Hello MS08-067, My Old Friend
By Jason Matthyser on 29 November, 2016
This paper aims to guide it's reader towards building a working exploit for MS08-067, specifically targeting 64-bit systems. This was largely motivated due to the lack of known publicly available exploits against 64-bit machines not patched for MS08-067.
Introduction
Since the discovery of MS08-067, a buffer overflow vulnerability triggered by a specially crafted RPC request, much has been done to create a working exploit to target vulnerable hosts. This work by the security community was largely motivated by the vulnerability’s impact – unauthenticated remote code execution, in a SYSTEM context, against numerous versions of Microsoft Windows [1].
As a result, many publicly available proof of concept exploits (PoCs) exist for this vulnerability. It is also used by the well-known Conficker worm [2]. However, all of the publicly available PoCs were found to only target the affected 32-bit systems, prior to Windows Vista, listed in Microsoft's security bulletin [1]. Since the vulnerability's discovery, no PoCs for the affected 64-bit systems have been widely released.
The article provides an overview of the development of such a PoC. More specifically, the article targets Windows Server 2003 x64, SP0. This article does not introduce new techniques to the field of exploit development, but simply documents a real-world encounter with 64-bit exploit development, while discussing the challenges associated with 64-bit exploit development.