.

[guidance needed] Am I doing it wrong?

<<

Makaveli

Newbie
Newbie

Posts: 3

Joined: Thu Jun 02, 2011 5:21 am

Post Tue Feb 12, 2013 2:26 pm

[guidance needed] Am I doing it wrong?

Hey fellas,

Can you please explain smth to me?

There is this vulnerability:

Code:

  Code:
http://technet.microsoft.com/en-us/security/bulletin/ms12-020


It explicitly says that it allows for remote code execution. However when I search in exploit-db for that CVE I get an exploit which does DoS on my lab and crashes the system, and it's also categorized as DOS in metasploit. So how is this arbitrary code? All over the net when looking at notes of this vulnerability, it specifically says the attacker who exploits it can create users, get information etc.

Am I missing something?
I am trying to get shell..ultimately :)
<<

DragonGorge

User avatar

Jr. Member
Jr. Member

Posts: 86

Joined: Wed Feb 08, 2012 6:30 pm

Post Tue Feb 12, 2013 2:50 pm

Re: [guidance needed] Am I doing it wrong?

IIRC, this is a vulnerability that hasn't had an exploit (to do what you want) written for it (yet).

I seem to recall seeing exploits that claimed to allow remote code execution or something similar on Pastebin BUT in reality they were bogus and ended up pwning the downloader's machine.
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Tue Feb 12, 2013 3:01 pm

Re: [guidance needed] Am I doing it wrong?

DragonGorge wrote:I seem to recall seeing exploits that claimed to allow remote code execution or something similar on Pastebin BUT in reality they were bogus and ended up pwning the downloader's machine.


An example of why you shouldn't run exploit code blindly:  http://www.insinuator.net/tag/ms12-020/
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 12, 2013 4:54 pm

Re: [guidance needed] Am I doing it wrong?

The Bulletin states that the maximum impact is RCE. That just means that the conditions are such that someone could theoretically get code to run. RDP is a complex and convoluted protocol, and RCE may only be successful under obscure circumstances.

Imagine something like a buffer overflow that only overwrites one byte of EIP. Sure, you could potentially leverage that to redirect execution flow, but you'd probably win the lottery sooner. More often than not, something like that will only result in DoS, not RCE.

I'm not that familiar with the details of 12-020, but there are clearly some serious hurdles to overcome.
The day you stop learning is the day you start becoming obsolete.
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Feb 12, 2013 9:28 pm

Re: [guidance needed] Am I doing it wrong?

Rumors are there is a real exploit floating around.

When I looked at this to see if exploitation was possible, I started with a 2 second packet capture of the RDP protocol, saw 10K packets in wireshark and said, well effff this bug. I'm out.

Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software