metasploit-framework/modules/auxiliary/scanner/smb/ms08_067_check.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"

class Metasploit4 < Msf::Auxiliary

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => "MS08-067 Scanner",
      'Description' => "This module uses the check in ms08_067_netapi to scan for MS08-067.",
      'Author' => [
        "hdm", # with tons of input/help/testing from the community
        "Brett Moore <brett.moore[at]insomniasec.com>",
        "frank2 <frank2@dc949.org>", # check() detection
        "jduck", # XP SP2/SP3 AlwaysOn DEP bypass
        "sho-luv", # Original module
        "wvu" # Refactor and cleanup
      ],
      'References' => [
        ["CVE", "2008-4250"],
        ["OSVDB", "49243"],
        ["MSB", "MS08-067"],
        # If this vulnerability is found, ms08-67 is exposed as well
        ["URL", "http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"]
      ],
      'License' => MSF_LICENSE
    ))

    register_options([
      OptString.new("SMBPIPE", [true, "The pipe name to use (BROWSER, SRVSVC)", "BROWSER"])
    ], self.class)
  end

  def run_host(ip)
    case check_vuln
    when Msf::Exploit::CheckCode::Vulnerable
      print_good("#{ip}:#{rport} - MS08-067 VULNERABLE")
      report_vuln({
        :host => ip,
        :name => "MS08-067",
        :info => "Vulnerability in Server service could allow remote code execution",
        :refs => self.references
      })
    when Msf::Exploit::CheckCode::Safe
      vprint_status("#{ip}:#{rport} - MS08-067 SAFE")
    when Msf::Exploit::CheckCode::Unknown
      vprint_status("#{ip}:#{rport} - MS08-067 UNKNOWN")
    end
  end

  def check_vuln
    begin
      connect()
      smb_login()
    rescue Rex::Proto::SMB::Exceptions::LoginError
      return Msf::Exploit::CheckCode::Unknown
    end

    #
    # Build the malicious path name
    # 5b878ae7 "db @eax;g"
    prefix = "\\"
    path =
      "\x00\\\x00/"*0x10 +
      Rex::Text.to_unicode("\\") +
      Rex::Text.to_unicode("R7") +
      Rex::Text.to_unicode("\\..\\..\\") +
      Rex::Text.to_unicode("R7") +
      "\x00"*2

    server = Rex::Text.rand_text_alpha(rand(8)+1).upcase

    handle = dcerpc_handle( '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )

    begin
      # Samba doesn't have this handle and returns an ErrorCode
      dcerpc_bind(handle)
    rescue Rex::Proto::SMB::Exceptions::ErrorCode
      return Msf::Exploit::CheckCode::Safe
    end

    stub =
      NDR.uwstring(server) +
      NDR.UnicodeConformantVaryingStringPreBuilt(path) +
      NDR.long(8) +
      NDR.wstring(prefix) +
      NDR.long(4097) +
      NDR.long(0)

    resp = dcerpc.call(0x1f, stub)
    error = resp[4,4].unpack("V")[0]

    # Cleanup
    simple.client.close
    simple.client.tree_disconnect
    disconnect

    if (error == 0x0052005c) # \R :)
      return Msf::Exploit::CheckCode::Vulnerable
    else
      return Msf::Exploit::CheckCode::Safe
    end
  end

end
Added auxiliary check for MS08_067 I simply copied the check from ms08_0867_netapi.rb and put them in a auxiliary check so I could scan for it. This was done because Nmap's check is not safe and this is more stable. 2014-01-08 21:41:44 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

Clean up formatting 2014-01-09 20:16:31 +00:00			`require "msf/core"`
Added auxiliary check for MS08_067 I simply copied the check from ms08_0867_netapi.rb and put them in a auxiliary check so I could scan for it. This was done because Nmap's check is not safe and this is more stable. 2014-01-08 21:41:44 +00:00
Clean up formatting 2014-01-09 20:16:31 +00:00			`class Metasploit4 < Msf::Auxiliary`
Added auxiliary check for MS08_067 I simply copied the check from ms08_0867_netapi.rb and put them in a auxiliary check so I could scan for it. This was done because Nmap's check is not safe and this is more stable. 2014-01-08 21:41:44 +00:00
			`include Msf::Exploit::Remote::DCERPC`
			`include Msf::Exploit::Remote::SMB`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

Clean up formatting 2014-01-09 20:16:31 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => "MS08-067 Scanner",`
			`'Description' => "This module uses the check in ms08_067_netapi to scan for MS08-067.",`
			`'Author' => [`
			`"hdm", # with tons of input/help/testing from the community`
			`"Brett Moore <brett.moore[at]insomniasec.com>",`
			`"frank2 <frank2@dc949.org>", # check() detection`
			`"jduck", # XP SP2/SP3 AlwaysOn DEP bypass`
			`"sho-luv", # Original module`
			`"wvu" # Refactor and cleanup`
			`],`
			`'References' => [`
			`["CVE", "2008-4250"],`
			`["OSVDB", "49243"],`
			`["MSB", "MS08-067"],`
			`# If this vulnerability is found, ms08-67 is exposed as well`
			`["URL", "http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"]`
			`],`
			`'License' => MSF_LICENSE`
			`))`

			`register_options([`
			`OptString.new("SMBPIPE", [true, "The pipe name to use (BROWSER, SRVSVC)", "BROWSER"])`
			`], self.class)`
Added auxiliary check for MS08_067 I simply copied the check from ms08_0867_netapi.rb and put them in a auxiliary check so I could scan for it. This was done because Nmap's check is not safe and this is more stable. 2014-01-08 21:41:44 +00:00			`end`

Fix outstanding issues 2014-01-08 23:09:41 +00:00			`def run_host(ip)`
Fix even moar outstanding issues 2014-01-09 01:38:54 +00:00			`case check_vuln`
			`when Msf::Exploit::CheckCode::Vulnerable`
Fix outstanding issues 2014-01-08 23:09:41 +00:00			`print_good("#{ip}:#{rport} - MS08-067 VULNERABLE")`
Fix moar outstanding issues 2014-01-09 00:11:18 +00:00			`report_vuln({`
			`:host => ip,`
			`:name => "MS08-067",`
			`:info => "Vulnerability in Server service could allow remote code execution",`
			`:refs => self.references`
			`})`
Fix even moar outstanding issues 2014-01-09 01:38:54 +00:00			`when Msf::Exploit::CheckCode::Safe`
			`vprint_status("#{ip}:#{rport} - MS08-067 SAFE")`
			`when Msf::Exploit::CheckCode::Unknown`
			`vprint_status("#{ip}:#{rport} - MS08-067 UNKNOWN")`
Fix outstanding issues 2014-01-08 23:09:41 +00:00			`end`
			`end`

			`def check_vuln`
Added auxiliary check for MS08_067 I simply copied the check from ms08_0867_netapi.rb and put them in a auxiliary check so I could scan for it. This was done because Nmap's check is not safe and this is more stable. 2014-01-08 21:41:44 +00:00			`begin`
			`connect()`
			`smb_login()`
Fix even moar outstanding issues 2014-01-09 01:38:54 +00:00			`rescue Rex::Proto::SMB::Exceptions::LoginError`
Fix outstanding issues 2014-01-08 23:09:41 +00:00			`return Msf::Exploit::CheckCode::Unknown`
Added auxiliary check for MS08_067 I simply copied the check from ms08_0867_netapi.rb and put them in a auxiliary check so I could scan for it. This was done because Nmap's check is not safe and this is more stable. 2014-01-08 21:41:44 +00:00			`end`

			`#`
			`# Build the malicious path name`
			`# 5b878ae7 "db @eax;g"`
			`prefix = "\\"`
			`path =`
			`"\x00\\\x00/"*0x10 +`
			`Rex::Text.to_unicode("\\") +`
			`Rex::Text.to_unicode("R7") +`
			`Rex::Text.to_unicode("\\..\\..\\") +`
			`Rex::Text.to_unicode("R7") +`
			`"\x00"*2`

			`server = Rex::Text.rand_text_alpha(rand(8)+1).upcase`

			`handle = dcerpc_handle( '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',`
			`'ncacn_np', ["\\#{datastore['SMBPIPE']}"]`
			`)`

			`begin`
			`# Samba doesn't have this handle and returns an ErrorCode`
			`dcerpc_bind(handle)`
			`rescue Rex::Proto::SMB::Exceptions::ErrorCode`
			`return Msf::Exploit::CheckCode::Safe`
			`end`

			`stub =`
			`NDR.uwstring(server) +`
			`NDR.UnicodeConformantVaryingStringPreBuilt(path) +`
			`NDR.long(8) +`
			`NDR.wstring(prefix) +`
			`NDR.long(4097) +`
			`NDR.long(0)`

			`resp = dcerpc.call(0x1f, stub)`
			`error = resp[4,4].unpack("V")[0]`

			`# Cleanup`
			`simple.client.close`
			`simple.client.tree_disconnect`
			`disconnect`

			`if (error == 0x0052005c) # \R :)`
			`return Msf::Exploit::CheckCode::Vulnerable`
			`else`
			`return Msf::Exploit::CheckCode::Safe`
			`end`
			`end`

			`end`