rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Suggestion: Add BlueKeep (CVE-2019-0708) exploit module #11928

Closed FilterUnfiltered closed 5 years ago

FilterUnfiltered commented 5 years ago

A POC has finally been released here, and this is great for pentests against networks with older Windows machines, as the XP/2003 machines have a patch but not an official update. Unpatched Windows 7/2008 could also be vulnerable so this would be great for there, too.

noproto commented 5 years ago

"this is a PoC not a working exploit" from the source repo you linked

FilterUnfiltered commented 5 years ago

@noproto is that not enough to make an exploit from? Isn't it like a DoS proof of concept?

noproto commented 5 years ago

It is, just modify it and submit a pull request

FilterUnfiltered commented 5 years ago

> It is, just modify it and submit a pull request

I'm too retarded. All I do on here is find things for new modules and add a suggestion post. I can barely make scripts in Python.

ghost commented 5 years ago

That is a fake PoC. It doesn't do anything besides the RDP handshake. It doesn't trigger the UAF or have a pool spray.

FilterUnfiltered commented 5 years ago

> That is a fake PoC. It doesn't do anything besides the RDP handshake. It doesn't trigger the UAF or have a pool spray.

wait are you serious?

ghost commented 5 years ago

I have working RCE, so I know what it should look like, but it's not even just my opinion:

https://twitter.com/MalwareTechBlog/status/1134249272029802496
https://twitter.com/ryHanson/status/1134236087511949312

Also: "Generating the payloads is hard, especially when alsr is involved with it"... everything in the exploit chain is pre-calculated because XP and 7 have bad KASLR.

wvu commented 5 years ago

It was another exercise in lobbing binary blobs at RDP. @zerosum0x0's non-RCE scanner actually does more.

https://github.com/rapid7/metasploit-framework/blob/d50cf542cf05e29666ec198c6f8d3472b88d9d93/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb#L372-L388

I at least hope the author found the experience edifying.

MyEyes commented 5 years ago

The linked repo does contain a PoC for the DoS at least. Sadly the packets are malformed, and so after triggering the bug the service immediately disconnects the client and causes the BSOD.

It can be modified to trigger the use after free state properly though. That's where I'm currently stuck. Just wanted to chime in to say that the linked repository isn't a complete sham.

FilterUnfiltered commented 5 years ago

Well that's good. Does this mean we can expect an exploit for this soon?

wvu commented 5 years ago

There are already exploits, but they're not public, perhaps rightfully so. This isn't Hollywood either, so exploit R&D isn't as quick as Hugh Jackman and a bottle of wine.

MyEyes commented 5 years ago

I don't think anybody capable of writing an RCE will release it publicly unless they want to cause mayhem. The public exploits are kind of badly executed and I haven't come across one yet that properly triggers the vulnerability so that it could be used for RCE.

Finding a good gadget to write into the needed memory location to take over control flow is quite tricky as well, at least for me.

ryrnnnlaleaaa commented 5 years ago

How do I get the exploit module? I can't see it in msfconsole.

bcoles commented 5 years ago

> How do I get the exploit module? I can't see it in msfconsole.

#12283

ccondon-r7 commented 5 years ago

See: https://github.com/rapid7/metasploit-framework/pull/12283