Metasploit mailing list archives

Fw: MS08-067 Win2K3 German lang. support <<< Untrusted Mail >>>


From: christopher.riley at r-it.at (christopher.riley at r-it.at)
Date: Mon, 13 Apr 2009 00:44:50 +0200

Just to add to the previous email. I've looked at the Win2K3 Universal exploit that uses CALL ESI in svchost.exe. Not 
sure why I didn't see this before. I've taken a look at the svchost.exe from sp2 (English and German), and they both appear 
to have a CALL ESI at 0x01001173. If somebody with a 3rd language edition of Win2K3 sp2 could check this as well, it 
could be a suitable universal for sp2. The exploit seems to run fine using this address on the German edition.

I don't have an English sp1 to hand but the same CALL ESI in svchost.exe is at
0x01001200. Again the exploit works fine using this address. Multiple exploit attempts on the same box seem to be ok as 
well, so it doesn't crash the service.

Hope this helps. If not feel free to file it in the bin and ignore.

Chris John Riley


----- Original Message -----
From: christopher.riley
Sent: 13.04.2009 00:03 ZE2
To: framework at spool.metasploit.com
Subject: [framework] MS08-067 Win2K3 German lang. support <<< Untrusted Mail >>>
I've finally had the time to look at the current ms08_067_netapi.rb exploit
with a mind to finding the return-to-ESI addresses for the German language
edition of Win2K3 (sp0-2).

SP0 ret => 0x71a034ce
SP1 ret => 0x71a03ece
SP2 ret => 0x71a03a05

Hopefully this will stop people saying the exploit is only valid on
English systems and there is no need to patch other language systems. Hard
to believe, but I've heard this argument recently.

These addresses are all based on the existing JMP ESI in ws2help.dll used
by the existing Win2K3 English exploit (NO NX).

It would be great if anybody on the list using German Win2K3 could recheck
my results. It's always good to have a second opinion. Also, I'd like to
suggest that the non-English-speaking users on the list do this for their
localized version of Windows Server as well. Metasploit supports a lot of
WinXP languages but not so many on the server side.

For those not aware of how to do this, it's a simple case of using
msfpescan -f <dll to examine> -j <desired JMP>, then trying out the various
results to find a viable option. The exploits have a lot of information on
what is required, so reading the code is enough to figure most of it out.
When testing NO NX exploits, remember to change the /NoExecute= in boot.ini
to AlwaysOff. I lost some time to this myself ;)

Now to my question. The above results are all well and good (how can I go
about getting them into the SVN version?), however the language pack of
the Win2K3 system isn't detected automatically, leaving a manual target
setting as the only option. Where can I find the language pack detection,
and what can I do to help Metasploit better detect? Is there a signature
matching process (as with NMAP) or is it (as I fear) much more complex?

Also, what can I do to recreate the NX bypass for the German version? It's
not going to be as simple as the NO NX stuff, I'm sure.

As always, I'm just learning this stuff, so feel free to point out my
obvious mistakes.

Chris John Riley
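The "recheck my results" step above, as an added example (not from the list post or from Metasploit's own msfpescan): a small PE32 reader that lists where a given two-byte opcode such as JMP ESI or CALL ESI sits in a DLL's mapped sections, and that confirms whether an address reported for one language build actually holds that opcode in another build. The sample image it scans is constructed inline; the image base, section layout and all addresses in it are made up for the demonstration.

```python
import re, struct

JMP_ESI = b"\xff\xe6"   # opcode bytes for JMP ESI
CALL_ESI = b"\xff\xd6"  # opcode bytes for CALL ESI

def parse_pe32(data):
    """Return (ImageBase, [(VirtualAddress, SizeOfRawData, PointerToRawData), ...]) for a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, coff + 2)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:  # PE32 magic; PE32+ lays ImageBase out differently
        raise ValueError("only 32-bit PE32 images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    # Section headers follow the optional header, 40 bytes each; the three fields at +12 are what we need.
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsections)]
    return image_base, sections

def find_opcode(data, opcode):
    """Virtual addresses of every occurrence of `opcode` inside the mapped sections (what -j ESI lists)."""
    image_base, sections = parse_pe32(data)
    return [image_base + va + m.start()
            for va, raw_size, raw_ptr in sections
            for m in re.finditer(re.escape(opcode), data[raw_ptr:raw_ptr + raw_size])]

def address_holds(data, address, opcode):
    """True only if this particular build really maps `opcode` at `address` (the cross-build recheck)."""
    image_base, sections = parse_pe32(data)
    rva = address - image_base
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            off = raw_ptr + (rva - va)
            return data[off:off + len(opcode)] == opcode
    return False  # address falls outside every section of this image

def build_sample_pe32(image_base=0x71A00000):
    """Constructed minimal PE32 (not any real DLL): one .text section at RVA 0x1000, file offset 0x200."""
    text = b"\x90" * 0x10 + JMP_ESI + b"\xcc" * 0x10 + CALL_ESI + b"\xc3" * 4
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)     # i386, 1 section, 224-byte optional header
    opt = (struct.pack("<H", 0x10B).ljust(28, b"\0") + struct.pack("<I", image_base)).ljust(0xE0, b"\0")
    sec = (b".text".ljust(8, b"\0") + struct.pack("<IIII", len(text), 0x1000, len(text), 0x200)).ljust(40, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + text
```

Running `find_opcode` over the English and German copies of the same DLL and comparing the lists is the quickest way to see whether an address is shared between builds or only happens to exist in one of them.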
----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR
0486809, UID ATU 16351908

Correspondence with above mentioned sender via e-mail is only for
information purposes. This medium may not be used for exchange of
legally-binding communications.
----------------------------------------
