Abysssec Security Research

hi again

i,m sure you know about this ciritical / wormable  vulnerability  . immediate after releasing vulnerability Win32.Gimmiv worm released too . this worm use this vulnerability and will run after first execute as a windows service . but i,m sure this worm is not last worm based on this vulnerability .

this vulnerability specifically exists on Server Service Remote Procedure Call (RPC) handling, where an attacker could perform a stacked-based buffer overflow by sending a request to a vulnerable function, “NetPathCanonicalize()”. In this way an attacker may escalate privileges, using the named pipe “\\pipe\srvsvc” to access other machines over the network via the pipe’s file sharing service.

exploiting this vulnerability On win 2k and XP SP1 Sp2 and Sp3  is really fun just rpc requset to based on 4b324fc8-1670-01d3-1278-5a47bf6ee188 to getting reliable eip and code executing . in windows xp sp1 and 2k and of course windows xp sp2 and sp3 with no dep you need just a jmp or call esi or edi register for code executing .

and about windows xp sp2 and sp3 with dep :

you can use address of NtSetInformationProcess call  in ACGENRAL.DLL for disable DEP  of course you need Scratch ( read/write static memory location) and you can find that in ACCGENRAL.dll too .

hd moore independent security researcher used this method for executing shellcode . in windows xp sp3 you can use this method  (using pre-process disable in ACCGENRAL.dll ) (of course with differing address of calling NtSetInformationProcess()) .

from hdm :

The actual function we use to disable NX looks like this:

push    4
lea     eax, [ebp+arg_0]
push    eax
push    22h
push    0FFFFFFFFh
mov     [ebp+arg_0], 2
call    ds:__imp__NtSetInformationProcess@16
i wrote my own reliable exploit and maybe in future i public that for all

and about GIMMIV  worm :

full discussion :

http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx

The executable “WinbaseInst.exe” is the worm component you can see  worm service after executing binary following this picture :

you can be sure this worm use this vulnerability from founded UUID in basesvc.dll in %SystemRoot%\system32\wbem

after worm scanned and found vulnerable system using 4b324fc8-1670-01d3-1278-5a47bf6ee188 worm run download and execute shellcode following this picture :

this worm use random number and random server for downloading files . i,m sure this worm  have different compiled version (for leaked servers and AV’s ) . maybe in another post i discuss about this worm completely.

you can read full post about reversing ms08-067 patch here :

http://www.dontstuffbeansupyournose.com

next post will be patch analysis part 1

for now test your skills for write your own worm with this vulnerability .

best regards and have nice hacking