[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Proof of concept for Windows Messenger Service overflow

To: Hanabishi Recca <recca@mail.ru>
Subject: Re: [Full-Disclosure] Proof of concept for Windows Messenger Service overflow
From: Paul Tinsley <pdt@jackhammer.org>
Date: Sat, 18 Oct 2003 19:53:30 -0500

I compiled the PoC DOS with one small change so that it would accept IP addresses from the command line instead of recompiling per test. I ran the dos several times per OS, here are the results I got (none of the test systems have the KB828035 hotfix applied.)

Windows 2000 Advanced Server SP4: System Crash: http://www.jackhammer.org/exploits/ms03-043/ms03-043_2KASsp4_POC_DOS.jpg

Windows XP Gold:
No effect

Windows XP SP1:
No effect

Windows 2003 Server Enterprise Edition (default config):
No effect

Windows 2003 Server Enterprise Edition (Messenger Service turned on):
No effect

Doesn't look like this one is the silver bullet to catch them all (*phew*) but it does bring us a bit closer to this hole turning ugly.

Hanabishi Recca wrote:

/*

DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the machine
reboot. Tested against a Win2K SP4.

"The vulnerability results because the Messenger Service does not properly
validate the length of a message before passing it to the allocated buffer"
according to MS bulletin. Digging into it a bit more, we find that when a
character 0x14 in encountered in the 'body' part of the message, it is replaced
by a CR+LF. The buffer allocated for this operation is twice the size of the
string, which is the way to go, but

DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the machine
reboot. Tested against a Win2K SP4.

"The vulnerability results because the Messenger Service does not properly
validate the length of a message before passing it to the allocated buffer"
according to MS bulletin. Digging into it a bit more, we find that when a
character 0x14 in encountered in the 'body' part of the message, it is replaced
by a CR+LF. The buffer allocated for this operation is twice the size of the
string, which is the way to go, but is then copied to a buffer which was only
allocated 11CAh bytes. Thanks to that, we can bypass the length checks and
overflow the fixed size buffer.

Credits go to LSD :)

*/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re[2]: [Full-Disclosure] Proof of concept for Windows Messenger Serviceoverflow
  - From: "Hanabishi Recca" <recca@mail.ru>

References:
- [Full-Disclosure] Proof of concept for Windows Messenger Service overflow
  - From: "Hanabishi Recca" <recca@mail.ru>

Prev by Date: Re: [Full-Disclosure] [IE] Pure html DOS although some version require minor user interaction ( highlighting/minimising )
Next by Date: Re: [Full-Disclosure] Question: is this exploitable?
Previous by thread: [Full-Disclosure] Proof of concept for Windows Messenger Service overflow
Next by thread: Re[2]: [Full-Disclosure] Proof of concept for Windows Messenger Serviceoverflow
Index(es):
- Date
- Thread