[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] ms04-006 exploit challenges



 
    
http://hi.baidu.com/yuange1975/blog/item/fa2935389de768d0d56225b5.html#comment
 
    0x101+(0x3f+1)/2+1=0x122,  buff  ebp-140 ,can not rewrite eip?
 
 
 
 
VOID GetName(   IN  OUT LPBYTE    *pName,
 IN  OUT LPBYTE    Name,
 OUT LPDWORD   NameLen
 )
{
   int    Length;  
   int    MaxLen   = 0x101; 
   int    nbtlen;

   *NameLen = 0;  
   if (( *pName &0xc0) != 0) goto error;
   Length = *pName &0x3f;

   pName++;  
  nbtlen=(Length+1)/2;
   while(nbtlen > 0 )
   {
 
 Length -= 2;     
 *Name++  =(((*pName ++- 'A')<< 4) | (*pName ++ - 'A'));
 (*NameLen)++;
 nbtlen--;
 
   } 
   MaxLen -= Length;
 /*
     bug! 
      Length=0  or Length=-1?
     MaxLen -= (*NameLen);
*/
 
  while(TRUE)
  {
    ...
  }
    if (--inLen >= 0) {
        *Name++ = 0;  
    } else {
        goto error;
    }
   (*NameLen)++;   
   return;
error:
  WinsEvtLogEvt(...);
 RaiseException(...);
   return;
}
 
 
 
0:000> uf  NmsMsgfProcNbtReq
wins!NmsMsgfProcNbtReq:
01011abe 55              push    ebp
01011abf 8bec            mov     ebp,esp
01011ac1 6aff            push    0FFFFFFFFh
01011ac3 6850210001      push    offset wins!`string'+0x7c (01002150)
01011ac8 6880280101      push    offset wins!_except_handler3 (01012880)
01011acd 64a100000000    mov     eax,dword ptr fs:[00000000h]
01011ad3 50              push    eax
01011ad4 64892500000000  mov     dword ptr fs:[0],esp
01011adb 51              push    ecx
01011adc 51              push    ecx
01011add 81ec74020000    sub     esp,274h
01011ae3 53              push    ebx
01011ae4 56              push    esi
01011ae5 57              push    edi
01011ae6 8965e8          mov     dword ptr [ebp-18h],esp
01011ae9 c785bcfeffff01000000 mov dword ptr [ebp-144h],1
01011af3 8365dc00        and     dword ptr [ebp-24h],0
01011af7 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
01011afa 897dd8          mov     dword ptr [ebp-28h],edi
01011afd 8365fc00        and     dword ptr [ebp-4],0
01011b01 8a5f02          mov     bl,byte ptr [edi+2]
01011b04 c1eb03          shr     ebx,3
01011b07 83e30f          and     ebx,0Fh
01011b0a 895de0          mov     dword ptr [ebp-20h],ebx
01011b0d 8d470c          lea     eax,[edi+0Ch]
01011b10 8945d8          mov     dword ptr [ebp-28h],eax
01011b13 8945c4          mov     dword ptr [ebp-3Ch],eax
01011b16 8d45c8          lea     eax,[ebp-38h]
01011b19 50              push    eax
01011b1a 8d85c0feffff    lea     eax,[ebp-140h]
/*
buff, ebp-140
0x101+0x21=0x122
 can not rewrite eip ?
*/
01011b20 50              push    eax
01011b21 8d45d8          lea     eax,[ebp-28h]
01011b24 50              push    eax
01011b25 e815020000      call    wins!GetName (01011d3f)

 
 
 
 

 


From: yuange1975@xxxxxxxxxxx
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: ms04-006 exploit challenges
Date: Sun, 26 Dec 2010 06:04:54 +0000




 
 
     http://hi.baidu.com/yuange1975/blog/item/05118524c05a8a39d4074238.html
 
 
 
   Microsoft says this vulnerability winnt \ win2k can not refuse service, 
win2003 under denial of service can not only use, only that they do not 
understand overflow.

Challenge:

1, write winnt \ win2k \ win2003 under steady use.

2, the stability of writing using a firewall. Firewall only opened tcp42, does 
not allow outreach services can not affect the original wins.

