10.29.06
New MS 0day on milw0rm
A new MS exploit showed up on milw0rm yesterday: http://www.milw0rm.com/exploits/2672 (the code is written in Python and quite easy to follow).
Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit
The exploit requires Internet Connection Sharing to be enabled and requires that the attacker be on the shared interface (from what I've seen in my playing thus far).
Malicious Person --- Computer with ICS --- Internet
I ran Windows Updates on an XP SP2 machine immediately prior to testing this... so it *SHOULD* have been fully up-to-date.
I've attached a few of the details below.
HT
------
Microsoft Error Message:
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
View What's in this report:
Error signature:
szAppName: svchost.exe szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e
The .mdmp file created during the crash, loaded into WinDbg:
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(570.5ec): Access violation - code c0000005 (first/second chance not available)
0:077> .ecxr
eax=00000000 ebx=0018aef8 ecx=00000001 edx=0000022d esi=0018af44 edi=00800002
eip=6647d45e esp=0207fed0 ebp=0207ff30 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ipnathlp!DnsProcessQueryMessage+0xe8:
6647d45e 8a10 mov dl,byte ptr [eax] ds:0023:00000000=??
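
Reading the crash context above, as an added example that is not part of the original post: a short Python triage of the .ecxr record. It shows that the fault is a one-byte read through a NULL eax inside DnsProcessQueryMessage, and that eip minus the error-signature offset gives a 64 KB-aligned module base. The function name triage and the NULL_GUARD threshold are assumptions of this example.

```python
import re

# Values copied from the post: the .ecxr output and the error-signature offset.
ECXR = """\
eax=00000000 ebx=0018aef8 ecx=00000001 edx=0000022d esi=0018af44 edi=00800002
eip=6647d45e esp=0207fed0 ebp=0207ff30 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ipnathlp!DnsProcessQueryMessage+0xe8:
6647d45e 8a10 mov dl,byte ptr [eax] ds:0023:00000000=??
"""
SIGNATURE_OFFSET = 0x0001D45E  # "offset: 0001d45e" from the error report
NULL_GUARD = 0x10000           # assumption: lowest 64 KB is unmapped by default


def triage(ecxr=ECXR, sig_offset=SIGNATURE_OFFSET):
    """Classify the faulting access in an x86 WinDbg .ecxr context record."""
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", ecxr)}
    sym = re.search(r"^(\w+)!(\w+)\+0x([0-9a-f]+):$", ecxr, re.M)
    ins = re.search(r"^([0-9a-f]{8}) [0-9a-f]+\s+(\w+)\s+(.+?)\s+"
                    r"\w\w:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$", ecxr, re.M)
    if not (regs and sym and ins):
        raise ValueError("not a recognisable x86 .ecxr record")
    fault_ip, target = int(ins.group(1), 16), int(ins.group(4), 16)
    operands = ins.group(3)
    # Intel syntax puts the destination first; a memory operand there is a write.
    # Simplification: adequate for mov-style two-operand instructions only.
    access = "write" if "[" in operands.split(",")[0] else "read"
    base = re.search(r"\[(e[a-z]{2})\]", operands)
    reg = base.group(1) if base and regs.get(base.group(1)) == target else None
    return {
        "module": sym.group(1),
        "function": sym.group(2),
        "at_eip": fault_ip == regs["eip"],      # faulting line is the current eip
        "module_base": fault_ip - sig_offset,   # load address implied by the report
        "access": access,
        "target": target,
        "pointer_reg": reg,                     # register that held the bad pointer
        "null_deref": target < NULL_GUARD,
        "unreadable": ins.group(5) == "??",     # debugger could not read the byte
    }


if __name__ == "__main__":
    for key, value in triage().items():
        shown = hex(value) if type(value) is int else value
        print(f"{key:12} {shown}")
```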


myles said,
December 13, 2006 at 2:43 pm
Once it is released it is NO LONGER A 0-day, I wish you lamers could get it right.