Thanks Thor! I thought that it was possible to tunnel the attack through HTTPS channel that the TSG generates.
Nahu. On Mar 18, 2012, at 2:11 PM, Thor (Hammer of God) wrote: > They did last time... But your advice is actually well noted :) > >> -----Original Message----- >> From: James Condron [mailto:[email protected]] >> Sent: Sunday, March 18, 2012 10:06 AM >> To: Thor (Hammer of God); [email protected]; full- >> [email protected] >> Subject: Re: [Full-disclosure] ms12-020 PoC >> >> Nobody said a word. >> >> Relax more and you might live long enough to write your next book. >> >> Sent using BlackBerry® from Orange >> >> -----Original Message----- >> From: "Thor (Hammer of God)" <[email protected]> >> Sender: [email protected] >> Date: Sun, 18 Mar 2012 17:03:25 >> To: [email protected]<[email protected]> >> Subject: Re: [Full-disclosure] ms12-020 PoC >> >> P.S. Before someone starts accusing me of "spamming" for the book, (one >> asshat tried to compare me to Juan whats-his-face once) note you can actually >> view most of the RDP chapter (and others) on the Amazon "preview a page" >> feature if you would like. >> >> If you are interested in RDP security, I suggest you take a free read on >> Amazon. Many are worried about worm activity from 020, and I am far more >> interested in pointing you to free material that helps you secure yourself >> and >> others than I am trying to make a buck on the book. >> >> If anyone has any questions about how any of this works, I'm happy to help >> if I >> can. >> >> t >> >>> -----Original Message----- >>> From: [email protected] >>> [mailto:full-disclosure- [email protected]] On Behalf Of Thor >>> (Hammer of God) >>> Sent: Sunday, March 18, 2012 9:21 AM >>> To: Nahuel Grisolía; root >>> Cc: [email protected] >>> Subject: Re: [Full-disclosure] ms12-020 PoC >>> >>> You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel. >>> Once you are authenticated and authorized, the TSGateway server will >>> establish a connection via RDP to the target server, tunneling the RDP >>> connection back to you within the RPC/HTTP(S) channel. >>> >>> As such, TSGateway is obviously unaffected by this vulnerability. For >>> those of you looking for mitigation and not kiddie code to pop a box, >>> note that simply using NLA mitigates both RDP issues. >>> >>> This might be a good time to point out than anyone who followed any of >>> my advice in the RDP chapter of Thor's Microsoft Security Bible, or who >>> is using the little ThoRDP tool I wrote (also in the book) was protected >>> from >> these >>> vulnerabilities way before they were discovered. I say that to simply >> identify >>> that some simple, effective techniques can be deployed that thwarts the >>> hours and hours people put into developing exploit code and the wasted >>> time chasing all this stuff down. *THAT* is what security is about, btw. >>> >>> t >>> >>>> -----Original Message----- >>>> From: [email protected] >>>> [mailto:full-disclosure- [email protected]] On Behalf Of >>>> Nahuel Grisolía >>>> Sent: Friday, March 16, 2012 11:41 AM >>>> To: root >>>> Cc: [email protected] >>>> Subject: Re: [Full-disclosure] ms12-020 PoC >>>> >>>> Guys, >>>> >>>> What about TS Gateway? which is actually listening on port 443 (by def)... >>>> >>>> thanks! >>>> >>>> Nahu. >>>> >>>> On 16 March 2012 15:12, root <[email protected]> wrote: >>>>> The SABU code is fake (go figure). >>>>> This python script is the first port of the Luigi code to python, >>>>> that's why sucks. >>>>> >>>>> Here are better ports: http://pastebin.com/4FnaYYMz and >>>>> http://pastebin.com/jzQxvnpj >>>>> >>>>> On 03/16/2012 02:50 PM, Exibar wrote: >>>>>> Is that the same code from yesterday? I thought that code was a >>>>>> fake and >>>> didn'kt do anything? >>>>>> >>>>>> Anyone confirm this? >>>>>> >>>>>> Exibar >>>>>> Sent via BlackBerry by AT&T >>>>>> >>>>>> -----Original Message----- >>>>>> From: kyle kemmerer <[email protected]> >>>>>> Sender: [email protected] >>>>>> Date: Fri, 16 Mar 2012 12:01:16 >>>>>> To: <[email protected]> >>>>>> Subject: [Full-disclosure] ms12-020 PoC >>>>>> >>>>>> _______________________________________________ >>>>>> Full-Disclosure - We believe in it. >>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>> >>>>>> _______________________________________________ >>>>>> Full-Disclosure - We believe in it. >>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>> >>>>> >>>>> _______________________________________________ >>>>> Full-Disclosure - We believe in it. >>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
