Metasploit mailing list archives

MS03-051


From: hdm at metasploit.com (H D Moore)
Date: Wed, 6 Sep 2006 13:57:28 -0500

On Wednesday 06 September 2006 13:33, Greg Linares wrote:
> On a side note/request, is there any news of developing MS06-035 and
> MS06-036 modules?

A PoC for MS06-035 has been included in version 3.0 of the Framework 
(under auxiliary/dos/smb). The kernel pool corruption is tricky to 
reproduce and seems nearly impossible to control the bytes that perform 
the actual overwrite (it's always "\xff\xff" on my test systems). Unless 
someone finds a way to make this useful beyond a BSOD, it will stay in 
the 'dos' module directory. I have no plans to port this to 2.6, since it 
doesn't actually execute a payload.

Code for MS06-036 is public, but we have two problems with it:

1) The framework would need to run as root (or have BIND_SERVICE and 
CAP_NET_RAW capabilities under Linux) in order to trigger the bug. 

2) The current public exploit adds a user account. This is because at the 
time of exploitation, the target system doesn't have an IP address. This 
makes the use of a standard win* payload challenging. The public code 
adds a user and you have to wait for the box to reboot to do anything 
with it. The correct way to do this involves tracking the MAC addresses 
of which clients have been exploited, using a payload that stages over a 
raw socket on Windows (we have to write one), and then having that 
payload exit the main thread, then restart the DHCP client service. The 
short answer is unless someone volunteers to do all of these things, it 
probably won't happen.

> I've noticed that many computers are still vulnerable to the MS06-035
> exploit, particularly ones that have patched against the MS06-040
> (which seemed to have gotten all the buzz). Maybe the MS06-035 method
> doesn't offer as much of a vector/payload room or has severe byte
> restrictions. I haven't looked that detailed into it.

It's not much fun in practice :-(

-HD