I haven't had time to go through the exploit in question fully, so I thought that maybe I could have the luxury of finding someone who knows how it works to explain it to me.
The exploit I am using for my tests at the moment is (the first one I found, since what it does is not really important, just that it uses the vulnerability in some way)
What I want to know is how this code in particular uses the vulnerability to get the RPC service to execute its code. From the little that I have read so far, it has something to do with the application sending some malicious code, in this case a bind shell, and then overwriting a return address in memory, so that the RPC service uses that address to return, thus executing the malicious code.
Would that be somewhat correct?
If anyone knows how it works, or is willing to read through it, then I would appreciate it. If not, then I will read through it when I have finished some Uni work this weekend and I will then write an explanation.
EDIT: I moved the topic just after creation since I figured it would fit better in the coding section ^^
The Remote Procedure Call (RPC) is a protocol used by the Windows operating system to provide seamless inter-process communication between programs running on a local machine and a remote machine. The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly across multiple network transports, including Internet protocols such as HTTP.
The RPC and DCOM protocols are linked in that the DCOM protocol listens for DCOM object activation requests that are sent by client machines on RPC-enabled ports.
The flaw exists in the DCOM interface and how malformed messages are handled and is not a flaw in the RPC process; however, it is through the RPC local/remote machine relationship that the malformed message can be passed along to the DCOM interface.
This particular vulnerability, if exploited, would provide the intruder with full Local System privileges, where they would be allowed to create new accounts with privileges, install new programs, and view, modify, or delete data. To exploit this vulnerability, a specially crafted request would need to be sent to port 135, 139, 445, 539, or any other port with RPC functionality. The malformed message delivered to the DCOM interface induces a buffer overrun error which causes the machine to fail in such a way that arbitrary code can be executed remotely.
hugs for my sweetheart
In fact, MS03-026 fixes two vulnerabilities: one is a local stack overflow and the other a remote stack overflow. They both result from the same interface; the improperly handled API is the following:

    hr = CoGetInstanceFromFile(pServerInfo, NULL, 0, CLSCTX_REMOTE_SERVER, STGM_READWRITE,
                               L"C:\\1234561111111111111111111111111.doc", 1, &qi);

The sixth parameter is szName. MSDN says of it: "File to initialize the object with using IPersistFile::Load. May not be NULL." This parameter is what results in the buffer overflow.
When the filename is too long, Windows will produce a local buffer overflow, because the GetPathForServer function of RPCSS only has 0x220 of space. However, the API checks the file locally first, and we can't create a file whose filename is longer than 0x220, so we can't use this API to exploit it; but we can use the LPC function by constructing the packet ourselves. Here we only focus on the remote stack overflow :)
After the client transfers the parameter to the server, the server will translate it into the following format:

    L"\\servername\c$\1234561111111111111111111111111.doc"

Then the server will get the servername first, but here is where it goes wrong: Windows does not check the parameter and only allocates 0x20 on the stack (0x20 is the maximum length of a NetBIOS name). Then the buffer overflow comes into being.
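The post above describes the server rewriting the client's path into a UNC path and then copying the server-name component into a fixed 0x20 stack buffer without a length check. The following is an added example, not code from the original post and not the actual RPCSS/GetPathForServer code: a small C model of that parsing step, with the unchecked copy beside a bounds-checked version. It assumes a 16-bit WCHAR (modelled as uint16_t), a canary value standing in for whatever sits above the buffer (the post's "return address"), and hypothetical function names (build_unc, get_server_name_unchecked, get_server_name_checked, run_extraction) chosen for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR;          /* model of Windows' 16-bit wide char (assumption) */
#define MAX_NETBIOS_NAME 0x20    /* size of the server-name stack buffer per the post */
#define CANARY 0xDEADBEEFu       /* stands in for whatever sits above the buffer */

/* Hypothetical helper: widen an ASCII string into a WCHAR buffer; returns WCHARs written. */
static size_t widen(const char *s, WCHAR *out, size_t cap)
{
    size_t n = 0;
    while (s[n] != '\0' && n + 1 < cap) { out[n] = (WCHAR)(unsigned char)s[n]; n++; }
    out[n] = 0;
    return n;
}

/* Model of the server-side rewrite described in the post:
 * the client's "C:\<file>" becomes "\\<server>\c$\<file>". */
static size_t build_unc(const char *server, const char *file, WCHAR *out, size_t cap)
{
    char tmp[512];
    snprintf(tmp, sizeof tmp, "\\\\%s\\c$\\%s", server, file);
    return widen(tmp, out, cap);
}

/* Vulnerable model: copy the server-name component (between the leading "\\"
 * and the next "\") into dst with no bound on the count. Returns WCHARs copied. */
static long get_server_name_unchecked(const WCHAR *unc, unsigned char *dst)
{
    const WCHAR *p = unc;
    if (p[0] == '\\' && p[1] == '\\') p += 2;
    size_t n = 0;
    while (p[n] != 0 && p[n] != '\\') {
        memcpy(dst + n * sizeof(WCHAR), &p[n], sizeof(WCHAR));   /* never compared to 0x20 */
        n++;
    }
    WCHAR nul = 0;
    memcpy(dst + n * sizeof(WCHAR), &nul, sizeof nul);           /* terminator can land past the end too */
    return (long)n;
}

/* Hardened form: measure first, refuse anything that does not fit with its
 * terminator, and only then copy. Returns -1 on rejection. */
static long get_server_name_checked(const WCHAR *unc, unsigned char *dst, size_t cap_wchars)
{
    const WCHAR *p = unc;
    if (p[0] == '\\' && p[1] == '\\') p += 2;
    size_t n = 0;
    while (p[n] != 0 && p[n] != '\\') n++;
    if (n + 1 > cap_wchars) return -1;                           /* would overflow: refuse */
    memcpy(dst, p, n * sizeof(WCHAR));
    WCHAR nul = 0;
    memcpy(dst + n * sizeof(WCHAR), &nul, sizeof nul);
    return (long)n;
}

/* Simulated stack frame: the 0x20-WCHAR name buffer, then the canary, then slack
 * so the demo's own stack is never touched. Returns 1 if the canary was clobbered. */
static int run_extraction(const char *server, int hardened, long *copied)
{
    WCHAR unc[256];
    unsigned char frame[MAX_NETBIOS_NAME * sizeof(WCHAR) + sizeof(uint32_t) + 512];
    const size_t canary_off = MAX_NETBIOS_NAME * sizeof(WCHAR);
    uint32_t canary = CANARY, after;

    /* constructed input: the client-supplied file name quoted in the post */
    build_unc(server, "1234561111111111111111111111111.doc", unc, 256);
    memset(frame, 0, sizeof frame);
    memcpy(frame + canary_off, &canary, sizeof canary);

    long n = hardened ? get_server_name_checked(unc, frame, MAX_NETBIOS_NAME)
                      : get_server_name_unchecked(unc, frame);
    if (copied) *copied = n;
    memcpy(&after, frame + canary_off, sizeof after);
    return after != CANARY;
}

static long copied_count(const char *server, int hardened)
{
    long n;
    run_extraction(server, hardened, &n);
    return n;
}

#define NAME_32 "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"      /* exactly 0x20 chars */
#define NAME_40 NAME_32 "AAAAAAAA"

int main(void)
{
    const char *names[] = { "WIN2K", NAME_32, NAME_40 };
    for (size_t i = 0; i < 3; i++) {
        long n;
        int smashed = run_extraction(names[i], 0, &n);
        printf("unchecked len=%zu copied=%ld canary %s\n", strlen(names[i]), n, smashed ? "CLOBBERED" : "intact");
        smashed = run_extraction(names[i], 1, &n);
        printf("checked   len=%zu result=%ld canary %s\n", strlen(names[i]), n, smashed ? "CLOBBERED" : "intact");
    }
    return 0;
}
```

The 32-character case is the one worth noticing: the name itself fits in 0x20 WCHARs, but the terminator is written one past the buffer and still changes the canary, which is why the checked version reserves room for the NUL before copying rather than comparing the name length alone against the buffer size.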
Found some more on it; it appends well to the end of my last post. It's mostly the same thing, only an ASM breakdown... I can't post it though, because I get an error. I'll try to PM it to you.
lilrofl wrote: Found some more on it; it appends well to the end of my last post. It's mostly the same thing, only an ASM breakdown... I can't post it though, because I get an error. I'll try to PM it to you.