CVE-2006-2370
Published: 2006-06-13
Priority: P2 (64) · CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 72.97% (99.4th percentile)
Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
Byte pattern: \x81\xc4\xff\xef\xff\xff\x44
Byte pattern: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x41\x41\x41\x41\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
- Detect DCERPC bind requests to the RRAS interface UUID 20610036-fa22-11cf-9823-00a0c911e5df version 1.0 over the SMB named pipes \ROUTER or \SRVSVC, which are the attack vector for CVE-2006-2370.
- Alert on DCERPC opcode 0x0C calls to the RRAS interface (UUID 20610036-fa22-11cf-9823-00a0c911e5df) with oversized request buffers (~0x4000 bytes), indicative of the stack overflow exploit.
- Alert on DCERPC opcode 0x0A calls to the RRAS interface (UUID 20610036-fa22-11cf-9823-00a0c911e5df) sent twice in rapid succession, indicative of the RASMAN registry overflow exploit (key creation, then trigger).
- Monitor for creation or presence of the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook, which is written by the RASMAN registry overflow exploit and persists after a failed attempt.
- Detect the egghunter shellcode byte pattern \x66\x81\xca\xff\x0f\x42 in SMB/DCERPC traffic, used by the RASMAN registry overflow exploit.
- Detect the stack adjustment prepend bytes \x81\xc4\xff\xef\xff\xff\x44 in DCERPC payloads over SMB, used by RRAS exploit shellcode to adjust ESP before execution.
- Flag anomalous svchost.exe network activity on TCP 445 involving large DCERPC stub data (~16 KB) to the RRAS interface, as the exploit payload is padded to 0x4000 bytes.
- The RASMAN registry overflow exploit can only be attempted once per target system without manual cleanup. A failed attempt (wrong target offset) leaves a persistent registry key that prevents re-exploitation until it is manually removed.
- On Windows 2000, exploitation requires valid SMB credentials (authenticated attack). On Windows XP SP1, the SMB pipe must be \SRVSVC instead of the default \ROUTER.
- A failed exploit attempt targets svchost.exe (which hosts the RRAS service), so a crash will also bring down other services sharing that svchost.exe process.
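The first two detection notes above can be turned into a stateful check over DCERPC traffic. The following parser is an added example written for this page, not code from the original page or from any of the listed modules: it records which presentation context a bind attaches to the RRAS interface UUID, then flags an opnum 0x0C request on that context whose stub is at least 0x4000 bytes. It assumes little-endian DREP and treats 0x4000 as the "oversized" threshold; the PDU builders produce constructed sample traffic for offline testing.

```python
import struct
import uuid

RRAS_IFACE = uuid.UUID("20610036-fa22-11cf-9823-00a0c911e5df")  # from the notes above
PTYPE_REQUEST, PTYPE_BIND = 0, 11
OVERSIZED_STUB = 0x4000  # assumed threshold for an "oversized" stub (~16 KB)
HDR = 16                 # common DCERPC v5 header length

def scan_pdus(pdus):
    """Walk DCERPC v5 PDUs in order (little-endian DREP assumed) and return findings."""
    bound = {}      # presentation context id -> abstract-syntax UUID seen in bind requests
    findings = []
    for pdu in pdus:
        if len(pdu) < HDR or pdu[0] != 5:
            continue                                  # not a DCERPC v5 PDU
        ptype, frag_len = pdu[2], struct.unpack_from("<H", pdu, 8)[0]
        if ptype == PTYPE_BIND and len(pdu) >= HDR + 12:
            n_ctx, off = pdu[HDR + 8], HDR + 12
            for _ in range(n_ctx):                    # 24 bytes + 20 per transfer syntax
                if off + 24 > len(pdu):
                    break
                ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
                bound[ctx_id] = iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
                if iface == RRAS_IFACE:
                    findings.append(f"bind ctx {ctx_id} to RRAS interface")
                off += 24 + 20 * n_ts
        elif ptype == PTYPE_REQUEST and len(pdu) >= HDR + 8:
            ctx_id, opnum = struct.unpack_from("<HH", pdu, HDR + 4)
            stub_len = frag_len - (HDR + 8)           # stub data follows the 8-byte request header
            if bound.get(ctx_id) == RRAS_IFACE and opnum == 0x0C and stub_len >= OVERSIZED_STUB:
                findings.append(f"RRAS opnum 0x0C with {stub_len:#x}-byte stub")
    return findings

def _hdr(ptype, frag_len):
    # ver 5.0, ptype, flags FIRST|LAST, DREP little-endian, frag_length, auth_length, call_id
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 3, 0x10, frag_len, 0, 1)

def build_bind(ctx_id, iface):
    """Constructed bind PDU with one context element (sample data, not captured traffic)."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)    # frag sizes, assoc group, n_ctx
    body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<I", 1)
    body += bytes(20)                                        # one transfer syntax, not inspected
    return _hdr(PTYPE_BIND, HDR + len(body)) + body

def build_request(ctx_id, opnum, stub):
    """Constructed request PDU: alloc_hint, context id, opnum, then the stub."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _hdr(PTYPE_REQUEST, HDR + len(body)) + body

# Constructed sample session: bind to RRAS, then an opnum 0x0C call with a 0x4000-byte stub.
SAMPLE = [build_bind(0, RRAS_IFACE), build_request(0, 0x0C, bytes(OVERSIZED_STUB))]
```

A request on a context that was never bound to the RRAS UUID, or with a small stub, produces no finding, which keeps the rule from firing on ordinary RPC traffic.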
No detection rules found.
Exploit-DB: Microsoft RRAS Service - RASMAN Registry Overflow (MS06-025) (Metasploit)
exploitdb · 2010-08-25

```ruby
##
# $Id: ms06_025_rasmans_reg.rb 10150 2010-08-25 20:55:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The class header, initialize and super(update_info(...)) lines were lost
  # in extraction and are restored here in the standard Metasploit 3 form.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft RRAS Service RASMAN Registry Overflow',
      'Description' => %q{
          This module exploits a registry-based stack buffer overflow in the Windows Routing
          and Remote Access Service. Since the service is hosted inside svchost.exe,
          a failed exploit attempt can cause other system services to fail as well.
          A valid username and password is required to exp
```
Exploit-DB: Microsoft RRAS Service - Remote Overflow (MS06-025) (Metasploit)
exploitdb · 2010-05-09

```ruby
##
# $Id: ms06_025_rras.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The class header, initialize and super(update_info(...)) lines were lost
  # in extraction and are restored here in the standard Metasploit 3 form.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft RRAS Service Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in the Windows Routing and Remote
          Access Service. Since the service is hosted inside svchost.exe, a failed
          exploit attempt can cause other system services to fail as well. A valid
          username and password is required to exploit this flaw on Windows 2000.
          When attacking X
```
Exploit-DB: Microsoft Windows - RRAS RASMAN Registry Stack Overflow (MS06-025) (Metasploit)
exploitdb · 2006-06-29

```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025_rasman;
use base "Msf::Exploit";
use strict;
use Pex::DCERPC;
use Pex::SMB;
use Pex::NDR;

my $advanced = {
    'FragSize'    => [ 256, 'The DCERPC fragment size' ],
    'BindEvasion' => [ 0, 'IDS Evasion of the Bind request' ],
    'DirectSMB'   => [ 0, 'Use direct SMB (445/tcp)' ],
};

my $info = {
    'Name' => 'Microsoft RRAS MS
```
Exploit-DB: Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)
exploitdb · 2006-06-22

```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025;
use base "Msf::Exploit";
use strict;
use Pex::DCERPC;
use Pex::NDR;

my $advanced = {
    'FragSize'    => [ 256, 'The DCERPC fragment size' ],
    'BindEvasion' => [ 0, 'IDS Evasion of the Bind request' ],
    'DirectSMB'   => [ 0, 'Use direct SMB (445/tcp)' ],
};

my $info = {
    'Name' => 'Microsoft RRAS MSO6-025 Stack Overflow',
    'Versi
```
Metasploit: MS06-025 Microsoft RRAS Service Overflow
This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
Metasploit: MS06-025 Microsoft RRAS Service RASMAN Registry Overflow
This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key be
No writeups or analysis indexed.
References
- http://secunia.com/advisories/20630
- http://securitytracker.com/id?1016285
- http://www.kb.cert.org/vuls/id/631516
- http://www.osvdb.org/26437
- http://www.securityfocus.com/bid/18325
- http://www.us-cert.gov/cas/techalerts/TA06-164A.html
- http://www.vupen.com/english/advisories/2006/2323
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-025
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26812
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1587
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1720
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1741
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1823
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1936
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2061