Hello MS08-067, My Old Friend

By Jason Matthyser on 29 November, 2016

This paper aims to guide it's reader towards building a working exploit for MS08-067, specifically targeting 64-bit systems. This was largely motivated due to the lack of known publicly available exploits  against 64-bit machines not patched for MS08-067.


Since the discovery of MS08-067, a buffer overflow vulnerability triggered by a specially crafted RPC request, much has been done to create a working exploit to target vulnerable hosts. This work by the security community was largely motivated by the vulnerability’s impact – unauthenticated remote code execution, in a SYSTEM context, against numerous versions of Microsoft Windows [1].

As a result, many publicly available proof of concept exploits (PoCs) exist for this vulnerability. It is also used by the well-known Conficker worm [2]. However, all of the publicly available PoCs were found to only target the affected 32-bit systems, prior to Windows Vista, listed in Microsoft's security bulletin [1]. Since the vulnerability's discovery, no PoCs for the affected 64-bit systems have been widely released.

The article provides an overview of the development of such a PoC. More specifically, the article targets Windows Server 2003 x64, SP0. This article does not introduce new techniques to the field of exploit development, but simply documents a real-world encounter with 64-bit exploit development, while discussing the challenges associated with 64-bit exploit development.


[1] https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

[2] https://en.wikipedia.org/wiki/Conficker

[3] http://www.phreedom.org/blog/2008/decompiling-ms08-067/