1 and 2 are willing to write to the company applying for Send your resume over.

 

Vulnerable code is as follows:
 
 
 
0:000> uf wins!getname
wins!GetName:
01011d38 55              push    ebp
01011d39 8bec            mov     ebp,esp
01011d3b 8b4508          mov     eax,dword ptr [ebp+8]
01011d3e 53              push    ebx
01011d3f 56              push    esi
01011d40 8b7510          mov     esi,dword ptr [ebp+10h]
01011d43 8b00            mov     eax,dword ptr [eax]
01011d45 33db            xor     ebx,ebx
01011d47 891e            mov     dword ptr [esi],ebx
01011d49 57              push    edi
01011d4a 0fb608          movzx   ecx,byte ptr [eax]
01011d4d 8bd1            mov     edx,ecx
01011d4f 81e2c0000000    and     edx,0C0h
01011d55 895510          mov     dword ptr [ebp+10h],edx
01011d58 0f8589000000    jne     wins!GetName+0xaf (01011de7)
wins!GetName+0x26:
01011d5e 83e13f          and     ecx,3Fh
01011d61 40              inc     eax
01011d62 3bcb            cmp     ecx,ebx
01011d64 894d10          mov     dword ptr [ebp+10h],ecx
01011d67 7e28            jle     wins!GetName+0x59 (01011d91)
wins!GetName+0x31:
01011d69 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
01011d6c 8d5101          lea     edx,[ecx+1]
01011d6f d1ea            shr     edx,1
wins!GetName+0x39:
01011d71 8a08            mov     cl,byte ptr [eax]
01011d73 8a5801          mov     bl,byte ptr [eax+1]
01011d76 80e941          sub     cl,41h
01011d79 40              inc     eax
01011d7a 836d1002        sub     dword ptr [ebp+10h],2
01011d7e 80eb41          sub     bl,41h
01011d81 c0e104          shl     cl,4
01011d84 0ad9            or      bl,cl
01011d86 881f            mov     byte ptr [edi],bl
01011d88 47              inc     edi
01011d89 40              inc     eax
01011d8a ff06            inc     dword ptr [esi]
01011d8c 4a              dec     edx
01011d8d 75e2            jne     wins!GetName+0x39 (01011d71)
wins!GetName+0x57:
01011d8f eb03            jmp     wins!GetName+0x5c (01011d94)
wins!GetName+0x59:
01011d91 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
wins!GetName+0x5c:
01011d94 b901010000      mov     ecx,101h
01011d99 2b4d10          sub     ecx,dword ptr [ebp+10h]
wins!GetName+0x64:
01011d9c 33db            xor     ebx,ebx
01011d9e 3818            cmp     byte ptr [eax],bl
01011da0 7434            je      wins!GetName+0x9e (01011dd6)
wins!GetName+0x6a:
01011da2 813eef000000    cmp     dword ptr [esi],0EFh
01011da8 773d            ja      wins!GetName+0xaf (01011de7)
wins!GetName+0x72:
01011daa 49              dec     ecx
01011dab 3bcb            cmp     ecx,ebx
01011dad 7e38            jle     wins!GetName+0xaf (01011de7)
wins!GetName+0x77:
01011daf c6072e          mov     byte ptr [edi],2Eh
01011db2 47              inc     edi
01011db3 ff06            inc     dword ptr [esi]
01011db5 8a10            mov     dl,byte ptr [eax]
01011db7 83e23f          and     edx,3Fh
01011dba 2bca            sub     ecx,edx
01011dbc 3bcb            cmp     ecx,ebx
01011dbe 7e27            jle     wins!GetName+0xaf (01011de7)
wins!GetName+0x88:
01011dc0 40              inc     eax
01011dc1 8bda            mov     ebx,edx
01011dc3 4a              dec     edx
01011dc4 85db            test    ebx,ebx
01011dc6 74d4            je      wins!GetName+0x64 (01011d9c)
wins!GetName+0x90:
01011dc8 42              inc     edx
wins!GetName+0x91:
01011dc9 8a18            mov     bl,byte ptr [eax]
01011dcb 881f            mov     byte ptr [edi],bl
01011dcd 47              inc     edi
01011dce 40              inc     eax
01011dcf ff06            inc     dword ptr [esi]
01011dd1 4a              dec     edx
01011dd2 75f5            jne     wins!GetName+0x91 (01011dc9)
wins!GetName+0x9c:
01011dd4 ebc6            jmp     wins!GetName+0x64 (01011d9c)
wins!GetName+0x9e:
01011dd6 40              inc     eax
01011dd7 49              dec     ecx
01011dd8 85c9            test    ecx,ecx
01011dda 7c0b            jl      wins!GetName+0xaf (01011de7)
wins!GetName+0xa4:
01011ddc 8b4d08          mov     ecx,dword ptr [ebp+8]
01011ddf 881f            mov     byte ptr [edi],bl
01011de1 ff06            inc     dword ptr [esi]
01011de3 8901            mov     dword ptr [ecx],eax
01011de5 eb2a            jmp     wins!GetName+0xd9 (01011e11)
wins!GetName+0xaf:
01011de7 53              push    ebx
01011de8 6892030000      push    392h
01011ded 68d4200001      push    offset wins!`string' (010020d4)
01011df2 6817100140      push    40011017h
01011df7 6a01            push    1
01011df9 68010000e0      push    0E0000001h
01011dfe e8330b0000      call    wins!WinsEvtLogEvt (01012936)
01011e03 53              push    ebx
01011e04 53              push    ebx
01011e05 53              push    ebx
01011e06 680a0000e0      push    0E000000Ah
01011e0b ff1598100001    call    dword ptr [wins!_imp__RaiseException (01001098)
]
wins!GetName+0xd9:
01011e11 5f              pop     edi
01011e12 5e              pop     esi
01011e13 5b              pop     ebx
01011e14 5d              pop     ebp
01011e15 c20c00          ret     0Ch
0:000>
 
