29 Oct
Another talk about MS08-067
Hi again
I'm sure you know about this critical, wormable vulnerability. Immediately after the vulnerability was released, the Win32.Gimmiv worm was released too. This worm uses the vulnerability and, after it is first executed, runs as a Windows service. But I'm sure this worm is not the last worm based on this vulnerability.
The vulnerability exists in the Server Service's Remote Procedure Call (RPC) handling: an attacker can trigger a stack-based buffer overflow by sending a crafted request to the vulnerable path-canonicalization function, "NetPathCanonicalize()". The service is reached over the network through the named pipe "\\pipe\srvsvc" on the file-sharing (SMB) transport, so on Windows 2000, XP and Server 2003 an unauthenticated attacker gets code execution as SYSTEM on the remote machine (on Vista and Server 2008 the call requires authentication).
Exploiting this vulnerability on Windows 2000 and XP SP1, SP2 and SP3 is really fun: you just send an RPC request to the srvsvc interface (UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188, version 3.0) to get a reliable EIP and code execution. On Windows 2000 and XP SP1, and of course on XP SP2 and SP3 without DEP, you need nothing more than a return address pointing at a jmp or call esi (or edi) instruction, because those registers point into attacker-controlled data when the overwritten return address is used.
And about Windows XP SP2 and SP3 with DEP:
You can return into the code in ACGENRAL.DLL that calls NtSetInformationProcess() to disable DEP for the current process. Of course you need a scratch location (a static, writable memory address), because that code writes its argument through [ebp+arg_0], so ebp must point at writable memory; you can find such a location in ACGENRAL.DLL too.
HD Moore, an independent security researcher, used this method to execute shellcode. On Windows XP SP3 you can use the same method (per-process DEP disable through ACGENRAL.DLL), of course with a different address for the NtSetInformationProcess() call.
From HDM:
The actual function we use to disable NX looks like this:
push 4                                      ; ProcessInformationLength = sizeof(DWORD)
lea eax, [ebp+arg_0]                        ; ProcessInformation -> local DWORD (ebp must point at writable memory)
push eax
push 22h                                    ; ProcessInformationClass = ProcessExecuteFlags (0x22)
push 0FFFFFFFFh                             ; ProcessHandle = -1 (NtCurrentProcess)
mov [ebp+arg_0], 2                          ; MEM_EXECUTE_OPTION_ENABLE: allow execution from non-executable pages
call ds:__imp__NtSetInformationProcess@16   ; ntdll!NtSetInformationProcess(-1, 0x22, &flags, 4)
I wrote my own reliable exploit and maybe in the future I will publish it for everyone.
And about the GIMMIV worm:
Full discussion:
http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx
The executable "WinbaseInst.exe" is the worm component; you can see the worm's service after executing the binary, as in the following picture:
You can be sure this worm uses this vulnerability from the UUID found in basesvc.dll in %SystemRoot%\system32\wbem.
After the worm scans and finds a vulnerable system through the srvsvc interface (UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188), it runs download-and-execute shellcode, as in the following picture:
This worm uses a random number and a random server for downloading its files. I'm sure this worm has different compiled versions (for leaked servers and AVs). Maybe in another post I will discuss this worm completely.
You can read the full post about reversing the MS08-067 patch here:
http://www.dontstuffbeansupyournose.com
Next post will be patch analysis, part 1.
For now, test your skills by writing your own worm for this vulnerability.
Best regards and happy hacking