18.11.05

Microsoft Windows RPC Memory Allocation Remote Denial of Service Exploit

While working on the exploit for MS05-047 I came across a condition where a specially crafted request to upnp_getdevicelist causes services.exe to consume memory until the target machine's virtual memory is exhausted. This exploit is NOT similar to the MS05-047 exploit I published earlier. The earlier one trashed the EIP of the target, causing a crash in services.exe that eventually forced the system to shut down. In this exploit (again a DOS) the virtual memory is consumed to a point where desktop requests (like clicking "My Computer"), HTTP requests, SMB requests etc. do not get serviced for some time. After a while the memory usage comes down and the target system works as normal. However, when this code is executed continuously against a target it leads to a sustained DOS attack. Start the task manager on the target system, run this code against the target and watch the virtual memory usage shoot up.

I used windbg to break on calls to upnp_getdevicelist while running this code. However, even before the breakpoint is hit the system becomes unresponsive. Strangely, changing the operation number in the DCERPC request to anything other than 0xa (upnp_getdevicelist) makes the DOS attempt fail. Perhaps changing the payload a little, so that the underlying demarshalling routines don't return an error, might reproduce this effect for other UPNP operations as well.

TESTED ON: Windows 2000 Server SP0, SP2 and SP3. I have not tested this on any of the above machines with the recent hotfixes for UPNP applied.

Note: This code is for educational and/or testing purposes by authorized persons on networks systems setup for such purposes. The author shall bear no responsibility for any damage caused by using this code.
Note from editor: Windowz is almost as insecure as OSX