 
 
http://www.microsoft.com/technet/security/bulletin/MS04-006.mspx
 
Technical description: 
A security vulnerability exists in the Windows Internet Naming Service (WINS). 
This vulnerability exists because of the method that WINS uses to validate the 
length of specially-crafted packets. On Windows Server 2003 this vulnerability 
could allow an attacker who sent a series of specially-crafted packets to a 
WINS server to cause the service to fail. Most likely, this could cause a 
denial of service, and the service would have to be manually restarted to 
restore functionality.
The possibility of a denial of service on Windows Server 2003 results from the 
presence of a security feature that is used in the development of Windows 
Server 2003. This security feature detects when an attempt is made to exploit a 
stack-based buffer overrun and reduces the chance that it can be easily 
exploited. This security feature can be forced to terminate the service to 
prevent malicious code execution. On Windows Server 2003, when an attempt is 
made to exploit the buffer overrun, the security feature reacts and terminates 
the service. This results in a denial of service condition of WINS. Because it 
is possible that methods may be found in the future to bypass this security 
feature, which could then enable code execution, customers should apply the 
update. For more information about these security features, visit the following 
Web site.
On Windows NT and Windows 2000, the nature of the vulnerability is slightly 
different. WINS will reject the specially-crafted packet and the attack does 
not result in a denial of service. The vulnerability on these platforms also 
does not allow code execution. Microsoft is releasing a security update for 
these platforms that corrects the vulnerable code as a preventive measure to 
help protect these platforms in case methods are found in the future to exploit 
this vulnerability.
Mitigating factors: 




•

The WINS service is not installed by default.


•
On Windows Server 2003, WINS automatically restarts if it fails. After the 
third automatic restart, WINS requires a manual restart to restore 
functionality.


•
On Windows 2000 and Windows NT 4.0, WINS contains the vulnerable code. However, 
on these platforms this issue does not cause a denial of service. 


•
The vulnerability would not enable an attacker to gain any privileges on an 
affected system. Under the most likely attack scenario, this issue is strictly 
a denial of service. 


•
Firewall best practices and standard default firewall configurations can help 
protect networks from remote attacks that originate outside the enterprise 
perimeter. Best practices recommend blocking all ports that are not being used. 
In most network configurations, the WINS server is not available for connection 
from over the Internet. 

                                          
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/