#76161 - 2003-07-29 07:45 PM Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
Deploy-KB823980.kix
Script by NTDOC
7/29/2003 9:57AM

Here is a "frame work script" to install the recent security fix by
Microsoft - MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
You will need to modify SERVERS/PATHS/Etc. for your environment
YOUR USERS MUST HAVE LOCAL ADMIN RIGHTS TO USE THIS SCRIPT

Microsoft Knowledge Base Article - 823980
MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/default.aspx?kbid=823980

Microsoft Security Bulletin MS03-026
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

DOWNLOADS: For Windows 2000 and XP 32bit
WINDOWS 2000

http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

WINDOWS XP
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

MODIFIED CODE ON August 9, 2003
(removed the invalid /u switch for NT 4)

Windows NT 4.0 Rpcrt4.dll 4.0.1381.7219
Windows 2000 Rpcrt4.dll 5.0.2195.6753
Windows XP Rpcrt4.dll w/OUT SP1 5.1.2600.109
Windows XP Rpcrt4.dll w/SP1 5.1.2600.1230





$nul=SetOption("WrapAtEOL","On")
$nul=SetOption("Explicit","On")

; Call the main function
KB823980

Function KB823980()
  ; @INWIN=1 means an NT-family operating system
  IF @INWIN=1
    DIM $KBPath,$Admin,$KBFile,$KBRequired,$IServer,$LServer,$GetLogServer,$Rpcs,$RPCver
    $KBPath='SP\KB823980'
    IF LocalAdmin
      $RPCver=GetRPCVersion
      $Admin ='Yes'
      SELECT
        CASE @ProductType='Windows NT Workstation'
          ; NT 4: the uninstall key shows whether the patch is installed
          $KBFile='Q823980i.EXE'
          $KBRequired=KeyExist('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Q823980')
          IF $KBRequired
            ; Patch already installed
          ELSE
            $GetLogServer = GetLogServer()
            $IServer = $GetLogServer[0]
            $LServer = $GetLogServer[1]
            SHELL '%comspec% /c \\'+$IServer+'\'+$KBPath+'\'+$KBFile+' /q /z'
          ENDIF
        CASE @ProductType='Windows 2000 Professional'
          ; Windows 2000: install unless Rpcrt4.dll reports the patched version
          $KBFile='Windows2000-KB823980-x86-ENU.exe'
          IF $RPCver <> "5.00.2195.6753"
            $GetLogServer = GetLogServer()
            $IServer = $GetLogServer[0]
            $LServer = $GetLogServer[1]
            SHELL '%comspec% /c \\'+$IServer+'\'+$KBPath+'\'+$KBFile+' /u /q /z'
          ENDIF
        CASE @ProductType='Windows XP Professional' OR @ProductType='Windows XP Home Edition'
          ; Windows XP: the patched version differs with and without SP1
          $KBFile='WindowsXP-KB823980-x86-ENU.exe'
          IF @CSD = 'Service Pack 1'
            IF $RPCver <> "5.1.2600.1230"
              $GetLogServer = GetLogServer()
              $IServer = $GetLogServer[0]
              $LServer = $GetLogServer[1]
              SHELL '%comspec% /c \\'+$IServer+'\'+$KBPath+'\'+$KBFile+' /u /q /z'
            ENDIF
          ELSE
            IF $RPCver <> "5.1.2600.109"
              $GetLogServer = GetLogServer()
              $IServer = $GetLogServer[0]
              $LServer = $GetLogServer[1]
              SHELL '%comspec% /c \\'+$IServer+'\'+$KBPath+'\'+$KBFile+' /u /q /z'
            ENDIF
          ENDIF
        CASE 1
          ; 'Unknown Error..'
          EXIT @ERROR
      ENDSELECT
    ELSE
      $Admin ='No'
    ENDIF
  ENDIF
EndFunction

; Tests membership of the local Administrators group (well-known SID S-1-5-32-544)
function LocalAdmin()
  $LocalAdmin=ingroup('@wksta\'+sidtoname('S-1-5-32-544'))-1+@INWIN
endfunction

; Pings the workstation's own name and returns the address shown between [ ] in the output
Function GetCurrentIP()
  DIM $IP, $TempFile, $Line, $cf
  $TempFile = "%TEMP%\PING.TXT"
  If Exist($TempFile)
    Del $TempFile
  EndIf
  SHELL '%COMSPEC% /C PING -n 1 @WKSTA >'+$TempFile
  $IP = ""
  If Open(1, $TempFile) = 0
    $Line = ReadLine(1)
    While @ERROR = 0
      If InStr($Line,@WKSTA)
        $Line = SubStr($Line,InStr($Line,"[")+1)
        $GetCurrentIP = Substr($Line,1,InStr($Line,"]")-1)
      EndIf
      $Line = ReadLine(1)
    Loop
    $cf = Close(1)
  EndIf
  If Exist($TempFile)
    Del $TempFile
  EndIf
EndFunction

; Returns an array: [0] = install server, [1] = log server,
; chosen by IP address first and by domain otherwise
Function GetLogServer()
  DIM $InstallerArray[2],$IP,$UserDomain,$spServer,$LogServer
  $UserDomain=@DOMAIN
  $IP=GetCurrentIP
  SELECT
    CASE InStr($IP, '132.36.')
      $spServer='none'
      $LogServer='APPSERVER1'
      EXIT @ERROR
    CASE InStr($IP, '122.124.111')
      $spServer='FPSERV2'
      $LogServer='APPSERVER1'
    CASE InStr($IP, '122.124.112')
      $spServer='FPSERV2'
      $LogServer='APPSERVER1'
    CASE $UserDomain='DOMAIN1'
      $spServer='FPSERV3'
      $LogServer='APPSERVER3'
    CASE $UserDomain='DOMAIN2'
      $spServer='FPSERV1'
      $LogServer='APPSERVER1'
    CASE $UserDomain='DOMAIN3'
      $spServer='FPSERV4'
      $LogServer='APPSERVER1'
    CASE 1
      $spServer='FPSERV1'
      $LogServer='APPSERVER1'
  ENDSELECT

  $InstallerArray[0]=$spServer
  $InstallerArray[1]=$LogServer
  $GetLogServer=$InstallerArray
EndFunction

; Product version string of the installed Rpcrt4.dll
Function GetRPCVersion()
  $GetRPCVersion = GetFileVersion('%windir%\system32\Rpcrt4.dll', 'Productversion')
endfunction



[ 14. August 2003, 08:09: Message edited by: NTDOC ]
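
Added example, not part of NTDOC's script: the Windows 2000 and XP branches above run the installer whenever Rpcrt4.dll reports anything other than one exact version string, so a numeric "at least this build" test is one way to keep the check stable if a later update raises the version or the string is formatted as 5.00 rather than 5.0. `VerCompare` and `RpcPatched` are hypothetical helper names; the minimum versions are the ones listed in the post.

```kixtart
; Added example - VerCompare() and RpcPatched() are illustrative names,
; not part of the original Deploy-KB823980.kix.

; Compare two dotted version strings field by field as numbers.
; Returns -1 if $a < $b, 0 if equal, 1 if $a > $b, so
; "5.00.2195.6753" and "5.0.2195.6753" compare as equal.
Function VerCompare($a, $b)
    Dim $pa, $pb, $i, $x, $y, $max
    $VerCompare = 0
    $pa = Split($a, '.')
    $pb = Split($b, '.')
    $max = UBound($pa)
    If UBound($pb) > $max
        $max = UBound($pb)
    EndIf
    For $i = 0 To $max
        ; a missing trailing field counts as 0
        $x = 0
        $y = 0
        If $i <= UBound($pa)  $x = Val($pa[$i])  EndIf
        If $i <= UBound($pb)  $y = Val($pb[$i])  EndIf
        If $x <> $y
            $VerCompare = 1
            If $x < $y  $VerCompare = -1  EndIf
            Exit 0
        EndIf
    Next
EndFunction

; Returns 1 if the installed Rpcrt4.dll is at or above $MinVer, else 0.
; $MinVer has to be chosen per OS and service pack, as the script above
; does, because each branch has its own patched build number.
; An unreadable file version is treated as "not patched".
Function RpcPatched($MinVer)
    Dim $ver
    $RpcPatched = 0
    $ver = GetFileVersion('%windir%\system32\Rpcrt4.dll', 'ProductVersion')
    If $ver <> ''
        If VerCompare($ver, $MinVer) >= 0
            $RpcPatched = 1
        EndIf
    EndIf
EndFunction

; Usage with the Windows XP SP1 value from the table in the post
If Not RpcPatched('5.1.2600.1230')
    ? 'Rpcrt4.dll is below the MS03-026 build, patch required'
EndIf
```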

#76162 - 2003-07-30 07:22 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
Looks like I was ahead of the game this time. Management came to me and asked if we could roll this out tomorrow.

Sure... no problem. [Big Grin]

#76163 - 2003-07-30 08:02 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
"Sure no problem ... just that I will have to work through the night on this, and at much overtime and banked vacation days expense to you !!" [Wink] - nice one.

[edit]

You old pro-active kixfart you !

-Shawn

[ 30. July 2003, 20:03: Message edited by: Shawn ]

#76164 - 2003-07-30 09:14 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
LOL [Big Grin]

http://www.minasidownloads.com/nws0307.htm

#76165 - 2003-07-31 03:52 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Anonymous
Unregistered


Man that was fast!! [Smile] I have a newb question. Is this script version dependent? I'm running 4.12. I have stripped out everything from my debug.kix scripts except for this:

$nul=SetOption("WrapAtEOL","On")
$nul=SetOption("Explicit","On")

Function GetCurrentIP()
  DIM $IP, $TempFile, $Line, $cf
  $TempFile = "%TEMP%\PING.TXT"
  If Exist($TempFile)
    Del $TempFile
  EndIf
  SHELL '%COMSPEC% /C PING -n 1 @WKSTA >'+$TempFile
  $IP = ""
  If Open(1, $TempFile) = 0
    $Line = ReadLine(1)
    While @ERROR = 0
      If InStr($Line,@WKSTA)
        $Line = SubStr($Line,InStr($Line,"[")+1)
        $GetCurrentIP = Substr($Line,1,InStr($Line,"]")-1)
      EndIf
      $Line = ReadLine(1)
    Loop
    $cf = Close(1)
  EndIf
  If Exist($TempFile)
    Del $TempFile
  EndIf
EndFunction

? "Login Script Complete"
EXIT

When I run kix in debug mode it shows the Function GetCurrentIP() line and then goes right to ? "Login Script Complete" next. What am I missing?

Thanks

#76166 - 2003-07-31 03:57 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
LOL... You stripped out too much. All that is left is the UDF definition but nothing to call it. See the FAQ on how to use UDFs.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#76167 - 2003-07-31 08:55 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
DevFrag,

Please review and copy the code from above. Microsoft changed the documentation on how to determine if this patch was applied, so I changed my script accordingly.

The above code also has the command to call the Main function. Only modify the stuff that pertains to the names and usage of your servers.

If you are all one Domain then the GetLogServer() function could be removed or modified with appropriate changes to the calling Function as well.

For testing, in place of the SHELL command maybe replace it with a ? and then add some @ERROR @SERROR code to see the returned values.

Make sure you have the SERVER/SHARES/PATHS working correctly.

Also, please post any CODE within the [ ] code brackets so that it preserves the formatting, or better yet, use POST PREP to post to this board.

There is a link in my signature to get PostPrep.

#76168 - 2003-07-31 08:59 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
Trivia tidbit for regular KiX-aholics

What is in the code above that is NOT KiX related but is still invalid. [Wink]

hint... Network related.

Who will be the first to answer correctly?

#76169 - 2003-07-31 09:14 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
I would use @IPADDRESSx to get the IP address for @WKSTA.

[ 31. July 2003, 21:17: Message edited by: sealeopard ]
_________________________
There are two types of vessels, submarines and targets.

#76170 - 2003-07-31 09:16 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
Not the answer.. Not KiX related.

However, in reply to that answer... that is not a good method either as you will find that many laptops will not respond with the correct IP using that method.

#76171 - 2003-07-31 09:22 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Not double-quoting the paths in the shell commands ? re (long file names?)

[edit]

no, that's not it [Frown]

[ 31. July 2003, 21:23: Message edited by: Shawn ]

#76172 - 2003-07-31 09:23 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
Nope.. I really thought Jens would spot it right off the bat. Thought he replied to a post once about this somewhere.

Will post the answer in a bit.

#76173 - 2003-07-31 09:26 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Whose script are we talking about here, the first (docs) or the second ?

Doc, imagine $TempFile in this line should be double-quoted:

SHELL '%COMSPEC% /C PING -n 1 @WKSTA >'+$TempFile

ja?

-Shawn

#76174 - 2003-07-31 09:30 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
No sorry Shawn... Nothing to do with the KIX code. The code is fully functional. (I'm sure some of the KiX purists out there could pick it apart quite a bit, but that is not the challenge of this game) [Wink]

I'm talking about my re-posted code from above in PostPrep format.

DevFrag,
I can say if 4.12 works or not. I'm using 4.21

[ 31. July 2003, 21:32: Message edited by: NTDOC ]

#76175 - 2003-07-31 09:43 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
bastah !

Next guess - something to do with the way you're checking ip addys using simple InStr()'s instead of something more robust ?

#76176 - 2003-07-31 09:47 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
LOL Not KiX code related. (I mean the code is there, but it is valid code for most cases, just not in this case)

Okay, that was clue #2

#76177 - 2003-07-31 09:52 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
I don't know, going to quit while I am not ahead.

But back on the Kix thing, did notice that RETURN statement you have in your GetLogServer function case statement - that will bite you for sure.

#76178 - 2003-07-31 09:55 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
well... the only non-KiX code in there is the SHELL stuff and I notice you using %comspec% needlessly in some but not all cases.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#76179 - 2003-07-31 10:57 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
I don't see anything, either [Confused]
_________________________
There are two types of vessels, submarines and targets.

#76180 - 2003-07-31 11:01 PM Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
using instr to id different ip subnets??
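
The point Shawn and Bryce raise about InStr(), as an added example that is not part of the thread: InStr() reports that the text occurs anywhere in the address, so '132.36.' is also found inside '10.132.36.7', while comparing whole octets from the left only matches addresses that start with the prefix. `InSubnet` is a hypothetical helper name and the sample addresses are constructed.

```kixtart
; Added example - InSubnet() is an illustrative name, not from the
; original script. Sample addresses below are constructed.

; Returns 1 if $ip begins with the octets given in $prefix, else 0.
; $prefix is written without a trailing dot, e.g. '132.36' or
; '122.124.111'. Octets are compared as numbers, one by one, so a
; match in the middle or at the end of the address does not count.
Function InSubnet($ip, $prefix)
    Dim $o, $p, $i
    $InSubnet = 0
    $o = Split($ip, '.')
    $p = Split($prefix, '.')
    ; An empty result from GetCurrentIP (ping failed) or any string
    ; that is not four fields long is rejected, with @ERROR set to 1.
    If (UBound($o) <> 3) Or (UBound($p) > 3)
        Exit 1
    EndIf
    For $i = 0 To UBound($p)
        If Val($o[$i]) <> Val($p[$i])
            Exit 0
        EndIf
    Next
    $InSubnet = 1
EndFunction

; Side-by-side comparison on constructed addresses
Dim $addr, $sample
$sample = '132.36.4.20', '10.132.36.7', '122.124.111.9', '5.122.124.111'
For Each $addr In $sample
    ? $addr
    ? '  InStr 132.36.      : ' + InStr($addr, '132.36.')
    ? '  InSubnet 132.36    : ' + InSubnet($addr, '132.36')
    ? '  InStr 122.124.111  : ' + InStr($addr, '122.124.111')
    ? '  InSubnet 122.124.111: ' + InSubnet($addr, '122.124.111')
Next
```

In GetLogServer() the CASE lines would then read `CASE InSubnet($IP, '132.36')` and so on, with the domain-based cases left as they are.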