Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ms12-020 PoC

From: Nahuel Grisolia <nahuel.grisolia () gmail com>
Date: Sun, 18 Mar 2012 16:12:36 -0300
Thanks Thor!

I thought that it was possible to tunnel the attack through HTTPS channel that the TSG generates.

Nahu.

On Mar 18, 2012, at 2:11 PM, Thor (Hammer of God) wrote:


They did last time...  But your advice is actually well noted :)  


-----Original Message-----
From: James Condron [mailto:james () zero-internet org uk]
Sent: Sunday, March 18, 2012 10:06 AM
To: Thor (Hammer of God); full-disclosure-bounces () lists grok org uk; full-
disclosure () lists grok org uk
Subject: Re: [Full-disclosure] ms12-020 PoC

Nobody said a word.

Relax more and you might live long enough to write your next book.

Sent using BlackBerry® from Orange

-----Original Message-----
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Sender: full-disclosure-bounces () lists grok org uk
Date: Sun, 18 Mar 2012 17:03:25
To: full-disclosure () lists grok org uk<full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] ms12-020 PoC

P.S. Before someone starts accusing me of "spamming" for the book, (one
asshat tried to compare me to Juan whats-his-face once) note you can actually
view most of the RDP chapter (and others) on the Amazon "preview a page"
feature if you would like.

If you are interested in RDP security, I suggest you take a free read on
Amazon.   Many are worried about worm activity from 020, and I am far more
interested in pointing you to free material that helps you secure yourself and
others than I am trying to make a buck on the book.

If anyone has any questions about how any of this works, I'm happy to help if I
can.

t


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure- bounces () lists grok org uk] On Behalf Of Thor
(Hammer of God)
Sent: Sunday, March 18, 2012 9:21 AM
To: Nahuel Grisolía; root
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] ms12-020 PoC

You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel.
Once you are authenticated and authorized, the TSGateway server will
establish a connection via RDP to the target server, tunneling the RDP
connection back to you within the RPC/HTTP(S) channel.

As such, TSGateway is obviously unaffected by this vulnerability.  For
those of you looking for mitigation and not kiddie code to pop a box,
note that simply using NLA mitigates both RDP issues.

This might be a good time to point out than anyone who followed any of
my advice in the RDP chapter of Thor's Microsoft Security Bible, or who
is using the little ThoRDP tool I wrote (also in the book) was protected from

these

vulnerabilities way before they were discovered.   I say that to simply

identify

that some simple, effective techniques can be deployed that thwarts the
hours and hours people put into developing exploit code and the wasted
time chasing all this stuff down.  *THAT* is what security is about, btw.

t


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure- bounces () lists grok org uk] On Behalf Of
Nahuel Grisolía
Sent: Friday, March 16, 2012 11:41 AM
To: root
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] ms12-020 PoC

Guys,

What about TS Gateway? which is actually listening on port 443 (by def)...

thanks!

Nahu.

On 16 March 2012 15:12, root <root_ () fibertel com ar> wrote:

The SABU code is fake (go figure).
This python script is the first port of the Luigi code to python,
that's why sucks.

Here are better ports: http://pastebin.com/4FnaYYMz and
http://pastebin.com/jzQxvnpj

On 03/16/2012 02:50 PM, Exibar wrote:

Is that the same code from yesterday?  I thought that code was a
fake and

didn'kt do anything?


  Anyone confirm this?

 Exibar
Sent via BlackBerry by AT&T

-----Original Message-----
From: kyle kemmerer <krkemmerer () gmail com>
Sender: full-disclosure-bounces () lists grok org uk
Date: Fri, 16 Mar 2012 12:01:16
To: <full-disclosure () lists grok org uk>
Subject: [Full-disclosure] ms12-020 PoC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: