Windows 2000 Advanced Server SP4:
System Crash: http://www.jackhammer.org/exploits/ms03-043/ms03-043_2KASsp4_POC_DOS.jpg
Windows XP Gold: No effect
Windows XP SP1: No effect
Windows 2003 Server Enterprise Edition (default config): No effect
Windows 2003 Server Enterprise Edition (Messenger Service turned on): No effect
Doesn't look like this one is the silver bullet to catch them all (*phew*) but it does bring us a bit closer to this hole turning ugly.
Hanabishi Recca wrote:
/*
DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4.
"The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but
DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard. Launching it one or two times against the target should make the machine reboot. Tested against a Win2K SP4.
"The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer" according to MS bulletin. Digging into it a bit more, we find that when a character 0x14 in encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but is then copied to a buffer which was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks and overflow the fixed size buffer.
Credits go to LSD :)
*/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
