lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F91E08A.9030207@jackhammer.org>
From: pdt at jackhammer.org (Paul Tinsley)
Subject: Proof of concept for Windows Messenger Service
 overflow

I compiled the PoC DOS with one small change so that it would accept IP 
addresses from the command line instead of recompiling per test.  I ran 
the dos several times per OS, here are the results I got (none of the 
test systems have the KB828035 hotfix applied.)

Windows 2000 Advanced Server SP4:
System Crash: 
http://www.jackhammer.org/exploits/ms03-043/ms03-043_2KASsp4_POC_DOS.jpg

Windows XP Gold:
No effect

Windows XP SP1:
No effect

Windows 2003 Server Enterprise Edition (default config):
No effect

Windows 2003 Server Enterprise Edition (Messenger Service turned on):
No effect

Doesn't look like this one is the silver bullet to catch them all 
(*phew*) but it does bring us a bit closer to this hole turning ugly.

Hanabishi Recca wrote:

>/*
>
>DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
>Launching it one or two times against the target should make the machine
>reboot. Tested against a Win2K SP4.
>
>"The vulnerability results because the Messenger Service does not properly
>validate the length of a message before passing it to the allocated buffer"
>according to MS bulletin. Digging into it a bit more, we find that when a
>character 0x14 in encountered in the 'body' part of the message, it is replaced
>by a CR+LF. The buffer allocated for this operation is twice the size of the
>string, which is the way to go, but
>
>DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
>Launching it one or two times against the target should make the machine
>reboot. Tested against a Win2K SP4.
>
>"The vulnerability results because the Messenger Service does not properly
>validate the length of a message before passing it to the allocated buffer"
>according to MS bulletin. Digging into it a bit more, we find that when a
>character 0x14 in encountered in the 'body' part of the message, it is replaced
>by a CR+LF. The buffer allocated for this operation is twice the size of the
>string, which is the way to go, but is then copied to a buffer which was only
>allocated 11CAh bytes. Thanks to that, we can bypass the length checks and
>overflow the fixed size buffer.
>
>Credits go to LSD :)
>
>*/
>  
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