo
gSJT9elxPzyKOpI+CErbWlM=
=dkCW
-----END PGP SIGNATURE-----