MS08-067 As used by Conficker and Stuxnet

How do Worms travel?

Strictly speaking, a computer virus doesn't spread across a network whereas a computer worm can travel from machine to machine. But how do worms move between machines?

A vulnerability with the catchy name of MS08-067 was used by Stuxnet and Conficker to worm themselves across Local Area Networks but how did it work?  I spent a reasonable amount of time reverse engineering the vulnerability to discover how it was exploited. 




Computers on a network can provide services to each other like file and print sharing, it means that a computer is listening on the network for connections from other machines in request of one of the services that it provides. Normally this isn't a problem but as shown by MS08-067, things can go horribly wrong if there should be a programming bug that leads to an exploitable vulnerability.

Without giving away too much useful information, a "behind the scenes" function that provided a network service had a programming bug, whereby a remote computer could send a malformed request that would cause a routine to start searching backwards in CPU stack memory, outside of the function's normal buffer with the aim to find a specific character.  This character would be found in a known position(placed there by a previously executed function) that meant it was possible to overwrite a function return address with a different value causing the computer to jump to an address supplied by the remote computer.  The virus (known as a payload) would be given as part of the malformed request - after things like Data Execution Prevention had been turned off, the exploit would jump to a memory location within the request data payload code.

In short, the exploitation used the fact that this network service code had a programming bug that didn't check the boundary conditions of the supplied data and so it ended up accessing memory that was located outside the boundaries of the appropriate memory buffer.