In vstudio command prompt: mk.bat

vendor:

Windows 2000

by:

milw0rm.com

9.3

CVSS

HIGH

Stack Overflow

121

CWE

Product Name: Windows 2000

Affected Version From: 2k

Affected Version To: 2k3

Patch Exists: YES

Related CWE: CVE-2008-4250

CPE: o:microsoft:windows_2000

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2008

In vstudio command prompt: mk.bat

This vulnerability is a stack overflow vulnerability which allows an attacker to execute arbitrary code on the target system. It occurs when a program writes more data to a buffer than it can hold, and the extra data overwrites adjacent memory locations. This can corrupt data, crash the program, or cause the execution of malicious code.

Mitigation:

The best way to mitigate stack overflow vulnerabilities is to use secure coding practices. This includes using secure coding libraries, avoiding the use of dangerous functions, and using secure coding techniques such as bounds checking.

Source

Exploit-DB raw data:

In vstudio command prompt:

  mk.bat

next:

  attach debugger to services.exe (2k) or the relevant svchost (xp/2k3/...)

  net use \\IPADDRESS\IPC$ /user:user creds
  die \\IPADDRESS \pipe\srvsvc

  In some cases, /user:"" "", will suffice (i.e., anonymous connection)

You should get EIP -> 00 78 00 78, a stack overflow (like a guard page
violation), access violation, etc.  However, in some cases, you will get
nothing.

This is because it depends on the state of the stack prior to the "overflow".
You need a slash on the stack prior to the input buffer.

So play around a bit, you'll get it working reliably...

poc:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6824.zip (2008-ms08-067.zip)

# milw0rm.com [2008-10-23]