Full Disclosure mailing list archives
ms04-006 exploit challenges
From: yuange <yuange1975 () hotmail com>
Date: Sun, 26 Dec 2010 06:04:54 +0000
http://hi.baidu.com/yuange1975/blog/item/05118524c05a8a39d4074238.html Microsoft says this vulnerability winnt \ win2k can not refuse service, win2003 under denial of service can not only use, only that they do not understand overflow. Challenge: 1, write winnt \ win2k \ win2003 under steady use. 2, the stability of writing using a firewall. Firewall only opened tcp42, does not allow outreach services can not affect the original wins. 1 and 2 are willing to write to the company applying for Send your resume over. Vulnerable code is as follows: 0:000> uf wins!getname wins!GetName: 01011d38 55 push ebp 01011d39 8bec mov ebp,esp 01011d3b 8b4508 mov eax,dword ptr [ebp+8] 01011d3e 53 push ebx 01011d3f 56 push esi 01011d40 8b7510 mov esi,dword ptr [ebp+10h] 01011d43 8b00 mov eax,dword ptr [eax] 01011d45 33db xor ebx,ebx 01011d47 891e mov dword ptr [esi],ebx 01011d49 57 push edi 01011d4a 0fb608 movzx ecx,byte ptr [eax] 01011d4d 8bd1 mov edx,ecx 01011d4f 81e2c0000000 and edx,0C0h 01011d55 895510 mov dword ptr [ebp+10h],edx 01011d58 0f8589000000 jne wins!GetName+0xaf (01011de7) wins!GetName+0x26: 01011d5e 83e13f and ecx,3Fh 01011d61 40 inc eax 01011d62 3bcb cmp ecx,ebx 01011d64 894d10 mov dword ptr [ebp+10h],ecx 01011d67 7e28 jle wins!GetName+0x59 (01011d91) wins!GetName+0x31: 01011d69 8b7d0c mov edi,dword ptr [ebp+0Ch] 01011d6c 8d5101 lea edx,[ecx+1] 01011d6f d1ea shr edx,1 wins!GetName+0x39: 01011d71 8a08 mov cl,byte ptr [eax] 01011d73 8a5801 mov bl,byte ptr [eax+1] 01011d76 80e941 sub cl,41h 01011d79 40 inc eax 01011d7a 836d1002 sub dword ptr [ebp+10h],2 01011d7e 80eb41 sub bl,41h 01011d81 c0e104 shl cl,4 01011d84 0ad9 or bl,cl 01011d86 881f mov byte ptr [edi],bl 01011d88 47 inc edi 01011d89 40 inc eax 01011d8a ff06 inc dword ptr [esi] 01011d8c 4a dec edx 01011d8d 75e2 jne wins!GetName+0x39 (01011d71) wins!GetName+0x57: 01011d8f eb03 jmp wins!GetName+0x5c (01011d94) wins!GetName+0x59: 01011d91 8b7d0c mov edi,dword ptr [ebp+0Ch] wins!GetName+0x5c: 01011d94 b901010000 mov ecx,101h 01011d99 2b4d10 sub ecx,dword ptr [ebp+10h] wins!GetName+0x64: 01011d9c 33db xor ebx,ebx 01011d9e 3818 cmp byte ptr [eax],bl 01011da0 7434 je wins!GetName+0x9e (01011dd6) wins!GetName+0x6a: 01011da2 813eef000000 cmp dword ptr [esi],0EFh 01011da8 773d ja wins!GetName+0xaf (01011de7) wins!GetName+0x72: 01011daa 49 dec ecx 01011dab 3bcb cmp ecx,ebx 01011dad 7e38 jle wins!GetName+0xaf (01011de7) wins!GetName+0x77: 01011daf c6072e mov byte ptr [edi],2Eh 01011db2 47 inc edi 01011db3 ff06 inc dword ptr [esi] 01011db5 8a10 mov dl,byte ptr [eax] 01011db7 83e23f and edx,3Fh 01011dba 2bca sub ecx,edx 01011dbc 3bcb cmp ecx,ebx 01011dbe 7e27 jle wins!GetName+0xaf (01011de7) wins!GetName+0x88: 01011dc0 40 inc eax 01011dc1 8bda mov ebx,edx 01011dc3 4a dec edx 01011dc4 85db test ebx,ebx 01011dc6 74d4 je wins!GetName+0x64 (01011d9c) wins!GetName+0x90: 01011dc8 42 inc edx wins!GetName+0x91: 01011dc9 8a18 mov bl,byte ptr [eax] 01011dcb 881f mov byte ptr [edi],bl 01011dcd 47 inc edi 01011dce 40 inc eax 01011dcf ff06 inc dword ptr [esi] 01011dd1 4a dec edx 01011dd2 75f5 jne wins!GetName+0x91 (01011dc9) wins!GetName+0x9c: 01011dd4 ebc6 jmp wins!GetName+0x64 (01011d9c) wins!GetName+0x9e: 01011dd6 40 inc eax 01011dd7 49 dec ecx 01011dd8 85c9 test ecx,ecx 01011dda 7c0b jl wins!GetName+0xaf (01011de7) wins!GetName+0xa4: 01011ddc 8b4d08 mov ecx,dword ptr [ebp+8] 01011ddf 881f mov byte ptr [edi],bl 01011de1 ff06 inc dword ptr [esi] 01011de3 8901 mov dword ptr [ecx],eax 01011de5 eb2a jmp wins!GetName+0xd9 (01011e11) wins!GetName+0xaf: 01011de7 53 push ebx 01011de8 6892030000 push 392h 01011ded 68d4200001 push offset wins!