A stack-based buffer overflow in the ProcessDataReceivedOnSocket function in the Microsoft Telnet Server Helper (tlntsess.exe) can be used by remote unauthenticated attackers to render the Telnet server unresponsive. This module will crash the tlntsess.exe Helper process, which is in charge of handling a client connection. The tlntsvr.exe process, which is the service listening for incoming connections on port 23, will not notice that a client slot was freed due to the crash, so by triggering this vulnerability multiple times it's possible to consume all the available client slots (2 by default), making the Telnet service to refuse further incoming connections.
This module exploits a vulnerability in "tcpip.sys" by sending a large number of TCP packets with the Time Stamp option enabled. When a TCP packet is sent with a Time Stamp number smaller than the previous, the packet is added in a list an it's never removed. After sending many packets, the 139 TCP port is disabled to receive new connections.
This module exploits a vulnerability on smtpsvc.dll ( "Simple Mail Transfer Protocol" service ) via a malformed MX response packet sent by the spoofed DNS Server. This module exploits a vulnerability on smtpsvc.dll ("Simple Mail Transfer Protocol" service) via a malformed MX response packet sent by the spoofed DNS Server. When the SMTP Client ( this module ) sends an email to "[email protected]" ( "XXXXX" is a random number between 0 and 65536 ), the SMTP Server tries to resolve the IP of "dominioXXXXX.com" domain. In that moment, the SMTP Server sends a DNS request to the configurated DNS Server. This module tries to send a response to the SMTP Server before the configurated DNS Server does.
Subscribe to Windows