(This article was originally published at http://honeytrap.mwcollect.org/msexploit.)
If you have followed IT security blogs or mailing lists lately, you are aware that a critical vulnerability in the Server service of Microsoft Windows (MS08-067) was published recently. I'm not going to go into the details here; there are great resources available elsewhere (and the "reversing the ms08-067 patch" article isn't the only advice on exploiting holes you get on that page).
OK, what have we got this time? One of our honeytrap sensors caught an MS08-067 exploitation attempt today, which we take as an example to show how to perform a quick analysis and check what it does. If you want to play along, get the (sanitized) pcap from here.
Now, the first thing we would normally do is take a look at the packet trace. Some people are said to be able to decode hex SMB messages in their head; as we aren't among those, we prefer the amazing Wireshark (or tshark for the command-line folks), which does the decoding for us. Here's the list of packets (shortened and wrapped):
Alright, packet 19 contains a bind call for the srvsvc interface, which contains the vulnerable NetPathCanonicalize function. That function gets called for the first time in packet 22, with the following payload:
Note the \..\.. pattern at offset 0x14, which is what triggers the vulnerability. And hey, there seems to be some shellcode right behind it. Alright, as usual, we get our copy of libemu's sctest utility out and feed it with the packet payload:
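The triage steps above (spot the srvsvc bind, spot the NetPathCanonicalize request, find the \..\.. pattern and carve what follows it for sctest) can be scripted once the DCERPC PDUs have been pulled out of the SMB transport. The following is an added example, not code from the original post or from honeytrap; it works on bare DCERPC PDUs as Wireshark's dcerpc layer shows them, and the PDUs it runs on are constructed here (the "shellcode" after the traversal is a placeholder byte string, not real shellcode from the sanitized pcap). The srvsvc interface UUID, the NDR transfer syntax UUID and opnum 0x1f for NetPathCanonicalize are the real values; everything else (function names, the sample path, the packet layout of the builders) is this example's own.

```python
import struct
import uuid

# srvsvc interface UUID as Wireshark shows it in the bind; on the wire DCERPC
# uses little-endian field order, i.e. uuid.bytes_le.
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
NETPATHCANONICALIZE_OPNUM = 0x1F                  # srvsvc opnum 31
TRAVERSAL = "\\..\\..".encode("utf-16-le")        # the path argument is UTF-16LE

PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
HDR_LEN = 16          # common DCERPC header
REQ_STUB_OFFSET = 24  # header + alloc_hint(4) + context_id(2) + opnum(2)


def is_srvsvc_bind(pdu):
    """True for a DCERPC v5 bind whose context list carries the srvsvc UUID."""
    return (len(pdu) >= HDR_LEN and pdu[0] == 5 and pdu[2] == PTYPE_BIND
            and SRVSVC_UUID.bytes_le in pdu[HDR_LEN:])


def netpathcanonicalize_stub(pdu):
    """Return the stub data if pdu is a request for opnum 0x1f, else None."""
    if len(pdu) < REQ_STUB_OFFSET or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return None
    opnum, = struct.unpack_from("<H", pdu, 22)
    return pdu[REQ_STUB_OFFSET:] if opnum == NETPATHCANONICALIZE_OPNUM else None


def carve_after_traversal(stub):
    """Find the \\..\\.. pattern in the stub; return (offset, bytes after it).

    The trailing bytes are what one would hand to sctest; NUL padding is
    stripped. Returns None when the pattern is absent.
    """
    off = stub.find(TRAVERSAL)
    if off < 0:
        return None
    return off, stub[off + len(TRAVERSAL):].rstrip(b"\x00")


def triage(pdus):
    """Summarise MS08-067 indicators over a list of DCERPC PDUs."""
    result = {"srvsvc_bind": False, "requests": []}
    for idx, pdu in enumerate(pdus):
        if is_srvsvc_bind(pdu):
            result["srvsvc_bind"] = True
            continue
        stub = netpathcanonicalize_stub(pdu)
        if stub is None:
            continue
        hit = carve_after_traversal(stub)
        if hit is not None:
            result["requests"].append((idx, hit[0], hit[1]))
    return result


# --- constructed sample traffic (hypothetical, not the post's pcap) ---------

def _header(ptype, body_len, call_id=1):
    # ver 5.0, ptype, flags FIRST|LAST, drep LE/ASCII, frag_len, auth_len, call_id
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, HDR_LEN + body_len, 0, call_id)


def build_bind(interface=SRVSVC_UUID):
    ctx = struct.pack("<BBH", 1, 0, 0)                 # one context element
    ctx += struct.pack("<HBB", 0, 1, 0)                # ctx_id 0, one transfer syntax
    ctx += interface.bytes_le + struct.pack("<I", 3)   # abstract syntax, version 3.0
    ctx += NDR_UUID.bytes_le + struct.pack("<I", 2)    # NDR transfer syntax, v2
    body = struct.pack("<HHI", 4280, 4280, 0) + ctx    # max_xmit, max_recv, assoc_group
    return _header(PTYPE_BIND, len(body)) + body


def build_request(opnum, stub):
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub  # alloc_hint, ctx_id, opnum
    return _header(PTYPE_REQUEST, len(body)) + body


def build_sample_stub():
    """NetPathCanonicalize stub with a NULL server name and a path argument
    that carries the traversal, followed by a placeholder 'shellcode' marker."""
    path_w = ("\\" + "A" * 8 + "\\..\\..").encode("utf-16-le")
    placeholder = b"\x90" * 4 + b"\xcc\xc3"   # stand-in bytes, not real shellcode
    body = path_w + placeholder + b"\x00" * 4
    n = len(body) // 2
    return b"\x00\x00\x00\x00" + struct.pack("<III", n, 0, n) + body


def sample_pdus():
    return [
        build_bind(),                                                   # like packet 19
        build_request(NETPATHCANONICALIZE_OPNUM, build_sample_stub()),  # like packet 22
        build_request(0x0F, b"\x00" * 8),                               # some other srvsvc call
    ]


if __name__ == "__main__":
    summary = triage(sample_pdus())
    print("srvsvc bind seen:", summary["srvsvc_bind"])
    for idx, off, blob in summary["requests"]:
        print(f"PDU {idx}: traversal at stub offset {off:#x}, "
              f"{len(blob)} trailing bytes for sctest: {blob.hex()}")
```

The carve is deliberately naive (everything after the pattern, minus NUL padding): it is a triage aid for pulling bytes into sctest, not a decoder of the conformant varying string, so on a real capture you still check the result against Wireshark's decode of the path argument before trusting the offset.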