Re: [Full-disclosure] ms04-006 exploit challenges





http://hi.baidu.com/yuange1975/blog/item/fa2935389de768d0d56225b5.html#comment

0x101+(0x3f+1)/2+1=0x122, buff ebp-140 ,can not rewrite eip?




VOID GetName( IN OUT LPBYTE *pName,
IN OUT LPBYTE Name,
OUT LPDWORD NameLen
)
{
int Length;
int MaxLen = 0x101;
int nbtlen;

*NameLen = 0;
if (( *pName &0xc0) != 0) goto error;
Length = *pName &0x3f;

pName++;
nbtlen=(Length+1)/2;
while(nbtlen > 0 )
{

Length -= 2;
*Name++ =(((*pName ++- 'A')<< 4) | (*pName ++ - 'A'));
(*NameLen)++;
nbtlen--;

}
MaxLen -= Length;
/*
bug!
Length=0 or Length=-1?
MaxLen -= (*NameLen);
*/

while(TRUE)
{
...
}
if (--inLen >= 0) {
*Name++ = 0;
} else {
goto error;
}
(*NameLen)++;
return;
error:
WinsEvtLogEvt(...);
RaiseException(...);
return;
}



0:000> uf NmsMsgfProcNbtReq
wins!NmsMsgfProcNbtReq:
01011abe 55 push ebp
01011abf 8bec mov ebp,esp
01011ac1 6aff push 0FFFFFFFFh
01011ac3 6850210001 push offset wins!`string'+0x7c (01002150)
01011ac8 6880280101 push offset wins!_except_handler3 (01012880)
01011acd 64a100000000 mov eax,dword ptr fs:[00000000h]
01011ad3 50 push eax
01011ad4 64892500000000 mov dword ptr fs:[0],esp
01011adb 51 push ecx
01011adc 51 push ecx
01011add 81ec74020000 sub esp,274h
01011ae3 53 push ebx
01011ae4 56 push esi
01011ae5 57 push edi
01011ae6 8965e8 mov dword ptr [ebp-18h],esp
01011ae9 c785bcfeffff01000000 mov dword ptr [ebp-144h],1
01011af3 8365dc00 and dword ptr [ebp-24h],0
01011af7 8b7d0c mov edi,dword ptr [ebp+0Ch]
01011afa 897dd8 mov dword ptr [ebp-28h],edi
01011afd 8365fc00 and dword ptr [ebp-4],0
01011b01 8a5f02 mov bl,byte ptr [edi+2]
01011b04 c1eb03 shr ebx,3
01011b07 83e30f and ebx,0Fh
01011b0a 895de0 mov dword ptr [ebp-20h],ebx
01011b0d 8d470c lea eax,[edi+0Ch]
01011b10 8945d8 mov dword ptr [ebp-28h],eax
01011b13 8945c4 mov dword ptr [ebp-3Ch],eax
01011b16 8d45c8 lea eax,[ebp-38h]
01011b19 50 push eax
01011b1a 8d85c0feffff lea eax,[ebp-140h]
/*
buff, ebp-140
0x101+0x21=0x122
can not rewrite eip ?
*/
01011b20 50 push eax
01011b21 8d45d8 lea eax,[ebp-28h]
01011b24 50 push eax
01011b25 e815020000 call wins!GetName (01011d3f)









From: yuange1975@xxxxxxxxxxx
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: ms04-006 exploit challenges
Date: Sun, 26 Dec 2010 06:04:54 +0000






http://hi.baidu.com/yuange1975/blog/item/05118524c05a8a39d4074238.html



Microsoft says this vulnerability winnt \ win2k can not refuse service, win2003 under denial of service can not only use, only that they do not understand overflow.

Challenge:

1, write winnt \ win2k \ win2003 under steady use.

2, the stability of writing using a firewall. Firewall only opened tcp42, does not allow outreach services can not affect the original wins.

1 and 2 are willing to write to the company applying for Send your resume over.



Vulnerable code is as follows:



