Below you will find a quick recap of a few denial of service exploits I discovered against Windows XP and selected versions of WinME. Microsoft confirmed my findings: bulletin MS01-54. The paper is a narrative and the author hopes it will be useful for newbies and an enjoyable paper for the experts. Do not hesitate to contact me at the following email address: franklin_tech_unlimitedat_private . It is also listed in the paper.

- 'ken'

----------------------------------------------

Just a side note: this paper really should be named 'I still haven't found what I'm looking for': I expected a buffer overflow.

We are attacking a server named SSDPSRV bound to port 5000 running on XP or selected versions of WinME. This is Microsoft's UPNP server that is installed and runs by default on Windows XP. In two of the three hacks we are interested in a .dll named MSVCRT.dll. This library has a page fault that can be used to crash the application.

The first DOS is simply due to bad code. We can send the application a specific header and it will crash the server. There is a page fault at 0197:78004a16 in MSVCRT.dll.

The second DOS is due to the way the SSDPSRV handles input. We can chew up memory by opening a connection, sending the proper header, and then just strings and strings of 'A's (or whatever else you like). If one connection is made and such strings are sent we will receive a page fault in MSVCRT.dll again. This time it is at 0197:010083fe. But, if we open approximately 200 connections and send the proper header followed by a string of 'A's we can deplete the system resources. Using a Pentium II 336Mhz machine I tested a Pentium IV 1.4Ghz with 128M of memory and took the system resources from 65% to 48% in 20 minutes. The only problem with this method is that it takes a substantial amount of time to send these strings over the network.

The third and final DOS is the cool one. SSDPSRV cannot handle multiple connections well. If one opens up 1018 simultaneous connections one can temporarily freeze the machine. The user's keyboard and mouse input are held in the buffer but do not appear to register. With this attack one can sink the system resources under 4% in about a second. In a minute or two the system corrects itself.
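The two resource-exhaustion conditions the post describes (an unbounded stream of bytes after a valid header, and too many simultaneous connections) are both failures to bound what a listener accepts. The following is an added example, not code from the post or from Microsoft's SSDPSRV: a receiver that caps the request head it will buffer and caps per-source and total connections. The size and connection limits are assumed values, and the sample request is a standard SSDP M-SEARCH, not the specific header the post refers to.

```python
import io
from collections import Counter

def read_head(recv, cap=4096) -> bytes:
    """Read from a socket-style recv(n) until the blank line ending the head,
    never holding more than `cap` bytes (assumed limit): a peer that streams
    'AAAA...' after a valid header is cut off instead of growing server memory."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = recv(min(1024, cap - len(buf) + 1))
        if not chunk:
            raise ValueError("peer closed before the head was complete")
        buf += chunk
        if len(buf) > cap:
            raise ValueError("request head exceeds %d bytes" % cap)
    return buf

def parse_head(head: bytes):
    """Split an HTTP-style SSDP head into (request line, {NAME: value})."""
    lines = head[:head.index(b"\r\n\r\n")].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().decode("ascii").upper()] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers

def recv_from_bytes(data: bytes):
    """socket.recv stand-in over a constructed byte string (demo only)."""
    return io.BytesIO(data).read

class ConnectionGate:
    """Refuse a new connection once one source, or the server as a whole,
    is at its cap (limits assumed), so a connection flood stays bounded."""
    def __init__(self, per_src=8, total=256):
        self.per_src, self.total, self.active = per_src, total, Counter()

    def admit(self, src: str) -> bool:
        if sum(self.active.values()) >= self.total or self.active[src] >= self.per_src:
            return False
        self.active[src] += 1
        return True

    def release(self, src: str) -> None:
        self.active[src] = max(0, self.active[src] - 1)

# Constructed sample: a standard SSDP M-SEARCH (assumed; not the post's header).
SAMPLE_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                  b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n')
```

`read_head(recv_from_bytes(SAMPLE_MSEARCH))` returns the well-formed head, while the same call on a header followed by a long run of 'A's raises before the buffer passes the cap.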
This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 21:22:29 PST