Metasploit mailing list archives

MS08-067 added to SVN trunk (3.2-testing)


From: metafan at intern0t.net (metafan at intern0t.net)
Date: Tue, 28 Oct 2008 07:10:09 -0400

Hi Giorgio,


You need to find AcGenral.dll on your XP SP2 Italian system and then
issue ./msfpescan -j esi AcGenral.dll; it will return a lot
of possible (useful) return addresses, though keep in mind that it may
not contain any of the bad characters, otherwise it might cause other problems
as well :) To me, it looks like you haven't tried this before, yet it
shouldn't be hard to fix.

And yes, it's normal to get such a big list, which is good (at least
in my opinion when I recreate old FTP exploits), so try out some of
the return addresses, and make sure they don't have any bad characters
included; also make sure that you understand how the exploit works,
at least in basic terms. :)


~ MaXe # That's all I can help you with for now.


Hi, I successfully exploited the vuln on an XP SP3 English, but following
your comment I couldn't reproduce it on an XP SP2 Italian.
So I took the acgenral.dll from the XP SP3 English I successfully
exploited and issued the command you suggested:

msfpescan -j esi AcGenral.dll

but in the address list I couldn't find the one you use in the code
(0x6F8917C2).

Is it normal?

Thx in advance.

This is the list I've obtained:

2008/10/28 H D Moore <hdm at metasploit.com>:
This module has support for XP SP2/SP3 with DEP/NX as well as 2003 SP0/SP2
without DEP/NX. It only supports the English locale right now, but I
included instructions in the module comments for how to add
language-specific targets. There is no default target and you need to
specify the correct OS/SP, otherwise the module will just crash the
service. This will never be as reliable as MS06-040, but it's still a great
way to exploit an XP SP2/SP3 system with 139/445 open.


http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb?rev=5798


-HD
_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
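The check MaXe describes above (scan for call esi / push esi; ret addresses, then drop any whose bytes collide with the exploit's bad characters, and see whether a given address is in the list at all), as an added example that is not code from this thread or from the Metasploit module. The sample msfpescan lines and the bad-character set b"\x00\x0a\x0d" are constructed assumptions.

```python
import re
import struct

# Constructed sample in the "0x<address> <instruction>" shape msfpescan -j prints;
# sample values only, not the thread's list or any real AcGenral.dll build.
SAMPLE_OUTPUT = """\
0x6f88f807 call esi
0x6f8914f8 call esi
0x6f8a0a0d call esi
0x6f8aba79 push esi; ret
0x6f8b174b call esi
"""

LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]{1,8})\s+(.+?)\s*$")

def parse_msfpescan(text):
    """Return [(address, instruction)] from msfpescan -j output; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1), 16), m.group(2)))
    return entries

def address_bytes(addr):
    """The four bytes a 32-bit x86 address occupies in memory (little-endian)."""
    return struct.pack("<I", addr)

def usable_addresses(entries, badchars):
    """Keep only addresses whose little-endian bytes avoid every bad byte.

    A bad byte (a NUL that ends a C string, a newline that ends a protocol
    field, ...) truncates or mangles the buffer, so the address never lands
    intact; this is the per-candidate check MaXe asks for.
    """
    bad = set(badchars)
    return [(a, i) for a, i in entries if not set(address_bytes(a)) & bad]

def contains_address(entries, wanted):
    """True if `wanted` is in the scan. An address hard-coded for one DLL build
    is normally absent from a scan of another build (other SP or locale), which
    is why the module needs a per-OS/SP/locale target rather than a guess."""
    return any(a == wanted for a, _ in entries)

if __name__ == "__main__":
    entries = parse_msfpescan(SAMPLE_OUTPUT)
    for addr, insn in usable_addresses(entries, b"\x00\x0a\x0d"):  # assumed bad bytes
        print(f"0x{addr:08x} {insn}")
    print("0x6F8917C2 present:", contains_address(entries, 0x6F8917C2))
```

With these constructed lines, 0x6f8a0a0d is rejected because its encoding contains 0x0a and 0x0d, and the module's hard-coded 0x6F8917C2 is reported absent, which is exactly the mismatch Giorgio saw when scanning a different DLL build.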
