Rapid7 Vulnerability & Exploit Database

MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow

Back to Search

MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow



This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this vulnerability. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary.


  • Solar Eclipse <solareclipse@phreedom.org>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/smb/ms04_007_killbill
msf exploit(ms04_007_killbill) > show targets
msf exploit(ms04_007_killbill) > set TARGET < target-id >
msf exploit(ms04_007_killbill) > show options
    ...show and set options...
msf exploit(ms04_007_killbill) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security