This module exploits a vulnerability on "wins.exe" sending a DNS request packet followed by a RESET connection. When the WINS service tries to answer this request, the "send" function fails and an exception is produced triggering the bug. At the end, the WINS port ( port 42 ) is verified to know if the service is listening or it was broken.
The vulnerability is caused due to a WSD message with a long header value, this can lead to memory corruption within the process hosting WSDApi.dll. This can cause the service or application to crash. To be clear, the vulnerability is in the Windows module used to interact with devices that support Web Services on Devices, and does not affect the devices themselves.
A stack-based buffer overflow in the ProcessDataReceivedOnSocket function in the Microsoft Telnet Server Helper (tlntsess.exe) can be used by remote unauthenticated attackers to render the Telnet server unresponsive. This module will crash the tlntsess.exe Helper process, which is in charge of handling a client connection. The tlntsvr.exe process, which is the service listening for incoming connections on port 23, will not notice that a client slot was freed due to the crash, so by triggering this vulnerability multiple times it's possible to consume all the available client slots (2 by default), making the Telnet service to refuse further incoming connections.
This module exploits a vulnerability in "tcpip.sys" by sending a large number of TCP packets with the Time Stamp option enabled. When a TCP packet is sent with a Time Stamp number smaller than the previous, the packet is added in a list an it's never removed. After sending many packets, the 139 TCP port is disabled to receive new connections.
Subscribe to Remote