`string' (010020d4) 01011df2 6817100140 push 40011017h 01011df7 6a01 push 1 01011df9 68010000e0 push 0E0000001h 01011dfe e8330b0000 call wins!WinsEvtLogEvt (01012936) 01011e03 53 push ebx 01011e04 53 push ebx 01011e05 53 push ebx 01011e06 680a0000e0 push 0E000000Ah 01011e0b ff1598100001 call dword ptr [wins!_imp__RaiseException (01001098) ] wins!GetName+0xd9: 01011e11 5f pop edi 01011e12 5e pop esi 01011e13 5b pop ebx 01011e14 5d pop ebp 01011e15 c20c00 ret 0Ch 0:000> http://www.microsoft.com/technet/security/bulletin/MS04-006.mspx Technical description: A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets. On Windows Server 2003 this vulnerability could allow an attacker who sent a series of specially-crafted packets to a WINS server to cause the service to fail. Most likely, this could cause a denial of service, and the service would have to be manually restarted to restore functionality. The possibility of a denial of service on Windows Server 2003 results from the presence of a security feature that is used in the development of Windows Server 2003. This security feature detects when an attempt is made to exploit a stack-based buffer overrun and reduces the chance that it can be easily exploited. This security feature can be forced to terminate the service to prevent malicious code execution. On Windows Server 2003, when an attempt is made to exploit the buffer overrun, the security feature reacts and terminates the service. This results in a denial of service condition of WINS. Because it is possible that methods may be found in the future to bypass this security feature, which could then enable code execution, customers should apply the update. For more information about these security features, visit the following Web site. On Windows NT and Windows 2000, the nature of the vulnerability is slightly different. WINS will reject the specially-crafted packet and the attack does not result in a denial of service. The vulnerability on these platforms also does not allow code execution. Microsoft is releasing a security update for these platforms that corrects the vulnerable code as a preventive measure to help protect these platforms in case methods are found in the future to exploit this vulnerability. Mitigating factors: • The WINS service is not installed by default. • On Windows Server 2003, WINS automatically restarts if it fails. After the third automatic restart, WINS requires a manual restart to restore functionality. • On Windows 2000 and Windows NT 4.0, WINS contains the vulnerable code. However, on these platforms this issue does not cause a denial of service. • The vulnerability would not enable an attacker to gain any privileges on an affected system. Under the most likely attack scenario, this issue is strictly a denial of service. • Firewall best practices and standard default firewall configurations can help protect networks from remote attacks that originate outside the enterprise perimeter. Best practices recommend blocking all ports that are not being used. In most network configurations, the WINS server is not available for connection from over the Internet.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- ms04-006 exploit challenges yuange (Dec 25)
- Re: ms04-006 exploit challenges yuange (Dec 26)