Microsoft Windows Server - Code Execution PoC MS08-067

2008-10-23T00:00:00
ID EDB-ID:6824
Type exploitdb
Reporter stephen lawler
Modified 2008-10-23T00:00:00

Description

MS Windows Server Service Code Execution PoC (MS08-067). CVE-2008-4250. Dos exploit for windows platform

                                        
                                            In vstudio command prompt:

  mk.bat

next:

  attach debugger to services.exe (2k) or the relevant svchost (xp/2k3/...)

  net use \\IPADDRESS\IPC$ /user:user creds
  die \\IPADDRESS \pipe\srvsvc

  In some cases, /user:"" "", will suffice (i.e., anonymous connection)

You should get EIP -> 00 78 00 78, a stack overflow (like a guard page
violation), access violation, etc.  However, in some cases, you will get
nothing.

This is because it depends on the state of the stack prior to the "overflow".
You need a slash on the stack prior to the input buffer.

So play around a bit, you'll get it working reliably...

poc:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/6824.zip (2008-ms08-067.zip)

# milw0rm.com [2008-10-23]