0:000> uf wins!getname
wins!GetName:
01011d38 55 push ebp
01011d39 8bec mov ebp,esp
01011d3b 8b4508 mov eax,dword ptr [ebp+8]
01011d3e 53 push ebx
01011d3f 56 push esi
01011d40 8b7510 mov esi,dword ptr [ebp+10h]
01011d43 8b00 mov eax,dword ptr [eax]
01011d45 33db xor ebx,ebx
01011d47 891e mov dword ptr [esi],ebx
01011d49 57 push edi
01011d4a 0fb608 movzx ecx,byte ptr [eax]
01011d4d 8bd1 mov edx,ecx
01011d4f 81e2c0000000 and edx,0C0h
01011d55 895510 mov dword ptr [ebp+10h],edx
01011d58 0f8589000000 jne wins!GetName+0xaf (01011de7)
wins!GetName+0x26:
01011d5e 83e13f and ecx,3Fh
01011d61 40 inc eax
01011d62 3bcb cmp ecx,ebx
01011d64 894d10 mov dword ptr [ebp+10h],ecx
01011d67 7e28 jle wins!GetName+0x59 (01011d91)
wins!GetName+0x31:
01011d69 8b7d0c mov edi,dword ptr [ebp+0Ch]
01011d6c 8d5101 lea edx,[ecx+1]
01011d6f d1ea shr edx,1
wins!GetName+0x39:
01011d71 8a08 mov cl,byte ptr [eax]
01011d73 8a5801 mov bl,byte ptr [eax+1]
01011d76 80e941 sub cl,41h
01011d79 40 inc eax
01011d7a 836d1002 sub dword ptr [ebp+10h],2
01011d7e 80eb41 sub bl,41h
01011d81 c0e104 shl cl,4
01011d84 0ad9 or bl,cl
01011d86 881f mov byte ptr [edi],bl
01011d88 47 inc edi
01011d89 40 inc eax
01011d8a ff06 inc dword ptr [esi]
01011d8c 4a dec edx
01011d8d 75e2 jne wins!GetName+0x39 (01011d71)
wins!GetName+0x57:
01011d8f eb03 jmp wins!GetName+0x5c (01011d94)
wins!GetName+0x59:
01011d91 8b7d0c mov edi,dword ptr [ebp+0Ch]
wins!GetName+0x5c:
01011d94 b901010000 mov ecx,101h
01011d99 2b4d10 sub ecx,dword ptr [ebp+10h]
wins!GetName+0x64:
01011d9c 33db xor ebx,ebx
01011d9e 3818 cmp byte ptr [eax],bl
01011da0 7434 je wins!GetName+0x9e (01011dd6)
wins!GetName+0x6a:
01011da2 813eef000000 cmp dword ptr [esi],0EFh
01011da8 773d ja wins!GetName+0xaf (01011de7)
wins!GetName+0x72:
01011daa 49 dec ecx
01011dab 3bcb cmp ecx,ebx
01011dad 7e38 jle wins!GetName+0xaf (01011de7)
wins!GetName+0x77:
01011daf c6072e mov byte ptr [edi],2Eh
01011db2 47 inc edi
01011db3 ff06 inc dword ptr [esi]
01011db5 8a10 mov dl,byte ptr [eax]
01011db7 83e23f and edx,3Fh
01011dba 2bca sub ecx,edx
01011dbc 3bcb cmp ecx,ebx
01011dbe 7e27 jle wins!GetName+0xaf (01011de7)
wins!GetName+0x88:
01011dc0 40 inc eax
01011dc1 8bda mov ebx,edx
01011dc3 4a dec edx
01011dc4 85db test ebx,ebx
01011dc6 74d4 je wins!GetName+0x64 (01011d9c)
wins!GetName+0x90:
01011dc8 42 inc edx
wins!GetName+0x91:
01011dc9 8a18 mov bl,byte ptr [eax]
01011dcb 881f mov byte ptr [edi],bl
01011dcd 47 inc edi
01011dce 40 inc eax
01011dcf ff06 inc dword ptr [esi]
01011dd1 4a dec edx
01011dd2 75f5 jne wins!GetName+0x91 (01011dc9)
wins!GetName+0x9c:
01011dd4 ebc6 jmp wins!GetName+0x64 (01011d9c)
wins!GetName+0x9e:
01011dd6 40 inc eax
01011dd7 49 dec ecx
01011dd8 85c9 test ecx,ecx
01011dda 7c0b jl wins!GetName+0xaf (01011de7)
wins!GetName+0xa4:
01011ddc 8b4d08 mov ecx,dword ptr [ebp+8]
01011ddf 881f mov byte ptr [edi],bl
01011de1 ff06 inc dword ptr [esi]
01011de3 8901 mov dword ptr [ecx],eax
01011de5 eb2a jmp wins!GetName+0xd9 (01011e11)
wins!GetName+0xaf:
01011de7 53 push ebx
01011de8 6892030000 push 392h
01011ded 68d4200001 push offset wins!`string' (010020d4)
01011df2 6817100140 push 40011017h
01011df7 6a01 push 1
01011df9 68010000e0 push 0E0000001h
01011dfe e8330b0000 call wins!WinsEvtLogEvt (01012936)
01011e03 53 push ebx
01011e04 53 push ebx
01011e05 53 push ebx
01011e06 680a0000e0 push 0E000000Ah
01011e0b ff1598100001 call dword ptr [wins!_imp__RaiseException (01001098)
]
wins!GetName+0xd9:
01011e11 5f pop edi
01011e12 5e pop esi
01011e13 5b pop ebx
01011e14 5d pop ebp
01011e15 c20c00 ret 0Ch
0:000>



http://www.microsoft.com/technet/security/bulletin/MS04-006.mspx

Technical description:
A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets. On Windows Server 2003 this vulnerability could allow an attacker who sent a series of specially-crafted packets to a WINS server to cause the service to fail. Most likely, this could cause a denial of service, and the service would have to be manually restarted to restore functionality.
The possibility of a denial of service on Windows Server 2003 results from the presence of a security feature that is used in the development of Windows Server 2003. This security feature detects when an attempt is made to exploit a stack-based buffer overrun and reduces the chance that it can be easily exploited. This security feature can be forced to terminate the service to prevent malicious code execution. On Windows Server 2003, when an attempt is made to exploit the buffer overrun, the security feature reacts and terminates the service. This results in a denial of service condition of WINS. Because it is possible that methods may be found in the future to bypass this security feature, which could then enable code execution, customers should apply the update. For more information about these security features, visit the following Web site.
On Windows NT and Windows 2000, the nature of the vulnerability is slightly different. WINS will reject the specially-crafted packet and the attack does not result in a denial of service. The vulnerability on these platforms also does not allow code execution. Microsoft is releasing a security update for these platforms that corrects the vulnerable code as a preventive measure to help protect these platforms in case methods are found in the future to exploit this vulnerability.
Mitigating factors:






The WINS service is not installed by default.



On Windows Server 2003, WINS automatically restarts if it fails. After the third automatic restart, WINS requires a manual restart to restore functionality.



On Windows 2000 and Windows NT 4.0, WINS contains the vulnerable code. However, on these platforms this issue does not cause a denial of service.



The vulnerability would not enable an attacker to gain any privileges on an affected system. Under the most likely attack scenario, this issue is strictly a denial of service.



Firewall best practices and standard default firewall configurations can help protect networks from remote attacks that originate outside the enterprise perimeter. Best practices recommend blocking all ports that are not being used. In most network configurations, the WINS server is not available for connection from over the Internet.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages