List: full-disclosure
Subject: Re: [Full-disclosure] ms04-006 exploit challenges
From: yuange <yuange1975 () hotmail ! com>
Date: 2010-12-27 6:58:01
Message-ID: SNT104-W20C2E9FABE520EE14F9A2EC4000 () phx ! gbl
http://hi.baidu.com/yuange1975/blog/item/fa2935389de768d0d56225b5.html#comment
0x101+(0x3f+1)/2+1=0x122, buff ebp-140, can not rewrite eip?
VOID GetName( IN OUT LPBYTE *pName,
              IN OUT LPBYTE Name,
              OUT LPDWORD NameLen
            )
{
    int Length;
    int MaxLen = 0x101;
    int nbtlen;
    LPBYTE p = *pName;      /* the listing works on the pointer loaded from *pName (eax) */

    *NameLen = 0;
    if ((*p & 0xc0) != 0) goto error;
    Length = *p & 0x3f;
    p++;
    nbtlen = (Length + 1) / 2;
    /* first label: two 'A'-based characters are packed into one output byte */
    while (nbtlen > 0)
    {
        Length -= 2;
        *Name++ = (BYTE)(((p[0] - 'A') << 4) | (p[1] - 'A'));
        p += 2;
        (*NameLen)++;
        nbtlen--;
    }
    MaxLen -= Length;
    /*
    bug!
    Length=0 or Length=-1?
    MaxLen -= (*NameLen);
    */
    /* remaining labels (wins!GetName+0x64): each costs 1 + label length against MaxLen */
    while (TRUE)
    {
        ...
    }
    /* "inLen" in the original sketch; the listing at +0x9e decrements the same counter (ecx) */
    if (--MaxLen >= 0) {
        *Name++ = 0;
    } else {
        goto error;
    }
    (*NameLen)++;
    *pName = p;             /* +0xa4 stores the advanced pointer back through pName */
    return;
error:
    WinsEvtLogEvt(...);
    RaiseException(...);
    return;
}
0:000> uf NmsMsgfProcNbtReq
wins!NmsMsgfProcNbtReq:
01011abe 55 push ebp
01011abf 8bec mov ebp,esp
01011ac1 6aff push 0FFFFFFFFh
01011ac3 6850210001 push offset wins!`string'+0x7c (01002150)
01011ac8 6880280101 push offset wins!_except_handler3 (01012880)
01011acd 64a100000000 mov eax,dword ptr fs:[00000000h]
01011ad3 50 push eax
01011ad4 64892500000000 mov dword ptr fs:[0],esp
01011adb 51 push ecx
01011adc 51 push ecx
01011add 81ec74020000 sub esp,274h
01011ae3 53 push ebx
01011ae4 56 push esi
01011ae5 57 push edi
01011ae6 8965e8 mov dword ptr [ebp-18h],esp
01011ae9 c785bcfeffff01000000 mov dword ptr [ebp-144h],1
01011af3 8365dc00 and dword ptr [ebp-24h],0
01011af7 8b7d0c mov edi,dword ptr [ebp+0Ch]
01011afa 897dd8 mov dword ptr [ebp-28h],edi
01011afd 8365fc00 and dword ptr [ebp-4],0
01011b01 8a5f02 mov bl,byte ptr [edi+2]
01011b04 c1eb03 shr ebx,3
01011b07 83e30f and ebx,0Fh
01011b0a 895de0 mov dword ptr [ebp-20h],ebx
01011b0d 8d470c lea eax,[edi+0Ch]
01011b10 8945d8 mov dword ptr [ebp-28h],eax
01011b13 8945c4 mov dword ptr [ebp-3Ch],eax
01011b16 8d45c8 lea eax,[ebp-38h]
01011b19 50 push eax
01011b1a 8d85c0feffff lea eax,[ebp-140h]
/*
buff, ebp-140
0x101+0x21=0x122
can not rewrite eip ?
*/
01011b20 50 push eax
01011b21 8d45d8 lea eax,[ebp-28h]
01011b24 50 push eax
01011b25 e815020000 call wins!GetName (01011d3f)
From: yuange1975@hotmail.com
To: full-disclosure@lists.grok.org.uk
Subject: ms04-006 exploit challenges
Date: Sun, 26 Dec 2010 06:04:54 +0000
http://hi.baidu.com/yuange1975/blog/item/05118524c05a8a39d4074238.html
Microsoft says that on WinNT / Win2k this vulnerability cannot cause a denial of service, and that on Win2003 it can only be used for denial of service. That only shows they do not understand the overflow.
Challenge:
1. Write a stable exploit for WinNT / Win2k / Win2003.
2. Write a stable exploit that works through a firewall: the firewall only opens TCP 42, no outbound connections are allowed, and the original WINS service must not be affected.
Anyone willing to write 1 and 2 can apply to the company; send your resume over.
Vulnerable code is as follows:
0:000> uf wins!getname
wins!GetName:
01011d38 55 push ebp
01011d39 8bec mov ebp,esp
01011d3b 8b4508 mov eax,dword ptr [ebp+8]
01011d3e 53 push ebx
01011d3f 56 push esi
01011d40 8b7510 mov esi,dword ptr [ebp+10h]
01011d43 8b00 mov eax,dword ptr [eax]
01011d45 33db xor ebx,ebx
01011d47 891e mov dword ptr [esi],ebx
01011d49 57 push edi
01011d4a 0fb608 movzx ecx,byte ptr [eax]
01011d4d 8bd1 mov edx,ecx
01011d4f 81e2c0000000 and edx,0C0h
01011d55 895510 mov dword ptr [ebp+10h],edx
01011d58 0f8589000000 jne wins!GetName+0xaf (01011de7)
wins!GetName+0x26:
01011d5e 83e13f and ecx,3Fh
01011d61 40 inc eax
01011d62 3bcb cmp ecx,ebx
01011d64 894d10 mov dword ptr [ebp+10h],ecx
01011d67 7e28 jle wins!GetName+0x59 (01011d91)
wins!GetName+0x31:
01011d69 8b7d0c mov edi,dword ptr [ebp+0Ch]
01011d6c 8d5101 lea edx,[ecx+1]
01011d6f d1ea shr edx,1
wins!GetName+0x39:
01011d71 8a08 mov cl,byte ptr [eax]
01011d73 8a5801 mov bl,byte ptr [eax+1]
01011d76 80e941 sub cl,41h
01011d79 40 inc eax
01011d7a 836d1002 sub dword ptr [ebp+10h],2
01011d7e 80eb41 sub bl,41h
01011d81 c0e104 shl cl,4
01011d84 0ad9 or bl,cl
01011d86 881f mov byte ptr [edi],bl
01011d88 47 inc edi
01011d89 40 inc eax
01011d8a ff06 inc dword ptr [esi]
01011d8c 4a dec edx
01011d8d 75e2 jne wins!GetName+0x39 (01011d71)
wins!GetName+0x57:
01011d8f eb03 jmp wins!GetName+0x5c (01011d94)
wins!GetName+0x59:
01011d91 8b7d0c mov edi,dword ptr [ebp+0Ch]
wins!GetName+0x5c:
01011d94 b901010000 mov ecx,101h
01011d99 2b4d10 sub ecx,dword ptr [ebp+10h]
wins!GetName+0x64:
01011d9c 33db xor ebx,ebx
01011d9e 3818 cmp byte ptr [eax],bl
01011da0 7434 je wins!GetName+0x9e (01011dd6)
wins!GetName+0x6a:
01011da2 813eef000000 cmp dword ptr [esi],0EFh
01011da8 773d ja wins!GetName+0xaf (01011de7)
wins!GetName+0x72:
01011daa 49 dec ecx
01011dab 3bcb cmp ecx,ebx
01011dad 7e38 jle wins!GetName+0xaf (01011de7)
wins!GetName+0x77:
01011daf c6072e mov byte ptr [edi],2Eh
01011db2 47 inc edi
01011db3 ff06 inc dword ptr [esi]
01011db5 8a10 mov dl,byte ptr [eax]
01011db7 83e23f and edx,3Fh
01011dba 2bca sub ecx,edx
01011dbc 3bcb cmp ecx,ebx
01011dbe 7e27 jle wins!GetName+0xaf (01011de7)
wins!GetName+0x88:
01011dc0 40 inc eax
01011dc1 8bda mov ebx,edx
01011dc3 4a dec edx
01011dc4 85db test ebx,ebx
01011dc6 74d4 je wins!GetName+0x64 (01011d9c)
wins!GetName+0x90:
01011dc8 42 inc edx
wins!GetName+0x91:
01011dc9 8a18 mov bl,byte ptr [eax]
01011dcb 881f mov byte ptr [edi],bl
01011dcd 47 inc edi
01011dce 40 inc eax
01011dcf ff06 inc dword ptr [esi]
01011dd1 4a dec edx
01011dd2 75f5 jne wins!GetName+0x91 (01011dc9)
wins!GetName+0x9c:
01011dd4 ebc6 jmp wins!GetName+0x64 (01011d9c)
wins!GetName+0x9e:
01011dd6 40 inc eax
01011dd7 49 dec ecx
01011dd8 85c9 test ecx,ecx
01011dda 7c0b jl wins!GetName+0xaf (01011de7)
wins!GetName+0xa4:
01011ddc 8b4d08 mov ecx,dword ptr [ebp+8]
01011ddf 881f mov byte ptr [edi],bl
01011de1 ff06 inc dword ptr [esi]
01011de3 8901 mov dword ptr [ecx],eax
01011de5 eb2a jmp wins!GetName+0xd9 (01011e11)
wins!GetName+0xaf:
01011de7 53 push ebx
01011de8 6892030000 push 392h
01011ded 68d4200001 push offset wins!`string' (010020d4)
01011df2 6817100140 push 40011017h
01011df7 6a01 push 1
01011df9 68010000e0 push 0E0000001h
01011dfe e8330b0000 call wins!WinsEvtLogEvt (01012936)
01011e03 53 push ebx
01011e04 53 push ebx
01011e05 53 push ebx
01011e06 680a0000e0 push 0E000000Ah
01011e0b ff1598100001 call dword ptr [wins!_imp__RaiseException (01001098)]
wins!GetName+0xd9:
01011e11 5f pop edi
01011e12 5e pop esi
01011e13 5b pop ebx
01011e14 5d pop ebp
01011e15 c20c00 ret 0Ch
0:000>
http://www.microsoft.com/technet/security/bulletin/MS04-006.mspx
Technical description:
A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets. On Windows Server 2003 this vulnerability could allow an attacker who sent a series of specially-crafted packets to a WINS server to cause the service to fail. Most likely, this could cause a denial of service, and the service would have to be manually restarted to restore functionality. The possibility of a denial of service on Windows Server 2003 results from the presence of a security feature that is used in the development of Windows Server 2003. This security feature detects when an attempt is made to exploit a stack-based buffer overrun and reduces the chance that it can be easily exploited. This security feature can be forced to terminate the service to prevent malicious code execution. On Windows Server 2003, when an attempt is made to exploit the buffer overrun, the security feature reacts and terminates the service. This results in a denial of service condition of WINS. Because it is possible that methods may be found in the future to bypass this security feature, which could then enable code execution, customers should apply the update. For more information about these security features, visit the following Web site. On Windows NT and Windows 2000, the nature of the vulnerability is slightly different. WINS will reject the specially-crafted packet and the attack does not result in a denial of service. The vulnerability on these platforms also does not allow code execution. Microsoft is releasing a security update for these platforms that corrects the vulnerable code as a preventive measure to help protect these platforms in case methods are found in the future to exploit this vulnerability.
Mitigating factors:
• The WINS service is not installed by default.
• On Windows Server 2003, WINS automatically restarts if it fails. After the third automatic restart, WINS requires a manual restart to restore functionality.
• On Windows 2000 and Windows NT 4.0, WINS contains the vulnerable code. However, on these platforms this issue does not cause a denial of service.
• The vulnerability would not enable an attacker to gain any privileges on an affected system. Under the most likely attack scenario, this issue is strictly a denial of service.
• Firewall best practices and standard default firewall configurations can help protect networks from remote attacks that originate outside the enterprise perimeter. Best practices recommend blocking all ports that are not being used. In most network configurations, the WINS server is not available for connection from over the Internet.
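The arithmetic in the reply (0x101 + (0x3f+1)/2 + 1 = 0x122) and the commented-out `MaxLen -= (*NameLen);` line in the GetName sketch are easiest to check by executing the length accounting. The C below is an added example written for this page; it is not Microsoft's code and not the original poster's. It models wins!GetName's accounting as shown in the listing (constants 0x101 and 0xEF, the first-label nibble decoding, the dot-plus-label budget), selectable between the original accounting and the corrected one, and it only ever writes into its own bounded scratch buffer, so the overrun is measured rather than performed. The caller's buffer size of 0x108 is an assumption inferred from the frame layout (Name at ebp-140h, NameLen at ebp-38h); both sample names are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of wins!GetName's length accounting (added example, not Microsoft's code). */
#define GETNAME_MAXLEN     0x101  /* mov ecx,101h at wins!GetName+0x5c */
#define NAMELEN_LIMIT      0xEF   /* cmp dword ptr [esi],0EFh at wins!GetName+0x6a */
#define ASSUMED_CALLER_BUF 0x108  /* assumption: Name at ebp-140h, NameLen at ebp-38h */

enum { ACCOUNTING_ORIGINAL = 0, ACCOUNTING_FIXED = 1 };

/* Decodes an NBT name (<len><'A'-based nibble chars>, then (<len><raw label>)*, then 0)
 * the way the listing does. Returns bytes written including the NUL, -1 on the
 * listing's error path, -2 if the model itself would pass out_cap (it never does). */
int get_name_model(const uint8_t *in, size_t in_len,
                   uint8_t *out, size_t out_cap, int accounting)
{
    size_t ip, written = 0;
    int length, pairs, maxlen = GETNAME_MAXLEN;

    if (in_len == 0 || (in[0] & 0xC0) != 0) return -1;   /* 01011d4f: top two bits must be clear */
    length = in[0] & 0x3F;
    ip = 1;
    pairs = (length + 1) / 2;
    while (pairs > 0) {                                  /* +0x39 loop: first label */
        if (ip + 1 >= in_len) return -1;
        if (written >= out_cap) return -2;
        length -= 2;                                     /* sub dword ptr [ebp+10h],2 */
        out[written++] = (uint8_t)(((in[ip] - 'A') << 4) | (in[ip + 1] - 'A'));
        ip += 2;
        pairs--;
    }
    /* +0x5c: ecx = 0x101 - [ebp+10h]. length is now 0 or -1, so the original budget
     * for the remaining labels ignores the bytes already written. */
    if (accounting == ACCOUNTING_ORIGINAL)
        maxlen -= length;
    else
        maxlen -= (int)written;                          /* MaxLen -= (*NameLen) */

    for (;;) {                                           /* +0x64 loop: further labels */
        int lablen;
        if (ip >= in_len) return -1;
        if (in[ip] == 0) break;
        if (written > NAMELEN_LIMIT) return -1;          /* +0x6a */
        if (--maxlen <= 0) return -1;                    /* +0x72 */
        if (written >= out_cap) return -2;
        out[written++] = '.';                            /* +0x77 */
        lablen = in[ip] & 0x3F;
        maxlen -= lablen;                                /* 01011dba sub ecx,edx */
        if (maxlen <= 0) return -1;
        ip++;
        if (ip + (size_t)lablen > in_len) return -1;
        if (written + (size_t)lablen > out_cap) return -2;
        memcpy(out + written, in + ip, (size_t)lablen);  /* +0x91 copy loop */
        written += (size_t)lablen;
        ip += (size_t)lablen;
    }
    if (--maxlen < 0) return -1;                         /* +0x9e */
    if (written >= out_cap) return -2;
    out[written++] = 0;                                  /* +0xa4: terminating NUL */
    return (int)written;
}

/* First-level encodes 16 raw bytes as the 32 'A'..'P' chars GetName expects, with length 0x20. */
size_t encode_first_label(const uint8_t raw[16], uint8_t *out)
{
    size_t i;
    out[0] = 0x20;
    for (i = 0; i < 16; i++) {
        out[1 + 2 * i]     = (uint8_t)('A' + (raw[i] >> 4));
        out[1 + 2 * i + 1] = (uint8_t)('A' + (raw[i] & 0x0F));
    }
    return 33;
}

/* Constructed well-formed name: "WORKSTATION" padded to 15 chars, 0x00 suffix, labels "example" and "com". */
int normal_name_bytes(int accounting)
{
    uint8_t raw[16], pkt[64], out[0x200];
    size_t n;
    memset(raw, ' ', sizeof raw);
    memcpy(raw, "WORKSTATION", 11);
    raw[15] = 0x00;
    n = encode_first_label(raw, pkt);
    memcpy(pkt + n, "\x07" "example" "\x03" "com" "\x00", 13);
    n += 13;
    return get_name_model(pkt, n, out, sizeof out, accounting);
}

/* Constructed longest input the listing accepts: a 0x3f-length first label (0x20 decoded
 * bytes, leaving length == -1), then labels sized so the dot+label budget reaches 0x101
 * while every label still starts with *NameLen <= 0xEF. */
int worst_case_bytes(int accounting)
{
    static const uint8_t lablens[] = { 0x3f, 0x3f, 0x3f, 0x0e, 0x31 };
    uint8_t pkt[0x200], out[0x200];
    size_t n = 0, i;
    pkt[n++] = 0x3f;
    memset(pkt + n, 'A', 0x40);           /* 0x20 pairs are consumed for length 0x3f */
    n += 0x40;
    for (i = 0; i < sizeof lablens; i++) {
        pkt[n++] = lablens[i];
        memset(pkt + n, 'x', lablens[i]);
        n += lablens[i];
    }
    pkt[n++] = 0;
    return get_name_model(pkt, n, out, sizeof out, accounting);
}

int main(void)
{
    printf("normal name: original=%d fixed=%d bytes\n",
           normal_name_bytes(ACCOUNTING_ORIGINAL), normal_name_bytes(ACCOUNTING_FIXED));
    printf("longest accepted: original=0x%x bytes, fixed=%d (error path); assumed caller buffer 0x%x\n",
           worst_case_bytes(ACCOUNTING_ORIGINAL), worst_case_bytes(ACCOUNTING_FIXED), ASSUMED_CALLER_BUF);
    return 0;
}
```

With the original accounting the model reproduces the reply's figure of 0x122 bytes for the longest accepted input, which is larger than the 0x108 bytes available between the Name buffer and the next local in NmsMsgfProcNbtReq, while the corrected accounting rejects the same input on the error path and still decodes an ordinary name identically. The overrun stays within the frame's locals, which is consistent with the reply's question about eip and with the bulletin's description of a /GS-detected overrun on Windows Server 2003.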
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/