Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Messenger Service DoS

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785

    Messenger Service DoS

    The folks at LSD have come out with a “proof of concept” code that will cause the victim computer to re-boot if they are running the messenger service...as if ads weren't bad enough. While most of us have disabled this service a long time ago there will be many who have not.

    From the remarks:

    /*

    DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
    Launching it one or two times against the target should make the
    machine reboot. Tested against a Win2K SP4.

    "The vulnerability results because the Messenger Service does not
    properly validate the length of a message before passing it to the allocated
    buffer" according to MS bulletin. Digging into it a bit more, we find that when
    a character 0x14 in encountered in the 'body' part of the message, it is
    replaced by a CR+LF. The buffer allocated for this operation is twice the size
    of the string, which is the way to go, but is then copied to a buffer which
    was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks
    and overflow the fixed size buffer.

    Credits go to LSD

    */
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    huh... a while back I tried to overflow the buffer too...

    guess I wasn't doing it right! LoL

    thanks for the heads up. (though people should not even have this service running... we killed it a long time ago)

  3. #3
    Nice post...


    For those n00bs that aren't sure on how to disable this spawn of satan--

    1. Open Control Panel
    2. Double-click Administrative Tools.
    3. Double-click Services.
    4. Double-click Messenger.
    5. In the Startup type list, click Disabled.
    6. Click Stop, and then click OK.

  4. #4
    Thanx Conf1rm3d_K1ll , for the steps to disable the service (Iwas wondering how should i do it).

    The FACT that people ignore FACTS
    doesnt mean that FACTS are not FACTS

  5. #5
    Do point me elsewhere if this has already been covered, but what does the messenger service actually do? If it is disabled, apart from not dying a slow and painful death, what else will not happen on my computer? Is it purely for MS/internet messages? Will it cause any issues across the corporate network?

    I just want to check before I recommend that we get this disabled corporately. I don't like looking totally stupid.

  6. #6
    Schrodinger the messanger sevice is used to send pop-ups to another machine
    try it by going into dos and typing
    Code:
    net send compname then this will be msg displayed
    a little box like an error msg will pop-up on the computer whos name you specified - the name can be that comps name on network or an ip addy

    heh could you not DoS someone by simply putting

    Code:
    :LOOP
    @echo off
    net send 127.0.0.1 is this annoying yet?
    GOTO LOOP
    in a .bat file and leaving it running -

    v_Ln

  7. #7
    valhallen - thank you. That is what I thought it might be. Given our users ability to ignore VERY IMPORTANT AND URGENT messages, I think I could leave that running for a week before some people complained. And then it would be that their keyboard wasn't working ( missing keystrokes ).

    All I have to do now is convince people that it isn't worth having running. We mainly use this for telling people that email is down - so maybe we will have to keep email running instead.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Schrodinger i wouldn't woryy about it in a corporate environment behind a firewall. fws block these messages from the internet.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    OFFTOPIC:

    heh could you not DoS someone by simply putting

    <code>
    :LOOP
    @echo off
    net send 127.0.0.1 is this annoying yet?
    GOTO LOOP
    </code>

    in a .bat file and leaving it running -
    I know someone who did this on their high school network. They were an assistant (and very immature). They had the login script copy it to everyone startup folders, along with copying it to a "hidden" folder and adding an entry to the .reg to start it at boot. (these machines were not secured by any means... default installs of 2k and the admins gave the assistants admin access... DUH!)

    Instead of hitting one machine, he sent the message to the whole domain (on purpose)... but every single box was doing it! Every computer monitor filled with messages from different machines. Nobody knew what was going on... everyone was rebooting, etc. problem still happening. He was just sitting there laughing his a$$ off! Everyone knew he had something to do with it.

    Needless to say... he is no longer an assistant and got suspended from school.
    Though.. he said given the chance, he'd do it again, just to see the admins faces again!

    Some people will never grow up...

  10. #10
    Thanks for both how to disable it and the actual information itself. I'm gonna try that on my own network, pretty funny if it kills the family computer Do you consider it a large vulnerability? Like if my home computer has messanger running. Could I message myself 'net send <my IP> 0x14 0x14 0x14 0x14 0x14' will that crash my computer?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •