2008-10-24 11:07:58

By Tim Brown

OpenVAS already detects MS08-067 as part of the Windows Local Check plugin family, but as a penetration tester I wanted a little more: the possibility of detecting the vulnerability in cases where we don't have valid credentials. To that end, I spent part of today investigating the problem a little further. I started off with the PoC that can be found on milw0rm but could not get it to compile under either VS 6.0 or 2k3. A quick Google showed that others had the same problem but no one had found a solution, so I began thinking about other lines of enquiry. I briefly considered using Impacket but I recanted - I hate Python. Then I looked at some of the PoCs for MS06-040, but most of these seemed to be using hardcoded RPC calls. Then it struck me: Samba has a full implementation of the Windows RPC/CIFS stack. Sure enough, there was rpccli_srvsvc_NetPathCanonicalize(), which allows remote calls to the vulnerable function NetprPathCanonicalize exported by netapi32.dll. From there it was all too trivial to hack rpcclient to make the malicious call, and there you have it:

bin/rpcclient -Uuser%password 192.168.179.129 -c pwn
Receiving SMB: Server stopped responding
rpc_api_pipe: Remote machine 192.168.179.129 pipe srvsvc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds
result was DOS code 0xe85eecc0
cli_rpc_pipe_close: cli_close failed on pipe srvsvc, fnum 0x4001 to machine 192.168.179.129.  Error was Call timed out: server did not respond after 10000 milliseconds

Interestingly, Samba just returns WERR_NOT_SUPPORTED if you try to make a remote call to it. Anyway, since I now have a working PoC (which will remain private for obvious reasons), I'll probably take some time this weekend to collect packet dumps and stack traces and see if I can write a reliable plugin. I'll be sure to blog about how I get on.

Mood: Geeky

Music: Nothing playing right now
