Full Disclosure mailing list archives
Re: Proof of concept for Windows Messenger Service overflow
From: Paul Tinsley <pdt () jackhammer org>
Date: Sat, 18 Oct 2003 19:53:30 -0500
I compiled the PoC DOS with one small change so that it would accept IP addresses from the command line instead of recompiling per test. I ran the dos several times per OS, here are the results I got (none of the test systems have the KB828035 hotfix applied.)
Windows 2000 Advanced Server SP4:System Crash: http://www.jackhammer.org/exploits/ms03-043/ms03-043_2KASsp4_POC_DOS.jpg
Windows XP Gold: No effect Windows XP SP1: No effect Windows 2003 Server Enterprise Edition (default config): No effect Windows 2003 Server Enterprise Edition (Messenger Service turned on): No effectDoesn't look like this one is the silver bullet to catch them all (*phew*) but it does bring us a bit closer to this hole turning ugly.
Hanabishi Recca wrote:
/* DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4. "The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4. "The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but is then copied to a buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks and overflow the fixed size buffer. Credits go to LSD :) */
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Proof of concept for Windows Messenger Service overflow Hanabishi Recca (Oct 18)
- Re: Proof of concept for Windows Messenger Service overflow Paul Tinsley (Oct 18)
- Re[2]: Proof of concept for Windows Messenger Serviceoverflow Hanabishi Recca (Oct 19)
- Re: Proof of concept for Windows Messenger Service overflow Paul Tinsley (Oct 18)