75 lines
2.0 KiB
Ruby
75 lines
2.0 KiB
Ruby
require 'msf/core'
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
include Exploit::Remote::Tcp
|
|
Rank = ManualRanking
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Exploit Auto-Targeting for Windows',
|
|
'Description' => %q{ This module is a test bed for automatic targeting for Windows exploits. },
|
|
'Author' => [ 'thelightcosine' ],
|
|
'License' => MSF_LICENSE,
|
|
'Privileged' => true,
|
|
'DefaultOptions' =>
|
|
{
|
|
'WfsDelay' => 10,
|
|
'EXITFUNC' => 'thread'
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 3072,
|
|
'DisableNops' => true
|
|
},
|
|
'Platform' => 'win',
|
|
'Arch' => [ARCH_X86, ARCH_X64],
|
|
'Targets' =>
|
|
[
|
|
['Windows 2000 Universal',
|
|
{
|
|
'Ret' => 0x001f1cb0,
|
|
'Scratch' => 0x00020408,
|
|
}
|
|
], # JMP EDI SVCHOST.EXE
|
|
|
|
#
|
|
# Standard return-to-ESI without NX bypass
|
|
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
|
|
#
|
|
['Windows XP SP0/SP1 Universal',
|
|
{
|
|
'Ret' => 0x01001361,
|
|
'Scratch' => 0x00020408,
|
|
}
|
|
], # JMP ESI SVCHOST.EXE
|
|
|
|
# Standard return-to-ESI without NX bypass
|
|
['Windows 2003 SP0 Universal',
|
|
{
|
|
'Ret' => 0x0100129e,
|
|
'Scratch' => 0x00020408,
|
|
}
|
|
], # JMP ESI SVCHOST.EXE
|
|
# Metasploit's NX bypass for XP SP2/SP3
|
|
['Windows XP SP3 English (NX)',
|
|
{
|
|
'Ret' => 0x6f88f807,
|
|
'DisableNX' => 0x6f8917c2,
|
|
'Scratch' => 0x00020408
|
|
}
|
|
]
|
|
|
|
],
|
|
'DisclosureDate' => 'Jan 01 1999'
|
|
))
|
|
|
|
deregister_options('RPORT')
|
|
end
|
|
|
|
def exploit
|
|
print_status("This exploit doesn't actually do anything")
|
|
print_status "Target Selected: #{target.name}"
|
|
end
|
|
|
|
|
|
end |