On Jul 16th, 2003,LSD published that they had discovered a critical security vulnerability in all recent versions of Microsoft operating systems. The vulnerability affects default installations of Windows NT 4.0, Windows 2000, Windows XP as well as Windows 2003 Server.But they didn't publish codes or any technical details.For analysing and exploit the vulnerability,Members of Xfocus have researched the problem and read the code day after night.Through the process,we find the "Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability",and now we have gotton the reason of vulnerability found by LSD.We thanks all members of xfocus and yuange,EYAS,IPXODI,these guys gave us much help.And at the same time, we admire LSD for their brightness.
Analysis
In fact,MS03-026 fix two vulnerabilities,one is the local stack overflow and the other is remote stack overflow .They both result from the same interface,the improper API is following:
HRESULT CoGetInstanceFromFile(
COSERVERINFO * pServerInfo,
CLSID * pclsid,
IUnknown * punkOuter,
DWORD dwClsCtx,
DWORD grfMode,
OLECHAR * szName,
ULONG cmq,
MULTI_QI * rgmqResults
);
The sixth Parameter is szName ,In MSDN it is said: File to initialize the object with using IPersistFile::Load. May not be NULL. This parameter will result in buff overflow.
When the filename is too long ,the windows will produce a local buff voerflow,because the GetPathForServer function of RPCSS only has 0x220 space. however the API checks the file in local first ,and we can't create a file which filename is long than 0x220.So we can't use this API to expoit, but we can use fuction of LPC by constructing packet . Here we only focus on remote stack overflow:)
After the client transfer the Parameter to the server, the server will translate it to format as following:
Then the server will get the servername first,But here is wrong, the windows Does not check the parameter,only assigns the stack of 0x20 , 0x20 is MAX length of NETBIOS name.Then buff overflow comes into being.
the key code is list as following:
GetPathForServerú║
.text:761543DA push ebp
.text:761543DB mov ebp, esp
.text:761543DD sub esp, 20h <-----the length is ony 0x20
.text:761543E0 mov eax, [ebp+arg_4]
.text:761543E3 push ebx
.text:761543E4 push esi
.text:761543E5 mov esi, [ebp+hMem]
.text:761543E8 push edi
.text:761543E9 push 5Ch
.text:761543EB pop ebx
.text:761543EC mov [eax], esi
.text:761543EE cmp [esi], bx
.text:761543F1 mov edi, esi
.text:761543F3 jnz loc_761544BF
.text:761543F9 cmp [esi+2], bx
.text:761543FD jnz loc_761544BF
.text:76154403 lea eax, [ebp+String1] <-----------addr to place servername ,only have the length of 0X20
.text:76154406 push 0
.text:76154408 push eax
.text:76154409 push esi <----------------------here is the parameter of filename
.text:7615440A call GetMachineName
.......................................................... when the fuction return ,it will be buffer overflow.
GetMachineName:
.text:7614DB6F mov eax, [ebp+arg_0]
.text:7614DB72 mov ecx, [ebp+arg_4]
.text:7614DB75 lea edx, [eax+4]
.text:7614DB78 mov ax, [eax+4]
.text:7614DB7C cmp ax, 5Ch <-----------------check if it is 0X5C,if yes,the servername is over
.text:7614DB84 mov [ecx], ax <----------------write the servername to addr,if longer than 0x20,buff overflow comes into being
.text:7614DB87 inc ecx
.text:7614DB88 inc ecx
.text:7614DB89 mov ax, [ecx+edx]
.text:7614DB8D cmp ax, 5Ch
.text:7614DB91 jnz short loc_7614DB84
.text:7614DB93
Now here we find the problem and can exploit it.The only question is that the "\\servername" is named bye system,but we can construct it ourselves by sending malformed messages.
BTW,there can't include "0x5c" in the shellcode because the function GetMachineName checks it .
Exploit:
1íóThe exploit uses JMP ESP (FF E4)to jump ,so we should adjuse the address to other windows version;
2íóThe shellcode can connect reversedú¼so we should run nc -l -p XXX first;
3íóThe length of shellcode must be sizeof(shellcode)%16=12 ,if not please fill with 0x90,or the packet formatof RPC will be wrong;
4íóBefore the buffer overflow return ,the 2 Parameters after return address need to be used ,so we should these addresses can be written.
5íóThe exploit use JMP ESP,and we can expoit by overlaying SEH.
Xfocus is a non-profit and free technology organization which was founded in 1998 in China. We are devoting to research and demonstration of weaknesses related to network services and communication security.
We hope that we can use new technical tools to achieve our goal, and to broaden our outlook. We also hope we can communicate and help with each other through this amazing Internet.
